
🚨Week 14 Debrief: Oracle Data Breach, Cloudflare Phishing Campaigns, Royal Mail Data Leak, "TsarBot" Android Trojan Targets Financial Apps & DPRK IT Workers Expand Globally...

Insights into Cyber Risks, Threat Intel and Startup and VC updates

DPRK IT Workers Expand Global Operations, Targeting Europe: Google Threat Intelligence Group reports a significant expansion in the scope and scale of IT operations conducted by workers from the Democratic People's Republic of Korea (DPRK). These individuals pose as legitimate remote workers to infiltrate companies for espionage, data theft, and revenue generation for the regime. While the United States remains a target, increased awareness and law enforcement actions have likely driven a global expansion, with a notable focus on Europe. DPRK IT workers employ evolving tactics, including intensified extortion campaigns and operating within corporate virtualized infrastructure. They utilize fabricated identities, build rapport with recruiters, and leverage facilitators in countries like the UK and US to secure employment and handle funds. Their technical skills are diverse, ranging from web and bot development to advanced blockchain and AI projects. The use of cryptocurrency and services like TransferWise and Payoneer helps obfuscate the origin of funds. Companies with BYOD policies face increased risk as these environments lack traditional security measures.

KEY TAKEAWAYS:

  • The operations of DPRK IT workers have expanded beyond the United States, with increased activity identified in Europe.

  • Europe has become a significant focus, with workers seeking employment in sectors like defense and government.

  • Tactics have evolved to include intensified extortion attempts against former employers.

  • DPRK IT workers are operating within corporate virtualized infrastructure, exploiting the lack of security monitoring in BYOD environments.

  • They use fabricated references and multiple personas to gain employment.

  • A broad range of technical expertise has been observed, including web development, blockchain, and AI.

  • Facilitators located in Europe and the US assist with job acquisition, identity verification, and fund transfers.

  • Cryptocurrency, TransferWise, and Payoneer are used to handle payments.

💻 Malware and Vulnerabilities

Critical Vulnerability Found in Canon Printer Drivers: Microsoft warned Canon about a critical vulnerability in some printer drivers, tracked as CVE-2025-1268 with a high severity score of 9.4. Exploitation could allow attackers to prevent printing or execute arbitrary code when a malicious application processes a print job. Users of Canon production, office multifunction, and laser printers with driver versions 3.12 and earlier are advised to check for patched versions on Canon websites.

Apple Releases Security Updates and Advises on Staying Protected: Apple has published a document listing recent security updates and Rapid Security Responses for its software. The document details recent releases for various operating systems like iOS 18.4, macOS 15.4, watchOS 11.4, and visionOS 2.4, along with supported devices and release dates.

Ghostscript Faces Critical Security Vulnerabilities: Multiple critical vulnerabilities have been discovered in Artifex Ghostscript, a widely used interpreter for PostScript and PDF files. These flaws, including buffer overflows and unauthorized file access, could allow attackers to execute arbitrary code and compromise systems. Users are strongly advised to update to version 10.05.0 or later to mitigate these serious risks.

📈 Breaches and Incidents

ICO Fines Software Provider £3m for Ransomware Attack: The UK's data protection watchdog, the ICO, has fined Advanced Computer Software Group Ltd £3.07m after a 2022 ransomware attack compromised the personal data of over 79,000 individuals. The investigation revealed security failings, notably the incomplete implementation of multi-factor authentication. The ICO stressed the critical need for robust security measures like MFA to protect against cyber threats.

Ransomware Group Claims Attack on Defense Contractor: Home appliance and ammunition company National Presto Industries was targeted by the InterLock ransomware group in March. The attackers claim to have stolen a vast amount of data from its subsidiary, National Defense Corporation, and encrypted systems across multiple entities, including AMTEC, which makes ammunition for the military and law enforcement. Negotiations reportedly failed after the company downplayed the incident.

API Security Firm APIsec Exposes Customer Data: API testing firm APIsec confirmed a security lapse where an internal database containing customer data was exposed online without a password for several days. The exposed data, dating back to 2018, included names, email addresses, and details about customers' security posture. Initially downplayed as "test data," APIsec later admitted that personal information of customers' employees and users was indeed exposed.

Oracle Confirms Cloud and Health Data Breaches: Oracle has privately acknowledged a breach of an old "legacy environment" from 2017, where attackers stole client credentials. Separately, Oracle Health (formerly Cerner) also suffered a breach impacting patient data after compromised customer credentials were used. Investigations by CrowdStrike and the FBI are underway for the cloud breach, while Oracle Health faces extortion demands.

Royal Mail Group Hit by 144GB Data Leak: A hacker leaked a massive 144GB of Royal Mail Group data, including customer and internal information, allegedly due to a breach at their supplier, Spectos. The leaked files contain customer PII, meeting recordings, delivery data, and marketing details. Royal Mail is investigating the alleged incident.

🚨 Threat Intel & Info Sharing

Coinbase Users Hit by $46 Million Social Engineering Scams: Coinbase users reportedly lost over $46 million in March due to social engineering scams, as highlighted by blockchain investigator ZachXBT. The scams involved elaborate theft, including one instance of a user losing approximately 400 BTC. ZachXBT also noted Coinbase's alleged failure to flag associated theft addresses.

Cloudflare Exploited for Advanced Phishing Attacks: A sophisticated phishing campaign by a Russian-speaking actor abuses Cloudflare services and Telegram. The attacks use Cloudflare-hosted phishing pages mimicking DMCA takedown notices to deliver malware disguised as PDFs. The malware uses malicious .lnk files and PowerShell scripts to infect systems and uses Telegram for victim tracking. Despite advanced tactics, attackers show operational security errors.

New Android Trojan "TsarBot" Targets Financial Apps: Researchers have uncovered a new Android banking trojan named TsarBot that targets over 750 financial and cryptocurrency applications. This malware employs overlay attacks to steal credentials, record screens, log keystrokes, and intercept SMS messages. TsarBot spreads through phishing sites and abuses Accessibility services to maintain a low profile. Users should be cautious of unofficial app downloads and enable security measures.

Massive JavaScript Attack Redirects 150,000 Sites to Gambling Platforms: A widespread campaign has compromised approximately 150,000 websites by injecting malicious JavaScript. The injected code inserts an iframe that displays a full-screen overlay, redirecting visitors to Chinese-language gambling platforms. The JavaScript is hosted on multiple domains. A related tactic injects scripts that impersonate legitimate betting sites. The campaign highlights the growing trend of client-side attacks.
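As an added example (not from the newsletter or the original research), the scanner below looks for the pattern described above in a site's HTML: script tags loaded from hosts outside a site's own allowlist, inline scripts that create a fixed-position iframe, and static iframes styled to cover the whole viewport. The allowlist host, the sample page and the "constructed-bad-host.test" domain are all constructed for the example.

```python
"""Flag injected full-screen iframe overlays and unexpected external scripts in HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of script hosts the site legitimately uses (constructed).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test"}
FULLSCREEN_HINTS = ("100vw", "100vh", "100%")


def _looks_fullscreen(style: str) -> bool:
    """True when an inline style pins the element and sizes it to the viewport."""
    s = style.lower().replace(" ", "")
    pinned = "position:fixed" in s or "position:absolute" in s
    wide = any(f"width:{h}" in s for h in FULLSCREEN_HINTS)
    tall = any(f"height:{h}" in s for h in FULLSCREEN_HINTS)
    return pinned and wide and tall


class OverlayScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (finding_type, detail)
        self._inline = None     # buffer for the body of an inline <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and _looks_fullscreen(a.get("style", "")):
            self.findings.append(("fullscreen_iframe", a.get("src", "")))
        elif tag == "script":
            host = urlparse(a.get("src", "")).hostname or ""
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("external_script", host))
            elif not host:
                self._inline = []  # start collecting inline script text

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            s = "".join(self._inline).lower().replace(" ", "")
            creates_iframe = "createelement('iframe')" in s or 'createelement("iframe")' in s
            if creates_iframe and "position:fixed" in s:
                self.findings.append(("inline_iframe_injector", "<inline>"))
            self._inline = None


def scan_html(html: str):
    """Return the list of (finding_type, detail) tuples found in the HTML."""
    scanner = OverlayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run it over a page snapshot (for example, the HTML returned by a crawl of your own site) and alert on any non-empty result; a clean page returns an empty list.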

African Cybercrime Crackdown Nets Over 300 Arrests: An INTERPOL-led operation, "Red Card," across seven African countries resulted in the arrest of 306 suspects involved in cyber attacks and scams targeting banking, investment, and messaging apps. The operation (November 2024 – February 2025) disrupted cross-border criminal networks, affected over 5,000 victims, and led to the seizure of 1,842 devices.

⚖️ Laws, Policies and Regulations

EU Invests €1.3 Billion to Advance Digital Technologies: The European Commission will invest €1.3 billion through the Digital Europe Programme (DIGITAL) work programme for 2025-2027 to bolster Europe's tech sovereignty. The funding will focus on the deployment and uptake of Artificial Intelligence (AI), cloud and data, cyber resilience, and digital skills by businesses and public administrations. Upcoming calls for proposals are expected to be released starting in April 2025 and are open to entities from EU Member States, EFTA/EEA countries, and associated countries.

National Cyber Awareness Campaign Targets Students: A large-scale cybersecurity awareness operation, CACTUS, targeted 2.5 million middle and high school students with a simulated phishing attack, prompting over 210,000 to click. Launched by authorities like the CNIL and education ministries, the campaign aims to educate young people about cyber risks and encourage safer online practices due to increasing threats on digital workspaces. Long-term awareness efforts will continue in classrooms.

Apple Fined €150 Million Over App Tracking Transparency: The French Autorité de la concurrence has imposed a €150 million fine on Apple for abusing its dominant position in the distribution of mobile applications on iOS and iPadOS. The Autorité found that the implementation of the App Tracking Transparency (ATT) framework, while not inherently problematic, was neither necessary nor proportionate for protecting personal data. This implementation made third-party app use excessively complex and caused economic harm to application publishers and advertising service providers, particularly smaller publishers.

Thailand and Google Cloud Join Forces Against Cyber Threats: Thailand's National Cyber Security Agency (NCSA) and Google Cloud are partnering to enhance the nation's cyber resilience. The collaboration involves threat intelligence sharing and development of incident response capabilities. Google Cloud will provide access to threat intelligence and Mandiant's expertise to strengthen Thailand's cyber defenses and protect citizens from online scams. The initiative aims to secure Thailand's growing digital economy.

⚖️ Cybersecurity Start Ups and VCs

AI cybersecurity company Adaptive Security announced a $43 million funding round.

ReliaQuest, the AI-driven cybersecurity leader, raised more than $500 million in its latest funding round. The round, led by EQT, KKR, and FTV Capital, values the company at $3.4 billion, a growth milestone.

Cyberattacks Mirrored World Events in 2024, Reveals Threat Report: CERT-EU's latest report highlights how cyberattacks in 2024 closely tracked global events like elections and conflicts. They identified 110 threat actors, with Union entities facing critical exposure to 20. Notably, 44% of malicious activities were for cyberespionage. Attackers favored supply-chain compromises, and service providers and sectors like defence, transport, and tech were heavily targeted.

Web3 Security Breaches Cost Over $2.3 Billion in 2024: CertiK's Hack3d report reveals that over $2.3 billion was lost across 760 Web3 security incidents in 2024, a 31.6% increase from the previous year. Phishing and private key compromises were the leading attack methods, accounting for approximately $1 billion and $855 million in losses, respectively. While the total value stolen increased, excluding phishing incidents suggests an improvement in ecosystem security.

📅 Upcoming Events

🚀 Join us for an exclusive virtual event in April, where AI and cybersecurity experts will discuss how AI and Machine Learning are revolutionizing cyber defense. This session will feature expert panel discussions exploring AI-driven threat detection, automated response strategies, and the future of intelligent security.

This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today via the registration form.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].

Thank you for being a part of our newsletter community. You can also join the conversation in our LinkedIn Group.