SANS NewsBites

Cryptocurrency Stolen in Zoom Social Engineering Campaign; Cursor AI Bot Hallucinates Company Policy; Scammers Claim to be FBI IC3

April 22, 2025  |  Volume XXVII - Issue #31

Top of the News


2025-04-21

Threat Actors Target Zoom's Remote Control Feature to Install Malware and Gain System Access

The Security Alliance (SEAL) has published a security advisory warning of a social engineering campaign targeting cryptocurrency users that has already led to significant thefts. The campaign hinges on luring a target onto a Zoom call and abusing Zoom's remote control feature to install infostealer or remote access Trojan (RAT) malware. The threat actor, dubbed "Elusive Comet," maintains a thoroughly established online presence, including social media accounts, to pose as Aureon Capital, a supposed venture capital firm, and its associated Aureon Press and "OnChain Podcast"; the attackers have also reportedly claimed to represent a "Bloomberg Crypto" interview. The threat actor invites the target, via X direct messages or email, to appear on a podcast over Zoom, balancing normalcy and urgency while scheduling. Once on the call, the threat actor prompts the victim to share their screen to present their work, then uses Zoom's remote control feature to request control of the victim's computer. "If the potential victim is not paying close attention, they may accidentally grant remote access, which allows ELUSIVE COMET to install their malware to the victim's device." SEAL provides indicators of compromise (IoCs), including known social media profiles, and urges users and organizations to disable Zoom's remote control request feature, which is enabled by default.

Editor's Note

This vulnerability is currently exploited using Zoom, but this idea will likely work with many different platforms. Remote meeting platforms do not usually prevent duplicate display names (names are often not unique). Users will likely only have their own intuition to flag suspect behaviour.

Johannes Ullrich

2025-04-19

Cursor AI Email Bot Invents Irksome Policy, Company Apologizes

The AI support chatbot for Cursor, an AI-powered code editor, appears to have invented a policy that upset some users enough to cancel their subscriptions. Last week, a developer using Cursor noticed that switching between devices immediately logged those devices out. The developer contacted Cursor support by email and received a reply from an 'agent' named Sam saying that the logouts were 'expected behavior' under a new company policy. However, the agent was a bot, and Cursor has no such policy. Cursor has apologized for the incident and says that 'any AI responses used for email support are now clearly labeled as such.' This is not the first time an AI has hallucinated a policy: in 2024, a Canadian tribunal rejected Air Canada's argument that 'the chatbot is a separate legal entity that is responsible for its own actions' and ordered Air Canada to honor a refund policy the company's AI chatbot had invented.

Editor's Note

More and more auto-response services are leveraging AI to provide an improved customer experience in an attempt to reduce reliance on humans. Unfortunately, AI hallucinations, which you may also see called confabulations, are a challenge, so you really need to monitor and train your responder carefully. Unlike the Air Canada issue from February 2024, Cursor acknowledged the issue and took steps to make amends. Even when labelling generated responses as such, particularly email or SMS responses which appear to come from an official company source, realize that users may miss the distinction, so you need a clear path to a human resource to resolve any issues.

Lee Neely

AI has created a new acronym: GIGMBAO or Garbage In Gets Magnified to Bad Advice Out. I'm pretty sure adding labels to customer advice that say 'AI created this, so use at your own risk' is not a winning business strategy.

John Pescatore

Not sure that is reason to cancel a subscription but different rules for different folks. Errors, hallucinations, confabulations, whatever we choose to call them will happen, that's a risk in using AI in its early days. That said, care must be given when using AI for customer facing operations. It's best to have a human monitor response and be transparent in labeling its use for that business function. Transparency will usually 'buy' a lot of good will, should something go wrong.

Curtis Dukes

2025-04-18

FBI Warning: Scammers Pretending to be IC3 are Revictimizing Fraud Victims

The FBI has published a public service announcement warning of scammers posing as FBI Internet Crime Complaint Center (IC3) employees. "Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams." The scammers contact people who have already lost money to fraud by phone, email, social media, or online forums. They then claim "to have recovered the victim's lost funds or offered to assist in recovering funds," but instead obtain the victims' account information and steal from them again.

Editor's Note

IC3 reminds us they will never make contact with users in this fashion and provides information for identifying or reporting such a scam. Local law enforcement or your local FBI office is well versed in scams such as these and can help determine if a contact is legitimate. Look them up for contact information; do not use the scammer-provided contact number, email, etc.

Lee Neely

The cunning of scammers never ceases to amaze. It's the perfect ruse to get a victim talking and gain access. We, as humans, typically trust law enforcement, especially if they call. The reality though, is that one should never grant anyone access to their account.

Curtis Dukes

IC3 does not come to you. You must go to it.

William Hugh Murray

The Rest of the Week's News


2025-04-21

Japan's Financial Services Agency Warns of Increase in Fraudulent Online Securities Transactions

Japan's Financial Services Agency (FSA) has published a warning regarding "a sharp increase in the number of cases of unauthorized access and unauthorized trading (trading by third parties) on Internet trading services using stolen customer information (login IDs, passwords, etc.) from fake websites (phishing sites) disguised as websites of real securities companies." Between February 1 and April 16 of this year, FSA recorded reports of 3,312 unauthorized accesses of securities firms resulting in 1,454 fraudulent transactions. In all, a dozen securities companies reported fraudulent transactions totaling $350 million in sales and $315 million in purchases.

Editor's Note

As a customer, keep a sharp eye on your credentials associated with your finances, both financial institutions and investments. Make sure these are unique and strong, and any MFA capabilities are enabled and required. Make sure you've implemented available transaction monitoring/alerting. If you're a broker or other financial services provider, verify your MFA is comprehensively applied and that you've got automated credential breach monitoring, in addition to existing transaction limits and monitoring. Verify alerts are properly logged and responded to.

Lee Neely

Digital watering holes have been around for decades. Even with periodic awareness training, we can still fall victim to this sort of attack. What's surprising though, is the relatively large number of unauthorized accesses and fraudulent transactions over such a short period of time. This speaks to a level of sophistication by the evildoers and a lapse in user awareness of mitigation strategies.

Curtis Dukes

Think strong authentication and out-of-band confirmation.

William Hugh Murray

2025-04-21

Critical Vulnerability in ASUS AiCloud Routers

ASUS has released firmware updates to address a critical authentication bypass flaw (CVE-2025-2492) affecting routers with the AiCloud remote access feature enabled. The "vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions." ASUS has released firmware updates for the 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 series. ASUS advises users who are unable to update right away to disable services that can be reached from the internet.

Editor's Note

AiCloud is a remote access service built into ASUS routers, enabling file sharing via USB devices connected to the router or on home networks. CVE-2025-2492, improper authentication control, CVSS score 9.2, can be triggered by an unauthenticated user. The fix is to both apply the firmware update and make sure that you're using strong, unique, passwords as well as limiting access to the admin interface. If you're on an EOL ASUS product, there is no update; you should replace it. Until you do, disable internet-facing services (AiCloud, WAN Internet access, port forwarding, DDNS, VPN Server, DMZ, port triggering, and FTP). Note to self, create a reminder, upon acquisition, to replace devices prior to EOL.

Lee Neely

Seems like authentication bypass flaws are a fruitful ground for attackers - which makes sense as slow adoption of phishing-resistant MFA is increasing. But putting a steel door and deadbolt lock on a door next to an open window is obviously not raising the security bar. The 2021 OWASP Top Ten Software Vulnerabilities list had dropped the priority of auth bypass flaws (under Identification and Authentication Failures) - I'm sure it will show up much higher in the coming 2025 Top Ten.

John Pescatore

2025-04-21

Cisco Updates Address Three Issues, Including High-Severity Webex Vulnerability

Cisco has published a security advisory disclosing a vulnerability in the Webex video/audio conferencing app on all operating systems, affecting versions 44.6 (fixed in release 44.6.2.30589) and 44.7 (fixed in release 44.8 and later); 44.5 and earlier are not vulnerable. CVE-2025-20236, CVSS score 8.8, is an insufficient input validation flaw in the custom URL parser that allows an unauthenticated remote attacker to execute arbitrary commands with the targeted user's privileges by persuading that user to click a crafted meeting invite link and download arbitrary files. Users must update to a fixed version, as there are no workarounds. At the same time, Cisco also released updates to address two medium-severity vulnerabilities: one in the web-based management interface of Cisco Secure Network Analytics, and a second in Cisco Nexus Dashboard.

Editor's Note

CVE-2025-20236, URL parser flaw, CVSS score 8.8, is another example of not validating input, reminding us that you need to do this comprehensively. If you're a Webex shop, you should have auto-updates set for the client. There are no workarounds, you need to update the client, regardless of configuration or OS. Consider that while version 44.6 has a fix, you really need to get to 44.8.

Lee Neely

2025-04-19

Florida Senate Will Vote on Bill Opening E2EE Upon Subpoena

Draft bill SB 868, "Social Media Use by Minors," has passed committee votes and will soon reach the Florida State Senate floor. It amends existing law to obligate social media platforms "to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," to open minor account holders' messages to their parents and guardians, and to prohibit minors' use of and access to disappearing message features. The Electronic Frontier Foundation urges senators to reject the bill, arguing, in concert with other advocates, that weakening encryption further endangers those the bill aims to protect. The bill follows similar legislative initiatives in the UK and EU to break end-to-end-encrypted communication on behalf of law enforcement.

Editor's Note

It's not clear if this bill can be technically implemented, let alone if the social media providers would be inclined to do so. Florida passed a bill last year restricting social media access for users under 16, which is still having its constitutionality under review in the courts. The EFF notes that there are other forensic approaches which can be used without requiring decryption or weakened security. Sadly, until we get legal precedent, initiatives such as this will continue to arise.

Lee Neely

The bill is another attempt to weaken E2EE 'for the children'. The proposed measures only apply to accounts held by minors, but implementation would likely make the same measure available for all accounts. In addition to restricting E2EE, the bill also aims to limit the use of self-deleting messages and allow them to be recoverable. The unanimous vote for the bill is a testimony to a lack of technical competency among the Florida legislators and staff.

Johannes Ullrich

Digital media has been a gift to investigative efficiency. Instead of saying thank you, government continues to whine and demand more. One must be careful not to harm the goose that lays the golden egg.

William Hugh Murray

2025-04-18

Cybersec CEO Charged with Violating Oklahoma's Computer Crimes Act for Allegedly Putting Malware on Hospital Computer

Police in Oklahoma City have arrested Jeffrey Bowie, charging him with two counts of violating Oklahoma's Computer Crimes Act. Bowie, CEO of a cybersecurity firm in Oklahoma, allegedly deliberately placed malware on a computer at SSM Health's St. Anthony Hospital in August 2024. While Bowie maintained he needed to use the computer while a family member was undergoing surgery at the hospital, security camera footage showed him attempting to enter several offices in the hospital and using two computers, one of which was designated for employees only. A forensic investigation revealed "malware [on one of the computers that] was programmed to take screenshots every 20 seconds and transmit the images to an external IP address."
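A screenshot upload every 20 seconds to one external address is a textbook beacon: a fixed cadence of similar-sized connections to a single destination. The following is an added example, not code from the original item or from the hospital's investigation, showing how that cadence can be surfaced from ordinary connection logs by scoring how regular the inter-connection gaps are for each source/destination pair. The log format (ISO timestamp, source IP, destination IP, bytes sent), the addresses and every sample line are constructed for the demo; adapt the parser to whatever your firewall or EDR actually exports.

```python
"""Periodic-beacon detection over connection logs.

Added example, not from the original newsletter item or the hospital's
investigation. Log format (ISO timestamp, source IP, destination IP,
bytes sent) and all sample lines are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample: 10.20.30.41 pushes a screenshot-sized upload to
# 203.0.113.77 every ~20 s with slight jitter, while its traffic to an
# internal file server and to a public web host is irregular. Lines are
# deliberately not in time order, as a merged export often is not.
SAMPLE_LOG = """\
2024-08-06T14:00:00 10.20.30.41 203.0.113.77 184320
2024-08-06T14:00:03 10.20.30.41 10.20.5.10 2048
2024-08-06T14:00:02 10.20.30.41 198.51.100.9 700
2024-08-06T14:00:07 10.20.30.41 198.51.100.9 1500
2024-08-06T14:00:09 10.20.30.41 10.20.5.10 4096
2024-08-06T14:00:20 10.20.30.41 203.0.113.77 190114
2024-08-06T14:00:41 10.20.30.41 203.0.113.77 182901
2024-08-06T14:00:45 10.20.30.41 10.20.5.10 512
2024-08-06T14:00:58 10.20.30.41 198.51.100.9 300
2024-08-06T14:01:00 10.20.30.41 203.0.113.77 187755
2024-08-06T14:01:03 10.20.30.41 198.51.100.9 900
2024-08-06T14:01:20 10.20.30.41 203.0.113.77 181100
2024-08-06T14:01:30 10.20.30.41 10.20.5.10 8192
2024-08-06T14:01:39 10.20.30.41 198.51.100.9 450
2024-08-06T14:01:41 10.20.30.41 203.0.113.77 189040
"""

# Explicit RFC 1918 list on purpose: ipaddress's is_private also treats the
# documentation ranges used above (203.0.113.0/24, 198.51.100.0/24) as
# private, which would hide the beacon in this demo.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls in RFC 1918 space."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text: str) -> dict:
    """Group (timestamp, bytes) events by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def detect_beacons(text: str, min_events: int = 5, max_cv: float = 0.15) -> list:
    """Flag pairs to non-RFC1918 destinations whose inter-connection gaps
    are near-constant. The coefficient of variation (stdev / mean) of the
    gaps is the regularity score: 0 is a perfect clock; human-driven
    traffic is usually well above 0.5. Returns hits sorted by that score."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if is_internal(dst) or len(events) < min_events:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "period_s": round(avg_gap, 1),
                "cv": round(cv, 3),
                "avg_bytes": round(mean([n for _, n in events])),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only the 203.0.113.77 pair is reported, with a period of about 20 seconds and a coefficient of variation under 0.05; the browsing-like traffic to 198.51.100.9 scores above 0.8 and is ignored. Real implants add jitter, so keep the threshold loose and pair this with a check on payload size consistency and on destination reputation rather than treating regularity alone as proof.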

Editor's Note

Note that the hospital was able to detect the malware in real-time, shut it down and launch an investigation. Beyond EDR, having external/environment monitoring, such as security cameras, is valuable for investigations. Validate where and how long this data is stored, as well as ensuring access is available when needed. Walk through protections on common area and office computers to understand the mitigations from an unauthorized user attempting to use them, adjusting where needed.

Lee Neely

While Mr. Bowie should be prosecuted under the full weight of the law, it also speaks to the state of security at the hospital. The assumption being that the account on the computer was left logged on and accessible by anyone that wandered by. While this was a near miss for the hospital, simply designating a computer for 'employee use only' is not sufficient to pass any cybersecurity audit.

Curtis Dukes

2025-04-21

Healthcare Brief: Guam Hospital Pays Fine for HIPAA Violations; Lab Sues Managed Service Provider; Change Healthcare Faces Another Class Action Lawsuit

The US Department of Health and Human Services' Office for Civil Rights has reached a settlement with Guam Memorial Hospital Authority (GMHA) over a 2018 ransomware incident that affected the personal information of 5,000 people and a subsequent discovery that, in March 2023, former employees accessed the hospital's network after they were no longer employed there. GMHA will pay a fine of $25,000. Molecular Testing Labs (MTL) in Vancouver, Washington, is suing managed service provider and business associate Ntirety for failing to abide by the business associate agreement, including failure to implement HIPAA safeguards. MTL learned in mid-March that patient data had been compromised through a cyberattack against Ntirety. Fairview Health Services in Minnesota has filed a class action lawsuit against Change Healthcare over the latter's 2024 ransomware attack. The lawsuit seeks to recover $7 million in losses, much of which was incurred as a result of being unable to bill for anesthesia services.

Editor's Note

There is no get-out-of-jail-free card for HIPAA violations/breaches. Beyond any HHS penalty is a requirement to implement a risk analysis and corrective action plan, which will be monitored by HHS, likely being more expensive than the fine. Beyond HHS actions, lawsuits are becoming more common, so you not only need to assess and manage your risks but also include your legal team in your incident response plan to ensure your actions are defendable in court.

Lee Neely

While it is important to understand the causes and contributions to breaches, we have been punishing the victims for almost a generation while the problem only gets worse. When something does not work, do something different rather than simply doing harder that which is not working. Perhaps more carrots, fewer sticks?

William Hugh Murray

2025-04-21

Microsoft Secure Future Initiative Progress Report

Microsoft's most recent Secure Future Initiative (SFI) Progress Report details steps the company has taken toward "improv[ing] the security posture of Microsoft, [their] customers, and the industry at large." Of the 28 objectives identified at SFI's outset nearly a year and a half ago, five are nearly complete and significant progress has been made on 11 more. The accomplishments recognized in the report include the launch of a Secure by Design Toolkit for Microsoft developers that has been deployed to 22,000 employees; phishing-resistant multi-factor authentication in use on 92 percent of employee productivity accounts and 100 percent of production system accounts; and "90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated using one standard identity SDK."

Editor's Note

A lot of strong progress discussed in some critical areas. Since SANS' core belief is that a well-managed, highly skilled security staff leading to security operations excellence is the most efficient and effective path to risk avoidance and reduction, I'll focus on the 'Security-First Culture' progress: 'Every Microsoft employee now has a Security Core Priority tied directly to performance reviews. 50,000 employees have participated in the Microsoft Security Academy to improve their security skills. 99% of employees have completed our Security Foundations and Trust Code courses.' Good to see, my only quibble: 50,000 trained employees is about 25% of Microsoft's staff - room to improve there.

John Pescatore

Most of the protections they are implementing are a good idea in most shops, including both technical and training activities. Make sure that you're implementing the latest security protections in Azure, not just MFA, but also dormant/idle account management, detection and response. Ask how often you are checking for updated security best practices from your service providers, as well as the process for implementing and validating them. Offer to assist with any roadblocks.

Lee Neely

This report is more about effort than results. It is about features and functions rather than the quality of their code, the real security problem for Microsoft's customers. A useful metric of code quality is the rate of patches and that shows no sign of going down.

William Hugh Murray

Internet Storm Center Tech Corner

SANS Internet Storm Center StormCast Tuesday, April 22, 2025

Phishing via Google; ChatGPT Fingerprint; Asus AI Cloud Vuln; PyTorch RCE

https://isc.sans.edu/podcastdetail/9418

It's 2025, so why are malicious advertising URLs still going strong?

Phishing attacks continue to take advantage of Google's advertising services. Sadly, this is still the case for obviously malicious links, even after various anti-phishing services flag the URL.

https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880

ChatGPT Fingerprinting Documents via Unicode

ChatGPT apparently started leaving fingerprints in the text it generates by inserting invisible Unicode characters such as non-breaking spaces.

https://www.rumidocs.com/newsroom/new-chatgpt-models-seem-to-leave-watermarks-on-text
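Whether or not a given model does this on purpose, the practical question for a reviewer is the same: does this text contain characters that render as nothing? The following is an added example, not code from the original page or from the linked report. Its rule is general (flag any Unicode format character, category Cf, and any space separator other than ASCII U+0020) and makes no claim about which code points any particular model inserts; the sample sentence is constructed, not model output.

```python
"""Detect and strip invisible Unicode characters that can fingerprint text.

Added example, not code from the original page or from the linked report.
The rule is general: any 'Cf' (format) character, and any 'Zs' (space
separator) other than the ASCII space, is reported. The sample text is
constructed, not model output.
"""
import unicodedata
from collections import Counter


def _is_suspicious(ch: str) -> bool:
    cat = unicodedata.category(ch)
    # Cf covers zero-width space/joiners, word joiner, BOM, soft hyphen and
    # the bidi overrides; Zs other than U+0020 covers NBSP and narrow NBSP.
    return cat == "Cf" or (cat == "Zs" and ch != " ")


def find_invisible(text: str) -> list:
    """Return (offset, 'U+XXXX', Unicode name) for each suspicious character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if _is_suspicious(ch)
    ]


def summarize(text: str) -> dict:
    """Counts per character name: one stray NBSP is normal typography, the
    same marker repeated through a document is a signal."""
    return dict(Counter(name for _, _, name in find_invisible(text)))


def scrub(text: str) -> str:
    """Normalise: drop format characters, map every space separator to ' '."""
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue
        out.append(" " if cat == "Zs" else ch)
    return "".join(out)


# Constructed sample: narrow NBSP, zero-width space and NBSP planted in an
# ordinary sentence.
SAMPLE = "The quick\u202fbrown fox\u200b jumps over the lazy\u00a0dog."

if __name__ == "__main__":
    for hit in find_invisible(SAMPLE):
        print(hit)
    print(summarize(SAMPLE))
    print(repr(scrub(SAMPLE)))
```

Treat the hits as a signal rather than proof: French and German typography legitimately use non-breaking spaces, and copy-pasted web content often carries a few. The Cf class also catches the bidi override characters (U+202E and friends) used in "Trojan Source" style attacks, so the same scan is worth running on code submissions, not just prose.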

Asus AI Cloud Security Advisory

Asus warns of a critical authentication bypass vulnerability (CVE-2025-2492) in its routers, related to the AiCloud feature. If your router is EoL, disabling the feature will mitigate the vulnerability.

https://www.asus.com/content/asus-product-security-advisory/

PyTorch Vulnerability

PyTorch fixed a remote code execution vulnerability exploitable if a malicious model was loaded. The issue was exploitable even with the "weights_only=True" setting selected.

https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6
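Model checkpoints loaded with torch.load go through Python's pickle protocol, and pickle will call whatever callable the file names. The following added example (not PyTorch's code, and not the bypass fixed in the advisory above) shows with the standard-library pickle module what a weights_only-style restricted loader is meant to enforce: a booby-trapped object runs its payload under a plain load and is refused before anything executes under an allow-listed unpickler. The allow-list, the names MaliciousModel and _side_effect, and the sample state dict are constructed for the demo.

```python
"""What a weights_only-style restricted loader is meant to enforce.

Added example: this is not PyTorch's code and does not reproduce the
bypass fixed in the advisory above. torch.load is built on the same
pickle protocol, so the mechanism is the same; the allow-list below and
the names MaliciousModel/_side_effect are constructed for the demo.
"""
import io
import pickle
from collections import OrderedDict

# Records that a payload ran. A real payload would spawn a shell or fetch
# a second stage; a list append is enough to show the timing.
EXECUTED = []


def _side_effect(tag: str) -> str:
    EXECUTED.append(tag)
    return tag


class MaliciousModel:
    """Any pickled object can supply __reduce__; the unpickler calls the
    returned callable while loading, before the caller sees any object."""

    def __reduce__(self):
        return (_side_effect, ("payload-ran",))


# Globals a tensor-only checkpoint legitimately needs. Anything else
# (os.system, subprocess.Popen, builtins.eval, ...) is refused.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "str"), ("builtins", "bytes"),
}


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup not on the allow-list.
    find_class runs when the opcode is read, so a forbidden callable is
    rejected before REDUCE could invoke it."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unsafe_load(blob: bytes):
    """Plain pickle.loads: executes whatever the file names."""
    return pickle.loads(blob)


def safe_load(blob: bytes):
    """Allow-listed load: only the globals in SAFE_GLOBALS can be resolved."""
    return WeightsOnlyUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Load a benign state dict and a booby-trapped one through both paths."""
    benign = pickle.dumps(OrderedDict([("fc.weight", [0.1, -0.2]), ("fc.bias", [0.0])]))
    malicious = pickle.dumps(MaliciousModel())
    results = {"benign_safe": safe_load(benign)}

    ran_before = len(EXECUTED)
    try:
        safe_load(malicious)
        results["malicious_safe"] = "loaded"
    except pickle.UnpicklingError:
        results["malicious_safe"] = "blocked"
    results["safe_path_ran_payload"] = len(EXECUTED) > ran_before

    ran_before = len(EXECUTED)
    unsafe_load(malicious)
    results["unsafe_path_ran_payload"] = len(EXECUTED) > ran_before
    return results


if __name__ == "__main__":
    print(demo())
```

The advisory is a reminder that an allow-list of this style is only as good as its completeness and the unpickler's handling of every opcode path; PyTorch's real list is far longer than the one above and still had a hole. Treat weights_only as defence in depth: prefer checkpoint formats that never touch pickle (safetensors), keep PyTorch current, and only load checkpoints from sources you already trust.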

SANS Internet Storm Center StormCast Monday, April 21, 2025

MSFT Entra Lockouts; Erlang/OTP SSH Exploit; SonicWall Exploit; bubble.io bug

https://isc.sans.edu/podcastdetail/9416

Microsoft Entra User Lockout

Multiple organizations reported widespread alerts and account lockouts this weekend from Microsoft Entra. The issue is caused by a new feature Microsoft enabled. This feature will lock accounts if Microsoft believes that the password for the account was compromised.

https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/

https://learn.microsoft.com/en-us/entra/identity/authentication/feature-availability

Erlang/OTP SSH Exploit

An exploit was published for the Erlang/OTP SSH vulnerability. The vulnerability is easy to exploit, and the exploit and a Metasploit module allow for easy remote code execution.

https://github.com/exa-offsec/ssh_erlangotp_rce/blob/main/ssh_erlangotp_rce.rb

SonicWall Exploited

An older command injection vulnerability is now being exploited on SonicWall devices after initial access is gained by brute-forcing credentials.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

Unpatched Vulnerability in Bubble.io

An unpatched vulnerability in the no-code platform bubble.io can be used to access any project hosted on the site.

https://github.com/demon-i386/pop_n_bubble