CyberWire Daily: "FamousSparrow’s Sneaky Resurgence" Summary
Release Date: March 27, 2025
Host: Dave Bittner
Guest: Tal Skverer, Research Team Lead at Astrix
1. Episode Overview
In this episode of CyberWire Daily, host Dave Bittner covers a range of pressing cybersecurity stories, from the resurgence of the hacking group Famous Sparrow to critical vulnerabilities in industrial systems. The episode features an interview with Tal Skverer of Astrix on the OWASP NHI Top 10 framework and closes with a tribute to the late Matt Stevenson, a beloved figure in the cybersecurity community.
2. Resurgence of Famous Sparrow
[02:45] Dave Bittner: "The China-linked hacking group Famous Sparrow has resurfaced after years of apparent inactivity, now targeting a broader range of organizations across the U.S., Mexico, and Honduras."
- Background: Famous Sparrow, once known for exploiting the ProxyLogon vulnerability and primarily targeting the hospitality sector, has expanded its target set to governments, research institutions, and law firms.
- Technical Evolution: The group deploys enhanced versions of its signature SparrowDoor backdoor and has added ShadowPad, a backdoor traditionally associated with other Chinese advanced persistent threats (APTs).
- Operational Tactics: According to ESET's March 26 report, the resurgence began in June 2024 with web shells deployed on outdated Windows Server and Exchange systems. The toolkit combines custom malware with resources shared with other China-aligned threat actors.
- Distinct Identity: Although Microsoft previously grouped Famous Sparrow with entities such as GhostEmperor and Salt Typhoon, ESET tracks it as a distinct group with limited overlap.
3. Data Exposure at Australian Fintech Firm Vroom by UX
[07:15] Dave Bittner: "Cybersecurity researcher Jeremiah Fowler uncovered a major data exposure involving Australian fintech firm Vroom by UX, formerly DriveIQ."
- Incident Details: A misconfigured Amazon S3 bucket left 27,000 sensitive records, including driver's licenses, medical records, bank details, and partial credit card numbers, publicly accessible without password protection or encryption.
- Extended Exposure: A MongoDB instance containing 3.2 million documents was also discovered, widening the scope of the exposure.
- Company Response: Vroom secured the exposed data promptly and committed to a post-incident review. The records spanned 2022 to 2025, underscoring persistent weaknesses in data management practices.
- Recommendations from Fowler: Fintech firms should implement end-to-end encryption, conduct regular security audits, and practice data minimization to reduce the risk of fraud, identity theft, and social engineering.
4. OrpaCrab: A Sophisticated Linux-Based Backdoor
[10:50] Dave Bittner: "Researchers at QiAnXin XLab have unearthed OrpaCrab, a sophisticated Linux-based backdoor targeting industrial systems linked to fuel services."
- Technical Insights: Discovered in January 2024, OrpaCrab uses the MQTT protocol for command and control (C2), blending its traffic with legitimate machine-to-machine communications.
- Persistence Mechanism: The malware maintains persistence through startup scripts, encrypts its configuration data, and uses DNS over HTTPS to evade detection.
- Attribution: Linked to the CyberAv3ngers group, OrpaCrab has potentially compromised Gasboy fuel systems, threatening payment terminals and the integrity of customer data.
5. BlackLock Ransomware Group's Infrastructure Breach
[14:30] Dave Bittner: "Cybersecurity firm Resecurity identified a critical vulnerability in BlackLock Ransomware's data leak site, allowing infiltration of their infrastructure."
- Breach Details: The vulnerability let Resecurity's Hunter team access BlackLock's operations, network configuration, and storage methods, including the use of Mega accounts for data exfiltration.
- Impact: BlackLock had compromised at least 46 organizations globally across multiple sectors before the breach.
- Rival Exploitation: In early 2025 the rival ransomware group DragonForce exploited similar vulnerabilities, leading to the defacement and shutdown of BlackLock's data leak site.
- Implications: The episode highlights the volatile nature of cybercriminal enterprises and the ongoing conflict between competing ransomware factions.
6. Critical Vulnerabilities in Solar Inverters
[18:00] Dave Bittner: "Researchers at Forescout's Vedere Labs uncovered 46 critical vulnerabilities in solar inverters from top manufacturers like Sungrow, Growatt, and SMA."
- Vulnerability Types:
  - Remote Code Execution (RCE): SMA's Sunny Portal allows RCE through malicious file uploads.
  - API Exploits: Growatt inverters suffer from easily exploitable APIs.
  - Architectural Flaws: Sungrow's inverters have multiple vulnerabilities, including stack overflows and hard-coded credentials.
- Potential Risks:
  - Grid Disruption: Attackers could remotely control inverter fleets, destabilizing power grids.
  - Privacy Breaches: Compromised smart devices and hijacked user data.
  - Ransomware: Ransomware attacks leveraging these vulnerabilities.
- Vendor Response: All affected vendors have issued patches, underscoring the urgent need for stronger security in renewable energy infrastructure.
7. Evolution of Credential Stuffing with Atlantis AIO
[21:10] Dave Bittner: "Credential stuffing has evolved with the advent of Atlantis AIO, an advanced automation tool facilitating mass account compromises."
- Tool Capabilities: Atlantis AIO lets attackers rapidly test millions of stolen credentials against cloud platforms and email services with minimal expertise.
- Evasion Techniques: It uses rotating proxies and distributed login attempts to bypass traditional detection mechanisms.
- Underground Adoption: Since early 2025, Atlantis AIO has gained traction on underground forums, enabling both novice and experienced attackers to carry out large-scale account takeovers, data theft, and fraud.
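Rotating proxies defeat the classic "N failures from one IP" rule because each source address makes only one or two attempts. The defensive counter is to aggregate by target service and time window instead of by source, and alert when many distinct usernames fail from many distinct IPs at once. The following is an added example, not code from the podcast or from any vendor: a small detector that parses constructed authentication log lines (the log format, service names, usernames and TEST-NET addresses are all made up for the example) and reports windows that show the distributed stuffing shape, including the per-IP attempt count that explains why a per-source threshold would have missed it.

```python
"""Detect distributed credential stuffing in authentication logs.

Added example, not from the podcast. The log format and every line below are
constructed. Per-IP thresholds miss proxy-rotating tools, so this detector
buckets events by (service, time window) and looks for many distinct users
failing from many distinct sources at once.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> service=<svc> user=<u> src=<ip> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)
_EPOCH = datetime(2000, 1, 1)  # arbitrary fixed origin for window alignment


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=20,
                    min_ips=10, min_fail_ratio=0.8):
    """Return one alert dict per (service, window) that looks like distributed stuffing."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        idx = (event["ts"] - _EPOCH) // window          # integer window index
        buckets[(event["service"], _EPOCH + idx * window)].append(event)

    alerts = []
    for (service, start), events in sorted(buckets.items()):
        users = {e["user"] for e in events}
        ips = Counter(e["src"] for e in events)
        fails = sum(1 for e in events if e["result"] == "FAIL")
        ratio = fails / len(events)
        if len(users) >= min_users and len(ips) >= min_ips and ratio >= min_fail_ratio:
            alerts.append({
                "service": service,
                "window_start": start.isoformat(),
                "unique_users": len(users),
                "unique_ips": len(ips),
                "fail_ratio": round(ratio, 2),
                # Low value here is the tell: each proxy IP barely repeats.
                "max_attempts_per_ip": max(ips.values()),
            })
    return alerts


def build_sample_lines():
    """Constructed sample: a stuffing burst against 'mail' plus benign 'portal' logins."""
    base = datetime(2025, 3, 20, 10, 0, 0)
    lines = []
    # Attack: 30 different accounts, each tried once, from 30 different proxy IPs.
    for i in range(30):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} service=mail user=user{i:03d}@example.test "
                     f"src=203.0.113.{i + 1} result=FAIL")
    # Benign: a few real users, one mistyped password, each from their own address.
    benign = [("alice", "SUCCESS"), ("bob", "FAIL"), ("bob", "SUCCESS"), ("carol", "SUCCESS")]
    for i, (user, result) in enumerate(benign):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} service=portal user={user} "
                     f"src=198.51.100.{i + 1} result={result}")
    return lines


if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_lines()):
        print(alert)
```

Running the block reports a single alert for the `mail` service with 30 users, 30 IPs, a failure ratio of 1.0 and `max_attempts_per_ip` of 1; the `portal` traffic, with its one legitimate mistyped password, stays below every threshold. Tune `min_users` and `min_ips` to the service's normal concurrency before deploying such a rule.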
8. CISA Updates on Sitecore CMS Vulnerabilities
[24:25] Dave Bittner: "The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Sitecore CMS vulnerabilities to its Known Exploited Vulnerabilities catalog."
- Vulnerability Details:
  - Unauthenticated RCE: Exploits a deserialization flaw in Sitecore's Security Anti-CSRF module.
  - Authenticated Exploitation: Uses the same attack vector but requires authentication.
- Affected Versions: All Sitecore versions up to 9.1.0 are affected.
- CISA's Directive: Federal agencies must apply the available patches or implement temporary access restrictions by April 16 to mitigate these vulnerabilities.
9. UK's National Crime Agency Warns of Sadistic Cybercrime Groups
[27:40] Dave Bittner: "The UK's National Crime Agency (NCA) has issued a stark warning about the rise of online groups involved in sadistic cybercrime and real-world violence."
- Group Characteristics:
  - Demographics: Predominantly teenage males.
  - Activities: Sharing extremist, violent, and child abuse content; committing phishing, SIM swapping, ransomware attacks, and fraud.
  - Increase in Threats: A six-fold increase in reported threats between 2022 and 2024.
- NCA's Concerns:
  - Youth Involvement: A surge in homegrown youth participation poses new challenges, even though foreign actors such as those from Russia still dominate.
  - Digital Spaces: These groups operate in mainstream digital environments rather than hidden dark web forums.
  - Victim Impact: Grooming of young girls into self-harm or abuse.
- Law Enforcement Actions: Recent convictions underline the severity of these groups and the need for vigilant monitoring and intervention.
10. Arrests Linked to Ghost Encrypted Communication Platform
[30:55] Dave Bittner: "Authorities have arrested 12 individuals linked to the now-defunct Ghost encrypted communication platform."
- Background: Ghost, launched in 2015, offered "ultra-secure" messaging through modified smartphones with layered encryption and self-destructing messages. It was dismantled in September 2024 in a Europol-led international operation.
- Criminal Activities: Used by organized crime groups to coordinate drug shipments between Spain and Ireland, specifically cocaine and marijuana smuggling via vehicles with hidden compartments and cloned license plates.
- Investigation Outcome: Despite Ghost's strong encryption, investigators traced user accounts to suspects, leading to the arrests. The takedown had already resulted in 52 arrests worldwide, including the alleged administrator. Europol expects further arrests as digital evidence is analyzed.
11. Interview with Tal Skverer on OWASP NHI Top 10 Framework
[13:19] Dave Bittner: "My conversation with Tal Skverer focuses on the OWASP NHI Top 10 framework and the emerging challenges of non-human identities in cybersecurity."
Key Insights from Tal Skverer:
- OWASP's Evolution: Originally known for the Top 10 Web Application Security Risks, OWASP has expanded into projects such as Mobile Security, API Security, and, more recently, the LLM Top 10, which addresses risks posed by large language models and AI agents.
- Focus on Non-Human Identities (NHIs): With the growth of automated processes and cloud services, NHIs have become increasingly prevalent, often outnumbering human identities by ratios of 1:20 to 1:50.
- Top Risk – Improper Offboarding:
  - Description: Failure to disable or remove non-human identities when they are no longer needed or when the human users associated with them leave the organization.
  - Real-World Example: A forgotten service account on a Kubernetes cluster remains active, providing unauthorized access to the entire cluster.
  - Mitigation Strategies:
    - Implement Robust Offboarding Processes: Ensure that all non-human identities are reviewed and handled appropriately during employee offboarding.
    - Automation: Integrate offboarding steps with HR systems to automatically rotate or deactivate NHIs.
- Importance of Addressing NHIs: As organizations rely more heavily on automation and cloud services, managing NHIs is critical to maintaining security posture and preventing unauthorized access.
Notable Quote:
[18:20] Tal Skverer: "The number one risk is improper offboarding... Anyone gaining access to your pod that contains this service account now has access to your entire cluster."
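The Kubernetes case above is a concrete instance of improper offboarding: a service account whose human owner has left, which nobody has used for months, and which is still bound to cluster-admin. The following is an added example, not code from the podcast, from OWASP or from Astrix, showing the kind of periodic review the mitigation bullets describe. Everything in it is constructed: the service-account inventory, the role bindings, the HR roster of active employees, and the "last authenticated" timestamps. The owner annotation key `example.test/owner` is an assumed naming convention, and the assumption that last-use data is available comes from an audit-log pipeline that this example does not implement.

```python
"""Find Kubernetes service accounts that should have been offboarded.

Added example, not from the podcast, OWASP or Astrix. The inventory, bindings,
HR roster and last-seen timestamps are constructed. In a real cluster the
inventory would come from the ServiceAccount objects, the bindings from
RoleBindings/ClusterRoleBindings, and last-seen data from API server audit
logs (assumption: the pipeline records system:serviceaccount:<ns>:<name>).
"""
from datetime import datetime, timedelta

# Assumed convention: every service account carries an annotation naming its human owner.
OWNER_ANNOTATION = "example.test/owner"
# Constructed HR roster: people who still work here.
ACTIVE_EMPLOYEES = {"alice@example.test", "carol@example.test"}


def audit_service_accounts(service_accounts, bindings, last_seen, active_employees,
                           now, stale_after=timedelta(days=90)):
    """Return one finding per service account that is orphaned, stale, or both.

    A finding is raised when the owner is missing or has left, or when the
    account has not authenticated within `stale_after`. Accounts bound to
    cluster-admin are escalated to high severity because, as the interview
    notes, a token for such an account is a key to the whole cluster.
    """
    findings = []
    for sa in service_accounts:
        key = f"{sa['namespace']}/{sa['name']}"
        owner = sa.get("annotations", {}).get(OWNER_ANNOTATION)
        roles = sorted(b["role"] for b in bindings if b["subject"] == key)
        seen = last_seen.get(key)

        reasons = []
        if owner is None:
            reasons.append("no owner annotation")
        elif owner not in active_employees:
            reasons.append(f"owner {owner} has left")
        if seen is None:
            reasons.append("never authenticated")
        elif now - seen > stale_after:
            reasons.append(f"unused for {(now - seen).days} days")

        if not reasons:
            continue
        if "cluster-admin" in roles:
            reasons.append("bound to cluster-admin")
        findings.append({
            "account": key,
            "roles": roles,
            "reasons": reasons,
            "severity": "high" if "cluster-admin" in roles else "medium",
            "action": "revoke tokens, then rotate or delete after owner review",
        })
    return findings


def build_sample():
    """Constructed inventory: one orphaned admin account, one ownerless unused account, two healthy ones."""
    now = datetime(2025, 3, 27)
    service_accounts = [
        {"namespace": "ci", "name": "deploy-bot",
         "annotations": {OWNER_ANNOTATION: "bob@example.test"}},   # bob is no longer on the roster
        {"namespace": "prod", "name": "metrics-reader",
         "annotations": {OWNER_ANNOTATION: "alice@example.test"}},
        {"namespace": "dev", "name": "scratch", "annotations": {}},  # nobody owns it, never used
        {"namespace": "prod", "name": "api",
         "annotations": {OWNER_ANNOTATION: "carol@example.test"}},
    ]
    bindings = [
        {"subject": "ci/deploy-bot", "role": "cluster-admin"},
        {"subject": "prod/metrics-reader", "role": "view"},
        {"subject": "prod/api", "role": "edit"},
    ]
    last_seen = {
        "ci/deploy-bot": now - timedelta(days=200),
        "prod/metrics-reader": now - timedelta(days=1),
        "prod/api": now - timedelta(hours=2),
    }
    return service_accounts, bindings, last_seen, now


if __name__ == "__main__":
    sas, binds, seen, now = build_sample()
    for finding in audit_service_accounts(sas, binds, seen, ACTIVE_EMPLOYEES, now):
        print(finding)
```

On the sample, `ci/deploy-bot` is reported at high severity (departed owner, 200 days idle, cluster-admin) and `dev/scratch` at medium (no owner, never used), while the two accounts with active owners and recent use pass. Wiring the `active_employees` set to the HR system's leaver feed is what turns this one-off review into the automated offboarding the interview recommends.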
12. Tribute to Matt Stevenson
[23:50] Dave Bittner: "The cybersecurity community mourns the loss of Matt Stevenson, a vibrant and influential figure known for his charismatic presence and impactful contributions."
- Personal Remembrance: Matt was celebrated for his bold style, including his signature bow ties and curated sneakers. Described as "the voice," he left a lasting impression on colleagues and peers through his charisma and genuine connections.
- Professional Legacy: Matt made cybersecurity approachable and enjoyable, building connections through shared interests in music, comics, and technology. His storytelling and enthusiasm helped humanize the field.
- Final Moments: Matt's life was portrayed as a celebration of connections, adventures, and unwavering loyalty, leaving behind cherished memories and a quieter cybersecurity landscape.
Notable Tribute:
[23:50] Dave Bittner: "The cybersecurity world is quieter today without Matt's booming voice, his trademark style, and his unshakable warmth... Rest well, Matt Stevenson. You were unforgettable."
Conclusion
This episode of CyberWire Daily offers a comprehensive look into the evolving landscape of cybersecurity threats and defenses. From the resurgence of sophisticated hacking groups to critical vulnerabilities in emerging technologies, the discussions underscore the necessity for robust security measures and proactive threat intelligence. The interview with Tal Skverer provides valuable insights into managing non-human identities, a growing concern in today's automated environments. Additionally, the heartfelt tribute to Matt Stevenson serves as a poignant reminder of the human element within the cybersecurity community.
For more detailed stories and updates, listeners are encouraged to visit CyberWire Daily Briefing.
Transcript timestamps are approximate and based on the provided transcript content.
