CyberWire Daily - Darknet drug marketplace closed for business.
Episode Date: June 16, 2025
International law enforcement takes down a darknet drug marketplace. The Washington Post is investigating a cyberattack targeting several journalists' email accounts. Anubis ransomware adds destructive capabilities. The GrayAlpha threat group uses fake browser update pages to deliver advanced malware. Researchers uncover a stealthy malware campaign that hides a malicious payload in a JPEG image. Tenable patches three high-severity vulnerabilities in Nessus Agent. Attackers can disable Secure Boot on many Windows devices by exploiting a firmware flaw. Lawmakers introduce a bipartisan bill to strengthen coordination between CISA and HHS. Harry Coker reflects on his tenure as National Cyber Director. Maria Varmazis checks in with Brandon Karpf on agentic AI. When online chatbots overshare, it's no laughing Meta.
CyberWire Guest
Joining us today to discuss agentic AI as it relates to cybersecurity and space with T-Minus Space Daily host Maria Varmazis is Brandon Karpf, friend of the show, founder of T-Minus Space Daily, and cybersecurity expert.
Selected Reading
Police seizes Archetyp Market drug marketplace, arrests admin (Bleeping Computer)
Washington Post investigating cyberattack on journalists' email accounts, source says (Reuters)
Anubis Ransomware Packs a Wiper to Permanently Delete Files (SecurityWeek)
GrayAlpha Hacker Group Weaponizes Browser Updates to Deploy PowerNet Loader and NetSupport RAT (Cyber Security News)
Malicious Payload Uncovered in JPEG Image Using Steganography and Base64 Obfuscation (Cyber Security News)
Tenable Fixes Three High-Severity Flaws in Vulnerability Scanner Nessus (Infosecurity Magazine)
Microsoft-Signed Firmware Module Bypasses Secure Boot (Gov Infosecurity)
Bipartisan bill aims to create CISA-HHS liaison for hospital cyberattacks (The Record)
Coker: We can't have economic prosperity or national security without cybersecurity (The Record)
The Meta AI app is a privacy disaster (TechCrunch)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
International law enforcement takes down a darknet drug marketplace. The Washington Post is investigating a cyberattack targeting several journalists' email accounts.
Anubis ransomware adds destructive capabilities. The GrayAlpha threat group uses fake browser
update pages to deliver advanced malware. Researchers uncover a stealthy malware campaign
that hides a malicious payload in a JPEG image. Tenable patches three high severity vulnerabilities
in Nessus Agent. Attackers can disable secure boot on many Windows devices by exploiting
a firmware flaw. Lawmakers introduce a bipartisan bill
to strengthen coordination between CISA and HHS.
Harry Coker reflects on his tenure
as national cyber director.
Maria Varmazis checks in with Brandon Karpf on agentic AI.
And when online chat bots overshare,
it's no laughing meta.
It's Monday, June 16th, 2025. Thanks for joining us here today.
It's great to have you with us.
Law enforcement from six countries has shut down the notorious Archetyp Market, a darknet
drug marketplace active since 2020. The site hosted over 3,200 vendors and 17,000 listings, trafficking a wide range of drugs
and amassing more than 612,000 users.
Transactions totaled 250 million euros in Monero.
As part of Operation Deep Sentinel, led by German police with Europol and Eurojust,
Dutch authorities dismantled the platform's infrastructure.
A 30-year-old German suspect, believed to be the site's admin, was arrested in Spain.
Authorities also detained a moderator and six top vendors in Germany and Sweden.
Officers seized digital devices, drugs, and 7.8 million euros in assets. This
follows May's Operation Raptor, which targeted dark web dealers globally, resulting in 270
arrests, two tons of drugs, 184 million euros in assets, and 180 firearms seized.
The Washington Post is investigating a cyberattack that targeted email accounts of several journalists,
including those covering national security and China.
Discovered Thursday, the breach prompted a company-wide password reset on Friday.
While no other systems or customer data were impacted, the attack is suspected to involve a foreign government.
The Wall Street Journal first reported the incident, noting Microsoft accounts were compromised.
This follows a similar 2022 breach at News Corp, which also targeted journalists' data and communications.
Anubis Ransomware, active since late 2024, is a growing threat due to its destructive
capabilities.
Initially known for data extortion without encryption, Anubis now encrypts files and
includes a wiper module that permanently deletes them, making recovery impossible.
Trend Micro reports that it operates under a ransomware-as-a-service model and shares
code with Sphinx Ransomware.
Promoted on cybercrime forums by SuperSonic and Anubis Media, it targets sectors like
construction, healthcare, and engineering in Australia, Canada, Peru, and the US.
Anubis gains access via spearphishing, escalates privileges, disables
defenses and uses ECIES encryption.
Victims receive a ransom note threatening to leak stolen data.
Its use of file wiping sets it apart, adding urgency and pressure on victims.
Seven organizations are currently listed on its Tor-based leak site.
Researchers at Recorded Future have uncovered a stealthy campaign by the GrayAlpha threat
group using fake browser update pages to deliver advanced malware, including a new PowerShell
loader named PowerNet. Active since April 2024, this campaign marks a shift in GrayAlpha's tactics, combining
fake updates, malicious 7-Zip sites, and the TAG-124 traffic distribution system. Victims ultimately
receive NetSupport RAT, a remote access trojan granting full system control.
GrayAlpha's infrastructure mimics trusted brands like Google Meet and SAP Concur, using
JavaScript-based profiling to tailor attacks.
Their infrastructure is hosted through bulletproof providers, notably Stark Industries Solutions.
Analysts link GrayAlpha to FIN7, a well-known cybercrime group.
The campaign's continued activity into 2025 and use of enhanced loaders like PowerNet
and MaskBat show a technically advanced and persistent threat targeting multiple industries
globally.
Internet Storm Center researchers uncovered a stealthy malware campaign that hides a malicious
payload in a JPEG image using steganography
and a modified Base64 encoding technique.
The malware is embedded after the image's end-of-image marker, making it invisible to
standard file viewers and many security tools.
Hosted at a suspicious domain, the image looks normal but contains a .NET DLL payload.
To avoid detection, the attackers substituted the "@" symbol for "A" in the Base64 encoding.
Specialized tools like jpegdump.py and bytestats.py revealed the anomaly.
When decoded, the payload matched known malware linked to a documented threat campaign.
This method highlights a growing risk as media files commonly shared with little scrutiny can
now be exploited for malware delivery, data theft, or establishing command and control channels.
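The technique described in this item (data appended after the JPEG end-of-image marker, Base64 with one alphabet character swapped) is easy to check for without specialist tooling. The following is an added example written for this page, not code from the podcast or from the Internet Storm Center write-up. It walks the JPEG segment structure to find the real EOI marker (a naive search for FF D9 can stop early at an EXIF thumbnail's own EOI), pulls out whatever follows, reverses the "@"-for-"A" substitution, and reports whether the decoded bytes begin with a PE "MZ" header, which is what a .NET DLL would show. The sample JPEG and the payload are constructed inline; the substituted character is an assumption taken from the description above and is a parameter, since a variant could swap a different character.

```python
import base64
import binascii

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the outer JPEG stream.

    Segments are walked by their length fields, so an EOI inside an embedded
    thumbnail (APP1/EXIF) is skipped. In entropy-coded scan data a literal 0xFF
    is byte-stuffed as FF 00 and RSTn markers (FF D0..D7) are not segment ends,
    so only another marker byte terminates the scan.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    n = len(data)
    pos = 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything a viewer ignores: bytes after the outer EOI marker."""
    return data[jpeg_eoi_offset(data):]


def decode_substituted_base64(blob: bytes, sub: bytes = b"@", orig: bytes = b"A") -> bytes:
    """Undo a one-character alphabet substitution (assumed '@' for 'A') and decode."""
    cleaned = b"".join(blob.split())            # drop any line breaks
    return base64.b64decode(cleaned.replace(sub, orig), validate=True)


def scan_jpeg(data: bytes, sub: bytes = b"@", orig: bytes = b"A") -> dict:
    """Report on a JPEG's trailing data and whether it decodes to a PE image."""
    tail = trailing_bytes(data)
    report = {"trailing_len": len(tail), "decoded": None, "is_pe": False}
    if not tail:
        return report
    try:
        decoded = decode_substituted_base64(tail, sub, orig)
    except binascii.Error:
        return report                           # trailing data, but not this scheme
    report["decoded"] = decoded
    report["is_pe"] = decoded.startswith(b"MZ")  # DOS header shared by EXE/DLL
    return report


def build_sample_jpeg_with_payload(payload: bytes) -> bytes:
    """Constructed minimal JPEG (not a real image) with the payload appended
    the way the campaign does: base64, then 'A' replaced by '@'."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(jfif) + 2).to_bytes(2, "big") + jfif
    thumb = SOI + b"\x00\x01" + EOI             # decoy EOI inside an APP1 segment
    app1 = b"\xff\xe1" + (len(thumb) + 2).to_bytes(2, "big") + thumb
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    scan = b"\x12\x34\xff\x00\x56"              # FF 00 = stuffed 0xFF in scan data
    encoded = base64.b64encode(payload).replace(b"A", b"@")
    return SOI + app0 + app1 + sos + scan + EOI + encoded


if __name__ == "__main__":
    sample = build_sample_jpeg_with_payload(b"MZ\x90\x00constructed stand-in for a .NET DLL")
    print(scan_jpeg(sample))
```

Run it over a directory of images rather than one file; any non-zero trailing_len is worth a look even when is_pe is false, since the same carrier can hold a script or a second-stage URL. Note that the "MZ" check is only a triage signal: confirming that the decoded bytes are a .NET assembly means parsing the PE optional header for a CLI data directory, which this example does not do.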
Tenable has patched three high severity vulnerabilities in Nessus agent
affecting Windows hosts. These flaws allow non-admin users to escalate
privileges, execute code, or overwrite or delete system files with system privileges.
CVSS scores range from 7.8 to 8.8. While there's no evidence of active
exploitation, Tenable advises immediate updates.
The vulnerabilities are pending full analysis by the National Vulnerability Database.
Researchers at Binarly uncovered a vulnerability that allows attackers to disable Secure Boot
on many Windows devices by exploiting a flaw in UEFI firmware. The
flaw, found in a module by a rugged display vendor, allows arbitrary memory
writes stored in non-volatile RAM. This could let attackers overwrite secure
boot variables without detection even though the OS still appears protected.
While the exploit requires admin and physical access,
the risk is significant due to UEFI's pre-OS role.
Some UEFI distributions are immune,
but most systems remain vulnerable.
The flaw has likely circulated since October 2022.
Microsoft has patched the issue and revoked certificates for 14 affected modules in its June
2025 Patch Tuesday update. Lawmakers have introduced the Bipartisan Health Care Cybersecurity Act
to strengthen coordination between the Cybersecurity and Infrastructure Security Agency
and the Department of Health and Human Services. The bill, led by Representatives Brian Fitzpatrick, a Republican from Pennsylvania, and Jason
Crow, Democrat from Colorado, would create a formal liaison to improve threat sharing,
communication, and incident response for the health care sector.
It also mandates cybersecurity training for hospital staff and directs both agencies
to study sector-specific vulnerabilities, particularly in small and rural hospitals.
A report to Congress would identify high-risk medical devices and recommend actions to protect
electronic health records and health care delivery. Critics argue the bill may overemphasize training over structural issues like underfunding.
Still, it responds to a rise in hospital cyberattacks
that have disrupted care and leaked sensitive patient data.
In an interview with The Record, Harry Coker, Jr.,
former national cyber director, emphasized a collaborative
and apolitical
approach during his tenure in the Biden administration.
He prioritized implementing the National Cybersecurity Strategy and its Actionable Implementation
Plan, advocating for role clarity among federal cyber agencies, and building trust across
the interagency. Coker celebrated progress on eliminating unnecessary degree requirements for cyber roles
and spotlighting long-standing Internet vulnerabilities,
such as weaknesses in the Border Gateway Protocol.
He highlighted the need to improve support for state, local, tribal, and territorial governments
under constant cyber assault,
and he urged a better balance
between political appointees and career professionals in his former office.
On regulatory harmonization, Coker called for mutual recognition of compliance across
sectors and tailoring based on core cybersecurity standards.
His advice to his successor, prioritize cyber, clarify roles, and build strong interagency
collaboration to ensure national security and economic prosperity remain tightly interwoven.
Coming up after the break, Maria Varmazis checks in with Brandon Karpf on agentic AI,
and when online chatbots overshare, it's no laughing Meta.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
efficiency to your GRC game.
Vanta.
GRC.
How much easier trust can be.
Get started at Vanta.com slash cyber.
Maria Varmazis is host of the T-Minus Space Daily podcast right here on the N2K CyberWire
Network.
She recently checked in with commentator Brandon Karpf to discuss agentic AI.
Here's their conversation.
I wanted to get your thoughts on agentic AI and you had a whole bunch of thoughts.
So tell me a bit about your thinking about what we're doing here.
Yeah, of course.
This is sort of meta gaming, but I want to hear it.
Yeah, and I think this is valuable to the audience because I'm showing up in their feeds
about once a month
into Space Force, right? That was the first conversation.
That's an opportunity.
Our most recent conversation last month
was around implementing DevSecOps
and integrating GRC with DevSecOps,
especially for the space industry
and how challenging that could be,
but also what that opens up.
And it was a very practical recommendation
for space technology companies
to think about how they implement that.
And so I think bouncing between,
here's an interesting challenge,
industry challenge or industry opportunity, and then here's a
practical thing that you can do at your organization.
And we'll keep bouncing between those two types of topics every
single month.
So today is going to be a setting the scene, describing the
situation, and getting some of your take, but we'll save the
solutions for next time.
All right. So the agentic AI was sort of the lead-in to this because I had been noticing at all of the conferences I've been to that that is the phrase everybody's using.
But of course, it can mean a lot of different things and also how you implement it within the space realm can be very different depending on what you're trying to do.
And you had some specific thoughts about agentic AI
and network architecture as it relates to space.
Walk me through this.
Sure. So obviously, agentic and anything AI is way overhyped.
And in general, I think that the large companies themselves are overhyped.
But the actual implementations and uses of the technology,
I actually think is underhyped.
The other thing that is underhyped right now
is the security implications
of actually applying agentic technologies.
And of course, agentic technologies
are really just allowing a computer and a model
to run workloads and do things autonomously
by themselves for you for a specific purpose.
It's the dream, right?
We all just sit back, do nothing, and AI makes all the money that we need.
And although we're probably pretty far away from that future, we're not far away from a future where
organizations and individuals start chaining these systems together to talk to each other at machine speeds.
And that opens up a whole other standards of communication between AI to AI systems.
And that opens up a whole new can of worms that I don't think anyone in this world is prepared for.
Right, because usually when that conversation starts going places, people start going,
okay, well, we're doomed.
Or they go, yeah, well, we just put our normal security framework on and data loss prevention
systems and encryption and firewalls and just like what we've been doing for the last 30
years because that's been going so well.
Super great.
It's been going super well.
Yeah, there's definitely not an industry about how well it's going.
So where is that middle path?
Yeah, well, and I think to get to that middle path, we actually need to talk about what
the risk is.
We'll get there, friends.
But the threat here isn't actually the content of those communications.
Typically when we talk about data security and information security, we're talking about the actual content, your social security number, your bank transaction data,
your private personal data,
your interactions with family and friends and messages.
Actually, the real risk here is the metadata
of those communications, and I'll explain why.
So as agentic AI and as these models
are starting to accelerate,
we're starting to standardize how they talk to each other.
So Anthropic released a standard in the fall called MCP, Model Context Protocol,
that is essentially a dynamic wrapper around the API interfaces of models and other systems
that models would want to interact with, that creates a standard of communication,
essentially a protocol that allows those models and other models to talk to each other.
I mean, we're talking about most of the large organizations in the world who have their own models and their own systems
that want to chain to create agentic workflows.
It's now a standard of how they talk to each other.
And how they talk to each other is releasing a tremendous amount of information
in the form of metadata.
And it's not actually the details of the communication.
And so it's now totally reasonable to say
that an adversary who's looking at network traffic
and looking at data flow from an organization
out into the dirty internet could see the specific traffic
going from your model, your agentic model,
to all of the other agentic models and micro models
and systems and microservices
that that model is reaching out to at machine speed.
And when we talk about machine speed, we're talking about extraordinary amounts of data every second
going from your organization's model or agentic system
to thousands of other systems and services on the dirty internet.
And opening up what databases are being accessed,
what services are being accessed, when, the timing, the frequency of those things, potentially
even who as an organization or an individual is using those systems.
And when you start thinking about all of that metadata, it creates a very clear picture.
And the clear picture it's creating is what you are doing, what your strategy is, what
your agentic system is trying to achieve on your behalf, what your intent is.
So the adversaries no longer need to decrypt your data to figure out what you're doing
and why you're doing it.
They just need to capture the traffic, which is actually a pretty trivial activity.
And so that opens up a whole new set of vulnerabilities that the world is not prepared for
as we implement the model context protocol
and implement agentic workflows within our organizations
that even if you secure all the data,
the content is secure,
but the context of your communication,
the metadata is not secure.
And the metadata becomes the message.
That's interesting.
So content versus context is a great framework.
The devil's advocate would say, I don't know if I believe this, but I'm thinking it is,
okay, but how much can you really glean from context?
It really, really, really is enough.
And it's even enough today in a lot of use cases prior to the implementation of AI systems.
I'll give you a couple anecdotes. There's a research group out of UC San Diego
called the CAIDA research group.
They do a lot of internet measurement activities,
which essentially is the academia word
for signals intelligence.
And a couple years ago, they published a paper
where they were just by doing network analysis,
just by looking at metadata
of publicly available internet traffic, they were able to identify the physical locations
of Comcast's most critical network exchange points and fiber points around the United
States.
And from that, you can actually determine the couple nodes that you need to knock offline
with like a car accident
running into a telephone pole that would drop Comcast off of the internet entirely.
That was using just metadata.
Another great example is this fall Ben Gurion University released a proof of concept hack
where they did a side channel attack just measuring packets going from an individual user on ChatGPT and ChatGPT's servers.
And just by collecting that data, the packets themselves
were encrypted, but just because how they knew how ChatGPT
tokenizes data, and again, model context protocol provides
a standard for how data is transmitted between AI models,
so very similar.
But just knowing how OpenAI tokenizes data,
Ben-Gurion University was able, at a
greater than 50% accuracy, to determine the topic of the communications between a person
and ChatGPT, and at a greater than 20% accuracy, get perfect word replication of the prompts
and the responses from OpenAI.
Oh, dang.
The issue is there.
And you can get a lot of information about metadata.
And so now let's think about 10 years in the future.
You've got a company that is thinking about doing M&A
in your space and it's identifying M&A targets.
It's finding the exact organization
that you're trying to acquire
and why it's developing the strategy.
It's sending data to a pricing model,
a very specific kind of micro model. Think about microservices, but a micro model.
That micro model's only job is to develop a pricing model to acquire this one opportunity.
There's another market analysis model that's doing your go to market once you acquire.
There's another model that is out there whose whole purpose is how you integrate a company
into your organization. Your agent is doing all of this analysis in real time,
figuring out the IP trade secret issues, et cetera.
An individual who's looking at your agent
doing all of those transactions
could actually figure out ahead of time
what your strategy is, who your acquisition target is,
what your proprietary technology is,
what your go-to-market strategy will be, right?
Just based on the frequency of those things. And can tell, you know, that
you're about to make a move. And imagine if you're a public company, that is now
information that can move a stock price.
Okay, so, so all right, I'm gonna ask the obnoxious question.
Yeah.
How does this relate to space?
Yeah, yeah, so of course. And we'll tease this and we'll dive into this more.
You know, I think the only two viable markets in this space industry in terms of the space segment are
telecommunications and Earth observation. That might change in the future,
but to me those are the only two viable markets today for the space segment.
So set aside Earth observation verse for a moment, but talk about the telecommunications
segment right and the fact that communication architectures have been up there for decades now, and it's
only increasing.
Now we're getting the direct-to-cell capabilities, where, you know, AST SpaceMobile and SpaceX,
everyone's kind of moving in this direction of massively increasing the internet backbone
capability of the space segment
and actually the efficiency of transmitting packets from ground to space
and using the space segment as part of the internet backbone
and the internet exchange points for the large-scale autonomous systems.
I think that the fact that there's such a barrier to entry, to actually getting those essentially routers and servers
and processes running on low Earth orbit
or medium Earth orbit satellites,
there's a huge barrier to entry.
That makes it much more difficult for an adversary
to get a measurement capability in a space segment.
But also how the space segment functions
from a telecommunications perspective.
Those are essentially relays.
They're a little more sophisticated
than an internet-based router in a large data center
at an internet exchange point
where you've got fiber lines coming in.
By adopting, and we don't have time today
to go into the details, but next time we talk,
we should go into the details
about how I think you can do this.
But actually adopting a space segment component of your backbone,
of your wide area network.
So instead of going directly from your network to the dirty internet,
you go from your network to a space segment,
and you essentially relay your communications into the space segment
and then out into the dirty internet, provides a layer of obfuscation for your metadata where it could potentially hide
the true source and destination, the true frequency and velocity and activity of your
data and the real metadata of what's happening inside your wide area network for your organization.
And so by relaying and essentially proxying your data first through a space segment
before going terrestrial into the internet backbone,
I think could actually provide one layer of protection
against these types of network analysis attacks
and reconnaissance attacks.
Okay, so we have to put a pin in that
because we do have to conclude.
But I'm just thinking, okay, how would that work
and why, so the how and the why of that
will definitely be next time.
Be sure to check out T-minus wherever you get your favorite podcasts.
And finally, imagine asking a chatbot a private question, only to find out you accidentally shared it with the world.
That's the awkward reality unfolding on Meta's new AI app, where users are unknowingly posting their chats publicly.
The app includes a share button that brings up a post preview, but many people seem unaware
they're broadcasting everything from innocent queries to very personal matters.
One user asked about skin irritation, another wanted help writing a letter for someone facing
legal trouble, full names included, and yes, someone asked about the science of smelly
farts.
The app doesn't clearly explain what's being shared or with whom, especially if it's
linked to a public Instagram account.
It's a surprising misstep from one of the world's biggest tech companies.
While the app only has 6.5 million downloads so far,
it's already gaining attention for all the wrong reasons.
Let this be a reminder,
read the fine print before you click share.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer. There is a link in the show notes. Please take a moment and check
it out. N2K's senior producer is Alice Carruth. Our cyberwire producer is Liz Stokes. We're
mixed by Trey Hester with original music and sound design by Elliot Peltsman. Our executive
producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks
for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The Delete Me team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code N2K at checkout.
That's joindeleteme.com slash n2k, code N2K.