Episodes

  • Cyber Bites - 16th May 2025

    Cyber Bites - 16th May 2025
    May 15 2025

    Pearson Educational Giant Suffers Major Cyberattack Through Exposed GitLab Token

    https://plc.pearson.com/en-GB/news-and-insights/news/cyber-security-incident

    https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/

    Malicious npm Packages Target Cursor Editor Users, Affecting Over 3,200 Developers

    https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos

    Cyber Scammers Deploy Fake AI Creation Tools to Spread Noodlophile Malware via Facebook

    https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/

    Google Deploys On-Device AI to Combat Scams Across Chrome, Search, and Android

    https://blog.google/technology/safety-security/how-were-using-ai-to-combat-the-latest-scams/

    New Investment Scams Employ Sophisticated Techniques to Target Victims

    https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/



    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
    Show More Show Less
    12 mins
  • Cyber Bites - 9th May 2025

    Cyber Bites - 9th May 2025
    May 8 2025
    * Banks at Risk: Nearly 100 Staff Logins Stolen by Cybercriminals* 'AirBorne' Vulnerabilities Expose Apple Devices to Remote Code Execution Attacks* WhatsApp Introduces 'Private Processing' for Secure Cloud-Based AI Features* Microsoft Warns Default Kubernetes Helm Charts Create Security Vulnerabilities* Security Concerns Grow Over Electric Vehicles as Potential Surveillance PlatformsBanks at Risk: Nearly 100 Staff Logins Stolen by Cybercriminalshttps://www.abc.net.au/news/2025-05-01/bank-employee-data-stolen-with-malware-and-sold-online/105232872Cyber criminals have stolen almost 100 staff logins from Australia's "Big Four" banks, potentially exposing these financial institutions to serious cyber threats including data theft and ransomware attacks, according to recent findings from cyber intelligence firm Hudson Rock.The compromised credentials belong to current and former employees and contractors at ANZ, Commonwealth Bank, NAB, and Westpac, with ANZ and Commonwealth Bank experiencing the highest number of breaches. All stolen credentials included corporate email addresses with access to official bank domains."There are around 100 compromised employees that are related to those four banks," said Hudson Rock analyst Leonid Rozenberg. While this number is significantly smaller than the 31,000 customer banking passwords recently reported stolen, the security implications could be more severe."Technically, [attackers] need only one [login] to do a lot of damage," Rozenberg warned.The credentials were stolen between 2021 and April 2025 using specialized "infostealer" malware designed to harvest sensitive data from infected devices. These stolen credentials have subsequently appeared on Telegram and dark web marketplaces.Security experts explain that these breaches could potentially give hackers "initial access" to the banks' corporate networks. While banks employ additional security measures such as Multi-Factor Authentication (MFA), specialized cybercriminals known as "initial access brokers" focus on finding ways around these protections, often targeting employees working from home.The investigation also uncovered a concerning number of compromised third-party service credentials connected to these banks, with ANZ having more than 100 such breaches and NAB more than 70. These compromised services could include critical communication and project management tools like Slack, JIRA, and Salesforce.All four banks have responded by stating they have multiple safeguards in place to prevent unauthorized access. NAB reports actively scanning cybercrime forums to monitor threats, while CommBank noted investing over $800 million in cybersecurity and financial crime prevention last financial year.The Australian Signals Directorate has already warned that infostealer infections have led to successful attacks on Australian businesses, highlighting that this threat extends beyond the banking sector to organizations across all industries.'AirBorne' Vulnerabilities Expose Apple Devices to Remote Code Execution Attackshttps://www.oligo.security/blog/airborneSecurity researchers at Oligo Security have uncovered a serious set of vulnerabilities in Apple's AirPlay protocol and software development kit (SDK) that could allow attackers to remotely execute code on affected devices without user interaction. These flaws, collectively dubbed "AirBorne," affect millions of Apple and third-party devices worldwide.The security team discovered 23 distinct vulnerabilities that enable various attack vectors, including zero-click and one-click remote code execution, man-in-the-middle attacks, denial of service attacks, and unauthorized access to sensitive information. Perhaps most concerning are two specific flaws (CVE-2025-24252 and CVE-2025-24132) that researchers demonstrated could create "wormable" zero-click attacks, potentially spreading from device to device across networks.Another critical vulnerability (CVE-2025-24206) enables attackers to bypass the "Accept" prompt normally required for AirPlay connections, creating a pathway for truly zero-interaction compromises when combined with other flaws."This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to," warned Oligo. "This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more."While exploitation is limited to attackers on the same network as vulnerable devices, the potential impact is extensive. Apple reports over 2.35 billion active devices worldwide, and Oligo estimates tens of millions of additional third-party AirPlay-compatible products like speakers, TVs, and car infotainment systems could be affected.Apple released security updates on March 31 to address these vulnerabilities across their product line, including patches for iOS 18.4, iPadOS 18.4, macOS versions (Ventura 13.7.5...
    Show More Show Less
    12 mins
  • Cyber Bites - 2nd May 2025

    Cyber Bites - 2nd May 2025
    May 1 2025
    We hit a milestone today as this is our 50th Podcast Episode! A Big thank you to You, our listeners for your continued support!* Kali Linux Users Face Update Issues After Repository Signing Key Loss* CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Risks* WhatsApp Launches Advanced Chat Privacy to Safeguard Sensitive Conversations* Samsung Confirms Security Vulnerability in Galaxy Devices That Could Expose Passwords* Former Disney Menu Manager Sentenced to 3 Years for Malicious System AttacksKali Linux Users Face Update Issues After Repository Signing Key Losshttps://www.kali.org/blog/new-kali-archive-signing-key/Offensive Security has announced that Kali Linux users will need to manually install a new repository signing key following the loss of the previous key. Without this update, users will experience system update failures.The company recently lost access to the old repository signing key (ED444FF07D8D0BF6) and had to create a new one (ED65462EC8D5E4C5), which has been signed by Kali Linux developers using signatures on the Ubuntu OpenPGP key server. OffSec emphasized that the key wasn't compromised, so the old one remains in the keyring.Users attempting to update their systems with the old key will encounter error messages stating "Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature."To address this issue, the Kali Linux repository was frozen on February 18th. "In the coming day(s), pretty much every Kali system out there will fail to update," OffSec warned. "This is not only you, this is for everyone, and this is entirely our fault."To avoid update failures, users are advised to manually download and install the new repository signing key by running the command: sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpgFor users unwilling to manually update the keyring, OffSec recommends reinstalling Kali using images that include the updated keyring.This isn't the first time Kali Linux users have faced such issues. A similar incident occurred in February 2018 when developers allowed the GPG key to expire, also requiring manual updates from users.CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Riskshttps://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727392520218001o5wvhttps://www.theregister.com/2025/04/28/ciso_rsa_whistleblowing/Chief Information Security Officers should negotiate personal liability insurance and golden parachute agreements when starting new roles to protect themselves in case of organizational conflicts, according to a panel of security experts at the RSA Conference.During a session on CISO whistleblowing, experienced security leaders shared cautionary tales and strategic advice for navigating the increasingly precarious position that has earned the role the nickname "chief scapegoat officer" in some organizations.Dd Budiharto, former CISO at Marathon Oil and Philips 66, revealed she was once fired for refusing to approve fraudulent invoices for work that wasn't delivered. "I'm proud to say I've been fired for not being willing to compromise my integrity," she stated. Despite losing her position, Budiharto chose not to pursue legal action against her former employer, a decision the panel unanimously supported as wise to avoid industry blacklisting.Andrew Wilder, CISO of veterinarian network Vetcor, emphasized that security executives should insist on two critical insurance policies before accepting new positions: directors and officers insurance (D&O) and personal legal liability insurance (PLLI). "You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well," Wilder advised.Wilder referenced the case of former Uber CISO Joe Sullivan, noting that Sullivan's Uber-provided PLLI covered PR costs during his legal proceedings following a data breach cover-up. He also stressed the importance of negotiating severance packages to ensure whistleblowing decisions can be made on ethical rather than financial grounds.The panelists agreed that thorough documentation is essential for CISOs. Herman Brown, CIO for San Francisco's District Attorney's Office, recommended documenting all conversations and decisions. "Email is a great form of documentation that doesn't just stand for 'electronic mail,' it also stands for 'evidential mail,'" he noted.Security leaders were warned to be particularly careful about going to the press with complaints, which the panel suggested could result in even worse professional consequences than legal action. Similarly, Budiharto cautioned against trusting internal human resources departments or ethics panels, reminding attendees that HR ultimately works to protect the company, not individual employees.The panel underscored that proper governance, documentation, and clear ...
    Show More Show Less
    14 mins
  • Cyber Bites - 25th April 2025

    Cyber Bites - 25th April 2025
    Apr 24 2025

    I'm currently on a break and instead of sharing the latest cybersecurity news, I'll be doing a replay of an episode from our sister podcast, AppSec Unlocked. It's an interview episode with seasoned CISO Saut on Executive Security Awareness - Speaking the Board's language. We'll be returning next week with out normal programming of weekly cyber security news. Enjoy the show.



    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
    Show More Show Less
    23 mins
  • Cyber Bites - 18th April 2025

    Cyber Bites - 18th April 2025
    Apr 17 2025

    I'm currently taking a break and instead of sharing the latest cybersecurity news, I'll be doing a replay of an episode from our sister podcast, AppSec unlocked. It's an episode on Crisis response training, preparing for the inevitable. I hope you enjoy it and I'll be bringing you more of the latest in cybersecurity news when we return in May.



    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
    Show More Show Less
    27 mins
  • Cyber Bites - 11th April 2025

    Cyber Bites - 11th April 2025
    Apr 10 2025
    * Cyber Attacks Target Multiple Australian Super Funds, Half Million Dollars Stolen* Intelligence Agencies Warn of "Fast Flux" Threat to National Security* SpotBugs Token Theft Revealed as Origin of Multi-Stage GitHub Supply Chain Attack* ASIC Secures Court Orders to Shut Down 95 "Hydra-Like" Scam Companies* Oracle Acknowledges "Legacy Environment" Breach After Weeks of DenialCyber Attacks Target Multiple Australian Super Funds, Half Million Dollars Stolenhttps://www.itnews.com.au/news/aussie-super-funds-targeted-by-fraudsters-using-stolen-creds-616269https://www.abc.net.au/news/2025-04-04/superannuation-cyber-attack-rest-afsa/105137820Multiple Australian superannuation funds have been hit by a wave of cyber attacks, with AustralianSuper confirming that four members have lost a combined $500,000 in retirement savings. The nation's largest retirement fund has reportedly faced approximately 600 attempted cyber attacks in the past month alone.AustralianSuper has now confirmed that "up to 600" of its members were impacted by the incident. Chief member officer Rose Kerlin stated, "This week we identified that cyber criminals may have used up to 600 members' stolen passwords to log into their accounts in attempts to commit fraud." The fund has taken "immediate action to lock these accounts" and notify affected members.Rest Super has also been impacted, with CEO Vicki Doyle confirming that "less than one percent" of its members were affected—equivalent to fewer than 20,000 accounts based on recent membership reports. Rest detected "unauthorised activity" on its member access portal "over the weekend of 29-30 March" and "responded immediately by shutting down the member access portal, undertaking investigations and launching our cyber security incident response protocols."While Rest stated that no member funds were transferred out of accounts, "limited personal information" was likely accessed. "We are in the process of contacting impacted members to work through what this means for them and provide support," Doyle said.HostPlus has confirmed it is "actively investigating the situation" but stated that "no HostPlus member losses have occurred" so far. Several other funds including Insignia and Australian Retirement were also reportedly affected.Members across multiple funds have reported difficulty accessing their accounts online, with some logging in to find alarming $0 balances displayed. The disruption has caused considerable anxiety among account holders.National cyber security coordinator Lieutenant General Michelle McGuinness confirmed that "cyber criminals are targeting individual account holders of a number of superannuation funds" and is coordinating with government agencies and industry stakeholders in response. The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted funds.AustralianSuper urged members to log into their accounts "to check that their bank account and contact details are correct and make sure they have a strong and unique password that is not used for other sites." The fund also noted it has been working with "the Australian Signals Directorate, the National Office of Cyber Security, regulators and other authorities" since detecting the unauthorised access.If you're a member of any of those funds, watch for official communications and be wary of potential phishing attempts that may exploit the situation.Intelligence Agencies Warn of "Fast Flux" Threat to National Securityhttps://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/fast-flux-national-security-threatMultiple intelligence agencies have issued a joint cybersecurity advisory warning organizations about a significant defensive gap in many networks against a technique known as "fast flux." The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Signals Directorate, Canadian Centre for Cyber Security, and New Zealand National Cyber Security Centre have collaborated to raise awareness about this growing threat.Fast flux is a domain-based technique that enables malicious actors to rapidly change DNS records associated with a domain, effectively concealing the locations of malicious servers and creating resilient command and control infrastructure. This makes tracking and blocking such malicious activities extremely challenging for cybersecurity professionals."This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," states the advisory. Threat actors employ two common variants: single flux, where a single domain links to numerous rotating IP addresses, and double flux, which adds an additional layer by frequently changing the DNS name servers responsible for resolving the domain.The advisory highlights several advantages that fast flux networks provide to cybercriminals: increased resilience ...
    Show More Show Less
    8 mins
  • Cyber Bites - 4th April 2025

    Cyber Bites - 4th April 2025
    Apr 3 2025

    * Australian Court System Breach Exposes Thousands of Sensitive Legal Documents, Including Restraining Orders

    * Nine Newspapers Subscribers Have Data Exposed Online in Breach

    * Sydney Tools Hammered by Massive Customer Data Exposure

    * Russian Phishing Sites Target Citizens Seeking to Join Anti-Kremlin Forces

    * Cybersecurity Expert Troy Hunt Falls Victim to Sophisticated Mailchimp Phishing Attack

    Special thanks to Justin Butterfield for contributing to this week’s Cyber Bites.



    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
    Show More Show Less
    9 mins
  • Cyber Bites - 28th March 2025

    Cyber Bites - 28th March 2025
    Mar 27 2025
    * Critical Flaw in Next.js Allows Authorization Bypass* Hackers Can Now Weaponize AI Coding Assistants Through Hidden Configuration Rules* Hacker Claims Oracle Cloud Data Theft, Company Refutes Breach* Chinese Hackers Infiltrate Asian Telco, Maintain Undetected Network Access for Four Years* Cloudflare Launches Aggressive Security Measure: Shutting Down HTTP Ports for API AccessCritical Flaw in Next.js Allows Authorization Bypasshttps://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middlewareA critical vulnerability, CVE-2025-29927, has been discovered in the Next.js web development framework, enabling attackers to bypass authorization checks. This flaw allows malicious actors to send requests that bypass essential security measures.Next.js, a popular React framework used by companies like TikTok, Netflix, and Uber, utilizes middleware components for authentication and authorization. The vulnerability stems from the framework's handling of the "x-middleware-subrequest" header, which normally prevents infinite loops in middleware processing. Attackers can manipulate this header to bypass the entire middleware execution chain.The vulnerability affects Next.js versions prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users are strongly advised to upgrade to patched versions immediately. Notably, the flaw only impacts self-hosted Next.js applications using "next start" with "output: standalone." Applications hosted on Vercel and Netlify, or deployed as static exports, are not affected. As a temporary mitigation, blocking external user requests containing the "x-middleware-subrequest" header is recommended.Hackers Can Now Weaponize AI Coding Assistants Through Hidden Configuration Ruleshttps://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agentsResearchers Uncover Dangerous "Rules File Backdoor" Attack Targeting GitHub Copilot and CursorIn a groundbreaking discovery, cybersecurity researchers from Pillar Security have identified a critical vulnerability in popular AI coding assistants that could potentially compromise software development processes worldwide. The newly unveiled attack vector, dubbed the "Rules File Backdoor," allows malicious actors to silently inject harmful code instructions into AI-powered code editors like GitHub Copilot and Cursor.The vulnerability exploits a fundamental trust mechanism in AI coding tools: configuration files that guide code generation. These "rules files," typically used to define coding standards and project architectures, can be manipulated using sophisticated techniques including invisible Unicode characters and complex linguistic patterns.According to the research, nearly 97% of enterprise developers now use generative AI coding tools, making this attack particularly alarming. By embedding carefully crafted prompts within seemingly innocent configuration files, attackers can essentially reprogram AI assistants to generate code with hidden vulnerabilities or malicious backdoors.The attack mechanism is particularly insidious. Researchers demonstrated that attackers could:* Override security controls* Generate intentionally vulnerable code* Create pathways for data exfiltration* Establish long-term persistent threats across software projectsWhen tested, the researchers showed how an attacker could inject a malicious script into an HTML file without any visible indicators in the AI's response, making detection extremely challenging for developers and security teams.Both Cursor and GitHub have thus far maintained that the responsibility for reviewing AI-generated code lies with users, highlighting the critical need for heightened vigilance in AI-assisted development environments.Pillar Security recommends several mitigation strategies:* Conducting thorough audits of existing rule files* Implementing strict validation processes for AI configuration files* Deploying specialized detection tools* Maintaining rigorous manual code reviewsAs AI becomes increasingly integrated into software development, this research serves as a crucial warning about the expanding attack surfaces created by artificial intelligence technologies.Hacker Claims Oracle Cloud Data Theft, Company Refutes Breachhttps://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/Threat Actor Offers Stolen Data on Hacking Forum, Seeks Ransom or Zero-Day ExploitsOracle has firmly denied allegations of a data breach after a threat actor known as rose87168 claimed to have stolen 6 million data records from the company's Cloud federated Single Sign-On (SSO) login servers.The threat actor, posting on the BreachForums hacking forum, asserts they accessed Oracle Cloud servers approximately 40 days ago and exfiltrated data from the US2 and EM2 cloud regions. The purported stolen data includes encrypted SSO passwords, Java Keystore files, key files, and enterprise manager JPS ...
    Show More Show Less
    10 mins