CyberBakery Chronicles (16 June 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (16 June 2025)

The Anubis ransomware-as-a-service (RaaS) operation has recently enhanced its malware with a destructive wiper module, designed to irreversibly destroy files, thereby rendering recovery impossible, even if the ransom is paid. 

[Image: Anubis’s logo]

Key Developments

  • Introduction of Wiper Functionality: Trend Micro researchers have identified that the latest Anubis samples include a file-wiping capability. This feature appears to be a strategic move to intensify pressure on victims, compelling them to pay the ransom promptly rather than delaying negotiations.

  • Ransomware-as-a-Service Model: Anubis operates on a RaaS model, offering affiliates a significant share of the proceeds—80% for ransomware affiliates, 60% for data extortion, and 50% for initial access brokers. This incentivises a broader distribution of the malware. 

  • Limited Victim Exposure: As of the latest reports, Anubis’s dark web extortion page lists only eight victims. This suggests that while the operation is still in its early stages, the addition of the wiper module could signal a forthcoming increase in attack volume as the operators refine their tactics.

Implications

The integration of a wiper module into ransomware attacks marks a concerning evolution in cyber threats. By ensuring that files are destroyed beyond recovery, attackers eliminate the possibility of data restoration, even if victims comply with ransom demands. This tactic not only amplifies the urgency for victims but also underscores the importance of robust cybersecurity measures.

Recommendations

To mitigate the risks posed by such destructive ransomware:

  • Regular Backups: Maintain frequent, offline backups of critical data to ensure recovery options in the event of an attack.

  • Security Updates: Keep all systems and software up to date with the latest security patches to close known vulnerabilities.

  • Employee Training: Educate staff about phishing and other common attack vectors to reduce the likelihood of initial compromise.

  • Incident Response Plan: Develop and regularly update an incident response plan to ensure swift action in the event of a breach.

Researchers from the Citizen Lab have uncovered new evidence indicating that European journalists have been targeted using Graphite, a military-grade spyware developed by Israeli firm Paragon Solutions. This revelation adds to the growing controversy surrounding the use of surveillance tools against members of the press. 

[Image: Censys result for the IP address contacted by the journalist’s phone during the infection period.]

Key Findings

  • Targeted Individuals: The investigation identified Ciro Pellegrino, head of the Naples bureau at Fanpage.it, and an unnamed prominent European journalist as victims of the spyware. Both individuals’ devices showed digital fingerprints consistent with Graphite infections. 

  • Connection to Previous Cases: The same spyware had previously been detected on the phone of Francesco Cancellato, editor-in-chief of Fanpage.it. The similarities in these cases suggest a common operator behind the attacks. 

  • Government Involvement: While the Italian government has admitted to using Graphite against certain activists, it has denied involvement in the surveillance of journalists. Paragon Solutions, for its part, maintains that its products are sold exclusively to democratic nations under strict usage agreements that prohibit targeting journalists or civil society members.

Broader Implications

These incidents have sparked outrage among press freedom advocates and have led to calls for greater transparency and regulation of surveillance technologies. The European Parliament is scheduled to debate the matter on June 16, reflecting the seriousness of the issue at the continental level.

In a surprising twist to an international cybercrime investigation, Dutch police have uncovered a stark reality: cybercrime isn’t just the domain of seasoned hackers operating from dark basements — it’s also attracting children.

Following the January 2025 takedown of Cracked.io, a notorious online hacking forum, Dutch authorities have identified 126 Dutch users. Among them were teenagers, university students, and an 11-year-old child.

Cracked.io wasn’t some niche message board. It was a full-fledged cybercrime marketplace where users could buy and sell stolen credentials, cracked accounts, malware tools, and guides to commit fraud. Law enforcement estimates that the forum’s activities affected over 17 million U.S. victims alone, making it a key target in “Operation Talent,” an international cybercrime disruption campaign.

Digital Crime, Real Consequences

When Dutch investigators gained access to the seized server data, they weren’t expecting to find a digital trail leading back to children. But they did — and the findings were sobering.

Some users were passive — reading posts, asking questions. Others were actively buying or distributing hacked information. What they had in common was a lack of awareness of just how real the consequences could be.

Instead of arresting these young users outright, police chose a proactive and restorative path. Most received official warnings — sent via email or postal mail — spelling out the seriousness of their involvement. Around 20 individuals were invited to meet with police in person. The goal wasn’t just to reprimand them but to redirect them — to make them aware that their curiosity had crossed a legal line and that they still had time to turn around.

Parents: Your Kids Might Be Cybercriminals Without Even Knowing It

This case highlights an uncomfortable truth: some kids aren’t learning to code to build the next big app — they’re experimenting with crime. What might begin as curiosity or a way to “look cool” online can quickly spiral into illegal behaviour, especially on forums like Cracked.io, which gamify hacking with rankings and achievements and foster a toxic community that encourages such behaviour.

Authorities are urging parents and schools to have serious conversations with kids about digital ethics. It’s no longer enough to talk about stranger danger or screen time — today’s conversation needs to include topics like:

  • Why buying hacked Netflix accounts is a crime

  • How participating in hacking forums leaves a permanent digital fingerprint

  • What a criminal record could mean for university applications, scholarships, jobs — even travel

The Forum May Be Gone, But the Problem Isn’t

While Cracked.io’s domain has been seized and is now controlled by law enforcement, reports suggest that the site has resurfaced under a new address — a disturbing reminder that cybercrime forums are like digital weeds: uproot one, and another pops up elsewhere.

This resurgence raises another concern: former users’ data might be exposed in the transition, increasing the risk of retaliation or further exploitation.

What Can Be Done?

  • Talk to kids and teens: Frame it not as punishment, but as empowerment — helping them understand the real-world impact of online actions.

  • Support positive cyber engagement: Point them toward ethical hacking, cybersecurity competitions like Capture the Flag (CTF), or platforms like Hack The Box and TryHackMe.

  • Monitor digital behaviour: Without invading privacy, stay aware of the websites, forums, and communities they’re part of.

  • Report and educate: If you come across forums like Cracked.io, report them. And if you know someone involved, educate them on how to exit that world safely.

In an increasingly digital age, cybercrime is evolving — and so are its perpetrators. But with awareness, guidance, and the right interventions, we can stop kids from becoming the next generation of hackers… before it’s too late.

A recent large-scale cyberattack has exploited the open-source penetration testing tool TeamFiltration to compromise over 80,000 Microsoft Entra ID (formerly Azure Active Directory) user accounts across hundreds of organisations. This campaign, active since December 2024 and peaking in January 2025, has been tracked by Proofpoint under the codename UNK_SneakyStrike. 

How the Attack Works

TeamFiltration, initially developed for ethical hacking and security assessments, offers features such as:

  • Account Enumeration: Identifying valid user accounts within a target environment.

  • Password Spraying: Attempting to compromise accounts using common or systematically varied passwords.

  • Data Exfiltration: Extracting emails, files, and other valuable data.

  • Persistent Access via OneDrive: Uploading files, potentially containing malware, to a victim’s OneDrive in order to establish ongoing access.

In the UNK_SneakyStrike campaign, attackers utilised Amazon Web Services (AWS) infrastructure across various regions to launch password spraying attacks through the Microsoft Teams API. These attacks occurred in concentrated bursts, followed by periods of inactivity, making detection more challenging. 

[Image: Execution flow of TeamFiltration, as displayed on GitHub (github.com/Flangvik/TeamFiltration)]

Indicators of Compromise

Security researchers identified specific indicators associated with this campaign, including:

  • User Agent Strings: A distinctive user agent linked to an outdated version of Microsoft Teams.

  • OAuth Application IDs: Attempts to access specific sign-in applications from incompatible devices, linked to application IDs pre-configured in TeamFiltration. 

Mitigation Strategies

Organisations are advised to implement the following measures to protect against such attacks:

  • Enforce Multi-Factor Authentication (MFA): Ensure MFA is enabled for all accounts, including service accounts.

  • Monitor for Unusual Activity: Regularly review logs for signs of password spraying and unauthorised access attempts.

  • Restrict Access from Unusual Locations: Implement geofencing to limit access from regions not relevant to your organisation.

  • Audit OAuth Applications: Regularly review and manage OAuth applications and permissions within your environment. 
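The “monitor for signs of password spraying” advice above is easier to act on with a concrete rule. The script below is an added example, not Proofpoint’s detection logic or anything from the TeamFiltration project: it reads Entra ID sign-in records exported as JSON lines (Microsoft Graph signIn field names are assumed), keeps only bad-password failures, and flags any source IP that fails against five or more distinct accounts inside a ten-minute window, which is the many-users-one-source burst pattern the campaign description implies. The sample records, the thresholds and the documentation-range IP addresses are constructed for the example; AADSTS error code 50126 is the real “invalid username or password” code.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS 50126 = invalid username or password, the failure each spray guess produces.
BAD_PASSWORD = 50126

# Constructed sign-in records shaped like Entra ID sign-in log entries (Graph signIn
# field names): one normal login, six accounts failing from one IP inside two minutes,
# then a single unrelated typo from another address. All values are made up.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T02:58:40Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T03:00:01Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:14Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:29Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:47Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:01:05Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:01:52Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:05:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","appDisplayName":"Microsoft Teams","status":{"errorCode":50126}}
"""

def parse_log(text):
    """Parse JSON-lines sign-in records, adding a timezone-aware datetime as 'ts'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
            records.append(rec)
    return records

def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs whose bad-password failures hit at least `min_users` distinct
    accounts inside any `window`-long interval (many users, one source, short burst:
    the spray signature). Returns a dict of ip -> sorted list of targeted accounts."""
    failures = defaultdict(list)
    for rec in records:
        if rec["status"]["errorCode"] == BAD_PASSWORD:
            failures[rec["ipAddress"]].append((rec["ts"], rec["userPrincipalName"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
    return hits
```

The same function runs unchanged over a real export of sign-in logs; tune `min_users` and `window` to the size of the tenant, and treat a burst that stops and restarts hours later as one campaign rather than two.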

Researchers from Ben-Gurion University have uncovered a mind-bending new way hackers could steal data from even the most secure systems — by using smartwatches to listen to ultrasonic signals emitted from air-gapped computers.

Yes, you read that right: your smartwatch could become a spy device.

What Is SmartAttack?

Codenamed “SmartAttack,” this newly documented method turns a wearable device into a receiver for high-frequency signals coming from an otherwise isolated computer. It’s a chilling example of how air-gapped systems — often assumed to be unhackable due to their physical separation from networks — can still be compromised through clever side-channel attacks.

Here’s how it works:

Step 1: Compromising the Air-Gapped Computer

To execute this attack, the attacker first needs to infiltrate malware into the air-gapped system. This typically requires:

  • A malicious insider

  • A planted USB device

  • Or another covert delivery mechanism

Once inside, the malware silently collects sensitive data, such as passwords, encryption keys, or keystrokes.

Step 2: Ultrasonic Data Transmission

With the data in hand, the malware then uses the infected computer’s built-in speakers to emit ultrasonic signals in the 18 kHz to 22 kHz range. This is well beyond what the human ear can detect, but not beyond what modern microphones — like those in smartwatches — can pick up.

[Image: Spectrogram analysis of ultrasonic transmission (18.5–19 kHz) with simultaneous keyboard typing. Keyboard noise spans a broad frequency range but shows minimal interference with the ultrasonic signal.]

The data is encoded using a method called Binary Frequency Shift Keying (B-FSK), where small frequency shifts are used to represent 1s and 0s. Essentially, the air-gapped computer is “whispering” sensitive data into the air, undetectable to people nearby.

Step 3: Smartwatch Becomes the Middleman

If a smartwatch worn by someone nearby is also infected with malware, it can act as a listening device. The watch records the ultrasonic signals and decodes the transmitted information. From there, it sends the stolen data to an external server — completing the exfiltration from what was supposed to be a physically isolated system.

Why This Matters

Air-gapped systems are typically used in environments where absolute security is essential, such as:

  • Critical infrastructure (e.g., nuclear power plants)

  • Military command centres

  • Government intelligence facilities

  • Highly classified R&D labs

SmartAttack shows that these environments are no longer invulnerable simply because they’re disconnected from the internet. Everyday consumer electronics — smartwatches, earbuds, fitness trackers — can now be exploited to bypass the air gap entirely.

Defensive Measures

While this type of attack is sophisticated and requires multiple layers of compromise, it’s a wake-up call for security leaders. The researchers recommend:

  • Banning or restricting smartwatches and other wearables in sensitive environments

  • Disabling or removing speakers from air-gapped systems if they’re not strictly necessary

  • Implementing ultrasonic jamming or white noise generators to mask any covert audio signals

  • Increasing surveillance and detection of insider threats and anomalous system behaviour
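The spectrogram caption above makes the point that keyboard noise spreads across many frequencies while the B-FSK signal sits in one narrow band. That contrast is what the monitor below looks for; it is an added example, not the Ben-Gurion researchers’ code. It uses the Goertzel algorithm (pure Python, no audio libraries) to measure power in 250 Hz bins across the 18-22 kHz band and flags a frame when the strongest bin carries far more power than the band’s median, which is how a keyed tone looks against flat room noise. The band edges come from the write-up; the bin step, the 50x threshold, the 48 kHz sample rate and the synthetic test audio are assumptions made for this example.

```python
import math
import random

SAMPLE_RATE = 48_000                 # Hz (assumed); keeps 22 kHz below Nyquist
ULTRASONIC_BAND = (18_000, 22_000)   # the range named in the SmartAttack write-up

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Signal power at one frequency via the Goertzel algorithm (no FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s = x + coeff * s1 - s2
        s2, s1 = s1, s
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_alert(samples, rate=SAMPLE_RATE, step=250, ratio=50.0):
    """Scan 18-22 kHz in `step` Hz bins and flag the frame when the strongest bin
    holds `ratio` times the band's median power. A tone-keyed channel (B-FSK)
    shows up as one narrow peak; room noise and keyboard clicks spread across the
    whole band. Returns (flagged, peak_frequency_hz)."""
    freqs = range(ULTRASONIC_BAND[0], ULTRASONIC_BAND[1] + 1, step)
    powers = [goertzel_power(samples, f, rate) for f in freqs]
    peak = max(powers)
    median = sorted(powers)[len(powers) // 2]
    return peak > ratio * median, freqs[powers.index(peak)]

def make_frame(tone_hz=None, duration=0.1, rate=SAMPLE_RATE, seed=1):
    """Constructed test audio: a 440 Hz room tone plus white noise, optionally
    carrying a quiet ultrasonic tone such as a single B-FSK symbol would produce."""
    rng = random.Random(seed)
    frame = []
    for n in range(int(duration * rate)):
        t = n / rate
        x = 0.3 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0, 0.01)
        if tone_hz:
            x += 0.05 * math.sin(2 * math.pi * tone_hz * t)
        frame.append(x)
    return frame

if __name__ == "__main__":
    print("clean frame:", ultrasonic_alert(make_frame()))
    print("frame with 18.5 kHz tone:", ultrasonic_alert(make_frame(18_500)))
```

Fed 100 ms frames from a room microphone, the same check gives a cheap first-pass alarm for covert audio; it does not decode anything, it only tells you that something narrowband is being emitted where nothing should be.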

The Bigger Picture

SmartAttack is part of a growing trend of covert data exfiltration techniques that exploit physical channels — light, sound, temperature, electromagnetic waves — instead of traditional network connections. Past research from the same university has showcased similar concepts using:

  • Computer fans (Fansmitter)

  • Screen brightness (BRIGHTNESS)

  • Keyboard LEDs (LED-it-GO)

These are not science fiction. They are real-world attack vectors, and organisations relying on air gaps alone must start thinking beyond traditional security assumptions.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
