
Steve Prentice
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Monday, April 21, 2025. I'm Steve Prentice.

Widespread Microsoft Entra lockouts caused by new security feature rollout

A widespread issue with Microsoft Entra ID's new MACE Credential Revocation app has caused mass account lockouts across organizations. Admins report false positives triggered by the app's leaked credentials detection, despite affected accounts having unique passwords, MFA protection and no signs of compromise. The alerts began overnight on Friday, locking out large numbers of users. A Reddit thread revealed an extensive impact, including over 20,000 notifications sent to a managed detection and response provider. Microsoft reportedly told one affected organization that the lockouts were due to a problem with the rollout of the MACE app, that is, M-A-C-E.

Malware delivered through diplomatic wine tasting invites

A new set of phishing attacks from Russian state-sponsored threat actor APT29 is targeting high-ranking European and Middle Eastern diplomats and officials under the guise of email invites for wine tasting events, sent from an unspecified European Ministry of Foreign Affairs. This invite naturally triggers the deployment of malware, this time called GRAPELOADER, hidden inside a zip archive named wine.zip. The malware gains persistence by modifying the Windows registry to ensure that the wine.exe executable is launched every time the system is rebooted.

British companies told to hold in-person interviews to thwart North Korean job scammers

After finding it too difficult to pursue the job-finding scam in the US, North Korean operatives are now focusing on Europe, and especially the UK, to seek out remote work with the goal of accessing sensitive data as well as cash. They are often assisted by co-conspirators who hold physical addresses and who live in the country. John Hultquist, the chief analyst at Google's Threat Intelligence Group, told the UK news outlet the Guardian that "many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary." He added that companies "need to do a better job checking physical identities and ensuring the person you're talking to is who they claim to be." He continues, "This scheme usually breaks down when the actor is asked to go on camera or to come into the office for an interview."

Chrome extensions with 6 million installs contain hidden tracking code

A set of 57 hidden Chrome extensions installed by over 6 million users has been found with dangerous capabilities such as monitoring browsing activity, accessing cookies and potentially running remote scripts. These hidden extensions do not appear in Chrome Web Store searches and can only be installed via direct URLs, often used for internal tools but possibly exploited by threat actors to avoid detection. Researcher John Tuckner of Secure Annex discovered the issue while analyzing a suspicious obfuscated extension called Fire Shield Extension Protection, which sends collected data to an external API. These extensions may be distributed through ads and malicious websites.

Huge thanks to our sponsor, Dropzone AI. Growing your MSSP client roster while your alerts are multiplying? Dropzone AI works alongside your team, investigating alerts just like your best human analysts would. Our AI SOC analyst cuts investigation time from an hour to minutes while handling five times more alerts per analyst. Unlike complex SOAR solutions, Dropzone deploys quickly and adapts to your environment without the need for playbooks or coding. Eliminate backlogs, reduce false positives, and deliver the detailed investigations your clients expect. Ready to scale your MSSP without scaling your team? Meet us at booth ES60 at RSA.

Cisco Webex bug lets hackers gain code execution via meeting links

Cisco has issued security updates for a high-severity vulnerability in the Webex app that allows unauthenticated attackers to execute remote code via malicious meeting invite links. The flaw stems from improper input validation in the Webex custom URL parser and affects all operating systems and configurations. Attackers can exploit the bug by tricking users into clicking a crafted link and downloading files, enabling arbitrary command execution with user-level privileges. Discovered to be low complexity, this vulnerability poses significant risk, and Cisco urges users to update immediately as there are no available workarounds to prevent exploitation.

New payment card scam involves a phone call, some malware and a personal tap

Researchers at the Italian cybersecurity firm Cleafy are warning financial institutions to watch for a scam that combines "social engineering, previously undocumented malware and mobile phones' near field communication capabilities to compromise payment cards." This scam, which is currently active in Italy, delivers malware dubbed SuperCard X. The scam starts with a bank fraud alert text message. Victims who call the phone number in the scam message are instructed to provide their PINs and remove any spending limits on the card. The novel part of this scam is that the victim is then instructed to place their physical debit or credit card in proximity to their infected mobile device. The SuperCard X malware then captures the card details transmitted by near field communication, NFC. Cleafy's report states that this "allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers."

The parent company of Hannaford and Stop & Shop confirms data stolen in a cyberattack

Following up on a story we covered last November, the Dutch food conglomerate Ahold Delhaize USA, the parent company of Stop & Shop, Hannaford, Food Lion and Giant Food, now confirms that data was stolen during the cyberattack of early November 2024. Responsibility for this attack has been claimed by the INC Ransom gang, which claims to have stolen six terabytes of information. Representatives from the affected company state that they are still working to determine specifically what was stolen.

ASUS confirms critical flaw in AiCloud routers

This flaw, which has a CVSS score of 9.2, could allow remote attackers to perform unauthorized execution of functions on susceptible devices. The issue has been addressed with firmware updates for branches in the 3.0.0.4 range, and ASUS reminds users to "use different passwords for the wireless network and the router administration page."

Remember to register to join us for this week's Super Cyber Friday, where we'll be talking about hacking your risk: how to determine what things actually matter to your specific organization to make you safer. Head on over to our events page at cisoseries.com to register, and check out the latest episode of Security You Should Know, where we are talking with Conveyor about how they are improving customer security reviews. Look for it wherever you get your podcasts. I'm Steve Prentice reporting for the CISO Series. Cyber Security Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines - Episode Summary
Title: Microsoft Entra Lockouts, Wine Tasting Malware, Job Scam Solution
Host: Steve Prentice, CISO Series
Release Date: April 21, 2025
Overview:
A significant disruption occurred due to the rollout of a new security feature within Microsoft Entra ID. The introduction of the MACE Credential Revocation app led to widespread account lockouts across numerous organizations.
Key Points:
Issue Details:
Administrators observed a surge in false positives triggered by the MACE app's leaked credentials detection mechanism. The affected accounts had unique passwords, were protected by Multi-Factor Authentication (MFA), and showed no signs of actual compromise.
Impact:
Overnight on Friday, the app began sending out alerts that resulted in the locking out of large numbers of users. A Reddit thread highlighted the extensive reach, citing over 20,000 notifications sent to a managed detection and response provider.
Microsoft's Response:
Microsoft communicated to one affected organization that the lockouts stemmed from a problem with the MACE app rollout, acknowledging the unintended consequences of the new security measure.
Notable Quote:
"Admins report false positives triggered by the app's leaked credentials detection, despite affected accounts having unique passwords, MFA protection and no signs of compromise." — Steve Prentice [02:15]
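A lockout storm like the one described above has a signature a SOC can check for: many distinct users flagged with the same risk detection type inside a short window, where a genuine credential leak tends to surface for scattered users over days. The following is an added example, not code from the episode or from Microsoft. It runs over a constructed list shaped like the objects Microsoft Graph returns from /identityProtection/riskDetections (the field names are real; the users, timestamps, window size and threshold are made up for illustration).

```python
"""Spot a burst of Entra ID Protection detections of one type.

Added example: not code from the episode or from Microsoft. The records
below are constructed to look like Microsoft Graph
/identityProtection/riskDetections objects (real field names, made-up values).
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: twelve distinct users hit by "leakedCredentials" within
# twelve minutes (the storm), plus two unrelated, scattered detections.
SAMPLE_DETECTIONS = [
    {
        "id": f"det-{i:03d}",
        "riskEventType": "leakedCredentials",
        "riskState": "atRisk",
        "riskLevel": "high",
        "detectedDateTime": f"2025-04-19T02:{i:02d}:00Z",
        "userPrincipalName": f"user{i:02d}@example.com",
    }
    for i in range(12)
] + [
    {
        "id": "det-900",
        "riskEventType": "unfamiliarFeatures",
        "riskState": "atRisk",
        "riskLevel": "medium",
        "detectedDateTime": "2025-04-12T14:03:00Z",
        "userPrincipalName": "alice@example.com",
    },
    {
        "id": "det-901",
        "riskEventType": "leakedCredentials",
        "riskState": "remediated",
        "riskLevel": "high",
        "detectedDateTime": "2025-04-03T09:41:00Z",
        "userPrincipalName": "bob@example.com",
    },
]


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def count_by_type(detections):
    """Overall volume per riskEventType, a first sanity check."""
    return Counter(d["riskEventType"] for d in detections)


def find_bursts(detections, window_minutes=60, threshold=10):
    """Return (riskEventType, bucket_start_iso, distinct_users) for every
    fixed window in which at least `threshold` distinct users were flagged
    by the same detection type.

    Real credential leaks surface for scattered users over days; a detector
    misfiring at rollout flags many unrelated users at once, so the count of
    distinct users per window is the discriminating signal. The threshold
    is an assumption to tune per tenant size.
    """
    window = window_minutes * 60
    users_by_bucket = defaultdict(set)
    for d in detections:
        epoch = int(parse_graph_time(d["detectedDateTime"]).timestamp())
        bucket_start = epoch - epoch % window
        users_by_bucket[(d["riskEventType"], bucket_start)].add(d["userPrincipalName"])

    bursts = []
    for (event_type, start), users in sorted(users_by_bucket.items()):
        if len(users) >= threshold:
            start_iso = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
            bursts.append((event_type, start_iso, len(users)))
    return bursts


def users_in_burst(detections, event_type, bucket_start_iso, window_minutes=60):
    """List the UPNs caught in one burst, for review before any dismissal."""
    start_epoch = parse_graph_time(bucket_start_iso).timestamp()
    end_epoch = start_epoch + window_minutes * 60
    return sorted(
        d["userPrincipalName"]
        for d in detections
        if d["riskEventType"] == event_type
        and start_epoch <= parse_graph_time(d["detectedDateTime"]).timestamp() < end_epoch
    )


if __name__ == "__main__":
    print(dict(count_by_type(SAMPLE_DETECTIONS)))
    for burst in find_bursts(SAMPLE_DETECTIONS):
        print("burst:", burst)
        print("  users:", users_in_burst(SAMPLE_DETECTIONS, burst[0], burst[1]))
```

Against a live tenant, the same functions take the `value` array returned by a GET on that Graph endpoint (with the IdentityRiskEvent.Read.All permission). A burst is evidence for escalating to Microsoft and for a temporary review of any risk-based Conditional Access policy that blocks sign-in, not grounds for bulk-dismissing the detections before the affected users have been checked.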
Overview:
A new phishing tactic has emerged, orchestrated by the Russian state-sponsored threat actor APT29. This campaign specifically targets high-ranking European and Middle Eastern diplomats and officials.
Key Points:
Phishing Method:
The attacks disguise themselves as email invitations to wine tasting events, purportedly sent from an unnamed European Ministry of Foreign Affairs.
Malware Deployment:
The invitation, when opened, triggers the deployment of a malware payload named GRAPELOADER, concealed within a ZIP archive titled wine.zip.
Mechanism of Action:
Upon execution, GRAPELOADER gains persistence by modifying the Windows registry, ensuring the malicious executable (wine.exe) launches with every system reboot.
Notable Quote:
"This invite naturally triggers the deployment of malware, this time called GRAPELOADER, hidden inside a zip archive named wine.zip." — Steve Prentice [05:47]
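The persistence mechanism described above, a registry entry that relaunches the payload at every boot, is also what a responder hunts for on a suspect host. The following is an added example, not code from the episode or from any vendor report: it parses a `reg export` dump of the Run and RunOnce keys and flags entries whose executable sits in a user-writable location or outside the trusted install roots. The export text is constructed, and the paths, value names and allowlist are assumptions for illustration.

```python
"""Triage Run/RunOnce registry persistence from a `reg export` dump.

Added example: not code from the episode or from any vendor report.
SAMPLE_EXPORT is a constructed dump; the paths, value names and the
allowlist are assumptions made for illustration.
"""
import re

# Constructed: what `reg export` of the two Run keys might produce, decoded to text.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WineUpdater"="C:\\Users\\alice\\AppData\\Local\\Temp\\wine.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"Updater"="\"C:\\Users\\Public\\Downloads\\update.exe\" --silent"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
AUTORUN_KEY_SUFFIXES = ("\\run", "\\runonce")

# Locations any user can write to: a launcher that points here is suspect.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\",
                         "\\users\\public\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Hypothetical allowlist for per-user installs that legitimately live in AppData.
ALLOWLIST_MARKERS = ("\\microsoft\\onedrive\\",)


def _unescape(value):
    """reg export escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_keys(export_text):
    """Return (key, value_name, command) for string values under Run/RunOnce."""
    entries = []
    current_key = None
    for line in export_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not (value_match and current_key and current_key.lower().endswith(AUTORUN_KEY_SUFFIXES)):
            continue
        raw = value_match.group(2)
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # dword:/hex: values are not launch commands
        entries.append((current_key, _unescape(value_match.group(1)), _unescape(raw[1:-1])))
    return entries


def executable_path(command):
    """Pull the program path out of a Run value (quoted or bare, with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def triage(entries):
    """Return findings for entries launching from untrusted locations."""
    findings = []
    for key, name, command in entries:
        exe = executable_path(command).lower()
        if any(m in exe for m in USER_WRITABLE_MARKERS):
            reason = "launches from a user-writable location"
        elif exe.startswith(TRUSTED_ROOTS) or any(m in exe for m in ALLOWLIST_MARKERS):
            continue
        else:
            reason = "launches from outside trusted install roots"
        findings.append({"key": key, "name": name, "path": exe, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_run_keys(SAMPLE_EXPORT)):
        print(f"{f['key']}\\{f['name']}: {f['path']} ({f['reason']})")
```

On a real host, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM key), and read the file with UTF-16 decoding, since `reg export` writes UTF-16. The location heuristic is deliberately coarse: it surfaces candidates for a hash lookup and signature check, it does not prove maliciousness, and an attacker can also persist through Winlogon, scheduled tasks or startup folders that this parser does not cover.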
Overview:
Due to increased difficulty in executing job-related scams within the United States, North Korean operatives have redirected their efforts towards Europe, particularly the United Kingdom.
Key Points:
Scam Tactics:
Operatives pose as remote job applicants to get hired, aiming to gain access to sensitive data and to collect salaries.
Operational Support:
These operatives often collaborate with local conspirators who provide physical addresses and reside within the target country, adding legitimacy to their scams.
Expert Insight:
John Hultquist, Chief Analyst at Google's Threat Intelligence Group, emphasized the vulnerability within HR departments:
"Many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary." — John Hultquist [15:30]
He further advised that verification processes, such as requiring interviews to be conducted in person or via video calls, can effectively disrupt these scams.
Notable Quote:
"This scheme usually breaks down when the actor is asked to go on camera or to come into the office for an interview." — John Hultquist [16:05]
Overview:
A concerning discovery was made involving 57 hidden Chrome extensions that have amassed over 6 million installs, embedding dangerous tracking functionalities.
Key Points:
Functionality of Malicious Extensions:
These extensions monitor browsing activities, access cookies, and possess the ability to execute remote scripts, posing significant privacy and security threats.
Distribution Methods:
Unlike listed extensions, these don't appear in Chrome Web Store searches and can only be installed via direct URLs. That visibility setting is intended for internal tools, but threat actors can use it to avoid detection.
Research Findings:
John Tuckner from Secure Annex identified the issue while examining the Fire Shield Extension Protection, an obfuscated extension sending collected data to an external API. The distribution channels include deceptive ads and malicious websites.
Notable Quote:
"These hidden extensions do not appear in Chrome Web Store searches and can only be installed via direct URLs, often used for internal tools but possibly exploited by threat actors to avoid detection." — Steve Prentice [22:10]
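The capabilities listed above (watching browsing, reading cookies, running remotely supplied script) are mostly visible in an extension's manifest before any code is read. As an added example, not code from the episode, from Secure Annex or from Google, the script below scores a manifest's permissions, host access and content security policy and ranks installed extensions for review. It cannot tell whether an extension is unlisted in the Web Store (that is a store setting, not a manifest field), and obfuscated code still needs a separate look. Both manifests are constructed and the weights are assumptions.

```python
"""Score a Chrome extension manifest for tracking and remote-script capability.

Added example: not code from the episode, from Secure Annex or from Google.
The two manifests below are constructed; the weights are assumptions.
"""
import json

# Permissions that let an extension watch browsing or lift session material.
RISKY_PERMISSIONS = {
    "cookies": "read and modify cookies on permitted hosts",
    "tabs": "enumerate open tabs and their URLs",
    "history": "read full browsing history",
    "webRequest": "observe every request on permitted hosts",
    "webRequestBlocking": "rewrite or block requests in flight",
    "scripting": "inject scripts into pages",
    "nativeMessaging": "talk to a native host process",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Quick Notes (constructed)",
  "version": "1.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": []
}""")

SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Shield Protection (constructed)",
  "version": "2.3",
  "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  "background": {"scripts": ["bg.js"]},
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://updates.example.invalid; object-src 'self'"
}""")


def _csp_sources(csp, directive):
    """Return the source list of one CSP directive, or [] if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return tokens[1:]
    return []


def assess_manifest(manifest):
    """Return {"name", "score", "findings"}; a higher score means more of the
    monitoring, cookie-access and remote-code capability worth a closer look."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host match patterns inside "permissions".
    for p in list(perms):
        if p in BROAD_HOST_PATTERNS or "://" in p:
            hosts.add(p)
            perms.discard(p)

    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append((2, f"permission {p}: {RISKY_PERMISSIONS[p]}"))
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append((3, f"host access to every site: {', '.join(broad)}"))
    if broad and "cookies" in perms:
        findings.append((2, "all-site host access plus cookies: can harvest session cookies for any site"))

    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 shape
        csp = csp.get("extension_pages", "")
    script_src = _csp_sources(csp, "script-src")
    if "'unsafe-eval'" in script_src:
        findings.append((3, "CSP allows eval(): fetched strings can be run as code"))
    remote = [s for s in script_src if s.startswith(("http://", "https://"))]
    if remote:
        findings.append((3, f"CSP permits remote script sources: {', '.join(remote)}"))

    return {
        "name": manifest.get("name", "?"),
        "score": sum(w for w, _ in findings),
        "findings": [msg for _, msg in findings],
    }


def rank_manifests(manifests):
    """Order a set of installed extensions for review, riskiest first."""
    return sorted((assess_manifest(m) for m in manifests), key=lambda r: -r["score"])


if __name__ == "__main__":
    for report in rank_manifests([BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]):
        print(report["score"], report["name"])
        for finding in report["findings"]:
            print("   -", finding)
```

On a Windows endpoint the manifests to feed in live under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`; collecting them across a fleet and ranking them is a cheap way to find installs that never went through a Web Store search.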
Overview:
Cisco has identified and issued security patches for a high-severity vulnerability in the WebEx application that allows unauthenticated attackers to execute remote code.
Key Points:
Vulnerability Details:
The flaw arises from improper input validation in Webex's custom URL parser and affects all operating systems and configurations.
Exploitation Method:
Attackers can craft malicious meeting invite links that, when clicked by unsuspecting users, prompt the download of malicious files. This enables arbitrary command execution with user-level privileges.
Urgent Recommendations:
Given the low complexity of exploiting this vulnerability and the absence of available workarounds, Cisco strongly advises all users to apply the necessary updates immediately to mitigate potential risks.
Notable Quote:
"Attackers can exploit the bug by tricking users into clicking a crafted link and downloading files, enabling arbitrary command execution with user level privileges." — Steve Prentice [25:50]
Overview:
Researchers at the Italian cybersecurity firm Cleafy are warning financial institutions about a novel scam against cardholders that combines social engineering, previously undocumented malware, and mobile Near Field Communication (NFC) technology.
Key Points:
Scam Execution:
The scam initiates with a fraudulent bank alert sent via text message. Victims are prompted to call a deceptive phone number where they are coerced into providing their PINs and removing any spending limits on their cards.
Malware Functionality:
Victims are then instructed to place their physical debit or credit cards near their infected mobile devices. The SuperCard X malware captures the card details transmitted via NFC, allowing attackers immediate access to the stolen funds outside conventional fraud channels.
Impact Analysis:
Because the captured card data is used at once, the attacker gets at the funds immediately and largely outside the fraud controls banks apply to bank transfers, leaving little window for the bank or the victim to intervene.
Notable Quote:
"This allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers." — Steve Prentice [28:40]
Overview:
Ahold Delhaize USA, the parent company of grocery chains including Hannaford and Stop & Shop, confirmed that data was stolen in the cyberattack of early November 2024. The gang claiming the attack says it took six terabytes.
Key Points:
Attack Attribution:
The INC Ransom gang has claimed responsibility for the breach, stating they exfiltrated six terabytes of information.
Company Response:
Representatives from Ahold Delhaize USA are still working to determine the specific nature and extent of the data stolen; the investigation is ongoing.
Notable Quote:
"Representatives from the affected company state that they are still working to determine specifically what was stolen." — Steve Prentice [31:20]
Overview:
ASUS has confirmed a critical vulnerability in its AiCloud routers, rated with a CVSS score of 9.2, which could allow remote attackers to execute unauthorized functions.
Key Points:
Vulnerability Details:
The flaw permits remote attackers to perform unauthorized execution of functions on susceptible devices.
Affected Systems:
ASUS routers with the AiCloud feature running firmware that predates the fixed releases in the 3.0.0.4 branches.
Mitigation Measures:
ASUS has released firmware updates addressing the vulnerability and advises users to apply them and to use different passwords for the wireless network and the router administration page.
Notable Quote:
"The issue has been addressed with firmware updates for branches in the 3.0.0.4 range, and ASUS reminds users to use different passwords for the wireless network and the router administration page." — Steve Prentice [34:10]
Today's episode of Cyber Security Headlines delved into a range of critical security incidents and emerging threats, from widespread service disruptions caused by new security feature rollouts to sophisticated phishing campaigns and innovative malware scams. Hosts and experts emphasized the importance of prompt response measures, robust verification processes, and staying informed about the latest security patches to mitigate risks effectively. As cyber threats continue to evolve, staying vigilant and proactive remains paramount for organizations and individuals alike.
For more detailed stories behind these headlines, visit CISOseries.com.