CyberWire Daily - Fingers point east.
Episode Date: May 28, 2025
The Czech Republic accuses Chinese state-backed hackers of cyber-espionage. CISA’s leaders head for the exits. Cybercriminals are using fake AI video generator websites to spread malware. A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender website spreads malware targeting financial data. Medusa ransomware claims to have breached global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for ransomware targeting US cities. Our guest is Tony Velleca, CyberProof's CEO, discussing exposure management and a more risk-focused approach to prioritize threats. Mind reading for fun and profit.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On today’s Industry Voices segment, at the 2025 RSA Conference we were joined by Tony Velleca, CyberProof's CEO, who is discussing exposure management and moving towards a more risk-focused approach to prioritize threats. Listen to Tony’s interview here.
Selected Reading
Chinese spies blamed for attempted hack on Czech government network (The Record)
CISA loses nearly all top officials as purge continues (Cybersecurity Dive)
Google warns of Vietnam-based hackers using bogus AI video generators to spread malware (The Record)
Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities (SecurityWeek)
New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know (Hack Read)
Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data (Cybersecurity News)
RE/MAX deals with alleged 150GB data theft: Medusa ransomware demands $200K (Cyber News)
CISA Releases ICS Advisories Covering Vulnerabilities & Exploits (Cybersecurity News)
Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars (The Record)
Neural Privacy Under Threat: The Battle for Neural Data (Tsaaro Consulting)
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
The Czech Republic accuses Chinese state-backed hackers of cyberespionage.
CISA's leaders head for the exits.
Cybercriminals are using fake AI video generator websites to spread malware.
A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender
website spreads malware targeting financial data. Medusa ransomware claims to have breached
global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for
ransomware targeting US cities.
Our guest is Tony Velleca, CyberProof's CEO, discussing exposure management and a more
risk-focused approach to prioritize threats.
And mind reading for fun and profit. It's Wednesday, May 28, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us.
It's great as always to have you here with us.
The Czech Republic has accused Chinese state-backed hackers of targeting its Ministry of Foreign
Affairs in a cyber espionage campaign that began in 2022. An investigation by Czech intelligence
and cybersecurity agencies linked the attack to APT31, a group associated with China's
Ministry of State Security. The hackers targeted an unclassified network but may not have breached
it. Foreign Minister Jan Lipavský condemned China's interference, citing efforts
to weaken Czech democracy. He summoned the Chinese ambassador and highlighted new security
measures. The US and UK previously sanctioned APT31. The group also allegedly targeted British
lawmakers. Czech officials shared findings with EU and NATO allies.
Both organizations backed Prague with NATO condemning China's
increased cyber threats.
China has not yet responded.
The Cybersecurity and Infrastructure Security Agency
is facing a major leadership crisis,
with nearly all its top officials having left or set to
leave by the end of May, Cybersecurity Dive reports.
An internal email revealed that five of CISA's six operational divisions and most regional
offices are losing senior leaders, including key figures like Matt Hartman and Boyden Rohner.
These departures come amid rising cyber threats from foreign adversaries and have sparked
concern over the agency's stability and effectiveness.
Experts and insiders warn the loss of seasoned leadership may weaken CISA's ability to support
critical infrastructure and partner agencies.
Field directors who helped expand CISA's reach across the US
are also stepping down, further fueling uncertainty. While CISA's leadership insists the agency
remains mission-focused, morale is low and doubts about the agency's future are growing.
Critics fear this exodus will hurt national cybersecurity and resilience at a critical time.
Cyber criminals are using fake AI video generator websites to spread malware, Google's Mandiant unit has found.
These scammers create fraudulent sites mimicking tools like Luma AI and Canva Dream Lab,
promoting them through thousands of malicious ads on platforms
like Facebook and LinkedIn.
Victims lured in by the ads are tricked into downloading malware such as Starkveil, which
steals data and opens back doors for further access.
Mandiant attributes the campaign to a group named UNC6032, likely based in Vietnam.
Since mid-2024, the campaign has impacted users globally,
stealing credentials, cookies, and credit card info via Telegram.
Meta removed many of the malicious ads proactively,
aided by Mandiant's use of Meta's ad library.
The campaign reveals how fake AI tools are now a widespread threat
not just to tech professionals but to anyone tempted by trendy, seemingly legitimate AI
services.
Google and Mozilla have released Chrome 137 and Firefox 139, addressing 21 security vulnerabilities, including three rated high severity.
Chrome 137 includes 11 fixes, notably two high-risk memory issues
that could allow code execution or crashes.
Firefox 139 patches 10 flaws, including a high severity double free bug.
Updates were also issued for Firefox ESR and Thunderbird. Though no active
exploitation was reported, users are urged to update promptly as browser
vulnerabilities are common targets for attackers.
Researchers at ANY.RUN have uncovered a stealthy phishing campaign delivering the
Remcos RAT via DBatLoader. The attack uses obfuscated CMD scripts, User Account Control bypass,
and legitimate Windows tools to evade detection.
Victims receive phishing emails containing an archive with Factor.exe,
which triggers the attack chain: DBatLoader execution,
script obfuscation, and malware injection.
Remcos is stealthily embedded into trusted processes, and persistence is ensured through
scheduled tasks and registry edits.
This campaign shows how attackers exploit curiosity around AI tools and rely on native
OS behavior to bypass traditional security.
The researchers stress the importance of a dynamic analysis to detect and respond to
modern evasive threats effectively.
Cybercriminals have created a fake Bitdefender antivirus website, bitdefender-download.co,
to spread malware targeting financial data and enabling long-term system access.
The fraudulent site closely mimics the real Bitdefender download page, tricking users
into downloading a zip file containing VenomRAT, StormKitty, and SilentTrinity.
VenomRAT steals files, crypto wallets, and credit card data, while StormKitty harvests
credentials and SilentTrinity ensures persistent access.
The attackers host files via Bitbucket and Amazon S3 to appear legitimate.
The campaign is part of a broader phishing operation using shared infrastructure with
fake banking sites.
DomainTools researchers identified a common command and control server and warned of the
attackers' dual goal: quick financial theft and long-term system control.
Bitdefender is working to take the site down and Chrome now blocks the link.
Experts urge users to download antivirus software only from official sites and remain cautious of
unsolicited prompts.
Medusa ransomware claims to have breached global real estate firm RE/MAX, exfiltrating
150 gigabytes of data and demanding a $200,000 ransom.
The group posted samples on its dark web leak site, threatening public release in under
18 days.
While RE/MAX hasn't confirmed the breach, leaked data includes agent contact details,
commissions, internal documents, and property schematics, mostly from 2021 through 2023.
Security experts warn the full data set may contain more sensitive information,
posing risks of identity theft, fraud, and
property scams, along with reputational and financial damage to RE/MAX.
CISA has issued an advisory for a critical memory leak vulnerability in Johnson Controls'
iSTAR Configuration Utility Tool, impacting all versions prior to 6.9.5. The flaw, due to the use of
uninitialized variables, could expose sensitive data and affect industrial
control systems vital to sectors like energy, transportation, and manufacturing.
With a CVSS score of 7.4, the bug requires adjacent network access but no
authentication.
CISA urges defense-in-depth strategies, such as network segmentation and regular assessments,
to mitigate risks.
Iranian national Sina Gholinejad, aged 37, pleaded guilty to deploying RobbinHood ransomware
in attacks that hit several US cities, including Baltimore
and Greenville, North Carolina.
His actions caused tens of millions in damages and disrupted essential public services.
The 2019 Baltimore hack alone inflicted $19 million in losses, forcing the city offline
for months.
Prosecutors say Gholinejad and his co-conspirators
began the attacks in 2019,
extorting victims with threats of similar consequences.
They targeted municipalities in New York, Oregon,
and beyond until March 2024.
Gholinejad faces up to 30 years in prison
with sentencing set for August.
He was detained in North Carolina with help from Bulgarian authorities.
The Justice Department emphasized that cyber attacks on critical public systems won't go
unpunished and thanked international partners for their support in the case.
Coming up after the break, my conversation with Tony Velleca, CyberProof's CEO, we're
discussing exposure management and a more risk-focused approach to prioritize threats.
And mind reading for fun and profit.
Stick around.
And now a word from our sponsor, SpyCloud. Identity is the new battleground
and attackers are exploiting stolen identities to infiltrate your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection
helps security teams uncover and automatically
remediate hidden exposures across your users
from breaches, malware, and phishing
to neutralize identity-based threats
like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com/cyberwire and see
what attackers already know. That's spycloud.com/cyberwire.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program
on track, you're not alone. But let's be clear, there is a better way. Vanta's
trust management platform takes the headache out of governance, risk, and
compliance. It automates the essentials from internal and third-party risk to
consumer trust, making your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC,
teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity,
check out Vanta and bring some serious
efficiency to your GRC game.
Vanta GRC.
How much easier trust can be.
Get started at vanta.com/cyber.
Tony Velleca is CEO at CyberProof.
I recently caught up with him on the show floor of the RSAC conference.
In today's sponsored industry voices segment, we discuss exposure management and a more
risk focused approach to prioritize threats.
Well, I am thrilled to be here at RSAC 2025.
We are right here on the show floor, as you can see, and here.
And it is my pleasure to be joined today by Tony Velleca.
He is the CEO at CyberProof. Tony, welcome.
Thank you. I'm excited.
So our conversation today, we are focusing on this very interesting metaphor
that you shared with me.
And I'm gonna read it here.
This is the idea of an elusive single pane of glass.
Please explain.
Well, I think most people know that the single pane
of glass was something we used to call the idea
of a SIEM originally when we had a SOC, right?
We wanted to bring all this information
into a single pane of glass.
But as we look forward,
it's not just the defensive capabilities
that are important,
we're looking more at the more proactive things
we can do in cybersecurity.
So anything that we do in cybersecurity
always has a denominator of cost.
So nobody ever wants to spend a buck more than they have to
to protect themselves and bring down their risk.
So to me, the single pane of glass needs to start
guiding people on what's the best dollar,
next dollar spent to reduce my cyber risk.
So that's the proactive side and the defensive side.
And some companies are even talking now
about the predictive side.
What is the next generation of attack coming with AI
and how do I protect myself against that?
Yeah, well I mean I think when we're talking about glass,
there are a couple things I think of.
There's of course, in case of emergency, break glass.
Right?
But then like there's plate glass, there's tempered glass,
and those break in very different ways.
Does that metaphor extend to security
that not everyone's glass is created the same?
Not everyone's risk profile is the same?
Yeah, no, that's a great analogy actually,
because in fact with many of our large enterprise clients,
they're saying, I need to look at risk the way
I need to look at risk, right?
And this comes back to one of the foundational concepts,
which is risk itself needs to be tailored
to the organization that you have,
and it becomes a language, for example,
you need to know where your riskiest assets are,
where your crown jewels, as they used to say, are,
and these sorts of things.
And I think also, a lot of times when we talk about risk,
people think that, hey, we're trying to add up the dollars
and say I'm carrying $500 million worth of risk.
I think that's where the models fail
because nobody can really tell you
how much risk you're carrying.
The insurance providers may want that,
and there's cyber risk,
but I think the models will break down.
What we really want to know is
where do we spend that next dollar and should I spend it on reducing
an exposure to an attack or should I build
a new detection rule or should I invest
in better threat intelligence?
So this is more of an analysis on how I optimize my spend
to be able to get the maximum reduction in risk in my view.
Are there common blind spots that people have when it comes to evaluating their risk?
Oh, I think so. And I think we've been blessed with a new framework,
which is a MITRE ATT&CK framework. Because honestly, risk used to be,
am I going to get fined by the regulators?
And I think risk has moved to,
am I at risk of a major ransomware breach?
And ransomware, you know,
if you look where cybercrime is going this year
with the Ukraine war and the wars in the Middle East,
you're seeing a lot of focus on OT and systems like this.
So you have abilities,
the capabilities to attack those types of systems.
That's going to flow down to cybercrime and you're going to likely see those people that
might have the biggest impact by having their manufacturing sites shut down or hospitals
you saw last year.
So these are the types of areas you're going to see new risks show up.
So what do I need to do to protect a lot of these new environments from these
new capabilities? So that's the way I think it shows up for me in balancing some of these
areas we may not be looking at today but need to look at tomorrow.
How do you recommend that people balance their risk in terms of the things they're obligated to, the compliance things, like you mentioned,
but then also the sort of more real time risks,
like you said, things like ransomware,
the smoking hole in the ground, that sort of thing.
The things you don't see coming,
no one has unlimited resources,
so the things you have to take care of,
how do you turn that dial? So my point of view is that you're going to see a lot more,
you know, the last three or four years,
everybody's talking about threat intelligence,
threat intelligence.
Now I get a lot of great reports coming in
on threat intelligence,
but how do I operationalize that in a way
that I can prioritize my exposures?
So I think this year you're going to see a lot,
you're seeing the words,
continuous threat exposure management.
I think you're going to see focusing on the threat actors
that are important to you, your industry,
where you're at, what technology you're running,
being able to understand those campaigns
and tactics at the tactics and technique level,
and then to be able to understand
where you're exposed to those tactics and techniques.
So it's around a continuous view of what the threat actors
are targeting you and flowing that all the way
through your organization.
And on the defensive side, you have to understand
whether you can even, you have the detections
in your systems.
Most security operations teams that are maybe even using
outsource providers don't know what they're actually able
to see and what they can't see,
and they probably can't tell you whether,
how that compares to the threat actors
and the techniques that they're running today, right?
We're here at RSAC 25,
and of course AI is still the hot topic.
For you and your colleagues at CyberProof,
how does that play into the equation?
Great question.
Obviously you can't go to any interview today
and not talk about AI.
No, it'd be malpractice for me not to ask you about it.
So.
So in that vein, I think there's two sides of it.
There's AI for security, which is the exciting side.
For me, what can we do?
And I think you're seeing this agentic AI
just taking off very quickly.
This has a promise of maybe offloading.
Today we probably have analytical tools
that'll give us a lot more problems than we can solve,
so we need the agents to be able to help us
solve some of those tools.
And you're going to see purpose-built agents
to do threat hunting and L1, SOC, and things like that.
And I think that's going to mature very quickly.
So that's the positive side.
I think the CISOs that get ahead
and lay the foundation for a solid framework,
you're seeing like the OWASP Top 10 for LLMs
and things now putting these frameworks in early.
I think it's an opportunity for them
to take leadership positions in companies
because there are very few roles in an organization
that understand all aspects, regulatory compliance,
the technical aspects, and even the business aspects,
which most CISOs have to in their jobs today.
So I think there's an opportunity,
but I also think it's like anything, it's a cold war,
it's going to be changing so quickly,
you got to stay ahead of it,
and you got to make it a priority,
or you're going to get behind.
Yeah, yeah.
For the people who are well along on this journey,
with a company like yours,
what are they enjoying?
What does success look like?
You know, they're day to day of feeling like
we have this under a certain amount of control?
As you say, we tend to work for the larger enterprise
companies and more sophisticated companies,
and for those, I like to say,
do they have a well-managed estate?
And because I'm hearing this word used more and more often
is do I know we're all assets?
Are all my assets under management?
Am I able to make sense of this complex environment
and to be able to take advantage of some of this
continuous threat exposure management
that you're seeing coming out,
or attack surface prioritization,
or even is my SOC able to see all the things that I need?
So I think a lot of it is just putting,
and I don't even like to call it governance anymore,
honestly I think it's a continuous process
of making sure that you're keeping your estate
well managed so that you can do it.
The other problem that I hear many times is,
do you have the ability, a lot of times our security teams
own the responsibility for the security,
but they don't have the, they don't own the teams
that are actually doing things.
So you're going to see software development
being much more important, right?
The kind of defects that are entered into that, or LLMs.
But those teams are not necessarily owned.
So there may be governance responsibility,
but they don't have the responsibility
to actually do the fixing.
So I think that ability to make sure
that you have the right leverage
and working with those teams
to get things done is going to be critical
as the change happens, right?
Yeah.
What about for the person who's on the other side
of that journey, who's just getting started,
looks at it and feels a little overwhelmed,
you know, like how am I going to start taking bites
out of this problem?
What's your words of wisdom for them?
You know, it's great.
I think all security people probably feel overwhelmed,
no matter what.
So step back, take a look at the landscape,
pick your priorities, take a deep breath,
and execute, right?
I think execution will be key.
We're all going to be wrong about something because we don't know,
and it's going to be changing so quickly.
I think it's also communicate effectively.
I think that's an area that most of us in
security can move from a technical conversation
and do more of a business conversation,
it'll be important.
Execute, execute, execute, execute.
That's my motto. Yeah.
Before I let you go, RSAC, for you,
what do you get out of this show?
What do you hope to accomplish?
What are the things you look forward to getting together
with all of your friends and colleagues here?
I'm always amazed when the show of, what,
40,000 plus people is here.
How many people I run into, I know.
And I forget, and I forget.
So I love just reconnecting with many people.
I cry outside the booth, I ran,
that somebody hadn't seen in about five years.
But the second is I'm always shocked at the innovation,
the new startups that are coming,
the problems that they're solving.
And I think one of the challenges,
you got to figure out, you don't know which one of those
is going to be successful,
but I think we're at this point where we,
the industry has a responsibility to try some
of these things out and to make sure that we're always
progressing on that, on an innovation front.
So I learn a lot from talking to many of these startups
about how they look at the problem.
Yeah.
Well Tony, thank you so much for taking the time for us.
It was a real pleasure to get to chat with you.
And likewise, I always enjoy these conversations.
It always makes me think.
All right.
Have a good show.
See you soon.
OK, bye.
That's Tony Velleca from CyberProof.
And finally, imagine popping on a sleek little meditation headband for some self-care, only
to find you've accidentally signed away the intimate details of your inner monologue.
That's the unsettling reality U.S. Senators Chuck Schumer, Maria Cantwell, and Ed Markey
are now raising alarms about.
They've asked the FTC to investigate brain-computer interface companies, because apparently reading
your mind isn't off limits if it's in the fine print.
A Neurorights Foundation study found 29 out of 30 neurotech firms are scooping up users'
brain data, but only 14 bother to ask for permission.
And unless you're in the EU or lucky enough to live in California, your brain waves are
basically up for grabs.
These tools promise breakthroughs, communication for the paralyzed, early Alzheimer's detection,
or boosted focus.
But without regulation, they might just become thought-mining machines for profit.
The stakes include your mental privacy, identity, and autonomy.
Because apparently, "what were you thinking" might soon be a data point.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing
at the cyberwire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is
Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott
Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm
Dave Bittner. Thanks for listening, we'll see you back here tomorrow.
And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment.
If it's not approved, it doesn't run.
Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day.
See how ThreatLocker can help you lock down your environment at www.threatlocker.com.