The CyberWire Daily Podcast 6.25.25
Ep 2336 | 6.25.25

Open-source, open season.

Transcript

Cybercriminals target financial institutions across Africa using open-source tools. Threat actors are using a technique called Authenticode stuffing to abuse ConnectWise remote access software. A fake version of SonicWall’s NetExtender VPN app steals users’ credentials. CISA and the NSA publish a guide urging the adoption of Memory Safe Languages. Researchers identify multiple security vulnerabilities affecting Brother printers. Fake AI-themed websites spread malware. Researchers track a sharp rise in signup fraud. A new Common Good Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services. Tim Starks from CyberScoop joins us to discuss calls for a federal cyberinsurance backstop. A Moscow court says ‘nyet’ to more jail time for cyber crooks.

Today is Wednesday, June 25th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cybercriminals target financial institutions across Africa using open-source tools. 

Research from Palo Alto Networks’ Unit 42 reveals that cybercriminals tracked as CL-CRI-1014 are targeting financial institutions across Africa using open-source tools in a consistent attack playbook. These actors likely act as initial access brokers, selling access on the dark web. Tools like PoshC2, Chisel, and Classroom Spy, normally used for penetration testing and remote administration, are repurposed to move laterally, maintain persistence, and exfiltrate data. The attackers disguise these tools using forged signatures and names resembling legitimate software. Notably, they’ve shifted from using MeshAgent to Classroom Spy, which enables full remote control and monitoring. They also employ tunneling via Chisel and tailor implants to each environment. The attackers use PowerShell scripts, stolen credentials, and proxy setups to evade detection and maintain access. This campaign highlights growing threats to Africa’s financial sector from actors leveraging free tools with professional-level precision.

Threat actors are using a technique called Authenticode stuffing to abuse ConnectWise remote access software. 

Threat actors are abusing ConnectWise remote access software by injecting malicious code using a technique called Authenticode stuffing, according to G Data. This method hides malware inside the software’s certificate table without breaking its digital signature, allowing the altered application to pass security checks. The attackers exploit a ConnectWise workaround that stores config data in the certificate table, intended for customizing installers, by stuffing it with malicious payloads instead. In a campaign dubbed EvilConwi, modified ConnectWise clients are disguised as tools like AI image converters. These versions even fake Windows updates and hide installation indicators to avoid detection. Since March 2025, G Data has seen a spike in such attacks. ConnectWise revoked the compromised signatures after being alerted, but the issue raises concerns about exploitable trust in signed software.
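As an added illustration (not part of the CyberWire transcript or G Data's research), the Python below parses one WIN_CERTIFICATE entry from a PE security directory and flags bytes that sit after the DER-encoded PKCS#7 SignedData but inside dwLength, the region an Authenticode signature does not cover. The two sample entries are constructed stand-ins built in the block, not real signed binaries.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_tlv_len(buf, off=0):
    """Total size (tag + length field + content) of the DER element at buf[off]."""
    if len(buf) < off + 2:
        raise ValueError("truncated DER header")
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < off + 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def analyze_win_certificate(entry):
    """Parse a WIN_CERTIFICATE entry and report bytes that follow the PKCS#7
    SignedData but still fall inside dwLength. Authenticode only covers the
    SignedData, so any such bytes are carried by the blob unsigned."""
    if len(entry) < 8:
        raise ValueError("truncated WIN_CERTIFICATE header")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected wCertificateType 0x{cert_type:04x}")
    body = entry[8:dw_length]
    if body[:1] != b"\x30":               # SignedData is a DER SEQUENCE
        raise ValueError("bCertificate does not start with a SEQUENCE")
    p7_len = der_tlv_len(body)
    slack = body[p7_len:]
    # Up to 7 zero bytes of 8-byte alignment padding is normal; anything
    # longer or non-zero is data riding inside the signature blob.
    suspicious = len(slack) > 7 or any(slack)
    return {"dwLength": dw_length, "pkcs7_len": p7_len,
            "slack_len": len(slack), "slack": slack, "suspicious": suspicious}

def build_sample_entry(extra=b""):
    """Constructed test data: a fake SignedData SEQUENCE of 301 zero bytes
    (not a real signature) plus optional trailing bytes, 8-byte aligned."""
    der = b"\x30\x82" + (301).to_bytes(2, "big") + b"\x00" * 301
    body = der + extra
    body += b"\x00" * (-len(body) % 8)
    return struct.pack("<IHH", 8 + len(body), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body

CLEAN_ENTRY = build_sample_entry()
STUFFED_ENTRY = build_sample_entry(b"CONSTRUCTED-CONFIG-BLOB")  # constructed stand-in

if __name__ == "__main__":
    for name, entry in (("clean", CLEAN_ENTRY), ("stuffed", STUFFED_ENTRY)):
        print(name, analyze_win_certificate(entry))
```

The check does not look inside the SignedData itself, where unauthenticated attributes can also carry data without invalidating the signature, so treat it as one heuristic among several rather than a complete detector.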

A fake version of SonicWall’s NetExtender VPN app steals users’ credentials. 

Threat actors are distributing a fake version of SonicWall’s NetExtender VPN app to steal users’ credentials. SonicWall and Microsoft discovered that attackers were using a modified NetExtender 10.3.2.27 installer, signed with a fake certificate, and hosted on spoofed download sites. Users who downloaded the fake app unknowingly installed malware that captured VPN credentials, usernames, passwords, and domain info, and sent them to a remote server. The attackers altered two files in the installer to bypass certificate validation and enable data exfiltration. While the malicious sites and certificate were taken down, the ease of setting up new domains poses an ongoing risk. Users are advised to download software only from trusted sources, like official vendor websites, to avoid falling victim to similar credential-stealing campaigns.

CISA and the NSA publish a guide urging the adoption of Memory Safe Languages. 

CISA and the NSA have released a guide urging the adoption of Memory Safe Languages (MSLs) to reduce software vulnerabilities. Memory-related bugs such as buffer overflows and use-after-free errors account for up to 75% of CVEs in major platforms. The report highlights high-profile cases like Heartbleed and BadAlloc to stress the risks these flaws pose. MSLs such as Rust, Java, Go, and Python offer built-in protections like bounds checking and automated memory management, helping prevent entire classes of security issues. The guide recommends starting with MSLs in new projects and high-risk components rather than rewriting all existing code. It also addresses transition challenges, such as performance trade-offs and training needs. Overall, the report promotes MSL adoption as a critical step toward more secure software development practices.

Researchers identify multiple security vulnerabilities affecting Brother printers. 

Researchers at Rapid7 have identified eight security vulnerabilities affecting 689 Brother printer, scanner, and label maker models, as well as devices from Fujifilm, Ricoh, Konica Minolta, and Toshiba. Millions of home and enterprise printers are potentially exposed. The most critical flaw, CVE-2024-51978, lets attackers bypass authentication by generating a default admin password using the device’s serial number. This can be combined with another flaw, CVE-2024-51977, to extract that serial number. Six of the vulnerabilities can be exploited without authentication and could lead to denial-of-service attacks, unauthorized configuration changes, or data exposure. Brother patched most flaws but cannot fully fix CVE-2024-51978 in existing firmware. A workaround is available, and future devices will be manufactured differently. Other vendors have also issued advisories addressing the risks.

Fake AI-themed websites spread malware. 

Zscaler ThreatLabz researchers have uncovered a malware campaign using fake AI-themed websites. Attackers are exploiting interest in tools like ChatGPT and Luma AI by using Black Hat SEO to push malicious sites to the top of search engine results. These sites deploy JavaScript to collect browser data, perform fingerprinting, and redirect users through several layers to deliver malware. The malware includes Vidar Stealer, Lumma Stealer, and Legion Loader. These payloads are often hidden in large, deceptive installer files and use tricks like antivirus checks, DLL sideloading, and process hollowing to evade detection. The infrastructure is hosted through trusted platforms like AWS CloudFront, making the campaign harder to detect. Users are urged to download AI tools only from verified vendor websites to avoid infection.

Researchers track a sharp rise in signup fraud. 

Okta’s 2025 Customer Identity Trends Report reveals bots were behind 46% of customer registration attempts in 2024, marking a sharp rise in signup fraud. Okta attributes this increase to AI-driven attack workflows, which are reshaping trust in digital identities. Retail and e-commerce sectors were most affected, followed by financial services and utilities. Attackers exploit signup processes to claim rewards, locate existing accounts, and execute resource-draining attacks. While users care about identity protection, many abandon signups due to complex forms. Okta recommends defense strategies such as DDoS mitigation, bot filtering, CAPTCHA escalation, IP blocking, and WAF rules. The company also advocates for passkey adoption to reduce friction while maintaining security.

A new Common Good Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services. 

A new Common Good Cyber Fund has been launched to support nonprofits that provide essential cybersecurity services for public benefit. Backed by the UK and Canadian governments, and endorsed by all G7 leaders, the fund aims to strengthen the resilience and sustainability of civil society groups working to counter threats like transnational repression. Managed by the Internet Society with strategic input from an expert advisory board, the fund will assist organizations that secure core digital infrastructure and provide cybersecurity aid to high-risk communities. This includes tools, training, and rapid response services. The initiative is led by Common Good Cyber, a coalition of seven nonprofit groups, including the Global Cyber Alliance and CyberPeace Institute. These organizations emphasize the importance of protecting journalists, human rights groups, and other vulnerable communities from cyber-enabled threats. Application and funding details will be announced soon, marking a significant step in securing the broader digital ecosystem.

Next up, Tim Starks from CyberScoop returns. We discuss his piece, “Federal cyber insurance backstop should be tied to expiring terrorism insurance law, report recommends.” We’ll be right back.

Welcome back. You can find a link to the story Tim discussed in our show notes.  

Moscow court says ‘nyet’ to more jail time for cyber crooks. 

In a move that might make Kafka do a double take, a Russian court handed four REvil gang members five-year sentences for trafficking stolen credit card data, then promptly let them walk free. The reason? They’d already served their time in pre-trial limbo. Convicted cybercrooks Andrei Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotaev avoided additional jail time but did part ways with a pair of luxury cars and nearly $1.2 million in seized assets. Their crimes weren’t tied to REvil’s infamous ransomware rampage but rather old-school carding fraud, mostly targeting Americans. The arrests came in 2022, shortly after a Biden-Putin chat where the U.S. president gently suggested Russia do something about its thriving hacker scene. The crackdown didn’t last long, soon overshadowed by tanks rolling into Ukraine and whispers that Russia might be outsourcing cyber ops to the very crooks it briefly jailed.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.