This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Johna Till Johnson, CEO and founder, Nemertes
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Citrix RCE flaw under active exploitation
Citrix released updates for NetScaler ADC and Gateway devices to address a vulnerability that allows for remote code execution. The Shadowserver Foundation reports there are over 28,000 vulnerable devices online, with about 35% located in the US. Citrix did not provide any other mitigations, workarounds, or indicators of compromise. CISA and Citrix found evidence that the flaw is already being exploited by malicious actors, and it has been added to the Known Exploited Vulnerabilities catalog. Federal agencies have until August 28th to patch.
When NDA stands for “New Download Attack”
Researchers at Check Point detailed a new campaign where threat actors deliver malware disguised as non-disclosure agreements to American industrial and tech firms. The threat actors initially approach victims through their “Contact Us” forms, posing as potential business partners and maintaining communication for several weeks. Eventually, they ask the firm to sign an NDA and send it as a ZIP archive hosted on Heroku, which contains a custom malware called MixShell. This appears to be a highly tailored approach; in some instances, the threat actors sent completely innocuous ZIP files, seemingly depending on the victim’s IP address or browser information. The threat actors set up fake websites using domains tied to real US businesses for added veracity.
South Korea telecom punished for security bungle
Following up on a story we covered in May, South Korea’s SK Telecom has been fined the equivalent of $97 million, after the country’s privacy commission found that the mobile giant had “left its network wide open to hackers through a catalog of bungles.” The breach had been announced in April. Hackers had gained access to the universal subscriber identity module (USIM) data of almost 27 million subscribers. The country’s Personal Information Protection Commission (PIPC) said that the country’s biggest carrier “did not even implement basic access controls between its internet-facing systems and internal management network.” It added that “SKT failed at almost every layer of defense,” including dumping thousands of server credentials in plaintext on a management network server. A more complete accounting of this incident is available as a link in the show notes to this episode.
Huge thanks to our sponsor, Prophet Security

Steganography isn’t a dinosaur: Researchers revive it in AI injection attack
Security researchers at Trail of Bits, Kikimora Morozova and Suha Sabi Hussain, have uncovered a new attack that hides malicious prompts inside everyday images. The method, called an image-scaling attack, exploits the fact that most AI tools automatically shrink pictures before analyzing them. At full size, the images look harmless. But once downscaled, hidden instructions appear, telling the AI to leak data or execute commands. It’s an updated spin on steganography (the art of hiding secrets in images), but it’s engineered to exploit how AIs process images. The researchers warn this could be used for prompt injection attacks.
US DoD using software maintained by Russians
A new report from Hunted Labs found that the open-source tool fast-glob is solely maintained by a Yandex employee based in Russia. The tool enables developers to perform actions on a group of files without requiring additional code. The US Department of Defense uses it in at least 30 pre-built software packages, and it appears in approximately 5,000 other projects globally, resulting in around 70 million downloads per week. Hunted Labs researchers found no malicious code in fast-glob and contacted the DoD’s Office of the Chief Information Officer three weeks before publishing findings. Over the summer, Secretary of Defense Pete Hegseth signed a memo directing DoD to “not procure any hardware or software susceptible to adversarial foreign influence.”
(NextGov)
Anthropic warns about “vibe-hacking”
The AI company released a new Threat Intelligence report, which warns that “Agentic AI systems are being weaponized.” The report profiled a threat actor using Claude Code to run a data extortion operation end-to-end, which targeted at least 17 organizations across various verticals within a month. Anthropic’s Claude chatbot was used for everything from technical consultation to crafting “psychologically targeted extortion demands.” The report also detailed the use of Claude by North Korean IT workers to get jobs at Fortune 500 US companies, and Anthropic saw ads on Telegram for romance scams using its chatbot. While Anthropic created new controls to prevent similar types of abuse, it warned that the examples it found “likely reflect consistent patterns of behaviour across all frontier AI models.”
North Korean remote worker scheme boosted by generative AI
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced new sanctions against two individuals and two entities “for their role in the North Korean remote information technology (IT) worker scheme,” in which overseas IT workers embed malware, steal data and credentials, and demand ransoms. A report published Wednesday from Anthropic shows how this operation uses generative AI-powered tools like Claude “to create convincing professional backgrounds and technical portfolios, tailor resumes to specific job descriptions and even deliver actual technical work.” Anthropic stated, “the most striking finding is the actors’ complete dependency on AI to function in technical roles…these operators do not appear to be able to write code, debug problems, or even communicate professionally without Claude’s assistance. Yet they’re successfully maintaining employment at Fortune 500 companies (according to public reporting), passing technical interviews, and delivering work that satisfies their employers.”






