When fake fixes hide real attacks. - CyberWire Daily

Summary7 min read

CyberWire Daily: When Fake Fixes Hide Real Attacks Release Date: April 21, 2025
Host: Dave Bittner, N2K Networks

1. Adversary Nations Exploiting ClickFix in Cyber Espionage

Timestamp: 02:08

Government-backed hacking groups from North Korea, Iran, and Russia are increasingly utilizing a technique known as ClickFix in their cyber espionage campaigns. According to Dave Bittner, ClickFix deceives users into executing malicious commands by presenting fake error messages or security alerts, leading victims to believe they're addressing a legitimate issue.

North Korea's TA427 employed ClickFix in early 2025 to target think tanks via deceptive meeting invites.
Iran's TA450 used the method in late 2024 against Middle Eastern financial and government sectors by sending bogus Microsoft email updates.
Russian groups TA4.22 and UNK Remote Rogue incorporated ClickFix in their phishing campaigns.

Dave Bittner notes, “While ClickFix isn't replacing all attack methods, its adoption by multiple state-backed groups indicates a significant trend in streamlining infection processes” (02:08).

Proofpoint highlights that although Chinese hackers haven't yet adopted ClickFix, its rising usage among other nation-states suggests potential future incorporation.

2. Japan's Financial Services Agency Issues Urgent Security Warning

Timestamp: 06:15

Japan's Financial Services Agency (FSA) has issued an urgent alert after hackers manipulated brokerage accounts, resulting in over $665 million in unauthorized trades. Attackers utilized phishing sites masquerading as legitimate financial institutions to steal customer credentials. These credentials were then used to:

Access and manipulate accounts.
Sell Japanese stocks to acquire Chinese ones, which remained in victim accounts.

Key statistics reported include:

Over 1,400 fraudulent trades
More than 3,300 illegal access attempts
12 security firms involved, including notable names like Nomura and Rakuten

Dave Bittner states, "Brokerages will cover customer losses, but the incident underscores the escalating threat from China-backed cyber attacks" (06:15).

3. Critical Erlang OTP SSH Vulnerability Exploited Publicly

Timestamp: 08:45

A severe vulnerability in Erlang OTP's SSH daemon now has public exploits, putting thousands of systems at risk. This flaw allows unauthenticated remote code execution and affects all devices utilizing the daemon. Although recent versions have patched this vulnerability, many systems in sectors like telecom and database infrastructure remain unpatched.

Dave Bittner emphasizes, “Security experts urge immediate updates as attackers are expected to begin scanning and exploiting vulnerable systems” (08:45).

Recent proof-of-concept exploits shared on platforms like GitHub and Pastebin have heightened the risk of widespread exploitation.

4. Microsoft Entra ID's Mace App Flawed Rollout Causes Account Lockdowns

Timestamp: 10:05

A problematic deployment of Microsoft's Entra ID's Mace credential revocation app has led to widespread false positive alerts and mass account lockouts across various organizations. Administrators reported that up to one-third of accounts were locked due to alleged leaked credentials. Investigations revealed:

Passwords were unique and protected by multi-factor authentication (MFA).
No signs of actual compromise were detected.
The issue correlates with Mace's sudden and flawed deployment.

Dave Bittner notes, “Despite the disruption, there were no breach checks matching any known compromises” (10:05).

Microsoft has yet to officially confirm the root cause of the issue.

5. Alleged Operator of Smoke Loader Malware Faces Federal Charges

Timestamp: 11:20

Nicholas Moses, also known as Scrublord, is facing federal hacking charges in Vermont for allegedly operating the Smoke Loader malware. Between January 2022 and May 2023, Moses is accused of:

Stealing personal data from over 65,000 victims globally.
Maintaining a command server in the Netherlands.
Selling stolen credentials for $1 to $5 each, claiming possession of over half a million logs.

Dave Bittner reports, “Moses' case follows Europol's Operation Endgame, which targeted major malware droppers, including Smoke Loader” (11:20).

Smoke Loader is renowned among Russian cybercriminals for its modular design, enabling various attacks and making it a persistent threat since 2011.

6. SuperCardX: A New NFC-Enabled Banking Scam Emerges

Timestamp: 12:30

Researchers at Kleefi have identified a new scam named SuperCardX, which combines social engineering, malware, and Near Field Communication (NFC) technology to drain victims' bank accounts. The scam operates as follows:

Initial Deception: Victims receive fake bank fraud alerts, prompting them to call a provided number.
Data Harvesting: Scammers collect PINs and convince users to remove card limits.
NFC Exploitation: The malware uses NFC to silently capture card data, facilitating instant theft outside traditional banking fraud channels.

Dave Bittner explains, “SuperCardX is linked to a malware-as-a-service model operated by Chinese-speaking developers but is being utilized by diverse groups globally” (12:30).

Authorities warn that NFC-based fraud is on the rise and may spread to more regions soon.

7. GSA Employees' Oversharing of Sensitive Documents Raises Concerns

Timestamp: 13:00

An internal review by the Washington Post revealed that employees of the General Services Administration (GSA), across both Biden and Trump administrations, improperly shared sensitive files. These documents included:

White House blueprints
Vendor banking details
Files marked as controlled unclassified information

The oversharing involved over 11,000 federal workers and highlighted systemic weaknesses in document handling. Dave Bittner comments, “This incident underscores the importance of strict data governance, even for non-classified information” (13:00).

Despite annual security training and scanning tools, the breach revealed vulnerabilities in how sensitive information is managed across administrations.

8. Interview with Yoni Shohed, CEO of Valence Security

Timestamp: 13:19

Dave Bittner interviews Yoni Shohed, co-founder and CEO of Valence Security, who discusses the emerging threats posed by Chinese open-source AI tools and their implications for financial organizations.

Key Discussion Points:

Chinese Influence & Open Source: Shohed highlights concerns over AI tools originating from China, emphasizing that these tools are governed by Chinese regulations, which may compromise data privacy and security. He states, “The fact that it's open source means that everybody can access the source code and elements, unlike most AI models which remain closed” (13:19).
Risks in Financial Services: Shohed warns that financial institutions may inadvertently expose sensitive data by using unvetted AI models. “Employees may share sensitive information with these tools, leading to potential data exposure or compliance breaches” (17:59).
Recommendations for Organizations:
- Identify and Sanction Tools: Companies should approve specific AI tools that meet security standards and ensure employees use only these vetted options.
- Redirect Usage: Instead of banning unapproved tools, provide alternative sanctioned tools to fulfill the same business needs.
- Promote Secure Adoption: Focus on enabling employees to use approved tools effectively, reducing the temptation to bypass security measures.

Dave Bittner summarizes, “Shohed emphasizes a proactive approach, where organizations facilitate the use of secure, approved AI tools rather than attempting to block the influx of new technologies” (19:28).

9. Malicious Modification of Urban Crosswalk Systems

Timestamp: 21:33

In a peculiar incident, crosswalk buttons in cities such as Seattle and Silicon Valley were hijacked to play AI-generated voices impersonating tech billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. Instead of standard audio cues indicating "walk" or "wait," pedestrians were greeted with messages promoting services or making jokes about taxation.

Dave Bittner explains, “While some view it as harmless fun, the stunt poses serious safety risks, especially for visually impaired pedestrians who rely on these audio cues to cross safely” (21:33).

Technical Details:

The crosswalk systems, made by Polara, were managed via the Polara Field Service app, which was protected only by the default password 1234.
Pranksters exploited this weak security to reprogram the devices with custom AI-generated audio.
The app has been removed from app stores, but archived versions persist, making future exploits possible.
Municipal crews are now tasked with manually updating credentials across thousands of devices to prevent recurrence.

Dave Bittner concludes, “This incident not only highlights the importance of securing critical infrastructure with strong authentication measures but also the broader implications of default credentials in facilitating cyber mischief” (21:33).

Conclusion

The April 21, 2025 episode of CyberWire Daily underscores the evolving landscape of cybersecurity threats, from sophisticated nation-state espionage techniques like ClickFix to the even more unconventional manipulation of urban infrastructure. The insights shared by Yoni Shohed shed light on the nuanced risks of integrating open-source AI tools within sensitive sectors, particularly in finance. Meanwhile, the crosswalk incident serves as a stark reminder of the vulnerabilities inherent in IoT devices and the critical need for robust security protocols.

Notable Quotes:

Dave Bittner on ClickFix: “While ClickFix isn't replacing all attack methods, its adoption by multiple state-backed groups indicates a significant trend in streamlining infection processes” (02:08).
Yoni Shohed on open-source AI risks: “The fact that it's open source means that everybody can access the source code and elements, unlike most AI models which remain closed” (13:19).
Dave Bittner on crosswalk hijacking: “This incident not only highlights the importance of securing critical infrastructure with strong authentication measures but also the broader implications of default credentials in facilitating cyber mischief” (21:33).

For more detailed insights and daily cybersecurity news, visit CyberWire Daily.

Loading summary

Transcript15 lines

[00:02]
Dave Bittner
You're listening to the Cyberwire network, powered by N2K and now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire adversary nations are using click fix in cyber espionage campaigns. Japan's Financial Services Agency issues an urgent warning after hundreds of millions in unauthorized trades, the critical Erlang OTP SSH vulnerability now has public exploits A flawed rollout of a new Microsoft Entre app triggers widespread account lockdown. The alleged operator of smoke loader malware faces federal hacking charges. A new scam blends social engineering, malware and NFC tech to drain bank accounts. GSA employees may have been oversharing sensitive documents. Our guest is Yoni Shohed, co founder and CEO of Valence Security, who cautions financial organizations of coming Chinese open source AI and crosswalks in the crosshairs of satirical hacking.
[02:02]
Yoni Shohed
Foreign.
[02:08]
Dave Bittner
It's Monday, April 21, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us. Happy Monday. It's great to have you with us. Government backed hackers from North Korea, Iran and Russia are now using a technique called click fix in cyber espionage campaigns. According to proofpoint, this method tricks users into running malicious commands by displaying fake error messages or security alerts. Victims believe they're fixing a problem, but instead activate malware. North Korea's TA427 used ClickFix in early 2025 to target think tanks via fake meeting invites. Iran's TA450 deployed it in late 2024 against Middle Eastern financial and government sectors through bogus Microsoft email Updates. Russian group TA4.22 and UNK remote rogue also used it in phishing campaigns. While not replacing all attack methods, QlikFix is being used to streamline infection steps. Proofpoint notes that Chinese hackers haven't used ClickFix yet, but its growing use signals a rising trend among state backed groups. In spring of 2024, Russian linked hackers breached water plants in rural Texas, including in mule shoe triggering system malfunctions. While no ransom was demanded. The attack highlighted critical infrastructure vulnerabilities, an urgent concern for cybersecurity professionals. These incidents weren't isolated, experts say. They represent a growing state backed actors probing US Systems to test digital defenses. Similar threats include China's Volt Typhoon and Salt typhoon campaigns, which targeted telecom networks and government communications for long term espionage. Despite this rising threat landscape, the US has weakened cyber defenses under the Trump administration, firing NSA leadership, cutting election security budgets and slashing cybersecurity staff. Some say the cybersecurity workforce gap remains a pressing issue, with over half a million professionals needed, while others are skeptical that the so called gap even exists. Either way, as global tensions escalate and adversaries cooperate digitally, cyber professionals must prepare for more complex, persistent and politically motivated attacks. Japan's Financial Services Agency has issued an urgent warning after hackers conducted over $665 million in unauthorized trades via compromised brokerage accounts. Using phishing sites posing as legitimate firms, attackers stole customer credentials to access and manipulate accounts, often selling Japanese stocks to purchase Chinese ones, which remain in the victims accounts. At least 12 security firms, including Nomura and Rakuten, reported over 1,400 fraudulent trades and over 3,300 illegal access attempts. Brokerages will cover customer losses. Japan links rising threats to China backed cyber attacks. The critical vulnerability in Erlang OTP's SSH daemon now has public exploits, putting thousands of systems at risk. The flaw allows unauthenticated remote code execution and affects all devices using the daemon. Although patched in recent versions, many systems, especially in telecom and database infrastructure, remain unpatched. Proof of concept Exploits were recently shared on GitHub and Pastebin, raising the risk of mass exploitation. Security experts urge immediate updates as attackers are expected to begin scanning and exploiting vulnerable systems. A flawed rollout of Microsoft's Entra ID's new Mace credential revocation app has triggered widespread false positive alerts and account lockouts across organizations. Admins reported that up to one third of accounts were locked due to supposed leaked credentials, though the passwords were unique and protected by mfa, no signs of compromise were found and breach checks showed no matches. The issue appears tied to Mace's sudden deployment. Microsoft has yet to officially confirm the cause. Nicholas Moses, also known as Scrublord, is facing federal hacking charges in Vermont for allegedly operating the Smoke Loader malware stealing personal data from over 65,000 victims worldwide. Prosecutors say Moses used the malware to harvest passwords and sensitive information from infected devices between January 2022 and May 2023. Maintaining a command server in the Netherlands he allegedly sold stolen credentials for a dollar to $5 each and claimed to have over half a million logs. Smokeloader, a malware strain active since 2011, is popular among Russian cybercriminals for its modular design and ability to perform various attacks. Moses case follows Europol's Operation Endgame, which recently targeted major malware droppers, including Smokeloader. Authorities continue to investigate and arrest individuals linked to the botnet's distribution and resale operations. A new scam blending social engineering, malware and NFC tech is targeting Android users and their payment cards. Researchers at kleefi report dubbed SuperCardX the malware tricks victims via fake bank fraud alerts, urging them to call a number where scammers then collect pins and convince users to remove card limits. Victims are later prompted to place their card near their infected device. The malware then uses NFC to silently capture card data, enabling instant theft outside traditional bank fraud channels. SuperCard X is linked to a malware as a service model operated by Chinese speaking developers but used by different groups globally. Unlike past scams targeting specific banks, this campaign targets any debit or credit card. Authorities warn such NFC based fraud is growing and may appear in more regions soon. Internal records reviewed by the Washington Post reveal that General Services Administration employees under both the Biden and Trump administrations improperly shared sensitive files, including White House blueprints and vendor banking details, with over 11,000 federal workers. The documents, stored in a Google Drive folder, included at least nine files marked controlled unclassified information, which, while not classified, still require protection. Some files allowed editing access. The oversharing, ongoing since 2021, triggered a cybersecurity investigation last week. The breach included sensitive plans for the White House's east and west wings and details for a proposed blast door. Though not necessarily classified, experts say such data should be tightly secured. The GSA has annual security training and scanning tools, but the incident highlights systemic weaknesses in document handling across administrations. Coming up after the break, my conversation with Yoni Shohed, co founder and CEO of Valence Security, who cautions financial organizations of coming Chinese open source AI and crosswalks in the crosshairs of satirical hacking. Stay with us. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, entra ID and hybrid configurations. Identity leaders are reducing such risks. With attack path management, you can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by Spectrops. Head to SpectorOps IO today to learn more. Spectrops see your attack paths the way adversaries do. Do you know the status of your compliance controls right now? Right now we know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off Yoni Shohet is co founder and CEO of Valence Security. I recently got together with him to discuss financial organizations being wary of coming Chinese open source AI.
[13:19]
Yoni Shohed
So I think there's two layers here of concerns in areas that most people are focusing on. The first is the fact that it's coming from China and the second is the fact that it's open source. I think the best way that most people can probably understand today is the fact that just looking at Deep SEQ as the latest example that really hit the headlines. But it's eventually tools that are encouraging users or adopters of the open source capabilities to leverage open source models that include can include a wide variety of open source capabilities from the code or to or algorithms to the data itself. That is the core aspect in most AI models. And the fact that it's open source, meaning that everybody has access to see exactly the source code and the source elements in an open source fashion, which is atypical to how most AI models were released until recently. Even OpenAI, even in the name, OpenAI is not open source. So a lot of the ChatGPT capabilities and others are closed source, meaning that you have limited transparency in terms of how the logic in the backend operates.
[14:31]
Dave Bittner
So in your estimation, what are the specific risks here?
[14:36]
Yoni Shohed
Yeah, so I think the main thing that concerns a lot of people is really the fact that it's Chinese in terms of the infrastructure and the people behind these types of open source models, which means that it's governed by the Chinese government regulations, not by more Western society in terms of how the data is treated, in terms of privacy and potential security concerns, and also in terms of their obligations and requirements to disclose some of this data to potential government. The data that you feed to the AI models to the potential government, which I think is the first order of most of the risks and concerns that we see today within the industry is eventually am I giving away my data to the Chinese government by leveraging these tools? Basically, I think the second, second aspect is really the fact that these tools are open source. There's pros and cons of fact that it's open source AI tools. Obviously it can lead to better collaboration and to more inputs from the broader industry in terms of what you can do with these tools or how you can make them applicable. But also these types of open source AI tools are typically also less focused on enterprise grade capabilities. Ensuring proper security, reducing chances of vulnerabilities, or patching potential vulnerabilities in the logics that they implement and how they handle the data. And also the fact that specifically some of these models have a open source also the data models themselves then also could potentially the data that I'm feeding to a prompt or to a tool eventually get open sourced itself because it's going to be leveraged for potential learning of these AI models which are very data hungry as we all know.
[16:32]
Dave Bittner
So help me understand here. I mean, the models being open source, would they typically be running locally or will they be running remotely?
[16:42]
Yoni Shohed
So it could be either or eventually you could download it and run it locally and own the infrastructure that it's running. But also you can just log in to Deep seq's prompt and work with the chat directly. Which I think also leads to other concerns because there could be a lot of variations that are based on very high quality models and data and they can market it in separate in different ways that would make it look very legitimate. But you don't have precisely a good understanding of who's behind these capabilities and tools because we're making them more accessible for potentially malicious or adversary organizations to leverage high quality AI models and data to build commercial tools that will look if they're like powered by Deep SEQ or try to build credibility based on a well known brand name, even though they're not precisely the same people behind these original tools. Even if you can question their credibility.
[17:48]
Dave Bittner
Regardless, I know one of the concerns that you've expressed is the use of these tools within financial services institutions. What is the specific risk there?
[18:00]
Yoni Shohed
Yeah, so I think their main concerns from what we've seen, and this is probably when we look at what we do at valence as a SaaS security company, and we highlighted for some of our customers the adoption of Deep SEQ within the organization. It's just the unknown on how employees are sharing data, because again, AI is as good as the data that you feed it. And if you're trying to use an AI model or an AI application to get your job done, you most likely need to tell it something about your work or about the nature of what you're doing, or even specific information that could be sensitive. Eventually, when you feed this data to an AI model that nobody has vetted and nobody's trusting, and these AI models can pop up and become the hottest trend and make the headlines and everybody's curious to see, oh, is this going to be better than ChatGPT or Gemini or one of the other tools that I'm already leveraging, Then potentially there could be misuse of data that could lead to either exposure of that data because it will become open source, or because it's not going to be protected capabilities or the right standards that the organization has. Or in case of these specifically Chinese tools, it could eventually end up in the hands of the Chinese government. At least what we've seen in terms of customers pretty concerned in terms of their risk there.
[19:18]
Dave Bittner
Yeah. So what are your recommendations then? I mean, for the folks who are tasked with protecting their organizations, how should they approach this reality?
[19:28]
Yoni Shohed
Yeah, what we've seen being very affected over the past couple of years with the rise of AI in general is that, first of all, you can't really stop it. So I think most organizations are past the point of saying, I'm not going to let anybody adopt AI, and we're going to use just the traditional tools because if you block it that aggressively, eventually employees will just find a workaround. What we've seen successful organizations implement is basically identify the approved and sanctioned capabilities and tools that they want to use for the different business requirements, whether if it's prompt questions, data analysis, recording analysis, transcriptions, whatever the purpose that the business is raising, that they need the specific tools, code analysis or code improvements that we see today is also a hot topic. And make sure that these sanction capabilities are highly accessible and that people know how to use them in the organization, know how to use them and how to adopt them when they need. And then instead of saying when a new tool comes out, saying, hey, this is not approved, don't use it. It's if the message is, hey, we have these alternatives that we already approved. This is not something you can use, but we want to redirect you to something else that could get the same purpose done. But it's already approved and governance sanctioned and therefore we have less concerns from a security perspective around it. Or it's more controlled in terms of the risk when we accepted it. And focusing on how to do something rather than how not to do something has been proven to be very effective, especially with the adoption of innovative tools by business users and business admins.
[21:13]
Dave Bittner
That's Yoni Shohet from Valence Security.
[21:28]
Yoni Shohed
Foreign.
[21:34]
Dave Bittner
Secure access is crucial for US Public sector missions, ensuring that only authorized users can access certain systems, networks or data. Are your defenses ready? Cisco's security service Edge delivers comprehensive protection for your network and users. Experience the power of zero trust and secure your workforce wherever they are. Elevate your security Strategy by visiting Cisco.com Go SSE that's Cisco.com Go SSE and finally, our malicious jaywalking desk tells us that crosswalk buttons in cities like Seattle and Silicon Silicon Valley have been hijacked to play AI generated voices of tech billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. Instead of the usual robotic walk or wait, pedestrians were greeted with Bezos promoting Amazon prime or joking about billionaires moving to Florida if taxed. Classic parody wrapped in high tech mischief. The culprit? A mix of social commentary and shoddy security. The devices made by crosswalk hardware giant Polara are managed via a Bluetooth enabled app called the Polara Field Service app. It was publicly available and protected only by the worst password in tech 1234. Pranksters easily reprogram the devices to play custom AI generated audio. While some call it harmless fun, the stunt raises serious issues. Visually impaired pedestrians depend on those audio cues to cross safely. Swapping them for tech tycoon impersonations isn't just a laugh, it's a hazard. It also highlights the risks of default credentials in critical infrastructure. The app has since been pulled from app stores, but archived versions remain, meaning this could happen again. Municipal crews now face the tedious task of manually updating credentials on thousands of devices one intersection at a time. So let this be a friendly PSA Customizable Crosswalk Audio Great billionaire bedtime banter at intersections? Not so much. And for the love of pedestrians, change your default passwords. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapid, rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a message from Black Cloak did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Blackcloak's award winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 247365 with BlackCloak. Learn more at BlackCloak IO.