No click, all tricks. - CyberWire Daily

Summary

CyberWire Daily Podcast Summary Episode Title: No Click, All Tricks
Release Date: March 26, 2025
Host: Dave Bittner | Produced by N2K Networks

Introduction

On March 26, 2025, the CyberWire Daily episode titled "No Click, All Tricks" delved into a range of pressing cybersecurity issues, from newly discovered vulnerabilities to sophisticated cyber-espionage campaigns. The episode also featured an insightful interview with Brian Levine, CEO of FormerGov.com, and highlighted the UK's National Cyber Security Centre (NCSC) innovative approach to promoting two-factor authentication (2FA).

Security News Highlights

1. New Windows Zero-Day Vulnerability

A critical zero-day vulnerability has been uncovered affecting all Windows versions from Windows 7 and Server 2008 R2 through to Windows 11 and Server 2025. Researchers at Zero Patch identified that this flaw enables attackers to steal NTLM authentication credentials without requiring user interaction—"No clicks required," as highlighted by Dave Bittner at [00:02].

Technical Details: The vulnerability can be exploited via shared folders, USB drives, or maliciously downloaded files, allowing unauthorized access by manipulating Windows Explorer.
Response: Zero Patch has released temporary micro patches, offering protection free of charge until Microsoft provides an official fix. This marks the fourth zero-day vulnerability identified by the same research team.
Impact: The patches are designed for a broad array of Windows systems and are deployable automatically without necessitating a system reboot.

2. Covert Chinese-Linked Network Targeting Former US Government Workers

Researchers uncovered a covert network, allegedly linked to China, targeting recently laid-off US government employees through deceptive job advertisements. Max Lesser reported that these fake consulting firms, such as River Merge Strategies, disseminate job ads requiring government experience to harvest sensitive information.

Deployment Channels: The fraudulent ads appeared on platforms like LinkedIn and Craigslist before being removed.
Government Response: U.S. officials likened these tactics to past Chinese espionage operations, with the FBI confirming that foreign intelligence frequently employs fake recruiters to exploit former federal employees.
National Security Concerns: The scheme raises significant national security alarms, especially amidst recent federal workforce reductions.

3. Malicious NPM Packages Injecting Reverse Shell Backdoors

Reversing Labs discovered two malicious NPM packages that inject persistent reverse shell backdoors into legitimate local packages. These backdoors remain active even after the removal of the malicious packages, posing a stealthy and dangerous threat to developers.

Mechanism: The attack involves replacing files in the popular ETHERS package with Trojanized versions that retrieve additional payloads from remote servers.
Developer Advisory: Developers are urged to meticulously scan their environments and validate the legitimacy of the packages they utilize to mitigate this threat.

4. Evolution of macOS Malware Loader “Reader Update”

SentinelOne reported an evolution in the macOS malware loader known as "Reader Update," now existing in five variants compiled using Python, Crystal, Nim, Rust, and Go.

Original Deployment: Initially observed in 2020, it primarily deployed Genio adware.
Current Capabilities: The Go variant can collect system information and execute remote commands, indicating potential for more severe malware applications under a Malware-as-a-Service model.
Distribution: The malware now spreads through Trojanized software installers hosted on third-party download sites.

5. Global Draytek Router Disruptions

A surge of disruptions affecting Draytek routers has been reported globally, causing devices to enter persistent reboot loops. This issue, commencing around March 22, is linked to the exploitation of known vulnerabilities in Draytek firmware.

Vulnerabilities Exploited: The attacks target three Draytek flaws, including remote code execution and directory traversal bugs.
Affected Regions: The disruptions span the UK, Vietnam, Germany, and other countries.
Mitigation Steps: Users are advised to disconnect from the WAN, update firmware immediately, disable remote access features, enable 2FA, and apply Access Control Lists (ACLs).

6. Growing Cyber Risks to the Commercial Space Sector

The European Union's cybersecurity agency, ENISA, released a comprehensive Space Threat Landscape Report highlighting escalating cyber risks in the commercial space sector.

Critical Services Supported: Over 10,000 satellites provide essential services such as internet access, logistics tracking, and remote monitoring.
Identified Vulnerabilities: These include weaknesses from commercial off-the-shelf components, legacy systems, inadequate encryption, and human error.
Recommendations: ENISA advocates for security by design, robust encryption, regular patching, and the adoption of zero-trust principles to safeguard against increasingly sophisticated digital threats.

7. CISA Issues Four ICS Advisories

The Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories addressing critical vulnerabilities in products from ABB, Rockwell Automation, and Inaba Denki Sangyo.

Severity: Vulnerabilities have CVSS scores reaching up to 9.3, capable of enabling denial-of-service (DoS) attacks, device takeovers, or unauthorized system access.
Patch Status: While ABB and Rockwell have issued patches, Inaba Denki Sangyo's devices remain unpatched.
Protective Measures: CISA recommends immediate firmware updates, network segmentation, restricting physical access, and securing remote access to protect critical infrastructure.

8. Arrest in Multimillion-Dollar Cryptocurrency Heist

U.S. Marshals apprehended Veer Sheetal, aka "Whiz," a central figure in a $243 million cryptocurrency heist that unfolded in September 2024.

Modus Operandi: The scam involved phishing tactics where perpetrators impersonated support teams from Google and Gemini to deceive victims into resetting their 2FA, subsequently allowing the theft of crypto holdings.
Investigation: Blockchain investigator ZacxBT traced the stolen funds, revealing laundering activities that funded an opulent lifestyle for the conspirators.
Implications: This case underscores the paramount importance of robust personal cybersecurity practices, as Brian Levine emphasized the irreplaceable role of user vigilance against sophisticated phishing threats.

Interview: Brian Levine, Co-Founder and CEO of FormerGov.com

Timestamp: [11:29] - [20:44]

Dave Bittner engages in a conversation with Brian Levine, who shares his journey and the rationale behind launching FormerGov.com—a specialized networking directory for former government and military professionals.

Background of Brian Levine:
- Former cybercrime Prosecutor with the U.S. Department of Justice.
- National coordinator for over 300 cybercrime prosecutors across the country.
- Maintains a vast network with approximately 13,000 LinkedIn connections.
Genesis of FormerGov.com:
- Faced challenges in fulfilling referral requests for specific former government professionals, leading Levine to recognize a gap in existing networking tools.
- Quote [12:34]: "The problem is actually the Internet. And what he meant by that was that Internet search, AI search, all of these tools that we use, they're all looking for structured data. And everybody is naturally structuring their data based on what they currently do, not what they used to do."
Platform Features:
- A comprehensive directory enabling easy search and discovery of former government and military personnel based on their past roles and expertise.
- Structured profiles that detail former positions, facilitating connections for consultancy, media inquiries, and more.
Value Proposition:
- Quote [15:21]: "If you can find someone who has the most direct knowledge as possible because they're going to be the most helpful and the most insightful."
- Addresses the inefficiencies of traditional job boards by offering a passive, searchable repository that connects demand with specialized expertise effortlessly.
Market Need:
- Quote [17:06]: "We are trying to make this very simple. We're trying to make this a directory, a place to find and be found."
- Recognizes that former government employees often have reduced visibility post-service and lack effective channels for business development.
Timeliness and Relevance:
- Amidst significant workforce changes in Washington D.C., FormerGov.com emerges as a timely resource to support the influx of former government professionals seeking new opportunities.

UK’s NCSC Goes Full Influencer to Promote Two-Factor Authentication

The UK's National Cyber Security Centre (NCSC) has adopted an unconventional strategy to bolster cyber resilience by partnering with social media influencers to advocate for two-factor authentication (2FA).

Campaign Approach:
- Utilizes Instagram skits and TikTok sketches featuring comedy creators who parody hacker clichés, ultimately emphasizing the importance of 2FA.
Messaging Highlights:
- Funny Scenarios: Hackers frustrated by the simplicity and effectiveness of 2FA, depicted humorously to engage a broader audience.
- Serious Reminders: Influencer Millennial Money UK underscores the dangers of weak passwords and the necessity of 2FA with a more earnest tone.
Strategic Objective:
- Transition from traditional, often mundane cybersecurity tips to engaging, relatable content that resonates with the general public, thereby increasing adoption rates of 2FA.
Impact and Reception:
- While the campaign's effectiveness remains to be fully assessed, it represents a significant shift in the NCSC's communication strategy, aiming to reach diverse demographics through popular social media platforms.

Conclusion

The "No Click, All Tricks" episode of CyberWire Daily encapsulated a spectrum of critical cybersecurity developments, from emergent threats and vulnerabilities to innovative mitigation strategies and community-driven solutions. The interview with Brian Levine provided a deeper understanding of the challenges faced by former government professionals in the private sector and introduced a promising platform to bridge that gap. Additionally, the NCSC's creative approach to promoting 2FA highlights the evolving tactics necessary to enhance cybersecurity awareness and adoption in an increasingly digital world.

For a comprehensive overview of today’s stories and more, listeners are encouraged to visit the CyberWire Daily Briefing.

Notable Quotes:

"No clicks required." – Dave Bittner [00:02]
"If you can find someone who has the most direct knowledge as possible because they're going to be the most helpful and the most insightful." – Brian Levine [15:21]
"The problem is actually the Internet. And what he meant by that was that Internet search, AI search, all of these tools that we use, they're all looking for structured data..." – Brian Levine [12:34]

Credits:

Host: Dave Bittner
Producer: Liz Stokes
Senior Producer: Alice Carruth
Executive Producer: Jennifer Ivan
Publisher: Peter Kilpe
Sound Design: Elliot Peltzman
Mixed by: Trey Hester

For further details and to share feedback, visit CyberWire Daily or connect via email at cyberwire@thecyberwire.com.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire Network, powered by N2K. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus with on demand courses and live training, you your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions and security teams worldwide. See it in action now@maltego.com Researchers uncover a new Windows zero day a covert Chinese linked network targets recently laid off US government workers. Malicious NPM packages are found injecting persistent reverse shell backdoors. A macOS malware loader evolves Draytek router disruptions affect users worldwide. A new report warns of growing cyber risks to the commercial space sector. CISA issues four ICS advisories U.S. marshals arrest a key suspect in a multimillion dollar cryptocurren heist our guest is Brian Levine, co founder and CEO of FormerGov.com, speaking about creating a networking directory for former government and military professionals and the UK's NCSC goes full influencer to promote 2fa it's Wednesday, March 26, 2025. I'm Dave Buett and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. A new zero day vulnerability affects all Windows versions from Windows 7 and Server 2008 R2 up through Windows 11 and Server 2025. Researchers at Zero Patch say the flaw allows attackers to steal NTLM authentication credentials just by tricking users into viewing a malicious file in Windows Explorer. No clicks required. It can be triggered through shared folders, USB drives or files downloaded from malicious websites. Though similar in impact to a previously recorded cve, this issue is technically distinct and previously undocumented. Security researchers have reported the flaw to Microsoft and released temporary micro patches via Zero Patch, free until an official fix is issued. This marks the fourth zero day from the same research team. The patches cover a broad range of Windows systems and deploy automatically with no reboot needed. A covert Chinese linked network is allegedly targeting recently laid off U.S. government workers with fake job ads aiming to gather sensitive information. Researcher Max Lesser found the campaign uses bogus consulting firms with overlapping websites and fake contact details. One firm, River Merge Strategies, posted ads for roles requiring government experience with connections traced to a Chinese tech company. Some ads ran on LinkedIn and Craigslist, but were later deleted. Reuters couldn't confirm if any hires occurred or direct ties to the Chinese government. U.S. officials warn these tactics mirror past Chinese espionage operations. The FBI confirmed that foreign intelligence often uses fake recruiters to exploit former federal workers. Financial vulnerability the firm's activity raises concerns about national security, especially amid recent federal workforce layoffs. Two malicious NPM packages were found injecting persistent reverse shell back doors into legitimate, locally installed packages. Even if the malicious packages were removed, the back door remains active, discovered by Reversing Labs. The attack replaces files in the popular ETHERS package with Trojanized versions that fetch further payloads from a remote server. The tactic is stealthy and dangerous, targeting developers through clever installer scripts. Additional linked packages were also identified. Developers are urged to scan environments and verify package legitimacy. The macOS malware loader reader update has evolved, now existing in five variants compiled in Python, Crystal, Nim, Rust, and go, according to SentinelOne. Originally seen in 2020, it still deploys the Genio adware, but now spreads through Trojanized software installers on third party download sites. The Go variant collects system information and can execute remote commands, hinting at broader malware potential. While current payloads are adware, Reader Update's design suggests it could be used for more serious threats under a Malware as a service model A wave of Draytek router disruptions is affecting users worldwide, causing devices to enter constant reboot loops. The issue began around March 22 and appears linked to the exploitation of known vulnerabilities. Security firm Graynoise observed active attacks on three Draytek flaws, including remote code execution and directory traversal bugs. Affected regions include the UK, Vietnam, Germany and others. ISPs confirm that outdated firmware is a key risk factor. Draytek urges users to disconnect from the WAN and update firmware immediately. Additional steps include disabling remote access features, enabling two factor authentication, and applying ACLs. The disruptions impact both consumers and businesses, with instability reported across various sectors. Security researchers continue to track live attacks, urging quick action to prevent further outages. The EU's cybersecurity agency ENISA has released a new Space Threat Landscape Report warning of growing cyber risks to the commercial space sector. With over 10,000 satellites in orbit, most privately owned space infrastructure now supports critical services like Internet access, logistics tracking and remote monitoring. Enisa warns that cyberattacks could trigger cascading effects from service disruptions to geopolitical tensions. The report highlights vulnerabilities from commercial off the shelf components, legacy systems, weak encryption and human error. ANISA recommends security by design, strong encryption, regular patching, and adopting zero trust principles. Despite space being classified as an essential sector under the NIS 2 directive, many operators still struggle with compliance. The report underscores the urgent need for robust cybersecurity as digital threats to space systems grow alongside sector expansion. CISA issued four ICS advisories revealing critical vulnerabilities in abb, Rockwell Automation, and Inaba Denki Sangyo products. Flaws with CVSS scores up to 9.3 could enable denial of service device takeovers or unauthorized access in systems used across oil, gas and manufacturing sectors. While ABB and Rockwell have released patches, Anaba Denki Sangyo's device remains unpatched. CISA urges immediate mitigation, including firmware updates, network segmentation, limiting physical access, and secure remote access to protect critical infrastructure. U.S. marshals have reportedly arrested Veer Sheetal, also known as Whiz, a key suspect in a $243 million cryptocurrency heist. According to blockchain investigator ZacxBT, the September 2024 scam involved phishing tactics where hackers impersonated Google and Gemini's support to trick a victim into resetting their two factor authentication. Sheetal, along with two co conspirators, then looted the victim's crypto holdings. Zach XBT traced the stolen funds and exposed how the group laundered money to fund a lavish lifestyle. Chetal's arrest marks a major breakthrough in the case. The incident highlights the critical need for strong personal cybersecurity practices. No software can replace user vigilance when facing sophisticated phishing threats. Investigations into the broader scam and remaining suspects are ongoing. Coming up after the break, my conversation with Brian Levine from about creating a networking directory for former government and military professionals and the UK's NCSC goes full influencer. Stay with us. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.