CyberBakery Chronicles (25 April 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (25 April 2025)

Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), has announced his commitment to oppose Donald Trump’s political endeavours actively. Krebs, who was dismissed by Trump in 2020 after refuting claims of election fraud, is now dedicating his efforts to countering what he perceives as threats to democratic institutions.

Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, testifies during a Senate Homeland Security and Governmental Affairs Committee hearing on December 16, 2020 in Washington, DC. Credit: Getty Images

In April 2025, during Trump’s second term, an executive order was issued to revoke the security clearances of Krebs and Miles Taylor, a former Department of Homeland Security chief of staff. The order also initiated investigations into their previous governmental roles. Krebs and his supporters view these actions as politically motivated retribution. 

The inclusion of SentinelOne in the clearance revocation is a particularly eyebrow-raising development. SentinelOne, a leading provider of AI-driven cybersecurity solutions, services major public and private sector clients, including critical infrastructure and defence organisations. Revoking the company’s security clearance not only impacts Krebs but also jeopardises its ability to contribute to national cyber defence.

A spokesperson for SentinelOne said the company is “evaluating all legal options” and reaffirmed its commitment to cybersecurity and democratic values. Industry analysts have expressed concern that such actions could discourage private companies from employing experts with government experience or voicing dissent. Following these comments, on 09 April 2025 Chris Krebs stepped away from SentinelOne, and SentinelOne has since updated its official statement.

Krebs has expressed his determination to defend democratic principles and institutions, emphasising the importance of truth and integrity in governance. His stance underscores the ongoing tensions between former officials and the current administration over issues of election integrity and political accountability.

WhatsApp has introduced a new feature called “Advanced Chat Privacy” to enhance user privacy by restricting the sharing and storage of chat content.

Key Features of Advanced Chat Privacy

  • Prevent Chat Exports: When enabled, this feature stops participants in both individual and group chats from exporting the conversation history. 

  • Disable Auto-Downloads: This prevents media files, such as photos and videos, from being automatically saved to users’ devices, reducing unintended data sharing.

  • Restrict AI Features: This setting disables the use of Meta AI tools within the chat, including AI-generated responses and image creation. 

Image: WhatsApp

Despite these enhancements, it’s worth noting that users can still manually take screenshots or download media files. WhatsApp acknowledges this limitation and refers to the current rollout as the “first version” of the feature, with plans for additional protections in future updates. 

Usage Recommendations

WhatsApp suggests using Advanced Chat Privacy in scenarios involving sensitive conversations, especially in group chats where not all participants are familiar with each other. To activate this feature, users can navigate to the chat’s settings and select “Advanced Chat Privacy.” 

This update is part of WhatsApp’s broader efforts to enhance user privacy and control over personal data. Users are encouraged to keep their apps up to date to access the latest privacy features.

Car rental giant Hertz has confirmed that personal data of Australian customers may have been compromised due to a breach involving a third-party file transfer platform.

The incident stems from unauthorised access to Cleo Communications’ file transfer software, which Hertz utilises for specific data exchanges. Attackers exploited zero-day vulnerabilities in Cleo’s platform during October and December 2024, leading to the acquisition of specific Hertz data. 

Initially, Hertz reported no evidence of impact from the breach. However, after completing a thorough data analysis in April 2025, the company acknowledged that the personal information of Australian individuals may have been affected. This includes names, contact details, dates of birth, driver’s license numbers, and payment card information. A very small number of individuals may have also had their passport information compromised. 

Hertz has reported the incident to law enforcement and is notifying relevant regulatory bodies. To support affected customers, the company has engaged cybersecurity firm Kroll to provide identity monitoring services. Hertz emphasised that, to date, there is no evidence that the compromised personal information has been used for fraudulent purposes. 

The company reiterated its commitment to data privacy and security, noting that the breach was confined to the third-party platform and did not impact Hertz’s internal systems.

Japan’s Financial Services Agency (FSA) has issued a warning about a surge in unauthorised stock trading activities, where attackers are exploiting stolen credentials to access online brokerage accounts. These credentials are primarily obtained through phishing websites that closely mimic the homepages of legitimate securities firms, deceiving users into divulging their login information.

Image: Birgit Korber via Alamy Stock Photo

Scale of the Breach

The issue first came to light in February 2025, when two securities firms reported instances of fraudulent transactions. Since then, the number of affected firms has increased to six, with a total of 3,312 unauthorised access incidents reported. Out of these, 1,454 have resulted in fraudulent transactions. Typically, attackers gain access to victims’ accounts, liquidate their existing stock holdings, and use the proceeds to buy Chinese stocks, which are then left in the compromised accounts.

FSA’s Recommendations

To mitigate the risk of falling victim to such attacks, the FSA advises users of online trading services to:

  • Avoid clicking on links in unsolicited emails or text messages.

  • Bookmark the official websites of their securities firms to ensure they are accessing legitimate platforms.

  • Enable enhanced security features offered by their brokerage services, such as multifactor authentication (MFA) and real-time notifications for logins, trades, and fund withdrawals.

  • Remain vigilant for any suspicious transactions or activities within their accounts.

The FSA also cautions users to be wary of counterfeit e-trading advertisements and phishing emails that impersonate financial institutions.

Trail of Bits recently uncovered a sophisticated social engineering campaign by the threat actor known as ELUSIVE COMET, which exploits Zoom’s remote control feature to compromise systems and steal cryptocurrency. This operation underscores the growing trend of attackers leveraging legitimate tools within standard workflows to bypass traditional security measures.

The Attack Strategy

The campaign begins with attackers impersonating journalists from reputable outlets, such as Bloomberg Crypto. They reach out via social media platforms, such as X (formerly Twitter), using accounts like @EditorStacy and @KOanhHa, and direct targets to schedule interviews through fraudulent Calendly links (e.g., calendly[.]com/bloombergseries). Notably, they avoid email communications to maintain the facade.

X DMs between Dan Guido (Trail of Bits CEO) and sockpuppet accounts from ELUSIVE COMET

During the Zoom meeting, the attacker shares their screen and requests remote control access. By changing their display name to “Zoom,” the request prompt misleadingly reads, “Zoom is requesting remote control of your screen.” If the target approves, the attacker gains full control over the victim’s system, enabling data exfiltration, malware installation, or unauthorised cryptocurrency transactions.

Defensive Measures

Trail of Bits recommends a multi-layered defence approach to mitigate such threats:

  • System-wide Protection: Implement Privacy Preferences Policy Control (PPPC) profiles to restrict unauthorised accessibility access.

  • Active Monitoring: Regularly audit the Transparency, Consent, and Control (TCC) database to detect and respond to unexpected permission changes.

  • Application Management: Consider removing or restricting the use of Zoom on systems handling sensitive operations.

  • User Training: Educate employees about the risks of social engineering and the importance of verifying the authenticity of meeting requests and participants.

These measures aim to bolster operational security and protect against human-centric attack vectors that exploit trust and routine workflows. 
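One way to implement the TCC audit recommended above, as an added example (not Trail of Bits' tooling or code from the original newsletter): a Python script that queries the `access` table of a macOS TCC database for Accessibility grants and reports any client outside an allowlist. The column subset, the meaning of `auth_value` 2 as "allowed", the Zoom bundle identifier `us.zoom.xos`, the allowlist and the sample rows are assumptions or constructed for this example.

```python
import sqlite3
from typing import Iterable, List, Tuple

# Subset of the columns of the `access` table in TCC.db (assumed from the
# schema on recent macOS versions; the real table has more columns).
TCC_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,  -- assumed: 2 = allowed
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# Constructed sample rows: one expected Accessibility grant, one unexpected
# grant to Zoom (bundle id assumed), and one non-Accessibility row to ignore.
SAMPLE_ROWS = [
    ("kTCCServiceAccessibility", "com.example.approved-tool", 0, 2, 2, 1745000000),
    ("kTCCServiceAccessibility", "us.zoom.xos", 0, 2, 2, 1745400000),
    ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, 1745400000),
]

# Clients an organisation has deliberately granted Accessibility (assumed).
ALLOWED_ACCESSIBILITY_CLIENTS = {"com.example.approved-tool"}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.executescript(TCC_SCHEMA)
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a real TCC.db read-only (needs Full Disk Access on macOS)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def unexpected_accessibility_grants(
    con: sqlite3.Connection, allowlist: Iterable[str]
) -> List[Tuple[str, int]]:
    """Return (client, last_modified) for allowed Accessibility grants not in the allowlist."""
    rows = con.execute(
        "SELECT client, last_modified FROM access "
        "WHERE service = 'kTCCServiceAccessibility' AND auth_value = 2"
    ).fetchall()
    return [(client, ts) for client, ts in rows if client not in set(allowlist)]
```

On a real Mac the per-user database lives at `~/Library/Application Support/com.apple.TCC/TCC.db`; a non-empty result from a scheduled run is the "unexpected permission change" the bulleted list suggests alerting on.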

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
