Cyber Security Headlines - Episode Summary
Podcast: Cyber Security Headlines
Host: CISO Series
Release Date: February 7, 2025
Episode Title: Outlook RCE bug, Kimsuky ForceCopy malware, Treasury tightens DOGE
1. Critical Remote Code Execution (RCE) Vulnerability in Microsoft Outlook
Timestamp: 00:13 - 01:13
Steve Prentice opens the episode with a significant security threat involving Microsoft Outlook: a critical Remote Code Execution (RCE) vulnerability, identified by Check Point researchers and assigned a CVE number, that has been actively exploited in attacks. The flaw stems from improper input validation when a user opens an email containing a malicious link in a vulnerable version of Outlook.
Prentice explains that the flaw lets attackers bypass Outlook's Protected View, which opens Office files in read-only mode so that harmful content cannot execute. Exploiting it allows an attacker to run code remotely and potentially compromise the entire system.
Key Point: The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies secure their networks by February 27th to mitigate ongoing threats.
2. Kimsuky's Deployment of ForceCopy Malware to Steal Credentials
Timestamp: 01:13 - 02:07
The discussion turns to Kimsuky, a hacking group linked to North Korea, as reported by South Korea's AhnLab Security Intelligence Center. Kimsuky has been running spear-phishing campaigns that deliver ForceCopy, an information stealer built to exfiltrate browser-stored credentials.
Prentice details the attack chain:
- Phishing Emails: These contain Windows shortcut (LNK) files disguised as legitimate Microsoft Office or PDF documents.
- Malware Activation: Opening the attachment triggers PowerShell or MSHTA.EXE, a legitimate Microsoft executable that runs HTML application files.
- Payload Delivery: This process deploys a Trojan named PebbleDash and a proxy malware component, giving the attackers persistent communication with external networks.
Quote: "Kimsuky uses ForceCopy malware to steal browser-stored credentials," Prentice states, highlighting the sophisticated methods employed by the group (01:20).
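The chain above (shortcut disguised as a document, then a script host such as mshta.exe or PowerShell launched from the user's shell) leaves a recognisable trace in process-creation telemetry. The following detection is an added example, not code from the episode or from AhnLab's report: it runs over a handful of constructed records in the shape of Sysmon Event ID 1 / Windows 4688 fields (parent image, child image, command line). The parent set, the command-line indicators and the two-indicator threshold are my assumptions about what separates a double-clicked shortcut from an administrator opening a console.

```python
"""Flag script hosts launched the way a malicious LNK launches them (added example)."""
import re

# Script hosts the episode names as the first stage (mshta.exe, PowerShell).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
# Parents that mean "a user opened something" rather than an admin session (assumption).
USER_SHELLS = {"explorer.exe", "outlook.exe"}
# Command-line traits that raise confidence (assumption: common, not exhaustive).
SUSPICIOUS_ARGS = [
    re.compile(r"https?://", re.I),                            # script fetched from a remote host
    re.compile(r"\\(temp|appdata|downloads)\\", re.I),         # user-writable staging path
    re.compile(r"-(enc|encodedcommand|w(indowstyle)? hidden)\b", re.I),  # hidden/encoded PowerShell
]

# Constructed sample records; hostnames and command lines are invented for the example.
SAMPLE_RECORDS = [
    {"pid": 100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/report.hta"},
    {"pid": 101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 102, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"WINWORD.EXE C:\Users\alice\Documents\q1.docx"},
    {"pid": 104, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]


def classify(record):
    """Return the list of indicators that make this record look like an LNK-launched script host."""
    image = record["image"].rsplit("\\", 1)[-1].lower()
    parent = record["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent in USER_SHELLS:
        reasons.append(f"{image} spawned by {parent}")
    for pattern in SUSPICIOUS_ARGS:
        if pattern.search(record["command_line"]):
            reasons.append(f"command line matches {pattern.pattern}")
    return reasons


def find_suspicious(records, min_reasons=2):
    """Map pid -> reasons for records that carry at least min_reasons indicators."""
    hits = {}
    for record in records:
        reasons = classify(record)
        if len(reasons) >= min_reasons:
            hits[record["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_RECORDS).items():
        print(pid, "; ".join(reasons))
```

Requiring two indicators keeps an interactive PowerShell console opened from Explorer (pid 104) out of the alert, while the remote-HTA launch (pid 100) and the hidden, encoded PowerShell (pid 101) both fire.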
3. U.S. Treasury Department Restricts Access to DOGE Team
Timestamp: 02:07 - 02:58
Prentice reports on the U.S. Treasury Department's recent decision to restrict access for most members of the Department of Government Efficiency team, known as DOGE. This action follows a lawsuit filed by union groups against Treasury Secretary Scott Bessent.
Key Points:
- Access Restrictions: Only two members, Tom Krause (CEO of a company owning Citrix and other tech firms) and his employee Marco Elez, retain access to sensitive payment systems, limited to read-only permissions.
- Allegations: DOGE previously had full access to Treasury payment systems, including the capacity to control federal government payments, raising significant security concerns.
Quote: Prentice references a court filing stating, “the two members who are still allowed access are Tom Krause...and his employee Marco Elez” (02:31).
4. Cyber Incident at British Engineering Firm IMI
Timestamp: 03:36 - 04:03
The episode covers a recent cyber incident involving IMI, a prominent UK-based engineering company specializing in industrial automation and climate control products. This marks the second such incident reported to the London Stock Exchange within nine days.
Details:
- Unauthorized Access: IMI experienced unauthorized access to its systems. While specifics remain undisclosed, the incident underscores the increasing targeting of industrial firms.
- Impact: The lack of detailed information prevents a full assessment of the breach's scope, but the rapid succession of incidents suggests heightened vulnerability in the sector.
5. Exploitation of SimpleHelp Remote Management Software
Timestamp: 04:03 - 05:08
Prentice highlights vulnerabilities in SimpleHelp remote monitoring and management (RMM) software, widely used by tech support professionals. These flaws have been exploited to deploy Sliver malware, posing severe security risks.
Key Points:
- Exploited Flaws: Three specific CVEs in the SimpleHelp RMM client have been weaponized to create administrator accounts, install backdoors, and potentially facilitate ransomware attacks.
- Attack Mechanism: Attackers exploit the vulnerabilities from an Estonia-based server running SimpleHelp on port 80, establishing unauthorized connections to target endpoints.
- Mitigation: Users are urged to apply the latest security updates and monitor for suspicious administrator accounts (e.g., SQL Admin, FPM HLT Tech) and connections to malicious IPs as detailed in Field Effect's report.
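The mitigation bullet above is a checklist a support team can partly automate. What follows is an added example, not code from the episode or from Field Effect's report: it parses the output of `net localgroup administrators` and of `netstat -ano` (both constructed here so the script runs offline) and flags the administrator account names the episode mentions, any administrator not in an approved baseline, and established connections into a watchlisted network. The watchlisted network is a documentation-range placeholder, to be replaced by the indicators from the actual report; the spelling-insensitive normalisation of account names is my choice, since the names are transcribed with spaces in the episode.

```python
"""Check for rogue administrators and watchlisted connections after an RMM compromise (added example)."""
import re
from ipaddress import ip_address, ip_network


def normalize(name):
    """Lowercase and strip non-alphanumerics so 'SQL Admin' and 'sqladmin' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


# Account names from the episode; normalised so spacing/case in the transcript does not matter.
WATCHLIST_ACCOUNTS = {normalize(n) for n in ["SQL Admin", "FPM HLT Tech"]}
# Placeholder network (RFC 5737 documentation range); use the report's real indicators in practice.
WATCHLIST_NETS = [ip_network("203.0.113.0/24")]

# Constructed output of `net localgroup administrators` on a compromised host.
SAMPLE_LOCALGROUP = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
SQL Admin
fpmhlttech
CORP\\Domain Admins
The command completed successfully.
"""

# Constructed output of `netstat -ano`, trimmed to a few rows.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         203.0.113.10:80        ESTABLISHED     4312
  TCP    10.0.0.5:49801         192.0.2.20:443         ESTABLISHED     1188
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
"""


def parse_localgroup(output):
    """Return the member names listed between the dashed rule and the trailing status line."""
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("-----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def suspicious_admins(members, baseline):
    """Flag watchlisted names first, then anything not in the approved baseline."""
    approved = {normalize(b) for b in baseline}
    flagged = []
    for member in members:
        key = normalize(member)
        if key in WATCHLIST_ACCOUNTS:
            flagged.append((member, "matches watchlist"))
        elif key not in approved:
            flagged.append((member, "not in approved baseline"))
    return flagged


def parse_connections(output):
    """Return (remote_ip, remote_port, pid) for established TCP rows of `netstat -ano`."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            host, port = parts[2].rsplit(":", 1)
            conns.append((host, int(port), int(parts[4])))
    return conns


def suspicious_connections(conns):
    """Keep connections whose remote address falls inside a watchlisted network."""
    return [c for c in conns if any(ip_address(c[0]) in net for net in WATCHLIST_NETS)]


if __name__ == "__main__":
    members = parse_localgroup(SAMPLE_LOCALGROUP)
    print(suspicious_admins(members, ["Administrator", "CORP\\Domain Admins"]))
    print(suspicious_connections(parse_connections(SAMPLE_NETSTAT)))
```

The baseline check matters as much as the watchlist: an attacker who has already read the report will not reuse the published account names, but an administrator account that nobody approved still stands out.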
6. Paragon Terminates Contract with Italy Amid Spyware Scandal
Timestamp: 05:08 - 05:55
The episode revisits an ongoing story about Paragon, the manufacturer behind the notorious Paragon Zero Click spyware. Paragon has ended its contract with Italy following revelations that Italian investigative journalists and activists critical of Italy's government were targeted using its spyware.
Details:
- Contract Breach: Italy allegedly violated the terms by targeting individuals outside the allowed scope, specifically those opposing the right-wing government led by Prime Minister Giorgia Meloni.
- Affected Individuals: The spyware was used against an investigative journalist and two activists linked to criticisms of Italy's dealings with Libya.
Quote: Prentice summarizes Paragon's stance: “the manufacturer of the infamous Paragon Zero Click spyware has allegedly ended its relationship with Italy following revelations...” (05:16).
7. Expert Advice: Reboot Your Phone to Prevent Spyware Infections
Timestamp: 05:57 - 06:26
In light of the Paragon spyware incident, Rocky Cole, co-founder of mobile threat protection company iVerify, offers practical advice to safeguard mobile devices against zero-click spyware.
Key Recommendations:
- Regular Reboots: Rebooting phones can help clear exploits that reside in memory, reducing the risk of persistent spyware infections.
- Use Security Tools: Implement internal scanning apps to detect malicious files and activate lockdown modes on Apple devices for enhanced security.
- Timely Updates: Cole emphasizes the importance of promptly applying the security patches released by Apple and Google to address the underlying vulnerabilities.
Quote: Rocky Cole advises, “the best way for people to avoid getting infected by zero click spyware like Paragon is to reboot their phone regularly” (05:57).
Conclusion
This episode of Cyber Security Headlines by CISO Series delivers a comprehensive overview of pressing cybersecurity issues, ranging from critical software vulnerabilities and sophisticated malware campaigns to significant policy decisions and expert recommendations on device security. By addressing these topics with detailed analysis and expert insights, the podcast equips its audience with the knowledge necessary to navigate the evolving landscape of information security.
For more in-depth coverage of these stories, visit CISOseries.com.
