FamousSparrow’s sneaky resurgence. - CyberWire Daily

Summary

CyberWire Daily: "FamousSparrow’s Sneaky Resurgence" Summary

Release Date: March 27, 2025
Host: Dave Bittner
Guest: Tal Skverer, Research Team Lead at Asterix

1. Episode Overview

In this episode of CyberWire Daily, host Dave Bittner delves into a spectrum of pressing cybersecurity issues, from the resurgence of the notorious hacking group Famous Sparrow to critical vulnerabilities in industrial systems. The episode features an insightful interview with Tal Skverer from Asterix, discussing the OWASP NHI Top 10 framework, and concludes with a heartfelt tribute to the late Matt Stevenson, a beloved figure in the cybersecurity community.

2. Resurgence of Famous Sparrow

[02:45] Dave Bittner: "The China-linked hacking group Famous Sparrow has resurfaced after years of apparent inactivity, now targeting a broader range of organizations across the U.S., Mexico, and Honduras."

Background: Famous Sparrow, once notorious for exploiting the ProxyLogon vulnerability and primarily targeting the hospitality sector, has expanded its targets to include governments, research institutions, and law firms.
Technical Evolution: The group employs enhanced versions of their signature SparrowDoor backdoor and has introduced the ShadowPad backdoor, traditionally associated with other Chinese Advanced Persistent Threats (APTs).
Operational Tactics: According to ESET's March 26 report, the resurgence began in June 2024, utilizing web shells on outdated Windows Server and Exchange systems. Their toolkit combines custom malware with shared resources linked to other Chinese-aligned threats, showcasing an evolving cyber espionage strategy.
Distinct Identity: Although Microsoft previously grouped Famous Sparrow with other entities like Ghost Emperor and Salt Typhoon, ESET categorizes it as a distinct group with limited overlap.

3. Data Exposure at Australian Fintech Firm Vroom by UX

[07:15] Dave Bittner: "Cybersecurity researcher Jeremiah Fowler uncovered a major data exposure involving Australian fintech firm Vroom by UX, formerly DriveIQ."

Incident Details: A misconfigured Amazon S3 bucket left 27,000 sensitive records, including driver's licenses, medical records, bank details, and partial credit card numbers, publicly accessible without password protection or encryption.
Extended Exposure: Additionally, a MongoDB instance containing 3.2 million documents was discovered, amplifying security concerns.
Company Response: Vroom swiftly secured the exposed data and committed to a post-incident review. The records spanned from 2022 to 2025, underscoring persistent risks in data management practices.
Recommendations from Fowler: Emphasized the necessity for fintech firms to implement end-to-end encryption, conduct regular security audits, and practice data minimization to mitigate risks like fraud, identity theft, and social engineering attacks.

4. Orpah Crab: A Sophisticated Linux-Based Backdoor

[10:50] Dave Bittner: "Researchers at Qianjin X Lab have unearthed Orpah Crab, a sophisticated Linux-based backdoor targeting industrial systems linked to fuel services."

Technical Insights: Discovered in January 2024, Orpah Crab utilizes the MQTT protocol for stealthy command and control (C2), blending malicious traffic with legitimate communications.
Persistence Mechanism: The malware maintains its presence through startup scripts and encrypts configuration data, employing DNS over HTTPS to evade detection.
Attribution: Linked to the Cyber Avengers hacking group, Orpah Crab has potentially compromised Gas Boy Fuel systems, threatening payment terminals and customer data integrity.

5. Blacklock Ransomware Group's Infrastructure Breach

[14:30] Dave Bittner: "Cybersecurity firm Resecurity identified a critical vulnerability in Blacklock Ransomware's data leak site, allowing infiltration of their infrastructure."

Breach Details: The vulnerability enabled Resecurity's Hunter team to access Blacklock's operations, network configurations, and storage methods, including the use of Mega accounts for data exfiltration.
Impact: Blacklock had compromised at least 46 organizations globally across various sectors before the breach.
Rival Exploitation: Early 2025 developments indicate that the rival ransomware group Dragonforce exploited similar vulnerabilities, leading to the defacement and shutdown of Blacklock's data leak site.
Implications: This highlights the volatile nature of cybercriminal enterprises and the continuous battle between competing ransomware factions.

6. Critical Vulnerabilities in Solar Inverters

[18:00] Dave Bittner: "Researchers at 4Scout's Videri Labs uncovered 46 critical vulnerabilities in solar inverters from top manufacturers like Sungrow, Growatt, and SMA."

Vulnerability Types:
- Remote Code Execution (RCE): SMA's Sunny portal allows RCE through malicious file uploads.
- API Exploits: Growatt inverters suffer from easily exploitable APIs.
- Architectural Flaws: Sungrow's inverters have multiple vulnerabilities, including stack overflows and hard-coded credentials.
Potential Risks:
- Grid Disruption: Attackers could remotely control inverter fleets, destabilizing power grids.
- Privacy Breaches: Compromised smart devices and hijacked user data.
- Ransomware: Potential launch of ransomware attacks leveraging these vulnerabilities.
Vendor Response: All affected vendors have issued patches, emphasizing the urgent need for enhanced security in renewable energy infrastructures.

7. Evolution of Credential Stuffing with Atlantis AIO

[21:10] Dave Bittner: "Credential stuffing has evolved with the advent of Atlantis AIO, an advanced automation tool facilitating mass account compromises."

Tool Capabilities: Atlantis AIO enables attackers to test millions of stolen credentials across cloud platforms and email services rapidly, requiring minimal expertise.
Evasion Techniques: Utilizes rotating proxies and distributed login attempts to bypass traditional detection mechanisms.
Underground Adoption: Since early 2025, Atlantis AIO has gained traction in underground forums, empowering both novice and seasoned attackers to execute large-scale account breaches, data theft, and fraudulent activities.

8. CISA Updates on Sitecore CMS Vulnerabilities

[24:25] Dave Bittner: "The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Sitecore CMS vulnerabilities to its Known Exploited Vulnerabilities catalog."

Vulnerability Details:
- Unauthenticated RCE: Exploits a deserialization flaw in Sitecore's Security Anti-CSRF module.
- Authenticated Exploitation: Uses the same attack vector but requires authentication.
Affected Versions: All Sitecore versions up to 9.1.0 are impacted.
CISA's Directive: Federal agencies must apply available patches or implement temporary access restrictions by April 16th to mitigate these vulnerabilities.

9. UK's National Crime Agency Warns of Sadistic Cybercrime Groups

[27:40] Dave Bittner: "The UK's National Crime Agency (NCA) has issued a stark warning about the rise of online groups involved in sadistic cybercrime and real-world violence."

Group Characteristics:
- Demographics: Predominantly teenage males engaged in cybercrime.
- Activities: Sharing extremist, violent, and child abuse content; committing phishing, SIM swapping, ransomware attacks, and fraud.
- Increase in Threats: A six-fold increase in reported threats between 2022 and 2024.
NCA's Concerns:
- Youth Involvement: A surge in homegrown youth participation poses new challenges, despite the dominance of foreign actors like those from Russia.
- Digital Spaces: These groups thrive in mainstream digital environments rather than hidden dark web forums.
- Victim Impact: Grooming of young girls into self-harm or abuse.
Law Enforcement Actions: Recent convictions highlight the severity of these groups, emphasizing the need for vigilant monitoring and intervention.

10. Arrests Linked to Ghost Encrypted Communication Platform

[30:55] Dave Bittner: "Authorities have arrested 12 individuals linked to the now-defunct Ghost encrypted communication platform."

Background: Ghost, launched in 2015, offered ultra-secure messaging through modified smartphones with layered encryption and self-destruct features. It was dismantled in September 2024 during a Europol-led international operation.
Criminal Activities: Used by organized crime groups to coordinate drug shipments between Spain and Ireland, specifically facilitating cocaine and marijuana smuggling via vehicles with hidden compartments and cloned license plates.
Investigation Outcome: Despite Ghost's strong encryption, investigators traced user accounts to suspects, leading to arrests. The takedown previously resulted in 52 global arrests, including its alleged administrator. Europol anticipates further arrests as digital evidence is analyzed.

11. Interview with Tal Skverer on OWASP NHI Top 10 Framework

[13:19] Dave Bittner: "My conversation with Tal Skverer focuses on the OWASP NHI Top 10 framework and the emerging challenges of non-human identities in cybersecurity."

Key Insights from Tal Skverer:

OWASP's Evolution: Originally renowned for the Top 10 Web Application Security Risks, OWASP has expanded to include projects like Mobile Security, API Security, and recently, LLM Top 10 Risks addressing challenges posed by large language models and AI agents.
Focus on Non-Human Identities (NHI): With the surge in automated processes and cloud services, NHIs have become increasingly prevalent, often outnumbering human identities by ratios ranging from 1:20 to 1:50.
Top Risk – Improper Offboarding:
- Description: Failure to properly disable or remove non-human identities when they are no longer needed or when associated human users depart the organization.
- Real-World Example: A forgotten service account on a Kubernetes cluster remains active, providing unauthorized access to the entire cluster.
- Mitigation Strategies:
  - Implement Robust Offboarding Processes: Ensure that all non-human identities are reviewed and appropriately handled during employee offboarding.
  - Automation: Integrate offboarding steps with HR systems to automatically manage the rotation or deactivation of NHIs.
Importance of Addressing NHIs: As organizations increasingly rely on automation and cloud services, managing NHIs is critical to maintaining security posture and preventing unauthorized access.

Notable Quote:

[18:20] Tal Skverer: "The number one risk is improper offboarding... Anyone gaining access to your pod that contains this service account now has access to your entire cluster."

12. Tribute to Matt Stevenson

[23:50] Dave Bittner: "The cybersecurity community mourns the loss of Matt Stevenson, a vibrant and influential figure known for his charismatic presence and impactful contributions."

Personal Remembrance: Matt was celebrated for his bold style, including his signature bow ties and curated sneakers. Described as the "voice," Matt's charisma and genuine connections left a lasting impression on colleagues and peers.
Professional Legacy: Matt made cybersecurity approachable and enjoyable, fostering connections through shared interests in music, comics, and technology. His storytelling and enthusiasm were instrumental in humanizing the field.
Final Moments: Matt's life was portrayed as a celebration of connections, adventures, and unwavering loyalty, leaving behind cherished memories and a quieter cybersecurity landscape.

Notable Tribute:

[23:50] Dave Bittner: "The cybersecurity world is quieter today without Matt's booming voice, his trademark style, and his unshakable warmth... Rest well, Matt Stevenson. You were unforgettable."

Conclusion

This episode of CyberWire Daily offers a comprehensive look into the evolving landscape of cybersecurity threats and defenses. From the resurgence of sophisticated hacking groups to critical vulnerabilities in emerging technologies, the discussions underscore the necessity for robust security measures and proactive threat intelligence. The interview with Tal Skverer provides valuable insights into managing non-human identities, a growing concern in today's automated environments. Additionally, the heartfelt tribute to Matt Stevenson serves as a poignant reminder of the human element within the cybersecurity community.

For more detailed stories and updates, listeners are encouraged to visit CyberWire Daily Briefing.

Transcript timestamps are approximate and based on the provided transcript content.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire Network powered by N2K. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus with on demand courses and live training, you your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions and security teams worldwide. See it in action now@maltego.com China's famous sparrow is back A misconfigured Amazon S3 bucket exposes data from an Australian fintech firm. Researchers uncover a sophisticated Linux based backdoor targeting industrial systems, infiltrating the Blacklock Ransomware group's infrastructure solar inverters. In the security spotlight, credential stuffing gets automated CISA updates the known Exploited vulnerabilities catalog. The UK's NCA warns of online groups involved in sadistic cybercrime and real world violence. Authorities arrest a dozen individuals linked to the now defunct Ghost encrypted communication platform. Our guest is Tal Skverer, research team lead from Asterix, discussing the OWASP NHI Top 10 framework and remembering our friend Matt Stephenson. It's Thursday, March 27th, 2025. I'm Dave Bitt and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It is great to have you with us. The China linked hacking group Famous Sparrow has resurfaced after years of apparent inactivity targeting organizations in the U.S. mexico and Honduras, according to a March 26 report from ESET. Once known for exploiting the proxy logon flaw and focusing on hotels, the group has broadened its scope to include governments, research institutions and law firms. The group used upgraded versions of its signature Sparrow door backdoor and for the first time deployed the Shadow pad backdoor often associated with other Chinese APTs. Although Microsoft previously suggested Famous Sparrow as part of a larger cluster including Ghost Emperor and Salt Typhoon, ESET maintains it is a distinct group with limited overlap. The recent campaign began in June of last year through web shells on outdated Windows Server and Exchange systems. The tool set combined custom malware and shared resources tied to other Chinese Aligned Threat act, showing a renewed and evolving cyber espionage capability. Cybersecurity researcher Jeremiah Fowler uncovered a major data exposure involving Australian fintech Firm Vroom by UX, formerly DriveIQ, a misconfigured Amazon S3 bucket left 27,000 sensitive records, including driver's licenses, medical records, bank details and partial credit card numbers, publicly accessible without password protection or encryption. Fowler also found evidence of a MongoDB instance holding 3.2 million documents, raising additional security concerns. Vroom, an AI powered vehicle financing platform, quickly secured the exposed data and pledged a post incident review. The records dated from 2022 through 2025, highlighting ongoing risks in data handling. Fowler stressed the potential for fraud, including identity theft and social engineering, and urged fintech firms to adopt stronger security measures. He emphasized end to end encryption, regular audits and data minimization as key defenses. Researchers at Qianjin X Lab uncovered Orpah Crab, a sophisticated Linux based backdoor targeting or pack industrial systems tied to fuel services. Discovered in January 2024. The malware uses the MQTT protocol for covert command and control, blending in with legitimate traffic. It persists via startup scripts and encrypts configuration data. It also uses DNS over HTTPs to evade detection. Linked to the Cyber Avengers hacking group ORPA Crab may have compromised Gas Boy Fuel systems, posing risks to payment terminals and customer data. Earlier this month, cybersecurity firm Resecurity identified a critical vulnerability in the data leak site of Blacklock Ransomware, a ransomware as a service group active since March 2024. The flaw allowed Re Security's Hunter team to infiltrate Blacklock's infrastructure, gathering intelligence on their operations, network configurations and storage methods, including the use of mega accounts for exfiltrated data. The breach revealed that Blacklock had compromised at least 46 organizations across various sectors globally. Subsequent events in early 2025 suggest that rival ransomware group Dragonforce may have exploited similar vulnerabilities, leading to the defacement and shutdown of Blacklock's data leak site and associated projects. These developments underscore the dynamic and volatile nature of cybercriminal enterprises. Researchers at 4 Scout's Videri Labs uncovered 46 critical vulnerabilities in solar inverters from Sungrow, Growwatt, and SMA, three of the world's top manufacturers. These flaws could allow attackers to remotely execute code, hijack devices via cloud platforms, and even disrupt power grids by altering inverter output. One vulnerability in SMA's Sunny portal allows remote code execution through malicious file uploads. Grow Watt inverters are particularly exposed due to easily exploitable APIs, while Sungrow's architecture involves multiple vulnerabilities across components, including stack overflows and hard coded credentials. Exploiting these could let attackers control fleets of inverters, potentially destabilizing grid operations by coordinating power surges or drops. Beyond grid disruption, attackers could compromise user privacy, hijack smart devices, or launch ransomware attacks. All vendors have reportedly issued patches. The findings highlight the urgent need for stronger security in renewable energy infrastructure and the potential consequences of compromised smart energy systems. Credential stuffing A long standing cyber threat has become more dangerous with the rise of Atlantis aio, an advanced automation tool. This software allows attackers to test millions of stolen credentials rapidly across cloud platforms and email services requiring minimal expertise. Its modular design evades detection through rotating proxies and distributed login attempts. Abnormal Security reports that since early 2025, Atlantis AIO has gained popularity in underground forums, enabling both novice and advanced attackers to carry out large scale account compromises, data theft and fraud. CISA has added two critical sitecore CMS vulnerabilities to its known Exploited Vulnerabilities catalog due to confirmed active exploitation. The first allows unauthenticated remote code execution via a deserialization flaw in the sitecore Security anti CSRF module, while the second requires authentication but uses the same attack Vector. Both impact Sitecore versions up to 9.1.0. CISA has mandated that federal agencies patch affected systems by April 16th. Organizations should apply available fixes or implement temporary access restrictions immediately. The UK's National Crime Agency, the NCA, has issued a stark warning about the rise of calm networks online groups of sadistic, predominantly teen boys involved in cybercrime and real world violence. These loosely organized groups use social media and messaging platforms to share extremist, violent and child abuse content while engaging in crimes like phishing, sim swapping, ransomware and fraud. The NCA's latest National Strategic Assessment highlights a six fold increase in reported threats between 2022 and 2024. With thousands of offenders and victims in the UK and beyond, these networks often groom young girls, coercing them into self harm or abuse. While foreign actors, particularly from Russia, still dominate the cybercrime landscape, the rise in homegrown youth involvement is alarming. Offenders seek profit, status and notoriety. Recent convictions illustrate the danger and the NCA stresses these groups aren't hidden on the dark web. They thrive in mainstream digital spaces frequented by young users daily. Yesterday, Irish and Spanish authorities arrested 12 individuals linked to a high risk criminal network using the now defunct Ghost encrypted communication platform. Ghost, dismantled in September 2024 during a Europol led international operation, was used by organized crime groups to coordinate drug shipments between Spain and Ireland. Despite attempts to evade detection, investigators traced Ghost user accounts to the suspects who smuggled cocaine and marijuana using vehicles with hidden compartments and cloned license plates. Ghost, launched in 2015, offered ultra secure messaging through modified smartphones with layered encryption and self destruct features. The platform's takedown previously resulted in 52 global arrests, including its alleged administrator. Europol continues to support ongoing investigations and further arrests are expected as digital evidence from the platform is analyzed. Coming up after the break, my conversation with Tal Skverer, research team lead from Asterix. We're discussing the OWASP NHI Top Table Framework and remembering our friend Matt Stephenson. Stay with us. Do you know the status of your compliance controls right now? Like right now we know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.