CyberWire Daily - Lessons from the latest breach reports.
Episode Date: April 24, 2025

Verizon and Mandiant call for layered defenses against evolving threats. Cisco Talos describes ToyMaker and Cactus threat actors. Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods. Ransomware groups are experimenting with new business models. Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon. Global censorship takes a coffee break.

CyberWire Guest: Dave sits down with Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division, who shares a PSA on Salt Typhoon.

Selected Reading
2025 Data Breach Investigations Report (Verizon)
Mandiant M-Trends 2025 Report (Mandiant)
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs (Cisco Talos)
Linux 'io_uring' security blindspot allows stealthy rootkit attacks (BleepingComputer)
Ransomware groups test new business models to hit more victims, increase profits (The Record)
Cloudflare: Government-backed internet shutdowns plummet to zero in first quarter (The Record)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com/cyberwire
and see what attackers already know.
That's spycloud.com/cyberwire.
Verizon and Mandiant call for layered defenses against evolving threats.
Cisco Talos describes ToyMaker and Cactus threat actors.
Researchers discover a major Linux security flaw which allows rootkits to bypass traditional
detection methods.
Ransomware groups are experimenting with new business models. Deputy Assistant Director
Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon. And global
censorship takes a coffee break. It's Thursday, April 24th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us again here today.
It's great to have you with us.
Two of the cybersecurity industry's most anticipated annual reports, the Verizon 2025 Data Breach
Investigations Report, the DBIR, and Mandiant's M-Trends 2025 report, offer a revealing look at the evolving threat landscape.
Drawing on tens of thousands of real-world incidents,
both reports provide critical insights
into how threat actors operate,
what vulnerabilities they exploit,
and which sectors are most at risk.
Together, they highlight rising trends in credential theft,
ransomware, supply chain
attacks, and the persistent human element in security breaches.
The 2025 Verizon Data Breach Investigations Report reveals critical shifts in the cybersecurity
landscape, drawing insights from over 22,000 incidents and over 12,000 confirmed breaches.
Credential abuse and vulnerability exploitation remain the top attack vectors, with the latter
jumping 34%, driven by a surge in zero-day exploits targeting VPNs and edge accounts.
Ransomware continues its relentless rise, now appearing in 44% of breaches despite a
dip in ransom payouts.
Alarmingly, breaches involving third-party vendors have doubled to 30%, underscoring
growing supply chain vulnerabilities.
Human error and manipulation, especially through social engineering, remain a major factor
in successful attacks.
Espionage-driven breaches are also on the rise,
particularly in manufacturing and healthcare,
suggesting a shift in threat actor priorities.
To counter these evolving threats,
Verizon recommends a layered security strategy,
enforcing strong password policies,
timely vulnerability patching, robust employee training,
and tighter controls over third-party
access.
The report makes it clear cyber risks are expanding and proactive defense is no longer
optional.
The Mandiant M-Trends 2025 report paints a clear picture of an evolving cyber threat
landscape marked by a rise in financially motivated attacks, now making up 55% of all
observed threat activity.
Exploits remain the leading entry point for attackers, but the use of stolen credentials
has reached an all-time high at 16%, highlighting a growing vulnerability.
The financial sector emerged as the most targeted industry, involved in over 17% of all cases studied.
Meanwhile, attackers are lingering longer within networks,
with the median dwell time increasing to 11 days,
a sign that detection capabilities may be lagging behind the sophistication of modern threats.
New and evolving risks include the growing presence
of infostealer malware, insecure cloud data repositories,
insider threats from foreign IT operatives,
and a surge in attacks on cryptocurrency
and Web3 platforms.
In response, Mandiant stresses the need
for multi-layered defense strategies,
emphasizing better logging, proactive threat
hunting, strong identity and access controls, and adoption of FIDO2-compliant multi-factor
authentication to help organizations stay a step ahead.
In 2023, Cisco Talos uncovered a sophisticated attack on critical infrastructure involving two threat actors,
ToyMaker and Cactus.
ToyMaker, a financially motivated initial access broker, breached the organization by
exploiting internet-facing vulnerabilities and deployed a custom backdoor, LagToy.
This tool enabled remote command execution and credential theft. After initial reconnaissance and credential harvesting, ToyMaker handed off access to
Cactus, a ransomware group known for double extortion.
Cactus launched a full-scale attack, using various remote tools, creating malicious accounts,
and eventually deploying ransomware.
Their tactics included extensive data exfiltration
and defense evasion, such as safe mode reboots
and credential hiding.
The incident highlights the operational handoff
between access brokers and ransomware actors
and underscores the need for organizations
to recognize and model interconnected threats
for better defense.
Researchers at ARMO discovered a major Linux security flaw involving the io_uring interface,
which allows rootkits to bypass traditional detection methods that rely on monitoring system calls.
To demonstrate this, they created a stealthy rootkit called Curing that uses io_uring to execute commands without triggering
alerts.
Most security tools, including Falco and Tetragon in default settings, failed to detect it.
ARMO recommends kernel runtime security instrumentation for monitoring such threats, and Curing is
now publicly available for testing on GitHub.
Ransomware groups like DragonForce and Anubis are experimenting with new business models
to attract affiliates and boost profits, according to Secureworks.
DragonForce, which began as a traditional ransomware-as-a-service operation, has rebranded
as a cartel, offering hackers shared infrastructure and management
tools while allowing them to use their own malware.
This flexible model may broaden its affiliate base, though shared resources introduce operational
risks.
Meanwhile, Anubis offers multiple monetization options, ransom, extortion, and access sales,
sharing 50 to 80 percent of profits with affiliates.
It also increases pressure on victims through public shaming and threats to report breaches
to regulators.
These evolving strategies reflect a shift towards decentralization in the ransomware
ecosystem, especially following disruptions to major players like LockBit.
While ransomware attacks continue, experts note early signs that profit-cutting efforts
may be impacting the threat landscape.
Coming up after the break, Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division
is back with the latest on Salt Typhoon, and global censorship takes a coffee break.
Stay with us.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, Identity Attack Paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID and Hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
It is my pleasure to welcome back to the show Deputy Assistant Director Cynthia Kaiser
from the FBI Cyber Division. DAD Kaiser, welcome back.
Thank you for having me back.
You and your colleagues have recently published a new PSA and this is covering Salt Typhoon.
What would you like folks to know about that?
So as I'm sure most listeners have been tracking, the FBI has been conducting a major investigation
into the hacking of commercial telecommunications infrastructure by actors affiliated with the Chinese government,
tracked in open source reporting as Salt Typhoon.
And really, it's revealed a broad and significant cyber espionage campaign.
And to be more specific, we've identified that the Chinese actors broke into the networks
of multiple telecom companies with several aims in mind: to steal customer call records
data, to compromise the private communications of a limited number of individuals, and to
copy certain sensitive information related to law enforcement.
And I think that what I wanna make sure people are walking away and thinking about is it's indicative
of this activity.
It's indicative of what we've come to see from China,
but it's also a new level of insidiousness
and a striking example of how cyber espionage looks
and feels different than it has before.
And when I say that, I mean, what's remarkable is this kind of enormous and seemingly indiscriminate
collection of call records and data about American people.
And like, that's your friends, that's fellow citizens, that's our family members.
And to me as a mom,
when I think about family members data being stolen,
I'm thinking about my kids.
China has the data they steal forever.
And so if they're collecting these vast swaths of data
and a 13-year-old's data is included,
China has that child's information forever.
And can you imagine a world in which
China would have been spying on you as a 13-year-old?
It feels preposterous, right?
But it's what our kids have to deal with now in this modern day age, and that's going to
stay with them no matter what careers or risks they choose in the future.
And so, as we've been diving deep into this investigation, we have that in mind.
We have in mind the impact to the folks
in Washington who are having their communications targeted. We also have in
mind, though, the victims that don't even kind of understand that they're victims
yet, and that's what's most concerning about this broad campaign.
What are some of the specific perils here? I mean, a nation state collecting
this sort of detailed information on US citizens. What's the potential future issue with that?
China has been collecting for years
lots of different types of information: personal information, personal identifying information,
other types of content.
And we know that they pull all of that back
and they bring it into this vast data lake.
And lake seems like a weird word for how much data they have.
I mean, maybe it's a vast data ocean at this point
of the type of information they're collecting.
And what they can do now versus in the future
is also very different.
Now they are able to go through that data and try to match it with various intelligence
objectives they might have.
But in the future, think about how all of that data can fuel their AI efforts. So using that data and training it to identify patterns
over time for their own intelligence objectives,
but then also just using that data to fuel their own models.
It's really concerning from our end
that the sum of all of this data that's collected
could be really dangerous,
just even a few years in the future.
I think some folks, I think justifiably,
have maybe a sense of helplessness
when it comes to this sort of thing.
Their data was collected,
they were unaware that it happened.
Are there reassurances that you can provide
from a federal law enforcement agency
that you all are on the case to make sure that this sort of thing doesn't happen again?
Absolutely.
So I think there's a few aspects here on this, which is the FBI isn't just relying on net defenders
to keep malicious actors out.
Over the past year, we've been heavily involved
in investigating, attributing, and countering
this type of activity.
In fact, a little over a year ago,
we announced a huge disruption of a botnet
used by Volt Typhoon.
So for your listeners, a botnet's a network of hundreds
or thousands of compromised devices,
often used to hide or power malicious activity.
And in this case, the Volt Typhoon botnet
was made up of hundreds of US home and small business routers.
And so we're able to take our investigations
and really identify ways to take adversaries offline.
And as for the FBI's efforts in this case,
since we discovered the compromise,
our response has been nonstop.
We of course immediately notified the affected companies
and remained engaged with them,
providing our technical assistance wherever we can.
We've collaborated with partners across the government
and intelligence community,
and we've rapidly shared what we've learned
with other potential
victims. And then every day, we're bringing in new evidence, which we turn around and
add to our larger threat picture, and give indicators of compromise identified to victims
directly to assist them in their remediation efforts, as well as put them out for net defenders
so that they can protect their networks from these insidious incidents.
For example, we put out a guide in December
with our government partners,
and within there, we were able to provide best practices
to strengthen visibility and harden network devices
against successful exploitation carried
out by China affiliated and other malicious cyber actors.
But we're not done.
And we don't know everything.
And that's why I'm really glad we're talking today, because the FBI has issued an announcement to request information from the public about these China
affiliated actors that most people know of as Salt Typhoon and their compromise of multiple
telecom companies.
In particular, we're seeking information about the individuals who compromised these companies or who might make
up this Salt Typhoon group, as well as anyone who has knowledge of other Salt Typhoon activity.
And that is great for you to provide as a patriot or as a global citizen. But I also want to note that Department of Justice, or Department of State's Rewards for Justice program
offers a reward of up to $10 million for information
on foreign government linked individuals participating
in certain malicious cyber activities
against US critical infrastructure.
So if you have any of that information,
we'd love for you to contact your local FBI field office, go to ic3.gov, or
submit tips to the Rewards for Justice program, and that information is listed in our public service announcement.
Cynthia Kaiser is Deputy Assistant Director with the FBI's Cyber Division.
DAD Kaiser, thanks so much for joining us today.
Thank you for having me.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly nine out of ten data breaches.
Once inside, they're after one thing: your data.
Varonis's AI-powered data security platform secures your data at scale
across IaaS, SaaS, and hybrid cloud environments.
Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
And finally, 2025 opened with a noteworthy global phenomenon.
Governments pressing pause on internet shutdowns.
According to Cloudflare's Q1 report, not a single new government-mandated internet
blackout was recorded.
These digital blackouts, often tied to elections, protests, or even school exams, have long
been a tool for control.
But the sudden lull has analysts scratching their heads.
Cloudflare suggests fewer protests and national exams may be a factor, while NetBlocks' Alp Toker
points to deeper shifts, like the shuttering of U.S. aid programs and increased compliance
from social media platforms with government
censorship requests. With fewer objectionable voices online, regimes have less reason to
pull the plug. Still, Mother Nature didn't get the memo. Fires, storms, and earthquakes
knocked out networks from New Jersey to Myanmar. While the pause in shutdowns is welcome,
experts warn it may be short-lived.
And that's the CyberWire.
For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now, a message from BlackCloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting
your executives and their families at home?
BlackCloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24/7/365 with BlackCloak.
Learn more at blackcloak.io.