April 2, 2025 14 mins

 

In this episode of Cyber Security Today, host Jim Love covers several major cybersecurity incidents and vulnerabilities. Key stories include the compromise of Windows Defender and other Endpoint Detection and Response (EDR) systems, a data breach on X (formerly known as Twitter) exposing over 200 million user records, and a security flaw in several UK-based dating apps that led to the exposure of approximately 1.5 million private images. The discussion highlights how attackers are increasingly using legitimate software tools to bypass security measures and what these breaches mean for users, and offers practical tips for maintaining robust cybersecurity.

00:00 Introduction to Today's Cyber Security News
00:29 Compromised Endpoint Detection and Response Systems
01:06 Bypassing Windows Defender: Methods and Implications
02:52 Ransomware Tactics and Legitimate Tool Exploits
04:20 Time Traveling Attacks and EDR Limitations
06:33 Massive Data Breach on X (Twitter)
08:30 UK Dating Apps Expose Private Images
10:47 Fraud Alerts and Scams
13:25 Conclusion and Final Thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
Windows Defender and other endpoint detection and response software is compromised. X, or Twitter, has a hack that exposes over 200 million records. A UK-based dating site is hacked, revealing, well, a lot. And a couple of fraud alerts and tips from our listeners. This is Cybersecurity Today. I'm your host, Jim Love.

(00:23):
I put this together from three or more stories that I've seen over the past few days. They all have a similar theme. One of the mainstays of protection against cyber attacks is endpoint detection and response, or EDR, systems. These systems are crucial for detecting and mitigating malicious activities on the endpoint. For many home office workers, these might be the only defense that they have.

(00:46):
Indeed, these users might think that if they have this software installed and it's automatically updated, well, what could go wrong? A lot, apparently. Recent reports have highlighted several innovative methods employed by attackers to bypass these security measures, posing significant challenges for organizations and individuals.

(01:06):
Windows Defender is one of the more popular EDR tools, and it has a reasonably good reputation for restricting application execution to trusted software packages. But recently, an article in Forbes confirmed that there's a way to bypass Windows Defender, and it may be being used. Attackers use a variant of what's been termed living off the land

(01:28):
binaries, which has an acronym that just rolls off your tongue: LOLBins, which causes many to shorten it to LOL, but it's not funny, not in the slightest. What it means is finding a way to hide an attack in legitimate software and processes, to give a high-level and simplistic summary.

(01:49):
One current attack that Microsoft has acknowledged has the attackers using a trusted binary like MSBuild.exe. It's a standard pre-installed tool for compiling and linking code. Then they would sideload a trusted application from an untrusted library, and by modifying the malicious code to appear benign or by fragmenting the

(02:12):
payloads to avoid signature detection, the cyber criminals can bypass the analysis and heuristic detection mechanisms that drive Windows Defender. The net effect is Windows Defender doesn't see this as malware, and the hackers are free to execute on targeted systems without triggering alerts, compromising the system integrity and the data security.

(02:35):
The bottom line is that the user may think they're safe, but they're not. This has been recently reported, and Microsoft has established that there are bypasses for Windows Defender, but it's not new, and nor is it restricted to attacks merely on Windows Defender. Ransomware groups have increasingly been adopting tactics exploiting

(02:56):
legitimate but vulnerable drivers, often within the Windows operating systems, to disable EDR solutions. By leveraging these drivers, attackers are gaining kernel-level access, allowing them to terminate security processes and then operate undetected. They're using tools such as EDRSilencer, EDRSandBlast and

(03:16):
Terminator, and these all make use of legitimate functions and tools. So their activity may not be seen as a threat, and they may fool the endpoint defenses and then facilitate malicious activities like data exfiltration or ransomware deployment. One of these tools, EDRKillShifter, was first seen deployed by RansomHub in August 2024.

(03:39):
It too exploits legitimate but vulnerable drivers on Windows machines to terminate the EDR products. But even fully legitimate tools can be compromised and used. HRSword is part of a security software suite developed by China-based Huorong Network Technology. It's designed to monitor system activity, and it has been

(04:01):
used in ransomware attacks. As one expert noted, it's a legitimate commercial tool, but now threat actors are co-opting it for their own purposes. But there are other ways used to get past EDR and other security measures, and there was another story on one of these today that I was watching, again in Forbes. One of these involves what's been called time traveling: using valid but

(04:25):
expired security certificates and manipulating the system clock. By altering the system time, attackers make expired security certificates appear valid, and they evade the detection mechanisms. Now, does this mean that EDR isn't a valid defense? Of course not. The problem arises when we treat it as the only line of defense or,

(04:49):
and this is also important, when it's not configured correctly. EDR, unfortunately, is not a set-it-and-forget-it defense. Ensuring automated updates is critically important. Companies like Microsoft pay big bounties for people who can crack their EDR software, and they'll get patches out as quickly as possible.

(05:10):
But some of the patches won't only be in the EDR software. You may need to keep all of your software up to date and ensure that your users only load software from legitimate sources. I know we go on about this, but this is important. If you're gonna go to places, even legitimate places like GitHub, you need to make sure you really know what you're doing.

(05:31):
And of course, never ever load software that doesn't come from a legitimate vendor or where you're not certain or have carefully researched the source. That's the usual wisdom that we try to follow and impart to our user community. But in a world where EDR can be fooled, you also have to continuously monitor the configuration to ensure that it was done properly at the start, but that

(05:55):
also nothing has changed or bypassed it. A favorite trick of hackers is to set the EDR to monitor and alert, but not prevent. So the user gets an alarm, but the attack's not really blocked. And of course, as much as people might hate us, those of you in corporate roles have to fight like mad to enforce these rules.

(06:17):
But also, depending on your budgets and resources, you may wanna start looking at monitoring tools and security solutions that focus on detecting anomalous behavior rather than relying solely on signature-based detection. Recent reports indicate a significant data breach involving X, formerly known as Twitter, potentially affecting up to 200 million user profiles.

(06:43):
Just this weekend, a team at SafetyDetectives found a post on a hacking message board, BreachForums, that came from a poster with the handle ThinkingOne, and this follows on other reports that close to 3 billion affected profiles were leaked earlier this year. But the reality on that one is the estimates of how many people actually use X or Twitter range between 300 and 600 million.

(07:05):
So if that large amount is reported, chances are that they've got a lot of bots in there, or that it's an exaggeration. But the post they found on the weekend, whether it's related to this earlier rumored breach or not, did include a 34 gigabyte CSV file. And that file contained more than 200 million entries of data reportedly belonging to X users.

(07:26):
The origin of the breach remains uncertain. Some sources suggest it might be this original big hack that occurred earlier that some said was the result of an insider threat: a disgruntled employee purportedly exfiltrating the data during the mass layoffs following Elon Musk's acquisition of the company in 2022. But whatever the source, this breach data reportedly involves a vast number of user

(07:49):
profiles and contains a lot of metadata. It doesn't have email addresses, but according to one expert, this data could be used in conjunction with an earlier data breach, which might be able to match up this data with emails. That would make this a huge source for phishing attacks. At the time we recorded, X had still not officially acknowledged the breach.

(08:12):
A little transparency would be welcome from the proponents of free speech, but apparently we'll just have to wait at this point. All we can say is that users are advised to remain vigilant by monitoring their accounts for unusual activity and updating their security settings as a precautionary measure. Another significant data breach has exposed approximately 1.5 million private

(08:35):
images from several dating apps catering to, let's just say, open-minded people. The affected applications, BDSM People, Chica, Trans Love, Pink and British, are all developed by UK-based MAD, or Mobile Apps Developers Limited. Due to a coding flaw, these apps stored user images in Google Cloud

(08:57):
Storage buckets without password protection, leaving sensitive content publicly accessible. BDSM People, AKA Kinky Fetish Dating, leaked over 541,000 private images, including 90,000 from direct messages. Chica, which describes itself as selective dating, exposed

(09:20):
approximately 133,000 photos, some again from private chats. And Trans Love, Pink and British collectively leaked over 1.1 million images encompassing profile photos, private messages and images. The breach was discovered by cybersecurity researchers who found the apps' developers had left sensitive data, including the API keys and database details,

(09:44):
exposed within the application code. This oversight allowed unauthorized access to user-uploaded images, profile photos, and of course private messages. Users of these apps now face increased risks of extortion, identity theft, and some social engineering attacks. Cybersecurity experts warned that malicious actors could exploit this data,

(10:07):
especially targeting public figures or individuals in vulnerable situations. MAD Mobile Apps Developers Limited acknowledges the security flaws, stating the vulnerabilities have been addressed, and assures users that their data's now secure. They emphasized that the issue was identified through a controlled experiment by cybersecurity researchers with no evidence of malicious exploitation.

(10:31):
So at this point, we don't know a lot about the leaked data, but it is sensitive and it's an important subject. When people put intensely personal information on any site, they have to presume those sites could be hacked. And a couple of fraud alerts that came from our listeners. Both of these come from Canada, but I'm betting they have

(10:52):
parallels in the US and elsewhere. Telephone scammers have been trying to steal credit card and other personal information from Canadians by claiming they're winners of one of the country's biggest and most recognizable charity lotteries. The scammers call people claiming they're second place winners of a Dodge Ram truck in the Princess Margaret Hospital lottery.

(11:13):
A potential target told me that the scammer who called them asked if they'd be home the next day. When the would-be victim asked questions about this, the caller simply hung up. Probably what they were looking for was the person's credit card number or some other information that they could use. How do we know this? Well, according to a news report last summer, that's what the scammer was after

(11:34):
when this scam was tried in Stratford, Ontario, and before the scammer hung up, they said they'd come by the next day and the victim should have their credit card ready. And while all our listeners will know that if someone phones you claiming to be from a lottery or the police or a government department, even if they know your home address, you don't give out personal information, especially

(11:56):
a credit card number, other information could be just as dangerous. And there's a parallel note to this, especially for Canadians. During the election, there's been an explosion of fraudulent news pages on Facebook. In one example, the page was set to look like a news page from the website of the CBC, Canada's national broadcaster, and it looks stunningly authentic.

(12:20):
And while these are prevalent in this Canadian election, we've seen similar spoofs on both Facebook and Microsoft Edge's browser, although the ones on Edge were primarily investment-related scams. But they all follow the same line of attack. They look like an authentic news article. They feature some well-known individual, and they claim that there's a secret that's been revealed, or they want you to call them for a poll, or they

(12:43):
feature crypto-type investments. The bottom line is they want you to contact them and give them some information. Now in the case of Canada, due to another argument between our government and Meta, we aren't allowed to share any news stories, but apparently Facebook can block those news stories but is happy to take money from fraudsters who

(13:06):
are putting in fake news stories that can trap individuals and exploit them. It's yet another thing to put into your training information programs, and it's yet another thing to put on the Facebook wall of shame. Where there's money involved, there really is something called fake news. And that's our show.

(13:27):
Took me longer than usual to write today's show. I kept thinking I had to watch out for April Fool's stories, and I must confess, I almost got fooled by one of them, but I dug around a little more than usual today. Thank God we'll be back to normal tomorrow, although normal is "you can't make this stuff up." I'm your host, Jim Love.

(13:47):
Thanks for listening.