CyberWire Daily - China's chatbot sends tech stocks into tailspin.

Episode Date: January 27, 2025

Chinese AI startup DeepSeek shakes up the market. Trump freezes cyber diplomacy funding and puts a vital U.S.-EU data-sharing agreement at risk. A trojanized RAT targets script kiddies. U.K. telecom giant TalkTalk investigates a data breach. Researchers uncover a critical flaw in Meta's Llama Stack AI framework. Attackers leverage hidden text salting in emails. The "FlowerStorm" phishing framework targets multiple brands to steal customer credentials. A critical zero-day hits SonicWall VPN appliances. Swedish authorities seized a cargo ship suspected of damaging a key fiber optic cable. Freezing out crypto-kidnappers. Our guest is Jon Miller, CEO and Co-founder from Halcyon, sharing trends in ransomware and insights on Brain Cipher. The British Museum defends its artefacts from IT attacks.

CyberWire Guest
Our guest today is Jon Miller, CEO and Co-founder from Halcyon. For more detail on the conversation, check out Halcyon's Power Rankings: Ransomware Malicious Quartile Q4-2024.
Selected Reading
A shocking Chinese AI advancement called DeepSeek is sending US stocks plunging (CNN Business)
Politicization of intel oversight board could threaten key US-EU data transfer agreement (The Record)
Cyber diplomacy funding halted as US issues broad freeze on foreign aid (The Record)
Weaponised XWorm RAT builder Attacking script kiddies to Steal Sensitive Data (GB Hackers)
Change Healthcare Breach Almost Doubles in Size to 190 Million Victims (Infosecurity Magazine)
TalkTalk investigating data breach after hacker claims theft of customer data (TechCrunch)
Meta rushes to fix critical Llama Stack AI flaw (Cybernews)
Seasoning email threats with hidden text salting (Cisco Talos)
New Phishing Framework Attacking Multiple Brands To Steal Customer Logins (Cyber Security News)
More than 2,000 SonicWall devices vulnerable to critical zero-day (The Record)
Sweden seizes vessel after another undersea cable damaged (The Register)
Nicolas Bacca: "We have invented a unique organisational model for intervening in cryptocurrency ransom" (The Big Whale)
British Museum hit by alleged IT attack by ex-worker (BBC News)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
Starting point is 00:00:43 reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K. Chinese AI startup DeepSeek shakes up the market. Trump freezes cyber diplomacy funding and puts a vital US-EU data sharing agreement at risk. A trojanized RAT targets script kiddies.
Starting point is 00:01:45 UK telecom giant TalkTalk investigates a data breach. Researchers uncover a critical flaw in Meta's Llama Stack AI framework. Attackers leverage hidden text salting in emails. The FlowerStorm phishing framework targets multiple brands to steal customer credentials. A critical zero-day hits SonicWall VPN appliances, Swedish authorities seize a cargo ship suspected of damaging a key fiber optic cable, freezing
Starting point is 00:02:12 out crypto-kidnappers, our guest is Jon Miller, CEO and co-founder from Halcyon, sharing trends in ransomware and insights on Brain Cipher, and the British Museum defends its artifacts from IT attacks. It's Monday, January 27, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It is great to have you with us. US tech stocks took a hit Monday after Chinese AI startup DeepSeek unveiled its R1 model, a ChatGPT competitor developed at a fraction of the cost of American AI models. While US companies like Meta and OpenAI spend billions on AI development, DeepSeek claimed to have trained R1 for just $5.6 million, sparking investor concerns about the sustainability of U.S. tech spending and dominance in AI.
Starting point is 00:03:34 The announcement sent shockwaves through markets with Nvidia shares dropping 12% and the NASDAQ falling 2.3%. Analysts questioned whether DeepSeek's breakthrough is as transformative as it appears or if the market overreacted. Critics noted that the model, while cost-effective, hasn't proven it can match the industrial-grade capabilities of American AI. DeepSeek's rise also highlights China's AI progress despite US chip restrictions. As earnings reports loom, tech companies' responses to DeepSeek's challenge could fuel
Starting point is 00:04:12 further market volatility. Investors remain cautious but intrigued. DeepSeek's platform reportedly strained under the load of its newfound popularity, with outages reported. The Trump administration's move to remove Democratic members from the Privacy and Civil Liberties Oversight Board threatens the Transatlantic Data Privacy Framework, a vital U.S.-EU data-sharing agreement. The EU relies on the agreement to ensure U.S. intelligence agencies' data collection aligns
Starting point is 00:04:46 with European privacy standards. A weakened or non-functional agreement could undermine trust in the transatlantic data privacy framework, forcing U.S. companies to adopt alternative, less feasible mechanisms under GDPR, potentially disrupting transatlantic business operations. Meanwhile, the U.S. State Department froze nearly all foreign aid, including cyber diplomacy funding, following an executive order from President Trump. This halt affects the Bureau of Cyberspace and Digital Policy, established to advance U.S. tech diplomacy. The freeze jeopardizes initiatives like cyber-response efforts in
Starting point is 00:05:26 Costa Rica and digital infrastructure projects. Critics warn these moves weaken U.S. credibility on privacy and cyber diplomacy, raising concerns about long-term consequences for international cooperation and commerce. A trojanized version of the XWorm remote access Trojan builder has infected over 18,000 devices globally, targeting novice users through GitHub, Telegram, and other platforms. The malware exfiltrates browser credentials, Discord tokens, and system data while maintaining persistence via registry manipulation and anti-detection
Starting point is 00:06:05 features. Researchers disrupted the botnet using its own kill switch, though many devices remain infected. Experts emphasize proactive defenses like endpoint detection and response, blocking known indicators of compromise, and educating users to prevent future attacks. UnitedHealth Group has confirmed that a ransomware attack on Change Healthcare in 2024 impacted 90 million more customers than initially reported, bringing the total to nearly 190 million. Compromised data includes health insurance, billing, Social Security numbers, and banking
Starting point is 00:06:44 details accessed via a Citrix portal lacking multi-factor authentication. The attack, led by the BlackCat ransomware group, resulted in a $22 million ransom payment. UnitedHealth Group claims no evidence of data misuse so far, with breach notifications largely completed. This breach surpasses the 2015 Anthem incident as the largest healthcare data breach in U.S. history. U.K. telecom giant TalkTalk is investigating a data breach after a hacker, Bond, claimed to have stolen personal data of over 18.8 million customers, including names, emails, IPs, phone
Starting point is 00:07:27 numbers, and PINs. TalkTalk disputes the figure, stating it is significantly overstated, as they currently have only 2.4 million customers. The breach reportedly involves CSG's Ascendon platform, used for subscription management, but no financial data was stored there. TalkTalk previously faced scrutiny for weak cybersecurity after a 2015 breach. Investigations continue. Researchers at Oligo uncovered a critical flaw in Meta's Llama Stack AI framework, enabling
Starting point is 00:08:03 attackers to execute remote code on servers hosting AI apps. The vulnerability, tied to misuse of the PyZMQ library for message handling, allowed untrusted data to be processed without validation, exposing systems to malware deployment. The bug received a critical severity score of 9.3 but was rated lower by Meta. Meta quickly patched the issue, and PyZMQ improved its documentation. Cisco Talos observed a rise in email threats leveraging hidden text salting, a technique used to evade email parsers, spam filters, and detection engines by embedding invisible text
Starting point is 00:08:46 in email HTML. Threat actors misuse CSS and HTML features to conceal content, making it difficult for detection systems to parse. Techniques include inserting zero-width characters, hiding text with CSS properties, or adding misleading content to confuse language detection and file parsers. These methods have been used in phishing campaigns impersonating brands like Wells Fargo, Norton LifeLock, and Harbor Freight. Experts recommend advanced filtering systems to detect suspicious CSS usage and abnormal HTML structures. The FlowerStorm phishing framework, active since June 2024,
Starting point is 00:09:30 targets multiple brands to steal customer credentials. Uncovered by CloudSEK, this phishing-as-a-service platform enables large-scale adversary-in-the-middle attacks by dynamically adapting phishing pages with customized URLs and realistic backgrounds based on victims' email domains. Hosted on Cloudflare's workers.dev platform, FlowerStorm enhances legitimacy and employs obfuscated JavaScript to evade detection. Victims are lured to generic webmail pages that impersonate brands, exfiltrating credentials to remote servers.
Starting point is 00:10:07 FlowerStorm's rise coincides with a surge in phishing, including a 692% increase during the 2024 holiday season. A critical zero-day vulnerability affecting SonicWall's Secure Mobile Access 1000 series VPN appliances is being actively exploited by hackers, prompting urgent warnings. The flaw, rated 9.8 in severity, impacts over 2,300 Internet-exposed devices, mainly in the U.S., Germany, and Hong Kong. SonicWall and Microsoft urge users to apply a hotfix immediately. Swedish authorities have seized the cargo ship Vezhen, suspected of involvement
Starting point is 00:10:53 in damaging a key fiber-optic cable between Sweden and Latvia. The cable, owned by the Latvian State Radio and Television Center, LVRTC, was damaged yesterday. While Vezhen's proximity to the site raises suspicion, involvement is unconfirmed. This incident follows several recent cable disruptions in the Baltic Sea, raising fears of sabotage potentially linked to Russia's shadow fleet. NATO and EU nations, already on high alert, have deployed warships and surveillance to safeguard undersea infrastructure. Investigations into similar incidents, including Finland's Christmas Day cable damage allegedly
Starting point is 00:11:36 caused by a tanker dragging its anchor, remain ongoing. NATO is advancing plans to deploy submarine drones for cable monitoring, while the UK recently intercepted a suspected Russian spy ship near its waters, heightening regional tensions. David Balland is co-founder of Ledger, a prominent French company specializing in secure hardware wallets for cryptocurrencies. When Balland and his wife were kidnapped and held for ransom, Nicolas Bacca, co-founder and former CTO of Ledger, knew he had to act.
Starting point is 00:12:15 As the ransom demanded was in cryptocurrency, Bacca saw an opportunity to help authorities neutralize the financial aspect of the crime. "I thought about how I could contribute," he explained, and decided to focus on freezing the funds quickly once the hostages were freed. Bacca assembled a specialized team, including legal expert Sara Campani, with strong ties to platforms like Tether and KuCoin, and SEAL 911, a group skilled in rapid cryptocurrency interventions. Together, they created a system capable of sending freeze requests to multiple platforms within minutes.
Starting point is 00:12:54 Coordination was key. Every move had to be perfectly timed. When the moment came, the plan worked. A significant portion of the funds was frozen, denying the kidnappers access. This groundbreaking effort, Bacca said, could become a model for future cases, creating a new standard for tackling crypto-related crimes. Despite challenges like managing decentralized mixers, Bacca remains optimistic. "Every effort counts," he said, confident that such coordinated responses can reshape how
Starting point is 00:13:27 authorities handle these complex situations. Coming up after the break, I'm joined by Halcyon's CEO and co-founder Jon Miller to talk about trends in ransomware and some background on Brain Cipher. Also, the British Museum experiences an unexpected shutdown by a former IT worker. Stay with us. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:14:22 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:15:03 we rely on point in time checks. Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you
Starting point is 00:15:31 get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off. Jon Miller is CEO and co-founder of Halcyon. I sat down with him to discuss trends in ransomware, along with his insights on Brain Cipher. Can we start off with some high-level stuff here? I mean, as we're kicking off 2025,
Starting point is 00:16:19 can you give us a little bit of level setting? Like, where do we find ourselves when it comes to ransomware? In the worst state we've ever been. The techniques of the groups are on the rise. They're starting to use more zero-day vulnerabilities than phishing and compromised passwords, which were previously the most common ways for them to get access. I think the biggest impact has really been the success of ransomware as a service, right? The birth of the ransomware economy that we've seen over the last 12 and 24 months has started to spread out and we're seeing attackers come online that historically have never been cyber actors on the internet before.
Starting point is 00:17:15 Foreign countries where previously we've just really experienced nation state kind of level attacks, you know, specifically with Russia have really given birth to like this sophistication in these tools and they've franchised it out. So now you have these systems administrators, right? People that understand how to administer endpoints on a network are becoming incredibly successful at ransomware by just joining these macro groups or using their tools and then using initial access brokers to actually get them inside of the company, where for a very small amount of both time and cash, essentially anyone can become a ransomware actor now.
Starting point is 00:18:17 And then you combine that with the fact that there's essentially zero criminal prosecution or threat of criminal prosecution, and the fact that people actually get to keep the millions or tens of millions of dollars from these ransoms. It's, you know, it's starting to grow out of control. Well, I want to talk about a specific group that you and your colleagues at Halcyon have had your eye on, and they're called Brain Cipher. What can you tell us about them? So it's a fairly new group. They're six-ish months old and they're part of that ransomware economy.
Starting point is 00:19:02 They're not one of those top tier groups where they're building their own ransomware. They're part of the LockBit affiliate network, right? So LockBit is probably one of the oldest, most sophisticated, advanced ransomware groups that exist. And, you know, every day new groups like Brain Cipher are essentially coming online, leveraging their tooling to carry out these hyper sophisticated attacks that, you know, previously were only capable by APTs.
Starting point is 00:19:49 Do you have any sense for the sophistication of the Brain Cipher group themselves versus the tools that they're buying? How much of this is ready to go that anybody could use? So here's the interesting thing. You don't buy these tools. You join the group and they give them to you for a profit share of washing the cryptocurrency for you. Right? So any of us could join this LockBit group. It doesn't cost anything. The only cash you really have to
Starting point is 00:20:18 outlay is from another kind of group called an initial access broker, where there are groups out there where they do these giant campaigns and penetrate companies and then sell access to, like, an initial loader, to groups like Brain Cipher. And that allows them to get into a network without having to hack their way in.
Starting point is 00:20:46 If that makes sense. It does. Who does Brain Cipher seem to be targeting here? Are there any organizations or verticals that they seem to focus their attention on? So they seem to be pretty widely spread across the different targets that they're going after. Government, law enforcement, right? Critical industries, medical, education and manufacturing. And when it comes to the ransomware itself, I mean, we've seen some groups pivoting, some of them
Starting point is 00:21:26 not even bothering with the encryption part, just grabbing the data and then going for extortion. What's the operational mode of this group? Are they encrypting things? Are they stealing data? Is it a mix of both? It's normally a mix of both with everyone. Right.
Starting point is 00:21:51 Um, early on it was encryption based. And then we saw the data exfil and the double extortion kind of come into play. And then there were a couple of groups where they just do data exfil and extortion. But, you know, 99 times out of 100, you're going to see components of both in every ransomware. And you should expect them both. And the reason why is they figured out that it gives them a double chance of getting paid. Right? Everyone came out and said the answer to ransomware is backups, right?
Starting point is 00:22:26 And, you know, people have built better backup infrastructure. And when you have backups, even though it takes weeks and weeks to recover from them, you'd much rather spend that time than give money to a ransomware group for it. Right. And so as they started to lose out on that revenue, you know, the double extortion and the data leakage has really kind of filled that gap and it gives them the ability to ensure that there's always some sort of leverage to get paid. And we've even seen that this is, this sounds a bit much,
Starting point is 00:23:05 but triple extortion, right? Where they'll actually look into the data and not just use the threat of, I'm going to release this or whatever, but actually profit off of what was inside. Well, given that it seems like ransomware is here to stay, at least for the immediate future, what are your recommendations then?
Starting point is 00:23:32 I mean, what should folks be doing out there to protect themselves? Education, right? I talk to CISOs all the time, and what I like to recommend is everyone knows what type of business they're responsible for. Do some investigation and figure out what are the actual ransomware groups that are targeting us right now.
Starting point is 00:23:56 We have a bunch of resources on our website Halcyon.ai that go into that. Our Ransomware Malicious Quartile is fantastic. We keep it updated every quarter with essentially that information. Who are the top ransomware groups? Who are they attacking? What type of verticals? What type of companies?
Starting point is 00:24:19 What makes them unique? What are their TTPs? And once you get an understanding of, you know, what are the groups that are targeting me, look at some of the other breaches that they've done and, you know, tabletop it, right? Look at, if they pulled off this attack on me, how would we fare?
Starting point is 00:24:42 And, you know, start to make some changes? Definitely have a plan, right? So many companies, once they get ransomware, the response is, and if you're big enough, you have a cyber insurance company to call and you call them up and they've done this so many times that they'll walk you through a process. But by walking through that process, you very much lose control of the situation, right? And it goes to bi-hour companies and lawyers where they walk you through the steps of what needs to get done.
Starting point is 00:25:22 And that's not always getting your business up and running as quickly as possible. So if you're in healthcare, if you're in manufacturing, critical infrastructure, when the uptime is that important, where 21, 22 days would cause some sort of catastrophic damage, you need to have a plan to address, not only in the event of a ransomware attack, how can we restore access to our critical systems quickly? And, you know, to shamelessly plug Halcyon, that's what Halcyon is all about, right? Like we give another layer of resiliency in addition to a layer of ransomware protection, where if a ransomware attack does go through, we can isolate it to a single host and then bring back all the data in a very quick way
Starting point is 00:26:27 that was encrypted, without anyone having to interact with the attackers. That's Jon Miller from Halcyon. And now, a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers
Starting point is 00:27:25 by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. And finally, the British Museum had an unexpected plot twist when a disgruntled IT contractor allegedly trespassed, shutting down parts of its network and forcing some galleries and exhibits to close.
Starting point is 00:28:42 Think of it as the museum's own version of a heist movie, minus the daring escape. Police swooped in to arrest the man who's now out on bail, leaving the museum scrambling to reboot both its systems and its schedule. Visitors with tickets were prioritized, but temporary exhibitions like Silk Roads and Picasso Printmaker were put on pause. The museum
Starting point is 00:29:06 apologized to ticket holders, offering refunds or rescheduling options. It's not every day the Rosetta Stone takes a backseat to an IT meltdown, but the British Museum is working hard to get back to its regularly scheduled program, minus the surprise IT drama. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks
Starting point is 00:29:56 where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for watching!
