The CyberWire Daily Podcast 1.29.25
Ep 2234 | 1.29.25

Cats and RATS are all the rage.

Transcript

Hackers linked to China and Iran are using AI to enhance cyberattacks. An AI-powered messaging tool for Slack and Discord is reportedly leaking user data. British engineering giant Smiths Group suffers a cyberattack. Rockwell Automation details critical and high-severity vulnerabilities. Researchers warn of new side-channel vulnerabilities in Apple CPUs. The Hellcat ransomware gang looks to humiliate its victims. SparkRAT targets macOS users and government entities. Flashpoint looks at FleshStealer malware. Cybercriminals leverage trust in government websites. Our guest is Ivan Novikov, CEO at Wallarm, sharing insights on the recent United States ruling that bars certain Chinese and Russian connected car tech from being imported into the US. QR code shenanigans.

Today is Wednesday January 29th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Hackers linked to China and Iran are using AI to enhance cyberattacks. 

The Wall Street Journal, in an exclusive, says hackers linked to China, Iran, and other foreign governments are using AI, including Google’s Gemini chatbot, to enhance cyberattacks. These groups leverage AI for tasks like writing malicious code, identifying vulnerabilities, and researching targets. While Western officials have long warned about AI’s misuse, Google’s new findings provide concrete examples of adversaries utilizing generative AI.

Chinese and Iranian hacking groups are the most active users of Gemini, treating it as a research tool rather than a game-changing cyberweapon. North Korean hackers use AI for job application cover letters, aiding espionage efforts, while Russian groups use it sparingly for coding tasks.

In contrast, researchers at Sophos conclude that cybercriminals on underground forums remain largely skeptical about generative AI, with little evidence of its use in developing new exploits or malware. While some actors discuss ambitious AI applications, these remain theoretical. The primary concern is AI’s potential misuse for automating tasks like spamming, mass mailing, and data analysis, rather than creating novel threats. Many cybercriminals see AI as overhyped and unsuitable for complex operations. For now, most are taking a wait-and-see approach, assessing how AI could integrate into their workflows over time.

Meanwhile, China’s DeepSeek AI, with open-source code, raises concerns about unregulated misuse. U.S. intelligence officials warn that AI is becoming a crucial factor in global cyber and military strategies. Google urges tighter export controls and faster AI adoption in U.S. defense to maintain its technological edge.

An AI-powered messaging tool for Slack and Discord is reportedly leaking user data. 

Struct Chat, an AI-powered messaging tool for Slack and Discord, claims to prioritize privacy. However, Cybernews researchers found an exposed Apache Kafka Broker instance streaming user data without security measures. Despite multiple disclosure attempts, the leak remains open as of January 27, 2025, posing a severe risk to users.

The leak includes sensitive Slack data such as user names, emails, conversations, team details, and internal URLs. In just one hour, data from over 1,000 users across 200 companies was exposed. This information could be exploited for phishing, identity theft, or corporate espionage.

Struct Chat, which uses OpenAI’s ChatGPT for summaries, has not responded to inquiries. 

British engineering giant Smiths Group suffers a cyberattack. 

British engineering giant Smiths Group is working to restore systems following a cyberattack that led to unauthorized access. The company quickly isolated affected systems and activated business continuity plans. Smiths is collaborating with cybersecurity experts to assess the impact and comply with regulations. While the exact nature of the attack remains unclear, it may involve ransomware, as taking systems offline is a common response. No ransomware group has claimed responsibility. The company, with 15,000 employees worldwide, promises updates as needed.

Rockwell Automation details critical and high-severity vulnerabilities. 

Rockwell Automation has released six security advisories detailing critical and high-severity vulnerabilities in its products. In the FactoryTalk software, critical flaws in View Machine Edition and high-severity issues in View Site Edition could allow remote and local attackers to execute commands or access system configurations.

Other vulnerabilities include a critical SQLite flaw in DataMosaix Private Cloud, a DoS issue in the ICE2 controller, and credential exposure in PowerFlex 755. While there is no evidence of active exploitation, CISA has issued advisories, urging organizations to apply patches to protect industrial automation systems from potential threats.

Researchers warn of new side-channel vulnerabilities in Apple CPUs. 

Security researchers from the Georgia Institute of Technology and Ruhr University Bochum have discovered new side-channel vulnerabilities in modern Apple processors that could leak sensitive information from web browsers. Named FLOP and SLAP, these attacks exploit flaws in speculative execution, the same underlying issue behind Spectre and Meltdown.

The attacks target M2/A15 and newer Apple CPUs, which predict memory addresses and data values to speed up processing. However, mispredictions can expose sensitive information, potentially allowing attackers to bypass browser sandboxes and steal data in Safari and Chrome via malicious JavaScript or WebAssembly code.

The researchers disclosed SLAP in March 2024 and FLOP in September 2024. Apple acknowledged the flaws and pledged to address them, but no fixes have been released. The company stated that it does not see an immediate risk to users, though researchers warn of real-world security implications.

The Hellcat ransomware gang looks to humiliate its victims. 

The Hellcat ransomware gang, emerging in 2024, employs a ransomware-as-a-service (RaaS) model but stands out for its humiliating tactics against victims. According to Cato researchers, Hellcat uses psychological pressure alongside standard double extortion, threatening to leak stolen data if ransoms aren’t paid.

Notable attacks include Schneider Electric, where hackers demanded $125,000 in baguettes instead of cash. They also leaked 40GB of sensitive data. Other targets include a U.S. university ($1,500 for root access), a French energy company ($500), and an Iraqi city government ($300).

Hellcat prioritizes public embarrassment over financial gain, selling access to compromised systems cheaply rather than demanding large ransoms. Their approach signals an evolution in cyber extortion, blending traditional financial motives with psychological warfare to pressure victims.

SparkRAT targets macOS users and government entities. 

Moving from cats to rats, researchers from Hunt.io have uncovered new SparkRAT operations, exposing its persistent use in cyber espionage against macOS users and government entities. Originally released on GitHub in 2022 by XZB-1248, SparkRAT is a cross-platform Remote Access Trojan (RAT) targeting Windows, macOS, and Linux.

Linked to North Korean (DPRK) cyber campaigns, SparkRAT has been distributed via fake meeting platforms and gaming sites. Researchers at Hunt.io and Cato Networks identified C2 servers in Korea and Singapore using port 8000 for communication. An Android APK (one68[.]top) linked to SparkRAT further extends its attack surface.

Analysts recommend monitoring HTTP headers, JSON error messages, and network traffic for detection. Hunt, Cato Networks, and other cybersecurity researchers continue investigating SparkRAT’s evolving infrastructure and tactics to mitigate this growing threat.

Flashpoint looks at FleshStealer malware. 

Researchers at Flashpoint look at FleshStealer, a credential-stealing malware that first emerged in September 2024. Written in C#, it uses encryption to evade detection and terminates itself if debugging is detected. It also avoids execution in virtual machine (VM) environments, preventing forensic analysis.

FleshStealer targets Chromium and Mozilla-based browsers, extracting credentials, crypto wallet data, and 2FA extensions from 70+ sources. It can reset Google cookies for further exploitation. The malware is lightweight (150–300KB) and offers 24/7 support for cybercriminals, with logs decrypted directly on its web-based control panel.

Cybercriminals leverage trust in government websites. 

For nearly two years, cybercriminals have been quietly exploiting vulnerabilities in government websites, using their trusted .gov domains to launch phishing campaigns. According to Cofense Intelligence, attackers have turned these sites into weapons, leveraging them to host credential phishing pages, act as command-and-control (C2) servers, and redirect unsuspecting users to malicious destinations.

A particularly insidious tactic is the abuse of open redirects, where a compromised government site unknowingly forwards visitors to phishing links. Victims, seeing a trusted government address, click without hesitation—only to land on pages designed to steal their credentials.

The United States, Brazil, and Colombia have been among the hardest hit, with U.S. government domains accounting for 9% of total cases. In most instances, these domains were exploited to bypass email security gateways (SEGs) like Microsoft ATP, Proofpoint, and Mimecast, ensuring phishing emails reached inboxes undetected.

What’s most alarming is how deliberate this campaign appears. Instead of opportunistically attacking any vulnerable site, cybercriminals first design their phishing campaigns and then seek out compromised government domains to give their attacks credibility. Their strategy is methodical, their execution precise.
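The open-redirect abuse described in this segment comes down to a site honouring a "where to go next" parameter without checking that the destination stays on its own host. The following is an added example, not code from the episode or from Cofense's report: a server-side validator that a site can apply before issuing a redirect, plus a small triage helper that flags links in inbound mail whose redirect parameter points off the trusted host. The hostnames, parameter names and sample links are constructed for illustration.

```python
"""Added example (not from the CyberWire episode or Cofense's report):
defender-side handling of the open-redirect pattern described above.

  1. safe_redirect_target(): validation a site applies before honouring a
     ?next= / ?url= style parameter, so a trusted host cannot be used to
     forward visitors to an arbitrary domain.
  2. flag_external_redirects(): a triage helper for links seen in inbound
     mail, flagging those whose redirect parameter names a foreign host.

Hostnames, parameter names and sample URLs below are constructed.
"""
from urllib.parse import parse_qs, urljoin, urlparse

# Query-parameter names commonly used to carry a post-action destination.
# Constructed list; tune it to what the site or mail feed actually uses.
REDIRECT_PARAMS = ("url", "next", "redirect", "return", "goto", "dest")

# Constructed sample links, as they might appear in a phishing email.
SAMPLE_LINKS = [
    "https://portal.example.gov/exit?url=https://login-verify.example.net/office",
    "https://portal.example.gov/account?next=/profile",
    "https://portal.example.gov/go?redirect=//cdn-docs.example.org/doc.pdf",
    "https://portal.example.gov/news/article-42",
]


def safe_redirect_target(target: str, trusted_host: str) -> str:
    """Return a redirect target that stays on trusted_host, or '/' otherwise.

    The target is resolved against the trusted origin first, so relative
    paths, scheme-relative forms ('//other.example') and backslash variants
    are all compared by their resolved hostname rather than by string prefix.
    """
    resolved = urlparse(urljoin(f"https://{trusted_host}/", target.replace("\\", "/")))
    if resolved.scheme not in ("http", "https"):
        return "/"
    if resolved.hostname is None or resolved.hostname != trusted_host.lower():
        return "/"
    # Re-emit only path, query and fragment so the Location header never
    # carries a host the caller supplied.
    path = resolved.path or "/"
    if resolved.query:
        path += "?" + resolved.query
    if resolved.fragment:
        path += "#" + resolved.fragment
    return path


def flag_external_redirects(urls):
    """Return (url, parameter, external_host) for each link whose redirect
    parameter resolves to a host other than the link's own host."""
    findings = []
    for url in urls:
        outer = urlparse(url)
        if outer.hostname is None:
            continue
        params = parse_qs(outer.query, keep_blank_values=True)
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                inner = urlparse(urljoin(url, value.replace("\\", "/")))
                if inner.hostname and inner.hostname != outer.hostname:
                    findings.append((url, name, inner.hostname))
    return findings


if __name__ == "__main__":
    for link, param, host in flag_external_redirects(SAMPLE_LINKS):
        print(f"external redirect via '{param}' to {host}: {link}")
    print(safe_redirect_target("https://login-verify.example.net/office", "portal.example.gov"))
```

The design point is to compare resolved hostnames rather than to check that a string starts with the site's own URL; prefix checks are exactly what scheme-relative and lookalike-subdomain destinations slip past. The triage helper is deliberately noisy: a legitimate link to a CDN will also be flagged, which is the right default when the goal is to find trusted domains being used as a hop.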


After the break, I speak with Wallarm’s CEO Ivan Novikov about the recent United States ruling that bars certain Chinese and Russian connected car tech from being imported into the US and its impact. And, it really is all how you look at things. We’ll be right back.

Welcome back.

QR code shenanigans. 

And finally, there’s a popular optical illusion that features the faces of Albert Einstein and Marilyn Monroe superimposed over one another. Depending on how far away you are from the image, you see either Albert or Marilyn, and if you vary your distance the two faces seemingly morph back and forth. The illusion takes advantage of the way our visual systems interpret contrast and sharpness, and how our brains prefer to lock in to the familiar. 

Curious researchers wondered if the same effect could be applied to QR codes. In a post on Mastodon, Guy Dupont experimented with using lenticular lenses on QR codes to activate one of two different URLs, depending on the angle the code was viewed at. Christian Walther took it to the next level, creating a version with no lens required, taking advantage of the previously mentioned peculiarities of perceived contrast and sharpness.

Spoiler alert - it works! Depending on the distance your camera is from the QR code, you will be directed to one of two unrelated URLs. 

Needless to say, this opens up a whole new world of possibilities for QR code shenanigans. We will have a link in the show notes. See for yourself - it’s fun, and not just a little bit unnerving. 


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.