Slopsquatting risks, Morocco leak, EC ups US-based staff security - Cybersecurity Headlines

Summary7 min read

Cyber Security Headlines - Episode Summary

Title: Slopsquatting Risks, Morocco Leak, EC Ups US-Based Staff Security
Host: Rich Stroffelino, CISO Series
Release Date: April 15, 2025

1. Slopsquatting Risks and AI Code Dependencies

In the opening segment, host Rich Stroffelino delves into the emerging threat of slopsquatting, a term introduced by security researcher Seth Larson to describe a new type of software supply chain attack. Drawing parallels to typo squatting, slopsquatting involves threat actors proactively creating malicious packages on code repositories. These deceptive packages often have names fabricated by Large Language Models (LLMs) during code generation.

Rich explains, "AI code dependencies are Supply Chain Risk. Security researcher Seth Larson coined slop squatting to describe this new software supply chain attack type" ([00:00]). Unlike traditional phishing attacks, slopsquatting isn't merely opportunistic; it's a calculated tactic exploiting the high rate of LLM-generated package hallucinations. Depending on the programming language, open-source LLMs can hallucinate software packages upwards of 35%, whereas commercial models maintain rates below 5%.

A recent study by Socket further illustrates the persistence of these hallucinated packages. Rich notes, "58% of hallucinated packages were repeated more than once across 10 runs of the same code generation prompt" ([00:00]). Encouragingly, advanced models like GPT-4 Turbo and Deep Seq have demonstrated the capability to identify these malicious packages with over 75% accuracy, mitigating some of the associated risks.

2. Moroccan National Social Security Fund Data Leak

Transitioning to international cybersecurity incidents, Rich reports on a significant data breach affecting Morocco's National Social Security Fund. The fund disclosed that a cyber attack led to the exfiltration of over 54,000 files, compromising data related to nearly 2 million individuals. Sensitive information such as names, national ID numbers, and bank account details were leaked on the messaging platform Telegram.

According to Rich, "a cyber attack caused a significant amount of data to be leaked on Telegram. Local media reports that over 54,000 files were exfiltrated from the fund, resulting in data leaked on almost 2 million individuals" ([00:00]). However, not all leaked documents were accurate, with some containing false, incomplete, or truncated information. The hacking group Jaba Root has taken credit for the attack, though officials have refrained from making public attributions.

3. European Commission Enhances Security for US-Based Staff

In response to heightened surveillance and espionage threats, the European Commission (EC) is implementing enhanced security measures for its staff traveling to the United States for the upcoming IMF and World Bank spring meetings. Rich highlights, "The European Commission will issue burner phones and stripped-down temporary laptops to staff coming to the US for the IMF and World Bank spring meetings next week due to higher surveillance and espionage risks" ([00:00]).

This proactive stance mirrors the EC's usual precautions taken when delegations travel to high-risk regions like China or Ukraine. An EC spokesperson confirmed that while security advice has been updated, specific details remain undisclosed. This move aligns with a 2011 ruling by the 9th U.S. Circuit Court of Appeals, which expanded the government's authority to search devices at U.S. borders without warrants. Rich contextualizes, "So this doesn't appear to be a reaction to new surveillance powers per se, but how they're being applied" ([00:00]).

4. Surge in AI-Driven Tax Day Scams

As Tax Day approaches, cybersecurity firms have observed a notable increase in AI-driven scams targeting both taxpayers and tax preparers. Rich outlines the sophistication of these scams, which utilize AI-enabled voice and video phishing techniques to impersonate IRS officials or accountants. These tactics aim to deceive victims into divulging financial documents through convincingly fake interactions.

Rich states, "These use AI-enabled voice and video phishing attacks to impersonate officials from the IRS or accountants to obtain financial documents on top of text-based phishing that we usually see around this time of year" ([00:00]). The scams often direct victims to create profiles on counterfeit IRS portals, prompting them to upload sensitive information. Additionally, consumer-level deepfake tools empower threat actors to scale their operations and enhance the believability of their fraudulent schemes, making these attacks particularly challenging to detect and prevent.

5. Ransomware Attack on DaVita Healthcare Provider

In the healthcare sector, DaVita Inc., a leading provider of kidney dialysis services with over 2,600 outpatient centers in the U.S., disclosed a ransomware attack on April 12 via an SEC filing. Rich reports, "DaVita suffered a ransomware attack on April 12 that impacted some operations. The company did not announce any disruption to care facilities due to the attack" ([00:00]).

DaVita is actively investigating the incident, with no information available yet regarding potential data theft or ransom payments. As of now, the company has not identified or named the group responsible for the attack, and no hacker group has claimed credit. The absence of immediate operational disruptions suggests that the impact, while significant, may be contained, but ongoing investigations will shed more light on the full extent of the breach.

6. Critical Vulnerability Exploited in WordPress Plugin Sure Triggers

A rapid exploitation of a critical flaw in the Sure Triggers WordPress plugin underscores the persistent vulnerabilities in widely used software. Researchers at Patchstack identified a vulnerability that allows unauthorized users to create admin accounts by exploiting improper validation of the StAuthorization HTTP header.

Rich details, "On April 10, researchers at Patchstack disclosed a critical flaw in the Sure Triggers WordPress plugin that allows unauthorized users to create admin accounts due to improper validation of the StAuthorization HTTP header" ([00:00]). The flaw arose when sites failed to define an internal secret key, causing the plugin to return null values for both the header and the key, inadvertently treating them as a match. Although Sure Triggers promptly patched the vulnerability, exploitation began within four hours of the patch release through the plugin's APIs. Developers are urgently advised to apply the patch immediately and inspect their sites for any unauthorized modifications.

7. Resolver RAT Targets Healthcare and Pharmaceutical Firms

Security researchers at Morphisec Labs have uncovered a new campaign deploying the Resolver RAT malware, specifically targeting organizations within the healthcare and pharmaceutical industries. First observed on March 10, this campaign employs localized phishing lures, utilizing region-specific languages and messages to increase click-through rates. The phishing content often revolves around themes related to legal investigations, making the scams appear more credible.

Rich explains, "Resolver RAT starts off with a DLL sideloading technique to launch an in-memory loader and then communicate to a C2 server" ([00:00]). The malware employs an IP rotation system and certificate pinning to maintain resilient communication with command and control (C2) servers, even in the event of server takedowns. Additionally, Resolver RAT uses irregular beaconing patterns to evade detection by traditional security measures.

Once established within a network, Resolver RAT attempts to exfiltrate data in 16-kilobyte chunks, maintaining stealthy operations. The malware shares infrastructure and overlapping delivery mechanisms with other threats like Luma and Radamanthis, indicating a concerted effort to target and compromise sensitive sectors within the healthcare landscape.

8. Google Chrome Addresses Two-Decade-Old Privacy Vulnerability

In a significant update, Google Chrome announced that the upcoming Chrome 136 release will implement triple key partitioning of visited links as a default feature, effectively addressing a long-standing privacy vulnerability. Rich outlines the issue, stating, "Before this feature, Chrome stored links visited globally, allowing sites to show visited links in a color other than the familiar default blue" ([00:00]).

Researchers had previously identified multiple attack vectors that exploited this behavior, enabling third parties to track users' browsing histories through color-based link indicators. The new partitioning mechanism enhances privacy by storing each visited site with three distinct keys based on the link URL, top-level site, and frame origin. For a link to be displayed as visited, all three keys must match, thereby preventing unauthorized tracking, profiling, and phishing attempts that leveraged the prior vulnerabilities.

9. Measuring a CISO's Performance in the Evolving Cybersecurity Landscape

Concluding the episode, Rich touches upon an upcoming discussion within the CISO Series podcast focused on evaluating the performance of Chief Information Security Officers (CISOs). Traditionally, CISOs were often scrutinized in the aftermath of security breaches, viewed as potential scapegoats. However, as security incidents become more commonplace and less indicative of individual performance, there's a pressing need to develop more nuanced metrics for assessing a CISO's effectiveness.

Rich introduces the topic with, "That's one of the topics we'll be talking about on this week's CISO Series podcast. Look for 'Welcome to Cybersecurity, where everything is made up and the points don't matter' ([00:00]). This introspective discussion aims to explore beyond blame-centric evaluations, seeking comprehensive frameworks that accurately reflect a CISO's role in safeguarding organizational assets amidst an increasingly complex threat landscape.

Note: For more in-depth coverage of each headline, visit CISOseries.com.

Loading summary

Transcript1 lines

[00:00]
Rich Stroffelino
From the CISO series, It's Cybersecurity Headlines these are the cybersecurity headlines for Tuesday, April 15, 2025 I'm Rich Stroffelino AI code dependencies are Supply Chain Risk Security researcher Seth Larson coined slop squatting to describe this new software supply chain attack type. Similar to typo squatting, these attacks see Threat actors proactively creating malicious packages on indexes Name for ones commonly made up by LLMs when generating code. This isn't as much as a fishing expedition as it might initially sound. The rate of LLM software package hallucinations varies widely between the LLMs. Some open source LLMs create hallucinated packages over 35% of the time, while commercial models can hit rates of less than 5% depending on the programming language. A recent research paper from Socket on hallucinated software packages found 58% of hallucinated packages were repeated more than once across 10 runs of the same code generation prompt. To their credit, both GPT4 Turbo and Deep Seq were able to correctly identify hallucinated packages the models themselves Created with over 75% accuracy Morocco investigates Social Security Leak the Moroccan National Social Security Fund disclosed that a cyber attack caused a significant amount of data to be leaked on Telegram. Local media reports that over 54,000 files were exfiltrated from the fund, resulting in data leaked on almost 2 million individuals. This information includes names, national ID numbers and bank account details. Officials do say that some documents on Telegram contain false, inaccurate or truncated information. The threat actors Jaba Root took credit for the attack, but officials did not publicly attribute it. European Commission Increases Security Measures for U S Bound Staff the Financial Times sources say that the European Commission will issue burner phones and stripped down temporary laptops to staff coming to the US for the IMF and World bank spring meetings next week due to higher surveillance and espionage risks. The EC usually takes these kinds of precautions when staff are heading to China or Ukraine, an EC spokesperson confirmed it recently updated security advice but did not confirm any specifics. A ruling by the 9th U.S. circuit Court of Appeals expanded the government's ability to search devices at the border without a warrant way back in 2011 under the Obama administration. So this doesn't appear to be a reaction to new surveillance powers per se, but how they're being applied. Celebrating Tax Day with a Scam A report by the Record found that several cybersecurity firms have seen an increase on tax based AI driven scams focused on both taxpayers and preparers. These use AI enabled voice and video phishing attacks to impersonate officials from the IRS or accountants to obtain financial documents on top of text based phishing that we usually see around this time of year. Usually these schemes direct victims to create profiles on fake IRS portals and upload sensitive information. Consumer level deepfake tools allow threat actors to scale their operations while increasing the belief ability of of their scams. And now a huge thank to our sponsor Vanta. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is crucial for security. When it comes to our GRC programs, we rely on point in time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting. And it helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com headlines that's V A N T A dot com headlines Dialysis firm hit with ransomware attack DaVita is a major provider of kidney dialysis and other care services in the US with over 2,600 outpatient centers. According to an SEC disclosure, it suffered a ransomware attack on April 12 that impacted some operations. The company did not announce any disruption to care facilities due to the attack. It said it began investigating the attack and there's no word on whether any data was stolen in the attack or if any ransom was paid. So far, DaVita has not named any group behind the attack and no groups have claimed Credit. Flaw in WordPress Plugin Exploited in 4 Hours On April 10, researchers at Patchstack disclosed a critical flaw in the sure Triggers WordPress plugin that allows unauthorized users to create admin accounts due to improper validation of the Stauthorization HTTP header. Effectively, when a site did not define an internal secret key, the plugin returned null values for both the header and the key, treating them as a match. Sure Triggers patched the flub, but Patchstack saw exploitation begin within four hours of release through the plugin's APIs. Suretrigers developers recommend patching ASAP and looking for modified content on sites. Resolver Rant hits Healthcare morphisec Labs Researchers discovered a new campaign targeting healthcare and pharmaceutical firms with a new Resolver RAT malware. First observed on March 10, this campaign uses localized phishing lures using regionally specific languages and messages to get higher click through using lures related to legal investigations. Resolver RAT starts off with a DLL sideloading technique to launch an in memory loader and then communicate to a C2 server. These communications prove resilient with an IP rotation system to connect to alternate servers in the event of a takedown, and using certificate pinning and irregular beaconing patterns to avoid detection. Once communication is established, Resolveret attempts to exfiltrate data in 16 kilobyte chunks, researchers found. Resolveret shares infrastructure and overlapping delivery mechanisms with Luma and Radamanthis malware. Chrome fixes 20 year old privacy risk the upcoming release of Chrome 136 will introduce a triple key partitioning of visited links as a default feature feature, resolving an issue that could allow for a third party to determine a user's browser history. Chrome introduced this as an optional experimental feature in Chrome 132. Until this feature, Chrome stored links visited globally, allowing sites to show visited links in a color other than the familiar default blue. This color change is shown regardless of what site you're actually on when clicking the link. Researchers have found multiple classes of attacks and scripts to enable tracking, profiling and phishing from this behavior. The new partitioning will store each visited site with three keys based on the link URL, top level site, and frame origin. The browser needs all three keys to display a link as visited on the page. Measuring a CISO's performance can be tricky. For a while, a company getting breached was a resume generating event for many CISOs. But as security incidents become eventualities rather than possibilities, how can we advance our understanding of a CISO's performance beyond just a scapegoat in waiting? That's one of the topics we'll be talking about on this week's CISO Series podcast. Look for welcome to Cybersecurity, where everything is made up and the points don't matter. Wherever you get your podcasts. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.

Cyber Security Headlines - Episode Summary

Title: Slopsquatting Risks, Morocco Leak, EC Ups US-Based Staff Security
Host: Rich Stroffelino, CISO Series
Release Date: April 15, 2025