Cyber Security Headlines - CISO Series Podcast Summary
Episode Title: Signal Clones, easyjson Warning, UK Retail Hacker
Host: CISO Series
Release Date: May 6, 2025
The latest episode of CISO Series' "Cyber Security Headlines" covers the day's significant breaches, emerging threats, and evolving attack methodologies. Hosted by Rich Stroffolino, the episode focuses on three main stories: the breach of TeleMessage's Signal clone, a supply-chain warning about the open-source easyjson package, and the ransomware attacks on UK retailers.
1. Signal Clone Breach via TeleMessage
Timestamp: 00:06 - 02:30
The episode opens with a revelation about TeleMessage, an Israeli company that sells modified versions of popular messaging apps like Signal, Telegram, WeChat, and WhatsApp, with message archiving added, to clients including the U.S. government. 404 Media reported that a threat actor breached TeleMessage and stole customer data, including direct messages and group chats from these cloned applications.
Rich Stroffolino highlights the severity of the breach:
"Data leaked by the hacker shows that archive chat logs are not end-to-end encrypted when sent from the app to archive servers." (00:45)
The hacker claimed that gaining access and exfiltrating the data took only 15 to 20 minutes. Because the archived copy of each chat leaves the end-to-end encrypted channel before it reaches TeleMessage's servers, those servers hold message content that the attacker could read once inside. Leaked screenshots included material from U.S. Customs and Border Protection and from financial institutions such as Coinbase. Former National Security Advisor Mike Waltz had been photographed using a TeleMessage app during a Cabinet meeting, though there is no evidence that his messages were among the stolen data.
2. Vulnerability Alert: easyjson Package
Timestamp: 02:31 - 04:15
The podcast shifts focus to a warning issued by researchers at Hunted Labs regarding the open-source package easyjson, a JSON serialization library for the Go programming language that generates marshalling and unmarshalling code. easyjson is widely used across sectors including defense, finance, technology, and healthcare.
Rich explains the geopolitical implications:
"EasyJSON is hosted on GitHub by a mailru account owned by the Russian social media giant VK Group. VK's CEO is Vladimir Kiriyenko, the son of one of Vladimir Putin's top aides." (03:10)
Hunted Labs found no evidence that malicious code has been added, but the maintainers' ties to a Russian state-linked company pose a strategic risk: a package this widely deployed would be a valuable foothold for a broader campaign, and its maintainers are subject to pressures that downstream users cannot see. The case highlights the increasingly murky intersection of politics and open-source software.
"This shows that the politics of open source are getting increasingly murky." (03:55)
Hunted Labs emphasizes the importance of scrutinizing dependencies in software projects to mitigate potential risks arising from such geopolitical entanglements.
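The dependency check that Hunted Labs is recommending can be started from a project's own go.mod. The following is an added example written for this summary, not code from Hunted Labs, the easyjson project, or the podcast. It parses a constructed go.mod excerpt, records which requirements are direct and which are marked `// indirect`, and flags any module path under a watchlisted GitHub owner. The watchlist contents and the sample go.mod are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod excerpt for illustration only;
// it is not taken from any real project.
const sampleGoMod = `module example.com/service

go 1.22

require (
	github.com/mailru/easyjson v0.7.7
	github.com/gorilla/mux v1.8.1
	golang.org/x/net v0.25.0 // indirect
	github.com/josharian/intern v1.0.0 // indirect
)
`

// Dep is one requirement line from go.mod.
type Dep struct {
	Path     string
	Version  string
	Indirect bool // true when the line carries the "// indirect" marker
}

// ParseGoMod extracts require entries from both the single-line
// ("require foo v1.0.0") and the block ("require ( ... )") forms.
func ParseGoMod(src string) []Dep {
	var deps []Dep
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, blank lines, etc.
		}
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		deps = append(deps, Dep{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return deps
}

// Watchlist maps a module-path prefix (a GitHub owner) to the reason it
// is being tracked. This single entry is an assumption for the example,
// not a vetted policy list.
var Watchlist = map[string]string{
	"github.com/mailru/": "hosted under a VK Group GitHub account (Hunted Labs easyjson warning)",
}

// Finding pairs a dependency with the watchlist reason it matched.
type Finding struct {
	Dep    Dep
	Reason string
}

// Audit returns every dependency whose path starts with a watchlisted prefix.
func Audit(deps []Dep, watch map[string]string) []Finding {
	var out []Finding
	for _, d := range deps {
		for prefix, reason := range watch {
			if strings.HasPrefix(d.Path, prefix) {
				out = append(out, Finding{Dep: d, Reason: reason})
			}
		}
	}
	return out
}

func main() {
	deps := ParseGoMod(sampleGoMod)
	for _, f := range Audit(deps, Watchlist) {
		kind := "direct"
		if f.Dep.Indirect {
			kind = "indirect"
		}
		fmt.Printf("%s %s (%s): %s\n", f.Dep.Path, f.Dep.Version, kind, f.Reason)
	}
}
```

On a real repository, feed the output of `go list -m all` or `go mod graph` to the same audit rather than go.mod alone, since go.mod only pins the versions selected for the main module and does not show which direct dependency pulled in a flagged transitive one. The direct/indirect distinction matters for the response: a direct dependency can be replaced or vendored by the team, while an indirect one has to be addressed through the package that depends on it.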
3. Ransomware Group Targets UK Retailers
Timestamp: 04:16 - 07:17
The final major segment covers a series of ransomware attacks targeting UK-based retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These attacks have been attributed to the DragonForce ransomware group, which first emerged in August 2023 with hacktivist roots but has since transitioned to financially motivated operations.
Rich provides detailed insights into DragonForce's evolution:
"DragonForce initially operated as a hacktivist group, but it's now working for financial gain using ransomware developed from leaked LockBit and Conti code." (04:50)
DragonForce has rebranded itself as a ransomware "cartel," offering white-label branding to affiliates and thereby expanding its operational reach. The podcast also discusses the indictment of Rami Khaled Ahmed, associated with the Black Kingdom ransomware group. Ahmed is accused of deploying the ransomware on more than 1,500 computer systems between March 2021 and June 2023, with victims ranging from educational institutions to medical businesses and leisure facilities.
"Once infected, Black Kingdom operators demanded a $10,000 bitcoin ransom, although it's not clear how many victims ultimately paid." (05:30)
Despite an investigation involving the FBI and New Zealand police, Ahmed remains at large and is believed to be living in Yemen, which does not extradite to the United States.
The episode also touches on the broader ransomware landscape, noting how groups like DragonForce and Black Kingdom keep iterating on the ransomware-as-a-service model, which complicates defense for organizations worldwide.
Additional Highlights
- Deepfake Detection Challenges: The podcast briefly explores advances in deepfake generation and the ongoing efforts to detect manipulated media through physiological signals, such as natural pulse behavior across facial regions.
- Russian Cyber Activities: There is a mention of NoName057(16), a Russian-linked hacktivist group, responsible for DDoS attacks against Romanian government websites and for efforts to spread misinformation through attacks on local media outlets.
- New Malware Families: Researchers at Recorded Future attribute two new malware families, TerraStealer V2 and TerraLogger, to the threat actor known as Golden Chickens (also tracked as Venom Spider), indicating ongoing evolution in the group's tooling.
- Skype Shutdown: The episode concludes with the announcement that Microsoft officially shuttered Skype on May 5, 2025, marking the end of an era for the once-popular communication platform.
Notable Quotes
- Rich Stroffolino:
"Data leaked by the hacker shows that archive chat logs are not end-to-end encrypted when sent from the app to archive servers." (00:45)
"This shows that the politics of open source are getting increasingly murky." (03:55)
"Once infected, Black Kingdom operators demanded a $10,000 bitcoin ransom, although it's not clear how many victims ultimately paid." (05:30)
Conclusion
Rich Stroffolino wraps up the episode by encouraging listeners to stay informed through CISO Series:
"Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines." (07:17)
This episode underscores the dynamic and ever-evolving nature of cyber threats, emphasizing the need for continuous vigilance and adaptive security measures in the face of sophisticated adversaries.
