CyberWire Daily Podcast Summary Episode Title: No Click, All Tricks
Release Date: March 26, 2025
Host: Dave Bittner | Produced by N2K Networks

Introduction

On March 26, 2025, the CyberWire Daily episode titled "No Click, All Tricks" delved into a range of pressing cybersecurity issues, from newly discovered vulnerabilities to sophisticated cyber-espionage campaigns. The episode also featured an insightful interview with Brian Levine, CEO of FormerGov.com, and highlighted the UK's National Cyber Security Centre (NCSC) innovative approach to promoting two-factor authentication (2FA).

Security News Highlights

1. New Windows Zero-Day Vulnerability

A critical zero-day vulnerability has been uncovered affecting all Windows versions from Windows 7 and Server 2008 R2 through to Windows 11 and Server 2025. Researchers at Zero Patch identified that this flaw enables attackers to steal NTLM authentication credentials without requiring user interaction—"No clicks required," as highlighted by Dave Bittner at [00:02].

• Technical Details: The vulnerability can be exploited via shared folders, USB drives, or maliciously downloaded files, allowing unauthorized access by manipulating Windows Explorer.
• Response: Zero Patch has released temporary micro patches, offering protection free of charge until Microsoft provides an official fix. This marks the fourth zero-day vulnerability identified by the same research team.
• Impact: The patches are designed for a broad array of Windows systems and are deployable automatically without necessitating a system reboot.

2. Covert Chinese-Linked Network Targeting Former US Government Workers

Researchers uncovered a covert network, allegedly linked to China, targeting recently laid-off US government employees through deceptive job advertisements. Max Lesser reported that these fake consulting firms, such as River Merge Strategies, disseminate job ads requiring government experience to harvest sensitive information.

• Deployment Channels: The fraudulent ads appeared on platforms like LinkedIn and Craigslist before being removed.
• Government Response: U.S. officials likened these tactics to past Chinese espionage operations, with the FBI confirming that foreign intelligence frequently employs fake recruiters to exploit former federal employees.
• National Security Concerns: The scheme raises significant national security alarms, especially amidst recent federal workforce reductions.

3. Malicious NPM Packages Injecting Reverse Shell Backdoors

Reversing Labs discovered two malicious NPM packages that inject persistent reverse shell backdoors into legitimate local packages. These backdoors remain active even after the removal of the malicious packages, posing a stealthy and dangerous threat to developers.

• Mechanism: The attack involves replacing files in the popular ETHERS package with Trojanized versions that retrieve additional payloads from remote servers.
• Developer Advisory: Developers are urged to meticulously scan their environments and validate the legitimacy of the packages they utilize to mitigate this threat.

4. Evolution of macOS Malware Loader “Reader Update”

SentinelOne reported an evolution in the macOS malware loader known as "Reader Update," now existing in five variants compiled using Python, Crystal, Nim, Rust, and Go.

• Original Deployment: Initially observed in 2020, it primarily deployed Genio adware.
• Current Capabilities: The Go variant can collect system information and execute remote commands, indicating potential for more severe malware applications under a Malware-as-a-Service model.
• Distribution: The malware now spreads through Trojanized software installers hosted on third-party download sites.

5. Global Draytek Router Disruptions

A surge of disruptions affecting Draytek routers has been reported globally, causing devices to enter persistent reboot loops. This issue, commencing around March 22, is linked to the exploitation of known vulnerabilities in Draytek firmware.

• Vulnerabilities Exploited: The attacks target three Draytek flaws, including remote code execution and directory traversal bugs.
• Affected Regions: The disruptions span the UK, Vietnam, Germany, and other countries.
• Mitigation Steps: Users are advised to disconnect from the WAN, update firmware immediately, disable remote access features, enable 2FA, and apply Access Control Lists (ACLs).

6. Growing Cyber Risks to the Commercial Space Sector

The European Union's cybersecurity agency, ENISA, released a comprehensive Space Threat Landscape Report highlighting escalating cyber risks in the commercial space sector.

• Critical Services Supported: Over 10,000 satellites provide essential services such as internet access, logistics tracking, and remote monitoring.
• Identified Vulnerabilities: These include weaknesses from commercial off-the-shelf components, legacy systems, inadequate encryption, and human error.
• Recommendations: ENISA advocates for security by design, robust encryption, regular patching, and the adoption of zero-trust principles to safeguard against increasingly sophisticated digital threats.

7. CISA Issues Four ICS Advisories

The Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories addressing critical vulnerabilities in products from ABB, Rockwell Automation, and Inaba Denki Sangyo.

• Severity: Vulnerabilities have CVSS scores reaching up to 9.3, capable of enabling denial-of-service (DoS) attacks, device takeovers, or unauthorized system access.
• Patch Status: While ABB and Rockwell have issued patches, Inaba Denki Sangyo's devices remain unpatched.
• Protective Measures: CISA recommends immediate firmware updates, network segmentation, restricting physical access, and securing remote access to protect critical infrastructure.

8. Arrest in Multimillion-Dollar Cryptocurrency Heist

U.S. Marshals apprehended Veer Sheetal, aka "Whiz," a central figure in a $243 million cryptocurrency heist that unfolded in September 2024.

• Modus Operandi: The scam involved phishing tactics where perpetrators impersonated support teams from Google and Gemini to deceive victims into resetting their 2FA, subsequently allowing the theft of crypto holdings.
• Investigation: Blockchain investigator ZacxBT traced the stolen funds, revealing laundering activities that funded an opulent lifestyle for the conspirators.
• Implications: This case underscores the paramount importance of robust personal cybersecurity practices, as Brian Levine emphasized the irreplaceable role of user vigilance against sophisticated phishing threats.

Interview: Brian Levine, Co-Founder and CEO of FormerGov.com

Timestamp: [11:29] - [20:44]

Dave Bittner engages in a conversation with Brian Levine, who shares his journey and the rationale behind launching FormerGov.com—a specialized networking directory for former government and military professionals.

• Background of Brian Levine:

  • Former cybercrime Prosecutor with the U.S. Department of Justice.
  • National coordinator for over 300 cybercrime prosecutors across the country.
  • Maintains a vast network with approximately 13,000 LinkedIn connections.

• Genesis of FormerGov.com:

  • Faced challenges in fulfilling referral requests for specific former government professionals, leading Levine to recognize a gap in existing networking tools.
  • Quote [12:34]: "The problem is actually the Internet. And what he meant by that was that Internet search, AI search, all of these tools that we use, they're all looking for structured data. And everybody is naturally structuring their data based on what they currently do, not what they used to do."

• Platform Features:

  • A comprehensive directory enabling easy search and discovery of former government and military personnel based on their past roles and expertise.
  • Structured profiles that detail former positions, facilitating connections for consultancy, media inquiries, and more.

• Value Proposition:

  • Quote [15:21]: "If you can find someone who has the most direct knowledge as possible because they're going to be the most helpful and the most insightful."
  • Addresses the inefficiencies of traditional job boards by offering a passive, searchable repository that connects demand with specialized expertise effortlessly.

• Market Need:

  • Quote [17:06]: "We are trying to make this very simple. We're trying to make this a directory, a place to find and be found."
  • Recognizes that former government employees often have reduced visibility post-service and lack effective channels for business development.

• Timeliness and Relevance:

  • Amidst significant workforce changes in Washington D.C., FormerGov.com emerges as a timely resource to support the influx of former government professionals seeking new opportunities.

UK’s NCSC Goes Full Influencer to Promote Two-Factor Authentication

The UK's National Cyber Security Centre (NCSC) has adopted an unconventional strategy to bolster cyber resilience by partnering with social media influencers to advocate for two-factor authentication (2FA).

• Campaign Approach:

  • Utilizes Instagram skits and TikTok sketches featuring comedy creators who parody hacker clichés, ultimately emphasizing the importance of 2FA.

• Messaging Highlights:

  • Funny Scenarios: Hackers frustrated by the simplicity and effectiveness of 2FA, depicted humorously to engage a broader audience.
  • Serious Reminders: Influencer Millennial Money UK underscores the dangers of weak passwords and the necessity of 2FA with a more earnest tone.

• Strategic Objective:

  • Transition from traditional, often mundane cybersecurity tips to engaging, relatable content that resonates with the general public, thereby increasing adoption rates of 2FA.

• Impact and Reception:

  • While the campaign's effectiveness remains to be fully assessed, it represents a significant shift in the NCSC's communication strategy, aiming to reach diverse demographics through popular social media platforms.

Conclusion

The "No Click, All Tricks" episode of CyberWire Daily encapsulated a spectrum of critical cybersecurity developments, from emergent threats and vulnerabilities to innovative mitigation strategies and community-driven solutions. The interview with Brian Levine provided a deeper understanding of the challenges faced by former government professionals in the private sector and introduced a promising platform to bridge that gap. Additionally, the NCSC's creative approach to promoting 2FA highlights the evolving tactics necessary to enhance cybersecurity awareness and adoption in an increasingly digital world.

For a comprehensive overview of today’s stories and more, listeners are encouraged to visit the CyberWire Daily Briefing.

Notable Quotes:

• "No clicks required." – Dave Bittner [00:02]
• "If you can find someone who has the most direct knowledge as possible because they're going to be the most helpful and the most insightful." – Brian Levine [15:21]
• "The problem is actually the Internet. And what he meant by that was that Internet search, AI search, all of these tools that we use, they're all looking for structured data..." – Brian Levine [12:34]

Credits:

• Host: Dave Bittner
• Producer: Liz Stokes
• Senior Producer: Alice Carruth
• Executive Producer: Jennifer Ivan
• Publisher: Peter Kilpe
• Sound Design: Elliot Peltzman
• Mixed by: Trey Hester

For further details and to share feedback, visit CyberWire Daily or connect via email at cyberwire@thecyberwire.com.