Risky Bulletin

Risky Bulletin: Targeted supply chain attack hits DAEMON Tools

9 min
May 6, 2026
Summary

This episode covers a major supply chain attack on DAEMON Tools that distributed malware for nearly a month, a critical cPanel zero-day exploited for over two months affecting 44,000+ servers, and Australia's new Cyber Incident Review Board. Additional stories include arrests of international cybercriminals, AI safety policy shifts under the Trump administration, and Oracle's move to monthly security updates.

Insights
  • Supply chain attacks remain highly effective with DAEMON Tools malware reaching thousands of hosts despite limited secondary payload deployment, indicating attackers are becoming more selective in their targeting
  • Zero-day vulnerabilities can persist unpatched for extended periods (64 days in cPanel case), creating massive exploitation windows that affect tens of thousands of systems before remediation
  • Governments are establishing formal cybersecurity review boards and critical infrastructure resilience programs in response to evolving threats, signaling a shift toward proactive defense frameworks
  • AI safety regulations are becoming a geopolitical battleground, with the Trump administration reversing course on oversight and pressuring tech companies to remove restrictions on government use
  • International cybercrime operations are increasingly coordinated across borders, with scam centers, VOIP fraud schemes, and state-sponsored hacking campaigns operating with relative impunity
Trends
  • Supply chain attacks targeting software distribution channels as primary infection vectors
  • Extended zero-day exploitation windows (60+ days) before patches, creating systemic vulnerability exposure
  • Government establishment of formal cyber incident review boards and post-incident learning frameworks
  • Critical infrastructure resilience planning for disconnected/isolated network operations during armed conflict
  • Deregulation of AI safety controls and removal of restrictions on government access to AI tools
  • International law enforcement coordination against cybercriminals with multi-month investigations and extraditions
  • AI agent exploitation through prompt injection and encoding techniques (Morse code bypasses)
  • State-sponsored targeting of refugee and defector populations through compromised gaming platforms
  • Bluetooth-based physical tracking of law enforcement officers through unencrypted device identifiers
  • SMS-based MFA bypass through remote access trojans targeting mobile-to-desktop sync applications
Companies
DAEMON Tools
Website compromised in targeted supply chain attack; malware-bundled installers distributed for nearly a month
Kaspersky
Security firm that identified and analyzed the DAEMON Tools supply chain attack and malware payload
cPanel
Critical vulnerability secretly exploited as zero-day for 64 days; 44,000+ servers compromised before patch
Telstra
Australian telco whose global CISO Narelle Devine chairs the new Cyber Incident Review Board
CISA
US agency launched CI Fortify project to help critical infrastructure operators defend against armed conflict attacks
Oracle
Switched from quarterly to monthly security updates, citing AI as reason for increased release frequency
Axon
Police equipment manufacturer; devices lack MAC address randomization, allowing tracking of law enforcement officers
Microsoft
PhoneLink app targeted by CloudZ remote access trojan to steal SMS-based one-time passcodes for MFA bypass
Cisco Talos
Security research team that discovered CloudZ malware targeting Microsoft PhoneLink application
Kochava
Data broker banned by FTC from selling precise geolocation data without explicit user consent
Collective Data Solutions
Subsidiary of Kochava; also banned from selling geolocation data in FTC settlement
ESET
Security firm analyzing North Korean hacking campaign targeting Chinese gaming platform near North Korea border
Reuters
Won Pulitzer Prize for Beat Reporting on Meta's fraudulent ad ecosystem and cybersecurity investigations
Associated Press
AP staff won Pulitzer Prize with independent reporter Yael Grauer for US tech companies aiding China surveillance
Meta
Subject of Reuters Pulitzer Prize-winning investigation into fraudulent ad ecosystem
People
Catalin Cimpanu
Prepared the Risky Bulletin episode content
Claire Aird
Read and presented the Risky Bulletin episode
Narelle Devine
Chairs Australia's new Cyber Incident Review Board
Gavril Sandu
Romanian national extradited to US for complex VOIP banking fraud scheme dating to late 2000s
Denis Zolotoriov
Latvian national sentenced to 8.5 years for 54 ransomware attacks including targeting hospitals and 911 systems
Lin
23-year-old Taiwanese student who hacked railway network radio systems, causing emergency brake activation
Raphael Satter
Won Pulitzer Prize for Beat Reporting on Meta's fraudulent ad ecosystem
AJ Vicens
Won Pulitzer Prize for National Affairs reporting on Meta's fraudulent ad ecosystem
Yael Grauer
Won Pulitzer Prize with AP staff for reporting on US tech companies aiding China mass surveillance
Full Transcript
The DAEMON Tools website was hit in a targeted supply chain attack. Australia gets its own CSRB. The US arrests a wanted VOIP server hacker after 17 years, and Oracle switches to monthly security updates. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 6th of May, and this podcast episode is brought to you by PortSwigger. In today's top story, the DAEMON Tools website was compromised and distributed malware for almost a month. Installers for DAEMON Tools apps were bundled with a backdoor since April 8. The malware collected information on the hosts it infected and deployed a secondary payload to just a dozen of them. Security firm Kaspersky says the first stage infected thousands of hosts, but the second payload only executed on a small number of systems in Russia, Belarus and Thailand. The attack is still ongoing and is believed to be the work of a Chinese-speaking threat actor. In other news, a major cPanel vulnerability was secretly exploited as a zero-day for more than two months before a patch was released. Attacks have been recorded as far back as February 23, 64 days before a patch came out. Web hosting providers have been rushing to take down and secure cPanel systems, but more than 44,000 servers are believed to have been hacked already. Recorded cases include threat actors defacing websites, deploying ransomware, crypto miners and DDoS malware. The Australian government has created a special board to investigate cybersecurity incidents. The Cyber Incident Review Board will conduct no-fault post-incident reviews of major cyber attacks to help organisations learn and avoid similar incidents. The board is modelled after America's Cyber Safety Review Board, which the Trump administration disbanded in January 2025.
The first board will have seven members and will be chaired by Narelle Devine, the global CISO at Australian telco Telstra. CISA launched a new project this week to help critical infrastructure operators defend their networks in the case of an armed conflict. The CI Fortify project is designed to help operators defend against destructive attacks and to operate without an internet connection. The project encourages organisations to set up their networks to operate in isolation from the wider internet and to have recovery plans in place. The Trump administration wants to limit the ability of tech companies to restrict how their technology is used by the US government. Officials started drafting the policy after AI companies said they'd only work with the government if their tools were used for lawful purposes. The Trump administration is also considering introducing government oversight over the release of new AI models. The new rules are expected to arrive as an executive order this month. The oversight would represent a complete reversal of the Trump administration's initial non-interventionist approach to AI regulation. The White House rescinded Biden-era AI rules shortly after President Trump was sworn in. A Romanian national has been extradited to the US to face charges stemming from a complex banking fraud scheme. Gavril Sandu hacked into VOIP services and deployed automated scripts that contacted Americans. The scheme posed as banks and financial institutions and collected credit card details and PINs from victims. Sandu and his co-conspirators created copies of the cards with the stolen data and emptied bank accounts at ATMs. He was arrested in Romania in January, but the scheme dates back to the late 2000s. A Latvian national has been sentenced to eight and a half years in prison for ransomware attacks. Denis Zolotoriov was a member of the Karakurt gang. He was involved in 54 attacks, including on a government entity whose 911 system was forced offline.
He also targeted hospitals and deliberately used children's health information for extortion. Thai officials arrested two Chinese nationals last month for using an SMS blaster in Bangkok. The fake cell tower was allegedly hidden inside the front passenger footwell of their car. The device had been detected by local telcos a month earlier after it interfered with their signals in populated areas. Taiwanese police have detained a 23-year-old student who hacked the country's railway network radio systems. The hack took place on April 5 and caused at least three high-speed rail trains to activate their emergency brakes. The student, only identified as Lin, was released on bail. He faces up to 10 years in prison. Sri Lankan authorities have arrested 37 Chinese nationals following a raid on a scam centre in the capital, Colombo. This is the third scam centre raided by Sri Lankan authorities in the last two months. They also detained 152 foreign nationals running a scam operation out of a hotel in April and another 135 in March. Most were Chinese nationals. A Twitter user tricked the Grok and BankerBot AI agents into sending them $200,000 in crypto tokens. The user wrote the malicious instructions in Morse code to bypass the two agents' safety features. The user deleted their Twitter account after the transaction went through. The U.S. Federal Trade Commission has settled its lawsuit against data broker Kochava. The company is now banned from selling precise geolocation data without explicit user consent. The ban also applies to Kochava's subsidiary, Collective Data Solutions. The FTC sued Kochava in 2022 for selling geolocation data that exposed visits to sensitive locations such as healthcare providers. Criminal groups can track the precise location of police officers who wear body-worn cameras and carry Bluetooth-capable tasers. Devices sold by Axon do not employ MAC address randomisation, allowing threat actors to keep track of their precise movements.
Mobile apps and a mesh of Bluetooth scanners can be used to create a live map of cops in a city. The company has been notified, but officers will need new hardware to be fully protected. Cisco Talos has discovered a new piece of malware that targets PhoneLink, a Microsoft app for syncing smartphones to Windows. The CloudZ remote access Trojan watches the app's database for new synced SMS messages in order to steal one-time passcodes. The feature is likely used to bypass MFA on accounts that rely on SMS for the second factor. Iranian hackers have breached 12 Armenian government ministries. At least 26,000 user records and case data have been stolen from the Ministry of Justice alone. The intrusions were discovered after the hackers left some of the impacted servers misconfigured online. North Korean hackers have breached a Chinese gaming platform and backdoored its Android and Windows apps. The hack has been ongoing since 2024. The gaming platform is popular in a Chinese region near the North Korean border. According to ESET, the campaign's goal appears to be to spy on refugees and defectors. Oracle has updated its security policies and will release monthly security updates going forward. The company had previously been releasing security updates every quarter. The first monthly security updates will start this month. Oracle cited AI as the reason for the change. And finally, a collection of Reuters cybersecurity stories on Meta's fraudulent ad ecosystem has won the Pulitzer Prize for Beat Reporting this week. Reuters cybersecurity reporters Raphael Satter and AJ Vicens were also among the winners for the National Affairs category. Yael Grauer, an independent privacy and security reporter for more than 15 years, also won the Pulitzer with the AP staff for her reporting on how US tech companies helped China build its mass surveillance machine. Huge congratulations. And that's all for this podcast edition. Today's show was brought to you by our sponsor, PortSwigger.
Find them at portswigger.net. Thanks for your company.