CyberWire Daily - A blast from the breached past.

Episode Date: June 20, 2025

An historic data breach that wasn’t. Aflac says it stopped a ransomware attack. Cloudflare thwarts a record-breaking DDoS attack. Mocha Manakin combines clever social engineering with custom-built malware. The Godfather Android trojan uses a sophisticated virtualization technique to hijack banking and crypto apps. A British expert on Russian information warfare is targeted in a sophisticated spear-phishing campaign. A federal judge dismisses a lawsuit against CrowdStrike filed by airline passengers. Banana Squad disguises malicious code as legitimate open-source software. The U.S. Justice Department wants to seize over $225 million in cryptocurrency linked to romance and investment scams. Ben Yelin explains the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged DOGE misconduct. This one weird audio trick leaves AI scam calls speechless.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are joined by Ben Yelin, co-host of the Caveat podcast and Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, discussing the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged misconduct by Elon Musk’s "Department of Government Efficiency" (DOGE). You can learn more here.
Selected Reading
No, the 16 billion credentials leak is not a new data breach (Bleeping Computer)
Aflac says it stopped ransomware attack launched by ‘sophisticated cybercrime group’ (The Record)
Record-Breaking 7.3 Tbps DDoS Attack Targets Hosting Provider (SecurityWeek)
New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack (Hackread)
Godfather Android Trojan Creates Sandbox on Infected Devices (SecurityWeek)
Russia Expert Falls Prey to Elite Hackers Disguised as US Officials (Infosecurity Magazine)
Judge Axes Flight Disruption Suit Tied to CrowdStrike Outage (GovInfo Security)
Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories (Hackread)
DOJ moves to seize $225 million in crypto stolen by scammers (The Record)
Boffins devise voice-altering tech to jam 'vishing' ploys (The Register)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout. That's joindeleteeme.com slash n2k, code n2k. An historic data breach that wasn't. Aflac says it stopped a ransomware attack. Cloudflare thwarts a record-breaking DDoS attack. Mocha Manakin combines clever social engineering with custom-built malware. The Godfather Android Trojan uses a sophisticated virtualization technique to hijack banking and crypto apps. A British expert on Russian information warfare is targeted in a sophisticated spear-phishing campaign. A federal judge dismisses a lawsuit
Starting point is 00:02:01 against CrowdStrike filed by airline passengers. Banana Squad disguises malicious code as legitimate open-source software. The U.S. Justice Department wants to seize over $225 million in cryptocurrency linked to romance and investment scams. Ben Yelin explains the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged DOGE misconduct. And this one weird audio trick leaves AI scam calls speechless. It's Friday, June 20th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Starting point is 00:02:46 Thanks for joining us here today. It's great to have you with us. Happy Friday. News broke yesterday about a so-called historic data breach. Except it's not a breach at all. What actually happened is that someone exposed a massive database of stolen credentials online. But the catch is these credentials weren't freshly stolen. They were scraped from older breaches, infostealer malware logs, and credential stuffing attacks.
Starting point is 00:03:26 In other words, this is a giant compilation of already compromised data, some of it years old. CyberNews, who found the exposed trove, said the format matched what's commonly used by infostealer malware. That malware quietly grabs passwords stored in browsers and apps, then ships them off to cyber criminals. These logs get traded or dumped on sites like Telegram all the time. So no, the sky isn't falling again. But yes, you should still update your security hygiene. Aflac says it stopped a ransomware attack launched by a sophisticated cybercrime group on June 12, though some data was stolen before the breach was contained.
Starting point is 00:04:14 While the ransomware didn't disrupt operations, the stolen files may include sensitive personal and health data from customers, employees, and agents. Aflac suspects the hackers used social engineering, possibly impersonating IT staff, to access systems, a tactic linked to Scattered Spider, a group recently targeting insurance firms. Google and cybersecurity experts warn this campaign is ongoing and highly coordinated. Aflac has alerted the SEC, set up a helpline, and is offering identity protection. The company emphasized its ability to continue business as usual.
Starting point is 00:04:53 This is the second breach Aflac has faced in two years following a 2023 incident involving 1.3 million customers in Japan. Cloudflare recently stopped a massive DDoS attack that peaked at 7.3 terabits per second, the largest it has ever seen. The attack hit a hosting provider in mid-May and lasted just 45 seconds, but still delivered 37.4 terabytes of traffic. It targeted nearly 22,000 destination ports per second on a single IP.
Starting point is 00:05:27 Over 99% of the traffic was from UDP floods, with smaller amounts from other attack types. The assault came from 122,000 IPs spread across 161 countries, highlighting growing threats to core Internet infrastructure. A new cyber threat called Mocha Manakin has emerged, combining clever social engineering with custom-built malware. Discovered by Red Canary back in January, it tricks users with fake instructions, like CAPTCHA tests, that get them to copy and run harmful PowerShell commands. These commands download and launch a backdoor named NodeInitRAT, hidden in a zip file
Starting point is 00:06:12 with a legitimate node.exe. Once running, NodeInitRAT can collect data, execute commands, and potentially install ransomware. While no ransomware has yet been linked directly, Red Canary sees a strong possibility, citing links to Interlock ransomware. Mocha Manakin hides its traffic using Cloudflare tunnels, making it harder to detect.
Starting point is 00:06:38 Red Canary urges organizations to train users, monitor systems, and block suspicious network activity to guard against this evolving and deceptive threat. A new version of the Godfather Android Trojan is using a sophisticated virtualization technique to hijack banking and crypto apps, according to Zimperium. Based on the Anubis Trojan, Godfather now sets up a sandbox on infected devices to run real copies of target apps, making it harder to detect. When users open their apps, they're redirected to virtualized versions controlled by the malware, which captures everything in real time. Godfather uses open-source tools like Xposed and VirtualApp to pull this off, allowing
Starting point is 00:07:26 attackers full visibility and control over user interactions. It also alters APK and Android manifest files to evade detection and uses Android's accessibility services to trick users into granting permissions. Currently it's being used against Turkish banks. Keir Giles, a British expert on Russian information warfare, was recently targeted in a sophisticated spear-phishing campaign using advanced social engineering. The attacker posed as a U.S. State Department official named Claudia S. Weber and invited Giles to a fake consultation. The ploy was convincing, complete with official-sounding emails and cc'd State Department
Starting point is 00:08:12 addresses that didn't actually exist. Backed by a PDF that mimicked government documentation, the attacker asked Giles to generate an app-specific password to access a secure platform. In reality, this would have granted them persistent access to his Gmail. Google and Citizen Lab investigated the attack and linked it with low confidence to Russian state-sponsored actor APT29. Although Giles didn't use the targeted email account, he believes attackers may still manipulate stolen data as part
Starting point is 00:08:46 of a broader disinformation effort. Researchers say the campaign was unusually patient and adaptive, likely using a large language model to craft replies. A federal judge has dismissed a lawsuit against CrowdStrike filed by airline passengers over its 2024 software update that disrupted airline operations. The judge ruled that the claims were preempted by the Airline Deregulation Act, even though CrowdStrike isn't an airline. The court found that the disruptions affecting ticketing, boarding, and scheduling were directly tied to airline services, which the ADA protects from inconsistent state laws.
Starting point is 00:09:30 Plaintiffs accused CrowdStrike of negligence, claiming it failed to test or warn about the update, which crashed critical systems and stranded travelers. While the plaintiffs argued that CrowdStrike shouldn't benefit from ADA preemption as a third-party vendor, the court disagreed, emphasizing the company's central role in airline operations. Even claims of stress and physical injury were dismissed, as the court maintained the harm stemmed from service disruptions, not direct personal harm. The decision sets a precedent protecting vendors closely tied to airline operations from certain lawsuits. Researchers at ReversingLabs have uncovered a new cyber threat led by Banana Squad, a
Starting point is 00:10:17 group known for disguising malicious code as legitimate open-source software. The group created over 60 fake repositories on GitHub posing as Python hacking tools but secretly containing malware designed to steal sensitive data from Windows systems, targeting apps, browsers, and even cryptocurrency wallets. One tactic involves hiding harmful code in long, invisible lines pushed off screen, making it hard for developers to detect. Banana Squad previously released hundreds of malicious packages, downloaded nearly 75,000
Starting point is 00:10:53 times before removal. Despite a 70% drop in malware across open-source platforms in 2024, threats are evolving. Attackers now use stealthier, more sophisticated methods. Reports also show rising risks from secret leaks and vulnerable code in popular open-source software packages. The U.S. Justice Department is seeking to seize over $225 million in cryptocurrency linked to romance and investment scams run from Vietnam and the Philippines.
Starting point is 00:11:28 The funds, traced via blockchain analysis by the FBI and Secret Service, were laundered through hundreds of wallets and thousands of transactions. Over 430 victims across multiple U.S. states were defrauded, often through fake social media connections offering crypto investments. Victims sent millions, only to be locked out of their accounts after being asked for fake fees to withdraw funds. The scheme, linked to Vietnamese nationals operating in Philippine scam compounds, used fake documents and centralized IP addresses. Exchange OKX and blockchain firm Tether helped track the activity.
Starting point is 00:12:09 This marks the largest crypto seizure in U.S. Secret Service history and highlights growing law enforcement capabilities in recovering stolen digital assets amid a broader surge in global crypto scams, which cost victims $5.8 billion last year. Coming up after the break, Ben Yelin explains the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged DOGE misconduct. And this one weird audio trick leaves AI scam calls speechless. Stick around. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats.
Starting point is 00:13:15 ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Starting point is 00:13:53 Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making
Starting point is 00:14:23 your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at Vanta.com slash cyber.
Starting point is 00:15:15 And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also Reform. This is from the Democrats' side of the House, and they dropped a press release here. It's titled, Following Whistleblower Reports, Acting Ranking Member Lynch Demands Microsoft Hand Over Information on DOGE's Misconduct at NLRB. Can you unpack this for us, Ben? What's going on here? Sure. So we have this whistleblower disclosure and also some public reporting from NPR. The acting ranking member of the committee is
Starting point is 00:15:54 Representative Stephen Lynch of Massachusetts; the permanent ranking member unfortunately passed away recently. And he has issued a demand for information from Microsoft alleging misconduct involving NLRB systems, so that's the National Labor Relations Board. This has to do with the group known as DOGE, Department of Government Efficiency. Right, Elon Musk's gang. Exactly. So Elon himself is now gone from this effort; he's back to managing his own companies. But DOGE itself is still in existence. They have a bunch of young engineers on staff.
Starting point is 00:16:33 And a lot has come out both as to what they're currently doing and to what they've done since DOGE was set up in January. And the alleged misconduct here was accessing NLRB systems to delete records, install backdoors, and exfiltrate data, potentially including sensitive labor and corporate information. So the NLRB manages labor relations. They have high-profile cases with big companies and organized labor, so SEIU, AFL-CIO. The evidence actually comes from GitHub, which is owned by Microsoft. And that's why the request for information
Starting point is 00:17:12 has gone to Microsoft. So according to the whistleblower, one of the DOGE engineers is said to have posted a project entitled NXGen B-Door Extract, which I'm just gonna go ahead and say was not the best idea for a title. If you don't wanna- If you're gonna be stealthy, yeah. Yeah, way to make it look extremely suspicious.
Starting point is 00:17:32 Right, right. 'Cause that obviously implies that there is a backdoor targeting NLRB's internal system. One potential impact of this is that this could be a conflict of interest for Elon Musk, since his companies like Tesla and X potentially could be under NLRB scrutiny. They have been in the past. And of course, Musk was the head of DOGE. And then we just don't know what information possibly was released or compromised. So this letter requests from
Starting point is 00:18:07 Microsoft, prior to June 30th, a complete clone of the NXGen B-Door Extract GitHub repository, including the entire history; clones of any repositories committed to by Jordan Wick, which I believe is the identified representative from the DOGE team, from January 1st to May 15th of this year; and a list of all private GitHub repositories accessed from NLRB during that period. I'm not sure if Microsoft is going to be compelled to respond to this. A response is voluntary. That was my next question.
Starting point is 00:18:45 This is a request but not a demand, I suppose. Right. You can't really issue demands when you're in the minority because you have to have a vote among the full committee to issue a legal subpoena. So unless they can conjure up a couple of Republican members to join them, the Democrats are a minority in the House, therefore a minority on this committee, and they don't have
Starting point is 00:19:07 subpoena power. Which means it's very likely that this is not going to be a legally binding request and Microsoft is free to ignore it. Which they might; they might choose to volunteer this information, or this just might be a way for Democratic members of the committee to raise awareness of this issue and draw more eyes on what they see as shoddy practices from the Department of Government Efficiency in protecting data. So the House Oversight Committee, they have investigatory authority, but not, because it's the Democratic side, subpoena authority. Is that right?
Starting point is 00:19:46 That is correct. So the full committee does have subpoena authority, but you have to have a vote of the full committee. And I'm guessing if Democratic members called for a vote on this, they would lose. I think there are some Republicans who have expressed problems here and there with the Department of Government Efficiency efforts, but not enough that they would put Elon Musk and potentially President Trump under the microscope through a legally binding subpoena. I see. So, chances are that this might not go anywhere other than public awareness.
Starting point is 00:20:18 Exactly. I think the letter itself is the effort. It's designed to get into the news articles, maybe into some daily cybersecurity-themed podcasts. It's to have a conversation about some of these shoddy practices and to raise awareness of both the whistleblower report and further public reporting done on this by news organizations. So I think that's the main purpose of this. Maybe they'll get lucky and there'll be bipartisan support for a binding subpoena.
Starting point is 00:20:50 I doubt that that's the case. Does it strike you as, I don't know, concerning, disturbing how matter-of-fact these sorts of things are, that there could be massive data exfiltration from the NLRB and, eh, you know, it's just par for the course these days? Yeah, I think part of it is just we are on information overload and things start to blend together. I mean, there have been a lot of allegations of shoddy data security practices coming out of DOGE. And unless you follow the stuff very closely like we do, it just kind of all gets lost in the shuffle.
Starting point is 00:21:25 I think people have a general impression that there's some level of controversy here. Certainly they got into records of the Office of Personnel Management and there have been lawsuits. But it's just hard for any story to break through in the news environment where a million other things are happening. I guarantee you that the insults lobbed by Elon Musk and Donald Trump against one another will get one million times the eyeballs as a story about shoddy data practices. And that's just the way our news environment is. Yeah. All right. Well, Ben Yelin is from the University of Maryland Center for Health and Homeland Security. But more importantly than that, he is my co-host on the Caveat Podcast, which if you have not
Starting point is 00:22:11 done so, you should absolutely check out. Ben Yelin, thanks so much for joining us. Thank you. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate
Starting point is 00:22:49 hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. And finally, in a world where AI-powered scammers can sweet-talk their way into your bank account, researchers from Israel and India have decided it's time to fight fire with weird noises.
Starting point is 00:23:38 Their new tool, ASRJam, is a crafty defense against vishing scams, those charming robot calls pretending to be helpful strangers with urgent investment opportunities. ASRJam uses EchoGuard, a sound-bending algorithm that warps your voice just enough to confuse AI speech recognition while still letting humans understand you. It's like mumbling in just the right frequency to fluster a robot, but not your grandma. The defense works in real time, invisibly, and unlike previous efforts, it's subtle, not the audio equivalent of nails on a chalkboard. Against most AI models, including OpenAI's Whisper,
Starting point is 00:24:22 it's highly effective at scrambling scammer bots mid-chat. The researchers call it pleasantly disruptive. Let's hope scam artists hate it as much as we love the idea of giving them a taste of their own digital medicine. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Dustin Childs, head of Threat Awareness at Trend Micro's Zero Day Initiative. The research we're discussing is titled, The Potential Impact of Overly Permissive
Starting point is 00:25:14 SaaS Tokens on PC Manager Supply Chains. That's Research Saturday, check it out. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until the end of August this year. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth.
Starting point is 00:25:36 Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here next week. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com slash purple-knight.
Starting point is 00:26:45 That's semperis.com slash purple-knight.
