CyberWire Daily - Hello, hacker speaking.

Episode Date: August 5, 2025

Cisco reveals a phishing-related data breach. SonicWall warns users to disable SSLVPN services after reports of ransomware gangs exploiting a likely zero-day. Researchers uncover a stealthy Linux backdoor and new vulnerabilities in Nvidia's Triton Inference Server. A new malware campaign targets Microsoft 365 users with fake OneDrive emails. The U.S. Treasury warns of rising criminal activity involving cryptocurrency ATMs. Cloudflare accuses an AI startup of using stealthy methods to bypass restrictions on web scraping. A global infostealer campaign compromises over 4,000 victims across 62 countries. Marty Momdjian, General Manager of Ready1 by Semperis, tells us about Operation Blindspot, a tabletop exercise taking place this week at Black Hat. On this week's Threat Vector segment, host David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority. One hospital's data ends up in the snack aisle.

CyberWire Guest
We are joined by Marty Momdjian, General Manager of Ready1 by Semperis, who is talking about Operation Blindspot, a tabletop exercise simulating a cyberattack against a rural water utility based in Nevada, taking place this week at Black Hat USA 2025.

Threat Vector Segment
On this week's Threat Vector segment, host David Moulton speaks with Nigel Hedges, Executive General Manager of Cyber & Risk at Chemist Warehouse and Sigma Healthcare. Nigel shares how CISOs can shift cybersecurity from a technical problem to a business priority. You can listen to the full discussion on Threat Vector and catch new episodes every Thursday on your favorite podcast app.
Selected Reading
Cisco discloses data breach impacting Cisco.com user accounts (Bleeping Computer)
SonicWall urges admins to disable SSLVPN amid rising attacks (Bleeping Computer)
Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor (The Register)
Nvidia Triton Vulnerabilities Pose Big Risk to AI Models (SecurityWeek)
Discord CDN Link Abused to Deliver RAT Disguised as OneDrive File (Hackread)
Crypto ATMs fueling criminal activity, Treasury warns (The Record)
AI company Perplexity is sneaking to get around blocks on crawlers, Cloudflare alleges (CyberScoop)
Python-powered malware grabs 200K passwords, credit cards (The Register)
Thai hospital fined 1.2 million baht for data breach via snack bags (DataBreaches.Net)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. Cisco reveals a phishing-related data breach.
Starting point is 00:00:58 SonicWall warns users to disable SSL VPN services after reports of ransomware gangs exploiting a likely zero-day. Researchers uncover a stealthy Linux backdoor and new vulnerabilities in NVIDIA's Triton inference server. A new malware campaign targets Microsoft 365 users with fake OneDrive emails. The U.S. Treasury warns of rising criminal activity involving cryptocurrency ATMs. Cloudflare accuses an AI startup of using stealthy methods
Starting point is 00:01:27 to bypass restrictions on web scraping. A global infostealer campaign compromises over 4,000 victims across 62 countries. Marty Momdjian, general manager of Ready1 by Semperis, joins us to talk about Operation Blindspot, a tabletop exercise taking place this week at Black Hat. On this week's Threat Vector segment, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority.
Starting point is 00:01:56 And one hospital's data ends up in the snack aisle. It's Tuesday, August 5, 2025. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. It's great to have you with us. Cisco has revealed that attackers stole user profile data from Cisco.com via a voice phishing scam targeting an employee. The breach, discovered on July 24th, involved unauthorized access to a third-party cloud CRM system. Exposed data includes names, organization details,
Starting point is 00:02:56 contact info, Cisco user IDs, and account metadata. Cisco emphasized that no passwords, sensitive data, or proprietary information were taken, and its products and services remain unaffected. The compromised CRM instance was promptly shut down and an investigation began. Cisco has notified regulators and affected users where required. To prevent future incidents,
Starting point is 00:03:22 the company says they're enhancing security and retraining staff on phishing threats. Cisco has not disclosed the number of affected users or whether a ransom demand was made. SonicWall is warning users to disable SSL VPN services after reports of ransomware gangs exploiting a likely zero-day flaw in Gen 7 firewalls. Since mid-July, Arctic Wolf Labs and Huntress have observed Akira ransomware attacks that may bypass MFA and target domain controllers within hours. While a zero-day is suspected, other methods like brute force or credential stuffing haven't been ruled out. SonicWall confirmed it's investigating and urged users to disable
Starting point is 00:04:08 SSLVPN, restrict access by IP, enable botnet and geo-IP filters, enforce MFA, and remove unused accounts. The company also recently advised patching SMA 100 appliances against a critical RCE flaw, which, while not yet exploited, is being targeted in attacks using stolen credentials to deploy OVERSTEP malware. Researchers at Nextron Threat have uncovered a stealthy Linux backdoor dubbed Plague. It's embedded as a malicious pluggable authentication module, giving attackers persistent SSH access while bypassing system authentication. The malware deeply integrates into Linux systems, survives updates, erases traces like SSH logs and shell histories,
Starting point is 00:05:00 and uses obfuscation techniques to avoid detection. It even masquerades under a legitimate library name and includes hard-coded passwords for easy re-entry. Worryingly, no antivirus engines flagged the malware when samples were uploaded to VirusTotal in 2024. Nextron isn't sure how it's being deployed, but the potential risk is high due to its ability to hijack authentication. So far, there's no evidence it's been found in the wild, but experts warn it poses a serious threat to Linux systems. Elsewhere, researchers at Wiz have uncovered new vulnerabilities in NVIDIA's Triton inference server, saying they could pose a serious risk to AI systems. Three flaws affect the Python back end
Starting point is 00:05:48 and could allow remote attackers to gain full server control. Two are high severity, enabling code execution and data exposure. The third is medium severity. The attack chain starts with a minor info leak and escalates to full compromise,
Starting point is 00:06:06 risking theft of AI models and sensitive data. Nvidia has patched the flaws and Wiz has published technical details. Sublime Security has uncovered a new malware campaign targeting Microsoft 365 users with fake OneDrive emails. The attack begins with a message from a compromised account posing as a OneDrive file share. It includes a deceptive link that appears to lead to a Word document but instead downloads a malicious installer hosted on Discord CDN. When clicked, it installs two remote monitoring tools, Atera and Splashtop Streamer, alongside .NET Runtime 8, giving attackers full remote access.
Starting point is 00:06:53 These tools, often used by IT admins, appear legitimate and bypass typical security checks. The dual installation ensures persistent control even if one tool is detected. This sophisticated multi-stage threat highlights the need for caution with unexpected emails and file types, always verify file extensions, and be wary of unusual download sources. The U.S. Treasury's Financial Crimes Enforcement Network, FinCEN, is warning financial institutions about rising criminal activity involving cryptocurrency ATMs, also known as convertible virtual currency kiosks. These machines, often found in places like gas stations, allow users to buy crypto with cash and are increasingly exploited for scams and money laundering.
Starting point is 00:07:46 Many operators fail to comply with anti-money laundering rules or register as required. In 2023, the FBI received nearly 11,000 complaints involving these kiosks, totaling $246 million in victim losses. Criminals often target vulnerable groups, especially seniors, using fake tech support scams. FinCEN urges operators and banks to watch for suspicious behavior like repeated sub-threshold transactions or first-time users making large deposits. Legislative efforts are underway to tighten oversight, including a bill requiring kiosk registration, transaction tracing, and consumer protections.
Starting point is 00:08:32 Cloudflare has accused AI startup Perplexity of using stealthy methods to bypass website restrictions on web scraping. In a blog post, Cloudflare said Perplexity ignored directives in robots.txt files, which tell bots what content they can access. After receiving complaints, Cloudflare blocked Perplexity's bots and removed them from its list of verified crawlers. The move follows Cloudflare's recent policy giving customers the option to block or charge AI scrapers. Perplexity denies the claims, calling Cloudflare's post a sales pitch and disputing the bot identification.
Starting point is 00:09:15 The incident adds to Perplexity's growing controversy, including threats of legal action from the BBC over alleged unauthorized content use. A global infostealer campaign has compromised over 4,000 victims across 62 countries, stealing more than 200,000 passwords, hundreds of credit card numbers, and 4 million browser cookies. According to SentinelLabs and Beazley Security, the attacks are tied to Vietnamese-speaking actors using the Python-based PXA Stealer, with data sold on Telegram-based markets like Sherlock. The malware uses signed software like Haihaisoft PDF Reader and Microsoft Word 2013 to side-load malicious DLLs and evade detection. Campaigns in April and July of this year
Starting point is 00:10:09 revealed increasingly sophisticated tactics, including decoy documents and multi-stage infections. PXA Stealer targets over 40 browsers and crypto wallet extensions, exfiltrating data via Telegram. The stolen information grants access to victims' bank accounts, crypto apps, VPNs, and more, fueling a thriving underground market for digital identity theft. Coming up after the break, my conversation with Marty Momdjian, general manager of Ready1 by Semperis, telling us about Operation Blindspot, a tabletop exercise taking place this week at Black Hat, and on this week's Threat Vector, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business
Starting point is 00:11:04 priority, and one hospital's data ends up in the snack aisle. Stick around. New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work. How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong. Join me, David Moulton, Senior Director of Thought Leadership for Unit 42 at Palo Alto Networks
Starting point is 00:11:47 and our guests who live this work every day. We're not just talking about some encryption and paying multimillion dollar ransom. We're talking about fundamentally being unable to operate. Automated eradication and containment. So being able to very, very rapidly ID what's going on in an environment and contain that immediately. They're hiding in plain sight. So if you're looking to sharpen your strategy and stay ahead of what's next,
Starting point is 00:12:17 tune in and listen to Threat Vector, your front line for security insights. by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com
Starting point is 00:13:05 slash machines to see how. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while
Starting point is 00:13:42 actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number.
Starting point is 00:14:22 So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit Vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A-com slash cyber. Marty Momdjian is general manager of Ready1 by Semperis. I caught up with him to find out more about Operation Blindspot,
Starting point is 00:15:07 a tabletop exercise taking place this week at Black Hat. Yeah, so something we do yearly is a community tabletop exercise and a simulation, that we get just a bunch of members of the cyber community together, local law enforcement, sometimes we have the FBI attend as well, and just cyber law enforcement, and we pretty much get everybody to get in your room and do a tabletop exercise that's generally open to the media,
Starting point is 00:15:36 and our focus is based around what is really currently happening out there in the cyber industry, right? What are the high-value targets? Critical infrastructure, health care, gas and oil, airlines. This year we're focusing on critical infrastructure, the water treatment facility.
Starting point is 00:15:54 Well, let's dig into that. I mean, what made you have a water treatment facility be the subject of this year's exercise? Um, there were a few incidents that occurred late last year and early this year, some made it to the media and some did not, of just state nation-sponsored adversaries targeting critical infrastructure in the United States, right, and in Europe and certain parts of the world. And we decided, you know, instead of doing that traditional tabletop exercise, let's do something that would actually have direct impact to the public from what we know is going on out there. So for someone who's going to attend, what can they expect to see? Generally, we try to make it a little bit of fun and a little bit serious at the same time.
Starting point is 00:16:41 What we do is step through cyber incident response framework and crisis management framework. We will assign the teams, randomly assign certain individuals to certain teams, and go through about a two-hour tabletop exercise that we take turns on the red team and blue team and stepping through an actual incident that has occurred in the past, but also reproducing it with the attendees. So my understanding is this year
Starting point is 00:17:08 you've got, I guess a bit of a cyber celebrity is fair to label your special guest this year? Yes, we got Marcus. Go on. one of probably the best known cyber security practitioners out there and researchers. Marcus Hutchins. Yep, Marcus Hutchins, one of my favorites. So I would say to me is more than a celebrity, right?
Starting point is 00:17:34 Knowing somebody like him in the industry who's an actual hands-on practitioner, not just somebody who speaks about it, but he actually practices true red teaming in the industry and shares his wealth of knowledge. So we're going to have him in attendance as well. more than likely signed to the red team because that's what Marcus is good at, of course. Is there an educational component to this as well?
Starting point is 00:17:56 I mean, is this something that someone who's looking to learn more about these sorts of tabletop exercises, would they be able to get something out of it? Yeah, yeah, absolutely. One thing that we do is we try to stay away from the theoretical. So there's a lot of tabletops that occur that's kind of make-believe theoretical, what if this happens, what if that happens?
Starting point is 00:18:15 And we do our due diligence that we actually step through, you know, de-identified and not sharing any personal information or identifiable information whatsoever about the incident, but actually stepping through the real-time tactics of threat actors and adversaries for these incidents and the real-time tactics that good guys, the blue team would use, right? So we try to make it a mix of consultative approach, plus very, very tactical when it comes to the red and blue team as well to make everybody, you know, participate as much as they can. and absorb as much knowledge as they can for us as well. And we try to have it be as engagedful as possible. What do you hope that people get out of this? What do you hope they walk away with? Mainly awareness. And the attendees are a mix of different industries.
Starting point is 00:19:01 So we have attendees from all different types of industries from around the world. What I generally look to get out of it and the attendees is learning from each other, right? What are different organizations doing, different industries doing in terms of handling cyber threats that are all? and how they really put their incident response plans together because there's a lot that we can learn from each other. That's Marty Momdjian, general manager of Ready1 by Semperis. On this week's Threat Vector segment, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority.
Starting point is 00:19:52 Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. Right now, we're facing a perfect storm of sophisticated attacks. Chinese state actors exploiting SharePoint flaws to deploy ransomware, with over 4,600 compromise attempts affecting more than 300 organizations worldwide, new Shade BIOS techniques that run malware in places where no security software can reach, and AI-generated malicious packages that are stealing cryptocurrency from thousands of users. CISOs need more than technical expertise. They need to be storytellers who can translate these complex threats into language that boards understand and act upon.
Starting point is 00:20:38 What you're about to hear is a snapshot from my conversation with Nigel Hedges, Executive General Manager of Cyber and Risk at Chemist Warehouse, about this challenge. If you like this short segment, you'll love the full episode. The link is in the show notes. Nigel Hedges, welcome to Threat Vector. I am so excited to have you here today. Let's do it, yeah. You've held CISO roles at major Australian enterprises.
Starting point is 00:21:09 What does it take to elevate cybersecurity from just an IT issue to a business issue in these types of environments? Yeah, it's a good question because I have more and more described cyber to anyone who will listen that it's not a technology risk. It's a technology-enabled business risk, just like any other business risk. So as a start, is that conversation. But I typically try to address it in my first 100 days of any new role, which is making a conscious effort to spend equal time and trying to understand the environment and the cyber risks that are inheriting, as well as going and meeting with key stakeholders from the business units.
Starting point is 00:21:59 And that way, having the dialogue, explaining the philosophy around my approach to cyber, you know, with the GMs of marketing, sales, supply chain, whatever it might be, but actually just starting with a question of how can I help you. And so that's the way that I try to elevate cybersecurity is by, you know, getting in there and right from the get-go, appearing like somebody who wants to help in their domain.
Starting point is 00:22:29 So Nigel, you've worked across retail, higher ed, professional services, a lot of different domains. How do the conversations around cyber risks shift across these sectors at the executive level? Yeah, so I think that at the executive level, for me, at least in my experience, that it hasn't been as different as one might think. The industry is different, different complexities, of course. But I've found the types of concerns and questions are the same. I think the only difference I would probably point to is culture.
Starting point is 00:23:05 And take retail, for example, it's high stakes, quick to market, trying to get things done really quickly. So therefore, your approach to inserting cyber into those conversations and the exact level needs to be done in a certain way. With professional services, high education, there's a little bit more regulation. and compliance in there. So there's a little bit of a slow down to speed up type of thing.
Starting point is 00:23:35 And so again, that's kind of just going with the flow with what are the carrots and the sticks that you have available to work with the executives. I like the idea that there are unifying documents out that help coach an important group like your board on how to have a conversation with you. And I think maybe it helps. understand the types of questions you should answer. And I suppose when I say you, not just
Starting point is 00:24:04 you specifically, but security leaders in general, I'm curious, though, when you're preparing for those board level presentations, how do you decide what to include and what to leave out? Yeah, so for me, I always tried to go in with that materiality perspective again. So I am thinking about the types of incidents that have occurred possibly in that period. I'm looking at things that have happened in the market that are of interest and I will put them into my presentation and sometimes going into a very busy audit risk committee type of environment. You're going to think that they're probably going to be spending about four hours together talking about all sorts of things. So I try to think of it like I've got 10 minutes to talk and in fact
Starting point is 00:24:55 out of that 10 minutes, I've got five minutes to talk and five minutes for questions. The reality is, even with that perspective, I've typically gone into audit risk committee and come out 45 minutes later or longer. But I've basically tried to apply that approach because when I look at my material, I suddenly say to myself that there's no way I can cover these eight or nine things in five minutes. So what should I cut out? You have to just be brutal and go back to that materiality sort of thing. They've got a fiduciary duty of care at the board level, especially, to
Starting point is 00:25:30 protect their organization and the organization's interests. So what connects to that? And that's helped me. And on Nigel, talk to me about your experience. What are the keys of making cybersecurity spending a priority in annual budgets? Yeah, so that is a good one. And I think it goes back to starting in the first 100 days. So I typically will look at the annual reports and I will try to connect business strategy and typically technology strategy, but definitely business strategy, and connect that back to cyber priorities. So if I find that I'm proposing something that really doesn't very clearly,
Starting point is 00:26:21 resonate with a business strategy and how it's supporting that, and there's probably something that I can't prioritize. It might be still something I'd do in BAU or enhancement, but it'll probably be best effort. So I'll put things in that map to the business strategy. That's something I kind of learned from the Sherwood Applied Business Security Architecture, or SABSA. You know, when I first made the transition out of sales engineering, I went into a security engineering role and SABSA was really helpful in connecting what we do from a security perspective to the business, and that stuck with me. And then if that's clearly in there, then there's some of that kind of high mind perspective like, are we spending 10% of technology
Starting point is 00:27:08 budgets versus everything else that we spend on? So out of the technology budget, are we spending 10% on cyber, there's just some of the sort of statistics you might pull from industry research like Gartner, and then from there kind of just map out plus or minus how that stacks up to current spend in available resources, because we're all dealing with scarcity of resources. So you can only do what you can do, and the best thing you can actually present is that with this spend, I will not be able to do this. And then when you do that, what I found is sometimes folks in the board and the executives will say, well, I'm not actually really prepared to accept that. I actually want to do that thing over there. You said you can't do. Well, thanks,
Starting point is 00:28:01 sir and madam, but that's going to cost a little extra. And this is what will be. So if this is what you want me to deliver, this is what we have to do. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Speaking Security and Board Language, and it's live now. You don't want to miss Nigel's game-changing approach to making cybersecurity a business conversation when it matters most. And be sure to check out the complete episode of Threat Vector, wherever you get your favorite podcasts.
Starting point is 00:29:02 And finally, in a breach of both privacy and packaging standards, a major Thai hospital has been fined about $37,000. after patients' medical records were found moonlighting as snack bags. The saga began when sharp-eyed social media users noticed their chips came wrapped with x-rays and lab results, a snack and a health check in one. Turns out the hospital had outsourced document destruction to a small family-run business
Starting point is 00:29:34 that thought recycling meant reusing, literally. Over 1,000 records, including sensitive personal data, skipped the shredder and instead entered snack circulation. The contractor took the files home, skipped protocol, and never mentioned the paper trail. While the hospital received the brunt of the fine, the mom-and-pop operation was hit with a modest $500 bill and possibly a crash course in data privacy. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:30:27 We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August this year. There's a link in the show notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth,
Starting point is 00:30:41 Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kielby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Thank you.
