Risky Bulletin: Major Browsers Patch Passkey Phishing Flaw
Host: Claire Aird
Release Date: March 10, 2025
Podcast: Risky Bulletin by risky.biz
Introduction
In the March 10, 2025 episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. From major browser security patches to significant cyber attacks and government policy changes, this episode encapsulates a wide array of critical issues affecting both individuals and organizations worldwide.
Major Browsers Patch Passkey Phishing Flaw
Claire Aird opens the episode by highlighting a significant security update from major web browsers.
"All the major browsers have released security updates to patch a novel passkey phishing attack." (00:04)
This newly discovered phishing vector abused the Bluetooth-based cross-device passkey flow, tricking a victim's smartphone into completing a passkey authentication on the attacker's behalf. Browsers including Safari, Chrome, and Firefox have issued patches to close the vulnerability. For listeners seeking a deeper dive into this topic, Aird recommends the weekly Risky Business podcast hosted by Patrick and Adam.
US Government Cuts Funding for Election and Ukraine Cybersecurity Initiatives
Aird discusses the United States government's recent decision to withdraw funding from two pivotal cybersecurity initiatives.
Election Infrastructure Information Sharing and Analysis Center (EI-ISAC)
Established in 2018 under the Department of Homeland Security, the EI-ISAC was instrumental in safeguarding election infrastructure against cyber threats. Its funding was terminated in February, raising concerns about the future security of electoral systems.
Tallinn Mechanism
Similarly, the Tallinn Mechanism, a collaborative project between the US government, NATO, and the EU launched in late 2023, aimed to support Ukraine's IT systems against Russian cyber aggression. More than 200 million euros had been allocated, half of it from the US, so the cessation of funding poses challenges to Ukraine's cybersecurity posture.
Swiss Critical Infrastructure Reporting Requirements
Starting April 1, Swiss critical infrastructure operators must comply with new regulations mandating that serious cyber attacks be reported within 24 hours. Following the initial alert, organizations have a two-week window to provide a detailed report. The Swiss Cyber Security Agency will oversee the support mechanism and notify other potentially affected entities.
Security Flaws in Espressif ESP32 WiFi and Bluetooth Chips
A significant vulnerability was uncovered in the widely-used ESP32 chips by security firm Tarlogic.
"The hidden commands cannot be exploited over the air... they appear to be part of a testing or development interface left active in the firmware rather than backdoors." (00:04)
These undocumented commands could be abused by malware already running on a device, affecting over a billion systems, including smartphones, laptops, and a wide range of IoT devices. Notably, the flaw does not allow remote exploitation over WiFi or Bluetooth; the risk arises only once malware has gained local access.
Cyber Attack on Presto Home Appliance Company
Presto, an American home appliance manufacturer, experienced a cyber attack on March 1, disrupting manufacturing and shipping operations. The company is currently working to restore its systems, with no ransomware group taking responsibility for the breach thus far.
Crypto Theft and Security Incidents
1inch DeFi Platform Fund Theft and Return
A hacker stole over $5 million in crypto assets from the DeFi platform 1inch but returned the majority of the funds a day later, retaining only a $450,000 bounty after negotiations. The breach stemmed from a vulnerability in 1inch's smart contracts. Importantly, 1inch assured users that their funds remained secure despite the technical bug.
FBI Recovers Crypto Stolen from Ripple's Chris Larsen
The FBI has recovered $23 million of the crypto stolen in January 2024 from Chris Larsen, co-founder and executive chairman of Ripple. The theft relied on encrypted password data taken from the password manager LastPass in 2022. Although a portion of the funds has been retrieved, the majority remains unrecovered. Research indicates that over $250 million in crypto assets may have been siphoned using compromised LastPass data.
North Korean Hackers Compromise SafeWallet
A sophisticated attack by North Korean hackers targeted SafeWallet, a multi-signature wallet provider. The breach began with a malicious Dockerfile executed on a developer's machine, which deployed malware to steal local credentials. The attackers then used the developer's AWS account to inject malicious code into SafeWallet, ultimately stealing $1.5 billion from the Bybit cryptocurrency exchange.
FBI Arrests Memphis Man for Theft of Pre-Release DVDs and Blu-rays
In an unusual case, the FBI arrested a Memphis man accused of stealing and selling DVDs and Blu-rays of blockbuster movies before their official release. Stephen R. Hale allegedly took the films from Presto's manufacturing facilities, leading to leaks of titles from franchises such as Dune, Fast and Furious, and Marvel.
Australian Mobile Number Porting Attacks
Australian authorities detained a Melbourne man for orchestrating over 190 malicious mobile number porting attempts. The attacker sought to hijack 86 mobile numbers in order to bypass SMS-based multi-factor authentication (MFA) and gain unauthorized access to banking accounts. Of these attempts, 44 numbers were successfully ported, putting the affected users at significant risk.
Cobalt Strike Usage Trends and Discrepancies
The cybersecurity community has seen conflicting reports regarding the use of Cobalt Strike, a popular penetration testing tool frequently abused by attackers.
"The number does not align with a recent industry report which found that Cobalt Strike use had actually increased by more than 65% in the past year." (00:04)
While the vendor claims an 80% decrease in malicious usage over the past two years, security firm Recorded Future reports that two-thirds of the command and control servers seen in malware attacks last year ran Cobalt Strike. This discrepancy highlights how difficult it is to accurately track and curb the misuse of offensive security tools.
Akira Ransomware Group Targets Linux-Based Webcams
The Akira ransomware group made headlines by infecting a Linux-based webcam and using it to deploy ransomware across the victim's network. The shift to an unusual target came after the group's attempts to run ransomware on Windows systems were blocked by endpoint detection and response (EDR) tooling; the webcam, lacking any such protection, provided an alternative foothold. The group used AnyDesk for initial access and encrypted network shares over SMB.
Moonstone Sleet Joins Qilin Ransomware Platform
The North Korean APT group Moonstone Sleet has been working with the Qilin ransomware platform since late February, deploying Qilin payloads in multiple intrusions. Microsoft notes that Moonstone Sleet previously used its own proprietary ransomware, so the move to Qilin suggests a new reliance on Russian-origin ransomware tooling. Threat researchers associate Qilin with Russian cyber activity, aligning the development with broader geopolitical cyber threats.
Russian Propaganda Poisoning AI Models
A concerning development in the intersection of disinformation and artificial intelligence involves the Pravda network's extensive fake news dissemination.
"A third of responses from leading generative AI tools are now returning pro-Kremlin falsehoods." (00:04)
According to research from disinformation watchdog NewsGuard, the sheer volume of Russian propaganda online has contaminated the training data of large language models and AI chatbots. NewsGuard reports that the Pravda network published over 3.6 million fake news articles across 200 domains in the past year, significantly skewing AI-generated content towards pro-Kremlin narratives.
Google Bug Bounty Program Achieves $12 Million Payout in 2024
Closing the episode, Aird highlights Google's commitment to cybersecurity through its robust bug bounty program.
"Google has paid more than $65 million for vulnerability reports since it began in 2010." (00:04)
In 2024 alone, Google distributed nearly $12 million in bug bounties to 660 researchers, with the highest single payout reaching $110,000. The majority of these rewards went to vulnerabilities discovered in Android and Chrome. This ongoing investment reflects Google's reliance on the global security research community to keep its products secure.
Conclusion
The March 10, 2025 episode of Risky Bulletin provides listeners with a thorough overview of current cybersecurity threats, responses, and policy shifts. From critical vulnerabilities in widely-used technologies to significant geopolitical cyber maneuvers, the episode underscores the dynamic and often perilous nature of the cyber landscape. As always, staying informed and vigilant remains paramount for both individuals and organizations navigating these challenges.
Disclaimer: This summary is based on the transcript provided and aims to capture key discussions and insights from the podcast episode. For more detailed information, listeners are encouraged to tune into the full episode.
