Cyber Security Headlines - Episode Summary

Title: Slopsquatting Risks, Morocco Leak, EC Ups US-Based Staff Security
Host: Rich Stroffelino, CISO Series
Release Date: April 15, 2025

1. Slopsquatting Risks and AI Code Dependencies

In the opening segment, host Rich Stroffelino delves into the emerging threat of slopsquatting, a term introduced by security researcher Seth Larson to describe a new type of software supply chain attack. Drawing parallels to typo squatting, slopsquatting involves threat actors proactively creating malicious packages on code repositories. These deceptive packages often have names fabricated by Large Language Models (LLMs) during code generation.

Rich explains, "AI code dependencies are Supply Chain Risk. Security researcher Seth Larson coined slop squatting to describe this new software supply chain attack type" ([00:00]). Unlike traditional phishing attacks, slopsquatting isn't merely opportunistic; it's a calculated tactic exploiting the high rate of LLM-generated package hallucinations. Depending on the programming language, open-source LLMs can hallucinate software packages upwards of 35%, whereas commercial models maintain rates below 5%.

A recent study by Socket further illustrates the persistence of these hallucinated packages. Rich notes, "58% of hallucinated packages were repeated more than once across 10 runs of the same code generation prompt" ([00:00]). Encouragingly, advanced models like GPT-4 Turbo and Deep Seq have demonstrated the capability to identify these malicious packages with over 75% accuracy, mitigating some of the associated risks.

2. Moroccan National Social Security Fund Data Leak

Transitioning to international cybersecurity incidents, Rich reports on a significant data breach affecting Morocco's National Social Security Fund. The fund disclosed that a cyber attack led to the exfiltration of over 54,000 files, compromising data related to nearly 2 million individuals. Sensitive information such as names, national ID numbers, and bank account details were leaked on the messaging platform Telegram.

According to Rich, "a cyber attack caused a significant amount of data to be leaked on Telegram. Local media reports that over 54,000 files were exfiltrated from the fund, resulting in data leaked on almost 2 million individuals" ([00:00]). However, not all leaked documents were accurate, with some containing false, incomplete, or truncated information. The hacking group Jaba Root has taken credit for the attack, though officials have refrained from making public attributions.

3. European Commission Enhances Security for US-Based Staff

In response to heightened surveillance and espionage threats, the European Commission (EC) is implementing enhanced security measures for its staff traveling to the United States for the upcoming IMF and World Bank spring meetings. Rich highlights, "The European Commission will issue burner phones and stripped-down temporary laptops to staff coming to the US for the IMF and World Bank spring meetings next week due to higher surveillance and espionage risks" ([00:00]).

This proactive stance mirrors the EC's usual precautions taken when delegations travel to high-risk regions like China or Ukraine. An EC spokesperson confirmed that while security advice has been updated, specific details remain undisclosed. This move aligns with a 2011 ruling by the 9th U.S. Circuit Court of Appeals, which expanded the government's authority to search devices at U.S. borders without warrants. Rich contextualizes, "So this doesn't appear to be a reaction to new surveillance powers per se, but how they're being applied" ([00:00]).

4. Surge in AI-Driven Tax Day Scams

As Tax Day approaches, cybersecurity firms have observed a notable increase in AI-driven scams targeting both taxpayers and tax preparers. Rich outlines the sophistication of these scams, which utilize AI-enabled voice and video phishing techniques to impersonate IRS officials or accountants. These tactics aim to deceive victims into divulging financial documents through convincingly fake interactions.

Rich states, "These use AI-enabled voice and video phishing attacks to impersonate officials from the IRS or accountants to obtain financial documents on top of text-based phishing that we usually see around this time of year" ([00:00]). The scams often direct victims to create profiles on counterfeit IRS portals, prompting them to upload sensitive information. Additionally, consumer-level deepfake tools empower threat actors to scale their operations and enhance the believability of their fraudulent schemes, making these attacks particularly challenging to detect and prevent.

5. Ransomware Attack on DaVita Healthcare Provider

In the healthcare sector, DaVita Inc., a leading provider of kidney dialysis services with over 2,600 outpatient centers in the U.S., disclosed a ransomware attack on April 12 via an SEC filing. Rich reports, "DaVita suffered a ransomware attack on April 12 that impacted some operations. The company did not announce any disruption to care facilities due to the attack" ([00:00]).

DaVita is actively investigating the incident, with no information available yet regarding potential data theft or ransom payments. As of now, the company has not identified or named the group responsible for the attack, and no hacker group has claimed credit. The absence of immediate operational disruptions suggests that the impact, while significant, may be contained, but ongoing investigations will shed more light on the full extent of the breach.

6. Critical Vulnerability Exploited in WordPress Plugin Sure Triggers

A rapid exploitation of a critical flaw in the Sure Triggers WordPress plugin underscores the persistent vulnerabilities in widely used software. Researchers at Patchstack identified a vulnerability that allows unauthorized users to create admin accounts by exploiting improper validation of the StAuthorization HTTP header.

Rich details, "On April 10, researchers at Patchstack disclosed a critical flaw in the Sure Triggers WordPress plugin that allows unauthorized users to create admin accounts due to improper validation of the StAuthorization HTTP header" ([00:00]). The flaw arose when sites failed to define an internal secret key, causing the plugin to return null values for both the header and the key, inadvertently treating them as a match. Although Sure Triggers promptly patched the vulnerability, exploitation began within four hours of the patch release through the plugin's APIs. Developers are urgently advised to apply the patch immediately and inspect their sites for any unauthorized modifications.

7. Resolver RAT Targets Healthcare and Pharmaceutical Firms

Security researchers at Morphisec Labs have uncovered a new campaign deploying the Resolver RAT malware, specifically targeting organizations within the healthcare and pharmaceutical industries. First observed on March 10, this campaign employs localized phishing lures, utilizing region-specific languages and messages to increase click-through rates. The phishing content often revolves around themes related to legal investigations, making the scams appear more credible.

Rich explains, "Resolver RAT starts off with a DLL sideloading technique to launch an in-memory loader and then communicate to a C2 server" ([00:00]). The malware employs an IP rotation system and certificate pinning to maintain resilient communication with command and control (C2) servers, even in the event of server takedowns. Additionally, Resolver RAT uses irregular beaconing patterns to evade detection by traditional security measures.

Once established within a network, Resolver RAT attempts to exfiltrate data in 16-kilobyte chunks, maintaining stealthy operations. The malware shares infrastructure and overlapping delivery mechanisms with other threats like Luma and Radamanthis, indicating a concerted effort to target and compromise sensitive sectors within the healthcare landscape.

8. Google Chrome Addresses Two-Decade-Old Privacy Vulnerability

In a significant update, Google Chrome announced that the upcoming Chrome 136 release will implement triple key partitioning of visited links as a default feature, effectively addressing a long-standing privacy vulnerability. Rich outlines the issue, stating, "Before this feature, Chrome stored links visited globally, allowing sites to show visited links in a color other than the familiar default blue" ([00:00]).

Researchers had previously identified multiple attack vectors that exploited this behavior, enabling third parties to track users' browsing histories through color-based link indicators. The new partitioning mechanism enhances privacy by storing each visited site with three distinct keys based on the link URL, top-level site, and frame origin. For a link to be displayed as visited, all three keys must match, thereby preventing unauthorized tracking, profiling, and phishing attempts that leveraged the prior vulnerabilities.

9. Measuring a CISO's Performance in the Evolving Cybersecurity Landscape

Concluding the episode, Rich touches upon an upcoming discussion within the CISO Series podcast focused on evaluating the performance of Chief Information Security Officers (CISOs). Traditionally, CISOs were often scrutinized in the aftermath of security breaches, viewed as potential scapegoats. However, as security incidents become more commonplace and less indicative of individual performance, there's a pressing need to develop more nuanced metrics for assessing a CISO's effectiveness.

Rich introduces the topic with, "That's one of the topics we'll be talking about on this week's CISO Series podcast. Look for 'Welcome to Cybersecurity, where everything is made up and the points don't matter' ([00:00]). This introspective discussion aims to explore beyond blame-centric evaluations, seeking comprehensive frameworks that accurately reflect a CISO's role in safeguarding organizational assets amidst an increasingly complex threat landscape.

Note: For more in-depth coverage of each headline, visit CISOseries.com.