CyberWire Daily - A free speech showdown.
Episode Date: August 22, 2025The FTC warns one country’s “online safety” may be another’s “censorship.” A new bipartisan bill aims to reduce barriers to federal cyber jobs. MURKY PANDA targets government, technology, ...academia, legal, and professional services in North America. MITRE updates their hardware weaknesses list. Customs and Border Protection conducts a record number of device searches at U.S. borders. A recent hoax exposes weaknesses in the cybersecurity community’s verification methods. A Houston man gets four years in prison for sabotaging his employer’s computer systems. A Florida-based provider of sleep apnea equipment suffers a data breach. Interpol dismantles a vast cybercriminal network spanning Africa. Brandon Karpf shares his experience with fake North Korean job applicants. Being a smooth-talking English speaker can land you a gig in the cybercrime underworld. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Brandon Karpf, friend of the show discussing his experience with fake North Korean job applicants. You can also hear more from Brandon on our show T-Minus Daily, where he’s a regular guest on a monthly space segment—catch his latest episode this Monday! Selected Reading US warns tech companies against complying with European and British ‘censorship’ laws (The Record) House lawmakers take aim at education requirements for federal cyber jobs (CyberScoop) MURKY PANDA: Trusted-Relationship Cloud Threat (CrowdStrike) MITRE Updates List of Most Common Hardware Weaknesses (SecurityWeek) Phone Searches at the US Border Hit a Record High (WIRED) The Cybersecurity Community's Wake-Up Call: A Fake Reward and Its Lessons (The DefendOps Diaries) Chinese national who sabotaged Ohio company’s systems handed four-year jail stint (The Record) CPAP Medical Data Breach Impacts 90,000 People (SecurityWeek) Interpol-Led African Cybercrime Crackdown Leads to 1209 Arrests (Infosecurity Magazine) 'Impersonation as a service' next big thing in cybercrime (The Register) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMV.Rising.com to secure your spot.
And now a word from our sponsor. The Johns Hopkins University
the Information Security Institute, is seeking qualified applicants for its innovative Master of
of Science and Security Informatics degree program. Study alongside world-class interdisciplinary
experts and gain unparalleled educational, research, and professional experience in
information security and assurance. Interested U.S. citizens should consider the Department
of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop,
as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026th semester and for this scholarship by February 28th.
Learn more at c.j.j.u.edu slash MSSI.
The FTC warns one country's online safety may be another's censorship.
A new bipartisan bill aims to reduce barriers to federal cyber jobs.
Merky Panda targets government technology, academia, legal, and professional services in North America.
Miter updates their hardware weaknesses list.
Customs and border protection conducts a record number of device searches at U.S. borders.
A recent hoax exposes weaknesses in the cybersecurity community's verification methods.
A Houston man gets four years in prison for sabotaging his employer's computer systems.
A Florida-based provider of sleep apnea equipment suffers a data breach.
Interpol dismantles a vast cybercriminal network spanning Africa.
Brandon Karp shares his experience with fake North Korean job applicants.
And being a smooth-talking English speaker can land you a gig in the cybercrime,
world.
It's Friday, August 22, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great to have you with us. Happy Friday. The Federal Trade Commission warned U.S. tech companies that complying with European and UK online content rules could violate American law. FTC chairman Andrew Ferguson said following foreign censorship efforts, including the EU's Digital Services Act and Britain's Online Safety Act, may breach Section 5 of the
FTC Act, which prohibits unfair or deceptive practices.
He argued Americans do not expect platforms to restrict speech to satisfy foreign governments
and warned against weakening encryption protections.
Ferguson cited British attempts to access Apple ICloud data as an example.
The warning comes amid broader U.S. criticism of Europe's regulation of online speech.
Ferguson invited tech executives to discuss how they'll balance
global pressures with their legal obligations to American consumers.
Lawmakers on the House Cybersecurity Subcommittee introduced the Cybersecurity Hiring Modernization Act,
aiming to reduce barriers to federal cyber jobs by prioritizing skills over degrees.
Sponsored by Representative Nancy Mace, Republican from South Carolina, and Representative
Chantal Brown, a Democrat from Ohio, the bipartisan bill seeks to be a Republican.
to expand the talent pool at a time of rising cyber threats.
Mace said the bill would cut red tape and allow skilled applicants without four-year diplomas
to serve, while Brown called expanding the workforce imperative for secure systems.
The bill directs the Office of Personnel Management to track and report changes to education
requirements and collect data on new hires backgrounds.
Agencies could still require degrees if mandated by law.
or if education is directly tied to job competencies.
Since 2003, CrowdStrike has tracked Murky Panda, a China-linked cyber adversary targeting government,
technology, academia, legal, and professional services in North America.
The group is highly cloud-focused, conducting trusted relationship compromises, and exploiting
internet-facing appliances for initial access.
They rapidly weaponize end-day and zero-day vulnerabilities, including Citrix and ComValt flaws,
and use tools like the Neo-ReGeorge Webshell and their custom malware clouded hope to maintain persistence.
Murky Panda has compromised SaaS providers and Microsoft Cloud Solutions partners to move laterally into downstream customers,
often exfiltrating emails and sensitive documents.
They employ strong operational security by altering logs and timestamps to avoid detection.
CrowdStrike assesses their activity as espionage-driven, aimed at intelligence collection,
and warns that cloud-heavy organizations remain especially vulnerable to these advanced operations.
Midor has released an updated CWE Most Important Hardware Weaknesses List,
first published in 2021 to reflect evolving hardware security challenges.
The 2025 version highlights 11 key weaknesses, including six new entries,
while retaining five persistent flaws such as improper debug access and memory protection issues.
Topping the list is CWE 226,
sensitive information in resource not removed before reuse,
which risks exposing data if memory.
or resources aren't properly cleared.
Maiter stresses that hardware flaws propagate upward, limiting software and firmware mitigations.
Customs and Border Protection is conducting record numbers of electronic device searches at U.S. borders,
Wired Reports.
Between April and June of this year, officials searched just under 15,000 devices,
a 16.7% increase over the previous high in early 2022.
CBP can inspect phones, laptops, and cameras without a warrant, with searches divided into
basic manual checks and more invasive advanced forensic extractions.
Civil Liberties advocates warn this unchecked authority has a chilling effect on travelers,
including journalists and lawyers with sensitive data.
Device searches have risen steadily over the past decade, from 8,500 in 2015 to over 46,000,
thousand in 2024.
While CBP stresses, searches affect less than 0.01% of travelers, critics say new investments
in forensic tools may expand advanced inspections, raising further privacy concerns.
A recent hoax has exposed weaknesses in how the cybersecurity community verifies information.
A telegram channel, impersonating Europol, announced a fake $50,000.
reward for details on Keelan ransomware operators, Hayes, and X Oracle.
Many researchers and journalists initially reported the claim before Europol confirmed it was
false. The impostors later admitted the stunt was designed to troll the community and highlight
poor fact-checking. The incident shows how easily misinformation can spread on platforms like
telegram and the risks of relying on unverified sources. While Europol,
quickly debunked the claim, the episode underscored the need for stronger verification
practices, better communication from law enforcement, and closer collaboration among journalists,
researchers, and officials to prevent future disinformation campaigns from misleading the
cybersecurity ecosystem.
A Houston man, Davis-Lew, age 55, was sentenced to four years in prison and three years of
supervised release for sabotaging his employer's computer systems. Prosecutors said Lou,
longtime employee of Eaton Corporation, deployed malicious code in 2018 through 2019 after his role was
reduced. He deleted co-workers' profiles, caused system crashes, and created a kill switch,
named after himself, that locked out thousands of users worldwide. The sabotage caused hundreds of
thousands in damages. Lou faced up to 10 years and plans to appeal.
CPAP medical supplies and services, a Florida-based provider of sleep apnea equipment,
has disclosed a data breach affecting over 90,000 people, including U.S. military members and
families. Hackers accessed its systems in December 2024 for more than a week,
potentially stealing social security numbers and protected health information.
CPAP reported the breach to state authorities and HHS, but says there's no evidence of misuse.
No ransomware group has claimed responsibility, raising speculation.
Attackers may be avoiding publicity or that CPAP paid to prevent data leaks.
Interpol's Operation Serengeti 2.0 dismantled a vast cybercriminal network spanning Africa,
leading to over 1,200 arrests, the seizure of $97 million and the takedown of over 11,000
malicious infrastructures.
Running from June through August of this year, the operation involved law enforcement
from 18 African nations, the U.K., private cybersecurity firms, and non-profits.
Authorities estimate the network defrauded nearly 88,000 victims, causing $485 million in losses
through ransomware, scams, and business email compromise.
Highlights include dismantling illegal crypto mining centers in Angola,
a $300 million investment scam in Zambia,
and a multi-million dollar inheritance fraud in Cote de Livor.
Interpol praised growing global cooperation,
noting the operation not only disrupted cybercrime,
but also boosted prevention through partnerships like the inter-copped cybercrime.
Prevention Network.
Coming up after the break,
Brandon Karp shares his experience
with fake North Korean job applicants
and being a smooth-talking English speaker
can land you a gig in the cybercrime underworld.
Stay with us.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's sponsored jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit
to get your jobs more visibility at Indeed.com slash Cyberwire.
Just go to Indeed.com slash Cyberwire right now,
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash Cyberwire.
Terms and conditions apply.
Hiring, Indeed is all you need.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1.
And without securing them, trust, uptime,
outages, and compliance are at risk.
CyberArc is leading the way
with the only unified platform purpose-built
to secure every machine identity,
certificates, secrets, and workloads
across all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises
secure their machine future.
Visit cyberarc.com slash machines to see how.
It is always my pleasure to welcome back to the show,
Brandon Karp, who used to be my boss.
David is so great to come back and see you on this side of the camera.
That's right.
So Brandon was a colleague here at N2K Cyberwire and has moved on to do bigger and better things.
And one of those bigger.
and better things that you were chasing after was a startup of your very own. And as part of that
process, you were looking to hire some folks and had experienced an interesting turn of events.
What happened, Brandon? Yeah, and this should come as no surprise to folks in this industry.
But hearing these stories, I think, is always helpful and informative. But I caught a couple
North Korean IT workers running an IT worker scam.
A couple.
A couple, yes, more than one.
And the surprising thing here is we weren't hiring that many people
and we weren't hiring for very long.
So just in the short period of time about a few weeks
that we were reviewing resumes to what we assumed to be North Koreans
ended up in my top 10 candidate list.
We'll walk us through how this came to pass.
Sure. So we posted some job descriptions on, you know, a few of the standard sites that you've heard of. And, you know, within, and these were technical roles, core backend engineering roles for a platform. And so, you know, pretty sophisticated and complex technical skills that we were looking to hire. And within a few days, we had hundreds of applicants. So we shut up.
down the open job wrecks and began reviewing the hundreds and narrowed probably about 200
applicants down to our top 10. And we decided we were going to interview our top 10 and ultimately
hire one. And within about a week, we had that first interview. And it became quite obvious
within about five, ten minutes of the interview that this person is not who they
claimed to be. Okay, obvious how. What went down here, Brandon? Yeah, well, I want to start
actually with the resumes themselves, because the resume was perfect. It was exactly what we were
looking for. It covered every core technology we were looking for expertise in. It covered the
amount of experience that we were looking for. All of the key technologies and platforms that we
were looking for this person to have experience with was bolded. So it was very obvious to the eye that
this person had the expertise. That being said, it was a pretty simple resume. I wouldn't say that
there was a lot of metrics. There's a lot of impact statements. It was simple black and white
PDF, no additional colors, not a whole lot going on there. And that should have been our first clue,
but again, the resume of this first worker, and actually the second worker too, covered everything
we needed so clearly that it was an easy slot in. And so it seemed like they're probably using
AI systems to optimize the resumes for these applicant tracking systems to hit each of the
keywords.
Right.
And I guess it's fair to say, contextually, you're also under an avalanche of hopeful resumes.
Right.
Hundreds.
And we're reviewing these, you know, quickly to see, okay, we got all the keywords.
We got the right programming languages, the right platforms, the right, you know, we were doing
some stuff with cryptography, so they needed some prior experience there.
And so we invited this gentleman for an interview.
And in preparation for the interview, I started looking this person up online.
I looked for a LinkedIn page.
No LinkedIn page.
Now, not totally unusual for some of these core backend engineers.
However, what I noticed is when I Googled the guy's name, there was a LinkedIn page with the right location.
And then when I clicked the link on Google, it went to a, this page does not exist.
So there was a LinkedIn, and then the person deleted the LinkedIn, which was another clue.
Okay. So you get the person on the line. What happens next?
Red flags. So the trend we noticed was in both of these people, and I'm using one example,
because this is where we really discover the trends, had an anglicized first name.
You know, think of like Frank, Albert, Ian, some sort of kind of anglicized first name.
and a Hispanic last name, which fairly usual.
This person said that they were living in San Antonio, Texas.
So, okay, makes sense to me.
And when they come on the camera, they are most certainly not Hispanic,
which could be, but that was kind of a little unusual.
The person was clearly Asian.
And they were on camera, but they were definitely not Hispanic.
And so, you know, some people might be a little uncomfortable there,
but some profiling does have to occur
to not get trapped by these things.
But it was unusual, and when I wasn't the only one on this call from the company,
we surmised at the end that they were using Hispanic last names,
hoping that some Americans aren't used to distinguishing between races very well,
especially through camera.
The Hispanic name was far enough away our normal use,
the thing that we're typically used to seeing,
that they were potentially using that to get through your initial gut check filters.
Okay. Interesting.
So the other red flag was this person wasn't showing their background,
which was, okay, you know, not everyone shows their background.
But that's just kind of as these things start to stack, it gets more and more unusual.
Okay, can't find this guy online, has a name that doesn't actually match his ethnicity,
is not showing his background, very thick accent.
And something that is unique to me is I grew up with folks from South Korea.
I went to school with a whole bunch of folks from South Korea.
And it sounded to me like a native Korean speaker trying to speak English.
Oh, interesting. Okay.
So just by pure luck of the draw, you had a little background expertise or at least experience
on this sort of regional accent.
Right.
And I've traveled to Korea as well.
and I have a number of friends from high school and college from Korea.
So I was kind of used to this, just what Korean speakers sound like when they're speaking English.
And it sounded like that region of East Asia to me.
The other, and the other red flag, as we got into the interview, was this person said that they had lived in L.A.,
this person said that they had lived in New York, that they currently live in San Antonio.
know, myself and the other person on the interview have spent both of us a good amount of time in
each of those places. And so as we're getting to know this person, we want to kind of reminisce
about some of our favorite places in each of those regions. And the candidate couldn't
offer any specific details about any of those regions. And so kind of one lesson learned, I think,
for folks listening to this is get into the personal side a little bit, right? Ask specifics.
What was your favorite thing to do in those, you know, cities? Or, you know, where did you like to go
I love restaurants.
I have some favorites in L.A.
You know, what are some of your favorites from that region?
And this person couldn't offer any specifics.
It's interesting to me the high number, you know, relatively speaking, two out of 10.
And as you said at the outset, this was not a huge drag net for folks to be hired.
This is a small startup.
You're looking to hire one person.
and I wouldn't have thought that the odds would have been in your favor of scooping up one,
much less two, of these folks.
And not only that, the startup itself doesn't have much of a presence online.
And so that was a little unusual.
And then when we were looking at the timestamps of when these folks actually applied,
they applied almost immediately.
So they have some system that is ready to go as soon as these things,
align. The other element that I would note, though, is we did conduct the technical interview.
We did go through the interview. This person knew their stuff. They were actually answering quite
well some pretty technical deep questions around cryptography and core back-end systems,
especially in the networking stack. And so either in real time, this person was getting fed
answers, or they actually do have the knowledge to do the job, which we found fascinating.
was the story pretty much the same with the second candidate yeah so after that first candidate
and after we got off the call and we said yeah that that definitely was not what we thought it was
that was a IT worker scam and and we actually did challenge him a little bit on where he's from and he said
oh I'm I'm from the Philippines and again the accent wasn't Filipino I spent a lot of time in the
Navy there's a lot of Filipinos in the Navy again I know
what that accent sounds like. But we said, okay, let's look at the 10 candidates we've invited
to interview again. And we found another candidate with the exact same model. The resume,
very similar format, right? Simple black and white format, very simple outline, all of the key
words from our job opening, bolded, covered everything we needed in a similar way, but not exactly
the same way. The name, anglicized first name, Hispanic class.
name. The LinkedIn profile, exactly the same situation where I looked up this person on
LinkedIn, Google said there was a profile, I clicked it, it said that profile no longer exists.
They get on the call, same game, right? A gentleman who looked Asian, had a Hispanic last name,
the background was, it looked like a beach scene or something like that, but it was one of
the fake backgrounds. And within a five minutes, similar accent.
we said, we're going to actually end the interview here and move on.
But it was, it checked each of those boxes.
Did you and your colleagues at any point doubt yourselves and wonder like,
are, you know, is this really what's happening here or, you know,
a little healthy skepticism of your own senses?
Totally.
And I think that's why we went through the entire first interview, you know, a full hour
with this person.
You know, myself and my colleague jumped on a call right afterwards, and he kind of looked at me and said, is that what I think it was?
And I said, I think it might be.
And then we started running through the experience again, and we got more and more sure that what we had experienced was one of these IT workers scams.
Now, we second-guessed ourselves, you know, as someone who's sensitive culturally, you know, you don't want to profile.
you don't want to do things that necessarily maybe rejects a good qualified candidate.
But at the end of the day, when you're looking at the sum total of the evidence,
how uncomfortable we were, how few specifics there were about their experiences in America.
I actually did follow up with a couple of the companies on his resume that he said he worked at,
and none of them had ever heard of him.
And so I did that, though, weeks after.
It was bothering me, and I wanted to double check.
So what are your recommendations then?
I mean, if this really is that rampant,
why has you been thinking about this?
Have you thought of any shortcuts to weed these folks out?
Yeah, practically speaking, and this is hard at scale,
but it has to come from that high touch face to face,
at least through a video camera,
of getting into the personal specifics of,
oh, I see you worked at this company,
give us some specific examples.
And the less specific they can get, the more red flags there are.
Now, of course, people can make things up.
So that's not a panacea.
It's not a perfect solution.
But that's the area, that's when we really started getting uncomfortable on the calls.
When we started asking specifics, digging into this person's story,
oh, why did they move to New York?
Why did they move to L.A.?
What took them to San Antonio?
What other things outside of work were you doing at those places?
What are some of your favorite things in those places?
kind of getting to know the candidate.
I think universally, that'll actually make you hire better candidates in general
because these are your colleagues, hopefully.
And so you get to know them.
But at the same time, it also will demonstrate if someone really does not know what they're talking,
if someone's really from a foreign country, especially a North Korean type person who genuinely
wouldn't have the cultural awareness to talk about it, trust your gut there.
That's kind of the first.
the second is these automated applicant review systems at scale people have to use them,
but it's very easy now with Gen AI to build a model that is just going to send out the perfect
resume. And that's what we saw. These were literally the perfect resumes. That actually could also
be a signal that this isn't quite right. If you're getting a resume that is absolutely perfect,
everything you want, what are the chances of that? Right. Right. All right. All right.
Well, Brandon, thank you for sharing your experience with us.
Brendan Karp is my former colleague here at N2K Cyberwire,
and has since moved on to bigger and better things that we will talk about in the future.
Looking forward to having you back, Brandon.
Thanks for taking the time for us.
Thanks, Dave.
daily every single day. Now we'd love to hear from you. Your voice can help shape the future of
N2K networks. Tell us what matters most to you by completing our annual audience survey. Your
insights help us grow to better meet your needs. There's a link to the survey in our show notes.
We're collecting your comments through August 31st. Thanks.
And now a word from our sponsor, Threat Locker.
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allow listing is a deny-by-default software that makes application control simple and fast.
Ring fencing is an application containment strategy,
ensuring apps can only access the files, registry keys, network resources,
and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from threat locker.
Summer is Tim's ice latte season.
It's also hike season, pool season, picnic season,
and yeah, I'm down season.
So drink it up with Tim's ice lattes,
now whipped for a smooth taste.
Order yours on the Tim's app today
at participating restaurants in Canada for a limited time.
And finally, it turns out that being a smooth-talking English speaker
can now land you a gig in the cybercrime underworld.
No resume required, just a knack for sounding like IT support.
RelyaQuest says demand for English-language social engineering
has more than doubled since last year,
with job ads hawking impersonation-as-a-service packages,
coaching, scripts, even tech support for your scams.
Gangs like Scattered Spider and shiny hunters have been perfecting the art,
tricking Dior, Chanel, Google, and others into handing over Salesforce credentials.
With AI lending crooks' superpowers and nation-state tactics trickling down to the masses,
fishing calls have evolved far beyond prank territory.
instead of that old chestnut is your refrigerator running it's more like this is workday it's more like
this is workday it's more like this is workday i t can i have your password unfortunately people keep saying yes
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at theCiberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey
to learn more about our listeners.
We're collecting your insights through the end of August.
There's a link in the show notes.
Please take a moment and check it out.
Be sure to check out this weekend's research Saturday
and my conversation with Dr. Renee Burton,
VP of Info Blocks Threatentel, we're discussing their work on Vex Trio, a notorious traffic distribution system involved in digital fraud.
That's Research Saturday. Check it out.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilfey is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here.
week.