Claire Aird
The FBI warns of online file converters that distribute malware, China backdoors Juniper routers, a wave of ransomware hits Taiwan, and North Korean spyware slips into the Play Store. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 14th of March and this podcast episode is brought to you by GreyNoise.

The FBI says cybercriminals are using file format conversion tools to scrape personal data from documents and deploy malware such as ransomware. The warning applies to both online websites and downloadable apps alike. This type of Internet badness isn't new, but the FBI has asked users to report incidents so the agency can get a better idea of how big the problem is.

In other news, a Chinese cyber espionage group has been installing backdoors on Juniper MX routers. The attackers obtain legitimate credentials and then use a privilege escalation zero-day to bypass security protections and install the backdoors. Google's Mandiant division has linked the attack to a group it tracks as UNC3886. The group has previously used zero-days in Fortinet and VMware systems. The group is targeting defence technology and telecommunication organisations located in Asia and the US. Juniper has released security updates to patch the privilege escalation vulnerability even though the devices reached end of life.

In 2020, North Korean hacking group ScarCruft snuck Android spyware into the Google Play Store. The spyware, KoSpy, was hidden in a file management app for English- and Korean-speaking users. Security firm Lookout says KoSpy has been around since 2022.

Security firm GreyNoise has detected a coordinated campaign exploiting SSRF vulnerabilities across several software products. The spike began on March 9 and originated from a group of 400 IP addresses. The attacks targeted SSRF bugs in GitLab, VMware, Ivanti, Zimbra and many other software packages.
GreyNoise says the pattern suggests structured exploitation automation or pre-compromise intelligence gathering. Threat actors have exploited a zero-day in the FreeType font rendering library. The attacks were detected by the Facebook security team. FreeType is widely used by Linux and other open source systems. A group of Republican senators has urged President Donald Trump to increase US offensive cyber operations against China. The senators called for a response to recent Chinese intrusions into US telcos, critical infrastructure and the US Treasury.
Catalin Cimpanu
The senators say the US needs to.
Claire Aird
Re-establish cyber deterrence against China because that's worked so well over the last 20 years. Now the U.S. Department of Homeland Security has shut down eight advisory boards including AI and cybersecurity boards. The boards provided industry expertise to the DHS. The agency cited a Trump executive order that mandated cost cutting as a reason for the shutdowns. The government in Kazakhstan will require children's.
Catalin Cimpanu
Smartphones to use a new filtered mobile network. Parents will need to buy special SIM cards for their children's devices. The network will restrict access to social.
Claire Aird
Media and dangerous websites and will report children's locations to parents through an app.
Catalin Cimpanu
The Spanish government passed a bill this week to impose hefty fines on companies that don't label AI-generated content. Failure to comply could result in fines of up to 35 million euros, or 7% of their annual global turnover. The law is an attempt to curb the spread of deepfakes and non-consensual adult content. Spain is the first country in the EU bloc to incorporate provisions from the EU AI Act into its national legislation. South Korea's Supreme Court has rejected Meta's appeal to reverse a $4.6 million fine for privacy law violations. The country's privacy watchdog fined Meta in 2020 for sharing the data of at least 3.3 million South Koreans with third parties. This was Meta's last avenue of appeal. A new ransomware operation called Crazy Hunter has compromised three hospitals, a university and a power grid operator in Taiwan. All of the attacks took place this month. The Taiwanese health ministry says it's restored core functions at the hospitals.
Claire Aird
A cyber attack has disrupted services at.
Catalin Cimpanu
Australian hotel group TFE. The company says its systems are currently offline while it works to resolve the issue. Phone calls have been rerouted to a central call centre while its staff assist guests in person. No one's taken credit for the attack. TFE manages hotel brands in Australia, Europe and Asia, including Adina, Vibe and Travelodge. A hacker has leaked hundreds of internal documents from the Jaguar Land Rover automotive group. The files were allegedly stolen during a breach earlier this month. The same hacker previously leaked data from Orange in Romania, the Zurich Insurance Group and Russian social media network VK. NIST has selected Hamming Quasi-Cyclic, or HQC, as the backup algorithm for post-quantum encryption operations.
Claire Aird
Last year, the agency selected ML-KEM to be the primary algorithm for securing data.
Catalin Cimpanu
Against post-quantum computing attacks. NIST says HQC is a backup standard.
Claire Aird
And should be used only if a.
Catalin Cimpanu
Weakness were to be discovered in ML-KEM. ICANN will retire the .su top-level domain in 2030. The domain was previously assigned to the Soviet Union and is currently managed by Russian authorities.
Claire Aird
The .su country code was removed from.
Catalin Cimpanu
The ISO standard for country codes in 1992, but ICANN didn't kick off the.
Claire Aird
Removal process until 2022.
Catalin Cimpanu
Another domain could also be on the chopping block. Is .io the domain for the soon-to-be non-existent British Indian Ocean Territory? And finally, Proofpoint is seeing an increase in the use of remote monitoring and management tools as an initial payload in email-delivered campaigns. The most common RMM tools seen in attacks include ScreenConnect, NetSupport and Atera. And that is all for this podcast edition.
Claire Aird
Today's show was brought to you by.
Catalin Cimpanu
Our sponsor GreyNoise. Find them at greynoise.io. Thanks Ian company.
Risky Bulletin: FBI Says Online File Converters Are Nasty
Hosted by risky.biz | Released on March 14, 2025
In this episode of Risky Bulletin, host Claire Aird and co-host Catalin Cimpanu delve into a series of pressing cybersecurity issues, ranging from FBI warnings about malicious online tools to international cyber espionage activities. The episode provides a comprehensive overview of current threats, regulatory changes, and significant cyber incidents impacting various sectors globally.
Claire Aird opens the bulletin with a crucial warning from the FBI regarding the misuse of online file conversion tools. According to the FBI, cybercriminals are exploiting both web-based and downloadable file converters to extract personal data from documents and deploy malware, including ransomware.
"The FBI says cybercriminals are using file format conversion tools to scrape personal data from documents and deploy malware such as ransomware."
— Claire Aird [00:04]
The FBI emphasizes that while this tactic isn't entirely new, the surge in its usage necessitates heightened vigilance. Users are encouraged to report any suspicious incidents to aid the agency in assessing the scale of the problem.
The discussion shifts to a significant cyber espionage campaign attributed to a Chinese group known as UNC3886. This group has been embedding backdoors into Juniper MX routers by obtaining legitimate credentials and leveraging a zero-day privilege escalation vulnerability.
"The group has previously used zero days in Fortinet and VMware systems."
— Claire Aird [00:56]
Google's Mandiant division links the group to attacks on defense technology and telecommunications organizations across Asia and the United States. Despite the affected Juniper MX routers having reached end-of-life status, Juniper has released security updates to patch the privilege escalation vulnerability.
North Korea's hacking faction, ScarCruft, has successfully inserted the Android spyware KoSpy into the Google Play Store. Disguised within a seemingly innocuous file management app catering to English- and Korean-speaking users, KoSpy has been active since 2022, as confirmed by security firm Lookout.
This sophisticated spyware underscores the ongoing threats posed by state-sponsored actors aiming to infiltrate widely used platforms to harvest sensitive information.
Catalin Cimpanu highlights GreyNoise's recent detection of a coordinated campaign exploiting Server-Side Request Forgery (SSRF) vulnerabilities across multiple software products, including GitLab, VMware, Ivanti, and Zimbra.
"The pattern suggests structured exploitation automation or pre-compromise intelligence gathering."
— Catalin Cimpanu [03:24]
The campaign, which commenced on March 9, originated from approximately 400 IP addresses. Separately, threat actors have exploited a zero-day vulnerability in the FreeType font rendering library, with the attacks detected by the Facebook security team.
A group of Republican senators has urged President Donald Trump to bolster the United States' offensive cyber operations against China. They cite recent Chinese intrusions into U.S. telecommunications, critical infrastructure, and the Treasury as pressing reasons for this call to action.
"The senators say the US needs to re-establish cyber deterrence against China because that's worked so well over the last 20 years."
— Claire Aird [02:46]
This push comes amidst strategic discussions on national cybersecurity measures and the balance between offensive and defensive cyber operations.
Claire Aird also reports that the U.S. Department of Homeland Security (DHS) has terminated eight advisory boards, including those focused on AI and cybersecurity. The DHS attributes these closures to a Trump executive order that mandated cost-cutting.
"The agency cited a Trump executive order that mandated cost-cutting as a reason for the shutdowns."
— Claire Aird [02:48]
These advisory boards were previously instrumental in providing industry expertise to inform DHS strategies and policies.
Catalin Cimpanu shares that Kazakhstan is introducing a mandate requiring smartphones used by children to connect through a new filtered mobile network. Parents must purchase special SIM cards for their children's devices, ensuring restricted access to social media and dangerous websites. Additionally, an accompanying app will relay the children's locations to their parents.
"Parents will need to buy special SIM cards for their children's devices. The network will restrict access to social media and dangerous websites and will report children's locations to parents through an app."
— Claire Aird [03:14]
This measure reflects a growing global trend toward safeguarding minors in the digital landscape.
In a significant regulatory development, Spain has enacted a law imposing substantial fines on companies that fail to label AI-generated content. Non-compliant organizations could face penalties up to €35 million or 7% of their annual global turnover.
"Failure to comply could result in fines of up to 35 million euros, or 7% of their annual global turnover."
— Catalin Cimpanu [03:30]
This legislation aims to combat the proliferation of deepfakes and non-consensual adult content, making Spain the first EU country to incorporate provisions from the EU AI Act into its national framework.
South Korea's Supreme Court has dismissed Meta's appeal against a $4.6 million fine imposed for privacy law violations. The country's privacy watchdog had fined Meta in 2020 for sharing the data of at least 3.3 million South Koreans with third parties.
"South Korea's Supreme Court has rejected Meta's appeal to reverse a $4.6 million fine for privacy law violations."
— Catalin Cimpanu [03:24]
This case marks the final judicial avenue for Meta concerning this specific infraction, highlighting the increasing scrutiny tech giants face over data privacy practices.
A new ransomware operation dubbed "Crazy Hunter" has emerged, targeting critical infrastructure in Taiwan. All of the attacks took place this month, compromising three hospitals, a university, and a power grid operator. The Taiwanese health ministry has reported that core functions at the affected hospitals have been restored.
"A new ransomware operation called Crazy Hunter has compromised three hospitals, a university and a power grid operator in Taiwan."
— Claire Aird [04:33]
The attacks underscore the vulnerability of essential services to sophisticated ransomware threats.
TFE, an Australian hotel group managing brands including Adina, Vibe, and Travelodge across Australia, Europe, and Asia, has been hit by a cyberattack. The incident has taken the company's systems offline, forcing a rerouting of phone calls to a central call centre while staff assist guests in person. As of now, no group has claimed responsibility for the attack.
"A cyber attack has disrupted services at... Australian hotel group TFE."
— Claire Aird [04:33]
This breach highlights the persistent threat of cyberattacks on the hospitality sector.
A hacker has reportedly leaked hundreds of internal documents from the Jaguar Land Rover automotive group, following a breach earlier this month. This individual has a history of leaking sensitive data, having previously exposed information from Orange in Romania, the Zurich Insurance Group, and the Russian social media network VK.
"A hacker has leaked hundreds of internal documents from the Jaguar Land Rover automotive group."
— Catalin Cimpanu [04:36]
These data leaks pose significant risks to corporate security and intellectual property.
The National Institute of Standards and Technology (NIST) has chosen Hamming Quasi-Cyclic (HQC) as a backup algorithm for post-quantum encryption operations. Last year, NIST had selected ML-KEM as the primary algorithm to safeguard data against potential quantum computing attacks.
"NIST says HQC is a backup standard and should be used only if a weakness were to be discovered in ML-KEM."
— Catalin Cimpanu [05:30]
This decision reflects ongoing efforts to future-proof encryption methodologies in anticipation of advancements in quantum computing.
ICANN has announced its intention to retire the .su top-level domain (TLD) in 2030. The .su domain, originally assigned to the Soviet Union, is currently managed by Russian authorities. Although the .su country code was removed from the ISO standard for country codes in 1992, ICANN only commenced the removal process in 2022. Additionally, the .io domain, representing the soon-to-be non-existent British Indian Ocean Territory, might also face discontinuation.
"Another domain could also be on the chopping block. Is .io the domain for the soon to be non-existent British Indian Ocean territories?"
— Catalin Cimpanu [05:50]
This move signifies efforts to streamline and update the global domain name system.
Proofpoint has observed an uptick in the use of Remote Monitoring and Management (RMM) tools as initial payloads in email-delivered attack campaigns. The RMM tools most commonly seen in these attacks include ScreenConnect, NetSupport, and Atera.
"Proofpoint is seeing an increase in the use of remote monitoring and management tools as an initial payload in email delivered campaigns."
— Claire Aird [05:50]
This trend indicates a shift in attackers' strategies, leveraging legitimate management tools to facilitate malicious activities.
The Risky Bulletin episode provides a thorough examination of the evolving cybersecurity landscape, highlighting the multifaceted challenges posed by state-sponsored cyber espionage, ransomware threats, regulatory changes, and the exploitation of software vulnerabilities. By incorporating expert analysis and timely insights, Claire Aird and Catalin Cimpanu deliver an informative session that underscores the critical importance of vigilance and proactive measures in safeguarding against cyber threats.
For more detailed updates and analysis, listeners are encouraged to tune into future episodes of Risky Bulletin.