CyberWire Daily - Behind the firewall, trouble brews.

Episode Date: July 11, 2025

Fortinet patches a critical flaw in its FortiWeb web application firewall. Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command’s fiscal 2026 budget includes a new AI project. Czechia’s cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy’s Ministry of Foreign Affairs. Mexico’s former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories. A retired US Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Woneis, VP of Product at Fingerprint, to discuss how bots are being used to facilitate music royalty fraud. A federal judge is not impressed with a crypto-thief’s lack of restitution.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Catherine Woneis, VP of Product at Fingerprint, to discuss how bots are being used to facilitate music royalty fraud and how companies can protect themselves.
Selected Reading
Critical SQL injection vulnerability in Fortinet FortiWeb enables unauthenticated remote code execution (Beyond Machines)
Critical Wing FTP Server Vulnerability Exploited (SecurityWeek)
Cyber Command creates new AI program in fiscal 2026 budget (DefenseScoop)
DeepSeek a threat to national security, warns Czech cyber agency (The Record)
Indian Cyber Espionage Group Targets Italian Government (Infosecurity Magazine)
Former Mexican president investigated over allegedly taking bribes from spyware industry (The Record)
Major Nintendo Switch Piracy Website Seized By FBI (Kotaku)
CISA Releases Thirteen Industrial Control Systems Advisories (CISA)
Lovestruck US Air Force worker admits leaking secrets on dating app (The Register)
Crypto Scammer Truglia Gets 12 Years Prison, Up From 18 Months (Bloomberg)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteme.com/n2k and use promo code n2k at checkout. That's joindeleteme.com/n2k, code n2k. Fortinet patches a critical flaw in its FortiWeb web application firewall. Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command's fiscal 2026 budget includes a new AI project. Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy's Ministry of Foreign Affairs.
Starting point is 00:01:57 Mexico's former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories. A retired U.S. Army Lieutenant Colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Woneis, VP of Product at Fingerprint,
Starting point is 00:02:20 discussing how bots are being used to facilitate music royalty fraud. And a federal judge is not impressed with a crypto thief's lack of restitution. It's Friday, July 11th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us. It's great as always to have you here with us. Fortinet has patched a critical flaw in its FortiWeb web application firewall affecting multiple versions. With a CVSS score of 9.6, the vulnerability allows unauthenticated attackers to run unauthorized SQL commands
Starting point is 00:03:21 and potentially achieve remote code execution via the GUI component. If you run FortiWeb, isolate its Web Admin interface from the Internet and plan to patch quickly. If patching is going to be delayed, consider disabling the Web Admin interface entirely, although this blocks normal Admin access. Disabling the Admin interface is only a temporary mitigation, not a permanent fix. Patching remains the safest and easiest solution. Hackers are exploiting a critical vulnerability in Wing FTP Server to execute arbitrary code
Starting point is 00:03:59 remotely. The flaw stems from mishandling null bytes, allowing attackers to inject Lua code into user session files and gain root or system privileges. While authentication is required, the exploit works with anonymous FTP accounts if enabled. Wing FTP patched this in a version released on May 14. However, after technical details and a proof-of-concept exploit were published on June 30, attacks began immediately. Huntress reports exploitation attempts including fetching files, system fingerprinting, and
Starting point is 00:04:37 deploying remote access tools. About 8,100 Wing FTP servers are Internet accessible, with over 5,000 exposing web interfaces, increasing their risk of compromise. U.S. Cyber Command's fiscal 2026 budget includes $5 million to launch a new AI project under its $1.3 billion R&D plan, DefenseScoop reports. This initiative follows a 2023 congressional mandate requiring Cybercom and other defense agencies to create a five-year roadmap for rapidly adopting AI in cyber operations. The project, called Artificial Intelligence for Cyberspace Operations, focuses on developing core data standards to curate and tag data for AI and machine learning integration.
Starting point is 00:05:27 Housed within the Cyber National Mission Force, it will pilot AI technologies using agile 90-day cycles for rapid testing and validation. Efforts include improving threat detection, automating data analysis, and enhancing decision making. The budget also outlines five AI application categories. Vulnerabilities and exploits, network security and monitoring, modeling and predictive analytics, persona and identity, and infrastructure and transport. This reflects CyberCom's broader push to operationalize AI for evolving cyber threats efficiently and effectively. Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek,
Starting point is 00:06:16 calling it a national security threat and banning its software from government devices. DeepSeek, known for its low-cost large language model released in January, has faced bans in several countries over privacy concerns. The Czech agency NÚKIB found DeepSeek's app collects and stores user data in ways accessible to Chinese authorities under laws like China's National Intelligence Law. It also warned the company's founder has ties to dual use military technologies. DeepSeek stores user data on servers in China and Russia,
Starting point is 00:06:54 raising further security risks. This follows similar warnings from countries, including Australia, India, and the Netherlands. US lawmakers are also considering banning its use in government. DeepSeek has not commented on the ban. The DoNot APT group, believed linked to India, has targeted Italy's Ministry of Foreign Affairs in a recent cyber-espionage campaign, Trellix reports. Known for South Asian espionage, DoNot APT is expanding to European diplomatic targets.
Starting point is 00:07:30 Attackers sent spear-phishing emails impersonating European defense officials discussing an Italian defense attaché visit to Bangladesh. The emails contained malicious Google Drive links leading to a RAR archive deploying malware. This infection chain used notflog.exe and a scheduled task called performTaskMaintain for persistent access. The payload was linked to LoptikMod malware used exclusively by DoNot APT since 2018. The operation aimed to exfiltrate sensitive diplomatic data while evading detection. Trellix warns this sophisticated attack underscores the group's growing interest in European intelligence and highlights the need for enhanced cyber defenses.
Starting point is 00:08:19 Mexico's attorney general has launched an investigation into claims that former President Enrique Peña Nieto took up to $25 million in bribes from Israeli businessmen to secure spyware contracts, including the Pegasus spyware from NSO Group. The allegations stem from an Israeli business publication, The Marker, citing arbitration documents between businessman Yuri Ansbacher and Avishai Naria. These documents reportedly describe bribes paid to Peña Nieto in exchange for lucrative government security contracts. Peña Nieto denied the claims, calling them baseless.
Starting point is 00:09:02 During his presidency, Pegasus spyware was used to target journalists, scientists, and activists in Mexico. The investigation seeks international legal assistance to access documents from Israeli courts. NSO Group did not comment on the allegations. Peña Nieto has faced previous corruption probes but has never been charged. The FBI has seized NSW2U, a major Nintendo Switch piracy site, as part of a law enforcement operation with Dutch financial crime agency FIOD.
Starting point is 00:09:38 NSW2U hosted Switch game ROMs for use on hacked consoles and emulators. The takedown follows Nintendo's ongoing crackdown on piracy, including lawsuits against emulator creators and ROM sites. NSW2U was added to the EU piracy watchlist in May. Users reported downloading games shortly before its seizure. Nintendo aims to tighten security further with the recent Switch 2 launch. Yesterday, CISA released 13 advisories detailing vulnerabilities in industrial control systems, affecting products from Siemens, Delta, Advantech, Kunbus, and others. The flaws range from issues in Siemens' TIA components and SIMATIC hardware to Kunbus'
Starting point is 00:10:29 RevPi, Delta's DTM Soft, and Advantech's iView, among others. CISA urges organizations using ICS equipment to review these advisories promptly and implement recommended mitigations to secure critical infrastructure. David Franklin Slater, a 64-year-old retired U.S. Army Lieutenant Colonel and civilian Air Force employee, has pleaded guilty to sharing national defense secrets with a woman he met on a dating app. From February to April 2022, Slater, who held top-secret clearance at Strategic Command in Nebraska, shared classified details about Russia's war in Ukraine, including
Starting point is 00:11:13 military targets and Russian capabilities. The woman, identified only as Co-Conspirator One, called him her secret informant love and repeatedly requested sensitive information. Despite signing non-disclosure agreements acknowledging potential harm to US security, Slater shared these secrets via email and online messages. He faces up to 10 years in prison, supervised release, and a $250,000 fine. Sentencing is set for October 8. Coming up after the break, my conversation with Catherine Woneis, VP of Product at Fingerprint, we're discussing how bots are being used to facilitate music royalty fraud.
Starting point is 00:12:05 And a federal judge was not impressed with a crypto thief's lack of restitution. Stick around. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes
Starting point is 00:13:03 the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business.
Starting point is 00:13:24 And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be.
Starting point is 00:13:51 Visit vanta.com/cyber to sign up today for a free demo. That's vanta.com/cyber. And now a word from our sponsor, CloudRange. At CloudRange, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation-based training helps security teams build confidence and skill from day one. By turning potential into performance, they empower SOC and incident response teams
Starting point is 00:14:33 to respond quickly, smartly, and in sync with evolving threats. Learn how CloudRange is helping organizations stay ahead of cyber risks at www.cloudrange.com. Catherine Woneis is VP of Product at Fingerprint. I recently caught up with her to discuss how bots are being used to facilitate music royalty fraud. So I'm talking today about really fraudsters that are creating fake artists, releasing AI-generated music, and launching thousands of AI bots to inflate streams and steal royalties
Starting point is 00:15:19 from music streaming platforms. So in a recent case, a fraudster reportedly operated 10,000 bot accounts at once to stream his own AI-generated catalog and really get over $10 million, allegedly, using his bot army to stream his fake artists' AI-generated music. Well, help us understand for folks who may not be familiar with how the payment system works with streaming music, what sort of things did this person have to do to generate this income stream? Yeah, so basically the first thing that he did was he signed up for many different artist accounts on a variety of different streaming services. So he signed up with various music distribution services that said,
Starting point is 00:16:06 okay, I'm this artist, I'm that artist, I'm the other artist. He then tried to bring on several different folks to co-create music with him, but realized soon that he couldn't scale that. So he then enlisted the help of AI to create thousands and thousands and thousands of independent songs,
Starting point is 00:16:25 each of which lasted about one minute. So many streaming services have a minimum of 30 seconds of length for a given song. And so he made them one minute in length so that it wouldn't trip up any sort of fraudulent pieces. And then what he did is he set up racks and racks of laptops with 30, 40 different tabs open in each one and programmed each one to be able to play randomized playlists of his own music, sprinkling in a couple of other artists along the way to try not to trip up things as well, to make it look as if there were hundreds of different artists who were being streamed by thousands of different people. He then got paid for all of these different streams for all of his different artists that he had.
Starting point is 00:17:12 And that's sort of how the fraud itself was actually perpetrated. Wow. Now it seems to me like, I suppose that the case could be made, that the generation of AI generated music isn't the problem here. Certainly there are plenty of accounts I've seen on places like YouTube and the streaming accounts where people have AI generated music and they're very upfront about it. And I know lots of people enjoy that as sort of background music, that sort of thing. But it seems to me like the real fraud here was setting up that army of bots to stream the music to trigger those
Starting point is 00:17:51 plays, and that's how we got paid. Yeah, so definitely AI-generated music does have its own challenges in terms of, especially if it's pulled from other artists, how do you appropriately copyright, protect those different artists and things like that as well. So this has been around since the days when you could do sampling and include things or potentially copy other pieces. But in this particular case,
Starting point is 00:18:16 the main fraud was that it was someone who was trying to look as if there were multiple people. And this is called multi-accounting fraud. This is used a lot to try to perform things like promo abuse or in this particular case, to pretend to be not only a bunch of different artists, but also to be a bunch of different humans listening to those different tracks.
Starting point is 00:18:39 There are really four basic classes of fraud that we see automations and fraudsters trying to commit. One is someone trying to look like they're multiple people, which is again, this multi-accounting fraud. The second one is someone trying to look like they are someone else in an account takeover situation. And the third one is really someone who's trying to look like they're somewhere else.
Starting point is 00:19:00 So this could be something like regional abuse. And in this particular case, this was a case of multi-accounting fraud where he was trying to pretend to be thousands of real listeners listening to his music. And what ultimately led to his downfall? What ultimately led to his downfall is that the different streaming services fraud systems did eventually pick up on the fraud, looking at a variety of different clues that the systems generated that were involved in perpetrating the fraud.
Starting point is 00:19:33 So many streaming services don't necessarily do real time fraud detection, they do fraud detection at the point of paying out the royalties and so forth. So even though the case itself talked about $10 million worth of fraud, that was scattered across a wide variety of different streaming services.
Starting point is 00:19:49 So it's not like one streaming service got hit with $10 million. The way that they found this out was through a variety of different techniques. One was being able to detect location obfuscation. So he was using VPNs, residential proxies, different IP addresses and so forth. And there are ways that you can detect whether or not that's in use.
Starting point is 00:20:11 Things like your time zone not matching, even what fonts they have installed on their machines and things like that that can tell them that. Secondly was that they were able to detect that these automated scripts were being used. So that had bot detection as a part of it. The third is the use of things like multi-accounting browsers or having multiple tabs open in the same browser. Sometimes using device intelligence, you can detect that thing as well as all being part of the same machine, the same visitor, and so forth.
Starting point is 00:20:43 What are some of the lessons to be taken away from this? For folks in our audience who are tasked with protecting their own organizations for the cybersecurity, are there general lessons here to be learned? Yeah, I think the main thing is that although he was using scripts to be able to facilitate streaming these different pieces in a world where ordinary users are increasingly going to be using
Starting point is 00:21:09 automations to perform a variety of tasks. So for example, Gartner estimates that 50% of all service requests in the next five years are going to be generated by automated agents as opposed to humans. It's not just a matter of looking to see whether or not there's an automation in use, but also what the intent of that automation might be. So being able to look at things, clues that can tell you, is this someone pretending to be multiple people or not? And whether that's through the use
Starting point is 00:21:36 of multi-accounting browsers, there was another case of a rapper who used racks and racks of Android phones in his office, each of which was streaming that. So being able to detect device farms, being able to detect device tampering, which a lot of fraudsters are using. So things like signal tampering, jailbroken phones
Starting point is 00:21:56 and so forth, as well as location obfuscation. Those are all different clues that folks need to be looking for in terms of detecting these fraudsters and they all need to be used in conjunction with each other. It's not enough these days to just say, oh, this is a bot or this isn't. You have to be looking for these other clues. Yeah. I mean, I suppose this is the sort of cat and mouse game that we've seen with so many
Starting point is 00:22:19 other things in this world of, you know, as each side ups their game, they will both evolve. Yes, definitely. We definitely will see that. And if bot detection and automation detection ever becomes really robust and sophisticated, I think we'll start seeing people even paying people again, like the old days of click farming and things like that. So fraudsters are always staying one step. We're always trying to catch up with them.
Starting point is 00:22:46 They've come a long way since people used to have a little notebook to write down their Nielsen viewing habits, right? Definitely, definitely. That's Catherine Woneis, VP of Product at Fingerprint. And now a word from our sponsor ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allow listing is a deny by default software that makes application
Starting point is 00:23:29 control simple and fast. Ring fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cyber criminals with world-class endpoint protection from ThreatLocker. There's regular cold. And then there's the mountains are blue cold. Mountain cold refreshment.
Starting point is 00:23:58 Coors Light. The chill choice. Celebrate responsibly. Must be legal drinking age. And finally, our F around and find out desk tells us the tale of one Nicholas Truglia, who once thought 18 months in prison was a steep price for stealing $22 million in crypto. Turns out, not paying back your victim can make life much steeper. A U.S. judge just bumped his sentence to 12 years after Truglia willfully failed to return nearly $20.4 million.
Starting point is 00:24:39 Truglia, part of a crew dubbed Evil Computer Geniuses, helped hijack blockchain mogul Michael Terpin's SIM card to drain his crypto. Court records revealed Truglia had $53 million in assets from Bitcoin to fine art. His lawyer insisted he surrendered everything accessible. Apparently he just couldn't access enough to avoid learning that while crypto can be volatile, so can sentencing when you keep the loot. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. We'd love to hear from you.
Starting point is 00:25:34 We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. Be sure to check out this weekend's Research Saturday and my conversation with Selena Larson from Proofpoint. We're discussing their research Amatera Stealer, rebranded ACR Stealer with improved evasion and sophistication. That's Research Saturday, do check it out. N2K's senior producer is Alice Carruth, our CyberWire producer is Liz Stokes, we're
Starting point is 00:26:05 mixed by Trey Hester with original music by Elliott Peltzman, our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here, next week. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business.
Starting point is 00:27:19 Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
