CyberWire Daily - Cybercrime has a hefty price tag.
Episode Date: July 10, 2025

UK police make multiple arrests in the retail cyberattack case. French authorities arrest a Russian basketball player at the request of the U.S. A German court declares open season on Meta’s tracking pixels. The European Union unveils new rules to regulate artificial intelligence. London’s Iran International news confirms cyberattacks from Banished Kitten. Treasury sanctions a North Korean hacker over fake IT worker schemes. Microsoft confirms a widespread issue preventing organizations from deploying the latest Windows updates. Agreements over AI help end a year-long Hollywood strike. Researchers take an in-depth look at ClickFix. I’m joined by Ben Yelin and Ethan Cook for a look at Congress’ recent attempt to limit AI regulation through preemption. Password insecurity with a side of fries.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat.

CyberWire Guest
Today we’re sharing our latest Caveat Policy Deep Dive—a special segment where we explore the legal and policy forces shaping our digital lives. In this episode, Ethan Cook joins hosts Dave Bittner and Ben Yelin to break down a recent attempt by Congress to use preemption as a way to block state-level AI laws, and what this means for the ongoing tug-of-war over who should regulate AI in America. For the full conversation and a deeper dive into the implications of this federal vs. state showdown, check out the Caveat podcast.

Selected Reading
UK police arrest four in connection with M&S and Co-op cyberattacks (Reuters)
Russian Basketball Player Arrested in France at Request of United States (The Moscow Times)
German court rules Meta tracking technology violates European privacy laws (The Record)
European Union Unveils Rules for Powerful A.I. Systems (The New York Times)
Leaked materials came from previously reported cyberattacks, Iran International confirms (Iran Insight)
Treasury sanctions North Korean over IT worker malware scheme (Bleeping Computer)
Microsoft confirms Windows Server Update Services (WSUS) sync is broken (Bleeping Computer)
Industry video game actors pass agreement with studios for AI security (Reuters)
Fix the Click: Preventing the ClickFix Attack Vector (Palo Alto Networks)
McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’ (WIRED)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it
peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k.
UK police make multiple arrests in the retail cyber attack case.
French authorities arrest a Russian basketball player at the request of the U.S.
A German court declares open season on Meta's
tracking pixels. The European Union unveils new rules to regulate artificial intelligence.
London's Iran International News confirms cyber attacks from Banished Kitten. Treasury
sanctions a North Korean hacker over fake IT worker schemes. Microsoft confirms a widespread
issue preventing organizations from deploying the latest Windows updates.
Agreements over AI help end a year-long Hollywood strike.
Researchers take an in-depth look at ClickFix.
I'm joined by Ben Yelin and Ethan Cook for a look at
Congress's recent attempts to limit
AI regulation through preemption and
password insecurity with a side of fries.
It's Thursday, July 10th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great as always to have you with us.
Four people all under the age of 21 have been arrested over cyber attacks that hit major UK retailers including Marks & Spencer,
Co-op and Harrods, the national crime agency said.
The April ransomware attack on M&S was the most severe, shutting down online clothing
sales for nearly seven weeks and costing about $400 million in operating profit.
Those arrested were detained in London and the West Midlands on suspicion of blackmail,
money laundering, computer misuse, and organized crime.
M&S chairman Archie Norman said the attackers were loosely aligned parties led by DragonForce
and, he noted, FBI involvement.
He urged laws requiring firms to report serious cyberattacks, revealing two recent major incidents
in the UK went unreported.
French authorities arrested Russian basketball player Danil Kasatkin, age 26, at Paris' Charles
de Gaulle Airport on June 21, at the request of the U.S. where he's accused
of involvement in a ransomware hacking ring.
U.S. officials allege Kasatkin negotiated ransom payments for a group that hacked about
900 companies and two federal agencies between 2020 and 2022.
Kasatkin denies the charges, claiming he bought a used computer and is useless with
computers, according to his lawyer.
The Paris court denied his bail, meaning he remains in custody facing possible extradition.
Kasatkin, who played for Penn State in 2018 and 2019, and most recently for Moscow's MBA MAI, had traveled to France with his fiancee.
His lawyer said his physical condition in detention threatens his basketball career.
A German court has ordered Meta to pay 5,000 euros to a Facebook user for embedding tracking
pixels and SDKs in third-party websites without user consent, violating GDPR.
The Leipzig Regional Court ruled Meta's tracking technology collects personal data even if
users aren't logged in to Facebook or Instagram, enabling profiling for profit.
This precedent allows other users to sue without proving individual damages.
Experts warn the ruling could lead to massive class-action lawsuits against
Meta and any websites using its tracking tools without consent, potentially
resulting in business-breaking fines.
Experts called it one of Europe's most significant rulings this year, noting 5,000 euros per visitor could multiply
rapidly for sites with large user bases.
The European Union has unveiled new rules to regulate artificial intelligence,
targeting powerful general-purpose AI systems like those from OpenAI,
Microsoft, and Google. The guidelines, part of the AI Act passed last year, require companies to improve transparency,
limit copyright violations, and protect public safety.
Tech firms must disclose what data trains their models and conduct risk assessments
to prevent misuse, such as creating biological weapons.
The voluntary code of practice takes effect on August 2nd,
with penalties enforceable from 2026.
While EU officials say the rules promote innovation and safety,
critics argue they were weakened to gain industry support.
Some fear strict regulation will hamper Europe's competitiveness
against the US and China.
Google and OpenAI are reviewing the guidelines.
Microsoft declined comment.
The rules follow growing concerns about AI misuse,
including recent anti-Semitic comments
by Elon Musk's chatbot Grok.
The AI Act will take full effect in the coming years.
Iran International, a Persian-language 24-7 television news network based in London, confirmed
that materials published from its journalists' hacked Telegram accounts are linked to two
cyber attacks in summer 2024 and January of this year.
The news outlet said hackers may have installed malware on journalists' computers through
compromised Telegram accounts.
Iranian state media published screenshots from internal chats earlier this week.
The attacks were carried out by Banished Kitten, also known as Storm-0842 and Dune, a group
operating under Iran's Ministry of Intelligence.
Iran International said the hacks are part of a broader intimidation campaign, including
physical threats against staff.
The channel stated it has taken measures to protect employees and will continue its mission
of delivering independent, uncensored news.
Iran International has been labeled a terrorist organization by Tehran and has
faced threats before, including the stabbing of one of their hosts in London in 2024 and
a terrorist conviction against a man filming its premises in 2023.
The U.S. Treasury has sanctioned North Korean hacker Song Kum-hyeok for his role in the Andariel
Group, a sub-cluster of Lazarus focused on ransomware and crypto heists.
Song facilitated schemes using stolen U.S. identities to help DPRK IT workers get remote
jobs at American companies, splitting their income to fund North Korea's weapons programs.
Some workers also installed malware and stole data from employers.
Andariel, also known as APT45 or Silent Chollima, operates under North Korea's Reconnaissance
General Bureau.
Microsoft has confirmed a widespread issue affecting Windows Server Update Services, WSUS,
preventing organizations from syncing with Microsoft Update and deploying the latest Windows updates.
The system normally syncs daily, but since last night, admins have reported failed sync attempts
with errors such as "a connection attempt failed" and .NET timeouts.
Microsoft identified the root cause as a problematic update revision
in the storage layer that blocks synchronization.
The issue began about 12:30 a.m. Eastern Time
and affects both automatic and manual syncs.
Microsoft says there are currently no workarounds
and that they are working on a fix.
Hollywood video game voice and motion capture actors have signed a new contract with game studios, ending a nearly year-long strike.
The deal includes AI consent and disclosure requirements to protect performers, along with safety measures and medics for high-risk motion capture jobs.
Actors will receive a 15% pay increase with additional raises through 2027.
SAG-AFTRA highlighted AI protections as the key achievement,
with negotiation committee member Sarah Elmaleh calling AI the centerpiece of their proposal package.
Palo Alto Networks Unit 42 has published an in-depth analysis of ClickFix, the rising
social engineering technique where attackers trick users into running malicious commands
disguised as quick fixes for computer issues.
Campaigns in 2025 include NetSupport RAT, Latrodectus malware, and
Lumma Stealer, targeting sectors from finance to healthcare. ClickFix lures
often abuse legitimate brands like DocuSign or Okta and exploit clipboard
injection, instructing victims to paste harmful PowerShell commands. These
attacks bypass standard detection as victims execute malware themselves, enabling
credential theft, RAT infections, and ransomware.
Hunting tips include reviewing RunMRU registry keys, EDR telemetry, clipboard use, and Event ID
4688 for suspicious process launches.
Palo Alto urges organizations to deploy strong detection, educate employees, and remain vigilant
as ClickFix evolves rapidly across global attack campaigns.
Coming up after the break, my conversation with Ben Yelin and Ethan Cook, we're looking
at Congress's recent attempt to limit AI regulation through preemption.
And password insecurity with a side of fries.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all
growing and changing fast. Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots
and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving
revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform automates those key areas – compliance, internal and
third-party risk, and even customer trust – so you're not buried under spreadsheets
and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters.
Like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's vanta.com slash cyber.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages,
and compliance are at risk.
CyberArk is leading the way with the only unified platform
purpose-built to secure every machine identity, certificates,
secrets, and workloads across all environments, all clouds,
and all AI agents.
Designed for scale, automation, and quantum readiness, CyberArk helps modern
enterprises secure their machine future. Visit cyberark.com slash machines to see how.
Ben Yelin is my co-host over on the Caveat Podcast.
And on our most recent episode, we were joined by our N2K colleague, Ethan Cook.
We took a look at Congress's recent of notes for us to discuss preemption here
today.
Maybe I start with you.
Give us a little insights into this journey as you took on this topic.
Yeah.
So, you know, there was a weird thing going on in Congress that we haven't seen
in a little bit.
And it's not that it hasn't happened before, and it's not that it's not been, you know,
popular before, but it's not necessarily the flashy thing to talk about.
But it had a lot of impact.
And that was a moratorium going through the House at the time, and has now gone through
and failed in the Senate, but the whole point of it was
to use federal preemption to ban all state, not ban, negate all state AI laws
that have been passed already and prevent any other ones from being passed
for the next 10 years. Which when you say that out loud, it sounds really extreme
and kind of convoluted and the antithesis of what
honestly both parties kind of put forward which is that we value states
having opinions, there's a value there, no one really ever says states shouldn't
ever be able to have any say over a matter. And this whole moratorium felt
completely the opposite, felt like it was a complete removal of power and this has
been done before and it gained a lot of notoriety very quickly.
And, you know, as we were talking, Ben pointed out that this, while it's a kind of off-the-beat
subject, it had a lot of relevance and was worth looking into.
And, you know, since then and after doing my research and writing this up, I mean, I
would agree. This is a very interesting topic.
And I think it's going to set up a larger conversation
about what AI policy looks like in the next five years.
Ben, what do you make of this?
So first of all, I want to thank you guys in our audience
for indulging, because this is really
nerding out on a legal concept.
But I hope to try and illustrate why I think preemption
is such an important topic.
Because a lot of what we discuss on this podcast
are laws and policies.
And in case you haven't noticed, Congress,
though they've been a little bit more productive this year,
is slow to address societal problems.
It's polarized.
It is famously inefficient,
it has arcane rules that prevent just the routine passage
of small pieces of legislation,
things like requiring unanimous consent in the Senate
for most things and having a 60 vote threshold
for most things to get through the Senate.
So that leaves the states and the
states generally are well positioned. The Constitution gives states police powers to
protect the health, safety and welfare of their citizens. As long as states are not
violating the federal constitution or their own state constitutions, they can pass laws
on anything. And they do. I think I mentioned in one of our previous episodes that Maryland
just officially labeled the orange crush as our official cocktail.
Oh, wow.
So I didn't know that.
I did not know that.
Always on top of the critical issues here.
Okay.
So what makes preemption so interesting is it's the federal government taking the keys
away from state governments and their ability to experiment with laws and regulations, especially
on topics like artificial intelligence, where things are rapidly developing and state legislators
and legislatures need to be nimble and to be able to develop fast acting policy solutions
to address problems that are impacting their citizens.
And the reason that this AI provision, which ultimately failed, as you said, raised my
eyebrows is that this would have handcuffed the states from responding to new developments
in AI.
We've had executive orders from the past two presidential administrations,
not much of that is kind of like binding policy. So it would be, all right, federal government
hasn't passed any AI regulation, state governments can't pass any AI regulation. So who's going
to protect us?
So before we dig into the details of this AI policy. Can we touch on some of the history here?
I mean, what is there in the Constitution that gives the feds the power to preempt the
states?
So this comes from the Supremacy Clause, which says that federal laws are the supreme law
of the land.
The caveat to that, so to speak, is that Congress is limited to its enumerated powers.
So Congress could only pass laws pursuant to Article 1, Section 8 of the Constitution,
which has a list of things Congress can do.
Because this was written in the 1780s, a lot of these items that are listed in Article
1, Section 8 seem kind of silly.
But there are a few things that still apply,
raising and supporting armies, protecting
intellectual property.
Those are domains of the federal government.
The kind of catch-all that's been
used to justify a lot of federal action
is Congress's ability to regulate interstate commerce.
So if Congress wanted to step in and regulate artificial intelligence, they could say,
and Supreme Court precedent would back them up, that because this has a substantial effect on
interstate commerce, Congress has the power to regulate it. So when you're in an area where
Congress has an enumerated power, because of the Supremacy Clause, whatever Congress does usurps or supersedes the actions of state governments.
So that's where the notion of preemption comes from.
What the Supreme Court has held is that Congress has to be pretty specific and explicit about preempting state action.
Yeah.
All right. Well, Ethan, what can you tell us about the history of this AI preemption?
Any insights on its origin?
Yeah.
So, as many people have probably been aware of, there is a bill that just recently got
passed that I think has been the big, beautiful bill, right?
Yeah.
And it is our reconciliation bill for this year.
And it has got a lot of feedback, both good and bad, over the past couple weeks.
And probably the most infamous moment it had was when it passed the House the first time,
in a 215 to 214 vote, very, very narrow.
And there was a lot of criticism,
specifically to Republican lawmakers who had the majority,
that this bill came together very quickly.
It was not read through.
It was voted upon and passed to the Senate
without really any debate or discussion.
And one of the things that happened
after it went to the Senate
was people started kind of breaking it down
and actually looking at what was in this thing. And they discovered this moratorium. And it gained a lot of pushback
instantly from people basically saying that on both sides of the aisle, by the way, this
was not just a democratic pushback saying that this is not what we're about. We don't
have anything in place federally to kind of cover our bases. We're taking away efforts. Obviously,
state legislators were very... A lot of state lawmakers came out, were very perturbed about
this. And the only real argument in favor of this was basically saying that, yeah, we
are pulling this because we currently have too many state laws and it is creating confusion.
And what this whole process is doing is causing us to both lose economic advancement and technological
innovation.
And that was the crux of the argument of why we should preempt state laws in this.
And then, you know, and then I think the maybe goal is we would pass something eventually that would, at the federal level,
that would legislate this and, you know, bring some guidance.
And then it went to while in the Senate and after it was approved by the Senate parliamentarian,
Republicans pretty much unanimously pulled support for the moratorium and it overwhelmingly
failed to pass in the Senate and was killed before it was passed back to the House, and the reconciliation bill was eventually passed in general.
So this bill provides AI-empowered broadband funding to help set up rural broadband
across the country, and states would only be eligible for that broadband money
if they did not regulate artificial intelligence, so it was kind of the carrot instead of the stick approach.
Right, like the old 55 mile an hour speed limit.
Or the classic drinking age.
Right.
If you bring it to 21, we won't slash your funding,
but if you keep it under, you can, you can,
but you just won't get the money.
Right, and so it was that sort of approach
was held to be constitutional in those two circumstances, but then
President Obama, through Obamacare, tried a different tactic in terms of conditioning funding.
So they passed the Affordable Care Act
with this pretty large expansion of Medicaid, and they said to the states,
you either accept this expansion of Medicaid or you will lose all of your Medicaid
funding. And the Supreme Court said that that was too coercive. It was the state base, it
was the federal government basically putting a gun to the head of the state. So I don't
know how courts would have seen this. I think this is somewhere between drinking age and Medicaid.
I don't think it's on either polar end.
But that's kind of where the constitutional question
would have lain is, is this policy overly coercive?
Is it forcing states to do something basically
completely against their will?
But then I think Marsha Blackburn kind of started to pull away from that deal.
And I think Cruz realized he didn't have the votes.
They actually put an amendment up to during consideration of the bill in the Senate to
strip out this AI preemption provision.
It passed 99 to one, which is just very interesting.
So what's the point in supporting this provision?
It's not like it's politically popular.
Wasn't worth fighting over.
Yeah.
I saw at one point he tried to cut it down
to five years instead of 10.
Yeah, I mean, I think he was really-
They tried like four different things.
They were going back in negotiations
to try and make it work.
There was, it was approved by the parliamentarian. It was then unapproved by the parliamentarian,
it was then reapproved by the parliamentarian.
So it went back and forth through multiple iterations within the Senate and ultimately
just never gained the support that it needed.
Yeah.
And so at the end of the day, this provision didn't pass.
I think from our perspective,
it's worth noting what kind of state regulations
this would have preempted.
States have started to take action on AI policy,
setting up governance structures for AI,
promulgating rules on which AI tools can be used
by various government agencies, doing inventory of AI systems in state government
offices, certainly in the criminal realm, restrictions on deepfake pornography.
California passed a law restricting the use of artificial intelligence in political advertising.
So depending on the version of the moratorium that would have passed, all of those laws
would have been declared null and void because of this preemption provision.
Be sure to check out the complete episode of Caveat right here on the N2K CyberWire Network
or wherever you get your favorite podcasts.
And now a word from our sponsor ThreatLocker, the powerful zero trust enterprise solution
that stops ransomware in its tracks.
Allowlisting is deny-by-default software that makes application control simple and
fast.
Ringfencing is an application containment strategy, ensuring apps can only access the
files, registry keys, network resources, and other applications they truly need to function.
Shut out cyber criminals with world-class endpoint protection from ThreatLocker.
There's regular cold. And then there's the mountains are blue cold.
Mountain cold refreshment. Coors light. The chill choice.
Celebrate responsibly. Must be legal drinking age.
And finally, if you're applying to McDonald's these days, prepare to charm Olivia, the AI
chatbot gatekeeper who screens resumes and asks personality test questions with all the warmth of a soggy
french fry.
But Olivia had a secret.
Her platform, run by Paradox AI, could be breached with the cybersecurity equivalent
of leaving the drive-through cash drawer open, a password of 123456.
Security researchers Ian Carroll and Sam Curry stumbled upon this
password tragedy while wondering why burger flippers needed to impress a
chatbot. Within half an hour of applying, they accessed up to 64 million
applicant records dating back years, thanks to laughably weak security and basic web vulnerabilities.
Paradox.ai swiftly admitted the oversight, insisting no one else accessed the data and
vowing to launch a bug bounty program.
McDonald's, meanwhile, said it was disappointed in Paradox.ai.
It was never their intent to serve up a potential data leak.
You want fries with that?
[♪ Music playing]
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at the cyberwire.com. We'd love to hear from you. We're conducting our annual audience
survey to learn more about our listeners. We're collecting your insights through the
end of this summer. There's a link in the show notes. Please do check it out. N2K's
senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're
mixed by Trey Hester with original music by Elliot Peltsman. Our executive producer is
Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening,
we'll see you back here tomorrow.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire
and see what attackers already know. That's spycloud.com slash cyberwire.