CyberWire Daily: Episode Summary - "Remote Hijacking at Your Fingertips"
Release Date: March 19, 2025
Host: N2K Networks
Introduction
In the March 19, 2025 episode of CyberWire Daily, host Dave Bittner delves into the evolving landscape of cybersecurity threats, highlighting critical vulnerabilities, sophisticated cybercriminal alliances, and the rising impact of artificial intelligence in cyber attacks. The episode also features an insightful segment on the ISACA Certified Information Security Manager (CISM) exam, providing valuable tips for security professionals.
Critical Vulnerabilities and Exploits
1. AMI's MegaRAC BMC Vulnerability
Timestamp: [00:02]
Dave Bittner introduces a significant vulnerability in the MegaRAC Baseboard Management Controller (BMC) software from American Megatrends International (AMI). The flaw allows attackers to hijack and potentially disable vulnerable servers remotely. Major server vendors such as HPE, ASUS, and ASRock use MegaRAC BMC, so the impact is widespread.
Dave Bittner: “The flaw allows remote attackers to take full control of affected servers, deploy malware, corrupt firmware, or even cause physical damage.”
[02:15]
Security firm Eclypsium discovered the vulnerability while analyzing patches for previous issues and found over 1,000 exposed servers online. Although no active exploitation has been detected yet, experts warn that creating an exploit is straightforward. Administrators are urged to apply the patches released on March 11 and remain vigilant for any suspicious activity.
2. Critical PHP Vulnerability
Timestamp: [13:45]
Bitdefender Labs reports an actively exploited PHP vulnerability affecting installations running in CGI mode. The flaw permits arbitrary code execution through manipulated character encoding conversions, and attackers are using it to deploy cryptocurrency miners such as XMRig and remote access tools such as Quasar RAT.
Bitdefender Labs: “Attackers use living off the land techniques to evade detection, sometimes even modifying firewall rules to block competitors.”
[14:10]
Exploitation predominantly targets systems in Taiwan, Hong Kong, Brazil, Japan, and India. PHP developers have released patches, and organizations are advised to update immediately, adopt more secure architectures, restrict PowerShell access, and enhance monitoring to prevent severe attacks.
3. Fortinet Vulnerability Exploitation
Timestamp: [23:50]
The Cybersecurity and Infrastructure Security Agency (CISA) confirms active exploitation of a critical vulnerability in Fortinet's FortiOS and FortiProxy products. The flaw allows attackers to gain super admin privileges via crafted proxy requests. Exploitation has been linked to the Mora_001 ransomware group, which is deploying a new strain named SuperBlack.
Dave Bittner: “Organizations are urged to patch Fortinet devices and ensure they're using a secure version of the GitHub action to prevent further exploitation.”
[25:00]
Additionally, a supply chain compromise of the tj-actions/changed-files GitHub Action exposed CI/CD secrets in over 23,000 organizations, emphasizing the need for immediate remediation.
Cyber Threat Alliances
1. Europol’s Report on State-Backed Alliances
Timestamp: [04:35]
Europol's latest report reveals a shadow alliance between state-backed threat actors and cybercriminals, significantly amplified by artificial intelligence. These hybrid groups, particularly those from Russia, engage in ransomware, data theft, and AI-driven disinformation campaigns to destabilize Europe while maintaining plausible deniability.
Europol: “AI is making attacks more scalable and harder to detect, enabling deepfake-powered social engineering, automated fraud, and AI-driven cyber attacks.”
[05:00]
The report warns of the potential for fully autonomous criminal networks as AI technology advances, urging governments and businesses to develop defensive AI tools to counteract these sophisticated threats.
Phishing and Scam Campaigns
1. Sekoia's ClearFake Analysis
Timestamp: [06:10]
Sekoia analyzes ClearFake, a malicious JavaScript framework deployed on compromised websites to deliver malware via drive-by downloads. The latest variant targets users involved in Web3 technologies, including cryptocurrency, decentralized finance, and NFTs.
Sekoia: “This campaign employs fake Google Meet pages that prompt users to fix non-existent technical issues, leading them to execute malicious code.”
[06:30]
The operation is linked to the cybercriminal groups Slavic Nation Empire and ScamQuerteo, which use advanced social engineering tactics and shared infrastructure to maximize their reach.
2. LayerX’s Scareware Phishing Campaign
Timestamp: [10:05]
Israeli cybersecurity firm LayerX reports a shift in scareware phishing campaigns from Windows to macOS users. Previously, attackers deceived Windows users into believing their systems were compromised and redirected them to phishing pages hosted on Microsoft's windows.net platform.
LayerX: “The attackers adapted, modifying their tactics to target macOS users, particularly those using Safari.”
[10:45]
By exploiting typosquatted domains and compromised sites, attackers now use fake Apple login pages to steal credentials, posing a significant threat to enterprises through potential widespread data exposure.
3. Phishing as a Service Surge
Timestamp: [12:20]
Barracuda detects over a million phishing-as-a-service (PhaaS) attacks in 2025, with platforms such as Tycoon2FA, EvilProxy, and Sneaky2FA leading the surge. Tycoon2FA accounts for 89% of these attacks and relies on advanced evasion tactics such as encryption and obfuscation.
Barracuda: “Users should watch for suspicious URLs and unexpected MFA prompts.”
[12:45]
Sneaky2FA, operated by the Sneaky Log group, primarily targets Microsoft 365 users. It uses Telegram bots for adversary-in-the-middle attacks and abuses Microsoft's auto-fill functions to pre-populate phishing pages with victim credentials.
AI and Security
1. AI-Driven Malware via Jailbreak Technique
Timestamp: [14:30]
A researcher from Cato CTRL uncovers a new jailbreak technique named Immersive World, which bypasses security controls in AI models such as ChatGPT, Copilot, and DeepSeek. The technique enables the generation of AI-created malware without requiring prior coding experience.
Cato CTRL Researcher: “The Immersive World jailbreak serves as a stark reminder of AI's dual-use nature, both as a tool for innovation and a weapon for cybercrime.”
[15:00]
The discovery highlights the growing risks associated with AI in finance, healthcare, and technology sectors, where data breaches, misinformation, and automated malware generation are escalating. Experts emphasize that traditional security strategies may no longer suffice, advocating for the development of advanced defensive measures.
Malware Discoveries
1. StilachiRAT by Microsoft
Timestamp: [16:00]
Microsoft has identified StilachiRAT, a stealthy and persistent remote access trojan designed to steal sensitive data from compromised systems. First detected in November 2024, StilachiRAT is not yet widely distributed but poses significant risks.
Microsoft: “It profiles infected systems, steals credentials from Chrome, monitors cryptocurrency wallets, and tracks clipboard content for valuable data.”
[16:25]
The malware can spy on RDP sessions, enabling lateral movement within networks, and uses techniques such as clearing event logs and obfuscating Windows API calls to evade detection. Organizations and individuals are urged to maintain vigilance and implement robust security measures to mitigate the threat.
CertByte Segment: CISM Exam Insights
Timestamp: [15:51]
In the CertByte segment, Chris Hare and Troy McMillan discuss the ISACA Certified Information Security Manager (CISM) exam, offering strategies and clarifications for candidates.
Exam Strategy and Q&A
- Question Breakdown: Troy poses a multiple-choice question about developing an information security strategy without an existing framework. The correct approach is to refer to industry standards.
Troy McMillan: “The manager can refer to industry standards.”
[17:24]
- CISM vs. CISSP: Troy explains that while CISSP covers both technical and managerial aspects, CISM is primarily manager-oriented, making it suitable for IT managers focusing on security governance and strategy.
- Exam Updates: The CISM exam is expected to receive an update around 2026 or 2027, as exams are typically revised every four to five years.
Study Tips
- Managerial Focus: Troy advises candidates to “think managerial” when approaching exam questions, selecting answers that reflect high-level strategic thinking over technical details.
Troy McMillan: “If you're looking at an item and some of the answer options are technical in nature and the others are somewhat managerial or high level, probably the managerial option is going to be the better one to select.”
[21:35]
Upcoming Practice Tests
Chris and Troy highlight new practice tests for certifications including CompTIA Tech+, AWS Certified AI Practitioner, and Azure AI Engineer Associate, with more to be released shortly.
Conclusion
The episode concludes with a reminder of the ever-evolving cyber threats and the necessity for organizations to stay ahead through vigilant security practices and continuous learning. Dave Bittner emphasizes the importance of adopting advanced security measures to counteract sophisticated attacks and protect valuable assets.
Dave Bittner: “Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity.”
[26:59]
Listeners are encouraged to engage with the CyberWire Daily for ongoing updates and insights to remain a step ahead in the rapidly changing world of cybersecurity.
Notable Quotes:
- Dave Bittner: “AI is making attacks more scalable and harder to detect, enabling deepfake-powered social engineering, automated fraud and AI-driven cyber attacks.”
[05:00]
- Europol: “Criminals don't need perfect AI to succeed, just good enough to bypass security and deceive users.”
[05:15]
- Microsoft: “StilachiRAT profiles infected systems, steals credentials from Chrome, monitors cryptocurrency wallets, and tracks clipboard content for valuable data.”
[16:25]
This summary encapsulates the key discussions, insights, and conclusions from the "Remote Hijacking at Your Fingertips" episode of CyberWire Daily, providing an overview for listeners and for those unable to tune in.
