The CyberWire Daily Podcast 3.27.25
Ep 2274 | 3.27.25

FamousSparrow’s sneaky resurgence.

Transcript

China’s FamousSparrow is back. A misconfigured Amazon S3 bucket exposes data from an Australian fintech firm. Researchers uncover a sophisticated Linux-based backdoor targeting industrial systems. Infiltrating the BlackLock Ransomware group’s infrastructure. Solar inverters in the security spotlight. Credential stuffing gets automated. CISA updates the Known Exploited Vulnerabilities catalog. The UK’s NCA warns of online groups involved in sadistic cybercrime and real-world violence. Authorities arrest a dozen individuals linked to the now-defunct Ghost encrypted communication platform. Our guest is Tal Skverer, Research Team Lead from Astrix, discussing the OWASP NHI Top 10 framework. Remembering our friend Matt Stephenson. 

Today is Thursday March 27th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

China’s FamousSparrow is back. 

China-linked hacking group FamousSparrow has resurfaced after years of apparent inactivity, targeting organizations in the U.S., Mexico, and Honduras, according to a March 26 report from ESET. Once known for exploiting the ProxyLogon flaw and focusing on hotels, the group has broadened its scope to include governments, research institutions, and law firms. The group used upgraded versions of its signature SparrowDoor backdoor and, for the first time, deployed the ShadowPad backdoor, often associated with other Chinese APTs. Although Microsoft previously suggested FamousSparrow is part of a larger cluster including Ghost Emperor and Salt Typhoon, ESET maintains it is a distinct group with limited overlap. The recent campaign began in June 2024 through web shells on outdated Windows Server and Exchange systems. The toolset combined custom malware and shared resources tied to other Chinese-aligned threat actors, showing a renewed and evolving cyber espionage capability.

A misconfigured Amazon S3 bucket exposes data from an Australian fintech firm. 

Cybersecurity researcher Jeremiah Fowler uncovered a major data exposure involving Australian fintech firm Vroom by YouX (formerly Drive IQ). A misconfigured Amazon S3 bucket left 27,000 sensitive records—including driver’s licenses, medical records, bank details, and partial credit card numbers—publicly accessible without password protection or encryption. Fowler also found evidence of a MongoDB instance holding 3.2 million documents, raising additional security concerns. Vroom, an AI-powered vehicle financing platform, quickly secured the exposed data and pledged a post-incident review. The records dated from 2022 to 2025, highlighting ongoing risks in data handling. Fowler stressed the potential for fraud, including identity theft and social engineering, and urged fintech firms to adopt stronger security measures. He emphasized end-to-end encryption, regular audits, and data minimization as key defenses. 
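The exposure above is the classic "bucket policy grants read access to everyone" misconfiguration. The following is an added example, not code from the report or from Vroom, of the audit check a defender would run over a bucket's policy document and its Block Public Access settings: it flags Allow statements whose principal is anonymous and whose actions include reads, then decides whether the grant is actually reachable given the RestrictPublicBuckets setting. Bucket names, ARNs and account id are constructed placeholders.

```python
import json

# Constructed policy granting anonymous read and list access (placeholder bucket name).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-fintech-uploads",
                     "arn:aws:s3:::example-fintech-uploads/*"],
    }],
})

# Hardened variant: same actions, but only a specific application role (constructed account id).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBackendRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-fintech-uploads",
                     "arn:aws:s3:::example-fintech-uploads/*"],
    }],
})

# Actions that expose object contents or listings; compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the principal is the wildcard, either bare or under a key such as 'AWS'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_read_statements(policy_json):
    """Return the Sids of unconditional Allow statements giving read actions to anyone.

    Statements carrying a Condition (for example a VPC endpoint restriction) are
    skipped here: they are not anonymous-public, but deserve a manual review.
    """
    doc = json.loads(policy_json)
    hits = []
    for index, statement in enumerate(_as_list(doc.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not is_anonymous(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(statement.get("Sid", f"statement-{index}"))
    return hits


def effective_exposure(policy_json, public_access_block):
    """Combine the policy with the bucket's Block Public Access configuration.

    RestrictPublicBuckets makes S3 ignore public grants in an attached policy;
    BlockPublicPolicy only rejects attaching such a policy, so an existing one is
    not neutralised by it. The dict mirrors the PublicAccessBlockConfiguration keys.
    """
    if not public_read_statements(policy_json):
        return "private"
    if public_access_block.get("RestrictPublicBuckets", False):
        return "public-grant-ignored"
    return "public"


if __name__ == "__main__":
    print("public policy:", effective_exposure(PUBLIC_READ_POLICY, {}))
    print("public policy, RestrictPublicBuckets on:",
          effective_exposure(PUBLIC_READ_POLICY, {"RestrictPublicBuckets": True}))
    print("restricted policy:", effective_exposure(RESTRICTED_POLICY, {}))
```

In practice the policy and Block Public Access settings would come from the bucket's GetBucketPolicy and GetPublicAccessBlock responses; the check itself is what matters for the "regular audits" the researcher recommends, and it treats the account-level block as a backstop rather than a reason to leave the anonymous grant in place.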

Researchers uncover a sophisticated Linux-based backdoor targeting industrial systems. 

Researchers at QiAnXin XLab uncovered OrpaCrab, a sophisticated Linux-based backdoor targeting ORPAK industrial systems tied to fuel services. Discovered in January 2024, the malware uses the MQTT protocol for covert command-and-control, blending in with legitimate traffic. It persists via startup scripts and encrypts configuration data with AES-256-CBC. It also uses DNS over HTTPS to evade detection. Linked to the CyberAv3ngers hacking group, OrpaCrab may have compromised Gasboy fuel systems, posing risks to payment terminals and customer data.

Infiltrating the BlackLock Ransomware group’s infrastructure. 

Earlier this month, cybersecurity firm Resecurity identified a critical vulnerability in the Data Leak Site (DLS) of BlackLock Ransomware, a ransomware-as-a-service group active since March 2024. This flaw allowed Resecurity’s HUNTER team to infiltrate BlackLock’s infrastructure, gathering intelligence on their operations, network configurations, and storage methods, including the use of MEGA accounts for exfiltrated data. The breach revealed that BlackLock had compromised at least 46 organizations across various sectors globally. Subsequent events in early 2025 suggest that rival ransomware group DragonForce may have exploited similar vulnerabilities, leading to the defacement and shutdown of BlackLock’s DLS and associated projects. These developments underscore the dynamic and volatile nature of cybercriminal enterprises. 

Solar inverters in the security spotlight. 

Researchers at Forescout’s Vedere Labs uncovered 46 critical vulnerabilities in solar inverters from Sungrow, Growatt, and SMA—three of the world’s top manufacturers. These flaws could allow attackers to remotely execute code, hijack devices via cloud platforms, and even disrupt power grids by altering inverter output. One vulnerability in SMA’s SunnyPortal allows remote code execution through malicious file uploads. Growatt inverters are particularly exposed due to easily exploitable APIs, while Sungrow’s architecture involves multiple vulnerabilities across components, including stack overflows and hard-coded credentials. Exploiting these could let attackers control fleets of inverters, potentially destabilizing grid operations by coordinating power surges or drops. Beyond grid disruption, attackers could compromise user privacy, hijack smart devices, or launch ransomware attacks. All vendors have reportedly issued patches. The findings highlight the urgent need for stronger security in renewable energy infrastructure and the potential consequences of compromised smart energy systems.

Credential stuffing gets automated. 

Credential stuffing, a long-standing cyber threat, has become more dangerous with the rise of Atlantis AIO, an advanced automation tool. This software allows attackers to test millions of stolen credentials rapidly across cloud platforms and email services, requiring minimal expertise. Its modular design evades detection through rotating proxies and distributed login attempts. Abnormal Security reports that since early 2025, Atlantis AIO has gained popularity in underground forums, enabling both novice and advanced attackers to carry out large-scale account compromises, data theft, and fraud.
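Rotating proxies defeat the simplest defence, a per-IP failure threshold, because each source address makes only one or two attempts. The added example below (not code from Abnormal Security or the tool's authors) shows the detection logic a defender would run over an authentication log instead: it keys on the overall failure ratio in a window and on accounts being tried from several distinct sources, both of which survive source rotation. The log format and the log lines are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed log format: ISO timestamp, OK|FAIL, account, source IP.
BASELINE_LOG = """\
2025-03-27T09:00:01Z OK alice@example.test 192.0.2.11
2025-03-27T09:00:05Z OK bob@example.test 192.0.2.12
2025-03-27T09:00:09Z FAIL carol@example.test 192.0.2.13
2025-03-27T09:00:15Z OK carol@example.test 192.0.2.13
2025-03-27T09:00:20Z OK dave@example.test 192.0.2.14
"""

# Constructed stuffing burst: every attempt from a different proxy address, so no
# single source is noisy; one real account (dave) is retried from three sources.
STUFFING_LOG = """\
2025-03-27T09:01:00Z FAIL user01@example.test 198.51.100.1
2025-03-27T09:01:01Z FAIL user02@example.test 198.51.100.2
2025-03-27T09:01:02Z FAIL user03@example.test 198.51.100.3
2025-03-27T09:01:03Z FAIL dave@example.test 198.51.100.4
2025-03-27T09:01:04Z FAIL user05@example.test 198.51.100.5
2025-03-27T09:01:05Z FAIL user06@example.test 198.51.100.6
2025-03-27T09:01:06Z FAIL dave@example.test 203.0.113.21
2025-03-27T09:01:07Z FAIL user08@example.test 203.0.113.22
2025-03-27T09:01:08Z FAIL user09@example.test 203.0.113.23
2025-03-27T09:01:09Z FAIL dave@example.test 203.0.113.24
2025-03-27T09:01:10Z FAIL user11@example.test 203.0.113.25
2025-03-27T09:01:11Z FAIL user12@example.test 203.0.113.26
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse(log_text):
    """Parse the constructed format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, result, user, ip = match.groups()
            events.append({"ts": ts, "ok": result == "OK", "user": user, "ip": ip})
    return events


def analyze(events, min_attempts=10, fail_ratio=0.6, ips_per_account=3, accounts_per_ip=5):
    """Score one window of login events for credential-stuffing activity.

    Signals (thresholds are assumptions):
      - failure_ratio: share of attempts that failed, independent of source address;
      - targeted_accounts: accounts with failures from >= ips_per_account distinct IPs;
      - noisy_sources: IPs failing against >= accounts_per_ip distinct accounts
        (the classic signal, which proxy rotation is designed to stay under).
    """
    failures = [e for e in events if not e["ok"]]
    ratio = len(failures) / len(events) if events else 0.0
    ips_by_user = defaultdict(set)
    users_by_ip = defaultdict(set)
    for e in failures:
        ips_by_user[e["user"]].add(e["ip"])
        users_by_ip[e["ip"]].add(e["user"])
    targeted = sorted(u for u, ips in ips_by_user.items() if len(ips) >= ips_per_account)
    noisy = sorted(ip for ip, users in users_by_ip.items() if len(users) >= accounts_per_ip)
    suspicious = len(events) >= min_attempts and (
        ratio >= fail_ratio or bool(targeted) or bool(noisy))
    return {
        "events": len(events),
        "failures": len(failures),
        "failure_ratio": ratio,
        "distinct_failing_sources": len({e["ip"] for e in failures}),
        "targeted_accounts": targeted,
        "noisy_sources": noisy,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print("baseline only:", analyze(parse(BASELINE_LOG)))
    print("baseline plus burst:", analyze(parse(BASELINE_LOG + STUFFING_LOG)))
```

With the burst included, no source address trips the per-IP rule, but the window's failure ratio and the three-source pattern against one account both do; that is the shape of alert to wire to step-up authentication or a temporary lockout on the affected accounts rather than on individual IPs.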

CISA updates the Known Exploited Vulnerabilities catalog. 

CISA has added two critical Sitecore CMS vulnerabilities, CVE-2019-9874 and CVE-2019-9875, to its Known Exploited Vulnerabilities catalog due to confirmed active exploitation. CVE-2019-9874 allows unauthenticated remote code execution via a deserialization flaw in the Sitecore.Security.AntiCSRF module, while CVE-2019-9875 requires authentication but uses the same attack vector. Both impact Sitecore versions up to 9.1.0. CISA has mandated that federal agencies patch affected systems by April 16, 2025. Organizations should apply available fixes or implement temporary access restrictions immediately.

The UK’s NCA warns of online groups involved in sadistic cybercrime and real-world violence. 

The UK’s National Crime Agency (NCA) has issued a stark warning about the rise of “Com” networks—online groups of sadistic, predominantly teen boys involved in cybercrime and real-world violence. These loosely organized groups use social media and messaging platforms to share extremist, violent, and child abuse content while engaging in crimes like phishing, SIM swapping, ransomware, and fraud. The NCA’s latest National Strategic Assessment highlights a six-fold increase in reported threats between 2022 and 2024, with thousands of offenders and victims in the UK and beyond. These networks often groom young girls, coercing them into self-harm or abuse. While foreign actors, particularly from Russia, still dominate the cybercrime landscape, the rise in homegrown youth involvement is alarming. Offenders seek profit, status, and notoriety. Recent convictions illustrate the danger, and the NCA stresses these groups aren’t hidden on the dark web—they thrive in mainstream digital spaces frequented by young users daily.

Authorities arrest a dozen individuals linked to the now-defunct Ghost encrypted communication platform. 

Yesterday, Irish and Spanish authorities arrested 12 individuals linked to a high-risk criminal network using the now-defunct Ghost encrypted communication platform. Ghost, dismantled in September 2024 during a Europol-led international operation, was used by organized crime groups to coordinate drug shipments between Spain and Ireland. Despite attempts to evade detection, investigators traced Ghost user accounts to the suspects, who smuggled cocaine and marijuana using vehicles with hidden compartments and cloned plates. Ghost, launched in 2015, offered ultra-secure messaging through modified smartphones with layered encryption and self-destruct features. The platform’s takedown previously resulted in 52 global arrests, including its alleged administrator. Europol continues to support ongoing investigations, and further arrests are expected as digital evidence from the platform is analyzed. 

Remembering our friend Matt Stephenson. 

The cybersecurity community has lost a true original. Matt Stephenson has passed away. Always the boldest dresser in the room, the man with the bowtie, the bright suit, the perfectly curated sneakers. And though he’s gone, his impact remains vivid in the hearts and minds of everyone lucky enough to orbit his world.

To me, Matt was more than a colleague or a professional voice. He was the voice—charismatic, quick-witted, endlessly curious, and instantly magnetic. He had a rare gift: the ability to make every interaction feel like a reunion with an old friend, whether you were meeting him for the first time or the hundredth. His energy was larger than life, and yet it was never about him. It was about connection—finding common ground in music, comics, sports, tech, sneakers, or whatever topic would light up a stranger’s face.

Even in the most professional spaces, Matt brought levity and humanity. His presence made cybersecurity feel a little less intimidating, a little more approachable, and a whole lot more fun.

He was a storyteller, a traveler, a collector, a showman—and from the stories shared by those closest to him, a fiercely loyal friend. He lived widely and openly, chasing memories across continents, from late-night karaoke to early morning flights, from deep conversations to laugh-until-you-cry moments in bars with bad music and questionable food. He officiated weddings. He got lost in London. He made the ordinary feel epic.

In the end, he was surrounded by the people he loved, wrapped in music, stories, and shared memories—a fitting sendoff for someone who lived his life as a celebration.

The cybersecurity world is quieter today without Matt’s booming voice, his trademark style, and his unshakable warmth. But the echo of his laugh, the weight of his kindness, and the stories he left behind will carry on in every room he once lit up.

Rest well, Matt Stephenson. You were unforgettable.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.