I'm currently taking a break and instead of sharing the latest cybersecurity news, I'll be doing a replay of an episode from our sister podcast, AppSec unlocked. It's an episode on Crisis response training, preparing for the inevitable. I hope you enjoy it and I'll be bringing you more of the latest in cybersecurity news when we return in May.

* Cyber Attacks Target Multiple Australian Super Funds, Half Million Dollars Stolen

* Intelligence Agencies Warn of "Fast Flux" Threat to National Security

* SpotBugs Token Theft Revealed as Origin of Multi-Stage GitHub Supply Chain Attack

* ASIC Secures Court Orders to Shut Down 95 "Hydra-Like" Scam Companies

* Oracle Acknowledges "Legacy Environment" Breach After Weeks of Denial

Cyber Attacks Target Multiple Australian Super Funds, Half Million Dollars Stolen

https://www.itnews.com.au/news/aussie-super-funds-targeted-by-fraudsters-using-stolen-creds-616269

https://www.abc.net.au/news/2025-04-04/superannuation-cyber-attack-rest-afsa/105137820

Multiple Australian superannuation funds have been hit by a wave of cyber attacks, with AustralianSuper confirming that four members have lost a combined $500,000 in retirement savings. The nation's largest retirement fund has reportedly faced approximately 600 attempted cyber attacks in the past month alone.

AustralianSuper has now confirmed that "up to 600" of its members were impacted by the incident. Chief member officer Rose Kerlin stated, "This week we identified that cyber criminals may have used up to 600 members' stolen passwords to log into their accounts in attempts to commit fraud." The fund has taken "immediate action to lock these accounts" and notify affected members.

Rest Super has also been impacted, with CEO Vicki Doyle confirming that "less than one percent" of its members were affected—equivalent to fewer than 20,000 accounts based on recent membership reports. Rest detected "unauthorised activity" on its member access portal "over the weekend of 29-30 March" and "responded immediately by shutting down the member access portal, undertaking investigations and launching our cyber security incident response protocols."

While Rest stated that no member funds were transferred out of accounts, "limited personal information" was likely accessed. "We are in the process of contacting impacted members to work through what this means for them and provide support," Doyle said.

HostPlus has confirmed it is "actively investigating the situation" but stated that "no HostPlus member losses have occurred" so far. Several other funds including Insignia and Australian Retirement were also reportedly affected.

Members across multiple funds have reported difficulty accessing their accounts online, with some logging in to find alarming $0 balances displayed. The disruption has caused considerable anxiety among account holders.

National cyber security coordinator Lieutenant General Michelle McGuinness confirmed that "cyber criminals are targeting individual account holders of a number of superannuation funds" and is coordinating with government agencies and industry stakeholders in response. The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted funds.

AustralianSuper urged members to log into their accounts "to check that their bank account and contact details are correct and make sure they have a strong and unique password that is not used for other sites." The fund also noted it has been working with "the Australian Signals Directorate, the National Office of Cyber Security, regulators and other authorities" since detecting the unauthorised access.

If you're a member of any of those funds, watch for official communications and be wary of potential phishing attempts that may exploit the situation.

Intelligence Agencies Warn of "Fast Flux" Threat to National Security

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/fast-flux-national-security-threat

Multiple intelligence agencies have issued a joint cybersecurity advisory warning organizations about a significant defensive gap in many networks against a technique known as "fast flux." The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Signals Directorate, Canadian Centre for Cyber Security, and New Zealand National Cyber Security Centre have collaborated to raise awareness about this growing threat.

Fast flux is a domain-based technique that enables malicious actors to rapidly change DNS records associated with a domain, effectively concealing the locations of malicious servers and creating resilient command and control infrastructure. This makes tracking and blocking such malicious activities extremely challenging for cybersecurity professionals.

"This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," states the advisory. Threat actors employ two common variants: single flux, where a single domain links to numerous rotating IP addresses, and double flux, which adds an additional layer by frequently changing the DNS name servers responsible for resolving the domain.

The advisory highlights several advantages that fast flux networks provide to cybercriminals: increased resilience against takedown attempts, rendering IP blocking ineffective due to rapid address turnover, and providing anonymity that complicates investigations. Beyond command and control communications, fast flux techniques are also deployed in phishing campaigns and to maintain cybercriminal forums and marketplaces.

Notably, some bulletproof hosting providers now advertise fast flux as a service differentiator. One such provider boasted on a dark web forum about protecting clients from Spamhaus blocklists through easily enabled fast flux capabilities.

The advisory recommends organizations implement a multi-layered defense approach, including leveraging threat intelligence feeds, analyzing DNS query logs for anomalies, reviewing time-to-live values in DNS records, and monitoring for inconsistent geolocation. It also emphasizes the importance of DNS and IP blocking, reputation filtering, enhanced monitoring, and information sharing among cybersecurity communities.

"Organizations should not assume that their Protective DNS providers block malicious fast flux activity automatically, and should contact their providers to validate coverage of this specific cyber threat," the advisory warns.

Intelligence agencies are urging all stakeholders—both government and providers—to collaborate in developing scalable solutions to close this ongoing security gap that enables threat actors to maintain persistent access to compromised systems while evading detection.

SpotBugs Token Theft Revealed as Origin of Multi-Stage GitHub Supply Chain Attack

https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/

Security researchers have traced the sophisticated supply chain attack that targeted Coinbase in March 2025 back to its origin point: the theft of a personal access token (PAT) associated with the popular open-source static analysis tool SpotBugs.

Palo Alto Networks Unit 42 revealed in their latest update that while the attack against cryptocurrency exchange Coinbase occurred in March 2025, evidence suggests the malicious activity began as early as November 2024, demonstrating the attackers' patience and methodical approach.

"The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs," Unit 42 explained. This initial compromise allowed the threat actors to move laterally between repositories until gaining access to reviewdog, another open-source project that became a crucial link in the attack chain.

Investigators determined that the SpotBugs maintainer was also an active contributor to the reviewdog project. When the attackers stole this maintainer's PAT, they gained the ability to push malicious code to both repositories.

The breach sequence began when attackers pushed a malicious GitHub Actions workflow file to the "spotbugs/spotbugs" repository using a disposable account named "jurkaofavak." Even more concerning, this account had been invited to join the repository by one of the project maintainers on March 11, 2025 – suggesting the attackers had already compromised administrative access.

Unit 42 revealed the attackers exploited a vulnerability in the repository's CI/CD process. On November 28, 2024, the SpotBugs maintainer modified a workflow in the "spotbugs/sonar-findbugs" repository to use their personal access token while troubleshooting technical difficulties. About a week later, attackers submitted a malicious pull request that exploited a GitHub Actions feature called "pull_request_target," which allows workflows from forks to access secrets like the maintainer's PAT.

This compromise initiated what security experts call a "poisoned pipeline execution attack" (PPE). The stolen credentials were later used to compromise the reviewdog project, which in turn affected "tj-actions/changed-files" – a GitHub Action used by numerous organizations including Coinbase.

One puzzling aspect of the attack is the three-month delay between the initial token theft and the Coinbase breach. Security researchers speculate the attackers were carefully monitoring high-value targets that depended on the compromised components before launching their attack.

The SpotBugs maintainer has since confirmed the stolen PAT was the same token later used to invite the malicious account to the repository. All tokens have now been rotated to prevent further unauthorized access.

Security experts remain puzzled by one aspect of the attack: "Having invested months of effort and after achieving so much, why did the attackers print the secrets to logs, and in doing so, also reveal their attack?" Unit 42 researchers noted, suggesting there may be more to this sophisticated operation than currently understood.

ASIC Secures Court Orders to Shut Down 95 "Hydra-Like" Scam Companies

https://asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-052mr-asic-warns-of-threat-from-hydra-like-scammers-after-obtaining-court-orders-to-shut-down-95-companies/

The Australian Securities and Investments Commission (ASIC) has successfully obtained Federal Court orders to wind up 95 companies suspected of involvement in sophisticated online investment and romance baiting scams, commonly known as "pig butchering" schemes.

ASIC Deputy Chair Sarah Court warned consumers to remain vigilant when engaging with online investment websites and mobile applications, describing the scam operations as "hydra-like" – when one is shut down, two more emerge in its place.

"Scammers will use every tool they can think of to steal people's money and personal information," Court said. "ASIC takes action to frustrate their efforts, including by prosecuting those that help facilitate their conduct and taking down over 130 scam websites each week."

The Federal Court granted ASIC's application after the regulator discovered most of the companies had been incorporated using false information. Justice Stewart described the case for winding up each company as "overwhelming," citing a justifiable lack of confidence in their conduct and management.

ASIC believes many of these companies were established to provide a "veneer of credibility" by purporting to offer genuine services. The regulator has taken steps to remove numerous related websites and applications that allegedly facilitated scam activity by tricking consumers into making investments in fraudulent foreign exchange, digital assets, or commodities trading platforms.

In some cases, ASIC suspects the companies were incorporated using stolen identities, highlighting the increasingly sophisticated techniques employed by scammers. These operations often create professional-looking websites and applications designed to lull victims into a false sense of security.

The action represents the latest effort in ASIC's ongoing battle against investment scams. The regulator reports removing approximately 130 scam websites weekly, with more than 10,000 sites taken down to date – including 7,227 fake investment platforms, 1,564 phishing scam hyperlinks, and 1,257 cryptocurrency investment scams.

Oracle Acknowledges "Legacy Environment" Breach After Weeks of Denial

https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen

Oracle has finally admitted to select customers that attackers breached a "legacy environment" and stole client credentials, according to a Bloomberg report. The tech giant characterized the compromised data as old information from a platform last used in 2017, suggesting it poses minimal risk.

However, this account conflicts with evidence provided by the threat actor from late 2024 and posted records from 2025 on a hacking forum. The attacker, known as "rose87168," listed 6 million data records for sale on BreachForums on March 20, including sample databases, LDAP information, and company lists allegedly stolen from Oracle Cloud's federated SSO login servers.

Oracle has reportedly informed customers that cybersecurity firm CrowdStrike and the FBI are investigating the incident. According to cybersecurity firm CybelAngel, Oracle told clients that attackers gained access to the company's Gen 1 servers (Oracle Cloud Classic) as early as January 2025 by exploiting a 2020 Java vulnerability to deploy a web shell and additional malware.

The breach, detected in late February, reportedly involved the exfiltration of data from the Oracle Identity Manager database, including user emails, hashed passwords, and usernames.

When initially questioned about the leaked data, Oracle firmly stated: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, cybersecurity expert Kevin Beaumont noted this appears to be "wordplay," explaining that "Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident."

* Australian Court System Breach Exposes Thousands of Sensitive Legal Documents, Including Restraining Orders

* Nine Newspapers Subscribers Have Data Exposed Online in Breach

* Sydney Tools Hammered by Massive Customer Data Exposure

* Russian Phishing Sites Target Citizens Seeking to Join Anti-Kremlin Forces

* Cybersecurity Expert Troy Hunt Falls Victim to Sophisticated Mailchimp Phishing Attack

Special thanks to Justin Butterfield for contributing to this week’s Cyber Bites.

* Critical Flaw in Next.js Allows Authorization Bypass

* Hackers Can Now Weaponize AI Coding Assistants Through Hidden Configuration Rules

* Hacker Claims Oracle Cloud Data Theft, Company Refutes Breach

* Chinese Hackers Infiltrate Asian Telco, Maintain Undetected Network Access for Four Years

* Cloudflare Launches Aggressive Security Measure: Shutting Down HTTP Ports for API Access

Critical Flaw in Next.js Allows Authorization Bypass

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

A critical vulnerability, CVE-2025-29927, has been discovered in the Next.js web development framework, enabling attackers to bypass authorization checks. This flaw allows malicious actors to send requests that bypass essential security measures.

Next.js, a popular React framework used by companies like TikTok, Netflix, and Uber, utilizes middleware components for authentication and authorization. The vulnerability stems from the framework's handling of the "x-middleware-subrequest" header, which normally prevents infinite loops in middleware processing. Attackers can manipulate this header to bypass the entire middleware execution chain.

The vulnerability affects Next.js versions prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5. Users are strongly advised to upgrade to patched versions immediately. Notably, the flaw only impacts self-hosted Next.js applications using "next start" with "output: standalone." Applications hosted on Vercel and Netlify, or deployed as static exports, are not affected. As a temporary mitigation, blocking external user requests containing the "x-middleware-subrequest" header is recommended.

Hackers Can Now Weaponize AI Coding Assistants Through Hidden Configuration Rules

https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents

Researchers Uncover Dangerous "Rules File Backdoor" Attack Targeting GitHub Copilot and Cursor

In a groundbreaking discovery, cybersecurity researchers from Pillar Security have identified a critical vulnerability in popular AI coding assistants that could potentially compromise software development processes worldwide. The newly unveiled attack vector, dubbed the "Rules File Backdoor," allows malicious actors to silently inject harmful code instructions into AI-powered code editors like GitHub Copilot and Cursor.

The vulnerability exploits a fundamental trust mechanism in AI coding tools: configuration files that guide code generation. These "rules files," typically used to define coding standards and project architectures, can be manipulated using sophisticated techniques including invisible Unicode characters and complex linguistic patterns.

According to the research, nearly 97% of enterprise developers now use generative AI coding tools, making this attack particularly alarming. By embedding carefully crafted prompts within seemingly innocent configuration files, attackers can essentially reprogram AI assistants to generate code with hidden vulnerabilities or malicious backdoors.

The attack mechanism is particularly insidious. Researchers demonstrated that attackers could:

* Override security controls

* Generate intentionally vulnerable code

* Create pathways for data exfiltration

* Establish long-term persistent threats across software projects

When tested, the researchers showed how an attacker could inject a malicious script into an HTML file without any visible indicators in the AI's response, making detection extremely challenging for developers and security teams.

Both Cursor and GitHub have thus far maintained that the responsibility for reviewing AI-generated code lies with users, highlighting the critical need for heightened vigilance in AI-assisted development environments.

Pillar Security recommends several mitigation strategies:

* Conducting thorough audits of existing rule files

* Implementing strict validation processes for AI configuration files

* Deploying specialized detection tools

* Maintaining rigorous manual code reviews

As AI becomes increasingly integrated into software development, this research serves as a crucial warning about the expanding attack surfaces created by artificial intelligence technologies.

Hacker Claims Oracle Cloud Data Theft, Company Refutes Breach

https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/

Threat Actor Offers Stolen Data on Hacking Forum, Seeks Ransom or Zero-Day Exploits

Oracle has firmly denied allegations of a data breach after a threat actor known as rose87168 claimed to have stolen 6 million data records from the company's Cloud federated Single Sign-On (SSO) login servers.

The threat actor, posting on the BreachForums hacking forum, asserts they accessed Oracle Cloud servers approximately 40 days ago and exfiltrated data from the US2 and EM2 cloud regions. The purported stolen data includes encrypted SSO passwords, Java Keystore files, key files, and enterprise manager JPS keys.

Oracle categorically rejected the breach claims, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

To substantiate their claims, the hacker shared an Internet Archive URL indicating they uploaded a text file containing their ProtonMail email address to the login.us2.oraclecloud.com server. The threat actor also suggested that SSO passwords, while encrypted, could be decrypted using available files.

The hacker's demands are multifaceted: they are selling the allegedly stolen data for an undisclosed price or seeking zero-day exploits. Additionally, they proposed offering partial data removal for companies willing to pay a specific amount to protect their employees' information.

In a provocative move, rose87168 claimed to have emailed Oracle, demanding 100,000 Monero (XMR) in exchange for breach details. According to the threat actor, Oracle refused the offer after requesting comprehensive information for fixing and patching the vulnerability.

The threat actor alleges that Oracle Cloud servers are running a vulnerable version with a public CVE (Common Vulnerabilities and Exposures) that currently lacks a public proof-of-concept or exploit.

Chinese Hackers Infiltrate Asian Telco, Maintain Undetected Network Access for Four Years

https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/

Sophisticated Espionage Campaign Exploits Vulnerable Home Routers

Cybersecurity researchers from Sygnia have uncovered a sophisticated four-year cyber espionage campaign by Chinese state-backed hackers targeting a major Asian telecommunications company. The threat actor, dubbed "Weaver Ant," demonstrated extraordinary persistence and technical sophistication in maintaining undetected access to the victim's network.

The attack began through a strategic compromise of home routers manufactured by Zyxel, which served as the initial entry point into the telecommunications provider's environment. Sygnia attributed the campaign to Chinese actors based on multiple indicators, including the specific targeting, campaign objectives, hacker working hours, and the use of the China Chopper web shell—a tool frequently employed by Chinese hacking groups.

Oren Biderman, Sygnia's incident response leader, described the threat actors as "incredibly dangerous and persistent," emphasizing their primary goal of infiltrating critical infrastructure and collecting sensitive information. The hackers demonstrated remarkable adaptability, continuously evolving their tactics to maintain network access and evade detection.

A key tactic in the attack involved operational relay box (ORB) networks, a sophisticated infrastructure comprising compromised virtual private servers, Internet of Things devices, and routers. By leveraging an ORB network primarily composed of compromised Zyxel routers from Southeast Asian telecom providers, the hackers effectively concealed their attack infrastructure and enabled cross-network targeting.

The researchers initially discovered the campaign during the final stages of a separate forensic investigation, when they noticed suspicious account restoration and encountered a web shell variant deployed on a long-compromised server. Further investigation revealed multiple layers of web shells that allowed the hackers to move laterally within the network while remaining undetected.

Sygnia's analysis suggests the campaign's ultimate objective was long-term espionage, enabling continuous information collection and potential future strategic operations. The hackers' ability to maintain access for four years, despite repeated elimination attempts, underscores the sophisticated nature of state-sponsored cyber intrusions.

Cloudflare Launches Aggressive Security Measure: Shutting Down HTTP Ports for API Access

https://blog.cloudflare.com/https-only-for-cloudflare-apis-shutting-the-door-on-cleartext-traffic/

Company Takes Bold Step to Prevent Potential Data Exposures

Cloudflare has announced a comprehensive security initiative to completely eliminate unencrypted HTTP traffic for its API endpoints, marking a significant advancement in protecting sensitive digital communications. The move comes as part of the company's ongoing commitment to enhancing internet security by closing cleartext communication channels that could potentially expose critical information.

Starting immediately, any attempts to connect to api.cloudflare.com using unencrypted HTTP will be entirely rejected, rather than simply redirected. This approach addresses a critical security vulnerability where sensitive information like API tokens could be intercepted during initial connection attempts, even before a secure redirect could occur.

The decision stems from a critical observation that initial plaintext HTTP requests can expose sensitive data to network intermediaries, including internet service providers, Wi-Fi hotspot providers, and potential malicious actors. By closing HTTP ports entirely, Cloudflare prevents the transport layer connection from being established, effectively blocking any potential data exposure before it can occur.

Notably, the company plans to extend this feature to its customers, allowing them to opt-in to HTTPS-only traffic for their websites by the last quarter of 2025. This will provide users with an additional layer of security at no extra cost.

While the implementation presents challenges—with approximately 2-3% of requests still coming over plaintext HTTP from "likely human" clients and over 16% from automated sources—Cloudflare has developed sophisticated technical solutions to manage the transition. The company has leveraged tools like Tubular to intelligently manage IP addresses and network connections, ensuring minimal disruption to existing services.

The move is part of Cloudflare's broader mission to make the internet more secure, with the company emphasizing that security features should be accessible to all users without additional charges. Developers and users of Cloudflare's API will need to ensure they are using HTTPS connections exclusively moving forward.

* Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt

* AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming

* Widely Used GitHub Action Compromised, Leaking Secrets

* Fake "Security Alert" Phishing on GitHub Hijacks Accounts

* MyGov Passkey Adoption Surges in Australia

Sydney Law Firm Targeted by Foreign Cyber Attackers in Extortion Attempt

https://www.smh.com.au/national/nsw/prominent-sydney-law-firm-hit-with-cyberattack-massive-data-breach-20250313-p5ljd8.html

Brydens Lawyers, a prominent Sydney law firm with ties to major sports leagues, has been targeted by foreign cyber attackers who stole over 600 gigabytes of confidential data. The data includes information related to the firm, its clients, cases, and staff.

The firm discovered the security breach around February 20th and immediately took its digital systems offline, engaging external advisors, lawyers, and security experts. The attackers are now extorting the firm for a ransom.

Brydens has reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The firm has also restored its IT system's security and is conducting investigations to determine the full extent of the breach and notify affected individuals. This incident highlights the vulnerability of legal firms, which handle highly sensitive information, to ransomware attacks.

AI Coding Assistant Refuses to Generate Code, Suggests User Learn Programming

https://arstechnica.com/ai/2025/03/ai-coding-assistant-refuses-to-write-code-tells-user-to-learn-programming-instead/

An AI coding assistant, Cursor, has surprised users by refusing to generate code and instead advising them to learn programming. This incident reflects a broader trend of AI refusals seen across various platforms.

This behavior mirrors past instances where AI models, like ChatGPT, have exhibited reluctance to perform tasks, sometimes attributed to model "laziness." Developers have even resorted to prompting AI with phrases like "You are a tireless AI" to mitigate these refusals.

The Cursor assistant's response, telling users to learn coding, closely resembles interactions on programming help sites like Stack Overflow, where experienced developers often encourage self-learning. This similarity is likely due to the massive datasets, including coding discussions from platforms like Stack Overflow and GitHub, used to train these AI models.

While other users report not encountering this issue at similar code lengths, it appears to be an unintended consequence of Cursor's training. The developers of Cursor have been contacted for comment.

Widely Used GitHub Action Compromised, Leaking Secrets

https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066

The widely used GitHub Action "tj-actions/changed-files" was compromised before March 14, 2025, injecting malicious code that leaked secrets from affected public repositories into workflow logs. This supply chain attack, tracked as CVE-2025-30066, exposed sensitive information like AWS access keys, GitHub Personal Access Tokens, and private RSA keys.

The compromise occurred when an attacker gained access to update tags, pointing them to malicious code. While the malicious commits have since been reverted and the associated GitHub gist has been deleted, the risk of leaked secrets in logs remains.

The primary risk is to public repositories, where secrets were exposed in plain view. Security teams are urged to identify affected repositories, review workflow logs for base64 encoded secrets, and immediately rotate any compromised credentials. It is recommended to stop using the compromised action, pin GitHub Actions to specific commit hashes, audit past workflow runs, and use GitHub's allow-listing feature to prevent future attacks.

Fake "Security Alert" Phishing on GitHub Hijacks Accounts

https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/

A widespread phishing campaign is targeting GitHub users with fake "Security Alert" issues, attempting to trick them into authorizing a malicious OAuth app. The campaign has targeted nearly 12,000 repositories, warning users of unusual login attempts from Iceland.

The fake alerts provide links that lead to an OAuth authorization page for a "gitsecurityapp" app, which requests extensive permissions, including full access to repositories, user profiles, and GitHub Actions workflows. If authorized, the app gains complete control over the user's account and code.

The phishing campaign, which began recently, directs authorized users to callback addresses hosted on onrender.com. Users who have authorized the malicious app are advised to immediately revoke its access through GitHub Settings, check for unfamiliar GitHub Actions or gists, and rotate their credentials and authorization tokens.

MyGov Passkey Adoption Surges in Australia

https://www.itnews.com.au/news/over-200000-mygov-users-disable-passwords-in-passkey-shift-615664

Over half a million myGov users have adopted passkeys as their login method since the feature launched in June 2024, with over 200,000 users exclusively relying on passkeys and abandoning traditional passwords. The Australian government implemented passkeys to enhance security and combat phishing attacks, investing $5.6 million in the project.

Passkeys utilize biometric authentication, PINs, swipe patterns, or physical USB devices, leveraging cryptographic keypair technology. This approach makes myGov accounts resistant to phishing, as passkeys are specific to the website or app they are created for. Australia is among the first countries to implement passkeys for government services.

* Critical PHP Vulnerability Under Mass Exploitation Worldwide

* Hacktivist Group Claims Responsibility for X Outages, Musk Blames "Massive Cyberattack"

* Cybercriminals Use Bogus Copyright Claims to Spread Malware on YouTube

* Former Software Developer Found Guilty of Sabotaging Employer's Systems

* Melbourne Man Charged in Mobile Number Porting Scam

Critical PHP Vulnerability Under Mass Exploitation Worldwide

https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/

A critical PHP remote code execution vulnerability, CVE-2024-4577, is being actively exploited in widespread attacks targeting Windows systems globally.

The vulnerability, patched in June 2024, allows unauthenticated attackers to execute arbitrary code, leading to complete system compromise.

While initial reports indicated targeted attacks against Japanese organizations, new data reveals a significant increase in exploitation attempts worldwide, including the United States, Singapore, Germany, and China.

Threat intelligence firm GreyNoise reports observing a surge in exploitation attempts since January 2025, with numerous exploit codes available online.

The attacks involve attempts to steal credentials, establish persistence, elevate privileges, and deploy adversarial tools. This vulnerability has also been previously exploited by ransomware groups and to deploy new malware.

Hacktivist Group Claims Responsibility for X Outages, Musk Blames "Massive Cyberattack"

https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/

https://www.abc.net.au/news/2025-03-11/elon-musk-says-x-outages-result-of-cyber-attack/105035078

The hacktivist group Dark Storm has claimed responsibility for distributed denial-of-service (DDoS) attacks that caused multiple worldwide outages on the X platform. X owner Elon Musk confirmed a "massive cyberattack" against the platform, stating it was conducted with significant resources and potentially involved a large, coordinated group or a nation-state.

Dark Storm, a pro-Palestinian group active since 2023, posted evidence of their attacks on Telegram, including screenshots and links to website availability monitoring tools. X has since implemented DDoS protection from Cloudflare, displaying captchas to users connecting from suspicious IP addresses.

Musk later stated that the cyberattack involved IP addresses originating from Ukraine, but Dark Storm denied any connection to Ukraine. DDoS attacks often utilize botnets and compromised devices from various global locations to generate overwhelming traffic, disrupting targeted websites.

Cybercriminals Use Bogus Copyright Claims to Spread Malware on YouTube

https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/

Cybercriminals are exploiting YouTube's copyright claim system to coerce creators into promoting malware and cryptocurrency miners. They are targeting YouTubers who publish tutorials on Windows Packet Divert (WPD) tools, which are popular in Russia for bypassing internet censorship.

The attackers pose as copyright holders of these tools, filing false copyright claims and then contacting creators with a "resolution" that involves adding download links to trojanized versions of the software. These malicious versions, hosted on GitHub, contain a cryptominer downloader.

Creators, fearing channel bans, often comply. Kaspersky reports that one such video, with over 400,000 views, led to 40,000 malicious downloads before the link was removed. A Telegram channel with 340,000 subscribers also promoted the malware.

The malware uses a multi-stage loader, including a Python-based loader and a bloated second-stage executable to evade detection. It disables Microsoft Defender, establishes persistence, and downloads SilentCryptoMiner, a modified XMRig miner. The miner uses process hollowing and pauses activity when monitoring tools are active.

While currently targeting Russian users, this tactic could be used to distribute other malware, such as info-stealers or ransomware, on a broader scale. Users are advised to avoid downloading software from links provided in YouTube videos, especially from smaller channels.

Former Software Developer Found Guilty of Sabotaging Employer's Systems

https://www.justice.gov/opa/pr/texas-man-convicted-sabotaging-his-employers-computer-systems-and-deleting-data

A federal jury in Cleveland has convicted a senior software developer, Davis Lu, of sabotaging his former employer, Eaton Corporation's, computer systems. Lu, 55, faces up to ten years in prison.

Lu, who worked at Eaton from 2007 to 2019, began deploying malicious code after a demotion in 2019. He created a Java program that crashed production systems by generating infinite resource-consuming threads. He also developed a "kill switch" that locked out thousands of employees worldwide when his employment was terminated. The “kill switch” code was named “IsDLEnabledinAD”, abbreviating “Is Davis Lu enabled in Active Directory”.

Investigators found Lu's malware and related code on internal development servers, linking his user account to the sabotage. He attempted to delete data and wipe his company laptop before returning it. Lu confessed to federal investigators in 2019 but pleaded not guilty, leading to the jury trial and his subsequent conviction.

Melbourne Man Charged in Mobile Number Porting Scam

https://www.afp.gov.au/news-centre/media-release/victorian-man-charged-over-alleged-bulk-phone-porting-scam

A Melbourne man is facing court after allegedly attempting to steal mobile numbers from identity theft victims. The man, 34, is accused of making 193 unauthorized "port-in" attempts, successfully transferring 44 mobile numbers to his control.

The Australian Federal Police (AFP) began investigating in July 2024 after a telecommunications company reported suspicious porting activity. Porting scams allow criminals to bypass multi-factor authentication and access victims' bank accounts.

A search warrant executed at the man's residence resulted in the seizure of mobile phones, a computer, SIM cards, and suspected drug items. He has been charged with unauthorized modification of data, which carries a maximum penalty of 10 years imprisonment.

The AFP urges individuals to be vigilant for unexpected text messages or service disruptions, as these could indicate an unauthorized porting attempt. Victims are advised to contact their mobile provider and bank immediately, and report the incident to ReportCyber.

* Disney Engineer's Life Destroyed by Malicious AI Download

* Global Security Flaw Exposes Sensitive Employee Data and Physical Vulnerabilities

* Malicious PyPi Package Pirating Deezer Music for Years

* Code Security Remains Crucial, Even in Hardened Environments

* Google Introduces AI Scam Detection for Android2025_03_07 - Google

Disney Engineer's Life Destroyed by Malicious AI Download

https://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931

A former Disney engineer, Matthew Van Andel, had his life turned upside down after downloading a seemingly harmless AI tool from GitHub. The software, intended for creating AI images, contained malware that granted hackers access to his computer and sensitive data.

The hackers stole his Disney login credentials, leading to the leak of over 44 million Disney internal slack messages, including customer information, employee passport numbers, and financial data. They also accessed his personal accounts, stealing credit card numbers, leaking his social security number, and even gaining access to his home Ring cameras.

Matthew was subsequently fired from Disney after a forensic analysis of his work computer found he had accessed pornographic material, which he denies. He lost his health insurance and $200,000 in bonuses.

The incident highlights the dangers of downloading software from untrusted sources and the vulnerability of personal and corporate data to sophisticated cyberattacks. Lot of people think that content from GitHub are trustworthy and they couldn't be more wrong. Matthew's case underscores the importance of strong password security, two-factor authentication, and vigilance against malicious software. He was using 1Password as his password manager but didn't have any 2FA access on it.

Global Security Flaw Exposes Sensitive Employee Data and Physical Vulnerabilities

https://www.modat.io/post/doors-wide-open-critical-risks-in-ams

A widespread security risk has been discovered involving misconfigured and exposed Access Management Systems (AMS) across numerous industries and countries.

This exposure has resulted in hundreds of thousands of employee records, including personal identification details, biometric data, photographs, and work schedules, being accessible online. Additionally, the physical security of thousands of organizations has been compromised, allowing potential unauthorized entry into buildings and bypassing physical security measures.

The affected sectors include construction, healthcare, education, manufacturing, oil, and government entities, with a high concentration of exposed systems found in European countries, the US, and the MENA region.

The consequences of these vulnerabilities range from financial losses and regulatory penalties, such as GDPR fines, to severe breaches leading to identity theft, unauthorized access, and disclosure of confidential business information.

The report emphasizes the critical need for organizations to implement robust security measures, including restricting internet access to AMS, regularly updating security patches, changing default credentials, and implementing continuous monitoring to protect sensitive data and maintain physical security.

Malicious PyPi Package Pirating Deezer Music for Years

https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy

A PyPi package named 'automslc,' downloaded over 100,000 times since 2019, has been pirating music from the Deezer streaming service using hardcoded credentials.

The package bypasses Deezer's limitations and downloads full-length, high-quality audio files for offline listening and distribution, violating Deezer's terms of service and copyright laws.

Security firm Socket discovered the package, noting that while it functions as a piracy tool, it also utilizes command-and-control infrastructure, potentially turning users into a distributed network.

This raises concerns about the potential for the tool to be repurposed for other malicious activities.

The package remains available on PyPi at the time of reporting, and users are warned of the legal risks associated with its use.

Code Security Remains Crucial, Even in Hardened Environments

https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/

A recent study demonstrates that even in hardened environments with read-only file systems, attackers can exploit file write vulnerabilities in Node.js applications to achieve remote code execution. This is accomplished by manipulating exposed pipe file descriptors, bypassing typical security restrictions.

The research highlights the limitations of infrastructure hardening as a sole security measure. Attackers can leverage vulnerabilities in the application's source code, even when the underlying infrastructure is fortified.

The attack involves writing crafted data structures to anonymous pipes used by Node.js's event loop, ultimately triggering the execution of arbitrary code. This technique exploits the "everything is a file" philosophy in Unix-based systems and demonstrates the importance of code security.

Key findings include:

* Bypassing Read-Only Restrictions: Attackers can write to pipe file descriptors, even when the file system is mounted read-only.

* Manipulating Event Handlers: Attackers can craft data structures to manipulate Node.js's event handler and execute arbitrary code.

* The Importance of Code Security: Infrastructure hardening alone is insufficient; vulnerabilities in the source code must be addressed.

This research underscores the need for developers to prioritize code security, even in environments with robust infrastructure hardening. Vulnerabilities at the source code level can be exploited, regardless of other security measures.

Google Introduces AI Scam Detection for Android

https://security.googleblog.com/2025/03/new-ai-powered-scam-detection-features.html

Google has launched AI-powered scam detection features for Android devices, designed to protect users from conversational fraud. These features target scams that start innocently but escalate into harmful situations, as well as phone call scams using spoofed numbers.

Google partnered with financial institutions to develop AI models that can identify suspicious patterns in conversations and provide real-time warnings. These models operate entirely on-device, ensuring user privacy. Users can choose to dismiss or report and block suspicious senders. The feature is enabled by default for conversations with unknown numbers.

A similar AI-powered scam detection feature for phone calls is being expanded to English-speaking Pixel 9+ users in the U.S. This feature, which is optional, processes call audio ephemerally and notifies participants when it is active.

These developments follow Google's announcement that over one billion Chrome users are using Enhanced Protection mode, which utilizes AI and machine learning to detect phishing, social engineering, and scam techniques.

* Russian Threat Actors Target Signal Messenger Accounts

* Australian Fertility Services Giant Genea Suffers Data Breach

* Australia Bans Kaspersky Products on Government Systems Over Security Concerns

* PayPal "New Address" Feature Abused in Widespread Phishing Scam

* Apple Disables iCloud End-to-End Encryption in UK Following Government Demand

Russian Threat Actors Target Signal Messenger Accounts

https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/

Google's Threat Intelligence Group (GTIG) has observed a surge in efforts by multiple Russian state-aligned threat actors to compromise Signal Messenger accounts, particularly those belonging to individuals of interest to Russian intelligence services.

These groups are exploiting Signal's "linked devices" feature by using malicious QR codes to link victim accounts to attacker-controlled devices, allowing them to eavesdrop on secure conversations in real-time. This tactic has proven effective due to its low-signature nature, making it difficult to detect.

GTIG has identified several threat actors involved in these campaigns, including:

* UNC5792: This group modifies legitimate Signal group invite pages to redirect victims to malicious URLs that link their accounts to attacker devices.

* UNC4221: This group operates a tailored Signal phishing kit that mimics applications used by the Ukrainian military, embedding malicious QR codes or redirecting victims to fake device-linking instructions.

* APT44 (Sandworm): This group has been observed using malware and scripts to steal Signal database files from compromised Android and Windows devices.

* Turla: This Russian threat actor uses PowerShell scripts to exfiltrate Signal Desktop messages.

* UNC1151: This Belarus-linked group uses command-line utilities to stage Signal Desktop files for exfiltration.

The targeting of Signal, along with other messaging apps like WhatsApp and Telegram, highlights a growing trend of state-sponsored actors seeking to intercept secure communications. GTIG recommends users take several precautions, including:

* Enabling strong screen locks on mobile devices.

* Keeping operating systems and messaging apps updated.

* Regularly auditing linked devices.

* Exercising caution with QR codes and suspicious links.

* Using two-factor authentication.

This increased activity underscores the importance of heightened security awareness and proactive measures to protect against these sophisticated attacks.

Australian Fertility Services Giant Genea Suffers Data Breach

https://www.genea.com.au/pages/important-update-about-a-cyber-incident-MCI2XUN2KJWRFXNMZI2ZZ3QVD2JA

Genea, a major Australian fertility services provider, has confirmed a security breach after detecting unauthorized access to its network.

The company is currently investigating the extent of the data breach and working to restore affected systems.

Genea has stated that it will notify individuals if their personal information has been compromised. The breach comes days after a phone and app outage at Genea's clinics, raising questions about the timeline of the cyber incident.

The company has apologized for any concern caused and reassured patients that they are working to minimize disruptions to treatment schedules. Genea is a significant player in the Australian fertility services market, operating 22 clinics across the country.

Australia Bans Kaspersky Products on Government Systems Over Security Concerns

https://www.protectivesecurity.gov.au/system/files/2025-02/PSPF-Direction-002-2025.pdf

The Australian government has banned all Kaspersky Lab products and web services from its systems, citing an "unacceptable security risk" due to potential foreign interference, espionage, and sabotage.

The decision, made by the Department of Home Affairs, requires all non-corporate Commonwealth entities to identify, remove, and prevent the future installation of Kaspersky products.

While an exemption exists for national security or regulatory purposes, the ban signals a strong policy stance against the use of Kaspersky software.

Kaspersky has refuted the allegations, claiming the ban is politically motivated and lacks technical justification. The company argues that the decision was made without due process or engagement, highlighting the growing trend of Western governments restricting the use of Kaspersky products due to national security concerns.

PayPal "New Address" Feature Abused in Widespread Phishing Scam

https://www.bleepingcomputer.com/news/security/beware-paypal-new-address-feature-abused-to-send-phishing-emails/

A widespread phishing scam is exploiting PayPal's "new address" feature to send fraudulent purchase notifications to users, tricking them into granting remote access to scammers.

The scam involves adding a fake address to a PayPal account, along with a fabricated purchase confirmation message, which triggers a legitimate PayPal email notification to the account holder.

The email, sent directly from PayPal, includes a fake purchase confirmation for a high-value item, such as a MacBook, and instructs the recipient to call a provided phone number if the purchase was unauthorized.

When victims call the number, scammers pose as PayPal support and convince them to download remote access software, such as ConnectWise ScreenConnect, allowing the scammers to take control of their computers.

The scammers then attempt to steal money, deploy malware, or steal sensitive data.

This scam is made possible by PayPal's lack of character limits in address form fields, allowing scammers to inject their fraudulent messages. PayPal needs to implement character limits to prevent this abuse. Users are advised to ignore these emails and verify any account changes directly through the PayPal website.

Apple Disables iCloud End-to-End Encryption in UK Following Government Demand

https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order

Apple has removed its Advanced Data Protection (ADP) feature, which provides end-to-end encryption for iCloud data, for new users in the United Kingdom.

This decision follows a secret order from the UK government demanding Apple create a backdoor to access encrypted user data.

Apple expressed disappointment with the situation, emphasizing the importance of end-to-end encryption in protecting user privacy, particularly in the face of increasing data breaches.

While existing ADP users in the UK will initially retain the feature, they will eventually be required to disable it to continue using their iCloud accounts.

Apple maintains its commitment to user privacy and hopes to offer enhanced security features in the UK in the future. iMessage, FaceTime, Health data, and iCloud Keychain remain end-to-end encrypted in the UK.

* "whoAMI" Attack Exploits AWS for Code Execution

* Chinese Hackers Exploit Cisco Devices in Global Telecom Attacks

* Australian National University Investigates Alleged Ransomware Attack

* Phishing Season 2025: Zscaler Predicts Increased Sophistication and New Threats

* Chinese Cybercriminals Revive Carding with Mobile Wallet Attacks

"whoAMI" Attack Exploits AWS for Code Execution

https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances/

Security researchers have discovered a critical vulnerability in Amazon Web Services (AWS) that allows attackers to gain unauthorized code execution on EC2 instances.

Dubbed "whoAMI," the attack exploits a flaw in how users select Amazon Machine Images (AMIs), the pre-configured templates used to create virtual servers.

Attackers can publish malicious AMIs with names that mimic those of legitimate AMIs, tricking users into selecting and launching these malicious images.

This can occur when users:

* Fail to specify the owner of the AMI: When retrieving AMIs, users should always specify the owner to ensure they are selecting trusted images.

* Use wildcards in their AMI searches: This can inadvertently include malicious AMIs that match the search criteria.

* Utilize "most_recent=true" in tools like Terraform: This setting automatically selects the latest matching AMI, which could be a malicious one.

AWS has acknowledged the vulnerability and implemented a fix. However, organizations must update their code and configurations to mitigate the risk.

This attack highlights the importance of secure coding practices and careful consideration of security measures when utilizing cloud services.

Chinese Hackers Exploit Cisco Devices in Global Telecom Attacks

https://cyberinsider.com/chinese-hackers-breach-cisco-devices-in-global-telecom-attacks/

A new report reveals that the Chinese state-sponsored hacking group Salt Typhoon has compromised Cisco devices worldwide, targeting telecommunications providers and universities across multiple countries, including the United States, the United Kingdom, and South Africa.

The attacks exploit critical vulnerabilities in Cisco IOS XE software, allowing the hackers to gain unauthorized access and establish persistent backdoors within targeted networks.

Salt Typhoon leverages these compromised devices to eavesdrop on sensitive communications, manipulate data traffic, and potentially disrupt critical infrastructure.

This campaign highlights the growing threat of state-sponsored cyberattacks targeting critical infrastructure and underscores the need for robust cybersecurity measures to protect against these sophisticated threats.

Australian National University Investigates Alleged Ransomware Attack

https://www.cyberdaily.au/security/11716-exclusive-australian-national-university-investigating-alleged-cyber-attack

The Australian National University (ANU) is investigating a potential ransomware attack after the hacking group FSociety claimed to have breached the institution's systems and threatened to leak sensitive data.

FSociety, known for its ransomware-as-a-service operations, listed ANU on its dark web leak site, threatening to release stolen data within seven days if a ransom is not paid.

While the university is currently investigating the claims, the incident has raised concerns about the growing cyber threat landscape and the increasing sophistication of ransomware attacks.

This is not the first time ANU has faced a data breach. In 2019, a significant data breach impacted 19 years of personal data from both students and staff, with Chinese state actors suspected to be behind the attack.

The incident underscores the critical importance of robust cybersecurity measures for educational institutions and the ongoing challenge of protecting sensitive data in the face of evolving cyber threats.

Phishing Season 2025: Zscaler Predicts Increased Sophistication and New Threats

https://www.zscaler.com/blogs/security-research/phishing-season-2025-latest-predictions-unveiled

Zscaler's ThreatLabz has released its predictions for phishing attacks in 2025, highlighting a surge in sophistication and new attack vectors.

Key predictions include:

* I-powered phishing: Both attackers and defenders will leverage AI, with attackers using AI to craft more convincing and personalized phishing emails and security vendors utilizing AI to enhance threat detection.

* MFA bypass: Phishing attacks will increasingly focus on bypassing multi-factor authentication (MFA) through techniques like adversary-in-the-middle attacks and localized phishing content.

* Vishing attacks on the rise: Voice phishing (vishing) attacks will become more sophisticated, utilizing AI-powered voice cloning technology to mimic trusted individuals and deceive victims.

* Mobile device targeting: Attackers will exploit vulnerabilities in mobile devices and platforms, leveraging social engineering tactics and exploiting trust in common communication channels like push notifications.

* Politically motivated attacks: Phishing attacks will capitalize on political events and heightened emotions, targeting voters and political campaigns with deceptive communications.

* Exploitation of encrypted messaging platforms: Cybercriminals will increasingly utilize encrypted messaging platforms to launch phishing attacks, leveraging bots to automate malicious activities and evade detection.

* Browser-in-the-browser attacks: These attacks will become more sophisticated, with AI-driven customization to mimic browser environments more convincingly and adapt to user interactions.

These predictions underscore the evolving threat landscape and the need for organizations and individuals to remain vigilant against increasingly sophisticated phishing attacks.

Chinese Cybercriminals Revive Carding with Mobile Wallet Attacks

https://krebsonsecurity.com/2025/02/how-phished-data-turns-into-apple-google-wallets/

Chinese cybercriminal groups have revitalized the carding industry by turning phished credit card data into mobile wallets, enabling widespread fraud.

These groups utilize sophisticated phishing techniques, primarily through iMessage and RCS, to capture victims' payment card information and one-time codes used for mobile wallet provisioning. They then link the stolen card data to new mobile wallets on devices they control, often selling these pre-loaded phones in bulk.

These cybercriminals are also using innovative techniques like "ghost tap" software, which relays NFC transactions from anywhere in the world, enabling them to cash out stolen funds at local payment terminals or ATMs.

The phishing operations are highly organized, with vendors selling sophisticated phishing kits that include features like real-time data capture, back-end databases for storing stolen information, and automated tools for creating fake payment card images for easy mobile wallet enrollment.

This resurgence of carding through mobile wallets has resulted in significant financial losses, highlighting the need for enhanced security measures in mobile wallet provisioning and payment systems.

Special Thanks to Justin Butterfield for contributing some of the interesting stories for this week’s cyber bites.

* Chinese AI App DeepSeek Banned From Australian Government Devices

* OpenAI Data Breach Alleged: 20 Million Logins Reportedly Stolen

* Apple Removes Apps Infected with "SparkCat" Malware

* Australian Healthcare Sector Hardest Hit by Cyberattacks: Report

* Securing the No-Code SDLC: A New Approach Needed

Chinese AI App DeepSeek Banned From Australian Government Devices

https://www.sbs.com.au/news/article/chinese-ai-app-deepseek-banned-on-all-australian-government-devices/lm9udv4et

The Australian government has banned the use of the Chinese AI chatbot DeepSeek on all government-issued devices, citing national security concerns. This decision, effective immediately, follows warnings from intelligence agencies about the potential risks associated with the app.

The ban comes amidst growing global concerns about the security and privacy implications of AI technologies developed in China.

While the ban applies only to government entities, the government has urged Australians to be mindful of how their data is used online. This move follows a similar ban on the Chinese social media app TikTok earlier this year.

DeepSeek's rapid rise to prominence has sparked a global debate about the future of AI development and the potential for geopolitical competition in this emerging field.

OpenAI Data Breach Alleged: 20 Million Logins Reportedly Stolen

https://gbhackers.com/openai-data-breach/

A concerning claim has emerged on dark web forums, alleging the theft and subsequent sale of over 20 million OpenAI user login credentials.

The anonymous threat actor, who posted the claim, is offering the credentials for sale, raising serious concerns about the security of OpenAI's user data.

While the authenticity of this claim remains unconfirmed, the potential impact of such a breach is significant. OpenAI accounts are often used for critical tasks, including academic research, professional projects, and sensitive content generation.

OpenAI has not yet publicly addressed these claims. However, users are advised to take immediate precautions, such as changing passwords and enabling two-factor authentication, to protect their accounts.

This incident serves as a stark reminder of the ever-evolving cyber threat landscape and the importance of robust security measures for all online platforms, especially those handling sensitive user data.

Apple Removes Apps Infected with "SparkCat" Malware

https://www.macrumors.com/2025/02/06/apple-removed-screen-reading-malware-apps/

Apple has removed 11 iOS apps from the App Store after they were found to contain malicious code designed to steal sensitive information from users' devices.

Security firm Kaspersky discovered the malware, dubbed "SparkCat," which utilizes Optical Character Recognition (OCR) to scan user photos for sensitive data, such as cryptocurrency recovery phrases.

The malware targeted users in Europe and Asia, attempting to gain access to user photos and extract valuable information.

Apple also identified an additional 89 apps that had previously been rejected or removed from the App Store due to fraud concerns and found to contain similar malicious code.

This incident serves as a reminder for users to be cautious when downloading and installing apps from the App Store, particularly those from unknown developers. Apple recommends utilizing the App Privacy Report feature within the Settings app to monitor app access to sensitive data and avoid granting unnecessary permissions.

By taking these precautions and exercising caution when downloading apps, users can significantly reduce their risk of exposure to malware and other malicious threats.

Australian Healthcare Sector Hardest Hit by Cyberattacks

https://cybercx.com.au/resource/dfir-threat-report-2025/

https://www.smh.com.au/technology/healthcare-and-finance-the-hardest-hit-by-cyberattacks-20250205-p5l9ns.html

The Australian healthcare sector faced the brunt of cyberattacks in the past year, according to a new report from cybersecurity firm CyberCX.

The report revealed that healthcare accounted for 17% of all cyberattacks in Australia, followed by the financial services sector at 11%. The 2024 MediSecure data breach, impacting over 12 million Australians, stands as a stark reminder of the severity of these attacks.

The report highlights a concerning trend: a significant increase in the time it takes to detect cyber espionage incidents, now averaging over 400 days. This suggests that attackers are becoming more sophisticated and persistent, operating within networks for extended periods.

The report also emphasizes the growing prevalence of financially motivated attacks, with 65% of incidents driven by financial gain.

These findings underscore the critical need for enhanced cybersecurity measures across all sectors, particularly in healthcare and finance where sensitive data is highly valuable.

Securing the No-Code SDLC: A New Approach Needed

https://www.forbes.com/councils/forbestechcouncil/2025/02/10/securing-the-sdlc-for-no-code-environments/

Traditional software development relies heavily on a structured SDLC (Software Development Lifecycle) with security baked in at every stage. However, the rise of no-code development platforms has disrupted this model, presenting unique challenges for security teams.

No-code platforms, which empower citizen developers to create applications with minimal coding, often bypass crucial SDLC stages like planning, analysis, and design. This lack of structured oversight can lead to critical security vulnerabilities.

Traditional security measures, such as threat modeling and secure coding practices, are often impractical or inapplicable in the no-code environment.

To effectively secure no-code development, organizations must adapt their approach. This involves:

* Focusing on later stages: Shifting the focus towards later stages of the SDLC, such as implementation, testing, and maintenance, where security measures can be most effectively applied.

* Implementing real-time security detection: Integrating automated tools that can detect vulnerabilities in real-time within the no-code platform itself.

* Establishing robust testing and deployment policies: Mandating rigorous testing procedures and enforcing strict security checks before applications are deployed to production environments.

* Leveraging platform-level security: Advocating for no-code platforms to incorporate built-in security features, such as pre-configured secure connectors and automated compliance checks.

By adapting their approach and focusing on these key areas, organizations can empower citizen developers to innovate while ensuring the security and integrity of their no-code applications.

Special Thanks to Bradley Busch for contributing some of the interesting stories for this week’s cyber bites.