Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K. Cyber threats are more sophisticated than ever. Passwords. They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

A critical vulnerability could let attackers hijack and potentially disable vulnerable servers. Europol warns of a shadow alliance between state-backed threat actors and cybercriminals. Sekoia examines ClearFake. A critical PHP vulnerability is under active exploitation. A sophisticated scareware phishing campaign has shifted its focus to macOS users. Phishing-as-a-service attacks are on the rise. A new jailbreak technique bypasses security controls in popular LLMs. Microsoft has uncovered StilachiRAT. CISA confirms active exploitation of a critical Fortinet vulnerability. On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA Certified Information Security Manager exam. And AI coding assistants get judgy.

It's Wednesday, March 19, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief.

A critical vulnerability in American Megatrends International's MegaRAC baseboard management controller, that's AMI's BMC software, could let attackers hijack and potentially disable vulnerable servers. MegaRAC BMC, used by major server vendors like HPE, ASUS and ASRock, enables remote system management. The flaw allows remote attackers to take full control of affected servers, deploy malware, corrupt firmware, or even cause physical damage. Security firm Eclypsium discovered the flaw while analyzing patches for a previous vulnerability. Over 1,000 exposed servers were found online, and more devices may be affected. While no exploits have been detected in the wild, researchers warn that creating one is easy. Admins are urged to apply patches released on March 11 and monitor for suspicious activity, as patching is complex and requires downtime.

The latest report from Europol warns of a growing shadow alliance between state-backed threat actors and cybercriminals, with AI amplifying their impact. The EU Serious and Organised Crime Threat Assessment 2025 highlights how groups, especially from Russia, use cybercrime to destabilize Europe while maintaining deniability. These hybrid threats involve ransomware, data theft and AI-driven disinformation campaigns. AI is making attacks more scalable and harder to detect, enabling deepfake-powered social engineering, automated fraud and AI-driven cyberattacks. Europol warns that future AI advancements could lead to fully autonomous criminal networks. Experts stress the need for defensive AI tools to counteract these evolving threats. Criminals don't need perfect AI to succeed, just good enough to bypass security and deceive users. Europol urges governments and businesses to stay ahead in this digital arms race.

An interesting blog post from Sekoia examines ClearFake, a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. A recent variant has expanded its reach by exploiting Web3 technologies, targeting users involved in cryptocurrency, decentralized finance and NFTs. This campaign employs fake Google Meet pages that prompt users to fix non-existent technical issues, leading them to execute malicious code. Windows users are tricked into running scripts that download infostealers like StealC and Rhadamanthys, while macOS users receive the AMOS stealer. The operation is linked to the cybercriminal groups Slavic Nation Empire and Scamquerteo, both active in the Russian-speaking cybercrime ecosystem. These groups use sophisticated social engineering tactics and share infrastructure to maximize their reach.

A critical PHP vulnerability is being actively exploited to compromise Windows-based systems, according to Bitdefender Labs. The flaw, which affects PHP installations running in CGI mode, allows attackers to execute arbitrary code by manipulating character encoding conversions. Since June of last year, attackers have used it to deploy cryptocurrency miners like XMRig and remote access tools such as Quasar RAT. Most attacks target systems in Taiwan, Hong Kong and Brazil, with some in Japan and India. Attackers use living-off-the-land techniques to evade detection, sometimes even modifying firewall rules to block competitors in a cryptojacking rivalry. The PHP team has released patches, urging immediate updates. Organizations should switch to more secure architectures, restrict PowerShell access and enhance monitoring. With ransomware groups eyeing this vulnerability, proactive threat detection is essential to prevent severe attacks.

A sophisticated scareware phishing campaign has shifted its focus from Windows to macOS users, according to Israeli cybersecurity firm LayerX. Previously, the attackers tricked Windows users into believing their systems were locked due to a security breach. Victims were lured into entering their credentials on phishing pages hosted on Microsoft's windows.net platform, allowing attackers to bypass security checks. However, new anti-scareware features in Chrome, Firefox and Edge led to a 90% drop in Windows-targeted attacks. Within two weeks, the attackers adapted, modifying their tactics to target macOS users, particularly those using Safari. The phishing pages remained nearly identical but were adjusted to appear legitimate for Apple users. By exploiting domain typos and compromised sites, the attackers redirected victims to fake login pages. LayerX warns that this evolving campaign is a significant threat to enterprises, as compromised corporate accounts could lead to widespread data exposure.

Barracuda has detected over a million phishing-as-a-service attacks in 2025, with platforms like Tycoon2FA, EvilProxy, and the newly emerging Sneaky2FA leading the surge. Tycoon2FA dominates, accounting for 89% of attacks, while EvilProxy holds 8% and Sneaky2FA just 3%. Sneaky2FA, operated by the cybercrime group Sneaky Log, bypasses two-factor authentication and uses Telegram bots for adversary-in-the-middle attacks, primarily targeting Microsoft 365 users. Attackers leverage Microsoft's autograb function to pre-fill phishing pages with victims' credentials. Meanwhile, Tycoon2FA has upgraded its evasion tactics, using encryption and obfuscation techniques to hide malicious activity. EvilProxy remains a major threat due to its accessibility, allowing less skilled attackers to run phishing campaigns. Barracuda warns users to watch for suspicious URLs and unexpected MFA prompts as these attacks continue to evolve and evade detection.

A researcher from Cato CTRL has discovered a new jailbreak technique, Immersive World, that bypasses security controls in ChatGPT, Copilot, and DeepSeek, enabling AI-generated malware creation. This exploit tricked AI models into writing malware to steal Chrome credentials without requiring prior coding experience. The discovery highlights the rise of zero-knowledge cybercriminals, where AI lowers the technical barrier for launching attacks. As AI adoption grows in finance, healthcare and technology, security risks like data breaches, misinformation and automated malware generation are escalating. Experts warn that traditional security strategies may no longer be sufficient. The Immersive World jailbreak serves as a stark reminder of AI's dual-use nature, both as a tool for innovation and a weapon for cybercrime.

Microsoft has uncovered StilachiRAT, a stealthy and persistent remote access trojan designed to steal sensitive data from compromised systems. First detected in November of last year, the malware is not yet widely distributed, but Microsoft warns it can spread through trojanized software, malicious sites, and phishing emails. StilachiRAT profiles infected systems, steals credentials from Chrome, monitors cryptocurrency wallets, and tracks clipboard content for valuable data. It can also spy on RDP sessions, allowing lateral movement within networks. To evade detection, it clears event logs, checks for analysis tools, and obfuscates Windows API calls. The malware maintains persistence through watchdog threads and Windows services, making it difficult to remove. Microsoft has not attributed StilachiRAT to any known threat actor, but stresses the need for vigilance, as it poses a serious risk to organizations and individuals alike.

CISA has confirmed active exploitation of a critical Fortinet vulnerability in ransomware attacks. The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super-admin privileges via crafted proxy requests. Linked to the Mora_001 ransomware group, it has been exploited to deploy a new strain called SuperBlack. Additionally, CISA flagged a supply chain vulnerability in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations. Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs. Organizations are urged to patch Fortinet devices and ensure they're using a secure version of the GitHub Action to prevent further exploitation.

Coming up after the break on our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA Certified Information Security Manager exam. And AI coding assistants get all judgy. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

In the latest edition of our ongoing CertByte segment, Chris Hare is joined by Troy McMillan. They break down a question targeting the ISACA Certified Information Security Manager exam.
