#AxisOfEasy 388: Russian Hackers Exploit Signal’s Device-Linking Feature To Spy On Military And Civilian Communications


Weekly Axis Of Easy #388


Last Week’s Quote was: "My experience is that average scientists will tell you what they know. Extraordinary scientists tell you what they don't know," was by Perry Marshall. Lots of guesses but no one got it.

This Week’s Quote:  "As a well-spent day brings happy sleep, so a life well spent brings happy death." By ???

THE RULES:  No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of February 17th, 2025, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the 'net and how it affects your business, security and privacy.

To listen to or watch this podcast edition, with commentary and insight from Joey and Len the Legend, click here.


In this issue: 

  • Russian Hackers Exploit Signal's Device-Linking Feature to Spy on Military and Civilian Communications
  • New XCSSET Malware Variant Targets macOS Developers With Advanced Persistence and Obfuscation Techniques
  • North Korean Cyber Group Kimsuky Escalates Stealth Attacks With Dropbox and PowerShell
  • Chinese Programmer Burns $1.65M in Ethereum, Donates $5.35M Amid Allegations Against Hedge Fund Executives
  • Google’s Fingerprinting Policy Sparks Privacy Backlash and Regulatory Scrutiny


Elsewhere Online:

  • Compromised Military and Defense Accounts Threaten US Security
  • CISA Issues Urgent Warning on Palo Alto Firewall Vulnerability
  • Australian IVF Clinic Genea Reports Data Breach
  • New Snake Keylogger Variant Hits Millions Via Phishing and Scripting
  • X Disputes German Court Order for User Data Before Election

Russian Hackers Exploit Signal's Device-Linking Feature to Spy on Military and Civilian Communications

Russian-aligned threat actors, among them UNC5792, UNC4221 (UAC-0185), Sandworm (APT44), Turla, and UNC1151, are abusing Signal's legitimate "linked devices" feature, according to Google's Threat Intelligence Group. No flaw in the protocol is involved: when a victim scans an attacker-generated linking QR code, the attacker's Signal instance is added as a linked device on the victim's account and receives the victim's messages in real time. UNC5792 distributes malicious QR codes disguised as Signal group invites, security alerts, or device pairing instructions, hosted on infrastructure mimicking Signal's own servers. UNC4221 targets Ukrainian military personnel with a phishing kit resembling Kropyva, Ukraine's artillery guidance app. PINPOINT, a lightweight JavaScript payload, collects basic user information and geolocation data from victims who open the phishing pages. Where the actors already have a foothold on a victim's machine, Sandworm uses WAVESIGN, a Windows batch script, to exfiltrate Signal messages; Turla uses a lightweight PowerShell script; and UNC1151 copies Signal Desktop message files out with Robocopy.
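As an added illustration of why the disguise works (example code written for this briefing, not from Google's report or from Signal): a QR code is only text, and a device-linking code is a URI whose scheme and query parameters identify it before anyone scans it. The URI shapes used below (sgnl://linkdevice?uuid=...&pub_key=... for device linking, https://signal.group/#... for group invites, https://signal.me/#p/... for contact links) are assumed from Signal's open-source clients, and the uuid and key values are placeholders. The classifier takes the decoded text of a QR code and reports whether it would link a device, which is the one thing a message calling itself an "invite" or a "security alert" should never be allowed to do.

```python
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# Constructed sample payloads (not real campaign artifacts): the decoded text of
# four QR codes as a scanner would hand it back.  The link-device URI shape is
# assumed from Signal's open-source clients; uuid and pub_key are placeholders.
SAMPLES = {
    "group_invite": "https://signal.group/#CjQKIEXAMPLEGROUPINVITETOKEN",
    "contact_link": "https://signal.me/#p/+15555550100",
    "link_device": "sgnl://linkdevice?uuid=AAAAAAAAAAAAAAAAAAAAAA"
                   "&pub_key=BQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "lookalike_invite": "https://signal-group.example/#CjQKIEXAMPLEGROUPINVITETOKEN",
}


def classify_qr_payload(text: str) -> str:
    """Classify decoded QR text as 'group-invite', 'contact-link', 'LINK-DEVICE' or 'unknown'.

    A device-linking URI carries the public key of the device that will be added
    to the account; whoever generated that key pair receives the account's messages.
    """
    parts = urlsplit(text.strip())          # urlsplit lowercases the scheme for us
    if parts.scheme == "sgnl" and parts.netloc.lower() == "linkdevice":
        query = parse_qs(parts.query)
        if "uuid" in query and "pub_key" in query:
            return "LINK-DEVICE"
        return "unknown"
    if parts.scheme == "https" and parts.netloc == "signal.group" and parts.fragment:
        return "group-invite"
    if parts.scheme == "https" and parts.netloc == "signal.me" and parts.fragment.startswith("p/"):
        return "contact-link"
    return "unknown"


def safe_to_scan_as_invite(text: str) -> bool:
    """Policy: only a genuine group invite or contact link may be scanned on the
    strength of a message; anything that would link a device, or that points at
    an unrecognised host, is refused."""
    return classify_qr_payload(text) in {"group-invite", "contact-link"}


def audit(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Classify every sample; returns {name: classification}."""
    return {name: classify_qr_payload(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18s} -> {verdict:12s} scan as invite: {safe_to_scan_as_invite(SAMPLES[name])}")
```

The point to operationalize: a linked device never needs to be added from a link in a message. Signal lists linked devices on the phone under Settings > Linked Devices; checking that list and removing anything unfamiliar is the direct remediation.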

Google's report follows Microsoft's attribution of spear-phishing attacks on WhatsApp users to Russia's Star Blizzard. Microsoft and Volexity also exposed Russian actors using device code phishing, with lures delivered over Signal, WhatsApp, and Microsoft Teams, to obtain access tokens for victims' accounts without ever capturing a password. Tactics extend beyond remote phishing to close-access operations in which the actor briefly has physical access to the device. Separately, a search engine optimization (SEO) poisoning campaign delivers malware disguised as downloads of Signal, LINE, Gmail, and Google Translate; the malware's pattern of temporary file extraction, process injection, security setting modifications, and network communications resembles the MicroClip infostealer. Google warns that these attacks signal a growing threat to secure messaging platforms, and that Russian-aligned actors are adapting their tactics across military, civilian, and digital communication targets.

Read: https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html


New XCSSET Malware Variant Targets macOS Developers With Advanced Persistence and Obfuscation Techniques

Microsoft has detected a new XCSSET variant targeting macOS developers, its first known update since 2022. First documented by Trend Micro in 2020, when it exploited two macOS zero-day vulnerabilities, XCSSET spreads through infected Xcode projects. The latest variant adds two persistence methods: it writes its payload to ~/.zshrc_aliases and appends a loader to ~/.zshrc so the payload runs whenever a new shell session starts, and it uses a downloaded copy of the dockutil utility to replace the Launchpad entry in the Dock with a fake application, so the malware runs each time Launchpad is started from the Dock. The variant plants its payload in a target Xcode project by one of three methods, named TARGET, RULE, and FORCED_STRATEGY, or embeds it in the TARGET_DEVICE_FAMILY key under the project's build settings for execution in a later build phase. Obfuscation has been strengthened: the payload generated inside each Xcode project is randomized, and module names are Base64-encoded, which makes signature-based detection harder. Earlier capabilities remain, including stealing digital wallet data, exfiltrating Notes app content, and collecting system information.

Microsoft Defender for Endpoint on Mac now detects the variant, but indicators of compromise, including file hashes, have not yet been published. Apple has not commented, even though its developer ecosystem is the malware's primary target. GitHub and similar repositories, where developers routinely share Xcode projects, are plausible distribution channels. To reduce the risk, developers should inspect any downloaded or cloned Xcode project, including its build settings, build phases and bundled scripts, before building it. Further details, including indicators of compromise, are expected in an upcoming Microsoft blog post.
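Two of the changes described above leave artifacts a developer can check for without waiting for the hashes. The script below is an added example written for this briefing (not Microsoft's detection logic, and not code from the malware): it looks for an uncommented reference to a .zshrc_aliases file in a zsh startup file, and for any project.pbxproj whose TARGET_DEVICE_FAMILY setting holds anything other than the comma-separated device family numbers Xcode writes there. The exact shape of the ~/.zshrc loader line is assumed, and the samples are constructed, inert stand-ins rather than real XCSSET artifacts.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Xcode only ever writes a comma-separated list of device family numbers here,
# e.g.  TARGET_DEVICE_FAMILY = "1,2";  or  TARGET_DEVICE_FAMILY = 1;
_TDF_OK = re.compile(r'^\s*TARGET_DEVICE_FAMILY\s*=\s*("[0-9,]+"|[0-9,]+)\s*;\s*$')


def suspicious_build_settings(pbxproj_text: str) -> list[str]:
    """Lines that assign TARGET_DEVICE_FAMILY anything other than a device list."""
    return [line for line in pbxproj_text.splitlines()
            if "TARGET_DEVICE_FAMILY" in line and not _TDF_OK.match(line)]


def zshrc_loads_aliases_file(zshrc_text: str) -> bool:
    """True if an uncommented line of a zsh startup file references .zshrc_aliases,
    a file nothing in a stock macOS install creates."""
    for line in zshrc_text.splitlines():
        code = line.split("#", 1)[0]            # ignore trailing comments
        if ".zshrc_aliases" in code:
            return True
    return False


def scan_projects(root: Path) -> dict[str, list[str]]:
    """Map every project.pbxproj below root to its suspicious lines ([] if clean)."""
    return {p.relative_to(root).as_posix(): suspicious_build_settings(p.read_text(errors="replace"))
            for p in root.rglob("project.pbxproj")}


def check_live_zshrc() -> bool:
    """Run the zshrc check against the current user's ~/.zshrc (False if absent)."""
    rc = Path.home() / ".zshrc"
    return zshrc_loads_aliases_file(rc.read_text(errors="replace")) if rc.is_file() else False


# Constructed samples for the demo (not real XCSSET artifacts): the loader line's
# shape is assumed, and the "payload" is an inert shell expansion nothing here runs.
CLEAN_ZSHRC = 'export PATH="$HOME/bin:$PATH"\nalias ll="ls -la"\n'
INFECTED_ZSHRC = 'alias ll="ls -la"\n[ -f ~/.zshrc_aliases ] && . ~/.zshrc_aliases\n'
CLEAN_PBXPROJ = '\t\t\t\tTARGET_DEVICE_FAMILY = "1,2";\n\t\t\t\tSWIFT_VERSION = 5.0;\n'
INFECTED_PBXPROJ = '\t\t\t\tTARGET_DEVICE_FAMILY = "1,2 $(/bin/sh -c id)";\n'


def demo() -> dict[str, object]:
    """Write the samples into a temp dir and run both checks over them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("Clean.xcodeproj", CLEAN_PBXPROJ), ("Infected.xcodeproj", INFECTED_PBXPROJ)):
            (root / name).mkdir()
            (root / name / "project.pbxproj").write_text(body)
        projects = scan_projects(root)
    return {
        "clean_zshrc_flagged": zshrc_loads_aliases_file(CLEAN_ZSHRC),
        "infected_zshrc_flagged": zshrc_loads_aliases_file(INFECTED_ZSHRC),
        "flagged_projects": sorted(name for name, hits in projects.items() if hits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"live ~/.zshrc flagged: {check_live_zshrc()}")
```

The Dock change is easier to eyeball than to script: `defaults read com.apple.dock persistent-apps` lists every Dock tile, and on current macOS the tile labelled Launchpad should point at /System/Applications/Launchpad.app; any other path for that tile deserves a look.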

Read: https://arstechnica.com/security/2025/02/microsoft-warns-that-the-powerful-xcsset-macos-malware-is-back-with-new-tricks/


North Korean Cyber Group Kimsuky Escalates Stealth Attacks With Dropbox and PowerShell

North Korean cyber group Kimsuky, which by mid-2023 was the most prolific of its peers, is intensifying its attacks using stealthy living-off-the-land (LotL) techniques. In the DEEP#DRIVE campaign identified by cybersecurity firm Securonix, Kimsuky used fake work logs, insurance documents, and cryptocurrency files to trick victims into opening a ZIP archive containing a Windows shortcut (.lnk) file; the shortcut launches PowerShell and .NET code that collects system configuration data. The stolen data, comprising host IP addresses, OS details, installed security software, and running processes, was uploaded to attacker-controlled Dropbox folders using OAuth access tokens, so the traffic blends in with legitimate Dropbox API use and slips past URL-blocking defenses. The scripts also downloaded additional malware, and usernames tied to dozens of IP addresses suggest lateral movement across victim networks. Over 8,000 configuration files were found, though some were duplicates.

Kimsuky targets South Korean government agencies, enterprises, and cryptocurrency users, in line with its historical focus on espionage and financial theft; in September 2024 the FBI warned of increased North Korean attacks on cryptocurrency organizations. Unlike Lazarus and Andariel, Kimsuky prioritizes high-volume phishing over tailored spear phishing, and occasionally targets international entities. Companies in the targeted sectors should configure Windows to display file extensions (bearing in mind that Explorer hides the .lnk extension even then, so a shortcut named report.pdf.lnk still displays as report.pdf), allow only signed PowerShell scripts to run, and bolster email security with phishing training. Recorded Future, which tracks Kimsuky's five overlapping subgroups, notes that the healthcare and hospitality sectors also face increased risk.
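Because the lure is an archive with a shortcut inside, the archive itself is the cheapest place to catch it, before Explorer gets a chance to hide the extension. The following is an added example written for this briefing (not Securonix's analysis or tooling): it opens a ZIP in memory, flags every entry that carries the Windows shortcut (.lnk) file header or a .lnk name, and marks the "document.pdf.lnk" double-extension disguise. The sample archive is constructed here for the example, and its shortcut bodies are just the header plus padding, not working shortcuts.

```python
from __future__ import annotations
import io
import zipfile
from pathlib import PurePosixPath

# Windows shortcut (.lnk) files open with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Document-like extensions a lure borrows to look harmless ("Work Log.pdf.lnk").
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".jpg", ".png"}


def inspect_archive(data: bytes) -> list[dict[str, object]]:
    """Return one finding per shortcut-like entry in a zip archive.

    An entry is shortcut-like if its bytes carry the LNK header or its name ends
    in .lnk; 'double_extension' marks the 'document.pdf.lnk' disguise.
    """
    findings: list[dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header is needed
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            has_lnk_magic = head == LNK_MAGIC
            named_lnk = bool(suffixes) and suffixes[-1] == ".lnk"
            if has_lnk_magic or named_lnk:
                findings.append({
                    "name": info.filename,
                    "lnk_magic": has_lnk_magic,
                    "named_lnk": named_lnk,
                    "double_extension": len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS,
                })
    return findings


def is_lure(data: bytes) -> bool:
    """Gateway-style verdict: any shortcut inside a mailed archive gets it blocked."""
    return bool(inspect_archive(data))


def build_sample_archive() -> bytes:
    """Constructed sample (not a real DEEP#DRIVE artifact): a lure zip holding a
    double-extension shortcut, a plainly named shortcut and a benign text file.
    The shortcut bodies are the header plus padding, not functional shortcuts."""
    stub_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Work Log 2025-02.pdf.lnk", stub_lnk)
        zf.writestr("insurance_claim.lnk", stub_lnk)
        zf.writestr("README.txt", b"Please review the attached documents.\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in inspect_archive(sample):
        print(finding)
    print("verdict:", "block" if is_lure(sample) else "allow")
```

Checking the header rather than trusting the name is what makes this worth running at a gateway: a shortcut keeps its header no matter what it is called, while the name is entirely the attacker's choice.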

Read: https://www.darkreading.com/cyberattacks-data-breaches/north-koreans-kimsuky-attacks-rivals-trusted-platforms


Chinese Programmer Burns $1.65M in Ethereum, Donates $5.35M Amid Allegations Against Hedge Fund Executives

Hu Lezhi, a self-identified Chinese programmer, burned 603 ETH (about $1.65 million) and donated 1,950 ETH (about $5.35 million) across several blockchain transactions, while accusing Kuande Investment's two CEOs, Feng Xin (a Columbia University PhD and the firm's Chief Risk Officer) and Xu Yuzhi (a Renmin University mathematics graduate and its Chief Investment Officer), of using "brain-computer weapons" against employees. Kuande, also known as WizardQuant, specializes in quantitative trading. Donations included 711.52 ETH ($1.97 million) to WikiLeaks, 700 ETH ($1.94 million) to Ukraine, and 1,238 ETH ($3.4 million) to undisclosed addresses. The largest single burn, 500 ETH ($1.38 million), came on the final day and was made by sending the funds to an Ethereum null address, from which they can never be recovered. The transactions originated from wallets linked to OKX and Binance.

The crypto community reacted on social media by scrutinizing the wallets' activity, and Solana-based meme coins referencing the episode appeared in response. Three details stand out: the burns went to Ethereum's null address, the one destination from which ETH is irrecoverable; the meme coins on Solana illustrate crypto culture's reflexive nature; and the OKX and Binance origins show that centralized exchanges still sit at the edge of most decentralized finance incidents. Hu's choice of WikiLeaks and Ukraine as recipients suggests political undertones, consistent with crypto's reputation for borderless, cause-driven donations. The incident also illustrates blockchain's transparency, where a financial act doubles as a public statement.

Read: https://x.com/crypto_briefing/status/1891524229243240644?s=43&mx=2


Google’s Fingerprinting Policy Sparks Privacy Backlash and Regulatory Scrutiny

Google's new advertising policy, in effect from February 16, 2025, permits "fingerprinting": collecting device and browser data such as screen size, language settings, time zone and battery level, combined with the IP address, to build a profile that identifies a user across sites, typically for targeted advertising. Google itself condemned the practice in 2019 as subverting user choice; it now describes fingerprinting as essential for reaching users on devices such as smart TVs and gaming consoles, where cookies do not work. Google argues that competitors already use this data and says IP addresses are already widely used responsibly, including for fraud prevention.

Critics, including Mozilla's Martin Thomson, warn fingerprinting reduces user control and grants Google and advertisers persistent tracking capabilities. Lena Cohen of the Electronic Frontier Foundation accuses Google of prioritizing profit over privacy, exposing sensitive data to brokers, surveillance firms, and law enforcement. Pete Wallace of ad tech firm GumGum decries the shift from consumer-centric data use, noting his company employs contextual advertising—targeting ads via website content, not personal data.

At the UK's Information Commissioner's Office (ICO), Stephen Almond, executive director of regulatory risk, has said fingerprinting is not a fair means of tracking users online, since it reduces people's choice and control over how their information is collected and makes legal compliance harder. The ICO expects companies using fingerprinting to demonstrate compliance with data protection law, and has said the way the industry currently uses it is unlikely to meet that bar. Google says users will continue to have a choice over personalized ads and that it will keep engaging with regulators.

Read: https://www.bbc.com/news/articles/cm21g0052dno



Elsewhere Online:

 

Compromised Military and Defense Accounts Threaten US Security

Read: https://www.infosecurity-magazine.com/news/us-military-defense-credentials/


CISA Issues Urgent Warning on Palo Alto Firewall Vulnerability

Read: https://www.darkreading.com/remote-workforce/patch-now-cisa-researchers-warn-palo-alto-flaw-exploited-wild


Australian IVF Clinic Genea Reports Data Breach

Read: https://www.infosecurity-magazine.com/news/australian-ivf-data-breach-cyber/


New Snake Keylogger Variant Hits Millions Via Phishing and Scripting

Read: https://thehackernews.com/2025/02/new-snake-keylogger-variant-leverages.html


X Disputes German Court Order for User Data Before Election

Read: https://reclaimthenet.org/germany-election-x-court-data-dispute