CyberWire Daily - Beware of BADBOX.
Episode Date: June 6, 2025

The DOJ files to seize over $7 million linked to illegal North Korean IT workers. The FBI warns of BADBOX 2.0 malware targeting IoT devices. Researchers uncover a major security flaw in Chrome extensions. ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials. Hitachi Energy, Acronis and Cisco patch critical vulnerabilities. 20 suspects are arrested in a major international CSAM takedown. Hackers exploit a critical flaw in Roundcube webmail. Today's guest is Ian Bramson, Global Head of Industrial Cybersecurity at Black & Veatch, exploring how organizations can close the cyberattack readiness gap. ChatGPT logs are caught in a legal tug-of-war.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's guest is Ian Bramson, Global Head of Industrial Cybersecurity at Black & Veatch. Ian joins us to explore how organizations can close the cyberattack readiness gap in industrial environments, especially as cyber threats grow more sophisticated and aggressive.

Selected Reading
Department Files Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf of the North Korean Government (U.S. Department of Justice)
FBI: BADBOX 2.0 Android malware infects millions of consumer devices (Bleeping Computer)
Chrome Extensions Vulnerability Exposes API Keys, Secrets, and Tokens (Cyber Security News)
Iran-linked hackers target Kurdish and Iraqi officials in long-running cyberespionage campaign (The Record)
CISA reports critical flaw in Hitachi Energy Relion devices (Beyond Machines)
Critical security vulnerabilities discovered in Acronis Cyber Protect software (Beyond Machines)
Cisco Patches Critical ISE Vulnerability With Public PoC (SecurityWeek)
Police arrests 20 suspects for distributing child sexual abuse content (Bleeping Computer)
Hacker selling critical Roundcube webmail exploit as tech info disclosed (Bleeping Computer)
OpenAI slams court order to save all ChatGPT logs, including deleted chats (Ars Technica)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
The DOJ files to seize over $7 million linked to illegal North Korean IT workers.
The FBI warns of BADBOX 2.0 malware targeting IoT devices.
Researchers uncover a major security flaw in Chrome extensions.
ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials.
Hitachi Energy, Acronis, and Cisco patch critical vulnerabilities.
20 suspects are arrested in a major international CSAM takedown.
Hackers exploit a critical flaw in Roundcube webmail.
Our guest today is Ian Bramson,
global head of industrial cybersecurity at Black and Veatch,
exploring how organizations can close the cyber attack readiness gap.
And ChatGPT logs are caught in a legal tug of war.
It's Friday, June 6, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today and happy Friday.
Great as always to have you with us.
The U.S. Department of Justice has filed a civil forfeiture complaint to seize over $7.7
million in cryptocurrency linked to North Korean IT workers who used stolen identities
to gain illegal remote employment.
These workers, often based in China and Russia, secretly funneled earnings to fund North Korea's
weapons program, skirting U.S. sanctions.
The scheme was allegedly orchestrated with Sim Hyun-Sop, a foreign trade bank rep, and
Kim Sang-Man, head of Cheong, a Ministry of Defense-linked firm.
The IT workers laundered funds through tactics like chain-hopping, token-swapping, and buying
NFTs.
The action is part of a broader crackdown, DPRK RevGen Domestic Enabler Initiative,
targeting North Korea's global revenue networks and their U.S. enablers.
The FBI and DOJ are leading the investigations.
The FBI is warning about BADBOX 2.0, a malware campaign that's infected over 1 million consumer IoT devices worldwide.
Found mostly on low-cost Android-based TVs, tablets, and projectors, often made in China,
BADBOX 2.0 turns these gadgets into residential proxies for cybercriminals.
The malware comes preloaded or is installed during setup via malicious apps or firmware updates.
Once infected, devices can be used for ad fraud, credential stuffing, and masking criminal traffic.
Despite earlier disruptions, the botnet continues to grow.
Most infections are in Brazil, the U.S., Mexico, and Argentina. The FBI urges consumers to avoid unofficial app stores,
monitor home network traffic, keep devices updated,
and disconnect any suspected compromised devices
to halt the malware's activity.
Researchers have uncovered a major security flaw
in Chrome extensions affecting over 15 million users.
The issue centers around developers hard-coding sensitive credentials directly in their JavaScript
code, things like API keys, authentication tokens, and cloud access secrets.
Since Chrome extension code is public, these credentials are easily accessible to attackers. Exposed secrets include
Google Analytics, Azure Speech APIs, and even AWS Keys. The risks range from corrupting
analytics data to incurring massive cloud costs or exposing broader infrastructure.
Symantec found the problem across multiple high-profile extensions,
including those from Avast and EquatIO. This points to a widespread issue in extension
development. Convenience often overrides secure coding practices. Attackers could exploit
these keys to spam devices, hijack cloud resources, or even pivot into connected systems with elevated
permissions.
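The Symantec finding above is, at its root, a secrets-in-source problem, and the cheapest place to catch it is before the extension package is uploaded. The following is an added example (not code from the episode or from Symantec's research) of a pre-publish audit that flags hard-coded credentials in an extension's JavaScript; every pattern, function name and sample line is constructed for illustration.

```javascript
// Added example, not code from the episode or from Symantec's research: a
// pre-publish audit that flags hard-coded credentials in a Chrome extension's
// JavaScript before the package is uploaded (where the source becomes public).
// Every pattern, function name and sample line below is constructed.

// Provider-specific formats first; the last entry catches the generic
// "<secret-ish name> = '<long literal>'" shape regardless of provider.
const SECRET_PATTERNS = [
  { name: 'AWS access key ID', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  {
    name: 'generic secret assignment',
    re: /(?:api[_-]?key|secret|token|password|subscription[_-]?key)\w*\s*[:=]\s*["'`]([^"'`]{16,})["'`]/gi,
  },
];

// Obvious placeholders are skipped so the report stays actionable.
const PLACEHOLDER = /example|changeme|placeholder|your[_-]/i;

// Shannon entropy (bits per character): random keys score high, words low.
// Reported with each finding so reviewers can triage the generic hits first.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scans one source file and returns findings with 1-based line numbers.
// The preview keeps only the first four characters so the audit log does
// not itself become another copy of the secret.
function scanExtensionSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // global regexes are stateful; reset per line
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[1] || m[0];
        if (PLACEHOLDER.test(value)) continue;
        findings.push({
          line: idx + 1,
          kind: name,
          preview: value.slice(0, 4) + '\u2026',
          entropy: Number(entropy(value).toFixed(2)),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of a background script with the mistakes described
// in the story; none of these values is a real credential.
const SAMPLE_EXTENSION_SOURCE = [
  '// background.js (constructed sample)',
  "const AWS_ACCESS_KEY_ID = 'AKIAZZ5Q7TK3P9M2XW4L';",
  "const mapsKey = 'AIzaSyConstructedKey0123456789abcdefghi';",
  "const speechSubscriptionKey = 'f3a9c1e7b2d4486e9a0c5b7d1e2f3a4b';",
  "const apiEndpoint = 'https://api.example.com/v1';",
  "const password = 'changeme_placeholder';",
].join('\n');

console.log(JSON.stringify(scanExtensionSource(SAMPLE_EXTENSION_SOURCE), null, 2));
```

Run it as a CI step over every `.js` file in the extension directory and fail the build on any finding; the fix for a real hit is to move the call behind a backend the extension authenticates to, since nothing shipped in the package can be kept secret.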
Iran-linked hackers, identified as Bladed Feline, have been conducting a years-long
cyberespionage campaign targeting Kurdish and Iraqi government officials, according
to ESET.
Believed to be a subgroup of Iran's OilRig, Bladed Feline has operated since at least
2017, initially breaching the Kurdistan Regional Government and later expanding to Iraq's Central
Government and even a telecom provider in Uzbekistan.
The group uses custom malware like Shamaran, Whisper, and PrimeCache to spy on systems,
exfiltrate data, and maintain remote access.
Entry points likely include exploited server vulnerabilities and web shells.
Researchers say the campaign likely supports Iran's geopolitical goals by monitoring the
KRG's Western ties and countering US influence in Iraq.
OilRig has a history of targeting critical sectors and using
compromised networks for supply chain attacks.
Hitachi Energy has patched two critical vulnerabilities in its Relion 670/650 series and SAM600-IO
devices, which are widely used in power grid protection and
control.
The flaws could allow remote attackers to trigger memory corruption, risking grid stability.
Hitachi Energy has released targeted updates and recommends users upgrade to secure revisions.
No public exploitation has been reported, but mitigation steps are advised
for older systems.
Acronis Cyber Protect users are urged to update immediately due to multiple critical vulnerabilities,
including three with the highest CVSS score of 10.0. These flaws allow attackers to bypass
authentication, access sensitive data, and escalate privileges.
Updates have been available for a month.
If updating isn't possible right away,
restrict network access and monitor systems for suspicious activity.
Cisco has patched 12 vulnerabilities across its products,
including a critical flaw in cloud deployments of its Identity Services Engine (ISE).
This bug affects AWS, Azure, and Oracle Cloud ISE instances where shared
credentials are improperly generated, allowing attackers to access sensitive data or modify
configurations. No workarounds exist and proof of concept code is public.
Cisco also addressed two high-severity SSH flaws in its IMC and Nexus Dashboard Fabric Controller,
which could allow unauthorized access or man-in-the-middle attacks.
Additionally, nine medium severity bugs were patched across various Cisco communication and management tools.
Two have public proof-of-concept code, though no active exploitation is reported.
Cisco strongly urges users to apply updates immediately.
An international law enforcement operation has led to the arrest of 20 suspects involved in producing and distributing child sexual
abuse material, CSAM.
Launched after Spanish police uncovered messaging groups sharing CSAM in late 2024, Operation
Vibora identified 88 suspects globally.
Interpol and Europol coordinated efforts across the Americas, Europe, Asia, and Oceania.
Spain arrested seven individuals, including a teacher and health care worker.
Ten more were arrested in Latin America, including three in El Salvador and a teacher in Panama.
Additional arrests occurred in Europe and the U.S.
This operation follows earlier global actions against CSAM platforms,
including Operation Stream, which dismantled the dark website KidFlix, and another that
targeted AI-generated CSAM. These efforts have collectively identified hundreds of suspects
and seized thousands of devices.
Cybersecurity company FearsOff reports that hackers are now exploiting a critical
post-authentication remote code execution flaw in Roundcube webmail.
The bug, present for over a decade, was patched on June 1st, but attackers quickly
reverse-engineered the fix and began selling a working exploit online.
Dubbed Email Armageddon, the flaw stems from unsanitized session variables leading to PHP
object injection.
Despite requiring login access, attackers claim credentials can be extracted from logs,
brute-forced, or obtained via CSRF.
RoundCube is widely used by hosting providers and organizations across government, education,
and tech sectors.
With over 1.2 million instances online, the attack surface is significant.
Security researchers urge immediate patching, given the vulnerability severity, CVSS score of
9.9, and the active exploitation in the wild.
Coming up after the break, my conversation with Ian Bramson, Global Head of Industrial
Cybersecurity at Black & Veatch,
we're exploring how organizations can close the cyberattack readiness gap.
And ChatGPT logs are caught in a legal tug of war.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual
processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger,
yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC,
teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
efficiency to your GRC game.
Vanta GRC, how much easier trust can be.
Get started at Vanta.com slash cyber.
Ian Bramson is global head of industrial cybersecurity at Black & Veatch.
I recently spoke with him about how organizations can close the cyber attack readiness gap.
The state of things is, I would say, in flux, and what I mean by that is we're at a change point right now,
where you're seeing a convergence of a lot of different factors, from, you know, increased attacks
to different types of regulatory environments to lots of digitalization, lots of things pushing people in different ways.
And so what you get as a result of that is a lot of different activity depending on what
specific companies are doing.
Meaning I've been asked, hey, is there a sector that's going better or worse or faster?
And I'm saying it's companies. Companies that clue in are moving more quickly on it,
while others are not.
So it's sort of this emerging primordial soup of stuff
where you have all this activity happening
and it's just all worked out in different ways.
So it's inconsistent.
When you think about the haves and the have-nots out there,
and as you say, it's company-based,
I mean, how much of that, or say,
how does that interact with the regulatory regime
that these organizations have to operate under?
Well, when we look at industrial cybersecurity,
we look at it both from the lens of compliance,
so that regulatory environment,
and we look at it from being secure.
And we see absolutely that there's a difference between being compliant and being secure.
Meaning I've got clients who are very focused on being compliant, and they are, but there's
still lots of gaps in there and I've got
other clients who are much more focused on security and they'll check the box
on compliance but they're doing what they need to do so again it's in that
arena that that it's all emerging attack surfaces and everything are changing
quickly regulations are usually struggling to keep up.
And so the focus really needs to be on security more than just compliance.
And for the organizations out there who are seeing success, what are the common elements that they share?
Common elements that companies that are really making progress share are a few. One is they have commitment from the board of directors
and an understanding and appreciation of what industrial cybersecurity is,
meaning it's not just about data, it's about safety, and it's about uptime.
Bad guys are trying to blow stuff up and they're trying to shut stuff down.
And if they fully appreciate that,
then they're dedicated to doing something about it.
The second part of that is that the companies that
are really into this understand how
to answer some of the basic questions, things like,
do I know what I need to protect?
That's asset inventory and asset management.
Do I know where my holes are?
That's vulnerability management and patch management.
Can I see someone in my system? Can I get them out? That's monitoring and
response. So they ask those basic questions to set those foundations and they understand
that setting that strong foundation is what's important. And that's the most common parts
of that, having that executive commitment and then answering the blocking-and-tackling
types of questions that you have to have out there
to set their strong foundation.
And in terms of getting that executive commitment,
I mean, what, in your experience,
what's been the effective mode of messaging
to get them to understand the problem
and to buy into the solution.
Yeah, you know, senior executives,
boards of directors, they speak the language of risk.
They understand consequence,
they understand the idea of probability and impact,
and you need to translate all those technical terms
into that type of concept.
This is risk management.
This is about how your operations run.
So it's about, again, safety and uptime risks.
But you need to break it down into that.
And once you can put it into that risk language and risk
concept, build a risk register, understand
how it relates to strategic goals,
that type of language and that type of presentation,
that gets you a lot farther than talking about bits and bytes
about what's happening.
We often will say, build that risk register,
prioritize your risk, and then bang on that risk register
until money comes out.
When you go to the senior executives.
That's a great way to put it.
What about public utilities?
And I was thinking specifically of water utilities,
who I'm sure we have some folks listening
who are thinking, you know, this all sounds great,
but I don't have a penny to spare in my organization.
You know, how do I set priorities?
Yeah, and that is one of the major issues
that we're coming across, particularly in water,
but in the across the different utilities
is the motivation is there, right?
They understand it, they get it, they're getting attacked,
but it's the, what do I do now?
What's next?
And how do I afford that?
So there's no one silver bullet or clear answer,
but there are things you can do.
You can look into grants and funding options.
You can look at what that means to your rate cases.
And you can also look about building it in earlier.
When you're doing either new projects
or major modifications,
capex type things, cyber is usually left off the table. If you can bring it in earlier,
you can do things a lot cheaper, meaning in a lot better, right? Build it in is better than
bolting it on. Well, if you get it, move that starting point into that greenfield build or that major modification, that's a great way
that you can manage the costs on this
while also increasing your security posture.
What are your recommendations for the security person
who knows they wanna spend more time
and attention with this, but maybe feels a little overwhelmed
by the size of the project in front of them.
Well, I can appreciate that
because there is certainly a lot to do
and there's a lot at risk.
But when you approach it, when things get complex,
I like to simplify, right?
When you're looking at this,
we're not looking at the whiz bang, next gen, fantastic stuff.
You're looking at the basics, the foundation.
So ask yourself those core questions,
kind of the ones I brought up earlier,
the ones of companies being successful,
things like do I know what I need to protect?
Asset inventory, do I know where my holes are?
Do I know who my suppliers and supply chains are?
And do I have a good hold of what's coming in how to protect that?
Can I see someone in my system? Can I get them out?
Basically translate all the different types of technologies and technology vendors back down to the basics of
what you need to do to cover what you need to protect,
and prioritize that. And it's not, it sounds simple, but it's not easy, right?
You do still have to have a lot of questions in it,
but the best advice I can give is start breaking it down
into those simple steps or clear steps, shall we say,
and start working through those.
What sort of work are you doing to help close this gap?
What's the types of things that you're offering
with the folks that you work with?
Sure, we offer a variety.
We know that our clients,
this is a lifetime life cycle approach,
meaning we call it cyber asset life cycle management
or CALM, which is always a good thing for cyber.
But we look at this from the very beginning,
meaning when you're building it into a green field
or major modification, when you're building that utility,
that site, that power station, that water treatment center,
what do you need to build in?
But then as you're running it,
what do you need to do there?
How do you also deal with the rest of what you have? So we offer everything from
consulting, meaning what do I do next? Where do I go now? I just got the rose pinned on me,
what now? To the actual implementation, meaning help me build this from the ground up,
both on a site level and technology level,
and all the way through to the programmatic level,
and help me operate it.
Because our clients have this journey
that they're going through, from the what now
to help me build it to help me run it.
And we're there throughout that process
and throughout
all their new builds and their existing operations. It's a big
challenge with a lot of facets to it but that we found that our clients really do
need a partner who has been there who knows how to build this stuff knows how
everything fits together and can see them through that journey.
That's Ian Bramson from Black & Veatch.
And finally, OpenAI is squaring off with a federal judge over a sweeping court order
that, in essence, forces it to save everything.
Every deleted ChatGPT message, every temporary chat, even the API-based confessions of businesses
panicking about quarterly earnings.
Why? Because the New York Times and others
suing OpenAI over copyright concerns suspect that users are deleting chats to
cover their digital tracks. The judge agreed and ordered OpenAI to preserve
all logs. OpenAI, now somewhere between concerned and hair on fire, argues this defies logic, privacy
policy and possibly several international laws.
They say we didn't destroy data, we just honored users' decisions.
Now they're being told to keep everything, even your wedding vow drafts and that ill-fated
budget spreadsheet. Caught between litigation and privacy commitments,
OpenAI wants the order tossed. Until then, users everywhere are side-eyeing their chat
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey
to learn more about our listeners.
We're collecting your insights
through the end of this summer.
There is a link in the show notes.
Please do check it out.
Be sure to check out this weekend's Research Saturday
and my conversation with Michael Gorelik from Morphisec.
We're discussing their research,
"New Noodlophile Stealer Distributes via Fake AI Video Generation Platforms."
That's Research Saturday, check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening, we'll see you back here next week.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The Delete Me team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.