CyberWire Daily - AI on the offensive.

Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Traditional pen testing is resource-intensive, slow, and expensive, providing only a point-in-time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost24's continuous pen testing as a service solution offers year-round protection, with recurring manual penetration testing conducted by Crest-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. Updates from RSA C 2025. Former NSA Cyber Chief Rob Joyce warns that AI is rapidly approaching the ability to develop

Starting point is 00:01:15 high-level software exploits. An FBI official warns that China is the top threat to U.S. critical infrastructure. Mandiant and Google raise alarms over widespread infiltration of global companies by North Korean IT workers. France accuses Russia's fancy bear of targeting at least a dozen French government and institutional entities. Sonic Wall has issued an urgent alert about active exploitation of a high severity vulnerability in its secure mobile access appliances. A China-linked APT group known as the Wizards is abusing an IPv6 networking feature. Gremlin's stealer emerges as a

Starting point is 00:01:51 serious threat. A 23 year old Scottish man linked to the scattered spider hacking group has been extradited from Spain to the United States. Senators urge FTC action on consumer neural data. New WordPress malware masquerades as an anti-malware plugin. Our guest is Andy Chow from Project Discovery, the winner of the 20th annual RSAC Innovation Sandbox Contest. Our intern Kevin returns with some Kevin on the Street interviews from the RSAC floor. And research reveals the risk of juice jacking isn't entirely imaginary.

Starting point is 00:02:41 Today is Thursday, May 1st, 2025. I'm Maria Varmazes in for Dave Bittner, and this is your CyberWire intel briefing. [♪ Music playing. [♪ Music playing. Happy Thursday everybody. Let's get into it. Day three of the RSAC 2025 conference concluded, having delivered a packed agenda of insights, warnings, and inspiration. The day opened with Dmitri Alperovitch's keynote, World on the Brink, offering a sobering look at rising Indo-Pacific tensions and how cyber warfare is now central to geopolitical

Starting point is 00:03:18 instability. Kevin Mandia followed with his annual State of Cyber address, highlighting the evolving CISO role, AI's growing influence, and resilience strategies. He was joined by journalist Nicole Pearl-Roth for a sharp analysis of the year's major threats and what lies ahead. In a shift from technical talk, NBA legend Magic Johnson took the stage, drawing parallels between sports leadership and cybersecurity teamwork in The art of the assist. A fireside chat between GCHQ director Anne Keast Butler and Chris Inglis

Starting point is 00:03:52 emphasized the need for cross-sector collaboration. And the day closed with a SANS Institute's breakdown of the five most dangerous new attack techniques and how to prepare for them. We will continue our coverage of RSAC 2025 over the next few days. Speaking of, at RSAC, former NSA Cyber Chief Rob Joyce warned that AI is rapidly approaching the ability to develop high-level software exploits. Joyce, who is now an advisor to Sandfly Security, predicted that AI could become a reliable exploit developer as soon as this year or the next.

Starting point is 00:04:29 He pointed to AI's strong performance in coding contests and the recent Hack the Box challenge where an AI team nearly matched top human competitors. While he's not worried about AI creating script kiddie attackers, he cautions that AI will enable skilled hackers to work faster and at scale. AI also enhances phishing attacks by generating convincing personalized emails, even with fake email threads and PDFs. On defense, AI offers speed advantages, like reversing complex code in seconds instead

Starting point is 00:05:01 of hours. Joyce also shared a clever ransomware attack that pivoted to a Linux video camera to encrypt data, highlighting how attackers exploit weak spots in unexpected places. Elsewhere at the RSAC conference, FBI Deputy Assistant Director Cynthia Kaiser called China the top threat to US critical infrastructure. She said Chinese state-backed hackers are increasingly using AI to boost their cyber capabilities. This includes crafting fake business profiles, launching more convincing spearfishing campaigns,

Starting point is 00:05:34 and improving early-stage network scans. While AI isn't yet creating shapeshifting malware, it's enhancing targeting efforts. Kaiser stressed the importance of multi-factor authentication as a defense against these evolving AI-powered threats. Joining us this week from RSAC 2025, we have our partner, Kevin McGee, Global Director of Cybersecurity Startups at Microsoft for Startups. Today, Kevin is joined by Shane Harding,

Starting point is 00:06:01 CEO of Devicey, and Nathan Ostrosky, co-founder of Petra Security. I'm Nathan Ostrovsky. I'm one of the founders at Petra Security. We detect M365 breaches. We live in San Francisco, so the trip here was pretty short and pretty sweet. Awesome.

Starting point is 00:06:22 So how was the trip here? Not too bad. Kind of great, kind of great. Hey, 20 minute Uber, you can't beat it. Awesome, that was better than mine. What themes are you looking to see at the show this year? To talk my own book, I feel like BECs are going up like crazy

Starting point is 00:06:40 and I'm always looking for people who are solving them in cool ways. Also, agentic AI is without a doubt the theme of every presentation this entire year, so I'm interested in what people are doing. Any cool sessions you're looking forward to seeing? Also going to give a biased take, one of my friends runs a company called Runcivil. They are doing some really, really cool things with automated red teaming, and I'm super excited to see what they have on stock.

Starting point is 00:07:04 Anyone else you're looking to connect with here at RSA? Hey, RSA is the craziest event of the year. There's always something unexpected and that's what I'm looking for, frankly, the unexpected. Awesome. Thanks a lot. Shane Harding, CEO of Devicey. Just flew in 22 hours from Melbourne, Australia. So feeling a little bit jet lag, but absolutely pumped to be here, right?

Starting point is 00:07:26 You know, for us, I think, you know, this year's a really big year for us as we're having a look at what we're going to, the impact we're going to have across cyber. And particularly from an RSA perspective, and we've really kicked it off, is this movement around sort of the agenic impact that's going to happen.

Starting point is 00:07:38 And for us, we think about this more from a software as a service transitioning to services software. And maybe finally, the ability to actually drive outcomes, right, instead of just additional workflows and buttons. And for us, and why that's important for what we do and for organizations is we think we focus on what is the hardest but often boring part of cyber and that's getting the foundations right,

Starting point is 00:07:59 particularly across the end points, right? Getting your policies, your applications, all of that in order initially and then consistently and forever. The things that no one else wants to do. And so what better way than to provide knowledge-based, dynamically driven workflows into an organization while still keeping them in control.

Starting point is 00:08:17 And even the kickoff from Microsoft perspective talked about this, right? How do agents, or sort of this agentic movement, allow for humans to still be involved in the workflow at the right time, but without having to do the mundane, boring things, right? And so we really find the synthesis of human and agent as we move forward.

Starting point is 00:08:35 And if I compare it to last year, I think when we have a look at the patterning that started to develop, we can see the sophistication in the space and the real acceleration of trying to understand how we're going to move into this area. A year ago it felt new, it felt clunky. Now we're starting to understand that interplay

Starting point is 00:08:54 and just to see how many companies are innovating in the space sort of gives us, and I know my broader team, so much encouragement in the direction that we're heading because for the first time I think we can taste actually solving meaningful problems in a complete way so much encouragement in the direction that we're heading, because for the first time I think we can taste actually solving meaningful problems in a complete way, instead of pretending that those problems are being solved, while just giving someone another button to click,

Starting point is 00:09:13 and forcing them down another clunky workflow that they're going to build their business around. Thank you to Kevin McGee from Microsoft for coming to us from RSAC 2025. Mandiant and Google are raising alarms over widespread infiltration of global companies by North Korean IT workers, a threat more pervasive than previously believed. At RSAC 2025, Mandiant CTO Charles Carmichael revealed that most Fortune 500 firms have unknowingly received job applications and often hired North Korean nationals. These operatives earn high salaries, often holding multiple jobs, funneling millions of dollars back to Pyongyang.

Starting point is 00:09:58 While initially seen as a revenue strategy, the risk has escalated, with some ex-employees resorting to extortion after termination. Mandiant and Google warned that these insiders could leak data or disrupt critical systems, especially under pressure. Evidence links some of the operatives to IP addresses used by North Korea's intelligence bureau, suggesting potential handovers of access to state-sponsored threat actors. Though companies are catching and removing infiltrators more quickly, the embedded nature of these actors poses a significant long-term cybersecurity risk to corporate and national infrastructure. France has publicly accused Russian state-backed hacking group APT-28,

Starting point is 00:10:40 also known as Fancy Bear and linked to the GRU, of targeting or compromising at least a dozen French government and institutional entities. Active since 2004, APT28 has increasingly focused on espionage using phishing, vulnerability exploitation, and brute force attacks, often with low-cost, disposable infrastructure. The French cybersecurity agency ANSI and Cyber Crisis Coordination Center identified attacks on local governments, ministries, research institutions, and think tanks, including efforts targeting the 2024 Olympics.

Starting point is 00:11:16 APT28 has used tools like the Headlace, Backdoor, and OceanMaps dealer, hiding infrastructure behind compromised routers and free services. France condemned these cyber attacks as a violation of UN norms and vowed to respond, highlighting past incidents including interference in the 2017 French elections and attacks on TV5 Monde. The government pledged continued vigilance and coordinated defense with international partners. Sonic Wall has issued an urgent alert about active exploitation of a high severity vulnerability in its secure mobile access appliances.

Starting point is 00:11:53 The flaw allows authenticated attackers with admin access to execute arbitrary commands risking full system compromise. Initially disclosed in December 2023, it is now being weaponized in real attacks. Sonic Wall urges customers to upgrade firmware, audit devices for unauthorized access, and strengthen authentication practices immediately. A China-linked APT group known as The Wizards is abusing an IPv6 networking feature to conduct adversary-in-the-middle attacks and hijack software updates on Windows systems, according to ESET. Active since at least 2022, the group targets entities in Asia and the Middle East, including individuals and gambling firms.

Starting point is 00:12:36 Their tool, called Spellbinder, exploits IPv6's stateless address autoconfiguration by sending spoofed router advertisement messages, tricking nearby systems into routing traffic through attacker-controlled gateways. Spellbinder is deployed via a fake AVG archive and uses DLL side-loading to load malicious code into memory. It captures traffic to Chinese software update domains, redirects requests, and installs the Wizard.Net backdoor for persistent access. ESET warns that organizations should monitor IPv6 traffic or disable IPv6 if not required.

Starting point is 00:13:13 This tactic mirrors similar supply chain hijacking seen in January by another APT group called Blackwood. A new malware dubbed Gremlin Stealer has emerged as a serious threat, targeting sensitive data like credit cards, browser cookies, and credentials. Discovered by Palo Alto Networks' Unit 42, the malware, written in C-sharp by the way, is aggressively promoted on Telegram and uses advanced techniques to bypass browser protections. It harvests data from browsers, cryptocurrency wallets, apps like Telegram and Discord, and exfiltrates it all via a Telegram bot or a dedicated server. With ongoing

Starting point is 00:13:51 development and a polished user interface, Gremlin's dealer signals a growing professionalized cybercrime threat. Krebs on Security reports that Tyler Robert Buchanan, a 23-year-old Scottish man linked to the Scattered Spider hacking group, has been extradited from Spain to the United States to face charges of wire fraud, conspiracy, and identity theft. Prosecutors allege that Buchanan and co-conspirators hacked dozens of companies, stealing over $26 million, primarily through SMS phishing and SIM swapping attacks back in 2022. Victims included Twilio, DoorDash, and MailChimp. The FBI tied Buchanan to the phishing campaign using domain registration data and IP addresses

Starting point is 00:14:35 linked to his UK residence. Buchanan fled the UK after being targeted by a rival gang and was arrested in Mallorca in 2024. U.S. authorities seized 20 digital devices, revealing stolen credentials and crypto wallet transactions involving 391 Bitcoin. Buchanan is one of five indicted in November 2024 as investigators continue probing scattered spiders' broader cybercrime operations, including links to ransomware attacks on MGM and Caesars. On April 28th 2025, US Senators Chuck Schumer, Maria Cantwell, and Ed Markey urged the Federal Trade Commission or FTC to scrutinize consumer

Starting point is 00:15:18 neuro technology companies over the handling of neural data. They highlighted concerns that brain-computer interface or BCI devices, ranging from medical implants to consumer-grade wearables, collect sensitive neural information capable of revealing mental health conditions and emotional states, often without adequate user consent or transparency.

Starting point is 00:15:40 The senators called for the FTC to investigate potential unfair or deceptive practices under Section 5 of the FTC Act, to assess data transfers to foreign entities under Section 6B, to clarify how existing privacy standards apply to neural data, and to enforce the Children's Online Privacy Protection Act, or COPPA, to safeguard miners' neural information. They also recommend initiating rulemaking to establish clear safeguards for neural data, ensuring that protections extend beyond existing biometric and health data rules, and setting appropriate limits on secondary uses such as AI training or behavioral profiling.

Starting point is 00:16:22 A sophisticated malware strain is targeting WordPress sites by masquerading as a legitimate anti-malware plugin. Discovered by Wordfence on January 22, 2025, this malware grants attackers persistent access through remote code execution, admin privilege escalation, and JavaScript injection for adware. It employs stealth tactics, such as hiding from the plugin dashboard and modifying WP-CRON.PHP to reinstall itself upon deletion. The malware communicates with a CNC server in Cypress every minute, reporting site details. Wordfence released detection signatures to premium users in January, with free users

Starting point is 00:17:00 receiving updates by May 23rd, 2025. Stick around after the break, Dave Bittner sits down with Andy Chow from Project Discovery, winner of the 20th annual RSAC Innovation Sandbox contest. Plus, juice jacking! Not just a myth. Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in.

Starting point is 00:17:53 Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora,

Starting point is 00:18:19 trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber. That's vanta.com slash cyber. That's v-a-n-t-a dot com slash cyber.

Starting point is 00:19:01 Secure access is crucial for U.S. public sector missions, ensuring that only authorized users can access certain systems, networks, or data. Are your defenses ready? Cisco's Security Service Edge delivers comprehensive protection for your network and users. Experience the power of Zero Trust and secure your workforce wherever they are. Elevate your security strategy by visiting cisco.com slash go dot sse. That's c-i-s-c-o dot com slash g-o slash s-s-e. Andy Chow of Project Discovery was recently named the winner of the 20th Annual RSAC Innovation Sandbox Contest at RSAC 2025. While at the conference, Dave Bittner caught up with him to discuss the event.

Starting point is 00:20:01 Here's their conversation. Who is the winner of the 2025 20th anniversary Innovation Sandbox Competition? Project Discovery. You got your award. Well, congratulations. Thank you. You crossed the finish line. You must be full of adrenaline right now. How are you feeling?

Starting point is 00:20:30 I mean, I am absolutely thrilled. And I think this is really a testament to our contributors, our global community, people who have believed in our open source tools from day one, and the people who wrote the first lines of code to nuclei. And I think it's really an opportunity to show the industry that open source really is possible in security. So for folks who aren't familiar with your tools who couldn't be here today give us the the really brief description of what you all do. We're solving vulnerability management with a open source tool that thinks like an attacker. So we're not looking at traditional version matching

Starting point is 00:21:06 that generate tons of noise that traditional scanners do. We help to identify exploitable risks and help teams automate their vulnerability management workflows. Why was the Innovation Sandbox on your radar to be here? I mean, this is the event. I have sat for years in the seats, wishing that one day I'd have an opportunity to tell the story about Project Discovery.

Starting point is 00:21:30 And today is just really a dream come true. But I think in security it's such a crowded landscape it can be really hard to tell a unique story and just to have the stage and the audience to be able to tell that is just such a special opportunity. As you sat out there today and you saw who you were up against, what sort of things were going through your mind? Oh my God, I mean every single one of these companies deserve to get this. I mean the stuff that we're all working on, I mean security is just so big

Starting point is 00:21:58 and I really wish that everyone could walk away with one of these, but I have nothing but respect for all the other presenters. They did such a good job. What's next? Growing. I mean, we have a big pipeline, but we're so excited to scale this even more and get the word out there.

Starting point is 00:22:14 So many people love nuclei. They have no idea that there's a company behind it with a cloud solution that can bring value in minutes. And so we're really excited to get that out there. And yeah, just grow and bring on in minutes. And so we're really excited to get that out there and yeah, just grow and bring on more customers. For that person who's sitting out there today, just the way you were year after year, who's thinking maybe we have a shot at it,

Starting point is 00:22:36 what's your advice? Practice. I rehearsed thousands of times in front of the mirror and yeah, just believe in the vision, tell a differentiated story, and come with energy. You know, the crowd's looking for something unique and just really, really sell it. Yeah.

Starting point is 00:22:57 Congratulations to you and your team. Thank you so much, Dave. That was Andy Chow from Project Discovery, winner of the 20th Annual RSAC Innovation Sandbox Contest, speaking with Dave Bittner. If you'd like to learn more about the Innovation Sandbox Contest, check out the link in our show notes. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.

Starting point is 00:23:42 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, despite years of skepticism and scaremongering about juice jacking, new research reveals that the risk isn't entirely imaginary. Imagine that. Security researchers have uncovered a method called choice jacking that defeats both

Starting point is 00:24:29 Apple and Google's decade-old mitigations designed to stop malicious chargers from accessing your phone's data. The attack abuses weaknesses in the USB protocol and OS level trust models, allowing chargers to spoof user input and hijack file access permissions. It works on 10 of 11 tested devices and can steal files in under 30 seconds if the attacker controls the charger and the device is vulnerable. Still, it's worth noting that there are no known real-world attacks of this kind. The biggest risk remains for Android phones with USB debugging enabled.

Starting point is 00:25:08 Apple and Google have issued fixes, but many Android devices haven't adopted them. So while juice jacking still sounds like a hacker horror story, some caution around public chargers might be justified... barely. [♪ MUSIC PLAYING, VINCENT HALLELUYS, THE CYBERWIRE, AND THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE CYBERWIRE DECLARATION OF THE the CyberWire. For links to all of today's story, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show,

Starting point is 00:25:56 please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter.

Starting point is 00:26:28 Learn how at n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltsman. Our executive producer is Jennifer Iben. Peter Kilpe is our publisher. and I'm Maria Varmasis, in for Dave Bittner. Thanks for listening, we'll see you tomorrow. And now a word from our sponsor, Spy Cloud.

Starting point is 00:27:14 Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat Protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.

CyberWire Daily - AI on the offensive.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.