Transcript
David Shipley (0:00)
New EddieStealer malware distributed via ClickFix CAPTCHA phishing. ConnectWise breached in a cyberattack linked to nation-state threat actors. Attackers now abusing Google Apps Script in phishing attacks. And thieves gain access to about 140,000 social insurance numbers in the Nova Scotia Power breach. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

A new malware campaign is distributing a novel Rust-based information stealer dubbed EddieStealer using the popular ClickFix social engineering tactic, initiated via fake CAPTCHA verification pages. The campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the info stealer, harvesting sensitive data such as credentials, browser information and cryptocurrency wallet details. According to Elastic Security Labs, the attack chain begins with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to "prove you are not a robot" by following a three-step process. A prevalent tactic called ClickFix involves instructing potential victims to open the Windows Run dialog prompt, paste an already copied command into the verification window (for example, the Run dialog) and press Enter. This effectively causes the obfuscated PowerShell command to be executed, resulting in the retrieval of the next stage of the payload from an external server. The JavaScript payload, gverify.js, is subsequently saved to the victim's Downloads folder and executed using cscript in a hidden window. The main goal of this intermediate script is to fetch the EddieStealer binary from the same remote server and store it in the Downloads folder with a pseudorandom 12-character file name. Remember, it's written in Rust.
EddieStealer is a commodity stealer malware that can gather system metadata, receive tasks from a command-and-control (C2) server, and siphon data of interest from infected hosts. The exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients and messaging apps.

IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a "limited number" of ScreenConnect customers. ConnectWise said that it recently learned of suspicious activity within its environment that it believed was tied to a sophisticated nation-state actor, which they say affected a very small number of ScreenConnect customers. In a brief advisory note: "We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all the affected customers and are now coordinating with law enforcement." ConnectWise is a Florida-based software company that provides IT management, remote monitoring and management (RMM), cybersecurity and automation solutions for managed service providers and IT departments. One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching and system maintenance. As first reported by CRN, the company now says it has implemented enhanced monitoring and hardening of security access across its network. They also state that they have not seen any further suspicious activity in customer instances. ConnectWise did not answer questions from BleepingComputer about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customer ScreenConnect instances. However, a source told BleepingComputer that the breach occurred in August 2024, that ConnectWise discovered this activity in May 2025, and that it only impacted cloud-based ScreenConnect instances.
BleepingComputer says they have not been able to independently confirm those breach dates. Jason Slagle, president of managed service provider CNWR, told BleepingComputer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations. In a Reddit thread, customers shared further details, stating the incident is linked to a high-severity ScreenConnect vulnerability tracked as CVE-2025-3935, for which a patch was issued on April 24th.

Howard Solomon has a great story that gives a Google twist to the abuse of the Microsoft domain that Jim reported on earlier this week. Threat actors have discovered a way to abuse Google Apps Script to sneak links to malicious websites past phishing defenses. According to new research from Cofense, this new attack has been discovered, and if an employee clicks on a link in a phishing email, they get taken to a page on script.google.com. Now, what is Google Apps Script? Apps Script is a cloud-based JavaScript platform powered by Google Drive that lets developers integrate with and automate tasks across different Google products. With it, Google says, developers can add custom menus, dialogs and sidebars to Google Docs, Sheets and Forms; write custom functions and macros for Google Sheets; publish web apps, either standalone or embedded in Google Sites; and interact with other Google services, including AdSense, Analytics, Calendar, Drive, Gmail, Maps and more. The attacker is betting the user will see and trust the Google brand and therefore trust the content. "By using a trusted platform to host the phishing page, the threat actor creates a false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking about it," says the report from Cofense.
CISOs need to remind employees in regular security awareness training sessions not to let their guard down and to read their email closely for scam clues. They also need to be reminded that a message using a tool from a well-known brand like Google is no guarantee the message is safe. And a reminder for all listeners: email filters are fallible. If your team believes that no possible phishes can get by your email filter, they can actually click 140% more on phishing scams. So make sure they know their vigilance can make all the difference.

Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber thieves who recently hacked into the utility's customer records. Peter Gregg said in an interview with the Canadian Press on Thursday that the privately owned utility collected the numbers from customers to authenticate their identities. For example, Gregg said that they needed the social insurance numbers to differentiate people who had the same name: if there are a number of John McDonalds in the province, the social insurance number determines which one the utility was talking to. On May 23, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack, more than half of the total. Asked Thursday about how many of those records contain the confidential nine-digit social insurance numbers, Gregg said approximately half. This breach continues to be among the largest, at least in Canada, but likely increasingly in North America, of a utility with highly sensitive customer data exposed.

If you've enjoyed today's episode, please consider liking and sharing it. We want to help even more people stay on top of the crazy world of cybersecurity. We are always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday.
Thanks for listening.
