CyberWire Daily - Dialysis down, data out.
Episode Date: August 14, 2025

A ransomware attack exposes personal medical records of VA patients. New joint guidance from CISA and the NSA emphasizes asset inventory and OT taxonomy. The UK government reportedly spent millions to... cover up a data breach. Researchers identified two critical flaws in a widely used print orchestration platform. Phishing attacks increasingly rely on personalization. Rooting and jailbreaking frameworks pose serious enterprise risks. Fortinet warns of a critical command injection flaw in FortiSIEM. Estonian nationals are sentenced in a crypto Ponzi scheme. Michele Campobasso from Forescout joins us to unpack new research separating the hype from reality around “vibe hacking.” Meet the Blockchain Bandits of Pyongyang.

CyberWire Guest
Michele Campobasso from Forescout joins us to unpack new research separating the hype from reality around “vibe hacking.” Their team tested open-source, underground, and commercial AI models on vulnerability research and exploit development tasks—finding high failure rates and significant limitations, even among top commercial systems.

Selected Reading
Medical records for 1 million dialysis patients breached in data hack of VA vendor (Stars and Stripes)
NSA Joins CISA and Others to Share OT Asset Inventory Guidance (NSA.gov)
CISA warns of N-able N-central flaws exploited in zero-day attacks (Bleeping Computer)
U.K. Secretly Spent $3.2 Million to Stop Journalists From Reporting on Data Breach (The New York Times)
From Support Ticket to Zero Day (Horizon3.ai)
Personalization in Phishing: Advanced Tactics for Malware Delivery (Cofense)
The Root(ing) Of All Evil: Security Holes That Could Compromise Your Mobile Device (Zimperium)
Fortinet warns of FortiSIEM pre-auth RCE flaw with exploit in the wild (Bleeping Computer)
Estonians behind $577 million cryptomining fraud sentenced to 16 months (The Record)
Someone counter-hacked a North Korean IT worker: Here’s what they found (Cointelegraph)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
A ransomware attack exposes personal medical records of VA patients.
New joint guidance from CISA and the NSA emphasizes asset inventory and OT taxonomy.
The UK government reportedly spent millions to cover up a data breach. Researchers identified two critical flaws in a widely
used print orchestration platform. Phishing attacks increasingly rely on personalization. Rooting
and jailbreaking frameworks pose serious enterprise risks. Fortinet warns of a critical command
injection flaw. Estonian nationals are sentenced in a crypto Ponzi scheme. Michele Campobasso from
Forescout joins us to separate the hype from reality around vibe hacking. And meet the
Blockchain Bandits of Pyongyang.
It's Thursday, August 14th, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great to have you with us.
A ransomware attack on DaVita, a major dialysis provider contracting with the Department of Veterans Affairs,
exposed about one million medical records, including veterans' Social Security numbers, lab results, and insurance details.
The breach affected VA patients receiving dialysis and lab services through the veteran community
care program. Additional data such as names, check images, and tax IDs may have been compromised.
The VA paid DaVita $206 million in early 2025 for services, but its internal systems were not
impacted. Forensic teams and the FBI are investigating. DaVita has restored affected systems
and will offer 12 months of free credit monitoring to victims. Kidney disease is more prevalent
among veterans, with the VA caring for about 600,000 affected individuals nationwide.
New joint guidance from agencies including CISA, the NSA, EPA, and international partners
emphasizes that building a modern defensible architecture for operational technology
relies on a well-maintained asset inventory and OT taxonomy.
Titled Foundations for OT Cybersecurity: Asset Inventory Guidance for
Owners and Operators, the document outlines a structured multi-step process: define governance,
scope, and roles; identify OT assets and collect key attributes like IP addresses,
manufacturer, and criticality; create a taxonomy, classifying assets by function or
criticality and organizing them using zones and conduits; manage inventory data centrally;
and apply lifecycle management. Beyond inventory, it guides organizations
in improving cybersecurity through vulnerability tracking, performance monitoring, training,
and continuous improvement. Appendix examples include conceptual taxonomies for oil and gas,
electricity, and water infrastructure. While voluntary and not prescriptive, this guide aids
asset owners in enhancing information clarity, security posture, and operational resilience
for critical OT environments. Separately, CISA warned that
attackers are actively exploiting two vulnerabilities in N-able's N-central remote monitoring and
management platform. The flaws, which require authentication, could allow command execution and
input injection. N-able patched them in the recent version and urged immediate upgrades. About
2,000 instances are exposed online, mostly in the U.S., Australia, and Germany. CISA added the
bugs to its Known Exploited Vulnerabilities catalog, giving U.S. federal agencies until August 20th
to patch, and advised all organizations to secure systems promptly to reduce exploitation risk.
In 2022, a British military error exposed the personal details of 18,700 Afghans who had worked with
U.K. forces, risking Taliban reprisals. According to the New York Times, the Conservative
government sought a rare contra mundum superinjunction barring disclosure even to its victims,
spending $3.2 million in legal costs. The breach wasn't discovered until August 23 when part of the
data appeared on Facebook. Journalists who inquired were served with secrecy orders. The injunction
lasted 18 months until Labour's 2024 review prompted its lifting. Critics argue the orders
increasingly serve to avoid political embarrassment. The breach triggered a 400 million pound
secret relocation program for 4,500 Afghans. The case, unprecedented in scope, has sparked debate
over press freedom in Britain, with legal experts noting such gag orders would be impossible
under U.S. First Amendment protections. Researchers at Horizon3.ai have identified two critical flaws
in Xerox FreeFlow Core, a print orchestration platform widely used by commercial print shops,
universities, and government agencies.
The XXE injection vulnerability and path traversal flaw allow unauthenticated remote attackers
to execute arbitrary code on affected systems.
One of the vulnerabilities enables server-side request forgery via improperly handled XML entities.
The other allows attackers to upload
files to arbitrary locations, enabling web shell deployment and remote execution.
Both vulnerabilities are patched in the latest version, and immediate upgrading is advised.
The flaws were discovered during an investigation into unusual exploit callbacks and
disclosed under Horizon3.ai's vulnerability policy.
Cofense Intelligence reports that subject customization, personalizing email subjects,
attachments, and links, is a key phishing tactic for delivering malware, especially remote-access
Trojans and information stealers. From the third quarter of 2023 through the third quarter of
2024, the top malware delivery themes with customized subjects were travel assistance, response,
finance, taxes, and notification. Travel assistance most often delivered Vidar Stealer,
response used PikaBot, and finance commonly used jRAT.
Customized file names often contained PII, particularly with jRAT and Remcos RAT in finance- or
taxes-themed emails.
This sort of personalization increases engagement, aiding attackers in stealing credentials
or enabling brokered access for ransomware operations.
Zimperium's zLabs warns that modern rooting
and jailbreaking frameworks, often developed without security oversight, pose serious enterprise
risks by enabling malware infections, app compromise, and full system takeover.
Many use Android kernel patching, as in KernelSU, APatch, and SKRoot, hooking kernel functions
to gain root access.
Weak authentication between user apps and kernel interfaces creates exploitable flaws.
A KernelSU 5.7 vulnerability let attackers spoof the manager app via file descriptor manipulation,
bypassing signature checks to gain root before the legitimate manager launched.
Similar weaknesses such as APatch's past weak password protection and Magisk's impersonation bug
show these risks are common.
zLabs stresses continuous monitoring, as improper authentication, insecure
communication, and poor privilege isolation in rooting tools create persistent real-world
exploitation opportunities.
Fortinet warns of a critical remote unauthenticated command injection flaw in FortiSIEM,
a security monitoring platform used by governments, enterprises, and MSSPs.
Exploit code is already active in the wild, allowing attackers to execute unauthorized commands
via crafted CLI requests with no distinctive IOCs for detection.
Multiple versions are affected; only supported releases will receive patches.
Admins should upgrade immediately to fixed versions or restrict access to phMonitor on
port 7900. Older unsupported versions remain permanently vulnerable.
Estonians Sergei Potapenko and Ivan Turõgin were sentenced in Washington State to time served, 16 months,
for running a $500 million cryptocurrency Ponzi scheme.
Starting in 2013, they sold Bitcoin mining equipment via HashCoins but never had adequate inventory.
They later launched HashFlare, offering remote mining contracts, showing fake profits to investors,
while operating only a fraction of the claimed capacity.
Assets worth over $450 million were seized for victim compensation.
Prosecutors sought 10 years, and the DOJ may appeal the sentence.
Coming up after the break, Michele Campobasso from Forescout joins us to separate the hype from the reality around
vibe hacking, and meet the Blockchain Bandits of Pyongyang.
Michele Campobasso is a senior researcher at Forescout.
I recently spoke with him about research separating the hype from the reality around vibe hacking.
So, vibe hacking is the concept of attackers being able to rely massively on generative
AI to conduct sophisticated attacks, cyber attacks in this case, without having any specific
and prior knowledge on the topic. That's kind of the idea of vibe hacking.
Can you give us an idea
of how someone might approach this? How would one who doesn't have a lot of experience use
an LLM to go at what they want to do?
Yeah. So for example, one of the cases could be that
someone is interested in attacking a given website.
Then they resort to ChatGPT and they say, hey, I would like to do a security assessment on this specific website.
How should I approach to that in the very beginning?
And the LLM starts to give you some answers, some generic information you could find online.
So you do the process step by step and you start progressing with that.
But then once you do the general recon side of things,
then you will have to understand what is the technology behind the specific website,
and you're facing a moment in which you need to write an exploit, some code that is going to attack this website
and exploit some vulnerabilities. And this is where the thing gets tricky.
Because ideally, the person that is using this generative
AI doesn't know how the thing looks like, the attack looks like, and the LLM very confidently
will give some answers, which may be wrong.
So that's a little bit the issue that we see, and that's the reason why we started to
do this research, this line of research, to understand really how good an LLM could
possibly be when an attacker with no prior experience
wants to perform a malicious activity, some malicious activity.
Well, let's dig into the research that you all did here.
What was your methodology and what did you discover?
So we sampled a number of LLMs spanning from commercial solutions, of course,
because they are the most famous right now and arguably the most advanced,
but we included also underground LLMs that you can find on marketplaces on the dark web or telegram.
We included also some open source LLM so you can find in some repositories online.
And some create LLMs like services that companies that actually have a fat number.
So you can buy their services and they offer you specialized LLMs to conduct offensive operations as a researcher, for example.
So we've sampled 50 of them and we decided to test them against
a test bed of some tasks, and the two tasks that we decided to test these
LLMs against were vulnerability research and exploit development. So vulnerability
research in a nutshell is the process where someone or something looks at some code and then
tries to find what are the vulnerabilities in that code and tries to
exploit them, or at least pinpoint what are the issues in that code that may lead to an unintended use of that software.
And exploit development is the subsequent step, that is, you have some vulnerable codes, you know that it's vulnerable, you know where the issue is.
And then you have to write a program that misuses said software in the unintended way to achieve something that the software was not originally designed for,
for example, launching commands on a system that was supposed to be just hosting, for example, a website.
So how did it go?
It didn't go that brilliantly.
And the reason for that is that for simpler tasks that we had for vulnerability research, they performed somewhat okay,
especially those that are commercial solutions and those that are on the gray area in a way.
But when we were moving towards the more cognitively complex tasks like exploit development,
they started to fail miserably.
The best group of LLMs was by far the commercial solutions,
which was surprising, honestly, because arguably they should prevent an arbitrary user to state,
hey, I'm a security researcher, write me an exploit.
Very, very easy to be convinced in that sense.
So, as I was saying, the commercial solutions performed quite well for vulnerability research in a way.
Exploit development, roughly 50% of them managed to produce an exploit that was actually usable and exploiting the intended vulnerability.
Whereas a harder task in exploit development was managed from only 20% of them,
and we tested like 17 commercial solutions.
That's how it went.
It was not that great.
Yeah.
One of the things that struck me in the research
was that you all threw multiple iterations at these,
and you pointed out that some of these tasks required hours
and hours of attempts to get something useful out of it.
Yeah, that's right.
And that's one of the caveats of this research,
because I try to pose as someone that doesn't
understand much, but at least understand something about what they're doing.
I don't want to be just, I want to be accurate.
They're testing the LLM.
I wanted to be someone that knows how to do things.
So whenever I was giving them the task to write an exploit for a given piece of code,
I was monitoring the answers.
I was performing some minor corrections where needed.
And I was nudging sometimes LLMs to go in the right direction because they were
easily diverging from the right path.
So I was there looking after them carefully,
not too much, not to be like someone that already knows the solution
and then why I'm using an LLM in the first place.
And I really wanted to give each LLM their best shot
at trying to solve the task.
So each LLM was given up to five runs to solve each task.
despite all my efforts
of pretending to be
a somewhat average
attacker, these were the results
that were not too engrossing.
And by the way, the exploit development
exercises were taken from some
CTFs. So they were not
complex code like real case
scenarios. We were talking about
the lines of code in C. Nothing too
crazy. Yet,
these were the results.
So what's the
takeaway here for folks who are worried about the potential of these
LLMs enabling vibe hacking? Is your sense that we're still a ways off?
I know, in a way, yes. I would say that still they are a useful tool. They can
replace basically Google if you want to. You can look for information
there, you can ask them to write you skeletons for scripts and develop
automated pipelines for conducting some sort of attacks,
but the level of sophistication,
that's the real difference.
The level of sophistication that you can reach with an LLM
without being an expert already on the subject is fairly low.
And that's why arguably Vibe hacking is not,
as of today, a big issue.
It's just giving more wannabe attackers or someone
with opportunistic attackers with average
skills, some extra tools to be faster at their workflow, but not necessarily making a step forward.
Because at the end of the day, even though it's not going any further in terms of sophistication,
what you're getting right now in the positive outcomes of my tests is just an exploit.
An exploit is literally the same stuff that you would have done by hand.
They didn't use any new and undetectable way of exploiting a system.
They were doing something that a human would have done because they learned how to do it from humans.
So maybe the number of attacks is going to increase.
That's most likely.
Probably it's happening already right now.
But in terms of sophistication, we are seeing the same stuff already as always, I would argue.
That's Michele Campobasso from Forescout.
And finally, in the latest installment of North Korea does remote work,
crypto sleuth ZachXBT has outed a six-person DPRK
IT squad, tied to a $680,000 June crypto hack,
moonlighting as blockchain developers under 31 fake identities.
Their CVs boasted experience at OpenSea and Chainlink,
and one even interviewed at Polygon Labs.
Screenshots from a compromised device show them coordinating scams via Google Drive,
AnyDesk, VPNs, and Google Translate,
all on a $1,489 monthly expense budget.
The crew, also linked to a $1.4 billion Bybit hack,
secured freelance roles to siphon millions more.
ZachXBT warns the scams aren't high-tech, just high volume,
and sloppy hiring keeps the DPRK's most committed remote workers employed.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this month.
There is a link in the show notes.
Please take a moment and check it out.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.