Claire Aird
Mobile browsers patch a passkey phishing vector, researchers find undocumented commands in a common IoT chip, the US government cuts election security funding, and a hacker steals and then returns funds from DeFi platform 1inch. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 10th of March and this podcast episode is brought to you by GreyNoise. All the major browsers have released security updates to patch a novel passkey phishing attack. The trick lets a hacker within Bluetooth range trick a victim's smartphone into connecting back to the attacker and authenticating for them. Patches have been released for Safari, Chrome and Firefox. For more details on this one, check out the weekly Risky Business podcast with Patrick and Adam this Wednesday. In other news, the US has cut funding for the Elections Infrastructure Information Sharing and Analysis Centre. The group was established in the Department of Homeland Security in 2018. It was set up to help state and local governments safeguard election infrastructure against cyber threats. The DHS terminated funding for EI-ISAC in February. The US government has also cut funding for the Tallinn Mechanism, a project that provided cybersecurity support to Ukraine. The project was launched by the US government, NATO and the EU in late 2023 to help Ukraine protect IT systems from Russian hackers. It received more than 200 million euros in funding, half of which came from the US. Swiss critical infrastructure operators will be required to report serious cyber attacks within 24 hours from April 1. Following the initial report, organisations will have two weeks to provide more detail. The country's cyber security agency will provide support and alert other operators that may be affected. Security flaws have been discovered in the widely used ESP32 Wi-Fi and Bluetooth chips.
The chips, from manufacturer Espressif, contain undocumented commands that can be abused by malware running on the devices. Security firm Tarlogic discovered the flaws, which may impact more than a billion systems, including phones, laptops and IoT devices. The hidden commands cannot be exploited over the air, despite being in Wi-Fi and Bluetooth chips; they appear to be part of a testing or development interface left active in the firmware rather than backdoors. A cyber attack on American home appliance company Presto is causing manufacturing and shipping delays. The incident occurred on the 1st of March and the company says it's restoring systems. As yet, no major ransomware group has taken credit. A hacker stole more than $5 million worth of crypto assets from DeFi platform 1inch, but returned the funds the next day minus a $450,000 negotiated bounty. The hack was the result of a vulnerability in the company's smart contracts. 1inch says user funds were never in danger because of the nature of the bug. The FBI has recovered $23 million worth of crypto stolen from Chris Larsen, the co-founder and executive chairman of the Ripple cryptocurrency. The recovered funds are a small percentage of the tokens stolen from Larsen in January 2024. Hackers allegedly stole Larsen's funds using encrypted passwords looted from password manager LastPass in 2022. Since the attack, the theory is that hackers have been slowly cracking LastPass data and emptying crypto wallets. Research in May 2024 suggested over $250 million worth of crypto assets had been stolen using the LastPass data. North Korean hackers compromised multi-signature wallet provider SafeWallet by targeting one of its developers. According to a new post-mortem report, the point of entry appears to have been a malicious Dockerfile that was executed on a developer's computer. The Dockerfile deployed malware that stole local credentials.
The attackers then used the developer's AWS account to add malicious code to SafeWallet. The malicious code targeted a specific multisig wallet used by the Bybit cryptocurrency exchange, and the attackers later stole $1.5 billion from Bybit in the largest crypto heist yet. The FBI has arrested a Memphis man for stealing DVDs and Blu-rays of blockbuster movies and selling them before official release. Stephen R. Hale allegedly stole the films while employed at a company that manufactures and distributes DVDs. Officials have linked Hale to leaks from the Dune, Fast and Furious and Marvel franchises. Australian police detained a Melbourne man over more than 190 malicious mobile number porting attempts. Officials believe the man attempted to hijack 86 mobile numbers in order to bypass MFA and access banking accounts. The Australian Federal Police says 44 of the numbers were successfully ported. The manufacturer of Cobalt Strike says that its use by attackers is down 80% over the past two years. Software company Fortra says it worked with Microsoft and Health-ISAC to take down cracked Cobalt Strike servers that were abused for malicious activity. Fortra's number does not align with a recent industry report, which found that Cobalt Strike use had actually increased by more than 65% in the past year. According to security firm Recorded Future, two thirds of command and control servers used in malware attacks last year ran Cobalt Strike. The Akira ransomware group infected a Linux-based webcam and used it to encrypt a victim's network. The group targeted the webcam after its attempt to deploy ransomware on Windows systems was detected and blocked by EDR. Security firm S-RM says Akira made its initial entry with AnyDesk, deployed its ransomware on the webcam, and then mounted the network's drives for encryption via SMB. North Korean APT group Moonstone Sleet joined the Qilin ransomware platform in late February.
The group has been observed deploying Qilin payloads during multiple intrusions. It also has a history of deploying ransomware for financial gain. Microsoft says Moonstone Sleet previously used its own ransomware before switching to Qilin. Threat researchers believe the Qilin ransomware is Russian in origin. The sheer volume of Russian propaganda online is poisoning large language models and AI chatbots. A disinformation research group says that a third of responses from leading generative AI tools are now returning pro-Kremlin falsehoods. The bad training data can be traced back to a Russian disinformation network named Pravda. NewsGuard says that the network published more than 3.6 million fake news articles across 200 domains last year. And finally, Google paid almost $12 million in bug bounties in 2024. The money was shared among 660 researchers. The highest single bounty last year was $110,000. More than half was for Android and Chrome vulnerabilities. Google's bug bounty program has paid more than $65 million for vulnerability reports since it began in 2010. And that is all for this podcast edition. Today's show was brought to you by our sponsor, GreyNoise. Find them at Greyn. Thanks for your company.
Host: Claire Aird
Release Date: March 10, 2025
Podcast: Risky Bulletin by risky.biz
In the March 10, 2025 episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. From major browser security patches to significant cyber attacks and government policy changes, this episode encapsulates a wide array of critical issues affecting both individuals and organizations worldwide.
Claire Aird opens the episode by highlighting a significant security update from major web browsers.
"All the major browsers have released security updates to patch a novel passkey phishing attack." (00:04)
This newly discovered phishing vector abuses Bluetooth proximity: an attacker within range can trick a victim's smartphone into connecting back to the attacker's device and completing a passkey authentication on the attacker's behalf. Safari, Chrome, and Firefox have all issued patches for the issue. For listeners seeking a deeper dive into this topic, Aird recommends tuning into the weekly Risky Business podcast hosted by Patrick and Adam.
Aird discusses the United States government's recent decision to withdraw funding from two pivotal cybersecurity initiatives.
Established in 2018 under the Department of Homeland Security, EI-ISAC was instrumental in safeguarding election infrastructure against cyber threats. However, funding was terminated in February, raising concerns about the future security of electoral systems.
Similarly, the Tallinn Mechanism, a collaborative project between the US government, NATO, and the EU launched in late 2023, aimed to support Ukraine's IT systems against Russian cyber aggression. With over 200 million euros allocated, half of which came from the US, the cessation of funding poses challenges to Ukraine's cybersecurity posture.
Starting April 1, Swiss critical infrastructure operators must adhere to new regulations mandating the reporting of serious cyber attacks within 24 hours. Following the initial alert, organizations have a two-week window to provide detailed reports. The Swiss Cyber Security Agency will oversee the support mechanism and inform other potentially affected entities.
A significant vulnerability was uncovered in the widely-used ESP32 chips by security firm Tarlogic.
"The hidden commands cannot be exploited over the air... they appear to be part of a testing or development interface left active in the firmware rather than backdoors." (00:04)
These undocumented commands could potentially be abused by malware on devices, impacting over a billion systems, including smartphones, laptops, and various IoT devices. Notably, the flaw does not allow remote exploitation via WiFi or Bluetooth but poses risks if malware gains local access.
Presto, an American home appliance manufacturer, experienced a cyber attack on March 1, disrupting manufacturing and shipping operations. The company is currently working to restore its systems, with no ransomware group taking responsibility for the breach thus far.
A hacker stole over $5 million in crypto assets from the DeFi platform 1inch but returned the majority of the funds a day later, retaining only a $450,000 bounty after negotiations. The breach stemmed from a vulnerability in 1inch's smart contracts. Importantly, 1inch assured users that their funds remained secure despite the technical bug.
The FBI has recovered $23 million in crypto stolen from Chris Larsen, co-founder and executive chairman of Ripple, in January 2024. The theft allegedly relied on encrypted passwords looted from the password manager LastPass in 2022. Although a portion of the funds has been retrieved, the majority remains unrecovered. Research indicates that over $250 million in crypto assets may have been siphoned using compromised LastPass data.
A sophisticated attack by North Korean hackers targeted SafeWallet, a multi-signature wallet provider. The breach involved a malicious Dockerfile executed on a developer's machine, deploying malware to steal local credentials. Subsequently, attackers leveraged the developer's AWS account to inject malicious code into SafeWallet, ultimately stealing $1.5 billion from the Bybit cryptocurrency exchange.
The FBI arrested a Memphis man accused of stealing and selling DVDs and Blu-rays of blockbuster movies prior to their official release. Stephen R. Hale allegedly took the films while employed at a company that manufactures and distributes DVDs; officials have linked him to leaks of titles from the Dune, Fast and Furious, and Marvel franchises.
Australian authorities detained a Melbourne man for orchestrating over 190 malicious mobile number porting attempts. The attacker aimed to hijack 86 mobile numbers to bypass multi-factor authentication (MFA) and gain unauthorized access to banking accounts. Of these attempts, 44 numbers were successfully ported, posing significant security risks to the affected users.
The cybersecurity community observed conflicting reports regarding the use of Cobalt Strike, a popular penetration testing tool often exploited by attackers.
"The number does not align with a recent industry report which found that Cobalt Strike use had actually increased by more than 65% in the past year." (00:04)
While the manufacturer claims an 80% decrease in malicious usage over the past two years, security firm Recorded Future reports that two-thirds of command and control servers in malware attacks last year utilized Cobalt Strike. This discrepancy highlights challenges in accurately tracking and mitigating the misuse of cybersecurity tools.
The Akira ransomware group made headlines by infecting a Linux-based webcam, deploying ransomware to encrypt the victim's network. This shift from their usual targets was a strategic move after their attempts to deploy ransomware on Windows systems were thwarted by endpoint detection and response (EDR) mechanisms. The group leveraged AnyDesk for initial access and utilized SMB for network drive encryption.
The North Korean APT group Moonstone Sleet joined the Qilin ransomware platform in late February and has since deployed Qilin payloads in multiple intrusions. Microsoft notes that Moonstone Sleet previously used its own ransomware before switching to Qilin, which threat researchers believe is Russian in origin.
A concerning development in the intersection of disinformation and artificial intelligence involves the Pravda network's extensive fake news dissemination.
"A third of responses from leading generative AI tools are now returning pro-Kremlin falsehoods." (00:04)
According to research from a disinformation group, the sheer volume of Russian propaganda online has contaminated the training data for large language models and AI chatbots. NewsGuard reports that Pravda published over 3.6 million fake news articles across 200 domains in the past year, significantly influencing AI-generated content towards pro-Kremlin narratives.
Closing the episode, Aird highlights Google's commitment to cybersecurity through its robust bug bounty program.
"Google has paid more than $65 million for vulnerability reports since it began in 2010." (00:04)
In 2024 alone, Google distributed nearly $12 million in bug bounties to 660 researchers, with the highest single payout reaching $110,000. The majority of these rewards were allocated for vulnerabilities discovered in Android and Chrome. This ongoing investment underscores Google's dedication to fostering a secure digital ecosystem through collaboration with the global cybersecurity community.
The March 10, 2025 episode of Risky Bulletin provides listeners with a thorough overview of current cybersecurity threats, responses, and policy shifts. From critical vulnerabilities in widely-used technologies to significant geopolitical cyber maneuvers, the episode underscores the dynamic and often perilous nature of the cyber landscape. As always, staying informed and vigilant remains paramount for both individuals and organizations navigating these challenges.
Disclaimer: This summary is based on the transcript provided and aims to capture key discussions and insights from the podcast episode. For more detailed information, listeners are encouraged to tune into the full episode.