CyberWire Daily - Appetite for tracking: A feast on private data.
Episode Date: June 4, 2025Researchers uncover a major privacy violation involving tracking scripts from Meta and Yandex. A compliance automation firm discloses a data breach. PumaBot stalks vulnerable IoT devices. The Ramnit b...anking trojan gets repurposed for ICS intrusions. The North Face suffers a credential stuffing attack. Kaspersky says the Black Owl team is a cyber threat to Russia. CISA releases ISC advisories. An Indian grocery delivery startup suffers a devastating data wiping attack. The UK welcomes their new Cyber and Electromagnetic (CyberEM) Command. Our guest is Rohan Pinto, CTO of 1Kosmos, discussing the implications of AI deepfakes for biometric security. The cybersecurity sleuths at Sophos unravel a curious caper. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Rohan Pinto, CTO of 1Kosmos, and he is discussing the implications of AI deepfakes for biometric security. Selected Reading Meta and Yandex are de-anonymizing Android users’ web browsing identifiers (Ars Technica) Vanta leaks customer data due to product code change (Beyond Machines) New Linux PumaBot Attacking IoT Devices by Brute-Forcing SSH Credentials (Cyber Security News) Ramnit Malware Infections Spike in OT as Evidence Suggests ICS Shift (SecurityWeek) The North Face warns customers of April credential stuffing attack (Bleeping Computer) Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says (The Record) CISA Releases ICS Advisories Covering Vulnerabilities & Exploits (Cyber Security News) Indian grocery startup KiranaPro was hacked and its servers deleted, CEO confirms (TechCrunch) UK CyberEM Command to spearhead new era of armed conflict (The Register) Widespread Campaign Targets Cybercriminals and Gamers (Infosecurity Magazine) Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire. The North Face suffers a credential stuffing attack. talks about The UK welcomes their new cyber and electromagnetic command.
Our guest is Rohan Pinto, CEO of One Cosmos, discussing the implications of AI deepfakes
for biometric security.
And the cybersecurity sleuth Setsofos unravel a curious caper. It's Wednesday, June 4, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Researchers have uncovered a major privacy violation involving tracking scripts from
Meta and Yandex embedded in millions of websites, Ars Technica reports.
These scripts exploit legitimate browser features to link web activity with identities in Android
apps like Facebook, Instagram, and Yandex.
This bypasses Android's security model and browser privacy protections, effectively breaking
the sandbox that separates web and app data.
Meta began this tracking in 2023, while Yandex has used similar methods since 2017.
The abuse involves covert communication via local ports and misused protocols like WebRTC.
Although Meta and Yandex claim no sensitive data is collected, the technique de-anonymizes
users, even in private browsing. Chrome, DuckDuckGo, Brave, and Vivaldi have introduced partial fixes, but researchers
warn these are temporary.
They urge platform-level reforms to control local port access and enhance transparency.
Google says they're investigating, and both Meta and Yandex say they've paused the feature.
However, the issue does underscore ongoing risks in how mobile ecosystems handle privacy
and app-browser interactions.
Vanta, a compliance automation firm, disclosed a data breach incident affecting fewer than
four percent of its customers, although potentially impacting
hundreds of organizations. The breach stemmed from a product code change that
broke data isolation in Vanta's multi-tenant platform, leading to cross-
customer data leakage. As a result, a subset of data from under 20% of
third-party integrations was exposed and shared bidirectionally between accounts.
Leaked information included employee names, roles, security configurations, MFA usage,
and integration details.
While the number of affected individuals remains undisclosed, Vanta confirmed all impacted
customers have been notified. The issue was identified on May 26, with full remediation expected today.
Vanta supports compliance with frameworks like SOC 2, ISO 27001, HIPAA, and GDPR, making
the incident especially sensitive for its security-conscious clientele. Researchers at Polyswarm have uncovered a stealthy new Linux-based botnet called PumaBot,
targeting vulnerable IoT devices, especially surveillance systems.
Written in Go, PumaBot differs from typical malware by using curated IP lists from command-and-control
servers instead of scanning the Internet broadly.
This targeted approach helps it avoid detection.
Pumabot brute-forces SSH credentials to gain access, with a particular focus on devices
from Pumatronics, a surveillance equipment maker.
Once inside, it establishes persistence by disguising itself as legitimate services like Redis or
MySQL and embeds into system directories to survive reboots.
Its main goal is cryptocurrency mining, executing tools like XMRIG to generate illicit profits.
The malware also gathers system data and sends it back to attackers who maintain inventories of infected
devices.
Humabot's emergence underscores growing IoT risks tied to default credentials and weak
security practices.
Honeywell's latest security report reveals a sharp rise in ransomware attacks targeting
industrial organizations, with over half of
2024's SEC-reported incidents affecting operational technology.
More notably, data from Honeywell's SMX USB scanning solution uncovered nearly 1,800 unique
threats among 31 million scanned files, including 124 previously unseen.
The standout malware was Win32.Worm.Ramnet, responsible for 42% of all detections, and
showing a staggering 3,000% spike in the fourth quarter of 2024 versus quarter two.
Ramnet, originally a banking trojan, appears to be repurposed to extract industrial control
system credentials.
Its surge aligns with the widespread use of Windows-based ICS platforms, making it a potent
threat via USB-borne infections.
Honeywell's cybersecurity lead, Paul Smith, suggests that its effectiveness in stealing credentials
and use of built-in system tools may explain its dominance, whether by accident or targeted
design.
On April 23, outdoor apparel brand The North Face suffered a credential stuffing attack
where hackers used stolen login details from other breaches to access customer accounts.
Though payment data remained secure, personal details like contact info, shipping addresses, and purchase history were exposed.
The attackers exploited users' tendency to reuse passwords across sites.
The company responded by disabling compromised credentials, forcing password resets, and
urging customers to use unique passwords to reduce cross-platform security risks.
No internal systems were breached.
The pro-Ukraine hacker group BO team, also known as Black Owl, has emerged as a major
cyber threat to Russian institutions, according to Kaspersky.
Active since early 2024, the group operates independently with its own tools, often targeting
Russian government agencies and industries.
A notable attack recently disrupted a third of Russia's national court filing system.
BO team gains access via phishing and delays actions to avoid detection,
unusual for hacktivists. Their toolkit includes back doors like Darkgate, Brockendor, and
Remcos, and they often delete backups or use Babuk ransomware for extortion. The group disguises
malware as legitimate software and shares details of attacks on Telegram.
Despite their pro-Ukraine stance, BO team works solo without ties to other hacktivist groups,
setting them apart in Russia's threat landscape.
CISA issued critical advisories for severe vulnerabilities in Schneider Electric and Mitsubishi Electric industrial products,
threatening critical infrastructure like energy and manufacturing.
The most serious flaw with a CVSS of 9.3 affects Schneider's now unsupported home automation
devices, enabling remote code execution via buffer overflow.
Another Schneider vulnerability allows local code execution
in EcoStruxure software.
Mitsubishi's Melsec IQF PLCs face a CVSS 9.1 info disclosure
flaw from improper input validation.
CISA urges immediate mitigations,
including firmware updates and network security enhancements.
Indian grocery delivery startup Kirana Pro suffered a devastating cyberattack that wiped
all its data, including app code and sensitive customer information.
The breach, discovered on May 26, occurred after hackers accessed root accounts on AWS
and GitHub, likely via a
former employee's credentials. The attack rendered Kirana Pro's app unable to
process orders, halting operations for its over 30,000 active users across 50
cities. Founded in December 2024, Kirana Pro runs on India's open network for
digital commerce and supports voice-based
grocery ordering in multiple languages.
The startup had ambitious expansion plans, now stalled by the breach.
Despite using Google Authenticator for multi-factor authentication, hackers deleted all EC2 instances,
leaving no logs or recovery options.
Kirana Pro is pursuing legal action and investigating the incident with GitHub.
The UK's Ministry of Defence has unveiled its Strategic Defence Review, emphasizing
the critical role of the new Cyber and Electromagnetic Command, Cyber-EM. This new domain integrates cyber operations and electromagnetic warfare, now recognized
as foundational to modern military strategy.
The Cyber-EM command will lead both offensive and defensive cyber missions, coordinate across
services and work alongside the National Cyber Force without overlapping authority.
It will also anchor the UK's new digital targeting web, designed to connect military
assets for rapid, precision strikes.
The government aims to have the command operational by year's end, and will invest over £1 billion
to support it.
These moves come amid rising cyber threats and follow a damning
report on UK military readiness. UK Defence Secretary John Healy promises to reverse years
of decline by growing force size, expanding tech capabilities and returning the military a war-ready posture by 2027.
Coming up after the break, my conversation with Rohan Pinto, CTO of One Cosmos, we're
discussing the implications of AI deepfakes for biometric security, and the cybersecurity
sleuths at Sophos unravel a curious caper.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and
compliance. It automates the essentials from internal and third-party risk to
consumer trust, making your security posture stronger, yes, even helping to
drive revenue. And this isn't just nice to have. According to a
recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact. So if you're ready to trade in chaos for
clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be.
Get started at vanta.com slash cyber.
Rohan Pinto is CTO of One Cosmos.
I recently caught up with him to discuss implications of AI deepfakes for biometric security.
I think the reliance on biometric security should increase given the time period that
we are in right now with the exponential increase of deep fakes and AI generated content.
Because deep fakes in itself, they can mimic facial features, they can mimic voice patterns,
they can even mimic iris scans, thereby having the ability for an attacker to bypass a biometric
authentication or verification system. So I think it is pretty crucial for
any organization that works with biometrics to not
discount the fact that deepfakes are being used extensively,
especially given the whole North Korean hackers actually being
able to secure themselves jobs in the US Department of Defense by using deepfakes.
So it is pretty crucial that every organization that looks at biometrics to increase or enhance
their security posture does consider looking at methodologies and processes to thwart deep fakes as well?
You know, I think like a lot of people, the most frequent interaction I have with this sort of thing is on my mobile device.
I have an iPhone, I use Face ID to log in, and it works remarkably well.
And then I'll go to the airport and they might ask me to have my face scanned.
I was at a theme park recently and they used facial ID instead of tickets to get into the theme park.
I'm curious, what is the state of the art these days?
What is happening at the highest level with this sort of technology?
I know you and your colleagues there get very high marks for the products that you all provide.
Where do we stand?
We got to remember one thing.
When we talk in terms of systems or mobile devices or even kiosks at a theme park using
Face ID to authenticate an individual, we got to remember that the authenticity is what
matters. Because end of the day, Face ID is local to the mobile,
and you can actually have multiple individuals register
their Face ID on the same device.
So Face ID in itself is not sufficient to thwart deep fakes.
When you look at mobile apps or kiosks that rely on systems that purely
base identification or presence of an individual is not sufficient. Because what FaceID and
TouchID does is that it identifies presence. It does not actually bind the identity of
the user to the actual authentication mechanism.
For example, on my mobile device,
I have my face registered and I also have my son's face registered.
Which means that if I now use Face ID to access or authenticate into any corporate system,
you have very low assurance that it's actually Rohan Pinto that's logging or accessing the system, you have very low assurance that it's actually
Rohan Pinto that's logging or accessing the system,
because it could be any face ID that is registered on that device.
So at One Cosmos, we have approached the entire biometric
aspect of authentication and security from a completely different angle.
We have something called as Live ID, which means that we verify the authenticity of the individual in real time
by doing a lot of forensics in real time with the face that is being presented.
Also match that particular face to the face that was actually registered during the onboarding
event to ensure that it is not just cryptographically signed like what FaceID does, but also asserts
the fact that this is a live individual by doing a liveness check at the time of authentication to have additional assurance
that there is an actual identity that is tied
to that particular authentication attempt
regardless of the form of biometrics that are used.
I hope that.
Well, I mean, let's dig into some of the details of that.
When you say a live individual, I mean we are we looking for things like eye movement? Are we looking for things like a heartbeat?
What what sets me apart from say a a highly accurate?
Silicon mask
Yeah, absolutely. So when it comes up to silicon masks again
We do a lot of forensics on the face itself.
I'll give you an example.
I'll run through a couple of examples.
For example, we just don't look at the face.
We look at the depth between the ears and the nose,
the distance between the eyes, the position of the iris,
the angle from which you're looking at, the shadows,
the depth patterns,
and even we do some infrared as well
to ensure that the person is a living breathing individual.
However, this might not thwart a silicon mask
in the equation,
but it does enable us to identify that the person on the other end of the line
is a living, breathing individual, regardless of whether the user is using a silicon mask
or not.
Now, that combined with other passive detection techniques to analyze whether it is a deep
fake, whether there is noise in the equation,
whether there is granularity in the clarity of
the image that is being captured,
whether the camera being used is
a default camera of the device or is being
overridden by a third-party video streaming service.
A combination of a multitude of these elements enable us to have
a very high level of accuracy when it comes up to
identifying the individual.
Well, and it sounds like I mean, I think you captured one of the key points here and perhaps it's a point of
misunderstanding for a lot of folks, which is that this is a multi-layered thing, right? It's not just the biometrics.
There are many other factors that that you and the other folks
who do this kind of thing rely on.
Absolutely, it's a combination of biometric factors
and it could also include behavioral analytics.
And what I mean by behavioral analytics is that,
let's say the user is authenticating into a system,
he's typing in his user ID and password,
and once he authenticates into the system, the's typing in his user ID and password. And once he authenticates into the system,
the user performs certain actions.
So we also have the ability to detect
the user's behavioral patterns, typing patterns,
voice and face, and a combination of them increases
our accuracy level to reduces the success rate
of spoofing attempts.
How do you make sure that you're not introducing
undue friction with these sorts of systems?
Yes, that's a very interesting question.
Because when it comes up to the friction,
it's one of the elements that could actually thwart
a user from using biometrics.
So we try to make it as simple as possible when it comes up to user experience. elements that could actually thwart a user from using biometrics.
So we try to make it as simple as possible when it comes up to user experience.
And we have a lot of focus within our organization on enhancing the user experience.
So we do not want the user to go through a multitude of steps to prove who he or she
claims to be.
We want the user to be able to authenticate using face ID,
like what they always do,
except that the camera being launched for face ID
is not the default device camera,
but actually the camera that gets triggered
from within our mobile application itself.
So from a user experience perspective,
the user does exactly what the user does
on a day-to-day basis, which is look at his phone and log in.
But what we do additionally with that two-second or a one-second video that is
captured or a sequence of frames from the images that are captured,
the keystrokes that are captured,
the voice analytics that are captured and sent to
our analysis engine to give us real-time results,
is all transparent to the user experience.
So from a user experience perspective, all the user does is picks up his phone, the mobile
app would tell the user to smile, maybe look left or look right or maybe even blink.
You know, a few simplistic actions that do not confuse the user and the complexity is
all on the passive scanning side on the server side.
What are your recommendations for organizations
that are looking into this sort of thing?
How do they decide how to align the degree of complexity
here versus their own appetite for risk?
Yeah, so risk is another important factor out here, right?
Because various organizations have got various
risk thresholds that they would like to adhere to.
So let's factor in risk in addition
to the kind of tool sets
that an organization would need to use.
Now, either an organization can go out
and use tool sets provided by valid third parties
or third party organizations,
be it Microsoft or Google or Apple by themselves,
or even third parties like Plard or even Twilio
offer services that do liveness detection as such.
But one Cosmos per se, we offer the entirety as
a singular platform that the customer can use,
where the customer can choose to use things like liveness detection,
micro-expression analysis that could evolve alongside
a lot of sophisticated generative models
that we use for deep fake detection as well. So the integration of the security aspect of an organization's infrastructure
could be as simple as making an API call over to us.
We carry on with the user journey from there on, ensure that the biometrics are
authentic, ensure that it is not deep fake,
ensure that there are no silicon masks used.
We ensure that micro-expression analysis is also done,
run through a whole bunch of AI models that enable us to
determine whether this is AI-generated content or
otherwise before we can return back,
not just a success of the authentication attempt,
but also a risk threshold that the consuming organization
can adjust based on their own risk thresholds or appetite.
I see.
All right, well Rohan,
I think I have everything I need for our story here.
Is there anything I missed?
Anything I haven't asked you
that you think it's important to share?
Well, I think one of the most important things
that everybody talks about
is what are the mitigation strategies
for deepfake detection or for using deepfakes.
So one thing that I would, what I tell everybody
is that you got to ensure that
liveness detection is enabled and not rely on a static biometric authentication mechanism
just like FaceID.
Because FaceID does liveness detection on the edge and you would need to do a combination
of both liveness detection on the edge as well as on the server side. Additionally, add behavioral analytics onto it,
which is keystrokes or gate,
or traditional biometric verification systems as well.
On top of it, also ensure that you've got data governance rules in place so that you're
using products and technologies that are based on standards and
not something that's just available off of the internet.
That's Rohan Pinto, CTO of One Cosmos.
And finally, cybersecurity sleuths at Sophos have unraveled a curious caper. Over 130 open-source GitHub projects booby-trapped with back doors, all courtesy of a mystery
dev known only as ISCHHFDA3.
The plot kicked off when a user questioned the safety of Securirat, a so-called malware
tool that was less weapon, more whoopee cushion.
Upon inspection, researchers found the code discreetly downloaded extra malware mid-compilation,
targeting not businesses, but, in a karmic twist, other
hackers and wannabes.
What followed was a journey through a thicket of copy-pasted chaos, automated commits, copycat
accounts and layers of obfuscation cloaking nasties like LumaStealer.
Sophos suspects this is part of a broader distribution as a service racket.
They conclude the digital supply chain's underbelly remains as shady as ever, and if you're downloading
free hacking tools from strangers on GitHub, well, maybe you're the mark. And that's the CyberWire.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights until the end of August.
There's a link in the show notes.
Please do check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with Original Music
and Sound Design by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here, tomorrow. Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The Delete Me team handles everything.
It's the set it and forget it piece of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal,
20% off your DeleteMe plan.
Just go to JoinDeleteMe.com slash N2K
and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.