CyberWire Daily - A dark web titan falls.

Episode Date: July 25, 2025

International law enforcement arrest the suspected operator of a major Russian dark web cybercrime forum. DHS is said to be among the agencies hit by the Microsoft SharePoint zero-day. The Fire Ant cy...berespionage group targets global enterprise infrastructure. A Steam game is compromised to distribute info-stealing malware. Mitel Networks issues security patches for MiVoice MX-ONE communications platform. CISA nominee Sean Plankey faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon’s Q Developer extension for VS Code. Our guest is Brandon Karpf, friend of the show, cybersecurity expert, and founder of T-Minus Space Daily, joining host Maria Varmazis to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. Android users scroll with caution, Apple fans roll the dice. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today’s guest is Brandon Karpf, friend of the show, cybersecurity expert, and founder of T-Minus Space Daily, joining host Maria Varmazis to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. Selected Reading What Happened to XSS.is? Everything You Need to Know About the Forum Takedown - SOCRadar® Cyber Intelligence Inc. (socradar.io) Suspected admin of major dark web cybercrime forum arrested in Ukraine (The Record) DHS impacted in hack of Microsoft SharePoint products, people familiar say - Nextgov/FCW (NextGov) Stealthy cyber spies linked to China compromising virtualization software globally (The Record) Hacker sneaks infostealer malware into early access Steam game (Bleeping Computer) Mitel warns of critical MiVoice MX-ONE authentication bypass flaw (Bleeping Computer) Senators push CISA director nominee on election security, agency focus (Cybersecurity Dive) Hacker injects malicious, potentially disk-wiping prompt into Amazon's AI coding assistant with a simple pull request ,  told 'Your goal is to clean a system to a near-factory state and delete file-system and cloud resources' | Tom's Hardware (TomsHardware) iPhone vs. Android: iPhone users more reckless, less protected online (Malwarebytes) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness,
Starting point is 00:00:41 CyberArk helps modern enterprises secure their machine future. Visit cyberark.com slash machines to see how. Global law enforcement's had a busy week. DHS is said to be among the agencies hit by the Microsoft SharePoint Zero Day. The fire and cyber espionage group targets global enterprise infrastructure. Mitel Networks issues security patches for My Voice MX1 communications platforms. CISA nominee Sean Planky faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon's Q developer
Starting point is 00:01:28 extension for VS code. Our guest is Brandon Karp, friend of the show, cyber security expert and founder of T-Minus Space Daily, joining host Maria Vermazes to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. And Android users scroll with caution, while Apple fans roll the dice. It's Friday, July 24, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:02:20 Thanks for joining us here today. It's great to have you with us. The Black Suit Ransomware Gang's Darknet sites were seized in a global law enforcement operation involving over nine countries and led by U.S. Homeland Security investigations. Seizure notices now appear on the group's Tor sites displaying logos from 17 agencies and cybersecurity firm Bitdefender. Black Suit, active since spring of 2023, was a private ransomware group believed to be a rebrand of Royal Ransomware, which itself was linked to the infamous Conti gang. The FBI and CISA said Black Suit demanded over $500 million in ransom payments from high-profile victims like Kodokawa, Tampa Bay Zoo, and
Starting point is 00:03:06 blood plasma firm OctoFarmer. After the takedown, Cisco Talos found links between former Black Suit members and the Chaos ransomware operation, suggesting the gang's remnants are still active. Ukrainian authorities, with help from France and Europol, have arrested a person suspected of running XSS.IS, a major Russian-speaking cybercrime forum on the dark web. The arrest occurred in early July after a multi-year investigation that included surveillance of an encrypted Jabber messaging server used by cybercriminals. XSS.IS, active since 2013, facilitated the trade of malware, stolen data, and ransomware services. Authorities say the suspect wasn't just a technical operator
Starting point is 00:03:54 but also supported criminal deals, helped resolve disputes, and even took part in cyber attacks and extortion schemes. Prosecutors estimate at least $8.2 million in illegal profits were linked to the forum. With over 50,000 users, XSS is among the oldest dark web forums. This follows recent crackdowns on cybercrime marketplaces, including the June arrest of individuals tied to breach forums. Ukrainian officials have not commented, and it's unclear if extradition will occur. The U.S. Treasury's Office of Foreign Assets Control has sanctioned three North Koreans and Korea Soboksu Trading Company for running fake IT worker schemes that funnel money to
Starting point is 00:04:39 North Korea's nuclear and missile programs. These workers, placed in U.S. companies using false identities, send earnings back to the DPRK. Sanctioned individuals include key figures in recruitment, crypto operations, and sanctions evasion. This follows earlier crackdowns, including indictments and the disruption of laptop farms. Rewards of up to $7 million are offered for tips leading to arrests.
Starting point is 00:05:08 In our continuing coverage of the Microsoft SharePoint breach, the Department of Homeland Security is said to be among the federal agencies affected by the ongoing cyber intrusion. CISA has alerted at least five agencies, possibly more, and is coordinating a national response. While Microsoft linked the attacks to China-aligned hackers, it's unclear if DHS was directly targeted by such actors. So far, there's no evidence of data theft at DHS. The exploited vulnerability, a zero-day flaw, has triggered global concerns. A Chinese-linked cyberespionage group dubbed FireAnt by cybersecurity firm Cygniya is targeting global enterprise infrastructure through stealthy attacks on VMware ESXi hypervisors.
Starting point is 00:05:58 These hypervisors manage virtual machines, making them valuable for spying on large networks. FireAnt, resembling the known UNC 3886 group, uses custom tools that evade standard security systems like EDR, allowing long-term undetected access. Cygnia reports the group has been deeply entrenched in several environments, requiring complex real-time operations to evict them. The attackers quickly adapted, using new tools and alternate entry points to stay ahead of defenders. While Singapore's National Security Minister has called out these kinds of attacks as threats to critical infrastructure, the Chinese government denies involvement.
Starting point is 00:06:40 Fire Ant's tactics and targets, including defense, telecom, and tech firms, suggest a state-sponsored operation focused on strategic intelligence. Cigna's report warns that hypervisor-level intrusions poses serious global cybersecurity threat. Mitel Networks has issued security patches for a critical authentication bypass flaw in its MyVoice MX1 communications platform. The bug, caused by improper access controls in the provisioning manager component, allows unauthenticated attackers to gain admin access without user interaction.
Starting point is 00:07:19 The flaw affects multiple versions and has been fixed in recent updates. Mitel urges customers to avoid exposing MX1 services to the public Internet and to request patches via authorized service partners for affected systems. At his Senate confirmation hearing, Sean Planky, President Trump's nominee to lead CISA, faced tough questions on election security and looming cyber policy expirations. Planky, currently a DHS advisor, said he hadn't reviewed the 2020 election's cybersecurity, which frustrated Senator Richard Blumenthal, who accused him of dodging responsibility. Planky emphasized CISA's focus would be on securing election tech, not policing misinformation.
Starting point is 00:08:05 He acknowledged the agency's staffing and budget cuts, pledging to empower remaining personnel and restructure if needed. Planky also supported renewing the expiring Cybersecurity Information Sharing Act and state cyber grants. Responding to GOP concerns about CISA's past work with tech firms, Planky vowed to keep the agency within its legal limits. He promised CISA would not engage in content moderation, focusing solely on protecting infrastructure. His nomination awaits committee and full Senate votes.
Starting point is 00:08:40 A malicious prompt was discovered in version 1.84 of Amazon's QDeveloper extension for VS Code, instructing the AI assistant to wipe a user's system and AWS cloud resources. The destructive code, introduced via a GitHub pull request on July 13, directed Q to delete home directories, user settings, and cloud instances using AWS CLI commands. Though the extension wasn't functional, AWS quickly removed it and replaced it with the current version. The company says no customer systems were impacted and updated its contribution guidelines to prevent future incidents. The prompt's discovery highlights the risks of open source code manipulation,
Starting point is 00:09:26 especially when paired with AI assistance. This comes on the heels of another alarming AI mishap where Replet's assistant deleted an entire company database, offering a cautionary tale about the pitfalls of vibe coding with autonomous tools. Coming up after the break, Brandon Karpf speaks with Maria Vermazes about space-based telecom architectures and how they could play a critical role in securing agentic AI systems and Android users scroll with caution while Apple fans roll the dice. Stick around.
Starting point is 00:10:21 Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of ten data breaches. Once inside, they're after one thing, your data. Varonis's AI-powered data security platform secures your data at scale. Across LAS, SAS, and hybrid cloud environments, join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at Veronis.com. Krogel is AI built for the enterprise SOC.
Starting point is 00:11:02 Fully private, schema free, and capable of running in sensitive air-gapped environments, Krogel autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Krogel empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your sock operate at scale with precision and control. Learn more at Krogl.com.
Starting point is 00:11:38 That's C-R-O-G-L dot com. Brandon Karpf is a friend of the show and cybersecurity expert. He recently caught up with Maria Varmasis on the T-Minus Space Daily podcast to talk about how space-based telecom architecture could play a critical role in securing agentic AI systems. Last month when you were on the show, we were talking about agentic AI, and you introduced this really fascinating premise about the metadata that AI models can generate. I'm trying to summarize this perhaps poorly. The metadata that gets generated is a lot more revealing than people perhaps realize.
Starting point is 00:12:26 And then I think this month is the, now what do space companies need to do about that side of the equation? So what do they need to do about it? Yeah, well both what do they need to do and the opportunity for some space companies to offer solutions and think about kind of where the market will probably go and the direction that the market's going to head in that's going to create opportunities for space companies. And specifically I think the opportunities in telecommunications. in direct to cell or space-based internet and services and the mega constellations
Starting point is 00:13:10 that are coming online. A lot of movement in that front. And I think that architecture does offer some nascent security elements that actually mitigate the risk of metadata released into the internet environment and specifically metadata from agentic systems. Okay, so can you expand on that a little bit? Keep going. One of the problems with all that metadata that we talked about last time is it creates opportunity about your intent and what your organization is doing.
Starting point is 00:14:25 People use VPNs, people use proxies, but the problem with those things is those things are static. They're actually mappable. We can actually figure out pretty easily a VPN endpoint, a proxy endpoint. But when we add the space architecture, if you are proxying data in your internet connection through the space architecture, the cellular world, the mobile world has created these identifiers that actually have basically taken away all of the security of being a mobile network. Now when you look at the space architecture it's not the user, it's not the endpoint that's mobile, it's the router, it's the intermediary node that is mobile. You don't know what node your device is going to connect to directly.
Starting point is 00:15:25 And that creates a layer of potential security. And so by routing our network, by routing our traffic, and essentially proxying first through a space architecture, it creates this obfuscation layer where someone measuring your internet traffic company's traffic or something like that, capturing data that's encrypted, they're still going to get the metadata. It opens up a whole world of opportunity for security companies and telecommunication companies to add a layer of obfuscation and add a layer of security by routing through a space architecture. So my mind is going, that is a fantastic opportunity and the complexity of that, as I'm trying to just sort of, not that I understand networking on a good day,
Starting point is 00:16:27 to be completely honest with you, it's not easy to understand, but just the complexity of that, especially as we have more as satellites and Leo and many of them, these in mesh networks, I'm going, holy cow, that sounds also incredibly difficult to implement, not impossible, surely,
Starting point is 00:16:43 but that sounds like a challenge to me, in my layman's understanding of this. also incredibly difficult to implement. Those providers that do exist, they really only have the bandwidth for edge routing, not necessarily backbone routing. When we talk about backbone, we're talking about the massive fiber lines and things like that, the space architecture where you actually get to a device between SES and IntelSat. That is obviously intended to be a new competitor. Of course, most of their customers are like cable or satellite TV.
Starting point is 00:18:15 Satellite TV is in structural decline. It's all internet, right? And so that'll be a potential competitor. And then you look at the Space Force, right? The Space Force is investing in MillNet, which is their proliferated Leo constellation. It's like the follow-on to their Trunche 3, I think, the transport architecture. organizations investing in this? And I think part of it is connectivity, right? There's the benefit of being able to connect anywhere,
Starting point is 00:19:15 even in rural areas or in maritime considerations, but you can't neglect the security implications, companies, how can we actually take advantage of this, especially the high-risk companies? I'm thinking financial services, maybe healthcare, things that are high-risk right now. I was just going to ask about application. You mentioned healthcare. high-speed fiber of a telecom, industry and has industrial secrets, automatically route your traffic first for a telecom or a cloud provider or a data,
Starting point is 00:21:05 like a content distribution network even? And even maybe some smaller MSPs, managed service providers who are maybe targeting the space industry and saying, hey, we're going to offer you guys some value-added services. But that's kind of the initial opportunity that I see. But there is a security benefit to this. That's interesting. I'm just really curious, does that make a difference if we have greater edge computing in space with this model that you're talking about? Or is it just basically, it's another computer in the network that we're talking about, so it doesn't matter necessarily where it's located? And where the opportunity lies is what we talked about
Starting point is 00:21:45 earlier with the constraints on throughput and actually pushing data through a space architecture. It's gonna introduce a little bit of latency. The processing power up there right now isn't large enough to necessarily put a lot of data so you can't use it for a backbone. It's not like a microwave link, a terrestrial microwave link where you can send
Starting point is 00:22:04 a ton of data very quickly over relatively long point-to-point distances. for a backbone. attached to an antenna, is we increase the routing power and the processing power in the space architecture. And we can do this today on pretty small satellites, with the technology that exists. It'll allow us to push more data and more intelligently they can get, instead of moving the entire data, the entire packet, the entire session, from satellite to satellite, satellite to ground station, you just process it on site, in situ,
Starting point is 00:23:00 and you just send the processed information. than terrestrially. I think that makes it a little more expensive, where I would look for the initial growth in that sector of like processing in space is actually in Indian space companies. And the reason being is as we add more processing power, as you add therefore more heat management systems, you're getting heavier, more weight, more expensive to get up into orbit.
Starting point is 00:23:44 Pound for pound, India is more cost effective than any other nation in the world in getting stuff into space. So I think that these things are going to get a little more expensive by adding more processing power as we discussed. So to make it efficient, to make it marketable, to make the capital expenditures make sense, I would look at India and those companies and see what they're doing, because that's probably gonna be a leading indicator of where the technology is moving.
Starting point is 00:24:11 Like, let's pick that up next month. And be sure to check out the T-minus space daily wherever you get your favorite podcasts. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy
Starting point is 00:25:08 lifting out of your GRC program. Their trust management platform automates those key areas compliance, internal and third-party risk and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
Starting point is 00:25:38 It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's vanta.com slash cyber. Hey everybody, Dave here.
Starting point is 00:26:18 I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. for Genuinely relieved knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it piece of mind. And it's not just for individuals. Delete Me also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:27:09 Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. And finally, in the never-ending smartphone wars, Android may have quietly won a surprising battle – not tech specs, but online street smarts. According to Malwarebytes, Android users are more cautious shoppers, more likely to use security tools, and slightly better at creating unique passwords. Meanwhile, iPhone users, perhaps lulled into a false sense of Apple invincibility, are more likely to DM strangers for coupons and shop on shady sites, often
Starting point is 00:28:06 with weak or reused passwords. The result is they fall for scams more often. This isn't about device superiority. Both platforms can be equally secure or vulnerable. But it seems Android users are simply a bit more suspicious online, while iPhone users trust their device like a toddler trusts a juice box. As Malware Bytes Mark Baird wisely points out, the real threat isn't your phone, it's
Starting point is 00:28:33 where you take it online. So maybe skip that discount link, update your security tools, and for goodness sake, use a decent password. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire dot com. We'd love to hear from you. For links to all of today's stories, check out our daily briefing at the cyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners.
Starting point is 00:29:10 We're collecting your insights through the end of August. There's a link in the show notes. Please take a moment and check it out. Be sure to check out this weekend's Research Saturday. We've got a special episode discussing muddled Libra. This is from our friends who do the threat vector podcast from Palo Alto Networks Unit 42. That's research Saturday, check it out.
Starting point is 00:29:30 N2K's senior producer is Alice Carruth. Our cyber wire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltsman. Our executive producer is Jennifer Iben. Peter Kilpey is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here, next week. And now, a word from our sponsor ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Starting point is 00:30:20 AllowListing is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.