The CyberWire Daily Podcast 1.3.25
Ep 2217 | 1.3.25

AI-powered propaganda.

Transcript

The U.S. sanctions Russian and Iranian groups over election misinformation. Apple settles a class action lawsuit over Siri privacy allegations. DoubleClickjacking exploits a timing vulnerability in browser behavior. FireScam targets sensitive info on Android devices. ASUS issues a critical security advisory for several router models. A former crypto boss faces extradition amidst allegations of defrauding investors out of more than $40 billion. HHS unveils proposed updates to HIPAA. Millions of email servers have yet to enable encryption. Our guest is Joe Saunders, Co-Founder & CEO of RunSafe Security discussing the complexities of safeguarding critical infrastructure. Using Doom to prove you’re human.

Today is Friday January 3rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The U.S. sanctions Russian and Iranian groups over election misinformation. 

The United States has sanctioned two groups tied to Iranian and Russian disinformation campaigns targeting American voters. The Treasury accused these organizations of spreading fake videos, news, and social media posts to deepen divisions and undermine trust in U.S. elections. The Moscow-based Center for Geopolitical Expertise used AI to create deepfake videos and fake news websites. Its director allegedly collaborated with Russian military intelligence to support cyberattacks.

Iran’s Cognitive Design Production Center, linked to the Revolutionary Guard, has incited U.S. political tensions since 2023 and targeted officials with cyberattacks. U.S. intelligence also blames Iran for promoting protests related to Israel’s conflict with Hamas. Both nations denied the allegations. U.S. officials say Russia aimed to bolster Trump, while Iran opposed him due to policies like reimposing sanctions and the killing of Iranian General Qassem Soleimani. The broader effort included actions by China to undermine U.S. democracy.

Apple settles a class action lawsuit over Siri privacy allegations. 

Apple has agreed to a $95 million settlement in a class action lawsuit claiming Siri violated user privacy. The lawsuit alleged Siri unintentionally activated, recorded, and shared private communications without user consent. Eligible U.S. residents who owned Siri-enabled devices between September 17, 2014, and December 31, 2024, can file claims for pro-rata payments, capped at $20 per device. Devices include iPhones, iPads, Apple Watches, Macs, and HomePods.

Plaintiffs accused Apple of violating privacy and consumer protection laws. Apple denied wrongdoing but settled after five years of litigation. The settlement covers 10-15% of estimated damages, with attorney fees up to 30% of the fund. The preliminary settlement was filed in federal court in Oakland, California. Notifications will go to affected Siri device owners, as the class size is expected to be substantial.

It’s worth noting that no definitive proof has emerged from reputable cybersecurity researchers or investigations that Apple intentionally uses Siri to listen to conversations and then sells that data to advertisers. Apple’s privacy policies explicitly state that it does not sell user data, including Siri recordings, to third parties. 

Meanwhile, security researchers have discovered “SysBumps,” a novel attack targeting macOS systems on Apple Silicon processors. The attack exploits speculative execution vulnerabilities in system calls to bypass Kernel Address Space Layout Randomization (KASLR), a key security feature.

The research, led by a team from Korea University, demonstrates how SysBumps leverages speculative execution and Translation Lookaside Buffer (TLB) side-channel analysis to infer kernel memory layouts. Using a prime+probe technique, attackers identify valid kernel addresses with 96% accuracy, breaking KASLR and exposing systems to further exploitation.

The attack highlights challenges in securing modern processors, particularly Apple’s ARM-based M-series chips. While no immediate fixes exist, the researchers proposed mitigation strategies and responsibly disclosed their findings to Apple. Users are advised to update their systems as patches become available. 

DoubleClickjacking exploits a timing vulnerability in browser behavior. 

Hackers are exploiting a timing vulnerability in browser behavior with a technique called “DoubleClickjacking,” a sophisticated evolution of clickjacking attacks. Security researcher Paulos Yibelo identified this method, which manipulates the delay between two mouse clicks to trick users into authorizing sensitive actions, such as granting OAuth permissions, enabling account takeovers, or confirming transactions.

DoubleClickjacking bypasses modern browser protections like SameSite cookies and X-Frame-Options by exploiting the mousedown and click event sequence. The attack starts with a deceptive browser window, such as a CAPTCHA prompt, which closes after the first click, revealing a sensitive action like an authorization form. The second click, intended for the initial prompt, unwittingly triggers malicious actions.

Yibelo demonstrated the technique on major platforms like Salesforce, Slack, and Shopify. He proposed defenses, including client-side JavaScript disabling critical buttons until intentional interaction is detected and introducing a “Double-Click-Protection” HTTP header. Platforms like Dropbox and GitHub have already adopted these mitigations.
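As an added illustration of the client-side defense described above (example code written for this page, not Yibelo's code or any platform's own implementation; the names createDoubleClickGuard and attachGuard and the 500 ms dwell time are assumptions), the guard keeps a sensitive action disabled until the page has seen a genuine gesture and a short dwell time, so a click aimed at a window that has just closed cannot land on the button:

```javascript
// Added example: a sensitive action stays disabled until this page has seen
// an intentional gesture (mouse/pointer movement or a keypress) followed by a
// minimum dwell time. A bare click never arms the guard, which is the point:
// the second click of a DoubleClickjacking sequence arrives with no prior
// interaction on the page that now holds the button.
const INTENT_EVENTS = new Set(['mousemove', 'pointermove', 'touchmove', 'keydown']);

function createDoubleClickGuard({ minDwellMs = 500, now = Date.now } = {}) {
  const state = { armed: false, armedAt: 0, gestures: 0 };

  // Feed page-level events here; only intent events change the state.
  function handleEvent(type) {
    if (!INTENT_EVENTS.has(type)) return;
    state.gestures += 1;
    if (!state.armed) {
      state.armed = true;
      state.armedAt = now();
    }
  }

  // Ready only once armed and the dwell time since arming has elapsed.
  function isReady() {
    return state.armed && now() - state.armedAt >= minDwellMs;
  }

  // Wrap a sensitive click handler; the click is dropped unless ready.
  function guard(handler) {
    return function (event) {
      if (!isReady()) {
        if (event && typeof event.preventDefault === 'function') event.preventDefault();
        return { allowed: false, reason: 'no intentional interaction yet' };
      }
      handler(event);
      return { allowed: true };
    };
  }

  return { handleEvent, isReady, guard, state };
}

// Optional browser wiring (hypothetical helper): button starts disabled and is
// re-enabled only after the guard reports ready on a later intent event.
function attachGuard(button, guardObj, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return false;
  button.disabled = true;
  for (const type of INTENT_EVENTS) {
    doc.addEventListener(type, () => {
      guardObj.handleEvent(type);
      if (guardObj.isReady()) button.disabled = false;
    });
  }
  return true;
}
```

Pair the guard with a server-side confirmation step for actions such as OAuth grants; the client-side gate only removes the timing window, it is not an authorization check.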

FireScam targets sensitive info on Android devices. 

A new threat has emerged in the Android ecosystem, a stealthy malware known as FireScam, capable of harvesting sensitive information and monitoring user activities, according to research from Cyfirma. Disguised as “Telegram Premium,” FireScam spreads through a phishing website imitating the RuStore app store, hosted on a GitHub.io domain.

Once downloaded, FireScam’s installer gains control over the device by requesting extensive permissions. It lists installed apps, modifies storage, and prevents updates from other sources, ensuring its persistence. The malware tricks users into granting unrestricted background operation, further solidifying its grip on the system.

FireScam doesn’t stop at merely existing—it actively observes. It fingerprints devices, monitors applications, and registers a backdoor using Firebase Cloud Messaging, enabling remote commands. It tracks interactions, intercepts USSD communications, and exfiltrates data to a Firebase database.

By exploiting legitimate services and phishing tactics, FireScam showcases a chilling capacity to compromise privacy and security, highlighting the need for vigilance against evolving cyber threats.

ASUS issues a critical security advisory for several router models. 

ASUS has issued a critical security advisory for several router models, highlighting vulnerabilities (CVE-2024-12912 and CVE-2024-13062) in firmware versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. These flaws could allow authenticated attackers to execute arbitrary commands via the AiCloud feature, potentially compromising network security.

ASUS has released firmware updates and urges users to update immediately. To enhance security, the company advises using strong, unique passwords and disabling internet-accessible services on older routers. 

A former crypto boss faces extradition amidst allegations of defrauding investors out of more than $40 billion. 

Do Hyeong Kwon, the co-founder and former CEO of a cryptocurrency firm, has been extradited to the U.S. from Montenegro to face fraud charges. Appearing in a Manhattan court, Kwon, 33, is accused of defrauding investors in Terraform cryptocurrencies between 2018 and 2022, leading to losses exceeding $40 billion.

According to the Department of Justice, Kwon allegedly misrepresented Terraform’s stability and success, inflating the value of its cryptocurrencies. He claimed the Terra Protocol maintained a stablecoin’s dollar peg, exaggerated the independence of the Luna Foundation Guard, and fabricated partnerships, including with payment processor Chai. Despite early efforts to mask issues, a collapse in 2022 exposed systemic vulnerabilities, causing massive losses.

Kwon faces charges of commodities and securities fraud, wire fraud, and money laundering, with a potential 130-year prison sentence if convicted.

HHS unveils proposed updates to HIPAA. 

The U.S. Department of Health and Human Services (HHS) today unveiled a proposed overhaul of the HIPAA Security Rule, the first major update in over 20 years. The revisions aim to shift from a flexible, process-oriented approach to more prescriptive requirements, including mandatory encryption, multifactor authentication, and vulnerability scanning every six months.

Key proposals include annual technology asset inventories, network mapping, and a requirement to restore critical systems within 72 hours. Additionally, business associates must verify compliance with technical safeguards annually. Critics argue the 72-hour restoration mandate is unrealistic and could increase risks if systems are restored prematurely.

The update responds to surging healthcare data breaches, with incidents increasing 102% between 2018 and 2023. Compliance costs are estimated at $9 billion in the first year and $6 billion annually thereafter, raising concerns about the financial strain on small and rural healthcare providers. Public comments on the rule are open until March.

Millions of email servers have yet to enable encryption. 

Millions of email servers worldwide are sitting exposed, vulnerable to network sniffing attacks. According to ShadowServer, over 3.3 million IMAP and POP3 mail servers lack TLS encryption, leaving sensitive email data, including usernames and passwords, transmitted in plain text. IMAP, often used for accessing email across multiple devices, and POP3, which downloads emails to a single device, rely on TLS to protect data during transmission. Without it, these servers become easy targets for attackers.

ShadowServer has alerted mail server operators, urging them to enable TLS encryption or reassess the necessity of exposed services. Despite modern TLS 1.3 being introduced in 2018 and outdated versions retired by major tech companies in 2020, many servers remain unsecured. The NSA has also warned that outdated configurations allow attackers to intercept and manipulate traffic. The message is clear: without secure protocols, sensitive data is at significant risk.

Today, I speak with Co-Founder & CEO of RunSafe Security Joe Saunders about the complexities of safeguarding critical infrastructure amid the looming threat of cyber attacks and military conflict. And, CAPTCHAs now require you to beat Doom on nightmare mode—because identifying traffic lights was just too easy. We’ll be right back.

Welcome back.

Using Doom to prove you’re human. 

And finally, our classic gaming desk tells us that Guillermo Rauch, CEO at web platform provider Vercel, spent the holidays doing something a bit more intense than sipping eggnog—he created a CAPTCHA that requires users to slay three monsters in Doom on nightmare mode. Yes, instead of squinting at blurry traffic lights or clicking on crosswalks, you’ll need to channel your inner demon slayer.

CAPTCHAs have evolved from distorted text puzzles in 1997 to Google’s reCAPTCHA, which works quietly in the background. But bots are now better at solving CAPTCHAs than humans. Rauch’s Doom CAPTCHA, announced on New Year’s Eve, might be the most entertaining workaround yet—if you can survive the nightmare-level difficulty, where enemies are relentless, and your health bar drains faster than post-holiday enthusiasm.

It’s a fun tech demo, though admittedly unlikely to gain mainstream adoption. And while bots may one day conquer Doom, for now, it’s a CAPTCHA worth trying—if you dare.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.