* "whoAMI" Attack Exploits AWS for Code Execution
* Chinese Hackers Exploit Cisco Devices in Global Telecom Attacks
* Australian National University Investigates Alleged Ransomware Attack
* Phishing Season 2025: Zscaler Predicts Increased Sophistication and New Threats
* Chinese Cybercriminals Revive Carding with Mobile Wallet Attacks
"whoAMI" Attack Exploits AWS for Code Execution
https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances/
Security researchers have discovered a critical vulnerability in Amazon Web Services (AWS) that allows attackers to gain unauthorized code execution on EC2 instances.
Dubbed "whoAMI," the attack exploits a flaw in how users select Amazon Machine Images (AMIs), the pre-configured templates used to create virtual servers.
Attackers can publish malicious AMIs with names that mimic those of legitimate AMIs, tricking users into selecting and launching these malicious images.
This can occur when users:
* Fail to specify the owner of the AMI: When retrieving AMIs, users should always specify the owner to ensure they are selecting trusted images.
* Use wildcards in their AMI searches: This can inadvertently include malicious AMIs that match the search criteria.
* Utilize "most_recent=true" in tools like Terraform: This setting automatically selects the latest matching AMI, which could be a malicious one.
AWS has acknowledged the vulnerability and implemented a fix. However, organizations must update their code and configurations to mitigate the risk.
This attack highlights the importance of secure coding practices and careful consideration of security measures when utilizing cloud services.
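The three misconfigurations listed above (no owner, a wildcard name, and "take the most recent") combine into one selection rule that any account can win by publishing a newer lookalike. The script below is an added example, not code from the original page, from AWS or from the researchers: it models the lookup offline on constructed image records shaped like the entries in boto3's ec2.describe_images() response (ImageId, OwnerId, Name, CreationDate). The owner account IDs and image IDs are placeholders. Filtering is done locally so it runs without credentials; in a real lookup the same allow-list goes into the Owners=[...] argument of describe_images, or the owners argument of a Terraform aws_ami data source, so untrusted accounts never match in the first place.

```python
"""Risky versus hardened AMI selection, modelled offline (added example)."""
from __future__ import annotations

import fnmatch
from datetime import datetime, timezone

TRUSTED_OWNER = "111111111111"  # placeholder: the account whose images you actually trust
UNKNOWN_OWNER = "222222222222"  # placeholder: an unrelated account publishing a lookalike

# Constructed sample data: two images from the trusted account and one newer
# image from an unknown account whose name mimics the trusted naming scheme.
SAMPLE_IMAGES = [
    {"ImageId": "ami-trusted-old", "OwnerId": TRUSTED_OWNER,
     "Name": "base-image-2024.01-x86_64", "CreationDate": "2024-01-15T00:00:00.000Z"},
    {"ImageId": "ami-trusted-new", "OwnerId": TRUSTED_OWNER,
     "Name": "base-image-2024.06-x86_64", "CreationDate": "2024-06-15T00:00:00.000Z"},
    {"ImageId": "ami-lookalike", "OwnerId": UNKNOWN_OWNER,
     "Name": "base-image-2025.02-x86_64", "CreationDate": "2025-02-01T00:00:00.000Z"},
]


def _created(image: dict) -> datetime:
    """Parse the EC2 CreationDate string so images can be ordered by age."""
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _name_matches(image: dict, name_pattern: str) -> bool:
    """EC2 name filters accept '*' and '?' wildcards; fnmatch reproduces that here."""
    return fnmatch.fnmatchcase(image["Name"], name_pattern)


def newest_matching(images: list[dict], name_pattern: str) -> dict | None:
    """The risky lookup: wildcard name filter plus 'most recent', no owner constraint.
    Whoever publishes the newest image with a matching name wins the selection,
    which is the whoAMI confusion the story describes."""
    candidates = [img for img in images if _name_matches(img, name_pattern)]
    return max(candidates, key=_created, default=None)


def newest_trusted(images: list[dict], name_pattern: str, trusted_owners: set[str]) -> dict:
    """The hardened lookup: same name filter, but only images from an explicit owner
    allow-list are considered, and an empty result is an error, not a silent fallback."""
    candidates = [img for img in images
                  if _name_matches(img, name_pattern) and img["OwnerId"] in trusted_owners]
    if not candidates:
        raise LookupError(f"no image matching {name_pattern!r} from owners {sorted(trusted_owners)}")
    return max(candidates, key=_created)


def untrusted_matches(images: list[dict], name_pattern: str, trusted_owners: set[str]) -> list[str]:
    """Audit helper: image IDs an unscoped lookup would accept but the allow-list rejects.
    A non-empty result for one of your own search patterns means the pattern is too
    broad or a lookalike image is in play; either way the pattern needs an owner."""
    return [img["ImageId"] for img in images
            if _name_matches(img, name_pattern) and img["OwnerId"] not in trusted_owners]


if __name__ == "__main__":
    pattern = "base-image-*-x86_64"
    print("unscoped pick :", newest_matching(SAMPLE_IMAGES, pattern)["ImageId"])
    print("trusted pick  :", newest_trusted(SAMPLE_IMAGES, pattern, {TRUSTED_OWNER})["ImageId"])
    print("untrusted hits:", untrusted_matches(SAMPLE_IMAGES, pattern, {TRUSTED_OWNER}))
```

On the sample data the unscoped lookup returns the lookalike because it is newest, while the owner-scoped lookup returns the trusted account's newest image and the audit helper names the lookalike explicitly. The same allow-list, expressed as an account ID or an alias such as "amazon" or "self", belongs in every AMI lookup in code and infrastructure templates; a scan of existing search patterns with untrusted_matches is a cheap way to find the ones that still lack it.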
Chinese Hackers Exploit Cisco Devices in Global Telecom Attacks
https://cyberinsider.com/chinese-hackers-breach-cisco-devices-in-global-telecom-attacks/
A new report reveals that the Chinese state-sponsored hacking group Salt Typhoon has compromised Cisco devices worldwide, targeting telecommunications providers and universities across multiple countries, including the United States, the United Kingdom, and South Africa.
The attacks exploit critical vulnerabilities in Cisco IOS XE software, allowing the hackers to gain unauthorized access and establish persistent backdoors within targeted networks.
Salt Typhoon leverages these compromised devices to eavesdrop on sensitive communications, manipulate data traffic, and potentially disrupt critical infrastructure.
This campaign highlights the growing threat of state-sponsored cyberattacks targeting critical infrastructure and underscores the need for robust cybersecurity measures to protect against these sophisticated threats.
Australian National University Investigates Alleged Ransomware Attack
https://www.cyberdaily.au/security/11716-exclusive-australian-national-university-investigating-alleged-cyber-attack
The Australian National University (ANU) is investigating a potential ransomware attack after the hacking group FSociety claimed to have breached the institution's systems and threatened to leak sensitive data.
FSociety, known for its ransomware-as-a-service operations, listed ANU on its dark web leak site, threatening to release stolen data within seven days if a ransom is not paid.
While the university is currently investigating the claims, the incident has raised concerns about the growing cyber threat landscape and the increasing sophistication of ransomware attacks.
This is not the first time ANU has faced a data breach. In 2019, a significant data breach impacted 19 years of personal data from both students and staff, with Chinese state actors suspected to be behind the attack.
The incident underscores the critical importance of robust cybersecurity measures for educational institutions and the ongoing challenge of protecting sensitive data in the face of evolving cyber threats.
Phishing Season 2025: Zscaler Predicts Increased Sophistication and New Threats
https://www.zscaler.com/blogs/security-research/phishing-season-2025-latest-predictions-unveiled
Zscaler's ThreatLabz has released its predictions for phishing attacks in 2025, highlighting a surge in sophistication and new attack vectors.
Key predictions include:
* AI-powered phishing: Both attackers and defenders will leverage AI, with attackers using AI to craft more convincing and personalized phishing emails and security vendors utilizing AI to enhance threat detection.
* MFA bypass: Phishing attacks will increasingly focus on bypassing multi-factor authentication (MFA) through techniques like adversary-in-the-middle attacks and localized phishing content.
* Vishing attacks on the rise: Voice phishing (vishing) attacks will become more sophisticated, utilizing AI-powered voice cloning technology to mimic trusted individuals and deceive victims.
* Mobile device targeting: Attackers will exploit vulnerabilities in mobile devices and platforms, leveraging social engineering tactics and exploiting trust in common communication channels like push notifications.
* Politically motivated attacks: Phishing attacks will capitalize on political events and heightened emotions, targeting voters and political campaigns with deceptive communications.
* Exploitation of encrypted messaging platforms: Cybercriminals will increasingly utilize encrypted messaging platforms to launch phishing attacks, leveraging bots to automate malicious activities and evade detection.
* Browser-in-the-browser attacks: These attacks will become more sophisticated, with AI-driven customization to mimic browser environments more convincingly and adapt to user interactions.
These predictions underscore the evolving threat landscape and the need for organizations and individuals to remain vigilant against increasingly sophisticated phishing attacks.
Chinese Cybercriminals Revive Carding with Mobile Wallet Attacks
https://krebsonsecurity.com/2025/02/how-phished-data-turns-into-apple-google-wallets/
Chinese cybercriminal groups have revitalized the carding industry by turning phished credit card data into mobile wallets, enabling widespread fraud.
These groups utilize sophisticated phishing techniques, primarily through iMessage and RCS, to capture victims' payment card information and one-time codes used for mobile wallet provisioning. They then link the stolen card data to new mobile wallets on devices they control, often selling these pre-loaded phones in bulk.
These cybercriminals are also using innovative techniques like "ghost tap" software, which relays NFC transactions from anywhere in the world, enabling them to cash out stolen funds at local payment terminals or ATMs.
The phishing operations are highly organized, with vendors selling sophisticated phishing kits that include features like real-time data capture, back-end databases for storing stolen information, and automated tools for creating fake payment card images for easy mobile wallet enrollment.
This resurgence of carding through mobile wallets has resulted in significant financial losses, highlighting the need for enhanced security measures in mobile wallet provisioning and payment systems.
Special Thanks to Justin Butterfield for contributing some of the interesting stories for this week’s cyber bites.