
The Copy Fail vulnerability impacts all Linux distros going back to 2017, hackers are exploiting a cPanel auth bypass, every Moldovan citizen has their data stolen, and some scam compounds got raided… in Dubai.
The Copy Fail vulnerability impacts all Linux distros going back to 2017.
Hackers are exploiting a cPanel auth bypass.
Every Moldovan citizen has their data stolen, and some scam compounds get raided in Dubai.
This is The Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird.
Today is the first of May and this podcast episode is brought to you by Run Zero.
In today's top story, hackers are exploiting a major vulnerability in the cPanel web hosting
management software. The bug allows attackers to bypass authentication to access cPanel accounts.
Users are advised to patch their cPanel instances or block TCP ports 2083 and 2087,
which will block access to the cPanel back end. CISA has confirmed the bug is being exploited
in the wild. In other news, all Linux distributions since 2017 are vulnerable to a new privilege
escalation vulnerability. Exploitation relies on running a small script of 732 bytes to get
root access. Named Copy Fail, the vulnerability is considered a straightforward way to gain root
access on Linux systems. It was discovered using AI tools by South Korean security firm Theori.
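As an added defender-side check tied to the cPanel item above (this is not code from the bulletin or from cPanel), the script below reads `ss -ltn` style output and flags whether the cPanel back-end ports, TCP 2083 and 2087, are bound to all interfaces, then prints an nftables snippet that limits them to an admin network. The admin CIDR 203.0.113.0/24 and the sample `ss` output are constructed placeholders.

```shell
#!/bin/sh
# Added example: spot cPanel/WHM ports (2083, 2087) listening on wildcard addresses
# and emit nftables rules that restrict them to an admin network.
# Input format is that of `ss -ltn` on Linux; the sample further down is constructed.

CPANEL_PORTS="2083 2087"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # placeholder admin network, adjust to yours

# exposed_ports: read `ss -ltn` text on stdin; print each cPanel port bound to
# 0.0.0.0, *, or :: (i.e. reachable from every interface), one per line.
exposed_ports() {
    awk -v ports="$CPANEL_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 {
            # "Local Address:Port" is column 4; the port follows the last colon
            addr = $4; p = addr; sub(/.*:/, "", p); a = addr; sub(/:[0-9]+$/, "", a)
            if ((p in w) && (a == "0.0.0.0" || a == "*" || a == "[::]" || a == "::"))
                print p
        }' | sort -u
}

# nft_rules: print an nftables table that accepts the cPanel ports only from ADMIN_CIDR
# and drops them from everywhere else (patching remains the primary fix).
nft_rules() {
    printf 'table inet cpanel_guard {\n'
    printf '  chain input { type filter hook input priority 0; policy accept;\n'
    for p in $CPANEL_PORTS; do
        printf '    ip saddr %s tcp dport %s accept\n' "$ADMIN_CIDR" "$p"
        printf '    tcp dport %s drop\n' "$p"
    done
    printf '  }\n}\n'
}

# Constructed sample of `ss -ltn` output: both cPanel ports exposed, MySQL local-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:2083      0.0.0.0:*
LISTEN 0      128             [::]:2087         [::]:*
LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_ports          # check the real host
else
    printf '%s\n' "$SAMPLE_SS" | exposed_ports
fi
```

Run with `--live` on the host to check real listeners; pipe `nft_rules` into `nft -f -` only after confirming the admin CIDR is correct.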
Hackers have stolen the personal and financial information of all Moldovan citizens.
The data was stolen from the country's National Healthcare Database in March.
Moldova's National Health Insurance Agency confirmed that data was stolen,
but denied earlier reports that one third of the database was destroyed in the attack.
Moldova's Cybersecurity Agency says it hasn't received a ransom demand. It did not rule out
Russian involvement. Chinese hackers breached an Exchange server at the Cuban Embassy
and downloaded inboxes of 68 diplomats. The breach coincided with the Trump administration's
call to halt oil deliveries to Cuba. The same group has hit more than 5,000 Exchange
servers in a hacking campaign this year. Congress has passed another temporary extension to the
FISA Section 702 surveillance authority. The FISA surveillance powers have been extended
for 45 days until June 15. They were set to expire on Thursday. The US House of Representatives
passed a three-year FISA extension this week, but the Senate refused to wave it through.
The Italian government says spyware-maker Paragon Solutions is refusing to cooperate with
its investigations into a surveillance scandal. The company hasn't responded to a formal
request for information that was delivered via the Israeli government. Paragon cut ties with
the Italian government last June. The company has previously claimed it was the Italian government
that refused its help with investigating the Italian intelligence services' alleged abuse of its tools.
Meanwhile, a Supreme Court prosecutor in Greece has shut down that country's investigation into
the Predator spyware scandal. The decision was made despite a request from lower criminal courts
to continue. Last month, four individuals were sentenced in Greece for selling the spyware.
They were sentenced to 126 years in prison. No government officials were investigated over their
roles in deploying the spyware against opposition figures, journalists, and prosecutors.
Canada will ban cryptocurrency ATMs due to an increase in scams.
Officials say crypto ATMs are now the primary method used by scammers to defraud victims in the
country. Globally, Canada has the most crypto ATMs per capita, with more than 4,000 kiosks.
German MPs have been instructed to switch from Signal to Wire for
secure communications. Government officials said the app is more secure than Signal because it's
not associated with public phone numbers. Earlier this year, Bundestag President Julia Klöckner
fell victim to a Signal phishing attack. The incident was blamed on Russian hackers.
The US Department of War has announced a cyber apprenticeship program. The 12-month program will
launch as a pilot this summer. Its aim is to help recruit and onboard more cyber security professionals.
The program will not have degree requirements. Earlier this year, the US Office of
Personnel Management removed the criteria across the US government.
The Kenyan government says repatriated Asian scam compound workers pose security risks.
Officials are concerned that rescued scammers, originally lured by job offers, will establish
their own compounds when they return to Kenya. The government has proposed strengthening its laws
and running a nationwide awareness campaign about finding legitimate overseas employment.
Albanian authorities have raided three call centres that ran cryptocurrency investment scams.
Ten suspects were also arrested during last month's operation. All three call centres were
located in the capital, Tirana. They allegedly operated on an industrial scale since at least
2023. The scams targeted users in Canada and Western Europe, including Germany, Italy,
and Spain. Financial damages have been estimated at more than 50 million euros.
Nine cyber scam compounds have been raided in Dubai. 276 suspects were arrested during the
joint operation between China, the US and the UAE. Four compound managers have been detained
in the UAE and Thailand; two are still at large. This is the first crackdown on scam compounds
in the United Arab Emirates. Last year, Meta warned that compounds had expanded from Southeast Asia
to the Middle East. Cambodian authorities have deported 635 Thai nationals over their involvement
in online scams. The individuals crossed the border illegally to work at cyber scam compounds
in Cambodia. The country is cracking down on cyber scam operations following international
pressure from China and the US. Ten members of the Black Axe Nigerian criminal syndicate have
been arrested in Switzerland. The suspects were involved in cyber fraud operations,
including romance scams. Europol believes one of the individuals is the group's
regional leader for Southern European operations.
French authorities have arrested a 15-year-old for hacking the ANTS government database.
The teen is accused of stealing data and selling it on hacking forums last month.
ANTS is the French government agency that manages identity documents, driving licenses,
and vehicle registrations. The teenager faces up to 7 years in jail and a fine of up to 300,000
euros. A Romanian national has been sentenced to four years in federal prison for
swatting more than 75 US public officials. Thomasz Szabo's victims included a former US president,
members of Congress, state governors, and US law enforcement agencies. Szabo, together with
a Serbian national, was identified and arrested in 2024 when the pair used Google Voice to place
the swatting calls. The FBI says hackers are helping criminal groups physically steal cargo loads.
The campaigns include compromises of cargo brokers and transport companies. From there,
they gain control of accounts that manage cargo loading and movement processes.
The access is exploited to redirect legitimate cargo hauls to complicit drivers.
The Jerry's World carding forum has leaked more than 345,000 stolen credit card numbers
due to a misconfigured web server. The leak was traced back to a server configuration that was
generated with an AI-based code editor. The code left the server and its contents exposed without
any kind of authentication. CrowdStrike says it's tracking two new groups that are mimicking
Lapsus$ and Scattered Spider's tactics. Cordial Spider and Snarky Spider target large companies
by posing as IT support. Group members trick employees into running malware or accessing
phishing sites. The groups have been active since October. A cyber espionage group is attempting
to steal GIS files and geolocation data from Russia's aviation industry and government agencies.
The campaign began last September. The GIS format is used in CAD engineering to store
geographic data such as terrain, roads and construction information. Kaspersky attributed the
hacking campaign to an APT it tracks as Heartless Soul. A new worm is targeting the npm
JavaScript ecosystem. The Mini Shai-Hulud malware spreads via SAP-themed npm packages.
Once it infects a host, it downloads the Bun JavaScript runtime to execute an info
stealer. It then steals credentials and tokens. The malware also contains logic to copy itself
inside infected developers' accounts and packages. Researchers believe the malware might be the
work of Team PCP. That group has been targeting code developers this year across multiple supply
chain attacks. The Xen Project has released security updates for its open source virtualisation
software. The updates patch some of the 89 bugs disclosed last week by researcher Jacob Wolfhenshel.
The bugs are in the XAPI management interface. They affect every Xen version released in the
last 20 years. They also impact the Citrix XenServer hypervisor. SonicWall has patched three bugs
in its firewall devices. The vulnerabilities were discovered by a security firm, CrowdStrike.
SonicWall advised customers to apply the patches immediately or disable access to the
device's web management interface. Device management should be carried out via SSH only.
The company did not specify if the bugs were being actively exploited.
A Canadian security firm has released a decryption utility to recover files encrypted by the
Gentleman ransomware. The decryptor can be used if companies can recover at least one memory dump
taken during the ransomware encryption process. The firm Bedrock Safeguard says the ransomware stores
any encryption keys used throughout the process in memory. The Iranian government is losing an
estimated $80 million a day due to its country-wide internet blackout. The blackout began on February
28, amid Israeli and US military strikes against the Iranian regime. According to Bloomberg,
Iran's civil government opposes the shutdown, but the IRGC is insisting on keeping it in place.
The White House is opposed to Anthropic providing 17 new companies with access to the Mythos AI
model. The proposed increase would have more than doubled the number of organisations with access,
bringing the total to 120. US officials cited national security risks to Anthropic. They also
said it would put a strain on the company's computing resources, which could hamper the government's
own Mythos access. Meta has cancelled a contract with a Kenyan company that reviewed footage from
its AI smart glasses. Meta said it was cancelled after employees at the company spoke with journalists
from a Swedish news site. The workers revealed the glasses were capturing people having sex,
undressing, and going to the toilet. Seven organisations involved in AI security
standards have formed a collective to reduce fragmented industry standards. The initiative is
named MOSAIC, or Multi-Organisation Secure AI Coordination. Founding members include NIST,
OWASP, SANS and the Cloud Security Alliance. And finally, OpenAI is rolling out a more secure
mode for ChatGPT accounts. The Advanced Account Security mode will disable password logins,
and will only allow access via passkeys or physical security keys. The mode also has a more
secure account recovery process. When enabled, users' past conversations will automatically be
excluded from being used to train new models. And that is all for this podcast edition.
Today's show was brought to you by our sponsor RunZero. Find them at RunZero.com.
Thanks for your company.
