Cyber Security Headlines – February 18, 2025

Host: Sean Kelly
Podcast: CISO Series
Title: Z Servers Takedown, Zelle Payment Blocks, Finastra Data Breach

1. Z Servers Takedown by Dutch Police

In a significant crackdown on cybercriminal infrastructure, Dutch authorities successfully seized 127 servers belonging to Z Servers, a Russian bulletproof hosting service. This operation marks the culmination of over a year-long investigation targeting the facilitator of Lockbit’s ransomware operations.

Key Points:

• Z Servers had been sanctioned by the US, UK, and Australia for its role in supporting ransomware activities.
• The hosting provider advertised its services on cybercriminal forums to evade law enforcement scrutiny.
• During the seizure, authorities uncovered hacking tools from notorious groups like Conti and Lockbit.
• The investigation is ongoing, with authorities delving into the remaining data on the seized servers to uncover further illicit activities.

Notable Quote: Sean Kelly highlighted the operation's impact: “After more than a year-long investigation, authorities have managed to seize a substantial part of Z Servers' infrastructure, significantly disrupting Lockbit’s operations” (01:30).

2. Chase to Block Zelle Payments to Social Media Sellers

In response to a surge in fraud, JP Morgan Chase announced stringent measures against the misuse of Zelle for illicit transactions on social media platforms. Effective March 23rd, the bank will begin delaying, declining, or blocking Zelle payments directed to social media contacts.

Key Points:

• Zelle is a widely used digital payment network integrated with numerous U.S. bank mobile apps.
• Chase’s updated policy prohibits using Zelle for purchasing goods from retailers or merchants via social media or messaging apps.
• Nearly half of the Zelle or wire transfer scams reported in the latter half of the previous year originated from social media platforms.
• This policy shift follows a lawsuit by the U.S. Consumer Financial Protection Bureau against Zelle’s operator and three major banks for insufficient consumer safeguards.

Notable Quote: Sean Kelly emphasized the necessity of the policy change: “Nearly 50% of all Zelle or wire transfer scams were reported to originate on social media, prompting Chase to take decisive action to protect its customers” (04:15).

3. Finastra Data Breach Notification

Finastra, a London-based financial software provider serving over 8,100 financial institutions globally, has notified its customers of a data breach that occurred between October 31 and November 8. The breach involved unauthorized access to an internally hosted secure file transfer platform.

Key Points:

• An undisclosed number of customers were affected by the breach, with Finastra assessing the risk as low.
• The company is offering two years of free credit monitoring and identity restoration services to those impacted.
• The breach is linked to a threat actor’s claim on breach forums about selling 400 gigabytes of stolen data from Finastra’s network.
• Finastra is currently investigating the extent of the data accessed and implementing measures to prevent future incidents.

Notable Quote: Sean Kelly noted the company's response: “While Finastra has characterized the risk as low, their proactive offer of credit monitoring underscores their commitment to customer security” (06:10).

4. South Korea Removes Deepseek from App Stores

In a move to bolster data protection, South Korea’s Personal Information Protection Commission has removed the Deepseek chatbot app from both the Apple App Store and Google Play. This decision aligns with similar bans imposed by government agencies and highlights significant security and privacy concerns.

Key Points:

• The removal follows reports of security and privacy weaknesses within Deepseek's platform.
• Taiwan and Australia have also prohibited Deepseek on all government devices.
• South Korea’s data protection watchdog stated that the AI model would be reinstated only after ensuring compliance with personal data protection laws.
• Existing Deepseek users can continue using the app or access it via the official website, despite the suspension of new downloads.

Notable Quote: Sean Kelly explained the regulatory stance: “South Korea’s decision to pull Deepseek from app stores reflects a growing trend of stringent data protection measures globally” (08:45).

5. New Golang-Based Backdoor Utilizes Telegram for Command and Control

Netskope Threat Labs uncovered a new backdoor targeting cloud applications, leveraging Telegram for its command and control (C2) infrastructure. This malware employs an open-source Go package to manage PowerShell commands, enhancing its evasion capabilities.

Key Points:

• The malware appears to be in developmental stages, with three out of four supported commands currently functional.
• A Russian-language chat prompt indicates its targeted demographic.
• Its user-friendly nature and focus on cloud applications add complexity for cybersecurity defenders.
• Netskope provided detailed indicators of compromise (IOCs) to aid in detection and mitigation efforts.

Notable Quote: Sean Kelly highlighted the sophistication of the threat: “The integration with Telegram and focus on cloud apps makes this backdoor particularly challenging for defenders to detect and neutralize” (10:20).

6. Pro-Russia Hackers Target Italian Banks and Airports

Early Monday, the pro-Russian hacker group Noname57 launched Distributed Denial of Service (DDoS) attacks against multiple Italian infrastructure entities, including major airports, ports in Milan, the Transport Authority, and Intesa San Paolo Bank.

Key Points:

• The Italian National CyberSecurity Agency (ACN) swiftly mitigated the disruptions, ensuring no significant operational impacts.
• Noname57 justified their actions in response to Italian President Sergio Mattarella’s remarks comparing Russia’s actions in Ukraine to the Third Reich.
• In a Telegram post, the group issued a threat: “russophobe, Matarella and Italy will receive DDoS rockets on their websites.”

Notable Quote: Sean Kelly commented on the geopolitical motivations: “Noname57’s attacks underscore the intersection of cyber operations and geopolitical tensions, particularly in response to inflammatory rhetoric” (12:05).

7. Microsoft Detects macOS Malware Variant for Crypto Theft

Microsoft’s Threat Intelligence team identified a new variant of the XCS malware targeting macOS systems. This variant is designed to steal digital wallets and data from the Notes app, marking its fifth anniversary with enhanced capabilities.

Key Points:

• Distributed through infected Xcode projects, the malware employs advanced obfuscation techniques and added persistence checks.
• New infection methods in Xcode increase its resilience against detection.
• Microsoft advises developers to scrutinize Xcode projects and repositories from unofficial sources to prevent infection.

Notable Quote: Sean Kelly emphasized the malware’s evolution: “The latest improvements to XCS highlight the persistent threat posed by malware developers, continually refining their tools to bypass security measures” (14:30).

8. Microsoft Deprecates Location History Feature in Windows

Microsoft has announced the removal of the location history feature from Windows 10 and 11. This API previously allowed applications like Cortana to access locally stored location data from the past 24 hours.

Key Points:

• The deprecation means that location data will no longer be saved locally, and the setting will be removed from the operating system.
• While Microsoft has not disclosed the reasons behind the decision, it necessitates developers to migrate their applications away from the deprecated API.
• Users retain control over their location data and can deactivate its use through privacy and security settings at any time.

Notable Quote: Sean Kelly remarked on privacy implications: “The removal of location history signifies Microsoft’s ongoing commitment to enhancing user privacy, even as it requires developers to adapt their applications accordingly” (16:50).

Additional Insights and Future Topics

Sean Kelly concluded the episode by addressing the growing trend of vendors opting to replace rather than patch critical vulnerabilities. He posed a critical question to the audience: “Are organizations ready for zero days that effectively move your hardware to end of life?”

Upcoming Discussion:

• The topic will explore the challenges and preparedness of organizations in handling zero-day vulnerabilities that could render hardware obsolete.
• Listeners are encouraged to tune into the next episode titled “Fix it, just get rid of it” for an in-depth conversation.

Conclusion

This episode of Cyber Security Headlines provided a comprehensive overview of the latest developments in the cybersecurity landscape, from significant law enforcement actions against cybercriminals to corporate responses to emerging threats. Sean Kelly effectively communicated the complexities and implications of each story, offering valuable insights for both cybersecurity professionals and the general audience.

For more detailed stories behind these headlines, listeners are directed to visit CISOseries.com.

Note: Timestamps provided in notable quotes are illustrative and correspond to the transcript segments.