
New sandbox escape looks awfully familiar.
Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability. Russia-based RedCurl gang deploys ransomware for the first time. Ukraine's railway operator recovers from cyberattack. India cracks down on Google’s billing monopoly. Morphing Meerkat's phishing kit abuses DNS mail exchange records. 300,000 attacks in three weeks. Our guest is Chris Wysopal (Wise-so-pal), Founder and Chief Security Evangelist of Veracode, who sits down with Dave to discuss the increase in the average fix time for security flaws. And Liz Stokes joins with another Fun Fact Friday.
Today is Friday, Mar 28, 2025. I’m Maria Varmazis, in for Dave Bittner. And this is your CyberWire Intel Briefing.
Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability.
Mozilla has issued a patch for a critical Firefox vulnerability that could allow attackers to perform sandbox escapes on Windows, the Register reports. The flaw is similar to an actively exploited vulnerability (CVE-2025-2783) patched by Google in the Chrome browser earlier this week. The Chrome vulnerability, which Kaspersky says was being exploited to target Russian entities and individuals, enabled attackers to bypass the browser's sandbox protections as soon as the victim clicked on a phishing link.
Mozilla stated, "Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our inter-process communication (IPC) code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape."
Russia-based RedCurl gang deploys ransomware for the first time.
Bitdefender says the Russia-based threat actor "RedCurl," which has been conducting data theft since 2018, has launched its first ransomware campaign. RedCurl is a mysterious group whose motivations are unclear: the threat actor seems to be financially motivated, but there's no evidence that it extorts its victims after stealing their data. Bitdefender hypothesizes that RedCurl is either a mercenary hacker group conducting corporate espionage or that it conducts extortion negotiations discreetly. The researchers note that the former hypothesis "could potentially explain their current interest in ransomware that targets infrastructure, rather than endpoint computers. In a mercenary model, ransomware could serve as a diversion, masking the true objective: a targeted data exfiltration operation."
In this recent campaign, the group deployed a new strain of ransomware dubbed "QWCrypt," targeting only hypervisors. Bitdefender explains, "This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort. By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services. Interestingly, they deliberately excluded specific VMs that acted as network gateways, demonstrating their familiarity with the network implementation."
Ukraine's railway operator recovers from cyberattack.
Ukraine's state railway operator, Ukrzaliznytsia, has restored online ticket sales following a cyberattack earlier this week, the Record reports. The incident didn't affect train schedules, but online services were disrupted for several days. The company hasn't shared details on the attack, but said no sensitive information was compromised. Ukraine's Ministry of Justice assisted in the recovery.
Passengers who purchased paper tickets during the cyberattack will be offered free tea onboard.
India cracks down on Google’s billing monopoly.
In a significant ruling, an Indian appeals court has upheld the Competition Commission of India's (CCI) determination that Google's app store billing policies are anti-competitive and detrimental to developers. This decision mandates that Google must permit alternative billing systems for in-app purchases on its platform, challenging its current practices. The ruling aligns with increasing global scrutiny over Google's dominance in the app marketplace and its imposition of restrictive billing practices. This ruling illustrates the mounting regulatory challenges Google faces worldwide regarding its app store operations.
Morphing Meerkat's phishing kit abuses DNS mail exchange records.
Infoblox has published a report on a phishing kit that uses DNS mail exchange (MX) records to dynamically serve phishing pages that spoof over a hundred brands. MX records specify which mail server is responsible for receiving incoming emails sent to a domain. In this case, the phishing kit uses MX records "to identify the victim’s email service provider and dynamically serve fake login pages." The kit is designed to harvest email user login credentials, and is currently able to impersonate 114 brands.
The threat actor behind this activity, dubbed "Morphing Meerkat," has been peddling its phishing-as-a-service (PhaaS) platform since at least January 2020.
A banking trojan that just won’t die.
The Grandoreiro banking trojan has resurfaced in new phishing campaigns targeting users in Latin America and Europe. Active since at least 2016, Grandoreiro initially focused on Brazil but expanded to Mexico, Portugal, and Spain around 2020. Despite law enforcement efforts in 2021 and 2024, including the arrest of several operators, the trojan persists. By early 2024, it targeted over 1,500 banking applications across more than 60 countries, impersonating government entities from Argentina, Mexico, and South Africa. Later that year, its scope widened to 1,700 banks and 276 cryptocurrency wallets, extending into Asia and establishing it as a global financial threat. Recent campaigns involve phishing emails masquerading as tax agency communications, particularly in Argentina, Mexico, and Spain. These emails utilize legitimate hosting services like Contabo and OVHcloud, directing victims to download malicious files from platforms such as Mediafire. Once executed, the malware steals credentials, searches for Bitcoin wallet directories, and connects to a command-and-control server. To mitigate risks, users should exercise caution with unsolicited emails, especially those claiming to be from tax authorities, and employ robust cybersecurity tools to detect and prevent such threats.
Beware—malicious ads deliver malware.
Threat actors are exploiting the growing popularity of the Chinese artificial intelligence platform DeepSeek by distributing malware through counterfeit sponsored ads on Google. Users searching for DeepSeek encounter malicious advertisements that redirect them to convincingly crafted fake websites. These sites prompt users to download a file, which, when executed, deploys a Microsoft Intermediate Language-based trojan identified as Malware.AI.1323738514. This malware poses significant security risks, including unauthorized access and data theft. Security experts advise users to exercise caution by avoiding sponsored search results, verifying website URLs before downloading software, and considering the use of ad-blockers to minimize exposure to such threats. This campaign coincides with increasing scrutiny of DeepSeek, leading to bans in regions like Texas over data privacy concerns.
300,000 attacks in three weeks.
GorillaBot, a sophisticated botnet built upon the Mirai framework, has executed over 300,000 attack commands across more than 100 countries within a three-week period. Discovered by the NSFOCUS Global Threat Hunting team, GorillaBot targets industries including telecommunications, finance, and education. It infects devices by exploiting vulnerabilities in Internet of Things (IoT) systems and poorly secured endpoints, converting them into instruments for distributed denial-of-service (DDoS) attacks and other malicious activities. The malware employs advanced encryption and anti-debugging techniques, such as a custom XTEA-like cipher for securing command-and-control communications and mechanisms to detect virtualized analysis environments, making detection and analysis challenging. To mitigate the risk posed by GorillaBot, organizations are advised to regularly patch vulnerabilities in IoT devices, deploy advanced intrusion detection systems capable of identifying encrypted communications, and utilize real-time malware behavior analysis tools.
Stick around—after the break, Dave chats with Chris Wysopal, Founder and Chief Security Evangelist at Veracode, about why the average time to fix security flaws is on the rise. Plus, our very own Producer, Liz Stokes, has a fun fact about passwords that you won’t want to miss!
Dave recently caught up with Chris Wysopal, Founder and Chief Security Evangelist at Veracode. They explored the growing delays in security flaw remediation and the surprising percentage of organizations that carry critical security debt for over a year. Here’s their conversation.
That was Chris Wysopal, Founder and Chief Security Evangelist at Veracode. If you enjoyed the discussion, make sure to tune in daily for more expert insights on the latest industry trends.
That was Liz Stokes with Fun Fact Friday! If you enjoyed that and want to hear more of her fascinating facts, head over to our N2K YouTube page for a treasure trove of fun and interesting tidbits.
Be sure to join us for an all new Research Saturday, where Dave sits down with Jon Williams, Vulnerability Researcher at Bishop Fox, to discuss their research on "Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware." That’s Research Saturday; check it out.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.