Transcript
A (0:00)
From the CISO series. It's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Tuesday, May 6, 2025. I'm Rich Stroffolino.

Signal clone gets hacked. TeleMessage is an Israeli company that sells modified versions of messaging apps, with customers including the US government. 404 Media reported that a threat actor breached and stole customer data from the company, including direct messages and group chats sent from its cloned Signal, Telegram, WeChat and WhatsApp versions. Data leaked by the hacker shows that archived chat logs are not end-to-end encrypted when sent from the app to archive servers. Screenshots of data from U.S. Customs and Border Protection and financial institutions, including Coinbase, were shown to 404 Media. The hacker informed the news outlet that accessing and exfiltrating the data took 15 to 20 minutes and wasn't much effort at all. Former National Security Advisor Mike Waltz was seen using TeleMessage apps in a Cabinet meeting, but there's no indication any of his information was leaked in the breach.

Sounding the alarm on easyjson. Researchers at Hunted Labs warned that the open source package easyjson could put organizations at risk due to its links to Russia. easyjson is a code serialization tool for Go that is used in cloud environments across the defense, finance, technology and healthcare sectors. The package is hosted on GitHub by a Mail.ru account owned by the Russian social media giant VK Group. VK's CEO is Vladimir Kiriyenko, the son of one of Vladimir Putin's top aides. Both father and son were sanctioned by the U.S. Treasury in 2022. Hunted Labs found no evidence of malicious code added to easyjson, but noted that its widespread use could make it a strategic asset as part of a wider campaign. If nothing else, this shows that the politics of open source are getting increasingly murky.

Ransomware group takes credit for UK retail attacks. In the past week we've covered a rash of cyber attacks against UK-based retailers, including M&S, Co-op and Harrods. Now the DragonForce ransomware group has claimed it orchestrated the attacks, in a statement to the BBC. DragonForce first appeared in August 2023, initially as a hacktivist group, although it's now working for financial gain using ransomware developed from leaked LockBit and Conti code. Earlier this year, it started offering white-label branding to affiliates as part of a rebrand into a ransomware cartel.

Heavy is the head of Black Kingdom ransomware. The U.S. Attorney's Office for the Central District of California indicted Rami Khaled Ahmed for allegedly deploying Black Kingdom ransomware on over 1,500 computer systems between March 2021 and June 2023. Victims range from a school district in Pennsylvania to medical support businesses in Wisconsin and California to a ski resort in Oregon. Once infected, Black Kingdom operators demanded a $10,000 bitcoin ransom, although it's not clear how many victims ultimately paid. The FBI investigated Ahmed with the help of the New Zealand police. However, he's believed to be located in Yemen, which doesn't extradite to the US.

And now, thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

The beating heart of deepfakes. While video deepfakes are becoming increasingly common, researchers had previously thought one way to detect them would be to look for subtle skin color changes caused by a pulse, which these models weren't trained to produce. However, Bruce Schneier passed on a report from the journal Frontiers in Imaging, which found that high-quality deepfakes can already beat these checks, unintentionally retaining heartbeat patterns from training videos. These signals were notably weaker than in real video footage, but still present. The researchers say another method to detect deepfakes could be to look for natural pulse behavior across different facial regions.

Russians be hacking. Ahead of presidential elections in Romania, the Russian-linked hacktivist group NoName057 claimed credit for DDoS attacks against the website for the country's Ministry of Foreign Affairs, the Romanian government, the Constitutional Court and several presidential candidates. Romania's National Directorate of Cybersecurity confirmed the attacks, but noted that all access had been restored to the public. Last week, the group attacked Dutch and other European organizations for military support for Ukraine. Not to be left out, Azerbaijan's head of parliament Ramid Namazov accused the Russian APT29, aka Cozy Bear, of attacks on local media outlets on February 20th. These attacks attempted to spread misinformation across TV and news sites. Namazov suspected these attacks came in response to the closure of the Russian House, a state-funded cultural center in Baku.

Golden Chickens lay new malware eggs. Researchers at Recorded Future's Insikt Group attributed two new malware families to the threat actors known as Golden Chickens, or Venom Spider, depending on how scary you want them to sound. TerraStealer V2 is a tool to find browser credentials, crypto wallet data, and extension information. Captured info is then exfiltrated to Telegram or to a wet domain. Meanwhile, TerraLogger is a standalone keylogger, which is notable because it doesn't have any way to actually exfiltrate data, indicating it's under active development. Both pieces of malware show signs of the group iterating and advancing its malware-as-a-service portfolio.

And now a goodbye to a VoIP OG. Did you wake up today and feel the world was a little emptier? That may be because Microsoft officially shuttered Skype yesterday, on May 5th. Users now have 60 days to export data or migrate to Teams. Skype was first released in August 2003, acquired by eBay in 2005 for $2.6 billion, and then acquired by Microsoft for $8.5 billion in 2011. It now joins Windows Live Messenger in the hallowed ground of the Redmond graveyard. Good night, sweet prince.

If you're in the Boston area, remember to join us for a live CISO Series Podcast recording on May 15th. If you've never joined us for a live recording, they are a ton of fun, with great conversations, fun games and a chance to win some CISO Series swag. Plus free food, drink and networking. If you want to join us, this is a free event being organized by Zscaler, but you need to register. Head on over to our events page at cisoseries.com for more information. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
