Transcript
Steve Prentice (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, March 14, 2025. I'm Steve Prentice.

Medusa ransomware continues to attack infrastructure
In a joint alert released on Wednesday, March 12, CISA, the FBI and the Multi-State Information Sharing and Analysis Center are warning that as of February this year, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology and manufacturing. End quote. The group, which is unrelated to MedusaLocker, engages in double extortion and uses phishing and unpatched vulnerabilities for initial access. The group's practices include disabling security software, terminating processes related to backups, security, data sharing and communication, and erasing shadow copies to prevent file recovery. End quote. A link to the alert is available in the show notes to this episode.

Department of Justice seeks to break up Google
As posted in the CyberWire last Friday, the Department of Justice submitted a request that would aim to break up Google by forcing the company to sell. In its filing, the DOJ stated that Google's illegal conduct has created an economic Goliath, one that wreaks havoc over the marketplace to ensure that no matter what occurs, Google always wins. End quote. These filings follow a 2023 antitrust case in which Google was found guilty of monopolistic practices regarding the company's search engine services, end quote, as well as a second antitrust lawsuit from 2024 that is examining whether the company has also engaged in monopolistic behaviors related to its advertising business. The ruling, expected this summer, has the potential to significantly impact how Google operates, how users interact with its services, and the overall landscape of the search engine business. End quote.

Another phishing campaign hits Booking.com
Employees at hotels around the world are being tricked once again by cybercriminals impersonating the reservations portal Booking.com. The gang behind this attack is Storm-1865, who in 2023 and again in 2024 used fake customer complaints and other messages as lures. This year, according to Microsoft, the attackers are using a technique called ClickFix that attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct targeted users to fix issues by copying, pasting and launching commands that eventually result in the download of malware. Much of this is done by using a fake CAPTCHA overlay that asks users to prove their humanity by pressing the Windows key followed by Control-V and Enter, which actually triggers the download of malicious code.

Grafana vulnerabilities possibly targeted in large-scale SSRF exploitation campaign
Researchers from security intelligence firm GreyNoise are reporting on a campaign that spiked over the past weekend in which server-side request forgery bugs in multiple platforms were exploited to allow threat actors to map internal networks, identify vulnerable services and steal credentials for cloud services. SSRF vulnerabilities played a major role in the 2019 Capital One breach, which impacted over 100 million people. GreyNoise said more than 400 IPs were observed targeting products from GitLab, VMware, Ivanti and others. The attacks focused on organizations in the U.S., Germany, India, Japan, Singapore, Israel and the Netherlands.

Thanks to today's episode's sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that is a new way to GRC. Get started at vanta.com/headlines, that is V A N T A dot com slash headlines.

Chinese spy group exploits Juniper Networks' routers
Researchers at Mandiant are warning of a state-backed espionage group operating out of China, UNC3886, targeting routers made by Juniper Networks. This is a group we reported on back in June 2023 when they were exploiting a VMware ESXi zero-day. In this latest report, Mandiant says the group was involved in a project to deploy custom backdoors on Junos OS routers and that the group's focus is mainly on defense, technology and telecommunications organizations located in the US and Asia, end quote. They pointed out that the affected routers were running end-of-life hardware and software, but also that the malware deployed on the Juniper routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals.

Update Firefox before certificate expires, says Mozilla
This warning is intended to help Firefox users avoid disruption and security risks caused by the upcoming expiration of one of its root certificates, which is happening today, Friday, March 14th. The certificate was used to sign content including add-ons for various Mozilla projects and Firefox itself. Users are urged to update their browsers to Firefox 128, which was released in July of 2024, or later, and ESR 115.13 or later for Extended Support Release users.

ScarCruft deploys new Android spyware KoSpy to target Korean and English-speaking users
This threat actor, ScarCruft, S C A R Cruft, based in North Korea, is apparently behind a previously undetected Android surveillance tool named KoSpy that was used to target Korean and English-speaking users. We have reported on this group before, most recently last October. Threat intelligence group Lookout Research says this is a relatively new malware family with early samples going back to March 2022, adding KoSpy has been observed using fake utility application lures such as File Manager, Software Update Utility and Kakao Security, that is spelled K A K A O, to infect devices. KoSpy was distributed through the Google Play Store and Firebase Firestore, but has since been removed from Google Play, and associated Firebase projects have been deactivated by Google.

Historic $40 million gift hopes to solidify Tampa Bay as Cyber Bay
In the Good News Department, a record-setting gift of $40 million from Arnie and Lauren Bellini intends to establish the Bellini College of Artificial Intelligence, Cybersecurity and Computing, part of the University of South Florida, as the first named college in the US dedicated exclusively to the convergence of AI and cybersecurity. Arnie Bellini is a tech entrepreneur and investor who built ConnectWise into a billion-dollar cybersecurity and IT services leader before it was sold in 2019, end quote, and he was thus instrumental in helping Tampa's tech boom. He is now the CEO of Bellini Capital, where he continues to champion Florida's transformation into a global technology powerhouse, end quote.

As usual, we've got a busy Friday of live streams today. It starts at 1pm Eastern with Super Cyber Friday, where the topic will be Hacking Competitive GRC, an hour of critical thinking about how to get ahead of your competition with a well-structured program. And then at 3:30pm Eastern we have our Week in Review show. Nick Espinosa, host of the Deep Dive Radio Show, will be our guest providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
