
In this episode of Cybersecurity Today, host Jim Love delves into a range of alarming cyber incidents. A six-year sleeper supply chain attack has compromised thousands of e-commerce websites, exploiting vulnerabilities in Magento extensions from...
Jim Love
Sleeper supply chain attack activates after six years. Russian-controlled open source tool raises alarms over US cybersecurity. A fake bank draft fools the bank. And the Signal archiving tool used by the Trump administration is breached, raising alarms over messaging security. This is Cybersecurity Today. I'm your host, Jim Love.

A coordinated supply chain attack has compromised between 500 and 1,000 e-commerce websites by exploiting vulnerabilities in 21 Magento extensions from vendors Tigren, Meetanshi and Magesolution (MGS). Security firm Sansec discovered the attackers had injected backdoors into these extensions as early as 2019, with the malicious code remaining dormant until activated in April 2025. The backdoor allows remote code execution, enabling attackers to upload and execute arbitrary PHP code on affected servers. The compromised extensions include Tigren's Ajaxsuite, Ajaxcart and MultiCOD; Meetanshi's CookieNotice, CurrencySwitcher and DeferJS; and MGS's Lookbook, StoreLocator and GDPR modules. The backdoor operates through a malicious license check in files named License.php or LicenseApi.php, which execute attacker-controlled code via functions like adminLoadLicense. Earlier versions required no authentication, while later versions used hard-coded keys for access. Sansec advises merchants using these extensions to audit their installations immediately. Affected files should be removed and servers should be scanned for additional malware. Restoring from clean backups is recommended to ensure system integrity. This incident is just another in a series that underscores the importance of supply chain security and the need for vigilant monitoring of third-party software components.

In a similar story, a widely used open source Go library, easyjson, used in healthcare, finance and even defense, has come under scrutiny after cybersecurity firm Hunted Labs revealed its deep ties to a sanctioned Russian company, the VK Group. The tool, integral to numerous US government and enterprise systems, is maintained by developers based in Moscow, raising concerns about potential exploitation by Russian state actors. easyjson is a JSON serialization library for the Go programming language employed extensively across cloud native infrastructures. Hunted Labs' investigation uncovered that the library is hosted on GitHub under mail.ru, a subsidiary of VK Group, whose CEO Vladimir Kiriyenko is sanctioned by the US and the EU. While no vulnerabilities have been detected, the potential for future compromise is significant given the library's pervasive use in critical sectors like defense, finance and healthcare. Experts warn that easyjson could serve as a sleeper cell, enabling supply chain attacks, data exfiltration or system disruptions if it was manipulated. Its integration into essential tools like Kubernetes, Prometheus and Grafana amplifies the risk, as any compromise could cascade through dependent systems. The situation underscores the need for heightened vigilance. In assessing the provenance of open source software modules, organizations are advised to audit their dependencies, consider forking critical libraries to ensure control, and implement robust monitoring to detect anomalous activities. As the open source ecosystem remains a cornerstone of modern infrastructure, ensuring its integrity is paramount to national and organizational security. Security now, just how this tool can be replaced is going to be no easy feat, given how prevalent it is in so many open source packages and tools.

A small business in Ontario, Canada, has fallen victim to a sophisticated bank draft scam, losing $108,000 after accepting what appeared to be a legitimate payment for construction equipment. The fraudulent draft was so convincing that even a bank teller at the company's bank initially deemed it authentic. The scam involved a buyer presenting a counterfeit bank draft to purchase the equipment. Believing the draft to be genuine, the business released the machinery. It wasn't until later that the bank that supposedly issued the draft identified it as a fake, by which time the buyer had vanished with the equipment. Fortunately, the company's insurance company honored this as theft and the company got its money back. The incident underscores the increasing sophistication of financial scams targeting businesses. Experts advise that when dealing with large transactions, sellers should verify bank drafts directly with the issuing bank before releasing the goods. Additionally, waiting for the draft to clear fully could provide an extra layer of security against such fraudulent activities. And while this isn't strictly a cybersecurity issue, it might behoove our CISOs to have a quick chat with the CFO about this and other types of fraud that are increasingly attacking the finance functions.

If you thought that the scandal about the Signal tool being used by the U.S. Department of Defense couldn't go any further, it turns out that a messaging tool used by Trump administration officials to archive encrypted Signal messages has been hacked twice, forcing its suspension and raising new concerns over high-level US communications and how they're being protected. TeleMessage, an Israel-based tool used by government agencies to archive encrypted messages from platforms like Signal, Telegram and WeChat, has shut down its services after two hackers separately claimed to have breached the system. The company confirmed it's investigating a potential security incident and suspended operations out of an abundance of caution, according to a spokesperson for Smarsh, which owns the app. The breach came to light after Reuters published a photo of then National Security Advisor Mike Waltz using TeleMessage on a Signal-like interface. Days later, 404 Media reported a hacker accessed TeleMessage's back end in about 15 to 20 minutes, gaining access to names and contact details of US officials, internal credentials and client indicators. A second hacker reportedly told NBC News they independently accessed and downloaded a large cache of files. Screenshots from April preserved by the Internet Archive show that TeleMessage's now-defunct website previously advertised support for archiving messages from Signal, Telegram and WeChat. Today, those pages redirect to a placeholder homepage, removing any mention of those services. But the problems with TeleMessage are not new. Security experts have long questioned TeleMessage's approach. The tool appeared to bypass Signal's end-to-end encryption, designed so messages are readable only by the sender and receiver, by storing copies of those messages for later retrieval. That process, critics warned, could undermine the core security that Signal was built to protect. Now it makes you wonder who, if anyone, is actually advising the most senior members of the Trump Cabinet on security. Either that person or persons are incompetent, or they've been overruled. If they need someone good, I hear Chris Krebs is free and apparently not afraid to speak truth to power.

And that's our show. Love to hear your comments. You can reach me at editorial@technewsday.ca or on LinkedIn. And if you're watching this on YouTube, just drop a comment under the video. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Episode Summary Hosted by Jim Love | Release Date: May 7, 2025
In this episode of Cybersecurity Today, host Jim Love delves into three significant cybersecurity incidents that highlight the evolving threat landscape businesses and government agencies face today. The episode covers a long-dormant supply chain attack, a sophisticated financial scam targeting small businesses, and breaches involving a messaging archiving tool used by high-level U.S. officials. Below is a comprehensive summary of the key discussions, insights, and conclusions drawn during the episode.
Overview: Jim Love begins by discussing a coordinated supply chain attack that compromised between 500 and 1,000 e-commerce websites. This attack exploited vulnerabilities in 21 Magento extensions from vendors Tigren, Meetanshi, and Magesolution (MGS).
Key Points:
[...] License.php or LicenseApi.php, allowing remote code execution via functions like adminLoadLicense.
Notable Quote: Jim Love emphasizes the gravity of the situation, stating, “[...] This incident is just another in a series that underscores the importance of supply chain security and the need for vigilant monitoring of third-party software components.” [04:20]
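Sansec's advice in this segment is to audit installations for the malicious license-check files. The script below is an added example, not Sansec's, Magento's or any vendor's code, of a read-only audit of that kind run over a constructed sample tree. The vendor names, file names and the adminLoadLicense function name come from the report as summarised here; the app/code/<Vendor>/<Module> layout and the sink/request-input heuristic are this example's own assumptions.

```python
# Added example, not Sansec's, Magento's or any vendor's code: a read-only audit over a
# Magento 2 tree (app/code/<Vendor>/<Module>/...) for the license-check backdoor pattern.
import os
import re
import tempfile

SUSPECT_VENDORS = {"Tigren", "Meetanshi", "MGS"}     # vendors named in the report
SUSPECT_FILES = {"License.php", "LicenseApi.php"}     # file names named in the report
# Heuristic (this example's assumption, not from the report): a license check should not
# feed request input into a code-loading or command sink.
SINKS = re.compile(r"\b(eval|assert|include|include_once|require|require_once|"
                   r"create_function|system|exec|shell_exec|passthru)\b")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input")

def audit_magento_tree(root):
    """Return sorted (relative_path, [reasons]) pairs for files worth a manual look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in SUSPECT_FILES:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = rel.split(os.sep)  # vendor is parts[2] only under app/code/<Vendor>/<Module>/
            vendor = parts[2] if len(parts) > 3 and parts[:2] == ["app", "code"] else ""
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            reasons = []
            if vendor in SUSPECT_VENDORS:
                reasons.append(f"license file in a module of {vendor}, a vendor named in the report")
            if "adminLoadLicense" in src:
                reasons.append("references adminLoadLicense, the function the report names")
            if SINKS.search(src) and REQUEST_INPUT.search(src):
                reasons.append("code-loading sink and request input in the same file")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree (not real extension code): one benign and one suspicious module."""
    root = tempfile.mkdtemp()
    benign = os.path.join(root, "app", "code", "Acme", "Shipping")
    suspect = os.path.join(root, "app", "code", "Tigren", "Ajaxsuite")
    os.makedirs(benign)
    os.makedirs(suspect)
    with open(os.path.join(benign, "License.php"), "w") as fh:
        fh.write("<?php\nclass License { public function version() { return '1.2.0'; } }\n")
    with open(os.path.join(suspect, "LicenseApi.php"), "w") as fh:
        fh.write("<?php\nfunction adminLoadLicense($f) { include $f; }\nadminLoadLicense($_REQUEST['lic']);\n")
    return root
```

Run `audit_magento_tree("/path/to/magento")` against a real install; the benign Acme module in the sample produces no finding, the Tigren one is reported with all three reasons.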
Overview: The episode transitions to a concerning revelation about the easyjson library, a widely used open-source JSON serialization tool for the Go programming language.
Notable Quote: Jim Love underscores the potential threat, noting, “[...] Experts warn that easyjson could serve as a sleeper cell, enabling supply chain attacks, data exfiltration, or system disruptions if it was manipulated.” [12:45]
Overview: A small business in Ontario, Canada, lost $108,000 in a sophisticated bank draft scam targeting the purchase of construction equipment.
Notable Quote: Jim Love highlights the increasing sophistication of such scams, stating, “[...] The incident underscores the increasing sophistication of financial scams targeting businesses.” [20:30]
Overview: The final segment addresses breaches involving TeleMessage, an Israel-based tool used to archive encrypted messages from platforms like Signal, Telegram, and WeChat, used by Trump administration officials.
Notable Quote: Jim Love critiques the security oversight, remarking, “[...] Now it makes you wonder who, if anyone, is actually advising the most senior members of the Trump Cabinet on security.” [35:10]
In this episode, Jim Love effectively sheds light on the multifaceted nature of contemporary cybersecurity threats. From long-dormant supply chain attacks and vulnerabilities in widely-used open-source libraries to financial scams and breaches in government communication tools, the discussions underscore the imperative for continuous vigilance, robust security practices, and interdepartmental collaboration. As businesses and government agencies navigate an increasingly perilous digital landscape, the insights provided offer valuable guidance on safeguarding against both existing and emerging threats.
Engage with Us: Jim Love invites listeners to share their thoughts and comments via email at editorial@technewsday.ca, on LinkedIn, or through YouTube comments.