CyberWire Daily - Fingers point east.

Episode Date: May 28, 2025

The Czech Republic accuses Chinese state-backed hackers of cyber-espionage. CISA’s leaders head for the exits. Cybercriminals are using fake AI video generator websites to spread malware. A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender website spreads malware targeting financial data. Medusa ransomware claims to have breached global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for ransomware targeting US cities. Our guest is Tony Velleca, CyberProof's CEO, discussing exposure management and a more risk-focused approach to prioritize threats. Mind reading for fun and profit.

CyberWire Guest: On today’s Industry Voices segment, recorded at the 2025 RSA Conference, we were joined by Tony Velleca, CyberProof's CEO, to discuss exposure management and moving towards a more risk-focused approach to prioritize threats.
Selected Reading
Chinese spies blamed for attempted hack on Czech government network (The Record)
CISA loses nearly all top officials as purge continues (Cybersecurity Dive)
Google warns of Vietnam-based hackers using bogus AI video generators to spread malware (The Record)
Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities (SecurityWeek)
New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know (Hack Read)
Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data (Cybersecurity News)
RE/MAX deals with alleged 150GB data theft: Medusa ransomware demands $200K (Cyber News)
CISA Releases ICS Advisories Covering Vulnerabilities & Exploits (Cybersecurity News)
Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars (The Record)
Neural Privacy Under Threat: The Battle for Neural Data (Tsaaro Consulting)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteme.com slash n2k and use promo code n2k at checkout. That's joindeleteme.com slash n2k, code n2k. The Czech Republic accuses Chinese state-backed hackers of cyberespionage. CISA's leaders head for the exits. Cybercriminals are using fake AI video generator websites to spread malware. A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender website spreads malware targeting financial data. Medusa ransomware claims to have breached global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for ransomware targeting US cities.
Starting point is 00:02:05 Our guest is Tony Velleca, CyberProof CEO, discussing exposure management and a more risk-focused approach to prioritize threats. And mind reading for fun and profit. It's Wednesday, May 28, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It's great as always to have you here with us. The Czech Republic has accused Chinese state-backed hackers of targeting its Ministry of Foreign Affairs in a cyber espionage campaign that began in 2022. An investigation by Czech intelligence and cybersecurity agencies linked the attack to APT31, a group associated with China's
Starting point is 00:03:14 Ministry of State Security. The hackers targeted an unclassified network but may not have breached it. Foreign Minister Jan Lipavský condemned China's interference, citing efforts to weaken Czech democracy. He summoned the Chinese ambassador and highlighted new security measures. The US and UK previously sanctioned APT31. The group also allegedly targeted British lawmakers. Czech officials shared findings with EU and NATO allies. Both organizations backed Prague, with NATO condemning China's increased cyber threats. China has not yet responded.
Starting point is 00:03:56 The Cybersecurity and Infrastructure Security Agency is facing a major leadership crisis, with nearly all its top officials having left or set to leave by the end of May, Cybersecurity Dive reports. An internal email revealed that five of CISA's six operational divisions and most regional offices are losing senior leaders, including key figures like Matt Hartman and Boyden Rohner. These departures come amid rising cyber threats from foreign adversaries and have sparked concern over the agency's stability and effectiveness.
Starting point is 00:04:33 Experts and insiders warn the loss of seasoned leadership may weaken CISA's ability to support critical infrastructure and partner agencies. Field directors who helped expand CISA's reach across the US, are also stepping down, further fueling uncertainty. While CISA's leadership insists the agency remains mission-focused, morale is low and doubts about the agency's future are growing. Critics fear this exodus will hurt national cybersecurity and resilience at a critical time. Cyber criminals are using fake AI video generator websites to spread malware, Google's Mandiant unit has found. These scammers create fraudulent sites mimicking tools like Luma AI and Canva Dream Lab,
Starting point is 00:05:22 promoting them through thousands of malicious ads on platforms like Facebook and LinkedIn. Victims lured in by the ads are tricked into downloading malware such as STARKVEIL, which steals data and opens back doors for further access. Mandiant attributes the campaign to a group named UNC6032, likely based in Vietnam. Since mid-2024, the campaign has impacted users globally, stealing credentials, cookies, and credit card info via Telegram. Meta removed many of the malicious ads proactively,
Starting point is 00:05:58 aided by Mandiant's use of Meta's ad library. The campaign reveals how fake AI tools are now a widespread threat, not just to tech professionals but to anyone tempted by trendy, seemingly legitimate AI services. Google and Mozilla have released Chrome 137 and Firefox 139, addressing 21 security vulnerabilities, including three rated high severity. Chrome 137 includes 11 fixes, notably two high-risk memory issues that could allow code execution or crashes. Firefox 139 patches 10 flaws, including a high-severity double-free bug.
Starting point is 00:06:40 Updates were also issued for Firefox ESR and Thunderbird. Though no active exploitation was reported, users are urged to update promptly, as browser vulnerabilities are common targets for attackers. Researchers at ANY.RUN have uncovered a stealthy phishing campaign delivering the Remcos RAT via DBatLoader. The attack uses obfuscated CMD scripts, user account control bypass, and legitimate Windows tools to evade detection. Victims receive phishing emails containing an archive with Factor.exe, which triggers the attack chain: DBatLoader execution,
Starting point is 00:07:23 script obfuscation, and malware injection. Remcos is stealthily embedded into trusted processes, and persistence is ensured through scheduled tasks and registry edits. This campaign shows how attackers exploit curiosity around AI tools and rely on native OS behavior to bypass traditional security. The researchers stress the importance of a dynamic analysis to detect and respond to modern evasive threats effectively. Cybercriminals have created a fake Bitdefender antivirus website, bitdefender-download.co,
Starting point is 00:08:03 to spread malware targeting financial data and enabling long-term system access. The fraudulent site closely mimics the real Bitdefender download page, tricking users into downloading a zip file containing VenomRAT, StormKitty, and SilentTrinity. VenomRAT steals files, crypto wallets, and credit card data, while StormKitty harvests credentials and SilentTrinity ensures persistent access. The attackers host files via Bitbucket and Amazon S3 to appear legitimate. The campaign is part of a broader phishing operation using shared infrastructure with fake banking sites.
Starting point is 00:08:42 DomainTools researchers identified a common command and control server and warned of the attacker's dual goal: quick financial theft and long-term system control. Bitdefender is working to take the site down, and Chrome now blocks the link. Experts urge users to download antivirus software only from official sites and remain cautious of unsolicited prompts. Medusa ransomware claims to have breached global real estate firm RE/MAX, exfiltrating 150 gigabytes of data and demanding a $200,000 ransom. The group posted samples on its dark web leak site, threatening public release in under
Starting point is 00:09:24 18 days. While RE/MAX hasn't confirmed the breach, leaked data includes agent contact details, commissions, internal documents, and property schematics, mostly from 2021 through 2023. Security experts warn the full data set may contain more sensitive information, posing risks of identity theft, fraud, and property scams, along with reputational and financial damage to RE/MAX. CISA has issued an advisory for a critical memory leak vulnerability in Johnson Controls' iSTAR Configuration Utility Tool, impacting all versions prior to 6.9.5. The flaw, due to the use of
Starting point is 00:10:07 uninitialized variables, could expose sensitive data and affect industrial control systems vital to sectors like energy, transportation, and manufacturing. With a CVSS score of 7.4, the bug requires adjacent network access but no authentication. CISA urges defense-in-depth strategies, such as network segmentation and regular assessments, to mitigate risks. Iranian national Sina Gholinejad, aged 37, pleaded guilty to deploying Robbinhood ransomware in attacks that hit several US cities, including Baltimore
Starting point is 00:10:46 and Greenville, North Carolina. His actions caused tens of millions in damages and disrupted essential public services. The 2019 Baltimore hack alone inflicted $19 million in losses, forcing the city offline for months. Prosecutors say Gholinejad and his co-conspirators began the attacks in 2019, extorting victims with threats of similar consequences. They targeted municipalities in New York, Oregon,
Starting point is 00:11:15 and beyond until March 2024. Gholinejad faces up to 30 years in prison, with sentencing set for August. He was detained in North Carolina with help from Bulgarian authorities. The Justice Department emphasized that cyber attacks on critical public systems won't go unpunished and thanked international partners for their support in the case. Coming up after the break, my conversation with Tony Velleca, CyberProof CEO. We're discussing exposure management and a more risk-focused approach to prioritize threats. And mind reading for fun and profit.
Starting point is 00:12:00 Stick around. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing
Starting point is 00:12:35 to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:13:16 If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC,
Starting point is 00:13:52 teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC. How much easier trust can be. Get started at Vanta.com slash cyber. Tony Velleca is CEO at CyberProof.
Starting point is 00:14:28 I recently caught up with him on the show floor of the RSAC conference. In today's sponsored Industry Voices segment, we discuss exposure management and a more risk-focused approach to prioritize threats. Well, I am thrilled to be here at RSAC 2025. We are right here on the show floor, as you can see, and here. And it is my pleasure to be joined today by Tony Velleca. He is the CEO at CyberProof. Tony, welcome. Thank you. I'm excited.
Starting point is 00:14:59 So our conversation today, we are focusing on this very interesting metaphor that you shared with me. And I'm gonna read it here. This is the idea of an elusive single pane of glass. Please explain. Well, I think most people know that the single pane of glass was something we used to call the idea of a SIEM originally when we had a SOC, right?
Starting point is 00:15:25 We wanted to bring all this information into a single pane of glass. But as we look forward, it's not just the defensive capabilities that are important, we're looking more at the more proactive things we can do in cybersecurity. So anything that we do in cybersecurity
Starting point is 00:15:41 always has a denominator of cost. So nobody ever wants to spend a buck more than they have to to protect themselves and bring down their risk. So to me, the single pane of glass needs to start guiding people on what's the best dollar, next dollar spent to reduce my cyber risk. So that's the proactive side and the defensive side. And some companies are even talking now
Starting point is 00:16:02 about the predictive side. What is the next generation of attack coming with AI and how do I protect myself against that? Yeah, well I mean I think when we're talking about glass, there are a couple things I think of. There's of course, in case of emergency, break glass. Right? But then like there's plate glass, there's tempered glass,
Starting point is 00:16:24 and those break in very different ways. Does that metaphor extend to security that not everyone's glass is created the same? Not everyone's risk profile is the same? Yeah, no, that's a great analogy actually, because in fact with many of our large enterprise clients, they're saying, I need to look at risk the way I need to look at risk, right?
Starting point is 00:16:44 And this comes back to one of the foundational concepts, which is risk itself needs to be tailored to the organization that you have, and it becomes a language, for example, you need to know where your riskiest assets are, where your crown jewels, as they used to say, are, and these sorts of things. And I think also, a lot of times when we talk about risk,
Starting point is 00:17:06 people think that, hey, we're trying to add up the dollars and say I'm carrying $500 million worth of risk. I think that's where the models fail because nobody can really tell you how much risk you're carrying. The insurance providers may want that, and there's cyber risk, but I think the models will break down.
Starting point is 00:17:22 What we really want to know is where do we spend that next dollar and should I spend it on reducing an exposure to an attack or should I build a new detection rule or should I invest in better threat intelligence? So this is more of an analysis on how I optimize my spend to be able to get the maximum reduction in risk in my view. Are there common blind spots that people have when it comes to evaluating their risk?
Starting point is 00:17:53 Oh, I think so. And I think we've been blessed with a new framework, which is the MITRE ATT&CK framework. Because honestly, risk used to be, am I going to get fined by the regulators? And I think risk has moved to, am I at risk of a major ransomware breach? And ransomware, you know, if you look where cybercrime is going this year with the Ukraine war and the wars in the Middle East,
Starting point is 00:18:17 you're seeing a lot of focus on OT and systems like this. So you have the capabilities to attack those types of systems. That's going to flow down to cybercrime, and you're going to likely see those people that might have the biggest impact by having their manufacturing sites shut down, or hospitals, as you saw last year. So these are the types of areas you're going to see new risks show up.
Starting point is 00:18:41 So what do I need to do to protect a lot of these new environments from these new capabilities? So that's the way I think it shows up for me in balancing some of these areas we may not be looking at today but need to look at tomorrow. How do you recommend that people balance their risk in terms of the things they're obligated to, the compliance things, like you mentioned, but then also the sort of more real time risks, like you said, things like ransomware, the smoking hole in the ground, that sort of thing. The things you don't see coming,
Starting point is 00:19:18 no one has unlimited resources, so the things you have to take care of, how do you turn that dial? So my point of view is that you're going to see a lot more, you know, the last three or four years, everybody's talking about threat intelligence, threat intelligence. Now I get a lot of great reports coming in on threat intelligence,
Starting point is 00:19:34 but how do I operationalize that in a way that I can prioritize my exposures? So I think this year you're going to see a lot, you're seeing the words continuous threat exposure management. I think you're going to see focusing on the threat actors that are important to you, your industry, where you're at, what technology you're running,
Starting point is 00:19:52 being able to understand those campaigns and tactics at the tactics and technique level, and then to be able to understand where you're exposed to those tactics and techniques. So it's around a continuous view of what the threat actors are targeting you and flowing that all the way through your organization. And on the defensive side, you have to understand
Starting point is 00:20:14 whether you can even, you have the detections in your systems. Most security operations teams that are maybe even using outsource providers don't know what they're actually able to see and what they can't see, and they probably can't tell you whether, how that compares to the threat actors and the techniques that they're running today, right?
Starting point is 00:20:33 We're here at RSAC 25, and of course AI is still the hot topic. For you and your colleagues at CyberProof, how does that play into the equation? Great question. Obviously you can't go to any interview today and not talk about AI. No, it'd be malpractice for me not to ask you about it.
Starting point is 00:20:54 So. So in that vein, I think there's two sides of it. There's AI for security, which is the exciting side. For me, what can we do? And I think you're seeing this agentic AI just taking off very quickly. This has a promise of maybe offloading. Today we probably have analytical tools
Starting point is 00:21:11 that'll give us a lot more problems than we can solve, so we need the agents to be able to help us solve some of those tools. And you're going to see purpose-built agents to do threat hunting and L1, SOC, and things like that. And I think that's going to mature very quickly. So that's the positive side. I think the CISOs that get ahead
Starting point is 00:21:31 and lay the foundation for a solid framework, you're seeing like the OWASP Top 10 for LLMs and things now putting these frameworks in early. I think it's an opportunity for them to take leadership positions in companies because there are very few roles in an organization that understand all aspects, regulatory compliance, the technical aspects, and even the business aspects,
Starting point is 00:21:52 which most CISOs have to in their jobs today. So I think there's an opportunity, but I also think it's like anything, it's a cold war, it's going to be changing so quickly, you got to stay ahead of it, and you got to make it a priority, or you're going to get behind. Yeah, yeah.
Starting point is 00:22:09 For the people who are well along on this journey, with a company like yours, what are they enjoying? What does success look like? You know, they're day to day of feeling like we have this under a certain amount of control? As you say, we tend to work for the larger enterprise companies and more sophisticated companies,
Starting point is 00:22:32 and for those, I like to say, do they have a well-managed estate? And because I'm hearing this word used more and more often, is do I know where all my assets are? Are all my assets under management? Am I able to make sense of this complex environment and to be able to take advantage of some of this continuous threat exposure management
Starting point is 00:22:52 that you're seeing coming out, or attack surface prioritization, or even is my SOC able to see all the things that I need? So I think a lot of it is just putting, and I don't even like to call it governance anymore, honestly I think it's a continuous process of making sure that you're keeping your estate well managed so that you can do it.
Starting point is 00:23:13 The other problem that I hear many times is, do you have the ability, a lot of times our security teams own the responsibility for the security, but they don't have the, they don't own the teams that are actually doing things. So you're going to see software development being much more important, right? The kind of defects that are entered into that, or LLMs.
Starting point is 00:23:32 But those teams are not necessarily owned. So there may be governance responsibility, but they don't have the responsibility to actually do the fixing. So I think that ability to make sure that you have the right leverage and working with those teams to get things done is going to be critical
Starting point is 00:23:47 as the change happens, right? Yeah. What about for the person who's on the other side of that journey, who's just getting started, looks at it and feels a little overwhelmed, you know, like how am I going to start taking bites out of this problem? What's your words of wisdom for them?
Starting point is 00:24:08 You know, it's great. I think all security people probably feel overwhelmed, no matter what. So step back, take a look at the landscape, pick your priorities, take a deep breath, and execute, right? I think execution will be key. We're all going to be wrong about something because we don't know,
Starting point is 00:24:27 and it's going to be changing so quickly. I think it's also communicate effectively. I think that's an area that most of us in security can move from a technical conversation and do more of a business conversation, it'll be important. Execute, execute, execute, execute. That's my motto. Yeah.
Starting point is 00:24:47 Before I let you go, RSAC, for you, what do you get out of this show? What do you hope to accomplish? What are the things you look forward to getting together with all of your friends and colleagues here? I'm always amazed when the show of, what, 40,000 plus people is here. How many people I run into, I know.
Starting point is 00:25:04 And I forget, and I forget. So I love just reconnecting with many people. Right outside the booth, I ran into somebody I hadn't seen in about five years. But the second is I'm always shocked at the innovation, the new startups that are coming, the problems that they're solving. And I think one of the challenges,
Starting point is 00:25:21 you got to figure out, you don't know which one of those is going to be successful, but I think we're at this point where we, the industry has a responsibility to try some of these things out and to make sure that we're always progressing on that, on an innovation front. So I learn a lot from talking to many of these startups about how they look at the problem.
Starting point is 00:25:41 Yeah. Well Tony, thank you so much for taking the time for us. It was a real pleasure to get to chat with you. And likewise, I always enjoy these conversations. It always makes me think. All right. Have a good show. See you soon.
Starting point is 00:25:53 OK, bye. That's Tony Velleca from CyberProof. And finally, imagine popping on a sleek little meditation headband for some self-care, only to find you've accidentally signed away the intimate details of your inner monologue. That's the unsettling reality U.S. Senators Chuck Schumer, Maria Cantwell, and Ed Markey are now raising alarms about. They've asked the FTC to investigate brain-computer interface companies, because apparently reading your mind isn't off limits if it's in the fine print. A Neurorights Foundation study found 29 out of 30 neurotech firms are scooping up users' brain data, but only 14 bother to ask for permission.
Starting point is 00:26:56 And unless you're in the EU or lucky enough to live in California, your brain waves are basically up for grabs. These tools promise breakthroughs: communication for the paralyzed, early Alzheimer's detection, or boosted focus. But without regulation, they might just become thought-mining machines for profit. The stakes include your mental privacy, identity, and autonomy. Because apparently, "what were you thinking" might soon be a data point. And that's the CyberWire.
Starting point is 00:27:44 For links to all of today's stories, check out our daily briefing at thecyberwire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment.
Starting point is 00:28:55 If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
