CyberWire Daily - Cracked and Nulled taken down.
Episode Date: January 30, 2025

International law enforcement takes down a pair of notorious hacking forums. Wiz discovers an open DeepSeek database. Time Bandit jailbreaks ChatGPT. Ransomware hits one of the largest U.S. blood centers. A cyberattack takes the South African Weather Service offline. Researchers describe a new “browser syncjacking” attack. TeamViewer patches a high-severity privilege escalation flaw. Over three dozen industry groups urge Congress to pass a national data privacy law. CISA faces an uncertain future. N2K’s Brandon Karpf speaks with Ellen Chang, Vice President Ventures at BMNT and Head of BMNT Ventures. OpenAI cries foul after getting a taste of its own medicine.

CyberWire Guest
Today, N2K’s Brandon Karpf speaks with Ellen Chang, Vice President Ventures at BMNT and Head of BMNT Ventures, about the venture model, why it exists, how it works, and its impact.
Selected Reading
Police seizes Cracked and Nulled hacking forum servers, arrests suspects (Bleeping Computer)
Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History (Wiz)
Time Bandit ChatGPT jailbreak bypasses safeguards on sensitive topics (Bleeping Computer)
US blood donation giant warns of disruption after ransomware attack (TechCrunch)
South Africa’s government-run weather service knocked offline by cyberattack (The Record)
Syncjacking Attack Enables Full Browser and Device Takeover (Infosecurity Magazine)
TeamViewer Patches High-Severity Vulnerability in Windows Applications (SecurityWeek)
Industry groups call on Congress to enact federal data privacy law (The Record)
US Cyber Agency’s Future Role in Elections Remains Murky Under the Trump Administration (SecurityWeek)
OpenAI Furious DeepSeek Might Have Stolen All the Data OpenAI Stole From Us (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com/n2k and enter code N2K at checkout.
That's JoinDeleteMe.com/n2k, code N2K.
International law enforcement takes down a pair of notorious hacking forums.
Wiz discovers an open DeepSeek database.
Time Bandit jailbreaks ChatGPT.
Ransomware hits one of the largest US blood centers.
A cyber attack takes the South African Weather Service offline.
Researchers describe a new browser syncjacking attack.
TeamViewer patches a high severity privilege escalation flaw.
Over three dozen industry groups urge Congress to pass a national data privacy law.
CISA faces an uncertain future.
N2K's Brandon Karpf speaks with Ellen Chang,
Vice President of Ventures at BMNT
and head of H4X Labs.
And OpenAI cries foul after getting
a taste of its own medicine. It's Thursday, January 30th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Authorities have dismantled two of the largest hacking forums, Cracked and Nulled, in Operation Talent, seizing 17 servers and arresting two
suspects. With over 10 million users, these forums served as hubs for cybercriminal activity,
offering stolen credentials, hacking tools, and cybercrime as a service. Europol described
them as entry points into cybercrime, providing configs for credential
stuffing tools like OpenBullet and hosting AI-based hacking tools.
In a coordinated effort across multiple countries, authorities seized 12 domains, including Cracked,
Nulled, StarkRDP, and Sellix, the latter two being integral to the forums' operations.
Law enforcement searched seven properties, confiscating over 50 electronic devices and
$312,000 in cash and cryptocurrency.
The FBI took over the domains, replacing their name servers with FBI-controlled addresses.
The seized data, including email and IP addresses, will
aid future investigations. While forum staff acknowledged the takedown, law
enforcement emphasized its impact on disrupting cybercriminal infrastructure.
It started with a routine scan. The Wiz research team was mapping DeepSeek's external attack surface.
Nothing unusual for cybersecurity researchers.
DeepSeek, after all, was making waves with its DeepSeek R1 reasoning model,
a rival to OpenAI's best.
But quickly, the team stumbled upon something alarming.
An open ClickHouse database, completely exposed, no passwords, no
authentication. Just sitting there waiting to be accessed. With a simple
query, the researchers found themselves staring at over 1 million logs filled
with chat history, API keys, backend operations, and other sensitive data.
Worse, the database allowed full administrative control, meaning an attacker could not just
read but potentially alter or escalate privileges within DeepSeek's systems.
Realizing the gravity of the situation, the Wiz team immediately reported the issue.
DeepSeek responded swiftly, locking down the exposure.
But the incident highlighted a growing problem.
AI startups are scaling fast, often without proper security measures.
While the world worries about AI's long-term risks, the real dangers are often much simpler
– accidental data leaks like this one.
AI companies must prioritize security just as cloud providers do, or risk exposing their
users, their data, and their reputation.
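The check a practitioner would want after hearing that story is a quick way to tell whether one of their own ClickHouse instances answers queries with no credentials. The script below is an added example for this page; it is not code from Wiz, DeepSeek, or N2K. It assumes things the episode does not state: that ClickHouse's HTTP interface listens on TCP 8123 and takes SQL in a `query` parameter, that `SELECT 1` comes back as HTTP 200 with body `1` when the `default` user has no password, and that a rejected login returns HTTP 403 with "Authentication failed" in the body. The hostname and the keyword list used to flag interesting tables are placeholders chosen for illustration.

```python
"""Probe a ClickHouse HTTP endpoint for unauthenticated query access.

Added example; not code from Wiz, DeepSeek, or N2K. Assumptions (not on the
page): ClickHouse HTTP on TCP 8123, SQL in the `query` parameter, `SELECT 1`
-> HTTP 200 and body "1\n" when the default user has no password, and
HTTP 403 + "Authentication failed" when credentials are required.
"""
import urllib.error
import urllib.parse
import urllib.request

PROBE_QUERY = "SELECT 1"


def classify_response(status: int, body: str) -> str:
    """Turn one HTTP status/body pair into a finding label."""
    if status == 200 and body.strip() == "1":
        return "open"  # the query ran without any credentials
    if status in (401, 403) or "Authentication failed" in body:
        return "auth-required"
    return "unknown"  # e.g. some other service is listening on the port


def parse_show_tables(body: str) -> list[str]:
    """SHOW TABLES over HTTP returns one table name per line (TSV)."""
    return [line.strip() for line in body.splitlines() if line.strip()]


def flag_sensitive_tables(tables: list[str]) -> list[str]:
    """Return table names that hint at logs, keys, tokens or chat data.

    The keyword list is an illustrative assumption, not from the Wiz report.
    """
    hints = ("log", "key", "secret", "token", "chat")
    return [t for t in tables if any(h in t.lower() for h in hints)]


def query(host: str, sql: str, port: int = 8123, timeout: float = 3.0) -> tuple[int, str]:
    """Send `sql` as an unauthenticated GET and return (status, body)."""
    url = f"http://{host}:{port}/?{urllib.parse.urlencode({'query': sql})}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # ClickHouse reports auth and SQL errors as non-2xx with a text body.
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, port: int = 8123) -> dict:
    """Check `host`; if it is open, list the tables worth an immediate look."""
    try:
        status, body = query(host, PROBE_QUERY, port)
        state = classify_response(status, body)
        tables: list[str] = []
        if state == "open":
            _, listing = query(host, "SHOW TABLES", port)
            tables = flag_sensitive_tables(parse_show_tables(listing))
    except (urllib.error.URLError, OSError):
        return {"state": "unreachable", "tables": []}
    return {"state": state, "tables": tables}


if __name__ == "__main__":
    # Placeholder host; point this at an instance you are authorised to test.
    print(probe("clickhouse.example.internal"))
```

Run it against every ClickHouse address in your inventory, not just the ones you think are internal: the point of the Wiz finding is that the database was reachable from the internet at all. An "open" result means anyone can run DDL over HTTP, so the fix is both a password on the default user and a network restriction on the listener, not one or the other.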
AI researcher David Kuszmar made a chilling discovery.
Time Bandit, a jailbreak that lets users bypass ChatGPT's safety filters to access dangerous
instructions on weapons, malware, and even nuclear topics.
The flaw exploits ChatGPT's temporal confusion, tricking it into thinking it's in the past
while using modern knowledge.
Realizing the severity, Kuszmar frantically tried to alert OpenAI but struggled to find
a direct contact.
Even after reaching out to CISA, the FBI,
and government agencies, he was met with silence. He says his anxiety grew as the weeks passed.
Eventually, through CERT Coordination Center, OpenAI was contacted, confirming the exploit.
While OpenAI has implemented partial fixes, the jailbreak still works in some cases.
The New York Blood Center, NYBC, one of the largest U.S. blood centers, has suffered a
ransomware attack, causing service disruptions.
Detected on January 26, the breach forced NYBC to take systems offline, affecting blood
donation processing and hospital supply chains.
The attack comes amid a blood emergency, with supplies at dangerously low levels.
NYBC is working to restore systems but has no clear timeline.
It's unknown who's behind the attack or if patient data was compromised.
A cyberattack has taken the South African Weather Service offline, disrupting critical
weather services for airlines, farmers, and regional allies like Mozambique and Zambia.
The attack, which began Sunday evening, took down the Weather Service's website, email
systems, and aviation and marine services, forcing
the agency to share updates via social media.
This marks the second attempted attack in two days, with no ransomware group claiming
responsibility.
South Africa has faced numerous cyberattacks on public institutions, including its Defense
Department, pension system, and National Lab Services.
The Weather Service is working with ICT service providers to restore systems but has no timeline
for full recovery.
Imagine installing what seems like an innocent browser extension only to unknowingly hand
over full control of your browser, data, and even your device to an attacker.
That's exactly what researchers at SquareX have uncovered in a new technique they're
calling browser syncjacking.
It's a three-stage attack that turns a simple extension into a full-scale cyber weapon.
First, a user, maybe an employee, installs a malicious extension. That extension silently authenticates them into an attacker-controlled Google Workspace
profile, allowing hackers to disable security settings and make changes to the browser.
Next, they take over the entire browser.
The extension waits for a normal download, then swaps it out for a malicious file.
That file registers the victim's Chrome browser as managed by the attacker, giving them full
control.
And finally, device hijacking.
The attacker can now use the compromised browser to record screens, capture audio, turn on
cameras and even install malware without the user even knowing.
The researchers say there's no easy way to track or stop it.
Traditional security tools like EDR and secure web gateways simply don't catch these kinds
of browser-based attacks.
SquareX is calling this a massive blind spot in enterprise security, and unless organizations
start monitoring what extensions their employees install,
this kind of attack could become a huge problem.
TeamViewer has patched a high-severity privilege escalation flaw
that could allow local attackers to gain elevated privileges on Windows systems.
The vulnerability affects multiple versions and has been fixed in the latest updates.
Although there's no evidence of exploitation in the wild,
TeamViewer urges users to update immediately,
as threat actors have previously abused TeamViewer
for malware deployment.
The flaw was reported via Trend Micro's Zero Day Initiative.
Security experts warn that remote access tools like TeamViewer
can increase the attack surface, especially
in industrial and operational technology environments, making regular updates crucial.
Over three dozen industry groups are urging Congress to pass a national data privacy law
that would override state regulations. In a letter to House and Senate Commerce Committee
leaders, they argue that
a unified standard would help businesses operate more efficiently and lower consumer costs.
Despite bipartisan interest, past privacy bills have failed due to disagreements over
preempting state laws and allowing individuals to sue over violations. If enacted, federal law could replace strong state
protections such as California's privacy law and Illinois's biometric data rules.
The letter, backed by big tech and automotive groups, does not mention data
brokers. It proposes transparency requirements, consumer opt-out rights, and
limits on data collection but exempts small businesses.
Critics warn the proposal mirrors weaker state laws and could reduce consumer protections
rather than strengthen them.
The Cybersecurity and Infrastructure Security Agency has played a major role in protecting
election systems across the U.S. But now its future is uncertain.
Since its creation in 2018, CISA has worked with state officials to strengthen voting
security.
But President Donald Trump and his allies have criticized the agency, accusing it of
censoring conservatives and interfering in the 2020 election.
CISA denies these claims.
Now with Trump back in office, there's no clear leader for the agency.
His Homeland Security Secretary, Kristi Noem, has suggested reining in CISA's authority,
and a Republican policy plan, Project 2025, proposes moving CISA to the Transportation
Department and limiting its role in elections. Many state officials say CISA has been critical in improving election security.
But as political battles continue, the question remains.
Will CISA's mission change before the next election?
Coming up after the break, N2K's Brandon Karpf speaks with Ellen Chang, Vice President
of Ventures at BMNT and head of H4X Labs.
And OpenAI cries foul after getting a taste of its own medicine.
Stay with us.
Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for a thousand dollars off.
N2K's Brandon Karpf recently sat down with Ellen Chang, Vice President of Ventures at
BMNT and head of H4X Labs.
Here's their conversation.
I am joined today by Ellen Chang, Vice President of Ventures at BMNT.
Ellen, thank you so much for joining us on the CyberWire.
It is my pleasure, Brandon.
So looking at your background, your experiences in technology, in the military, in the Navy,
and also in investing, there's a theme that keeps emerging in your background, which is
this theme of deep tech.
So just fundamentals, can you kind of give us a sense of what is deep tech?
How does it relate to national security and even cybersecurity?
Deep tech, that's such a potent word because people can make it what they want to.
AI is deep tech and for a while there, AR is deep tech.
But let me go back to the founding person.
There's a person who used to run MIT Angels Swati,
and I can't pronounce her last name so I'm not going to.
But she actually defined it for the MIT Angels in that,
it's really these startups that have
some science and technical risk around it.
So that's just my background,
given a lot of the work I've been doing,
and I used to work at Northrop Grumman,
and I have a systems engineering background.
So I tended to gravitate to these types of companies.
Deep tech as a term really came to the scene,
I would say six, seven years ago,
and people grabbed it and used it how they need to use it.
I think right now how I like to use it since AI,
a lot of folks put AI into deep tech is,
I differentiate by saying,
hey, I really like to look at hardware,
hard tech, hardware-oriented types of technologies,
and maybe material sciences related technologies,
because I think there's a renaissance
in material science these days
that are kind of being leveraged
across many different domains.
You know, thinking about then your work at BMNT
and curious kind of leading ventures for BMNT,
how do you kind of, you're looking at these companies,
you're evaluating the impact they might have.
Can you share how you go through that process,
what that looks like?
Sure.
Let me kind of provide a little bit of a backdrop on BMNT.
It is a government contractor.
So most of the ventures work that we do
is not a specific fund, but it's based on programs
that different government agencies award us for.
So we work very closely with the Navy,
work closely with SpaceWERX and also NASA.
So there's a little bit of space in a blue theme.
What we're doing with them is helping them with
the companies they've funded.
Some of them are startups and some of them are small businesses.
I make a differentiation here with those two terms
because the government often provides R&D grants to companies,
and often these companies may or may not want to scale those technologies.
They basically are doing research projects for the government,
and so they become these small businesses
and the government is really buying research.
We have a program that helps these companies
take, understand the technologies that they have,
and work with the team to help
them make a decision as to
which technologies to actually commercialize.
It can be actually a challenge for some of
these founders because they're inventors.
They're not entrepreneurs is what I like to say.
Inventors are not entrepreneurs and they have to learn
that entrepreneurial piece and all of a sudden when you
turn to an entrepreneur you might have to pick one.
You can't work on a plethora of science projects,
which a lot of the inventors love to do.
So there's a little bit of a culture and adjustment.
But we've been successful at helping them think
through which technology might be most relevant,
that they're most passionate about, perhaps.
Think through the market opportunity analysis.
So we do some mediation and where can this technology go?
So it's a technology looking for a market in general.
Then we help them move forward with that.
Sometimes they find other government grants to
move to reduce the tech because
you're actually taking technology and productizing it. And until it's productized, you're not really
able to commercialize. I do want to say we are commercially focused and mission aware, meaning
we help the companies go commercial and then potentially sell back to the government because
we believe that having a larger commercial market that moves faster is better for companies' kind
of longevity.
So we think through that.
Over the last three years, we started to get quite a bit more involved in defense tech
startups, the theme that you brought up, which is there are several, like especially in Palo
Alto, where our company is based
and where Ventures is the most of our team is at,
there's a new interest by all the Silicon Valley VCs
on funding companies that can re-industrialize America
or really understand and help with national security.
And what we help with them is help them understand
the government structure.
Most of these companies get some sort of SBIR,
especially with SpaceWERX or NASA.
Then they're competing with their brothers and sisters,
the other companies that are in,
quote unquote, a cohort,
and they're looking to find other ways to do government business development.
We help them understand that government side, but we also keep them balanced with the commercial
side because what I like to say to some of the companies that tend to be venture backed
is venture capitalists don't want their companies to become a project based company.
Are these companies finding you or are you finding them?
What does this pipeline look like in order to accomplish that connection?
Both. Because we're working with the government, the government has a portfolio that come to
us. But because of that, we also, the word gets out that we're working with this batch
of companies. So literally, we talk like I was literally talking to like four or five
companies this week, and they're coming to us and they kind of want to get on the bandwagon.
I'm trying to work with them. It's like, this is how you can get on the bandwagon. How can we help you?
Yeah, we're working on that right now. I mean, bridging that gap between
the initial research, and then the research to an applied technology, the applied technology to a product, the product to a market,
the market to a viable business model.
That life cycle, I mean, we said it quickly, but incredibly complex, a lot of fraught with
landmines and barriers.
My gut would say that would take a very long time and a lot of effort to create
that circle.
Now, a little bit of a longer question, but venture, especially early stage funds work
on shorter time scales, right?
Ten-year typical fund life.
Is that the right place for venture to be focusing?
That's a very good question.
I would say sometimes no,
but you're starting to see some venture funds actually
on the thesis raise longer term venture funds.
So instead of the 10 year,
there's a couple of 15 year popping out.
Some might argue 15 years is not good enough either,
depending on the life cycle.
So these different investors are pretty astute looking at probably the maturity of the company
in order to understand where that technical risk is.
And if the TRL is too low or the market is too far off, they're hesitant, right?
In the meantime though, venture capitalists also
do kind of act in a herd.
So once one goes in, like one of the known entities goes in,
others also hover and go in.
It's often said that it's better to be on a good deal,
not necessarily.
It's more about deals than getting in on a good deal,
venture capital.
We do tend to look at whole platforms,
like a whole space domain awareness program
or a whole ISAM system.
Whereas in the Navy,
we might need some materials innovation
around the main reduction gear of an engineering plant,
or smaller subcomponents of a highly complex system
that still require innovation and development.
There's probably more opportunity there
than is realized.
It's quieter, right?
It's like, it's kind of like,
who are some of the billionaires in the world?
Well, you know, the guy who actually made the,
standardized the wheel for the shopping carts.
Literally that guy is like, right?
And so it's like this quiet back water type stuff
that actually is pretty profitable.
And so what I do know is the Navy's fairly successful
transitioning a lot of their SBIR awards
and research projects.
I think it's, their strategy is different, right?
Whereas the space Force is literally trying
to create a new market, they have to,
I don't think the Space Force called space
a war fighting domain until this year.
But they're adjusting to that.
But here you have the Navy, which is,
it's flying the program a little bit differently.
And innovation happening more at the edge potentially
than at the headquarter element.
There's innovation happening in deployed units and ships.
I've seen it myself on the ship that I was a member of,
sailors doing creative things to solve their problems
in real time while deployed.
Yes, yes.
And 100%, I mean, commercial technologies are there
that the sailors, the end users can use and adjust.
And I think we should encourage that.
How you make that a program of record for a single company,
that's the harder concept.
I haven't been able to figure that piece out,
but oftentimes we at BMNT think through those business models.
Like what kind of business model innovation really needs to happen to enable
some of these innovations to actually land?
And maybe it's not a 20-year program record, because if you think about it,
I don't really know what a system might look like in 20 years.
Your iPhone, what in 20 years, like what does that look like?
You don't know.
Things are changing so quickly.
Mm-hmm. Yeah. Where we stand today and the work you do, what has you absolutely
fired up? What's getting you out of bed in the morning? What's getting you really
excited to do the work that you do, to work with the companies and then the
government, the government partners that you have?
You know what, especially when I work with what I call the get to yes people, the people
like are trying to get to yes, I find a lot of potential in moving forward, not innovations
from the US perspective, but just the fact that over the last year or so, the fact that
we're re-industrializing,
we're re-growing our capability to manufacture,
and that our international partners are on board,
we're helping each other globally.
If you want to call China the main threat that we're working against,
I call this the reverse Belt and Road strategy.
The Belt and Road is about to go out and spawn China.
Well, now we just like shrink,
we commandeer the supply chains and we
become the best customer all of a sudden,
Chinese are squeezed out.
So I like to think about working on that,
even as I work with the startups who are needing the help.
Because a lot of the startups we work with,
they prototype using Chinese parts because they need to,
it's inexpensive.
And then they have to become NDAA compliant.
Where do they go?
And some of these innovations and the supply chain challenges
is being worked right now.
That's the supply chain.
I've got to say, I probably wasn't
expecting you to say supply chain is
what you're excited about.
But it makes sense, though, the way you described it.
That is a critical part of our national security strategy
then what do you need help from
in terms of this community, right?
Right now, people who are listening,
a number of them are government civilians,
a number of military, many work in cybersecurity
as senior executives in technology
in the private sector and public sector.
What help do you need to help move national security forward through technology?
I would say think through the business model innovations that are required.
I think we in the government, we at DoD, we have ample technologies.
We're almost overloaded with that, but we can't seem to really think about finding lower,
lower costs, lower overhead ways to get at that.
Great, well, Ellen, thank you so much for joining us.
That's N2K's Brandon Karpf speaking with Ellen Chang,
Vice President of Ventures at BMNT and head of H4X Labs.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with
Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Hit pause on whatever you're listening to and hit play on your next adventure. Stay
two nights and get a $50 Best Western gift card.
Life's the trip.
Make the most of it at Best Western.
Visit bestwestern.com for complete terms and conditions.
And finally, in a biting, razor-sharp article for 404 Media,
Jason Koebler describes how OpenAI and Microsoft
are now complaining that DeepSeek may have used OpenAI's own models to train its AI.
The same OpenAI that's currently being sued by the New York Times for hoovering up its
articles without permission.
Oh, the irony.
The claim is that DeepSeek engaged in something called distillation, a standard AI technique
where a smaller model learns from a bigger one by asking a ton of questions.
It's a widely accepted model, even backed by AI legend Geoffrey Hinton, and has been
used for years to make AI models more efficient.
But now that OpenAI is on the receiving end, suddenly it's unfair.
Koebler maintains this whole thing is hilarious because OpenAI's entire business model is built on scraping vast amounts of data from the internet,
mostly without permission, while arguing that it's totally fine under fair use. But now, when someone else does it, suddenly, OpenAI is clutching its pearls and running
to the government for protection.
President Trump's new AI czar, venture capitalist David Sacks, is jumping in, claiming there's
substantial evidence that DeepSeek siphoned knowledge from OpenAI.
Meanwhile, Sam Altman took a passive-aggressive swipe at DeepSeek on Twitter, basically saying
copying is easy, real innovation is hard.
But let's not forget, OpenAI did not invent AI.
It's built on research from Google, academia, and open source communities, the same way
DeepSeek and every other AI company does.
That's how science works.
So now, OpenAI is complaining to the government about protecting US technology
while trying to gatekeep an industry it dominated by using the exact same tactics.
If that's not the pot calling the kettle machine learned, I don't know what is.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at the cyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures
we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening, we'll
see you back here tomorrow.