CyberBakery Chronicles

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (14 Mar 2025)

On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and MS-ISAC, issued a cybersecurity advisory detailing the Medusa ransomware threat. This ransomware-as-a-service (RaaS) variant has been active since June 2021, targeting more than 300 organisations across critical industries such as healthcare, education, legal services, insurance, technology, and manufacturing.

Medusa ransomware operators use a double extortion strategy, encrypting victim data while threatening to release stolen information unless a ransom is paid. They typically infiltrate networks through phishing attacks and exploit unpatched software vulnerabilities, including CVE-2024-1709 and CVE-2023-48788. Once inside, they leverage legitimate administrative tools like PowerShell and network scanners to move laterally and gather information while deploying various evasion techniques, such as command obfuscation and deletion of activity logs.

Recommended Security Measures

To defend against Medusa ransomware, organisations should:

  • Keep all systems, software, and firmware up to date to close known security gaps.

  • Implement network segmentation to limit the spread of potential infections.

  • Restrict network access to prevent unauthorized connections from external sources.

By taking these steps, organisations can strengthen their defenses and minimise the risks of Medusa ransomware.

In a recent cybersecurity incident, over 1,000 WordPress websites have been infiltrated by malicious JavaScript code, resulting in the installation of four distinct backdoors. This multi-backdoor approach ensures attackers maintain persistent access, even if one backdoor is discovered and removed. 

Details of the Backdoors:

  1. Fake Plugin Installation: A counterfeit plugin named “Ultra SEO Processor” is uploaded and installed, allowing attackers to execute commands on the compromised site.

  2. JavaScript Injection: Malicious JavaScript is inserted into the wp-config.php file, facilitating further exploitation.

  3. SSH Key Addition: An attacker-controlled SSH key is added to the ~/.ssh/authorized_keys file, granting persistent remote access to the server.

  4. Remote Command Execution: This backdoor fetches additional payloads from external sources, potentially opening a reverse shell for deeper infiltration.

Indicators of Compromise:

The malicious JavaScript is served via cdn.csyndication[.]com. As of the latest analysis, approximately 908 websites reference this domain, indicating a widespread campaign.

Recommended Mitigation Steps:

  • Remove Unauthorised SSH Keys: Audit and delete any SSH keys that were not intentionally added.

  • Rotate Admin Credentials: Change WordPress administrator passwords to prevent unauthorised access.

  • Monitor System Logs: Regularly review logs for unusual activities or unauthorised actions.

Website administrators are urged to implement these measures promptly to secure their sites against this threat.
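The three mitigation steps above (audit SSH keys, rotate credentials, review logs and files) can be partly automated. The following Python script is an added example, not code from the newsletter or from the original report: it checks a WordPress install for the indicators the report describes (the defanged domain cdn.csyndication[.]com re-fanged only for string matching, a <script> tag inside wp-config.php, a plugin whose header reads "Ultra SEO Processor", and any authorized_keys entry not on an allowlist). The plugin is matched on its header text because the report does not give a directory slug; the sample files it audits are constructed in a temporary directory and contain placeholder keys, not real ones.

```python
import re
import tempfile
from pathlib import Path

# Indicator from the report; the page writes it defanged as cdn.csyndication[.]com.
IOC_DOMAIN = "cdn.csyndication.com"
# The report names the plugin but not its directory slug, so match on the header.
FAKE_PLUGIN_NAME = "Ultra SEO Processor"


def scan_wp_config(wp_config: Path) -> list[str]:
    """wp-config.php should hold only PHP configuration; a <script> tag or the
    IoC domain inside it corresponds to backdoor #2 (JavaScript injection)."""
    findings = []
    text = wp_config.read_text(errors="replace")
    if IOC_DOMAIN in text:
        findings.append(f"{wp_config.name}: references IoC domain {IOC_DOMAIN}")
    if re.search(r"<script\b", text, re.IGNORECASE):
        findings.append(f"{wp_config.name}: contains a <script> tag")
    return findings


def scan_plugins(plugins_dir: Path) -> list[str]:
    """Find the counterfeit plugin by its 'Plugin Name:' header (backdoor #1)."""
    findings = []
    for php in plugins_dir.rglob("*.php"):
        header = php.read_text(errors="replace")[:4096]
        m = re.search(r"Plugin Name:\s*(.+)", header)
        if m and FAKE_PLUGIN_NAME.lower() in m.group(1).lower():
            rel = php.relative_to(plugins_dir)
            findings.append(f"{rel}: plugin header '{m.group(1).strip()}'")
    return findings


def audit_authorized_keys(keys_file: Path, allowed: set[str]) -> list[str]:
    """Report every key in authorized_keys that is not on the allowlist (backdoor #3).
    Keys are compared as 'type base64body'; leading options and comments are ignored."""
    findings = []
    for line in keys_file.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The key type token may be preceded by an options field such as no-pty.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                key = f"{parts[i]} {parts[i + 1]}" if i + 1 < len(parts) else tok
                break
        else:
            findings.append(f"authorized_keys: unparseable line {line[:40]!r}")
            continue
        if key not in allowed:
            comment = parts[i + 2] if i + 2 < len(parts) else "(no comment)"
            findings.append(f"authorized_keys: unknown key {comment}")
    return findings


def run_audit(wp_root: Path, keys_file: Path, allowed_keys: set[str]) -> list[str]:
    findings = scan_wp_config(wp_root / "wp-config.php")
    findings += scan_plugins(wp_root / "wp-content" / "plugins")
    findings += audit_authorized_keys(keys_file, allowed_keys)
    return findings


def demo() -> list[str]:
    """Build a constructed, deliberately 'infected' layout in a temp dir and audit it.
    All keys below are placeholders, not real public keys."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "wp-content" / "plugins"
        (plugins / "ultra-seo-processor").mkdir(parents=True)
        (plugins / "akismet").mkdir()
        (plugins / "akismet" / "akismet.php").write_text(
            "<?php\n/*\nPlugin Name: Akismet\n*/\n")
        (plugins / "ultra-seo-processor" / "plugin.php").write_text(
            "<?php\n/*\nPlugin Name: Ultra SEO Processor\n*/\n")
        (root / "wp-config.php").write_text(
            "<?php\ndefine('DB_NAME', 'wp');\n"
            f"?><script src=\"https://{IOC_DOMAIN}/x.js\"></script>\n")
        keys = root / "authorized_keys"
        keys.write_text(
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYPLACEHOLDER admin@example.org\n"
            "no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIROGUEKEYPLACEHOLDER attacker\n")
        allowed = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYPLACEHOLDER"}
        return run_audit(root, keys, allowed)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call run_audit with the WordPress document root, the web user's ~/.ssh/authorized_keys and an allowlist built from keys you provisioned yourself; any finding from the plugin or wp-config checks should be followed by the credential rotation the report recommends, since the backdoors are designed to survive the removal of a single one.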

In a recent appeal, OpenAI has urged the Trump administration to address the pressing issue of AI and copyright law, emphasising that unresolved legal ambiguities could hinder the United States’ position in the global AI race, particularly against China.

The Crux of the Matter

Using copyrighted materials to train generative AI models is at the heart of the debate. These models, such as OpenAI’s ChatGPT, rely on vast datasets that often include copyrighted works. The legal community is currently divided on whether this practice constitutes fair use or infringes upon copyright laws. This uncertainty has led to numerous lawsuits against AI developers, with plaintiffs arguing that their copyrighted content is being used without permission. 

Sam Altman, chief executive officer of OpenAI Inc., speaks during the AI Action Summit in Paris, France, on Tuesday, Feb. 11, 2025. Credit: Bloomberg / Contributor | Bloomberg

Global Responses to AI Regulation

While the U.S. grapples with these legal challenges, other nations are advancing their AI regulatory frameworks:

  • European Union: The EU’s proposed Artificial Intelligence Act mandates that AI systems disclose any copyrighted material used during training and label AI-generated outputs accordingly. 

  • China: China’s Interim Measures for the Management of Generative AI Services require AI-generated content to align with socialist core values and impose strict regulations on training data and personal data collection. 

The Implications for the U.S.

OpenAI warns that without clear and supportive regulations, the U.S. risks falling behind in AI innovation. The company stresses that lacking legal clarity could stifle technological advancement and cede leadership to countries with more defined AI policies.

A Call for Prompt Action

The U.S. must swiftly address these copyright concerns to maintain its competitive edge. Establishing clear guidelines will protect creators and foster an environment where AI can continue to evolve responsibly and ethically.

OpenAI’s appeal underscores the urgent need for the U.S. to clarify AI copyright laws. Doing so is essential to safeguarding innovation, protecting intellectual property rights, and ensuring that the nation remains at the forefront of AI development.

A recent malvertising campaign has leveraged illegal streaming websites and GitHub to distribute data-stealing malware, compromising approximately 1 million Windows computers across various sectors. 

Attack Vector: From Streaming Sites to Malware Infection

The attack commenced on illegal streaming platforms embedded with malicious advertising redirectors. Users visiting these sites were funneled through multiple intermediary pages, ultimately leading to GitHub, where the malware was hosted. In some instances, payloads were also found on platforms like Discord and Dropbox. 

Modular Malware Deployment

Once executed, the malware employed a modular, multistage strategy to establish persistence and execute payloads. This approach enabled system information collection and facilitated the exfiltration of documents and data from the compromised systems. 

Scope of Impact

The campaign affected both consumer and enterprise Windows devices, spanning a diverse array of industries and organisations. The widespread attack underscores the critical need for heightened cybersecurity measures across all sectors.

Recommendations for Users

To mitigate such threats, users are advised to:

  • Avoid Untrusted Websites: Avoid visiting illegal streaming sites or other unverified platforms that may host malicious content.

  • Maintain Updated Security Software: Ensure that antivirus and anti-malware solutions are current to detect and prevent potential threats.

  • Exercise Caution with Downloads: Be vigilant when downloading files, especially from platforms like GitHub, Discord, or Dropbox, and verify the source's legitimacy.

By adopting these practices, users can enhance their defenses against sophisticated malvertising campaigns and other cyber threats. 

A Melbourne man is facing court after allegedly attempting to steal mobile numbers from identity theft victims. The man, 34, is accused of making 193 unauthorised "port-in" attempts, successfully transferring 44 mobile numbers to his control.

The Australian Federal Police (AFP) began investigating in July 2024 after a telecommunications company reported suspicious porting activity. Porting scams allow criminals to bypass multi-factor authentication and access victims' bank accounts.

A search warrant executed at the man's residence resulted in the seizure of mobile phones, a computer, SIM cards, and suspected drug items. He has been charged with unauthorised modification of data, which carries a maximum penalty of 10 years imprisonment.

The AFP urges individuals to be vigilant for unexpected text messages or service disruptions, which could indicate an unauthorised porting attempt. Victims are advised to immediately contact their mobile provider and bank and report the incident to ReportCyber.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
