CyberWire Daily - Iran’s digital threat after U.S. strikes.

Episode Date: June 24, 2025

Cybersecurity warnings about possible Iranian retaliation have surged. A potential act of sabotage disrupts the NATO Summit in The Hague. Canadian cybersecurity officials discover Salt Typhoon breached a major telecom provider. The U.S. House bans WhatsApp from all government devices. APT28 uses Signal chats in phishing campaigns targeting Ukrainian government entities. A China-linked APT has built a covert network of over 1,000 compromised devices for long-term espionage. FileFix is a new variant of the well-known ClickFix method. SparkKitty targets Android and iOS users for image theft. Scammers steal $4 million from Coinbase users by posing as support staff. On today's Threat Vector, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, to discuss the fine line between thought leadership and echo chambers in the industry. War Thunder gamers just can't resist state secrets.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

In this segment of Threat Vector, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, entrepreneur, and cybersecurity marketing expert, to discuss the fine line between thought leadership and echo chambers in the industry. You can hear David and Tyler's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app.
Selected Reading

Warnings Ratchet Over Iranian Cyberattack (BankInfoSecurity)
NATO Summit in The Hague hit by potential sabotage as rail cables set on fire (The Record)
Canada says Salt Typhoon hacked telecom firm via Cisco flaw (BleepingComputer)
Scoop: WhatsApp banned on House staffers' devices (Axios)
APT28 hackers use Signal chats to launch new malware attacks on Ukraine (BleepingComputer)
Chinese APT Hacking Routers to Build Espionage Infrastructure (SecurityWeek)
FileFix - A ClickFix Alternative (mr.d0x)
Photo-Stealing Spyware Sneaks Into Apple App Store, Google Play (SecurityWeek)
Hackers Impersonate Coinbase User Support To Scam Victims of $4,000,000 Before Blowing Most of Money on Gambling: ZachXBT (The Daily Hodl)
Reset the clock! War Thunder fan posts restricted Harrier data to game forum (Cyber Daily)

Audience Survey

Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteme.com slash n2k and use promo code n2k at checkout. That's joindeleteme.com slash n2k, code n2k. Cybersecurity warnings about possible Iranian retaliation have surged. A potential act of sabotage disrupts the NATO summit in The Hague. Canadian cybersecurity officials discover Salt Typhoon breached a major telecom provider. A Chinese-linked APT has built a covert network of over 1,000 compromised devices for long-term espionage. FileFix is a new variant of the well-known ClickFix method. SparkKitty targets Android and iOS users for image theft. Scammers steal $4 million from Coinbase users by posing as support staff. On today's Threat Vector, host David Moulton sits down with Tyler Shields,
Starting point is 00:02:23 principal analyst at ESG, to discuss the fine line between thought leadership and echo chambers in the industry. And War Thunder gamers just can't resist state secrets. It's Tuesday, June 24, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Following the U.S. bombing of Iranian nuclear sites on Saturday, cybersecurity warnings about possible Iranian retaliation have surged. Iran responded with a largely symbolic missile attack on U.S. forces in Qatar, but experts
Starting point is 00:03:20 caution that digital retaliation is still likely. The Department of Homeland Security warned of possible cyber attacks and violence, while former CISA head Jen Easterly urged critical infrastructure operators to secure their systems. Though Iranian cyber capabilities are considered second-tier, they can be disruptive, using tactics like social engineering and custom malware, including tools targeting US fuel systems. Activist groups aligned with Iran have already ramped up online propaganda and made questionable claims of cyber attacks.
Starting point is 00:03:56 Experts note that much of Iran's cyber response may be psychological warfare, but real threats remain, particularly if Iran deploys destructive malware like past wiper attacks. The current threat is as much about perception as it is about real cyber damage. A potential act of sabotage disrupted the NATO summit in The Hague after a fire damaged nearly 30 railway cables, halting train service between Amsterdam and The Hague. The blaze, early Tuesday, severely impacted transport just as over 45 world leaders were
Starting point is 00:04:33 arriving. Dutch Justice Minister David van Weel suggested sabotage, though the source remains unclear. Around 27,000 police and military personnel were deployed for what authorities called the largest security operation in Dutch history. Pro-Russian hacktivists also claimed DDoS attacks tied to the summit. This comes amid rising concerns over Russian hybrid threats, with NATO citing recent malign activities across member states. The sabotage mirrors past incidents, including France's 2023 railway disruptions before the Olympics, as NATO warns of a growing campaign by Russia targeting Western infrastructure. Back in February of this year, Canadian cybersecurity officials discovered that Salt Typhoon, the
Starting point is 00:05:23 Chinese state-sponsored hacking group, had breached a major Canadian telecom provider. The attackers took advantage of an old Cisco vulnerability that had remained unpatched long after its discovery. Once inside, they accessed sensitive configuration files to set up a GRE tunnel likely to siphon off network traffic. This wasn't Salt Typhoon's first move. The group had previously hit U.S. telecom giants and was already under Canadian surveillance following earlier reconnaissance activity.
Starting point is 00:05:55 Yet, despite warnings, critical infrastructure remained vulnerable. Now, the Canadian Centre for Cyber Security and the FBI warn that the threat is far from over. Salt Typhoon continues to target telecoms and other sectors, focusing on edge devices like routers and VPNs. The U.S. House has banned WhatsApp from all government devices, citing concerns over data transparency, lack of stored data encryption, and potential security risks, Axios reports.
Starting point is 00:06:29 The Office of Cybersecurity called the app high risk and ordered its removal from House-managed phones and computers. The move aligns with broader efforts to limit risky tech, including AI tools. WhatsApp's parent company, Meta, strongly disagreed, pointing to its end-to-end encryption. Approved alternatives include Microsoft Teams, Signal, and iMessage. Staffers were also warned about phishing threats.
Starting point is 00:06:58 Russia-backed APT28 has been using Signal chats in phishing campaigns targeting Ukrainian government entities, delivering two newly discovered malware strains, BeardShell and SlimAgent. While Signal itself wasn't compromised, attackers used it to send a malicious document with embedded macros that launched Covenant, a memory-resident loader. Covenant deployed BeardShell, a C++ malware that downloads encrypted PowerShell scripts and communicates with its command and control server via the Icedrive API. BeardShell maintains persistence using Windows Registry COM hijacking. Another tool, SlimAgent, captures and encrypts screenshots for exfiltration. These attacks, uncovered by CERT-UA
Starting point is 00:07:46 with ESET's help, reflect APT28's evolving tactics. Previously, the group exploited Wi-Fi proximity in cyberespionage campaigns. Ukrainian officials have criticized Signal's lack of cooperation in blocking Russian abuse, a claim Signal denies. This reflects broader concerns over the messaging platform's role in modern espionage, despite its strong encryption and privacy stance. A China-linked APT, identified as UAT-5918, has built a covert network of over 1,000 compromised devices, dubbed LapDogs, for long-term espionage.
Starting point is 00:08:29 The group infected small office and home office routers, mainly Ruckus and Buffalo models, with a custom backdoor called ShortLeash. These devices, exploited via old vulnerabilities, now serve as stealthy relay nodes. The campaign targets IT, media, and other sectors across the US and Asia. LapDogs likely began in late 2023 and appears connected, though distinct, from a larger network called PolarEdge. Security researcher mr.d0x has introduced a new phishing technique called the FileFix attack, a browser-based variation of the well-known ClickFix method.
Starting point is 00:09:13 While ClickFix relies on tricking users into executing malicious commands via the Windows Run dialog, FileFix instead abuses the file upload features in browsers. The method uses social engineering to coax users into pasting a malicious command into the File Explorer address bar, triggered through a fake file sharing page, ultimately executing PowerShell code without the user leaving their browser. The attack cleverly masks the command behind a decoy file path and uses browser scripting to copy the payload to the clipboard. A second variation shows how launching executables via File Explorer can bypass Windows' mark-of-the-web
Starting point is 00:09:56 protections, stripping security flags from downloadable files. While simple, both variations demonstrate how social engineering can effectively drive execution, reinforcing the need for awareness and monitoring of browser-spawned system processes. Kaspersky has uncovered a spyware campaign called SparkKitty, targeting Android and iOS users primarily in Southeast Asia and China. Active since early 2024, the campaign uses fake apps, often TikTok mods or cryptocurrency tools, distributed via both official and unofficial app stores.
Starting point is 00:10:36 The malware steals images from device galleries, likely to extract cryptocurrency wallet info using optical character recognition. On iOS, attackers use Apple's Enterprise program and modified open source libraries to bypass App Store restrictions. One infected Android app had over 10,000 Google Play downloads before removal. Related malicious apps also appeared as progressive web apps tied to scams and Ponzi schemes. Kaspersky links SparkKitty to the earlier SparkCat campaign, both using image theft and OCR to harvest sensitive crypto-related data from mobile users. The malicious code was embedded directly into the apps, not via third-party SDKs.
Starting point is 00:11:26 Blockchain investigator ZachXBT has exposed a scam allegedly run by Christian Neves, also known as Day Two, who stole $4 million from Coinbase users by posing as support staff. Neves and his group tricked victims into creating wallets with pre-compromised seed phrases on phishing sites. One accomplice, Paranoia, stole $240,000 from an elderly victim. Much of the stolen crypto was gambled away or laundered via Monero. Despite solid on-chain evidence, authorities have yet to charge anyone, and most of the funds are unrecoverable. Coming up after the break, David Moulton sits down with Tyler Shields from ESG to discuss
Starting point is 00:12:21 the fine line between thought leadership and echo chambers in the industry, and War Thunder gamers just can't resist state secrets. Stay with us. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that.
Starting point is 00:13:03 It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way.
Starting point is 00:13:50 Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
Starting point is 00:14:26 efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at Vanta.com slash cyber. On today's Threat Vector segment, host David Moulton sits down with Tyler Shields, principal analyst at ESG, to discuss the fine line between thought leadership and echo chambers. Hi, I'm David Moulton, host of the Threat Vector podcast, where we go deep on today's biggest cybersecurity challenges and what it really takes to lead in this industry.
Starting point is 00:15:11 In our newest episode, I sat down with Tyler Shields, principal analyst at ESG and former CMO to talk about a topic that most people get wrong, but you can't afford to. How to build real trust in cybersecurity marketing. Tyler brings the heat with some brutally honest insights from his career as a hacker turned analyst turned marketer. He's seen it all from startups that send a hundred thousand cold emails into the void to big name vendors that confuse echo chambers for thought leadership.
Starting point is 00:15:48 If you're in cybersecurity marketing or trying to break into it, this episode is a must. It's fresh, sharp, and it might just change how you think about your role. So thought leadership, you know, it's a word that gets thrown around quite a bit, a buzzword if you will. We hear it all over the place. But I think it is a meaningful term, done right. I've actually written a memo on it when I got here to Palo Alto on what I think is and isn't thought leadership because a lot of things that weren't thought leadership
Starting point is 00:16:25 were getting tagged as thought leadership. But I'm wondering what does that word mean for you? Yeah, it's an interesting question, right? Because you posed that question to me prior, and I had to put a little bit of thought into how I wanted to describe it, because it's not just like, well, duh, it's this, right? It's kind of a gray term,
Starting point is 00:16:46 which is why you're asking the question. To me, the key thing about thought leadership is providing value to the listener. And I know that's kind of a weird way to look at it, but it's actually how I anchor all of my marketing efforts. If you provide value to the other side, the listener, the person that you're trying to reach, that's the ultimate marketing.
Starting point is 00:17:04 And so when you're doing thought leadership from a marketing vantage point, it's about providing value to someone else. So thought leadership could be, you know, simple definitions of something if the audience doesn't understand that, or it could be very deep research that pushes the boundaries and drives the market
Starting point is 00:17:22 and discusses innovation and, you know, new topics. And that's where I tend to live, given my background as an R&D person. That's where I tend to live. But my view of thought leadership is about providing value to the audience that you can't really get anywhere else. So, as security professionals, you know, we have this opportunity to say new things, but it can be scary. You're not sure how it's going to be received, if it's going to upset your comms or PR teams.
Starting point is 00:17:54 How do we lean into actual thought leadership rather than that echo chamber of recycled ideas? So I think you can answer that question in a couple different ways. There's the individual version of that as an individual person. It's about pushing boundaries and learning new things and expressing those new things as value to the audience. But then there's also the corporate version of that question, right? And I think oftentimes that forward thinking, pushing the boundaries view can be neutered a bit by corporate risk and corporate not wanting to say things
Starting point is 00:18:29 that's going to turn off the audience or get any kind of negative brand impact. And within reason, I don't necessarily think that's the right way to do things as a brand, right? I think, you know, the brand marketing is about being true to yourself. And if your company is just an extremely risk averse, stodgy old company that doesn't want to have a brand of innovation, fine, then you're never going to get that out. But I think most cyber companies want that forward thinking brand.
Starting point is 00:18:58 And so push the boundaries, right? It's okay to be wrong. It's okay to state something that may not be completely accurate. As long as you've done the research, you explain how you got there, people make mistakes. Companies make mistakes, right? And you can recover from that. Now, obviously you can't go out there and say something that's like so horribly awful that is irreparable to the brand, but I don't think anybody would do that anyway.
Starting point is 00:19:20 So for me, I love to push the boundaries. I love companies that recognize their brand can help and back those pushes and become innovative and forward thinking. You know, there's a couple of big companies in the market, you know, one of which you guys work for. I think that does a really good job of pushing that brand. Tyler, let's look to the future a little bit. And we'll go five years, right? This feels like an impossible question, but we'll come back in five years and if you got it right, gold stars for you. And if not, nobody will know.
Starting point is 00:19:52 But if you look ahead, what do you think the biggest challenges are for security marketers in this medium period of the next five years? Yeah, that's a good question. It's interesting. When I became a CMO the first time, I've actually, I've, I've maybe had three jobs in marketing, a VP role and two CMO roles. I was never a line marketer, right? So the first role I had was a CMO role at a startup that sold for about 800 million.
Starting point is 00:20:22 We ended up running that one up and doing a really good job of it. So I took everything down to first principles, right? Literally, because I didn't know what I was doing. It was like, hey, how do I do this? Well, let's start with this, right? So everything came down to first principles. And what I ended up doing was pushing the boundaries. I was one of the first people
Starting point is 00:20:38 who did a cabana at Black Hat. I was one of the first people, I think I was the first person or first company to give away Yetis when they were just coming out, right? Because they were like 30 bucks a pop and people were like, God, that's so expensive. I'm like, yeah, but imagine the value provided and the brand impact. So, you know, I think the key thing is somehow staying in front of and remaining unique in what you're putting out and providing value in that unique way. And here's the interesting thing, like, I'm afraid to go be a CMO one more time because
Starting point is 00:21:08 I don't have that newbie mindset where I can just do stuff that seems off the wall because I've never done it before, right? I'll talk myself out of it sometimes because that shouldn't work as, you know, I've done it for 10 years, that shouldn't work. But in reality it does. So I think that the trick is being very aggressive and trying things and letting things fly. So if you want to succeed in the next five years, I would argue that the CMOs and the cyber companies that let stuff fly and say, hey, we're going to be who we are and we're going to be the bananas, whether it's because they're funny or whether it's because they're super technical or whatever it is, but we're going to let it fly and
Starting point is 00:21:48 we're going to let it rip. Those are the ones that are going to stand out. Will they be successful companies? Maybe, maybe not. It highly depends on the tech, the product, the market and other things, but their marketing should be highly successful. The episode is called Cut the Noise, Ditch the Nonsense, Earn the Trust, and it dropped June 19th. Find it in your Threat Vector feed here on the N2K CyberWire Network or wherever you get your favorite podcasts. Today's cyber attacks move fast, your team needs to move faster. That's why CloudRange is redefining cyber readiness with real-world AI-driven cyber range simulations.
Starting point is 00:23:00 Join CEO Debbie Gordon as she shares how organizations are replacing outdated tabletop exercises with live fire training that builds confidence and sharpens response in real time. It's not just training, it's transformation. Listen now and make sure your team is prepared for the threats ahead. And finally, once again, the digital battlefield of the online military combat game War Thunder has been ambushed, not by tanks or jets, but by yet another overzealous forum poster waving around restricted military documents like their Pokémon cards. This time, an enthusiast uploaded handling materials for the AV-8B and TAV-8B Harriers, which, while not classified, are marked for limited distribution. The documents earned him a temporary ban and a polite forum clean-up from the game's developer.
Starting point is 00:24:11 It's not the first time, and certainly not the last. Similar leaks involving Russian tanks and US armored vehicles have popped up before, each time greeted with the same weary sigh from moderators and military types alike. As one RAF engineer dryly noted, these aren't exactly earth-shattering disclosures, but rules are rules. And if history's any guide, someone will break them again by next Tuesday. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you.
Starting point is 00:25:05 We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August of this year. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
Starting point is 00:25:21 We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats.
Starting point is 00:26:24 Download it now at semperis.com slash purple-knight. That's semperis.com slash purple-knight.
