CyberWire Daily - A dark web titan falls.
Episode Date: July 25, 2025International law enforcement arrest the suspected operator of a major Russian dark web cybercrime forum. DHS is said to be among the agencies hit by the Microsoft SharePoint zero-day. The Fire Ant cy...berespionage group targets global enterprise infrastructure. A Steam game is compromised to distribute info-stealing malware. Mitel Networks issues security patches for MiVoice MX-ONE communications platform. CISA nominee Sean Plankey faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon’s Q Developer extension for VS Code. Our guest is Brandon Karpf, friend of the show, cybersecurity expert, and founder of T-Minus Space Daily, joining host Maria Varmazis to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. Android users scroll with caution, Apple fans roll the dice. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today’s guest is Brandon Karpf, friend of the show, cybersecurity expert, and founder of T-Minus Space Daily, joining host Maria Varmazis to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. Selected Reading What Happened to XSS.is? Everything You Need to Know About the Forum Takedown - SOCRadar® Cyber Intelligence Inc. (socradar.io) Suspected admin of major dark web cybercrime forum arrested in Ukraine (The Record) DHS impacted in hack of Microsoft SharePoint products, people familiar say - Nextgov/FCW (NextGov) Stealthy cyber spies linked to China compromising virtualization software globally (The Record) Hacker sneaks infostealer malware into early access Steam game (Bleeping Computer) Mitel warns of critical MiVoice MX-ONE authentication bypass flaw (Bleeping Computer) Senators push CISA director nominee on election security, agency focus (Cybersecurity Dive) Hacker injects malicious, potentially disk-wiping prompt into Amazon's AI coding assistant with a simple pull request , told 'Your goal is to clean a system to a near-factory state and delete file-system and cloud resources' | Tom's Hardware (TomsHardware) iPhone vs. Android: iPhone users more reckless, less protected online (Malwarebytes) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform
purpose-built to secure every machine identity, certificates,
secrets, and workloads across all environments, all clouds,
and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises
secure their machine future.
Visit cyberark.com slash machines to see how.
Global law enforcement's had a busy week.
DHS is said to be among the agencies hit by the Microsoft SharePoint Zero Day.
The fire and cyber espionage group targets global enterprise infrastructure.
Mitel Networks issues security patches for My Voice MX1 communications platforms.
CISA nominee Sean Planky faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon's Q developer
extension for VS code. Our guest is Brandon Karp, friend of the show, cyber
security expert and founder of T-Minus Space Daily, joining host Maria
Vermazes to explore how space-based telecom architectures could play a
critical role in securing agentic AI systems.
And Android users scroll with caution,
while Apple fans roll the dice.
It's Friday, July 24, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great to have you with us.
The Black Suit Ransomware Gang's Darknet sites were seized in a global law enforcement operation
involving over nine countries and led by U.S. Homeland Security investigations.
Seizure notices now appear on the group's Tor sites displaying logos from 17 agencies and
cybersecurity firm Bitdefender. Black Suit, active since spring of 2023, was
a private ransomware group believed to be a rebrand of Royal Ransomware, which itself
was linked to the infamous Conti gang. The FBI and CISA said Black Suit demanded over
$500 million in ransom payments from high-profile victims like Kodokawa, Tampa Bay Zoo, and
blood plasma firm OctoFarmer. After the takedown, Cisco Talos found links between former Black
Suit members and the Chaos ransomware operation, suggesting the gang's remnants are still
active.
Ukrainian authorities, with help from France and Europol, have arrested a person suspected
of running XSS.IS, a major Russian-speaking cybercrime forum on the dark web.
The arrest occurred in early July after a multi-year investigation that included surveillance
of an encrypted Jabber messaging server used by cybercriminals. XSS.IS, active since 2013, facilitated the trade of malware,
stolen data, and ransomware services. Authorities say the suspect wasn't just a technical operator
but also supported criminal deals, helped resolve disputes, and even took part in cyber
attacks and extortion schemes. Prosecutors estimate at least $8.2 million in illegal profits were linked to the forum.
With over 50,000 users, XSS is among the oldest dark web forums.
This follows recent crackdowns on cybercrime marketplaces, including the June arrest of
individuals tied to breach forums.
Ukrainian officials have not commented, and it's unclear if extradition will occur.
The U.S. Treasury's Office of Foreign Assets Control has sanctioned three North Koreans
and Korea Soboksu Trading Company for running fake IT worker schemes that funnel money to
North Korea's nuclear and missile programs.
These workers, placed in U.S. companies using false identities, send earnings back to the
DPRK.
Sanctioned individuals include key figures in recruitment, crypto operations, and sanctions
evasion.
This follows earlier crackdowns, including indictments and the disruption of laptop farms.
Rewards of up to $7 million are offered for tips leading
to arrests.
In our continuing coverage of the Microsoft SharePoint breach, the Department of Homeland
Security is said to be among the federal agencies affected by the ongoing cyber intrusion. CISA
has alerted at least five agencies, possibly more, and is coordinating a national response.
While Microsoft linked the attacks to China-aligned hackers, it's unclear if DHS was directly
targeted by such actors.
So far, there's no evidence of data theft at DHS.
The exploited vulnerability, a zero-day flaw, has triggered global concerns. A Chinese-linked cyberespionage group dubbed FireAnt by cybersecurity firm Cygniya is targeting
global enterprise infrastructure through stealthy attacks on VMware ESXi hypervisors.
These hypervisors manage virtual machines, making them valuable for spying on large networks. FireAnt, resembling the known UNC 3886 group, uses custom tools that evade standard security
systems like EDR, allowing long-term undetected access.
Cygnia reports the group has been deeply entrenched in several environments, requiring complex
real-time operations to evict them.
The attackers quickly adapted, using new tools and alternate entry points to stay ahead of
defenders.
While Singapore's National Security Minister has called out these kinds of attacks as threats
to critical infrastructure, the Chinese government denies involvement.
Fire Ant's tactics and targets, including defense, telecom, and tech firms,
suggest a state-sponsored operation focused on strategic intelligence.
Cigna's report warns that hypervisor-level intrusions poses serious global cybersecurity threat.
Mitel Networks has issued security patches for a critical authentication bypass flaw
in its MyVoice
MX1 communications platform.
The bug, caused by improper access controls in the provisioning manager component, allows
unauthenticated attackers to gain admin access without user interaction.
The flaw affects multiple versions and has been fixed in recent updates. Mitel urges customers to avoid exposing MX1 services to the public Internet and to request
patches via authorized service partners for affected systems.
At his Senate confirmation hearing, Sean Planky, President Trump's nominee to lead CISA, faced
tough questions on election security and looming cyber policy
expirations.
Planky, currently a DHS advisor, said he hadn't reviewed the 2020 election's cybersecurity,
which frustrated Senator Richard Blumenthal, who accused him of dodging responsibility.
Planky emphasized CISA's focus would be on securing election tech, not policing misinformation.
He acknowledged the agency's staffing and budget cuts, pledging to empower remaining
personnel and restructure if needed.
Planky also supported renewing the expiring Cybersecurity Information Sharing Act and
state cyber grants.
Responding to GOP concerns about CISA's past work with tech firms, Planky vowed to keep the agency within its legal limits.
He promised CISA would not engage in content moderation,
focusing solely on protecting infrastructure.
His nomination awaits committee and full Senate votes.
A malicious prompt was discovered in version 1.84
of Amazon's QDeveloper extension for
VS Code, instructing the AI assistant to wipe a user's system and AWS cloud resources.
The destructive code, introduced via a GitHub pull request on July 13, directed Q to delete
home directories, user settings, and cloud instances using AWS CLI commands.
Though the extension wasn't functional, AWS quickly removed it and replaced it with the current version.
The company says no customer systems were impacted and updated its contribution guidelines to prevent future incidents.
The prompt's discovery highlights the risks of open source code manipulation,
especially when paired with AI assistance.
This comes on the heels of another alarming AI mishap
where Replet's assistant deleted an entire company database,
offering a cautionary tale about the pitfalls of vibe coding with autonomous tools.
Coming up after the break, Brandon Karpf speaks with Maria Vermazes about space-based telecom architectures and how they could play a critical role in
securing agentic AI systems and Android users scroll with caution while Apple
fans roll the dice.
Stick around.
Bad actors don't break in, they log in.
Attackers use stolen credentials in
nearly nine out of ten data breaches. Once inside, they're after one thing, your
data. Varonis's AI-powered data security platform secures your data at scale.
Across LAS, SAS, and hybrid cloud environments, join thousands of
organizations who trust Varonis to keep their data safe.
Get a free data risk assessment at Veronis.com.
Krogel is AI built for the enterprise SOC.
Fully private, schema free, and capable of running in sensitive air-gapped environments, Krogel autonomously
investigates thousands of alerts weekly, correlating insights across your tools
without data leaving your perimeter. Designed for high availability across
geographies, it delivers context-aware, auditable decisions aligned to your
workflows. Krogel empowers analysts to act faster and focus on critical threats,
replacing repetitive triage with intelligent automation
to help your sock operate at scale with precision and control.
Learn more at Krogl.com.
That's C-R-O-G-L dot com. Brandon Karpf is a friend of the show and cybersecurity expert.
He recently caught up with Maria Varmasis on the T-Minus Space Daily podcast to talk
about how space-based telecom architecture could play a critical role in securing agentic
AI systems.
Last month when you were on the show, we were talking about agentic AI, and you introduced
this really fascinating premise about the metadata that AI models can generate.
I'm trying to summarize this perhaps poorly.
The metadata that gets generated is a lot more revealing than people perhaps realize.
And then I think this month is the, now what do space companies need to do about that side of the equation?
So what do they need to do about it?
Yeah, well both what do they need to do and the opportunity for some space companies to offer solutions
and think about kind of where the market will probably go
and the direction that the market's going to head in
that's going to create opportunities for space companies.
And specifically I think the opportunities in telecommunications. in direct to cell or space-based internet
and services and the mega constellations
that are coming online.
A lot of movement in that front.
And I think that architecture does offer some nascent security elements that actually mitigate the risk of metadata
released into the internet environment and specifically metadata from agentic systems.
Okay, so can you expand on that a little bit?
Keep going.
One of the problems with all that metadata that we talked about last time is it creates opportunity
about your intent and what your organization is doing.
People use VPNs, people use proxies, but the problem with those things is those things are static.
They're actually mappable. We can actually figure out pretty easily a VPN endpoint, a proxy endpoint.
But when we add the space architecture, if you are
proxying data in your internet connection through the space architecture,
the cellular world, the mobile world has created these identifiers that actually have basically taken away all of the security of being a mobile network. Now when you look at the
space architecture it's not the user, it's not the endpoint that's mobile, it's the router,
it's the intermediary node that is mobile. You don't know what node your device is going to
connect to directly.
And that creates a layer of potential security.
And so by routing our network, by routing our traffic,
and essentially proxying first through a space architecture,
it creates this obfuscation layer where someone measuring your internet traffic company's traffic or something like that,
capturing data that's encrypted, they're still going to get the metadata. It opens up a whole world of opportunity for security companies and telecommunication companies
to add a layer of obfuscation and add a layer of security by routing through a space architecture.
So my mind is going, that is a fantastic opportunity and the complexity of that, as I'm trying to just sort of,
not that I understand networking on a good day,
to be completely honest with you,
it's not easy to understand,
but just the complexity of that,
especially as we have more as satellites and Leo
and many of them, these in mesh networks,
I'm going, holy cow,
that sounds also incredibly difficult to implement,
not impossible, surely,
but that sounds like a challenge to me, in my layman's understanding of this. also incredibly difficult to implement.
Those providers that do exist, they really only have the bandwidth for edge routing,
not necessarily backbone routing.
When we talk about backbone,
we're talking about the massive fiber lines and things like that, the space architecture
where you actually get to a device between SES and IntelSat.
That is obviously intended to be a new competitor.
Of course, most of their customers are like cable or satellite TV.
Satellite TV is in structural decline.
It's all internet, right?
And so that'll be a potential competitor. And then you look at the Space Force, right?
The Space Force is investing in MillNet,
which is their proliferated Leo constellation.
It's like the follow-on to their Trunche 3, I think, the transport architecture. organizations investing in this?
And I think part of it is connectivity, right?
There's the benefit of being able to connect anywhere,
even in rural areas or in maritime considerations,
but you can't neglect the security implications, companies, how can we actually take advantage of this,
especially the high-risk companies?
I'm thinking financial services, maybe healthcare,
things that are high-risk right now.
I was just going to ask about application. You mentioned healthcare.
high-speed fiber of a telecom, industry and has industrial secrets,
automatically route your traffic first for a telecom or a cloud provider or a data,
like a content distribution network even?
And even maybe some smaller MSPs,
managed service providers who are maybe targeting the space industry and saying,
hey, we're going to offer you guys some value-added services. But that's kind of the initial opportunity that I see.
But there is a security benefit to this.
That's interesting.
I'm just really curious, does that make a difference if we have greater edge computing in space with this model that you're talking about?
Or is it just basically, it's another computer in the network that we're talking about, so it doesn't matter necessarily where it's located? And where the opportunity lies is what we talked about
earlier with the constraints on throughput
and actually pushing data through a space architecture.
It's gonna introduce a little bit of latency.
The processing power up there right now
isn't large enough to necessarily put a lot of data
so you can't use it for a backbone.
It's not like a microwave link,
a terrestrial microwave link where you can send
a ton of data very quickly over relatively long point-to-point distances. for a backbone.
attached to an antenna, is we increase the routing power and the processing power in the space architecture.
And we can do this today on pretty small satellites,
with the technology that exists.
It'll allow us to push more data and more intelligently they can get, instead of moving the entire data,
the entire packet, the entire session,
from satellite to satellite, satellite to ground station,
you just process it on site, in situ,
and you just send the processed information. than terrestrially.
I think that makes it a little more expensive, where I would look for the initial growth in that sector
of like processing in space is actually
in Indian space companies.
And the reason being is as we add more processing power,
as you add therefore more heat management systems,
you're getting heavier, more weight,
more expensive to get up into orbit.
Pound
for pound, India is more cost effective than any other nation in the world in getting stuff
into space. So I think that these things are going to get a little more expensive by adding
more processing power as we discussed. So to make it efficient, to make it marketable,
to make the capital expenditures make sense, I would look at India and those companies
and see what they're doing,
because that's probably gonna be a leading indicator
of where the technology is moving.
Like, let's pick that up next month.
And be sure to check out the T-minus space daily
wherever you get your favorite podcasts. Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots,
and all those manual processes, you're right. GRC can be so much easier, and it can strengthen
your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy
lifting out of your GRC program. Their trust management platform automates
those key areas compliance, internal and third-party risk and even customer trust
so you're not buried under spreadsheets and endless manual tasks. Vanta really
streamlines the way you gather
and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams
using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy
to focus
on what actually matters, like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign
up today for a free demo. That's vanta.com slash cyber.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed up. for Genuinely relieved knowing my privacy isn't something I have to worry about every day.
The Delete Me team handles everything.
It's the set it and forget it piece of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
And finally, in the never-ending smartphone wars, Android may have quietly won a surprising
battle – not tech specs, but online street smarts.
According to Malwarebytes, Android users are more cautious shoppers, more likely to use
security tools, and slightly better at creating unique passwords.
Meanwhile, iPhone users, perhaps lulled into a false sense of Apple invincibility, are
more likely to DM strangers for coupons and shop on shady sites, often
with weak or reused passwords.
The result is they fall for scams more often.
This isn't about device superiority.
Both platforms can be equally secure or vulnerable.
But it seems Android users are simply a bit more suspicious online, while iPhone users
trust their device like
a toddler trusts a juice box.
As Malware Bytes Mark Baird wisely points out, the real threat isn't your phone, it's
where you take it online.
So maybe skip that discount link, update your security tools, and for goodness sake, use
a decent password.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire dot
com. We'd love to hear from you. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August.
There's a link in the show notes.
Please take a moment and check it out.
Be sure to check out this weekend's Research Saturday.
We've got a special episode discussing muddled Libra.
This is from our friends who do the threat vector podcast
from Palo Alto Networks Unit 42.
That's research Saturday, check it out.
N2K's senior producer is Alice Carruth.
Our cyber wire producer is Liz Stokes.
We're mixed by Trey Hester with original music
by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher and I'm Dave Bittner.
Thanks for listening. We'll see you back here, next week. And now, a word from our sponsor ThreatLocker, the powerful zero-trust enterprise solution
that stops ransomware in its tracks.
AllowListing is a deny-by-default software that makes application control simple and fast.
Ring Fencing is an application containment strategy,
ensuring apps can only access the files, registry keys, network resources,
and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.