CyberWire Daily - Inside Intel’s internal web maze.

Episode Date: August 19, 2025

A researcher uncovers vulnerabilities across Intel’s internal websites that exposed sensitive employee and supplier data. The Kimsuky group (APT43) targets South Korean diplomatic missions. A new DDoS vulnerability bypasses the 2023 “Rapid Reset” fix. Drug development firm Inotiv reports a ransomware attack to the SEC. The UK drops their demand that Apple provide access to encrypted iCloud accounts. Hackers disguise the PipeMagic backdoor as a fake ChatGPT desktop app. The source code for a powerful Android banking trojan was leaked online. A Nebraska man is sentenced to prison for defrauding cloud providers to mine nearly $1 million in cryptocurrency. On this week’s Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bayle for a no holds barred look at context switching in the SOC. A UK police force fails to call for backup.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector
Security analysts are drowning in tools, alerts, and tabs. On today's Threat Vector segment from Palo Alto Networks, we offer a snapshot from host David Moulton's conversation with Liz Pinder and Patrick Bayle. Together they take a no holds barred look at context switching in the SOC, what it costs, why it's getting worse, and how smarter design can fix it. You can listen to David, Patrick, and Liz's conversation here. It’s a must-listen for anyone building or managing a modern SOC. New episodes of Threat Vector drop each Thursday on the N2K CyberWire network and in your favorite podcast app.
Selected Reading
Intel data breach: employee data could be accessed via API (Techzine Global)
North Korean Kimsuky Hackers Use GitHub to Target Foreign Embassies with XenoRAT Malware (GB Hackers)
Internet-wide Vulnerability Enables Giant DDoS Attacks (Dark Reading)
Drug development company Inotiv reports ransomware attack to SEC (The Record)
UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims (The Record)
Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft (The Record)
ERMAC Android malware source code leak exposes banking trojan infrastructure (Bleeping Computer)
Nebraska man gets 1 year in prison for $3.5M cryptojacking scheme (Bleeping Computer)
South Yorkshire Police Deletes 96,000 Pieces of Digital Evidence (Infosecurity Magazine)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Starting point is 00:00:51 Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at CS.com. jhu.edu slash ms.i. A researcher uncovers vulnerabilities across Intel's internal websites that exposed sensitive employee and supplier data. The Kimsuky Group targets South Korean diplomatic missions. A new DDoS vulnerability bypasses the 2023 Rapid Reset fix. Drug development firm Inotiv reports a ransomware attack to the SEC. The UK drops their demand that Apple provide access to encrypted iCloud accounts.
Starting point is 00:01:47 Hackers disguise the PipeMagic backdoor as a fake ChatGPT desktop app. The source code for a powerful Android banking Trojan is leaked online. A Nebraska man is sentenced to prison for defrauding cloud providers to mine nearly $1 million in cryptocurrency. On this week's Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bayle for a no-holds-barred look at context switching in the SOC, and a UK police force fails to call for backup. It's Tuesday.
Starting point is 00:02:28 August 19th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Security researcher Eaton Zveare uncovered four major vulnerabilities across Intel's internal websites that exposed sensitive employee and supplier data.
Starting point is 00:03:02 First, Intel's business card ordering site allowed login bypass, enabling access to a global employee database of over 270,000 records. Second, the hierarchy management site stored weakly encrypted hard-coded credentials, allowing attackers to decrypt passwords, impersonate admins, and access employee and product data. Third, the product onboarding portal leaked multiple hard-coded credentials, including GitHub tokens, which could have allowed rogue product uploads. Finally, Intel's SIM supplier site had broken authentication checks, letting attackers enumerate
Starting point is 00:03:44 employees and access confidential supplier agreements. While Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities, leaving the researcher unrewarded despite reporting critical issues. Elsewhere, researchers at Trellix have exposed a North Korea-linked espionage campaign by the Kimsuky Group, also known as APT43, targeting South Korean diplomatic missions between March and July. At least 19 spear-phishing emails impersonated trusted contacts using password-protected zip files hosted on Dropbox and Daum. The lures mimicked real events, such as EU meetings and U.S. Independence Day celebrations.
Starting point is 00:04:33 Once opened, malicious LNK files launched obfuscated PowerShell scripts that pulled Base64-encoded payloads from GitHub, where attackers maintained private repositories for command and control. Victims ultimately received XenoRAT, a remote-access Trojan, enabling full system control, data theft, and surveillance. Infrastructure analysis linked operations to the DPRK, but noted Chinese holiday pauses, suggesting activity from China. The campaign maps to MITRE ATT&CK techniques,
Starting point is 00:05:09 remains ongoing, and underscores the need for stronger diplomatic network defenses. Researchers from Tel Aviv University have uncovered MadeYouReset, a new DDoS vulnerability in the HTTP/2 protocol that bypasses the 2023 Rapid Reset fix. Like Rapid Reset, it abuses HTTP/2's concurrent stream design to overwhelm servers, but instead of clients canceling requests, attackers send invalid control frames that force the server to cancel streams on their behalf.
Starting point is 00:05:47 This allows attackers to repeatedly trigger back-end work, mimicking Rapid Reset's devastating effect. The flaw could impact up to one-third of websites worldwide. Severity varies across implementations; while many vendors had already hardened systems after Rapid Reset, others only patched recently. Mitigation is complex, requiring stricter stream cancellation handling or back-end limits, but inconsistent vendor responsibility leaves risks unresolved. Indiana-based drug development firm Inotiv reported a ransomware attack to the SEC after discovering the incident on August 8th. Threat actors encrypted key systems,
Starting point is 00:06:33 forcing shutdowns that disrupted internal data storage, business applications, and overall operations. The company is relying on offline alternatives while working to restore systems, with no timeline yet for recovery. Law enforcement was notified, though no group has claimed responsibility. Inotiv, which earned $375 million in the first three quarters of 2025, said financial impacts remain uncertain. The U.K. has reportedly dropped a demand requiring Apple to provide access to encrypted iCloud accounts, according to U.S. Director of National Intelligence Tulsi Gabbard. The order, known as a technical capability notice, was criticized as a backdoor into user data, though the British government disputes that characterization. Apple had
Starting point is 00:07:27 disabled Advanced Data Protection for UK users in 2023 to comply, since the feature made certain iCloud data accessible only from user devices. Apple is challenging the order at the Investigatory Powers Tribunal with support from civil society groups. The UK government emphasized safeguards under existing U.S.-UK data sharing agreements, stressing that neither nation can target the other's citizens, while reaffirming its commitment to balancing security with privacy protections. Microsoft has warned that hackers are disguising the PipeMagic backdoor as a fake ChatGPT desktop app to prepare ransomware attacks.
Starting point is 00:08:12 Attributed to threat group Storm-2460, the malware exploits a Windows zero-day in the Common Log File System driver to gain persistence and escalate privileges before deploying ransomware. PipeMagic has been observed targeting IT, financial, and real estate sectors worldwide. First seen in 2022,
Starting point is 00:08:34 the malware resurfaced in 2024. Victims see only a blank screen, while attackers gain remote access and data theft capabilities. Researchers from Hunt.io have discovered that the source code for ERMAC version 3.0, a powerful Android banking Trojan, was leaked online in March 2024 via an exposed archive. The leak contained the Trojan's back-end, front-end panel, exfiltration server, builder, and obfuscator. ERMAC 3.0 expanded targeting from 467 apps in version 2 to over 700 financial, shopping, and crypto apps, while adding stronger encryption, upgraded form injection techniques, fake push notifications, device control, and remote uninstallation.
Starting point is 00:09:28 Hunt.io also uncovered live infrastructure tied to the operation, including command and control servers with weak security, such as hard-coded tokens and default credentials. While the leak undermines ERMAC's malware-as-a-service credibility, it may enable defenders to improve detection, but also risks new, harder-to-detect variants emerging. Nebraska man Charles O. Parks III, also known as CP3O, was sentenced to one year in prison for defrauding cloud providers of nearly $3.5 million to mine nearly one million dollars in cryptocurrency. Between January and August 2021, he used aliases and shell companies to access massive computing power from providers believed to be Microsoft and Amazon without paying.
Starting point is 00:10:23 Parks laundered proceeds through crypto exchanges, banks, and even an NFT marketplace, funding luxury purchases. Prosecutors said he falsely branded himself a crypto influencer and innovator. Coming up after the break on this week's Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bayle about context switching in the SOC. And a UK police force fails to call for backup. Stay with us. We've all been there.
Starting point is 00:11:15 You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's sponsored jobs helps you stand out and hire fast. Your post jumps to the top of search results,
Starting point is 00:11:37 so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results.
Starting point is 00:12:06 How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com slash Cyberwire. Just go to Indeed.com slash Cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash Cyberwire.
Starting point is 00:12:41 Terms and conditions apply. Hiring? Indeed is all you need. CISOs and CIOs know machine identities now outnumber humans by more than 80 to one. And without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure
Starting point is 00:13:12 every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com slash machines to see how. On this week's Threat Vector segment, Palo Alto's David Moulton speaks with Liz Pinder and Patrick Bayle about context switching in the SOC. Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot of my conversation with Liz Pinder, Cortex Systems Engineer Specialist, and Patrick Bayle, SecOps Consulting Manager at Palo Alto Networks.
Starting point is 00:14:13 Together, we take a no-holds-barred look at context switching in the SOC, what it costs, why it's getting worse, and how smarter design can fix it. Listen to the full episode now in your Threat Vector feed. So when we were talking about putting this podcast together, we were talking about this idea of context switching. And I ran across this HBR article that talked about workers switching apps something like a thousand plus times a day. It seems kind of wild, but then you start to observe your own patterns and you realize, yeah, you're moving back and forth in between, you know, desktop applications and web apps through your browser, and, you know, your browsers and your tabs get to the point where you can't even read the tabs anymore.
Starting point is 00:15:03 There's so many there, and each one is a different action or a different capability. And I imagine in the SOC that that kind of context switching shows up and that it's really costly. Can you talk about what the cost of that disruption and or the inability to focus because of all those tools looks like, Liz? Yeah, definitely. I mean, when we talk about the impact of that actual screen switching, I feel like there's kind of two overall issues that happen. There's kind of the issues on the analyst side, so what I definitely experienced. And then we see issues as well on that visibility and detection side. And just kind of to talk more about the analyst side, because it's obviously
Starting point is 00:15:50 like my personal experience. But I kind of like to think about, I don't know if you've heard of the article by Paul Graham, which talks about kind of maker and manager time. So it's quite an old piece of research, quite a few years ago now, but essentially it goes through that maker time is something where you have long uninterrupted blocks to actually build and create something, whereas manager time is kind of split into meetings, check-ins, quick decisions. And it's really that kind of maker time that you can directly associate with an analyst. You need to have that time for deep thinking with no interruptions,
Starting point is 00:16:34 especially when you are going through an incident, when you're triaging. And of course, if you, I mean, just thinking back to my experience, if you're having to continuously collect data for an alert, an alert comes in and I'm going to have to go to different sources to collect this data, either through logging in to a firewall platform or kind of going and querying logs in my SIEM solution, or even contacting someone, like contacting the owner of this kind of misconfigured S3 bucket, for example. All of that time adds up on its own, but it's also that kind of mental overhead that you have, like that's not really kind of thought of. If, you know, if someone interrupts you and you're kind of in the zone and then you get a Slack message coming, or you have a
Starting point is 00:17:29 meeting put in as you're doing, you know, this task that requires that deep thinking, for me personally it takes me, like, a good, you know, 30 minutes to actually get back in to the task that I was, you know, originally presented with. So, you know, imagine that constantly when you are just triaging alone and how much time that adds to actually resolving that alert. You know, that's, you know, a lot of the reason why we have such long mean time to respond is because of that jumping across different tools and gathering all of that information. Let's talk about alert fatigue. When analysts jump from tool to tool and alert to alert, how do we ensure that they can stay
Starting point is 00:18:16 focused on what matters? So, yes, when we speak to SOCs, and we say, what would you like to automate? And it's an intentionally provocative question. We normally get two answers. Everything, or we don't know. And that's, you know, I'm not sure which one's, which one's scarier, to be honest. But it's probably we don't know. Because if we're talking about alert fatigue, they should know the type of alert that is causing them to be fatigued.
Starting point is 00:18:47 or alerts. So really, like, when we're talking to SOCs, don't pick that one horrible task on that horrible system that you don't like doing that you have to do once every six months or every year. Do the things that you do little and often. If you can shave off 30 seconds here,
Starting point is 00:19:06 a minute here, and you do that numerous times a day, week, month, then there's your return on investment on your SOC and there's automation being key for you. And there's your reduction on burning out because you're not doing the same thing over and over again. And that's the stuff that drove me up the wall, repeating those mundane tasks.
Starting point is 00:19:25 And also thinking about it from the risk perspective again, that's the stuff that people in the SOC would forget to do or intentionally not do because they have a bias to know what the result is. So they assume it's benign or they assume it's malicious and they'll just quickly try and close an incident down. That's the wrong behaviour. That introduces risk, which we... The SOC is there to avoid, right?
Starting point is 00:19:48 Or reduce the risk, sorry. It's all about giving them something interesting to look at, right? Because we talk about, you know, how do we not interrupt that flow? And first of all, we can go by automation. So not just automation in terms of, you know, all the way to resolution, all the way to, let's block this straight away. Really simply, we can utilize automation to enrich an alert. So instead of me having to go to my various open source intelligence tools to look up this one IP address,
Starting point is 00:20:24 I can have all that information provided to me straight away. So I can just make that informed decision, or analysts can make that informed decision, to then isolate that machine or close that alert down. So it's really that low-hanging fruit, almost, that helps combat that alert fatigue. Liz, you've designed playbooks, and that's what we tend to call these pre-flight checklists and some of the automations in security, a playbook or a workflow, with a lot of customers. What mistakes do you see teams make that actually increase their context switching during incident responses? Yeah, so something that was probably most common, and I think Patrick will agree, is you can't automate, you know, without having that process out in the first place, right? So quite often, you know, customers come to us or,
Starting point is 00:21:23 you know, I'm building a playbook and that process either doesn't exist in the first place or it's a bad process, you know? So, for example, we had a customer that wanted to simply just reset a password and remove them from AD if there was, like, an insider threat. So they didn't have the proper process written down. So it was really difficult to kind of then automate it. They didn't think about, you know, what if this, what if this person was a VIP user? Do you want to, like, change the password of a C-Serve, for example, you know? So things like that, if you put a bad process into automation, you know, and create a playbook out of a bad process, you're going to have a bad playbook. So really you need to think about that process
Starting point is 00:22:17 and go through it beforehand, before, you know, you think about automation. It's not all or nothing. And I think there is that fear of, well, we want to automate. We want to automate fully, but we don't trust it. But you can and should implement guardrails for, you know, break-glass situations, like, essentially, you know, putting yourself at risk of losing your job by resetting someone's password who's in the exact position that you shouldn't. But you could argue as well that they're probably the people who would likely be targeted. And let's test it. Keep testing it.
Starting point is 00:22:48 It's not a set-and-forget type thing. You know, it's an iterative process that you want to test and refine, unless it's not, you know, the high-fidelity, 100% accurate things that I said, like, who is user, what is IP, what is machine, what is CV, all those things. These aren't just tech problems. They're human performance issues with real security outcomes. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Designing Human-centered Security Operations and it's live. Be sure to check out the complete episode
Starting point is 00:23:40 of Threat Vector wherever you get your favorite podcasts. And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files,
Starting point is 00:24:09 registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. Whether you own a bustling hair salon, a painting company that just landed a big job, or the hottest new bakery in town, you need business insurance that can keep up with your evolving needs. With flexible coverage options from TD Insurance, you only pay for what you need. Get a quote in minutes from TD Insurance today.
Starting point is 00:24:50 TD, ready for you. And finally, the South Yorkshire Police has earned itself a polite scolding from the UK's data watchdog, after it somehow managed to delete 96,000 pieces of body cam evidence, a feat of digital spring cleaning nobody asked for. According to the Information Commissioner's Office, the trouble began after an IT upgrade in May 2023 left the force's digital evidence management system groaning under the weight of video files. Footage was temporarily stored on a local disk until July 26th,
Starting point is 00:25:33 when a third-party transfer to a new storage grid turned into a large-scale vanishing act. South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds. Although much of the footage had already been copied elsewhere, the force can't say how much was lost forever, thanks to years of poor record-keeping and unresolved backup issues. Unfortunately, when the files went missing,
Starting point is 00:26:01 the IT team couldn't radio for backup. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive
Starting point is 00:26:51 producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
