CyberWire Daily - Hardcoded credentials and hard lessons.

Episode Date: May 5, 2025

Researchers uncover serious vulnerabilities in the Signal fork reportedly used by top government officials. CISA adds a second Commvault flaw to its Known Exploited Vulnerabilities catalog. xAI exposed a private API key on GitHub for nearly two months. FortiGuard uncovers a cyber-espionage campaign targeting critical national infrastructure in the Middle East. Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums. The StealC info-stealer and malware loader gets an update. Passkeys blaze the trail to a passwordless future. On our Afternoon Cyber Tea segment with Ann Johnson, Ann speaks with Christina Morillo, Head of Information Security at the New York Giants. Cubism meets computing: the Z80 goes full Picasso.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On our Afternoon Cyber Tea segment with Ann Johnson, Ann speaks with Christina Morillo, Head of Information Security at the New York Football Giants, as they discuss how she approaches cybersecurity with curiosity, business alignment, and strong collaboration across the NFL community.

Selected Reading

The Signal Clone the Trump Admin Uses Was Hacked (404 Media)
Critical Commvault Vulnerability in Attacker Crosshairs (SecurityWeek)
xAI Dev Leaked API Key on GitHub for Private SpaceX, Tesla & Twitter/X (Cyber Security News)
FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure (Fortinet)
Hackers Selling SS7 0-Day Vulnerability on Hacker Forums for $5000 (Cyber Security News)
StealC malware enhanced with stealth upgrades and data theft tools (Bleeping Computer)
Sick of 15-character passwords? Microsoft is going password-less, starting now. (Mashable)
Passkeys for Normal People (Troy Hunt)
Single-Board Z80 Computer Draws Inspiration From Picasso (Hackaday)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Starting point is 00:00:40 Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. Researchers uncover serious vulnerabilities in the Signal fork reportedly used by top government officials. CISA adds a second Commvault flaw to its Known Exploited Vulnerabilities catalog. xAI exposed a private API key on GitHub for nearly two months. FortiGuard uncovers a cyber-espionage campaign targeting critical national infrastructure in the Middle East. Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums.
Starting point is 00:01:36 The StealC info-stealer and malware loader gets an update. Passkeys blaze the trail to a passwordless future. On our Afternoon Cyber Tea segment with Ann Johnson, Ann speaks with Christina Morillo, head of information security at the New York Giants. And Cubism meets computing: the Z80 goes full Picasso. It's Monday, May 5th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Hello, everyone, and welcome back. It is really good to be home, back in the Baltimore area, after an exciting, energizing
Starting point is 00:02:36 trip to San Francisco for this year's RSAC 2025 conference. The conference was a hit, great sessions, lively conversations, and plenty of time spent with friends, both familiar faces and some fantastic new ones. And yes, I spotted my new favorite t-shirt, My Agentic AI has purchase authority. Because nothing says cutting edge like giving your AI a company credit card. Let's get into it. So researchers have uncovered a serious vulnerability in TM Signal, an obscure non-public messaging app reportedly used by former National Security Advisor Mike Waltz, known for accidentally adding a journalist to a classified chat.
Starting point is 00:03:22 TM Signal turns out to be a lightly tweaked version of Signal, modified to archive messages, which may explain its appeal to officials needing to comply with record-keeping laws. But here's the kicker. The app uses hard-coded credentials, a rookie-level security blunder. According to hackers, the company behind the app, TeleMessage, was also breached, exposing messages, user data, and even back-end credentials. The breach reportedly took 15 to 20 minutes, and it raises uncomfortable questions about why officials are turning to fringe apps instead of secure government systems. Whatever the rationale, it's clear that security hygiene took a backseat.
Starting point is 00:04:08 What happened here appears to be a textbook case of bypassing the rules that exist for a reason. Instead of going through proper U.S. government channels to vet and approve software, officials reportedly sidestepped protocol and deployed a messaging app through what amounts to shadow IT. It's the kind of move that makes the whole cutting red tape mantra look reckless rather than efficient. Bureaucracy may be frustrating, but it's built on hard-learned lessons about risk and control. Ignoring it in favor of quick fixes isn't innovation. It's dangerous. CISA has added a second Commvault flaw to its known exploited vulnerabilities catalog
Starting point is 00:04:52 in less than a week, highlighting rising threat activity. The critical vulnerability, with a CVSS score of 10, affects multiple Commvault Command Center versions and allows unauthenticated remote code execution via malicious ZIP files. Though not yet confirmed exploited in the wild, proof-of-concept code is public. Federal agencies must patch by May 23rd. CISA also added a related Yii framework flaw used in Craft CMS attacks. A security misstep at Elon Musk's AI company xAI exposed a private API key on GitHub for nearly two months. The key granted unauthorized access to internal, fine-tuned LLMs used by SpaceX, Tesla, and X/Twitter, including unreleased Grok models.
Starting point is 00:05:47 Discovered by security expert Philippe Caturegli and later investigated by GitGuardian, the leak stemmed from a mistakenly committed environment file. Despite early alerts, the key remained active until April 30. The exposed credentials had access to at least 60 sensitive data sets, underscoring lapses in xAI's credential management and internal monitoring. GitGuardian flagged that this kind of mistake, committing secrets to public repos, is unfortunately common. xAI has not commented publicly. The incident highlights how even top-tier tech firms can fall short on basic operational security
Starting point is 00:06:29 when secret management protocols are weak or overlooked. FortiGuard's incident response team has uncovered a prolonged cyberespionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The intrusion spanned from May 2023 to early 2025, with activity possibly dating back to 2021. Attackers used stolen VPN credentials to access the network,
Starting point is 00:06:59 deploying custom malware like HanifNet, HXLibrary, and NeoExpressRAT, and evaded segmentation using proxy tools. They also attempted to regain access post-containment via web app vulnerabilities and phishing attacks. The campaign showed a high level of sophistication, with an emphasis on persistence and stealth. No operational disruptions were confirmed, but the attackers demonstrated strong interest in OT systems. The report urges better credential hygiene, stronger segmentation, and proactive monitoring to defend against such advanced threats.
Starting point is 00:07:39 A newly advertised SS7 zero-day exploit on cybercrime forums is raising alarms about global mobile network security. Priced at $5,000, the kit allows attackers to intercept SMS messages, track phones in real time, and potentially eavesdrop on calls or bypass two-factor authentication. The exploit targets vulnerabilities in the Mobile Application Part of the SS7 protocol, spoofing legitimate network nodes to manipulate routing and location data. Despite SS7's outdated design, it still underpins many 2G and 3G telecom systems worldwide, used by about 30% of mobile connections. While newer networks offer stronger security,
Starting point is 00:08:27 legacy systems remain vulnerable. Experts urge telecom providers to adopt SS7 firewalls and stricter controls and recommend users move away from SMS-based authentication. This incident highlights the ongoing risks from legacy telecom infrastructure, even decades after SS7's known flaws were first exposed. A popular info-stealer and malware loader called StealC has released its second major version, now at 2.2.4. First spotted in March of this year by Zscaler, the update includes improved payload delivery,
Starting point is 00:09:08 Chrome cookie theft bypasses, RC4 encryption, and real-time alerts via Telegram. It also adds a new admin panel and support for 64-bit systems. Notably, anti-VM checks were removed, possibly due to a major code overhaul. StealC remains actively used in attacks, often delivered via malware loaders like Amadey. Microsoft is advancing its commitment to a passwordless future by making passkeys the default sign-in method for all new Microsoft accounts. This shift aligns with the industry's move toward more secure and user-friendly authentication methods. Passkeys utilize device-based biometric or PIN authentication, eliminating the
Starting point is 00:09:54 need for traditional passwords and reducing the risk of phishing attacks. Microsoft reports a 98% success rate for passkey sign-ins, significantly higher than the 32% for password-based logins. Security expert Troy Hunt emphasizes the vulnerabilities associated with traditional two-factor authentication methods such as one-time passwords, which can be susceptible to phishing. In a post titled Passkeys for Normal People, he advocates for the adoption of passkeys, highlighting their resistance to such attacks. Hunt's insights underscore the importance of transitioning to more secure authentication methods.
Starting point is 00:10:36 As major tech companies like Microsoft, Apple, and Google adopt passkeys, users are encouraged to embrace this change for enhanced security and a more streamlined login experience. Coming up after the break on our Afternoon Cyber Tea segment with Ann Johnson, Ann speaks with Christina Morillo, head of information security at the New York Giants, and Cubism meets computing: the Z80 goes full Picasso. Traditional pen testing is resource intensive, slow, and expensive, providing only a point-in-time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost24's continuous pen testing as a service solution
Starting point is 00:11:48 offers year-round protection with recurring manual penetration testing conducted by CREST-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast?
Starting point is 00:12:21 Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring.
Starting point is 00:12:50 And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Starting point is 00:13:30 Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast, and in today's segment Ann speaks with Christina Morillo, head of information security at the New York Giants.
Starting point is 00:14:10 Today I'm excited to welcome Christina Morillo, who is the head of information security at the National Football League's New York Giants. Welcome to Afternoon Cyber Tea, Christina. Thank you so much, Ann, thanks for having me. So when you think about your journey and you think about new organizations and different roles, how do you go about assessing where the team is on their cyber journey?
Starting point is 00:14:32 And what is your approach to actually taking and shaping a strategy that meets them where they are, but gets them to the place of maturity where you want them to be? So that's always a tough one. One thing that I will say is that I never walk in with a checklist. I never walk in with a checklist. I always walk in with curiosity.
Starting point is 00:14:47 One of my first moves is to listen across functions, right? I want to know how people have experienced security, if they understand security, what are corporate leaders, how they feel about security, where there are any gaps in terms of the culture as well that's super important for me. In parallel, I also assess fundamentals, right? I look at our policies, architecture, our identity, awareness, detection.
Starting point is 00:15:15 But I'm not really just looking to audit. I'm kind of looking for alignment. I'm looking to see where our security goals are in sync with business priorities, where they're not in sync. And then I build the strategy rooted in where we are, right? Not where we wish we were. So cyber is full of misconceptions, right? How do you go about helping people get
Starting point is 00:15:35 from that misconception to actually having a really mature understanding of the industry and a responsible understanding? That's such a great question. One of the biggest misconceptions that I see within cybersecurity is that it's just an IT thing. It's IT's job. It's something technical that sits off to the side.
Starting point is 00:15:55 IT will take care of it. It falls under IT and that's it. The truth, as we both know, is that it's a business risk issue, not just a technical one. So part of what I do is, you know, I work really hard to bring security into broader conversations, like with operations, with finance, even with HR, right, in terms of identity and onboarding and all of that stuff.
Starting point is 00:16:18 So that people understand how their day-to-day decisions impact the organization's risk posture. Something else that I see a lot is, oh, if we're compliant, we're secure, right? Like just check the box and that makes us secure. And that's not true. And that's something that I have to emphasize over and over again. I try to incorporate real world examples. There's so many breaches and examples nowadays. I feel like we see one every other week where companies are fully compliant and still got hit, right? Because
Starting point is 00:16:51 maybe they weren't actually secure where it mattered the most, right? Maybe there was a process failure as an example, not necessarily a technical one. So my real focus is just to make security relatable, right, across the organization. How do you think about risk when you're building a security strategy? And how do you think about compliance? And how do you get your leadership and your peers aligned around the risk and aligned around the cyber risk,
Starting point is 00:17:17 even if it isn't related to compliance? I will say that that is always a journey. It's a never ending journey. But one thing I've learned is that risk isn't always about the math, it's about the story, right? Or your ability to tell the proper story. So for me, you know, when I get pushed back, I don't really argue.
Starting point is 00:17:38 What I try to do is I try to reframe the conversation around business impact. And again, I go back to those real world scenarios. You know, I'll say something like, hey, here's how this type of risk has played out for others. Or, hey, if this happened here, what would this cost us in downtime or reputation, or how would this impact football operations, right? So I always start with that business impact
Starting point is 00:18:01 and what's at stake if the risk plays out. In terms of like revenue, reputation, operations, et cetera, I listen for pushback, of course. I tell stories around it. I give examples. I listen at scale. I try to understand where the pushback is coming from, if there's just like a lack of awareness, if there's a misconception somewhere. And then, you know, ultimately, if things start to feel a little bit subjective,
Starting point is 00:18:28 I try to turn them into decision points. You have to be flexible, you have to pivot. I think the most important thing though is to keep protecting the mission top of mind. Like whatever our mission is, right? If our mission is to win football games, if our mission is to, you know, delight our fans and our customers,
Starting point is 00:18:46 I have to keep that at the forefront. Well, let's talk about, you know, strategy is only successful if it's well adopted and if you measure it, right? And if you continually measure it and then continually get feedback, get everyone on board, going on a journey, how are you collaborating across internal departments
Starting point is 00:19:03 and with key stakeholders across the other NFL teams? And what is the key to managing those relationships? So it's amazing. I mean, I won't take credit for, like, the community that has been set up. That's, you know, credit to the NFL CISO and his information security office. They've done a great thing with bringing us all together, like the 32 clubs. So we're always on phone calls multiple times a month. We share threat intel. We meet in person a few times a year as well. At the end of the day, we all have the same shared goal, which is to protect our fans, protect our clubs,
Starting point is 00:19:39 protect the overall league. One of my favorite elements of this entire journey has been meeting other information security officers across the different teams and learning more about their strategy, their processes, and us kind of like comparing and exchanging notes. That has been a joy because it's like our own little security community.
Starting point is 00:20:02 I'm always encouraging people to share more externally so that the overall cyber community can get more of this goodness. But it's all about relationships, I think. It really, for me, has been about relationship building, making that time, not only when there are urgent moments, but just overall. You can check out the full episode of Afternoon Cyber Tea right here on the N2K Cyberwire
Starting point is 00:20:27 Network or wherever you get your favorite shows. Let's be real, navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time,
Starting point is 00:21:16 Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber. That's vanta.com slash cyber. And finally, what happens when you mash up a 19th century art icon and a retro CPU from the golden age of microcomputing? Apparently you get the RC2014 Mini II Picasso. This limited edition Z80-based single-board computer runs old-school BASIC, Forth, and
Starting point is 00:22:28 CP/M, but does so with a flair even your art teacher would admire. Think standard RC2014 guts, but laid out like Picasso himself dropped by with a soldering iron and no regard for straight lines. Resistors pirouette over each other, components are skewed like cubist portraits, and no two boards look exactly the same, thanks to a wild mix of silk-screen colors and socket styles. It's a PCB that says, I contain multitudes, and 8-bit computing nostalgia. Available via Z80Kits, this delightful mashup of silicon and surrealism is a refreshing reminder that PC boards don't have to be neat. They can be expressive, eccentric, and maybe just a bit 1990s rave chic, too.
Starting point is 00:23:38 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:24:15 N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. What's the common denominator in security incidents? Escalations and lateral movement.
Starting point is 00:25:02 When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID, and hybrid configurations. Identity leaders are reducing such risks with Attack Path Management. You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more.
Starting point is 00:25:41 SpecterOps. See your attack paths the way adversaries do.
