CyberWire Daily - A picture worth a thousand breaches.

Episode Date: January 12, 2026

The FBI warns of Kimsuky quishing. Singapore warns of a critical vulnerability in Advantech IoT management platforms. Russia's Fancy Bear targets energy research, defense collaboration, and government communications. Malaysia and Indonesia suspend access to X. Researchers warn a large-scale fraud operation is using AI-generated personas to trap mobile users in a social engineering scam. BreachForums gets breached. The NSA names a new Deputy Director. Monday Biz Brief. Our guest is Sasha Ingber, host of the International Spy Museum's SpyCast podcast. The commuter who hacked his scooter.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Sasha Ingber, host of the International Spy Museum's SpyCast podcast, on the return of SpyCast to the N2K CyberWire network.

Selected Reading
North Korea–linked APT Kimsuky behind quishing attacks, FBI warns (Security Affairs)
Advantech patches maximum-severity SQL injection flaw in IoT products (Beyond Machines)
Russia's APT28 Targeting Energy Research, Defense Collaboration Entities (SecurityWeek)
Malaysia and Indonesia block X over deepfake smut (The Register)
New OPCOPRO Scam Uses AI and Fake WhatsApp Groups to Defraud Victim (Hackread)
BreachForums hacking forum database leaked, exposing 324,000 accounts (Bleeping Computer)
Former NSA insider Kosiba brought back as spy agency's No. 2 (The Record)
Vega raises $120 million in a Series B round led by Accel.
Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters (Rasmus Moorats)

Share your feedback
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
Starting point is 00:00:46 It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their own environments. Schedule your demo at ThreatLocker.com slash N2K today. The FBI warns of Kimsuky quishing. Singapore warns of a critical vulnerability in Advantech IoT management platforms. Russia's Fancy Bear targets energy research, defense collaboration, and government communications. Malaysia and Indonesia suspend access to
Starting point is 00:01:44 X Twitter. Researchers warn a large-scale fraud operation is using AI-generated personas to trap mobile users in a social engineering scam. BreachForums gets breached. The NSA names a new deputy director. We got our Monday business brief. Our guest is Sasha Ingber, host of the International Spy Museum's SpyCast podcast. And the commuter who hacked his scooter. It's Monday, January 12, 2025.
Starting point is 00:02:26 I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. The FBI is warning that North Korea-linked advanced persistent threat group Kimsuky is using QR-code-based spear phishing, known as quishing, to target governments, think tanks, and academic institutions. According to the FBI, the campaigns embed malicious QR codes in emails that bypass traditional security tools by hiding destination URLs. When scanned, the codes redirect victims through attacker-controlled infrastructure that profiles devices and presents mobile-optimized fake login pages impersonating services like Microsoft 365, Google, or VPN portals.
Starting point is 00:03:30 The activity, observed in May and June of last year, involved impersonation of trusted figures such as foreign advisors and embassy staff, with lures including fake questionnaires and conference invitations. These attacks often begin on unmanaged mobile devices and can enable session token theft, allowing attackers to bypass multi-factor authentication. The FBI says this makes quishing a highly effective, MFA-resilient identity attack vector and urges layered defenses, including user training, mobile security controls, and phishing-resistant authentication, to reduce risk from groups like Kimsuky. The Cyber Security Agency of Singapore is warning of a critical vulnerability in multiple Advantech IoT management platforms. The flaw is a SQL injection bug that allows unauthenticated
Starting point is 00:04:29 attackers to run database commands and achieve remote code execution. Affected products include several IoT Suite and IoT Edge versions on Linux, Windows, and Docker. Advantech urges immediate patching, noting some fixes require direct customer coordination. Researchers at Recorded Future report that Russian state-sponsored threat group APT28 is conducting an ongoing credential harvesting campaign against organizations tied to energy research, defense collaboration, and government communications. Also known as Fancy Bear and Sofacy, the group has been active since at least 2004 and is linked to Russia's GRU. The campaign relies on phishing pages impersonating Microsoft Outlook Web Access, Google, and Sophos VPN portals, often paired with PDF
Starting point is 00:05:26 lures and redirection to legitimate sites after credentials are stolen. Recorded Future says APT28 heavily abuses free hosting, tunneling, and link-shortening services to host phishing infrastructure, collect victim data, and obscure attribution, suggesting the activity is likely to continue. Malaysia and Indonesia have suspended access to X Twitter, citing concerns that the service enables the creation of non-consensual sexual imagery. Malaysia's communications regulator said X failed to implement safeguards required under local law, prompting a block until compliance is achieved.
Starting point is 00:06:11 Indonesia's communications minister said sexual deepfakes violate human rights and digital safety. India has also warned X over similar issues. Owner Elon Musk has argued the actions amount to censorship, though the countries have a history of restricting platforms over objectionable content. Security researchers at Check Point warn that a large-scale fraud operation, dubbed OPCOPRO, is using AI-generated personas and fake communities to trap mobile users in a long-running social engineering scam. The campaign begins with SMS messages impersonating brands like Goldman Sachs, promising outsized investment returns. Victims who click the links are funneled into private
Starting point is 00:06:59 WhatsApp groups populated largely by bots posing as enthusiastic investors and guided by fictional experts with AI-generated profiles. After weeks of trust-building, targets are directed to download a fraudulent OPCOPRO app from the Apple App Store or Google Play Store, lending false legitimacy. The app contains no real trading functionality but collects identity documents and selfies under the guise of Know Your Customer checks. Researchers say the stolen identities enable financial theft, account takeovers, and SIM swapping, making OPCOPRO a highly scalable, industrialized fraud model. The latest version of BreachForums has suffered another data breach, with a leaked user database
Starting point is 00:07:49 and administrative PGP key circulating online. The leak appeared in a 7-Zip archive posted on a site named after the ShinyHunters gang, though ShinyHunters denied involvement, according to Bleeping Computer. The archive contains a MyBB users table with nearly 324,000 records, including usernames, registration dates, and IP addresses. While most IPs resolve to a local loopback address, more than 70,000 mapped to public IPs, raising operational security concerns. BreachForums' administrator said the data originated from an August 2025 backup briefly exposed during site recovery and claimed it was downloaded only once.
Starting point is 00:08:38 However, researchers later confirmed the leaked PGP key password was also published, increasing potential risk to users. The National Security Agency has named veteran intelligence official Tim Kosiba as its new deputy director, ending months of leadership uncertainty. Kosiba returns after more than three decades of government service, including senior roles at the NSA and FBI, and most recently as deputy commander of NSA Georgia. The appointment follows the administration's decision to drop a previous nominee amid political backlash, a move first reported by Recorded Future News. As deputy, Kosiba will oversee daily operations and support the NSA director, who also leads U.S. Cyber Command.
Starting point is 00:09:28 Attention now shifts to Senate confirmation hearings for the agency's permanent leader, scheduled later this month. Turning to our Monday business brief, a wave of global funding and consolidation highlights continued investor confidence in cybersecurity and adjacent markets. Israeli security analytics firm Vega raised $120 million in a Series B led by Accel, valuing the company at $700 million, while Saudi OT security provider DS Shield secured $54 million to scale operations and prepare for a potential public listing. Israeli AI identity startup Act Security closed a $40 million Series A, and U.S.-based Armadin, founded by Kevin Mandia, raised $24 million in seed funding amid talks of a much larger round. Smaller raises included South Korea's Logpresso, Utah-based Paramify, Belgium's Wodon AI, and Turkey's Guardian.
Starting point is 00:10:35 The sector also saw multiple MSSP acquisitions across Australia, Europe, and the United States, underscoring ongoing market consolidation. Coming up after the break, my conversation with Sasha Ingber, host of the International Spy Museum's SpyCast podcast, and the commuter who hacked his scooter. Stay with us. Sasha Ingber is host of the International Spy Museum's SpyCast podcast. We sat down to discuss that show's return to the N2K CyberWire Network. Sasha, I am so pleased to welcome you here to the CyberWire Daily podcast. Welcome back, I suppose I should say. Well, thank you for having me, Dave. It's very exciting that SpyCast is joining the N2K CyberWire Network. You were with us for a few years there and then went away for a little while, but now you're back, and we couldn't be more excited.
Starting point is 00:11:57 Well, we're glad to be back with you. Well, let's talk about the SpyCast podcast. What's the origin story and what's the value proposition for your listeners? Oh, I didn't know we were starting from all the way back. I wasn't really ready for that one. But all right, all right, I got you. I got a little something I can share with you, Dave. So SpyCast is actually the first podcast on espionage and spying in the United States.
Starting point is 00:12:29 This is our 20th year. And our first host was the founding director of the International Spy Museum, Peter Earnest, who himself was a spy. So some good credentials there for starting a spy-focused podcast. Yeah, we're not making things up. No, no, not at all. And I'll add that anyone who has had the chance to visit your facilities in Washington, D.C., if you haven't, you're in for a treat. It really is one of the premier museums in Washington.
Starting point is 00:13:02 I mean, how many places can you go where you can see a bra with a camera between the bulges and also crawl through a duct? That's right. And let's not forget James Bond's car, right? Yeah, we have that. We used to have an Iranian drone in the lobby that had actually been taken from Ukraine during the full-scale invasion. I mean, we have a lot here.
Starting point is 00:13:31 Well, let's talk about the podcast itself. What do you all talk about week to week? Well, every week it's a different voice from the spy community here in the United States or abroad. Some of my favorite episodes in the past year, when I started hosting it, include Bill Evanina, who was the former director of counterintelligence. And we talked about how the massive layoffs that we were seeing across the federal government opened up this new threat vector for foreign intelligence services to start recruiting, China and Russia, on places like LinkedIn. And that conversation we had actually led the federal government to institute a new policy
Starting point is 00:14:15 to educate people before they left their jobs. I also remember a conversation with a former CIA officer named Ralph Mariani, who talked about how he was serving in Athens, and the station chief was assassinated by a terrorist organization called 17 November. This led the agency to start building in more protections for their officers. There's this guy, Nick Eftimiades, who used to work at the CIA and is just an encyclopedia of information about Chinese espionage tactics,
Starting point is 00:14:53 from the impressive to the laughably bad. And he's been building this database of more than 900 cases from around the world that he's continued to follow. There's one woman named Christine Kuhn. She talked about how her family history was really a mystery to her. She gets a phone call one day asking her about her grandfather. And this ultimately unfolds what becomes years of research, where she learns that her family actually spied for the Japanese and the Nazis. And her grandfather was the only person who was ever convicted and charged of gathering information on the eve of Pearl Harbor for the Japanese. How you handle the shame of that.
Starting point is 00:15:41 She wrote a book called Family of Spies. And one other person who stands out to me was this journalist, Fariba Nawa. She is based in Turkey, and she talked about how this is a country that is rife with spy games between the Israelis and the Iranians, who are both looking to recruit those who have left Iran and how dangerous it really ultimately becomes. Well, tell us a little bit about yourself, Sasha. How did you find yourself hosting this podcast? Well, my story definitely starts before this moment when I, as a journalist who specializes in the intelligence community, was just looking for a job, looking to pay my bills in Washington, D.C., where I live. I couldn't find a job in journalism, so I ended up taking a job as a writer and an editor at the State Department.
Starting point is 00:16:33 Somehow I got pulled into this tiny team that was tasked with debunking Russian disinformation after Russia seized the Crimean Peninsula from Ukraine. And that catapulted me into this fascinating world where all of a sudden now I'm meeting with the CIA and Ukrainians who are trying to dispel the Russian propaganda that has been pervading their country. When I left that job, I did eventually break into journalism and became a breaking news reporter at NPR, where I got to cover the dissolution of important treaties between the United States and Russia. And then I moved into a job at an organization called Scripps
Starting point is 00:17:18 News, where I became their national security correspondent. A lot of my reporting had to do with intelligence. It took me into China's secret police station above a ramen shop in New York City. I was the only journalist who got in. The FBI had just raided it. I was shocked that they actually let me in, Dave. And then I started my own media outlet. It's on Substack. It's called Human, standing for Human Intelligence.
Starting point is 00:17:48 And I do these reports. I do these reports on what's happening inside the intelligence community a couple times a week. It could be the developments in Venezuela and the United States' involvement in taking Maduro out of the country, China, Russia, Iran, what's happening inside the CIA and NSA, all of it is fair game. So I come into this role with all of those experiences, and for some reason, this museum pays me to ask questions. I joke, half joke, I suppose, that that is one of the things I love most about my job is that I get to talk to smart people about interesting things. And it sounds like you have,
Starting point is 00:18:36 you enjoy the same privilege. It's one of the coolest things that any human can ever do. And it's weird to kind of consider yourself a professional conversationalist. But I definitely like the side of asking questions more than what you're making me do right now. Fair enough. Well, can you give us a preview of some of the things that you have planned for this coming year? Our first interview of the year, and again, it's our 20th year, so we wanted to start off big, features a person who you've probably never, ever heard of. You've never seen him, you don't even know his name. It's Brian Carbaugh. He's the head of the Special Activities Center. That's the CIA's arm for covert action, which is authorized by the president. They do the most secretive, dangerous work in our country.
Starting point is 00:19:25 And we ticked through what it was like to serve in this center in the years where we saw the fall of Afghanistan, COVID, China rising up. So that's one example of what we have awaiting listeners. We're also about to do a month of content on operations in Latin America. So we start off by talking about the anniversary of the U.S. invasion of Panama. And then we also move into other topics, and into the story of a former DEA agent who created the country's first intelligence database on gangs and how he literally walked from prison to prison in Guatemala to gather the data for this database. And we end on Brian Stern, a man who actually went into Venezuela a few weeks ago and extracted María Corina Machado,
Starting point is 00:20:28 the Nobel Peace Prize winner, who is the opposition leader, who wants to go back into Venezuela and try to run that country. So explain to me how the podcast has evolved over time, how this new version differs from some of the previous ones. Well, Peter Earnest was Peter Earnest. He got to do whatever he wanted. We were living in a very, very different kind of world than we are today. It was also just a free-flowing conversation.
Starting point is 00:21:00 By this time, we have a format that is specific to about 30 minutes, basically to try to join you on your commute home. And it's tighter, it's more focused, but still retains the intimacy as well as the expertise. And, you know, we have just gotten some really, really exclusive voices from the spy world that you will not hear anywhere else. Well, I can say with confidence that the crossover of interests of the folks who are listening to us here on the CyberWire and SpyCast is huge. I mean, it is the type of thing that if you enjoy listening to this every day, you really should do yourself a favor and check out the SpyCast podcast. It's really compelling, edge-of-your-seat stories quite regularly. So, Sasha, thank you so much for taking the time.
Starting point is 00:21:55 And like I said, we're really thrilled to have you back joining our network. Thanks. It's good to be with you. And we're really excited for the year ahead. Be sure to check out the Spy Museum's SpyCast podcast wherever you get your favorite podcasts. You can also find a link to it on our website. And finally, a few years ago, a self-described ethical hacker named Rasmus Moorats bought a new electric scooter, not because it was the best on paper, but because it was proudly local, custom-built in his home nation of Estonia, and that felt right.
Starting point is 00:22:49 The charm dulled when the scooter maker went bankrupt and their cloud-dependent app began quietly losing features. Since even basic functions like unlocking depended on servers that might disappear, Moorats did what any calm, rational commuter would do, and reverse-engineered the entire system. Digging through a React Native app, Bluetooth traffic, and some unhelpfully obscure bytecode, he uncovered an awkward truth. Every scooter shared the same default Bluetooth authentication key. In practice, that meant anyone nearby could unlock any of this particular brand of scooter.
Starting point is 00:23:31 Oops. With a bit more work, he mapped the scooter's command structure, wrote his own control app, and restored independence from the cloud. The scooter still works, the servers can vanish, and the lesson stands. Local pride is great, but cryptographic defaults are forever. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week.
Starting point is 00:24:23 You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman.
Starting point is 00:24:57 Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference.
Starting point is 00:25:54 The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at RSA conference dot com slash cyberwire 26. I'll see you in San Francisco.
