Cyber Security Headlines - Episode Summary
Title: Microsoft Entra Lockouts, Wine Tasting Malware, Job Scam Solution
Host: Steve Prentice, CISO Series
Release Date: April 21, 2025
1. Microsoft Entra Lockouts Caused by New Security Feature Rollout
Overview:
A significant disruption occurred due to the rollout of Microsoft's new security feature within Microsoft Entra ID. The introduction of the Mace credential revocation app led to widespread account lockouts across numerous organizations.
Key Points:
- Issue Details: Administrators observed a surge in false positives triggered by the Mace app's leaked-credentials detection. The affected accounts had unique passwords, were protected by multi-factor authentication (MFA), and showed no signs of actual compromise.
- Impact: Overnight on Friday, the app began sending out alerts that locked out large numbers of users. A Reddit thread highlighted the extent of the problem, citing over 20,000 notifications sent to a single managed detection and response provider.
- Microsoft's Response: Microsoft told one affected organization that the lockouts stemmed from issues with the Mace app rollout, acknowledging the unintended consequences of the new security measure.
Notable Quote:
"Admins report false positives triggered by the app's leaked credentials detection, despite affected accounts having unique passwords, MFA protection and no signs of compromise." — Steve Prentice [02:15]
2. Wine Tasting Malware: APT29's Sophisticated Phishing Campaign
Overview:
A new phishing tactic has emerged, orchestrated by the Russian state-sponsored threat actor APT29. This campaign specifically targets high-ranking European and Middle Eastern diplomats and officials.
Key Points:
- Phishing Method: The attacks are disguised as email invitations to wine tasting events, purportedly sent from an unnamed European Ministry of Foreign Affairs.
- Malware Deployment: Opening the invitation triggers the download of a malware payload named Grape Loader, concealed within a ZIP archive titled "Wine Zip."
- Mechanism of Action: Upon execution, Grape Loader gains persistence by modifying the Windows registry so that the malicious executable (Wine.exe) launches with every system reboot.
Notable Quote:
"This invite naturally triggers the deployment of malware, this time called Grape Loader, hidden inside a zip archive named Wine Zip." — Steve Prentice [05:47]
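The registry-based persistence described in this item (an autostart entry that relaunches an executable at every reboot) is something an administrator can audit directly. The PowerShell script below is an added defender-side example, not code from the episode or from the researchers who analysed the loader: it enumerates the standard Run/RunOnce keys and flags entries whose target lives outside Program Files or the Windows directory, is missing on disk, or lacks a valid Authenticode signature. The key list and the "trusted location" heuristic are assumptions for this example.

```powershell
# Added example (not from the episode): audit the registry autostart keys
# that loaders use to relaunch an executable at every reboot. Entries whose
# target is outside Program Files/Windows, missing, or unsigned are flagged.
# The key list and the trusted-root heuristic are assumptions for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where legitimately installed autostart programs usually live.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-AutorunTarget {
    param([string]$Command)
    # Extract the executable path from a command line such as
    #   "C:\Users\example\AppData\Roaming\tool.exe" --quiet
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|bat|cmd|vbs|js|ps1))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-AutorunEntry {
    param([string]$Name, [string]$Command)
    $target    = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget $Command))
    $lower     = $target.ToLowerInvariant()
    $inTrusted = $trustedRoots | Where-Object { $lower.StartsWith($_ + '\') }
    $reasons   = @()
    if (-not $inTrusted) { $reasons += 'outside Program Files/Windows' }
    if (-not (Test-Path -LiteralPath $target)) {
        $reasons += 'target file missing'
    } else {
        # An unsigned or tampered binary in an autostart slot deserves a look.
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    [pscustomobject]@{
        Name    = $Name
        Target  = $target
        Flagged = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties PowerShell attaches to registry items.
        if ($p.Name -like 'PS*') { continue }
        Test-AutorunEntry -Name "$key\$($p.Name)" -Command ([string]$p.Value)
    }
}

$results | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable. A flagged entry is a prompt for review, not a verdict: some legitimate vendor tools run from per-user AppData, which is why the script reports the reason alongside the path instead of deleting anything.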
3. Evolution of Job Scams: North Korean Operatives Shift Focus to Europe
Overview:
Due to increased difficulty in executing job-related scams within the United States, North Korean operatives have redirected their efforts towards Europe, particularly the United Kingdom.
Key Points:
- Scam Tactics: Scammers pose as employers offering remote work opportunities, aiming to extract sensitive data and financial gains.
- Operational Support: These operatives often collaborate with local conspirators who reside within the target country and provide physical addresses, adding legitimacy to their scams.
- Expert Insight: John Hultquist, Chief Analyst at Google's Threat Intelligence Group, emphasized the vulnerability within HR departments: "Many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary." — John Hultquist [15:30]
He further advised that verification steps, such as requiring interviews to be conducted in person or via video call, can effectively disrupt these scams.
Notable Quote:
"This scheme usually breaks down when the actor is asked to go on camera or to come into the office for an interview." — John Hultquist [16:05]
4. Malicious Chrome Extensions with Hidden Tracking Capabilities
Overview:
A concerning discovery was made involving 57 hidden Chrome extensions that have amassed over 6 million installs, embedding dangerous tracking functionalities.
Key Points:
- Functionality of Malicious Extensions: These extensions monitor browsing activity, access cookies, and can execute remotely supplied scripts, posing significant privacy and security threats.
- Distribution Methods: Unlike ordinary extensions, these do not appear in Chrome Web Store searches and are installed via direct URLs. The hidden-listing option is often used for internal tools, but threat actors can exploit it to avoid detection.
- Research Findings: John Tuckner of Secure Annex identified the issue while examining Fire Shield Extension Protection, an obfuscated extension that sends collected data to an external API. Distribution channels include deceptive ads and malicious websites.
Notable Quote:
"These hidden extensions do not appear in Chrome Web Store searches and can only be installed via direct URLs, often used for internal tools but possibly exploited by threat actors to avoid detection." — Steve Prentice [22:10]
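Because hidden-listing extensions are installed through the same store mechanism as visible ones, store searches and the update URL in the manifest do not distinguish them; the extension ID on disk does. The PowerShell script below is an added example, not code from the episode or from Secure Annex: it inventories the extensions installed in every Chrome profile on a Windows machine, lists the permissions that enable the behaviour described above (cookie access, script injection, broad host access), and flags any ID not on an allowlist. The allowlist entry is a placeholder, and the profile and manifest paths are the standard Chrome-on-Windows layout assumed for this example.

```powershell
# Added example (not from the episode or Secure Annex): inventory Chrome
# extensions per profile and flag those not on an allowlist. The ID below is
# a placeholder; replace it with the IDs your organisation has approved.

$allowedIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder, not a real extension ID
)

# Permissions that let an extension read cookies, inject scripts, or see
# every site the user visits.
$riskyPermissions = @('cookies', 'scripting', 'webRequest', 'tabs', '<all_urls>')

$chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

function Get-ChromeExtensionInventory {
    param([string]$UserDataPath = $chromeUserData)
    if (-not (Test-Path $UserDataPath)) { return @() }

    # Profile folders are named 'Default', 'Profile 1', 'Profile 2', ...
    $profiles = Get-ChildItem -Path $UserDataPath -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each extension ID folder holds one folder per installed version.
            foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
                # Manifest V3 splits host access into host_permissions.
                $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
                $risky = $perms | Where-Object {
                    ($_ -in $riskyPermissions) -or ($_ -like '*://*/*')
                }
                [pscustomobject]@{
                    Profile    = $profile.Name
                    Id         = $idDir.Name
                    Name       = $m.name      # may be a __MSG_...__ locale key
                    Version    = $m.version
                    UpdateUrl  = $m.update_url
                    RiskyPerms = ($risky -join ', ')
                    Allowed    = ($idDir.Name -in $allowedIds)
                }
            }
        }
    }
}

Get-ChromeExtensionInventory |
    Where-Object { -not $_.Allowed } |
    Sort-Object Profile, Id |
    Format-Table -AutoSize
```

The allowlist approach is deliberate: an update URL pointing at the Chrome Web Store proves nothing about whether a listing is hidden, so the only dependable control is to compare installed IDs against the set the organisation has approved and to treat anything else with cookie, scripting, or all-hosts permissions as a priority for review.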
5. Cisco WebEx Vulnerability: Remote Code Execution via Malicious Links
Overview:
Cisco has identified and issued security patches for a high-severity vulnerability in the WebEx application that allows unauthenticated attackers to execute remote code.
Key Points:
- Vulnerability Details: The flaw arises from improper input validation in WebEx's custom URL parser and affects all operating systems and configurations.
- Exploitation Method: Attackers can craft malicious meeting invite links that, when clicked by unsuspecting users, prompt the download of malicious files, enabling arbitrary command execution with user-level privileges.
- Urgent Recommendations: Given the low complexity of exploiting this vulnerability and the absence of workarounds, Cisco strongly advises all users to apply the updates immediately.
Notable Quote:
"This flaw could allow remote attackers to perform unauthorized execution of functions on susceptible devices." — Steve Prentice [25:50]
6. Innovative Payment Card Scam Leveraging Mobile NFC Technology
Overview:
Researchers at the Italian cybersecurity firm Cleafy have uncovered a novel scam targeting financial institutions by combining social engineering, malware, and mobile Near Field Communication (NFC) technology.
Key Points:
- Scam Execution: The scam begins with a fraudulent bank alert sent via text message. Victims are prompted to call a deceptive phone number, where they are coerced into providing their PINs and removing any spending limits on their cards.
- Malware Functionality: Victims are then instructed to place their physical debit or credit cards near their infected mobile devices. The SuperCardX malware captures the card details transmitted via NFC, giving attackers immediate access to the stolen funds outside conventional fraud channels.
- Impact Analysis: This method enables rapid exploitation of stolen data, posing a significant threat to traditional banking security measures that rely on the delay inherent in bank transfers.
Notable Quote:
"This allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers." — Steve Prentice [28:40]
7. Data Breach at Parent Company of Hannaford and Stop and Shop
Overview:
The parent company of the major grocery chains Hannaford and Stop and Shop, Ahold Delhaize USA, confirmed that a cyberattack in early November 2024 resulted in the theft of six terabytes of data.
Key Points:
- Attack Attribution: The Inc ransomware gang has claimed responsibility for the breach, stating that it exfiltrated six terabytes of information.
- Company Response: Representatives from Ahold Delhaize are still working to determine the specific nature and extent of the stolen data, emphasizing that the investigation is ongoing.
Notable Quote:
"Representatives from the affected company state that they are still working to determine specifically what was stolen." — Steve Prentice [31:20]
8. Critical Flaw in ASUS AI Cloud Routers
Overview:
ASUS has identified a critical vulnerability in their AI Cloud routers, rated with a CVSS score of 9.2, which could allow remote attackers to execute unauthorized functions.
Key Points:
- Vulnerability Details: The flaw permits attackers to execute arbitrary commands on vulnerable devices.
- Affected Systems: All operating systems and configurations using ASUS AI Cloud routers running firmware versions prior to 3.0.0.4 are at risk.
- Mitigation Measures: ASUS has released firmware updates addressing the vulnerability and advises users to update to the latest firmware version and to use distinct passwords for the wireless network and the router administration interface.
Notable Quote:
"The issue has been addressed with firmware updates for branches in the 3.0.0.4 range, and ASUS reminds users to use different passwords for the wireless network and the router administration page." — Steve Prentice [34:10]
Conclusion
Today's episode of Cyber Security Headlines delved into a range of critical security incidents and emerging threats, from widespread service disruptions caused by new security feature rollouts to sophisticated phishing campaigns and innovative malware scams. Hosts and experts emphasized the importance of prompt response measures, robust verification processes, and staying informed about the latest security patches to mitigate risks effectively. As cyber threats continue to evolve, staying vigilant and proactive remains paramount for organizations and individuals alike.
For more detailed stories behind these headlines, visit CISOseries.com.
