The CyberWire Daily Podcast 1.8.25
Ep 2220 | 1.8.25

A new Mirai-based botnet.

Transcript

Researchers ID a new Mirai-based botnet. Android devices get their first round of updates for the new year. Criminals exploit legitimate Apple and Google services in sophisticated voice phishing attacks. Japan attributes over 200 cyberattacks to the Chinese hacking group MirrorFace. A PayPal phishing scam exploits legitimate platform functionality. SonicWall addresses critical vulnerabilities in its SonicOS software. CISA warns of active exploitation of vulnerabilities in Mitel MiCollab. A new government-backed labeling program hopes to help consumers choose more secure devices. On today’s CertByte segment, Chris Hare and Steven Burnley unpack a question from N2K’s ISC2® Certified in Cyber Security (CC) Practice Test. Streaming license plate readers - no password required.

Today is January 8th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers ID a new Mirai-based botnet. 

Security researchers have identified a new Mirai-based botnet, offensively named “gayfemboy,” which uses zero-day exploits to target industrial routers and smart home devices. Discovered by Qi’anxin XLab in February 2024, the botnet evolved from a standard Mirai variant to a sophisticated threat. It exploits over 20 vulnerabilities, including a zero-day flaw in Four-Faith routers (CVE-2024-12856) and unassigned vulnerabilities in Neterbit routers and Vimar smart home devices.

With around 15,000 active IPs across China, Russia, the US, Iran, and Turkey, the botnet launches frequent DDoS attacks, peaking in late 2024. Its targets span multiple sectors, and even XLab researchers were attacked after registering command-and-control domains for analysis. Lacking DDoS mitigation, XLab eventually ceased their investigation to avoid further disruptions.

Android devices get their first round of updates for the new year. 

Google has released its first Android security updates for 2025, addressing 36 vulnerabilities, including five critical remote code execution (RCE) bugs in the System component. The update, split into two parts, begins with the 2025-01-01 patch level, which fixes 24 issues in Android’s Framework, Media Framework, and System components. The critical RCE flaws (CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748) affect Android versions 12 through 15.

The 2025-01-05 patch level resolves an additional 12 vulnerabilities in Imagination Technologies, MediaTek, and Qualcomm components, covering all 36 flaws. Google also patched a critical RCE bug in Pixel devices’ baseband subcomponent (CVE-2024-53842).

While there’s no evidence of exploitation in the wild, Google urges users to update promptly. Android Automotive OS and Wear OS devices will also receive the 2025-01-05 patch.

Criminals exploit legitimate Apple and Google services in sophisticated voice phishing attacks. 

Cybercriminals are exploiting legitimate Apple and Google services in sophisticated voice phishing attacks, as revealed by KrebsOnSecurity. These scammers trick users into believing they’re interacting with Apple or Google by sending notifications, emails, and account recovery prompts using spoofed identities.

One case involved a cryptocurrency investor who lost $4.7 million after scammers used Google Assistant and fake recovery emails to deceive him. The scammers leveraged Apple’s support line to generate legitimate “account confirmation” prompts, reinforcing their authenticity. A leaked phishing panel video demonstrated how scammers tricked a musician into revealing his Apple credentials.

A phishing group, dubbed “Crypto Chameleon,” also targeted cryptocurrency exchanges and high-profile individuals, including billionaire Mark Cuban, who lost $43,000 in crypto. These groups rely on leaked data, phishing kits, and tools like “autodoxers” to refine targets. Despite their innovation, internal betrayal and law enforcement remain persistent threats to these criminal operations.

Japan attributes over 200 cyberattacks to the Chinese hacking group MirrorFace. 

Japan has attributed over 200 cyberattacks since 2019 to the Chinese hacking group MirrorFace, targeting national security and advanced technology data. The attacks focused on the Foreign and Defense ministries, the space agency, and private sector entities, using tactics like phishing emails referencing geopolitical topics and exploiting VPN vulnerabilities. Notable incidents include breaches at JAXA and disruptions at Nagoya’s port and Japan Airlines. Experts urge Japan to strengthen cybersecurity as it enhances defense cooperation with the U.S. and allies.

Elsewhere in Japan, Casio confirmed a ransomware attack in October compromised the personal data of nearly 8,500 individuals, including 6,500 employees, 1,900 business partners, and 91 customers. Data exposed included names, email addresses, and sensitive information like taxpayer IDs and birth dates. The Russia-linked Underground ransomware gang claimed responsibility, stealing over 200GB of data. Casio attributed the breach to phishing and declined to negotiate with the attackers. While most systems are restored, some services remain offline. No credit card data was compromised.

A PayPal phishing scam exploits legitimate platform functionality. 

Fortinet’s FortiGuard Labs has uncovered a sophisticated PayPal phishing scam exploiting legitimate platform functionality. Scammers use genuine-looking emails with valid sender addresses to direct users to PayPal’s login page under the guise of investigating a payment request. The attack leverages a Microsoft 365 test domain and Distribution Lists to send legitimate PayPal money requests, bypassing traditional phishing checks through Microsoft 365’s Sender Rewriting Scheme (SRS).

Victims unknowingly link their PayPal accounts to the scammer’s, granting attackers potential control over finances. Unlike traditional phishing, this scam uses authentic emails and URLs, making detection harder. Fortinet’s CISO Carl Windsor emphasized the need for vigilance, urging users to verify URLs, avoid unsolicited links, and enable two-factor authentication (2FA). The scam highlights the critical role of cybersecurity awareness in protecting against increasingly sophisticated attacks.
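The defensive angle on the scam above is that the money request is a genuine PayPal message relayed through someone else's Microsoft 365 tenant, so sender authentication passes and only the envelope and recipient headers give it away. The following is an added example written for this transcript, not code from Fortinet or from the podcast: a small header triage that recognises an SRS-rewritten Return-Path, recovers the original sender and the forwarding domain, and flags brand mail that arrived through a third-party forwarder or that never named the mailbox in To/Cc (the distribution-list pattern). The two SRS layouts it parses (the classic `SRS0=` form and the Microsoft 365 `tag+SRS=` form) are assumptions from public SRS descriptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Two SRS local-part layouts (assumed from public SRS descriptions, not page data):
#   classic SRS0:   SRS0=HHH=TT=original-domain=original-local@forwarder
#   Microsoft 365:  tag+SRS=HHH=TT=original-domain=original-local@forwarder
SRS_PATTERNS = (
    re.compile(r"^SRS0=[^=]+=[^=]+=(?P<odom>[^=]+)=(?P<oloc>.+)$", re.IGNORECASE),
    re.compile(r"^[^+]+\+SRS=[^=]+=[^=]+=(?P<odom>[^=]+)=(?P<oloc>.+)$", re.IGNORECASE),
)


def parse_srs(return_path):
    """If the Return-Path is SRS-rewritten, return (original_sender, forwarding_domain)."""
    _, addr = parseaddr(return_path)
    if "@" not in addr:
        return None
    local, fwd_domain = addr.rsplit("@", 1)
    for pattern in SRS_PATTERNS:
        m = pattern.match(local)
        if m:
            return f"{m['oloc']}@{m['odom']}".lower(), fwd_domain.lower()
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message, mailbox, watched_domains=("paypal.com",)):
    """Triage one RFC 822 message; returns the parsed SRS info plus a list of findings."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    srs = parse_srs(msg.get("Return-Path", ""))
    if srs:
        original_sender, fwd_domain = srs
        # Brand mail whose bounce address now belongs to an unrelated forwarder.
        if from_domain in watched_domains and fwd_domain != from_domain:
            findings.append(f"{from_domain} mail relayed through forwarder {fwd_domain}")
        # The SRS payload claims a different origin than the visible From header.
        if domain_of(original_sender) != from_domain:
            findings.append(
                f"SRS original sender {original_sender} does not match From domain {from_domain}"
            )

    # Distribution-list expansion: the recipient's own address never appears in To/Cc.
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox.lower() not in visible:
        findings.append(f"mailbox {mailbox} absent from To/Cc (list expansion?)")

    return {"from": from_addr, "srs": srs, "findings": findings}


# Constructed sample: a genuine-looking brand message relayed via a tenant's list.
SUSPECT_MSG = """\
Return-Path: <bounces+SRS=a1b2c=3F=paypal.com=service@billingdesk.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: Billingdesk Users <billingdesk@billingdesk.onmicrosoft.com>
Subject: You have a money request
Authentication-Results: spf=pass smtp.mailfrom=billingdesk.onmicrosoft.com

Please log in to review the request.
"""

# Constructed sample: direct delivery from the brand to the mailbox itself.
CLEAN_MSG = """\
Return-Path: <service@paypal.com>
From: PayPal <service@paypal.com>
To: victim@example.org
Subject: Your receipt

Thanks for your payment.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("clean", CLEAN_MSG)):
        print(label, assess(raw, "victim@example.org")["findings"])
```

Neither signal is proof of fraud on its own; legitimate forwarding rules produce SRS rewrites every day. The point is that when a payment brand's mail reaches a user by way of an unrelated forwarding domain and the user is not a named recipient, that combination deserves a review queue rather than the inbox, regardless of what SPF and DKIM say.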

SonicWall addresses critical vulnerabilities in its SonicOS software. 

SonicWall has issued a security advisory addressing four critical vulnerabilities in its SonicOS software, affecting various firewall models and cloud platforms. These include a weak pseudo-random number generator (CVE-2024-40762), improper authentication in SSLVPN (CVE-2024-53704), a server-side request forgery flaw (CVE-2024-53705), and privilege escalation in Gen7 Cloud platforms (CVE-2024-53706). With CVSS scores ranging from 6.5 to 8.2, these vulnerabilities could allow attackers to bypass authentication, escalate privileges, or establish unauthorized connections. SonicWall urges immediate updates and limiting SSLVPN and SSH management access to trusted sources. No exploitation in the wild has been reported.

CISA warns of active exploitation of vulnerabilities in Mitel MiCollab. 

CISA has warned of active exploitation of two vulnerabilities in Mitel MiCollab: CVE-2024-41713, a critical path traversal flaw (CVSS 9.8), and CVE-2024-55550, a low-severity issue (CVSS 2.7). The critical bug allows unauthorized administrative actions, while the low-severity flaw requires admin credentials and cannot modify files or escalate privileges. Mitel addressed the critical flaw and mitigated the other in MiCollab version 9.8 SP2. CISA urges organizations to patch by January 28, per federal mandates, to mitigate potential risks.

A new government-backed labeling program hopes to help consumers choose more secure devices. 

The U.S. government is launching the Cyber Trust Mark Initiative, a voluntary labeling program to help consumers identify smart devices with robust cybersecurity protections. Devices like baby monitors, security cameras, fitness trackers, and smart appliances can carry the label if they meet federal cybersecurity standards. The label includes a shield logo and QR code for detailed security information, such as whether manufacturers provide software updates.

Major brands like Amazon, Google, and Samsung are participating, with labeled products expected this year. The initiative, led by the FCC and inspired by the Energy Star program, aims to inform consumers while encouraging manufacturers to improve device security. With the average home containing 21 connected devices, this program seeks to reduce vulnerabilities that cybercriminals could exploit.

We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Steven Burnley to break down a question from N2K’s ISC2® Certified in Cyber Security (CC) Practice Test. And, turning your insecure license plate cameras into a DIY Big Brother kit! We’ll be right back.

Welcome back. Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Steven talked about. 

We’ll be right back.

Welcome back.

Streaming license plate readers - no password required. 

And finally, Motorola’s automated license plate readers (ALPRs) are unintentionally moonlighting as livestreaming surveillance tools, thanks to misconfigurations exposing them to the unsecured internet. Security researcher Matt Brown found that some of these cameras, intended for private networks, are accidentally broadcasting video and license plate data online for anyone with the right tools to access. Using the IoT search engine Censys, Brown located streams showing color and infrared footage, along with real-time plate data, no login required.

Privacy advocate Will Freeman turned this oversight into a proof-of-concept nightmare, crafting a tool that decodes and timestamps car movements into spreadsheets. Want to track a stranger’s daily commute? There’s an app for that (theoretically, of course). Freeman warns this exposure underscores how risky ALPRs are to privacy, despite claims they’re “harmless unless you’re a criminal.”

Motorola promises a firmware update to address these issues. Until then, some cameras remain accidental livestreamers, mapping your every move.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.