Daily News Update: Thursday, April 3, 2025 (Australia/Melbourne)

Hunters International's transition to Data Extortion model could indicate the "impose cost" offensive targeting Ransomware is paying off. Trump Administration uses commercial email for sensitive military discussions. Verizon API flaw allowed unrestricted access to customer call history.


Hunters International Ransomware Gang Considers Shift to Data Theft & Extortion

Is the ransomware game getting too hot to handle? According to researchers at Group-IB, the leadership of the Hunters International ransomware crew told their affiliates back in November that the ransomware business model has become "unpromising, low-converting, and extremely risky."

In internal communications obtained by Group-IB, the gang's leaders cited increased pressure from international law enforcement, the potential designation of ransomware as terrorism (leading to state-level crackdowns even in previously safer havens like Russia), and diminishing returns as reasons for a potential shift in tactics.

They announced plans for a rebrand to "World Leaks," a new operation focused purely on data theft and extortion, abandoning the file encryption component entirely. World Leaks reportedly launched its dark web site in January, offering affiliates custom data exfiltration tools, though it apparently suffered early technical issues and hasn't listed victims yet.

Interestingly, a follow-up message weeks after the initial announcement seemed to suggest Hunters International was "back," creating some confusion. Group-IB believes a split or transition might be occurring, but the original Hunters group still appears operational for now (they recently claimed attacks on Tata Technologies and ICBC's London HQ).

If Hunters International does fully pivot away from encryption, they'd join a growing trend. Groups like Karakurt and BianLian made similar moves previously, and newer groups like Mad Liberator launched with extortion-only models.

💡
This suggests that disruption efforts by law enforcement and the cybersecurity industry are having an impact, forcing cybercriminals to adapt their strategies, even if the claim that ransomware is no longer profitable seems questionable given recent ransom payment statistics.

The Register | "Crimelords at Hunters International told lackeys ransomware now too 'risky'"


White House Adviser Accused of Using Personal Gmail for Sensitive Comms

Senior US National Security Council members, including National Security Adviser Michael Waltz, are reportedly being accused of using personal Gmail accounts for exchanging sensitive, albeit unclassified, government information.

This follows the recent "Signalgate" incident where Waltz accidentally added a journalist to a Signal group chat discussing military operations, including details about an airstrike in Yemen.

According to the Washington Post, citing government sources, a senior aide to Waltz used Gmail to discuss "sensitive military positions and powerful weapons systems relating to an ongoing conflict" with officials. Waltz himself allegedly copied his personal schedule from Gmail into Signal messages. While not classified, using commercial services like Gmail for government business raises concerns about security and compliance with record-keeping laws (like the Presidential Records Act).

Waltz's spokesperson, Brian Hughes, denied classified information was sent via open accounts, stating staff were instructed to use secure platforms for such data and that Waltz cc'ed official business to government accounts for record-keeping. Ironically, Waltz, a former Green Beret and Republican representative, had previously criticised Hillary Clinton for her use of a private email server.

Despite President Trump expressing support, Waltz reportedly came close to being fired over the Signal leak (more for the leak itself than the platform choice). Whether this latest Gmail issue impacts his position remains uncertain, but hey - fingers crossed.

The Register | "Forget Signal. National Security Adviser Waltz now accused of using Gmail for work"


Verizon Call Filter API Flaw Exposed User Call Logs

Here’s a weird but impactful privacy blunder to take note of - a vulnerability in the API used by Verizon's Call Filter app allowed any Verizon Wireless customer to potentially access the incoming call history of any other Verizon Wireless customer.

Security researcher Evan Connelly discovered the flaw on February 22nd, 2025. When the Call Filter app (which comes pre-installed on many Verizon Android/iOS devices for spam blocking) fetched a user's incoming call log, it made a request to an API endpoint (https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval).

This request included a JSON Web Token (JWT) in the Authorization header for authentication and a separate X-Ceq-MDN header specifying the phone number (MDN) whose call log was being requested.

The critical mistake? The API failed to validate that the phone number embedded within the authenticated user's JWT matched the phone number specified in the X-Ceq-MDN header. This meant Connelly (or anyone else) could use their own valid JWT but simply change the phone number in the X-Ceq-MDN header to that of another Verizon customer and retrieve their incoming call history.
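To make the missing check concrete, here is an added example (not Verizon's or Cequint's code; the HS256 signing key, the `mdn` claim name and the sample call logs are constructed for illustration) that models the reported endpoint with the bug beside the corrected authorization check:

```python
import base64, hashlib, hmac, json

# Constructed for this example: signing key, claim name and call logs are made up.
SECRET = b"example-signing-key"
CALL_LOGS = {
    "5550001111": ["from 5559990000 at 2025-02-22T10:01Z"],
    "5550002222": ["from 5558880000 at 2025-02-22T11:15Z"],
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(mdn):
    """Mint an HS256 JWT whose 'mdn' claim is the caller's own phone number."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"mdn": mdn}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token):
    """Return the claims if the signature checks out, otherwise None (authentication only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))

def bearer(headers):
    auth = headers.get("Authorization", "")
    return auth[7:] if auth.startswith("Bearer ") else ""

def call_log_vulnerable(headers):
    """Mirrors the reported bug: authenticates the token, then trusts X-Ceq-MDN as-is."""
    if verify_jwt(bearer(headers)) is None:
        return None
    return CALL_LOGS.get(headers.get("X-Ceq-MDN"))

def call_log_fixed(headers):
    """Adds authorization: X-Ceq-MDN must equal the MDN bound to the caller's token."""
    claims = verify_jwt(bearer(headers))
    if claims is None or claims.get("mdn") != headers.get("X-Ceq-MDN"):
        return None
    return CALL_LOGS.get(claims["mdn"])
```

The fixed handler also reads the log for the MDN taken from the verified claims rather than from the header, so the header can never select a record the token does not cover.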

Connelly notes that while call metadata might seem innocuous, it could be used for surveillance, mapping routines, identifying contacts, and inferring relationships, posing a particular risk to high-profile individuals. He saw no evidence of rate limiting on the API endpoint, potentially allowing for mass scraping, although this wasn't confirmed.

💡
Kinda makes you wonder what would've happened if a boffin in Salt Typhoon had discovered this - it would've been a heck of a lot easier than tampering with Lawful Intercept systems in US telcos!

Verizon fixed the vulnerability sometime in March after Connelly's disclosure. However, the duration for which the flaw existed is unknown. The researcher also raised concerns about the API endpoint being hosted by a third-party company, Cequint, whose own website is offline, questioning the handling of sensitive call data.

Bleeping Computer | "Verizon Call Filter API flaw exposed customers' incoming call history"

Cisco Warns of Exploited Backdoor in Smart Licensing Utility

Heads up, Cisco admins! Cisco is urging users to patch a critical vulnerability (CVE-2024-20439) in its Cisco Smart Licensing Utility (CSLU) software for Windows. This flaw involves a hardcoded, static credential for a built-in administrative account - essentially a backdoor.

This isn't just theoretical; Cisco confirmed on Tuesday that its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild just last month.

The vulnerability allows an unauthenticated, remote attacker to log into the CSLU application's API with administrative privileges. It's important to note that CSLU doesn't run in the background by default; the flaw is only exploitable if a user has started the application.

Cisco initially patched this flaw back in September 2024. However, technical details, including the decoded static password, were published online shortly after by a security researcher, making exploitation easier for attackers.

Johannes Ullrich from the SANS Technology Institute observed attackers chaining CVE-2024-20439 with a second CSLU flaw, CVE-2024-20440 (an information disclosure vulnerability), to access log files containing sensitive data like API credentials.

Reflecting the active exploitation, CISA added CVE-2024-20439 to its Known Exploited Vulnerabilities (KEV) catalog on Monday, mandating US federal agencies patch it by April 21st.

This isn't the first time Cisco has had to remove hardcoded credentials from its products, with similar issues previously found in IOS XE, WAAS, DNA Center, and Emergency Responder software.

Bleeping Computer | "Cisco warns of CSLU backdoor admin account used in attacks"


Minnesota Native Tribe Hit by Cyberattack Affecting Casino, Healthcare

A cyberattack claimed by the RansomHub ransomware gang has caused significant disruption for the Lower Sioux Indian Community in Minnesota. Systems for essential services like the health centre, dental clinic, optical facility, and pharmacy were impacted, but so too were the tribe's Casino operations - because why wouldn't you run healthcare and gambling infrastructure on the same networks, I guess?

RansomHub has rapidly gained notoriety, particularly after law enforcement actions against LockBit and AlphV. RansomHub previously claimed responsibility for an attack on the Sault Tribe of Chippewa Indians in Michigan back in February.

Researchers from ESET recently highlighted RansomHub's use of a specialised malware tool called EDRKillShifter, designed specifically to disable or evade endpoint detection and response (EDR) security products commonly used by organisations. Offering such a tool as part of a ransomware-as-a-service (RaaS) package is considered rare, according to ESET, and indicates a degree of sophistication.

ESET also noted ties between RansomHub and affiliates of other major ransomware gangs like Play, Medusa, and BianLian, who have also been observed using EDRKillShifter.

The Record | "Native tribe in Minnesota says cyber incident knocked out healthcare, casino systems"


Royal Mail Investigates Data Leak via Third-Party Supplier

Royal Mail is looking into claims of a significant data leak after a threat actor dumped over 144GB of data allegedly stolen from its systems onto a hacking forum.

While Royal Mail hasn't confirmed a direct breach of its own systems, it acknowledged an incident at one of its third-party suppliers, Spectos GmbH, a German company providing data collection and analytics services.

Spectos GmbH confirmed it suffered a cyberattack starting March 29th, resulting in unauthorised access to systems and personal customer data. Forensic investigations are ongoing to determine the full scope.

The threat actor, using the handle "GHNA" on BreachForums, claims the leaked data includes 16,549 files containing Royal Mail customer PII (names, addresses, delivery dates), internal documents, Mailchimp lists, delivery/post office location datasets, a WordPress database for mailagents.uk, and even internal Zoom meeting recordings between Spectos and Royal Mail.

Cybersecurity firm Hudson Rock suggests the breach originated from compromised credentials belonging to a Spectos employee, stolen via infostealer malware back in 2021. CTO Alon Gal stated, "The infected Spectos employee's credentials provided a gateway to Royal Mail Group's systems... The stolen data sat dormant until recently, when it was weaponized in these high-profile leaks."

This incident follows a LockBit ransomware attack on Royal Mail in January 2023 that disrupted international shipping for weeks.

Bleeping Computer | "Royal Mail investigates data leak claims, no impact on operations"

US Cyber Command Finds Chinese Malware in South America

Fancy hearing about Uncle Sam's cyber defenders playing away games? US Cyber Command's "hunt forward" operations, where cyber protection teams visit partner nations (at their request) to sniff out threats, have apparently uncovered Chinese malware lurking in networks within the US Southern Command's area of responsibility (Central/South America and the Caribbean).

This nugget came from retired Lt. Gen. Dan Caine, President Trump's nominee for Chairman of the Joint Chiefs of Staff, in written responses ahead of his confirmation hearing. These ops are a win-win: they help allies shore up their defences and give the US a heads-up on adversary tactics, techniques, and procedures (TTPs), allowing for proactive defence back home.

While specific countries weren't named due to sensitivities, it's known China has interests and cyber capabilities deployed in the region. Cybercom itself didn't confirm Caine's specific claim, citing policy and operational security, but stated it routinely assists partners globally against foreign threats.

These hunt forward missions aren't new, with the Cyber National Mission Force (CNMF) conducting around two dozen per year globally against threats from China, Russia, and Iran. Last year, Gen. Timothy Haugh noted 22 deployments to 17 nations resulted in over 90 malware samples being publicly released, bolstering global cyber defence.

Caine also weighed in on the "dual-hat" debate, supporting the arrangement where the Cybercom commander also leads the NSA, citing benefits in agility and operationalising intelligence, despite the burden on one leader.

CyberScoop | "Cybercom discovered Chinese malware in South American nations — Joint Chiefs chairman nominee"


Counterfeit Android Devices Preloaded with Triada Malware

Be wary of suspiciously cheap smartphones online. Kaspersky researchers have uncovered a new campaign where counterfeit Android devices, mimicking popular models, are being sold pre-infected with a new variant of the Triada trojan.

This malware gets embedded deep within the phone's firmware before it even reaches the customer, likely via a compromised supply chain. This makes it incredibly stealthy and persistent – a standard factory reset won't remove it; you'd need to reflash the ROM entirely.

Once the unsuspecting buyer sets up their new (counterfeit) phone, Triada gets to work. It hides within Android's system framework and injects itself into every running process. Its capabilities include:

  • Stealing account credentials from messaging and social media apps.
  • Sending/deleting WhatsApp and Telegram messages (impersonation).
  • Hijacking crypto transactions by replacing wallet addresses.
  • Tracking browsing activity and swapping links.
  • Spoofing phone numbers during calls.
  • Intercepting, sending, and deleting SMS messages (potentially enabling premium SMS fraud).
  • Downloading and running additional malicious apps remotely.
  • Blocking network connections to hinder detection or defence.

Kaspersky observed at least 2,600 infections, primarily affecting Russian users, between March 13th and 27th, 2025. Analysis suggests the malware has already siphoned off at least $270,000 in cryptocurrency (including hard-to-trace Monero), though the true total is likely higher.

The advice? Stick to buying phones from authorised retailers. If you suspect your device might be compromised, consider reflashing it with a clean system image from Google or a trusted third-party ROM like LineageOS or GrapheneOS.

Bleeping Computer | "Counterfeit Android devices found preloaded With Triada malware"


GitHub Boosts Security After Millions of Secrets Leaked

It seems developers are still struggling to keep secrets, well, secret. GitHub revealed that its secret scanning service detected a staggering 39 million leaked secrets (like API keys, tokens, passwords) exposed in repositories throughout 2024. Ouch.

Despite preventative measures like Push Protection (which blocks commits containing secrets and is now default for public repos), leaks persist, often due to developers prioritising convenience or accidentally exposing secrets in commit history.

In response, GitHub is rolling out several enhancements and changes to its Advanced Security platform:

  • Standalone Security Products: Secret Protection (including secret scanning and push protection) and Code Security (CodeQL, etc.) can now be purchased separately, without needing the full GitHub Advanced Security license. This makes advanced secret scanning more accessible, especially for smaller organisations.
  • Free Secret Risk Assessment: A one-time, organisation-wide scan across all repo types (public, private, internal, archived) to identify existing exposed secrets is now available free for all GitHub orgs.
  • Enhanced Push Protection: Now includes delegated bypass controls, allowing organisations to define specific policies and users who are permitted to bypass the secret blocking mechanism when necessary.
  • AI-Powered Detection: GitHub is using Copilot AI to improve the detection of unstructured secrets (like passwords embedded in code), aiming for better accuracy and fewer false positives.
  • Cloud Provider Partnerships: Collaboration with AWS, Google Cloud, OpenAI, and others to build more accurate detectors and enable faster response when partner secrets are leaked.

GitHub also reiterates best practices: enable Push Protection, avoid hardcoding secrets (use vaults, environment variables), manage secrets programmatically in CI/CD pipelines, and follow OWASP guidance on secrets management.

Bleeping Computer | "GitHub expands security tools after 39 million secrets leaked in 2024"
