CyberWire Daily: When Fake Fixes Hide Real Attacks Release Date: April 21, 2025
Host: Dave Bittner, N2K Networks

1. Adversary Nations Exploiting ClickFix in Cyber Espionage

Timestamp: 02:08

Government-backed hacking groups from North Korea, Iran, and Russia are increasingly utilizing a technique known as ClickFix in their cyber espionage campaigns. According to Dave Bittner, ClickFix deceives users into executing malicious commands by presenting fake error messages or security alerts, leading victims to believe they're addressing a legitimate issue.

• North Korea's TA427 employed ClickFix in early 2025 to target think tanks via deceptive meeting invites.
• Iran's TA450 used the method in late 2024 against Middle Eastern financial and government sectors by sending bogus Microsoft email updates.
• Russian groups TA4.22 and UNK Remote Rogue incorporated ClickFix in their phishing campaigns.

Dave Bittner notes, “While ClickFix isn't replacing all attack methods, its adoption by multiple state-backed groups indicates a significant trend in streamlining infection processes” (02:08).

Proofpoint highlights that although Chinese hackers haven't yet adopted ClickFix, its rising usage among other nation-states suggests potential future incorporation.

2. Japan's Financial Services Agency Issues Urgent Security Warning

Timestamp: 06:15

Japan's Financial Services Agency (FSA) has issued an urgent alert after hackers manipulated brokerage accounts, resulting in over $665 million in unauthorized trades. Attackers utilized phishing sites masquerading as legitimate financial institutions to steal customer credentials. These credentials were then used to:

• Access and manipulate accounts.
• Sell Japanese stocks to acquire Chinese ones, which remained in victim accounts.

Key statistics reported include:

• Over 1,400 fraudulent trades
• More than 3,300 illegal access attempts
• 12 security firms involved, including notable names like Nomura and Rakuten

Dave Bittner states, "Brokerages will cover customer losses, but the incident underscores the escalating threat from China-backed cyber attacks" (06:15).

3. Critical Erlang OTP SSH Vulnerability Exploited Publicly

Timestamp: 08:45

A severe vulnerability in Erlang OTP's SSH daemon now has public exploits, putting thousands of systems at risk. This flaw allows unauthenticated remote code execution and affects all devices utilizing the daemon. Although recent versions have patched this vulnerability, many systems in sectors like telecom and database infrastructure remain unpatched.

Dave Bittner emphasizes, “Security experts urge immediate updates as attackers are expected to begin scanning and exploiting vulnerable systems” (08:45).

Recent proof-of-concept exploits shared on platforms like GitHub and Pastebin have heightened the risk of widespread exploitation.

4. Microsoft Entra ID's Mace App Flawed Rollout Causes Account Lockdowns

Timestamp: 10:05

A problematic deployment of Microsoft's Entra ID's Mace credential revocation app has led to widespread false positive alerts and mass account lockouts across various organizations. Administrators reported that up to one-third of accounts were locked due to alleged leaked credentials. Investigations revealed:

• Passwords were unique and protected by multi-factor authentication (MFA).
• No signs of actual compromise were detected.
• The issue correlates with Mace's sudden and flawed deployment.

Dave Bittner notes, “Despite the disruption, there were no breach checks matching any known compromises” (10:05).

Microsoft has yet to officially confirm the root cause of the issue.

5. Alleged Operator of Smoke Loader Malware Faces Federal Charges

Timestamp: 11:20

Nicholas Moses, also known as Scrublord, is facing federal hacking charges in Vermont for allegedly operating the Smoke Loader malware. Between January 2022 and May 2023, Moses is accused of:

• Stealing personal data from over 65,000 victims globally.
• Maintaining a command server in the Netherlands.
• Selling stolen credentials for $1 to $5 each, claiming possession of over half a million logs.

Dave Bittner reports, “Moses' case follows Europol's Operation Endgame, which targeted major malware droppers, including Smoke Loader” (11:20).

Smoke Loader is renowned among Russian cybercriminals for its modular design, enabling various attacks and making it a persistent threat since 2011.

6. SuperCardX: A New NFC-Enabled Banking Scam Emerges

Timestamp: 12:30

Researchers at Kleefi have identified a new scam named SuperCardX, which combines social engineering, malware, and Near Field Communication (NFC) technology to drain victims' bank accounts. The scam operates as follows:

1. Initial Deception: Victims receive fake bank fraud alerts, prompting them to call a provided number.
2. Data Harvesting: Scammers collect PINs and convince users to remove card limits.
3. NFC Exploitation: The malware uses NFC to silently capture card data, facilitating instant theft outside traditional banking fraud channels.

Dave Bittner explains, “SuperCardX is linked to a malware-as-a-service model operated by Chinese-speaking developers but is being utilized by diverse groups globally” (12:30).

Authorities warn that NFC-based fraud is on the rise and may spread to more regions soon.

7. GSA Employees' Oversharing of Sensitive Documents Raises Concerns

Timestamp: 13:00

An internal review by the Washington Post revealed that employees of the General Services Administration (GSA), across both Biden and Trump administrations, improperly shared sensitive files. These documents included:

• White House blueprints
• Vendor banking details
• Files marked as controlled unclassified information

The oversharing involved over 11,000 federal workers and highlighted systemic weaknesses in document handling. Dave Bittner comments, “This incident underscores the importance of strict data governance, even for non-classified information” (13:00).

Despite annual security training and scanning tools, the breach revealed vulnerabilities in how sensitive information is managed across administrations.

8. Interview with Yoni Shohed, CEO of Valence Security

Timestamp: 13:19

Dave Bittner interviews Yoni Shohed, co-founder and CEO of Valence Security, who discusses the emerging threats posed by Chinese open-source AI tools and their implications for financial organizations.

Key Discussion Points:

• Chinese Influence & Open Source: Shohed highlights concerns over AI tools originating from China, emphasizing that these tools are governed by Chinese regulations, which may compromise data privacy and security. He states, “The fact that it's open source means that everybody can access the source code and elements, unlike most AI models which remain closed” (13:19).

• Risks in Financial Services: Shohed warns that financial institutions may inadvertently expose sensitive data by using unvetted AI models. “Employees may share sensitive information with these tools, leading to potential data exposure or compliance breaches” (17:59).

• Recommendations for Organizations:

  • Identify and Sanction Tools: Companies should approve specific AI tools that meet security standards and ensure employees use only these vetted options.
  • Redirect Usage: Instead of banning unapproved tools, provide alternative sanctioned tools to fulfill the same business needs.
  • Promote Secure Adoption: Focus on enabling employees to use approved tools effectively, reducing the temptation to bypass security measures.

Dave Bittner summarizes, “Shohed emphasizes a proactive approach, where organizations facilitate the use of secure, approved AI tools rather than attempting to block the influx of new technologies” (19:28).

9. Malicious Modification of Urban Crosswalk Systems

Timestamp: 21:33

In a peculiar incident, crosswalk buttons in cities such as Seattle and Silicon Valley were hijacked to play AI-generated voices impersonating tech billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. Instead of standard audio cues indicating "walk" or "wait," pedestrians were greeted with messages promoting services or making jokes about taxation.

Dave Bittner explains, “While some view it as harmless fun, the stunt poses serious safety risks, especially for visually impaired pedestrians who rely on these audio cues to cross safely” (21:33).

Technical Details:

• The crosswalk systems, made by Polara, were managed via the Polara Field Service app, which was protected only by the default password 1234.
• Pranksters exploited this weak security to reprogram the devices with custom AI-generated audio.
• The app has been removed from app stores, but archived versions persist, making future exploits possible.
• Municipal crews are now tasked with manually updating credentials across thousands of devices to prevent recurrence.

Dave Bittner concludes, “This incident not only highlights the importance of securing critical infrastructure with strong authentication measures but also the broader implications of default credentials in facilitating cyber mischief” (21:33).

Conclusion

The April 21, 2025 episode of CyberWire Daily underscores the evolving landscape of cybersecurity threats, from sophisticated nation-state espionage techniques like ClickFix to the even more unconventional manipulation of urban infrastructure. The insights shared by Yoni Shohed shed light on the nuanced risks of integrating open-source AI tools within sensitive sectors, particularly in finance. Meanwhile, the crosswalk incident serves as a stark reminder of the vulnerabilities inherent in IoT devices and the critical need for robust security protocols.

Notable Quotes:

• Dave Bittner on ClickFix: “While ClickFix isn't replacing all attack methods, its adoption by multiple state-backed groups indicates a significant trend in streamlining infection processes” (02:08).
• Yoni Shohed on open-source AI risks: “The fact that it's open source means that everybody can access the source code and elements, unlike most AI models which remain closed” (13:19).
• Dave Bittner on crosswalk hijacking: “This incident not only highlights the importance of securing critical infrastructure with strong authentication measures but also the broader implications of default credentials in facilitating cyber mischief” (21:33).

For more detailed insights and daily cybersecurity news, visit CyberWire Daily.