A new ransomware as a service group fills the void created by law enforcement takedowns. An automated tool to breach VPNs. The backup for your WordPress system could be compromised. A surge in toll payment scams. Critical vulnerabilities in Microsoft's Remote Desktop. And DOGE employees send Treasury data by email without encryption. This is Cybersecurity Today.
I'm your host, Jim Love. The Black Basta ransomware group has developed an automated brute force framework dubbed BRUTED to infiltrate edge networking devices such as firewalls and virtual private networks, or VPNs. This tool streamlines their initial network access, enabling more efficient ransomware attacks on vulnerable internet-exposed endpoints.
BRUTED has been in operation since 2023, conducting large scale credential stuffing and brute force attacks on various VPN and remote access products, including SonicWall's NetExtender, Palo Alto's GlobalProtect, Cisco's AnyConnect, Fortinet's SSL VPN, Citrix's NetScaler, Microsoft's RD Web and WatchGuard's SSL VPN. The framework identifies publicly accessible devices by enumerating subdomains, resolving IP addresses, and appending prefixes like "vpn" or "remote".
It retrieves password candidates from a remote server and combines them with locally generated guesses to execute numerous authentication requests simultaneously. To evade detection, BRUTED utilizes a list of SOCKS5 proxies, masking the attacker's infrastructure behind an intermediate layer. The primary infrastructure is located in Russia and is registered under Proton66.
Organizations can defend against brute force attacks by implementing measures like strong, unique passwords, multifactor authentication, monitoring authentication attempts, implementing rate limiting and account lockout policies, and applying security updates promptly.
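The following is an added illustration, not part of the podcast and not code from Black Basta or from any of the vendors named above. It shows what "monitoring authentication attempts" can look like in practice against the traffic pattern just described: a sliding window over failed VPN logins that flags a single noisy source (rate limit), a single hammered account (lockout candidate), and the harder case where every proxy exit stays under the per-source threshold but the fleet as a whole is spraying many accounts. The log line format, thresholds, hostnames and IP addresses are all assumptions constructed for the example.

```python
"""Sliding-window brute-force / credential-stuffing detector (illustrative, not vendor code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line format (constructed for this example, not any vendor's real syslog):
#   <ISO timestamp> vpn auth <success|failure> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)
PER_IP_THRESHOLD = 10   # failures from one source in WINDOW -> rate-limit / block that source
PER_USER_THRESHOLD = 5  # failures against one account in WINDOW -> lockout candidate
SPRAY_MIN_IPS = 5       # distinct sources ...
SPRAY_MIN_USERS = 8     # ... against distinct accounts in WINDOW -> proxied spraying


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


class BruteForceDetector:
    """Sliding-window counters over failed logins, keyed by source and by account.

    Per-source and per-account thresholds catch a single noisy client; the
    distributed check catches a proxy fleet whose members each stay under the
    per-source threshold while collectively spraying many accounts.
    """

    def __init__(self, window=WINDOW):
        self.window = window
        self.by_ip = defaultdict(deque)    # src -> timestamps of recent failures
        self.by_user = defaultdict(deque)  # user -> timestamps of recent failures
        self.recent = deque()              # (ts, src, user) of all recent failures
        self.spray_alerted = False
        self.alerts = []

    def feed(self, event):
        """Ingest one parsed event; return the alerts this event triggers."""
        raised = []
        if event is None or event["result"] != "failure":
            return raised
        now, ip, user = event["ts"], event["src"], event["user"]
        cutoff = now - self.window

        self.by_ip[ip].append(now)
        self.by_user[user].append(now)
        self.recent.append((now, ip, user))
        for q in (self.by_ip[ip], self.by_user[user]):
            while q and q[0] < cutoff:
                q.popleft()
        while self.recent and self.recent[0][0] < cutoff:
            self.recent.popleft()

        # Fire once as each threshold is crossed, not on every later failure.
        if len(self.by_ip[ip]) == PER_IP_THRESHOLD:
            raised.append(("rate_limit_source", ip))
        if len(self.by_user[user]) == PER_USER_THRESHOLD:
            raised.append(("lockout_account", user))
        ips = {r[1] for r in self.recent}
        users = {r[2] for r in self.recent}
        if (not self.spray_alerted and len(ips) >= SPRAY_MIN_IPS
                and len(users) >= SPRAY_MIN_USERS):
            raised.append(("distributed_spray", (len(ips), len(users))))
            self.spray_alerted = True
        self.alerts.extend(raised)
        return raised


def analyze(lines):
    """Run the detector over an iterable of log lines and return all alerts raised."""
    det = BruteForceDetector()
    for line in lines:
        det.feed(parse_line(line))
    return det.alerts


def build_sample_log():
    """Constructed sample log: one noisy client, then a low-and-slow proxied spray."""
    base = datetime(2025, 3, 14, 9, 0, 0)
    fmt = "{ts} vpn auth {res} user={user} src={src}"
    lines = [fmt.format(ts=base.isoformat(), res="success", user="alice", src="192.0.2.7")]
    # Phase 1: a single source hammers one account (12 failures in under a minute).
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(fmt.format(ts=ts, res="failure", user="jsmith", src="203.0.113.10"))
    # Phase 2, ten minutes later so phase 1 has aged out of the window: six proxy
    # exits each try two accounts once, staying under both per-key thresholds.
    start = base + timedelta(minutes=10)
    pairs = [(i, j) for i in range(6) for j in (2 * i % 9, (2 * i + 1) % 9)]
    for n, (i, j) in enumerate(pairs):
        ts = (start + timedelta(seconds=n)).isoformat()
        lines.append(fmt.format(ts=ts, res="failure",
                                user=f"vpn_user{j:02d}", src=f"198.51.100.{i + 1}"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for kind, detail in analyze(build_sample_log()):
        print(kind, detail)
```

Running it prints the lockout for jsmith, the rate-limit for 203.0.113.10, and then a distributed-spray alert for the proxied phase, which neither per-key counter ever fires on. In a real deployment the counters would live in whatever holds your auth logs (SIEM rule, WAF, or the VPN appliance's own policy), and the interesting tuning knob is the last one: legitimate users never look like five sources hitting eight accounts inside five minutes, so that rule can be tight while the per-account lockout stays loose enough that an attacker cannot weaponize it to lock out your staff.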
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, CISA, have issued an urgent advisory warning users of popular email services, including Gmail and Outlook, about the Medusa ransomware. Active since 2021, Medusa has compromised over 300 organizations across critical sectors such as healthcare, education, legal, insurance, technology, and manufacturing. Medusa operates on a double extortion model.
It encrypts victims' data and threatens to publicly release it unless a ransom is paid. The group primarily gains access through phishing emails and exploiting unpatched software vulnerabilities. Notably, Medusa maintains a data leak site listing victims with countdowns to data release, offering to delay the timer for a $10,000 cryptocurrency payment.
To mitigate the risk of ransomware attacks like Medusa, the FBI and CISA recommend multifactor authentication, regularly updating systems, and maintaining secure backups. The FBI and CISA both advise against paying ransoms, as payment does not guarantee the recovery of files and may encourage further criminal activity. Victims are urged, however, to report ransomware incidents to the FBI or CISA promptly. A significant security vulnerability has been identified in the UpdraftPlus plugin.
It's a widely used backup plugin for WordPress websites. This flaw potentially allows unauthorized users to access sensitive backup files, posing substantial risks to affected sites. The vulnerability stems from inadequate access controls within the plugin, enabling users with lower privileges to download backup files that should be restricted to administrators.
These backups may contain critical information, including database credentials and user data, which could be exploited by malicious actors. UpdraftPlus boasts over 3 million active installations, making this security flaw particularly concerning due to its extensive reach across WordPress sites globally. It has been reported that the issue will not affect sites until they've been restored using a backup with the plugin.
So don't restore even test versions of sites until you've dealt with this issue. To protect your website from potential exploitation, update the plugin, review user permissions, and monitor your site's activity. Keep an eye on your site's logs for unusual activity that could indicate attempted exploitation. As an aside, this is probably a good step to take with any WordPress site, regardless of whether it's for this particular exploit or not.
The Federal Bureau of Investigation has reported a significant increase in complaints related to toll payment scams, with over 2,000 incidents recorded in a single month. The fraudulent messages are tailored to appear as if they originate from legitimate toll agencies, enhancing their credibility. Several toll agencies and state authorities have issued warnings to alert drivers. The Illinois Tollway advises that it doesn't send unsolicited text messages requesting payment.
The Toll Roads in California warns customers to disregard phishing texts detailing specific outstanding toll amounts or notices of toll evasion. To safeguard against these scams, the FBI and FTC both recommend that you do not click on links and that you verify any text requests through official channels. You can use your phone's report junk feature or forward the message to 7726 (SPAM). But this will have limited impact on the spammers, because they just change the numbers.
But the recommendation is that you don't respond, even with the classic STOP message. This only lets the scammers know that you are a valid number. While this is the latest scam to exploit text messaging, it's only one of many. For our corporate listeners, if you don't have a specific communications program regarding safe use of text messaging, it may be time to add this to your anti-phishing training.
Microsoft's March 2025 security update has addressed two critical remote code execution vulnerabilities in Windows Remote Desktop Services, or RDS, identified as CVE-2025-24035 and CVE-2025-24045. Both vulnerabilities have been assigned a CVSS v3 score of 8.1, indicating a high severity level. CVE-2025-24035 is a vulnerability that arises from sensitive data being stored in improperly locked memory within RDS.
Exploitation could allow an unauthorized attacker to execute arbitrary code over a network, potentially leading to a complete system compromise. CVE-2025-24045 is a flaw that involves a race condition within RDS. An attacker who successfully exploits this vulnerability could execute code remotely, compromising system confidentiality, integrity, and availability.
These vulnerabilities impact multiple versions of Windows servers and desktops, making it imperative for organizations to assess their systems and apply the necessary patches promptly to protect against potential exploitation. In addition to applying the patches, organizations are advised to implement best practices for securing RDS, such as enabling Network Level Authentication, restricting RDP access through firewalls, and utilizing strong authentication mechanisms.
And of course, it is crucial to apply the security patches provided by Microsoft in the March 2025 update. Organizations should prioritize these updates to safeguard their systems against unauthorized access and potential attacks. Only one problem with this. Once again, Microsoft's updates have been a cluster. I won't use that technical term, but let's just say there have been huge problems reported with the latest update.
So we have updates available, announcements of these vulnerabilities, and articles that say you might want to wait to do updates until they get it right. This is a recipe for disaster. No sysadmin in this world wants to report, "I kept you safe by ensuring no one could use their computer." Microsoft is a huge organization, capable of immense technical feats. Couldn't one of them be getting their security updates out so they don't crash computers? Just a thought.
And for those of you who know how old I am, there was a TV show with a character called Gomer Pyle, whose famous line was "Surprise, surprise, surprise." Well. Court documents reveal that Marko Elez, a staff member of the Department of Government Efficiency, DOGE, breached Treasury Department protocols by emailing unencrypted personal information to officials at the General Services Administration. The spreadsheet contained names, transaction types, and monetary amounts. It did, in fairness, exclude sensitive identifiers like Social Security numbers.
Now, prior to his role at DOGE, Elez was employed by companies associated with Elon Musk, including X and SpaceX. He resigned from DOGE in early February following the emergence of racist social media posts linked to him, but he was subsequently rehired by the Social Security Administration. And Elez was mistakenly granted read and write access to Treasury systems, a privilege that should have been restricted.
So the question you have to ask is, what other security protocols have been violated by these junior IT jockeys? We may find out more, as 19 attorneys general have filed a lawsuit accusing DOGE of compromising the integrity of federal payment systems. The lawsuit alleges that unauthorized access could lead to misuse of information and undermines established protocols designed to protect citizen data.
Now, anyone out there up for bets that every nation state opposed to the US, from North Korea and China to the Russians and more, didn't know who these kids were and hadn't tried to compromise them, or at least monitor them? I don't think for a second that these kids could beat these security services even if they were at their best, but sending plain text emails just proves they're not only inexperienced, they're sloppy, which makes it so much easier. And that's our show for today.
You can reach me at [email protected]. Thanks to our donors, we are on our way to being self-sustaining. You can still help out at buymeacoffee.com/podcast. I'm your host, Jim Love. Thanks for listening.