CyberWire Daily - Lights out for Lumma.
Episode Date: May 22, 2025
A joint operation takes down Lumma infrastructure. The FTC finalizes a security settlement with GoDaddy. The TeleMessage breach compromised far more U.S. officials than initially known. Twin hackers allegedly breach a major federal software provider from the inside. U.S. telecom providers fail to notify the Senate when law enforcement agencies request data from Senate-issued devices. DragonForce makes its mark on the ransomware front. A data leak threatens survivors of domestic abuse in the UK. Lexmark discloses a critical vulnerability affecting over 120 printer models. Our guest is David Holmes, CTO for Application Security at Imperva, with insights into the role of AI in bot attacks. Scammers ship stolen cash in Squishmallows.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today's guest is David Holmes, CTO for Application Security at Imperva, a Thales company, who is sharing some insights into the role of AI in bot attacks.
Selected Reading
Lumma infostealer's infrastructure seized during US, EU, Microsoft operation (The Record)
FTC finalizes order requiring GoDaddy to secure hosting services (BleepingComputer)
Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government (Reuters)
By Default, Signal Doesn't Recall (Signal)
Hack of Contractor Was at Root of Massive Federal Data Breach (Bloomberg)
Phone companies failed to warn senators about surveillance, Wyden says - Live Updates (POLITICO)
DragonForce targets rivals in a play for dominance (Sophos News)
'Deep concern' for domestic abuse survivors as cybercriminals expected to publish confidential refuge addresses (The Record)
Lexmark reporting remote code execution flaw affecting over 120 Printer Models (Beyond Machines)
DOJ charges 12 more in $263 million crypto fraud takedown where money was hidden in Squishmallow stuffed animals (Bitdefender)
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
A joint operation takes down Lumma infrastructure.
The FTC finalizes a security settlement with GoDaddy.
The TeleMessage breach compromised far more U.S. officials than initially known.
Twin hackers allegedly breach a major federal software provider from the inside. US telecom providers fail to notify the Senate when law enforcement
agencies request data from Senate-issued devices. DragonForce makes its mark on
the ransomware front. A data leak threatens survivors of domestic abuse in
the UK. Lexmark discloses a critical vulnerability affecting over 120 printer
models. Our guest is David
Holmes, CTO for Application Security at Imperva with insights on the role of AI in bot attacks,
and scammers ship stolen cash in squishmallows. It's Thursday, May 22nd, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
Great to have you with us as always.
A joint operation by US, EU, and Japanese authorities with help from Microsoft and other
cybersecurity firms has dismantled the infrastructure behind Lumma, a major infostealer malware.
Also known as LummaC2, the malware has infected millions of devices since 2023,
stealing sensitive data like passwords, credit card info, and cryptocurrency wallets.
Lumma was sold via subscription, making it easy for even low-skilled criminals to exploit.
The FBI tracked over 10 million infections and estimated $36.5 million in credit card
thefts in 2023 alone.
Microsoft identified nearly 400,000 infections between March and May of this year.
The operation took down about 2,300 domains and disrupted communications between
infected devices and Lumma servers. Developed by a Russian actor known as Shamel, Lumma has
been marketed on Telegram and used in phishing and malvertising campaigns. The FBI warned
that while this takedown is a blow, Lumma's operators may attempt to rebuild.
The Federal Trade Commission has finalized an order requiring GoDaddy to bolster its
security after years of data breaches due to weak practices.
The agency found GoDaddy lacked key protections like multi-factor authentication, proper software updates, and threat monitoring,
leading to breaches between 2019 and 2022.
In one case, attackers installed malware and stole source code after years of undetected
access.
Under the new order, GoDaddy must not mislead customers about security, implement HTTPS for APIs, ensure software and firmware are
updated and set up a robust security program.
The company must also add MFA for all users, including non-phone options, and undergo independent
security assessments every two years.
GoDaddy must report any data exposure incidents within 10 days.
While GoDaddy says it's already making changes, the settlement includes no admission of fault
or fines.
A hacker breach of TeleMessage, a government-used messaging service based on Signal, compromised
messages from over 60 U.S. officials, far more than previously known.
Reuters reviewed a cache of leaked data provided by Distributed Denial of Secrets.
The material revealed intercepted chats from FEMA, Customs, the Secret Service, U.S. diplomats,
and even one White House staffer.
Though much of the data was fragmentary and not overtly sensitive, it included travel-related discussions for senior officials.
TeleMessage, little known outside federal circles, became public after a Reuters
photo showed former Trump National Security Advisor Mike Waltz using the
app. The service, which archives encrypted messages for compliance, went offline May 5.
The breach raises metadata-related counterintelligence risks, experts say,
while some users confirmed message authenticity, federal agencies have offered little comment.
The White House acknowledged the cybersecurity incident but didn't elaborate on its use of the platform.
Elsewhere, Signal Desktop has added a new screen security feature for Windows 11 to
block screenshots and protected chats from Microsoft Recall, which captures app screenshots
every few seconds.
This setting, now enabled by default, uses a DRM flag to prevent content from appearing in Recall or similar tools.
Signal made the move after Microsoft relaunched Recall despite prior backlash.
While the setting may impact usability and accessibility, users can disable it with a warning.
Signal urges OS vendors to better support privacy-focused apps.
Bloomberg reports that Opexus, a software provider for nearly all U.S. federal agencies,
suffered a major cyber breach in February caused by insider threats.
Twin brothers Muneeb and Sohaib Akhter, both convicted hackers, were hired as engineers despite their past. They allegedly accessed and deleted sensitive data
across multiple agencies, including the IRS and GSA.
The attack disrupted key systems and permanently erased records, including FOIA requests.
The FBI is investigating, and federal agencies are reassessing contracts with Opexus.
A Mandiant report revealed serious security lapses, including improper access during termination
and file exfiltration, contradicting Opexus's public claims.
The breach exposed the vulnerabilities in contractor vetting and data security within
government IT systems.
Under contracts established in 2020, major U.S. telecom providers—AT&T, Verizon, and
T-Mobile—are required to notify the Senate when law enforcement agencies request data
from Senate-issued devices.
However, an investigation by Senator Ron Wyden revealed that these carriers failed
to implement such notification systems, leaving senators unaware of potential surveillance
activities. One carrier even admitted to providing Senate data to law enforcement without the
mandated notification. Following the investigation, all three companies have begun complying with the notification requirement for Senate-funded lines.
Nevertheless, significant gaps remain, particularly concerning personal and campaign devices,
which are commonly used by Senators but fall outside the scope of current protections.
While AT&T and Verizon limit notifications to Senate-issued lines, T-Mobile has agreed
to notify about surveillance requests on personal and campaign devices flagged by the Senate
Sergeant-at-Arms.
Senator Wyden urges his colleagues to consider switching to carriers like T-Mobile, Google
Fi, US Mobile, and Cape, which have policies to inform customers of government
surveillance demands whenever legally permissible.
DragonForce is a rising ransomware group reshaping the threat landscape through aggressive
tactics and strategic repositioning, Sophos reports.
First appearing in 2023 with a standard ransomware-as-a-service model, the group rebranded in
March of this year as a cartel, offering affiliates flexibility to use its infrastructure while
branding their own campaigns.
DragonForce has targeted both IT and virtualized environments and reportedly teamed up, if
contentiously, with the prolific RansomHub group.
This included defacing rival leak sites and a potential hostile takeover of RansomHub's
infrastructure.
In recent attacks, DragonForce-linked malware was used by Gold Harvest, also known as Scattered
Spider, a decentralized cyber-criminal collective known for social engineering, MFA
bypasses, and use of info-stealers. Attacks on UK retailers including Marks
and Spencer highlight their threat. As internal feuds destabilize ransomware
networks, organizations must reinforce social engineering defenses, monitor
credentials, and strengthen incident response to withstand unpredictable attacks from increasingly flexible and
chaotic cybercrime groups.
A cyber attack on the UK's Legal Aid Agency has
exposed sensitive data of over 2 million people, including survivors of domestic
abuse, raising fears of imminent leaks.
The Ministry of Justice confirmed that anyone who applied for legal aid since 2010 could be affected.
Compromised data includes addresses, national IDs, and contact details,
potentially revealing the locations of confidential women's refuges.
The MOJ has refused to pay ransom and is preparing to contact vulnerable individuals, prioritizing
abuse survivors, asylum seekers, and trafficking victims.
Refuge, a charity supporting abuse survivors, warns the breach could escalate abuse campaigns,
including harassment, impersonation, or tracking survivors.
While a court injunction has been issued against the data's distribution, it's unlikely to
deter cybercriminals.
Refuge is working to identify at-risk individuals and urges anyone affected to contact legal
advisors immediately.
Lexmark has disclosed a critical vulnerability affecting the embedded web server in over
120 printer models.
The flaw combines a path traversal and concurrent execution issue, allowing remote attackers
to access unauthorized files and execute arbitrary code.
If exploited, this vulnerability could let attackers fully compromise
affected Lexmark printers. Users are urged to update firmware to mitigate the
threat.
Coming up after the break, my conversation with David Holmes from
Imperva. We're discussing the role of AI in bot attacks,
and scammers ship stolen cash in Squishmallows. Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your
GRC program on track, you're not alone. But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust,
making your security posture stronger, yes, even
helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity, check out Vanta and
bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can
be. Get started at Vanta.com slash cyber.
Worry about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected.
A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access
to deeply experienced responders, digital investigators, legal and crisis PR
experts, ransom negotiators, trauma counselors, and much more. The best part?
100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at cyber.care.com.
David Holmes is CTO for Application Security at Imperva.
I recently caught up with him for insights on the role of AI in bot attacks.
So today we are talking about the 2025 Bad Bot Report.
Can we start off here with some high-level stuff?
What prompts the creation of this report every year?
We do this to bring awareness to the, say, problem of malicious automation.
People who run popular websites are very, very familiar with this problem.
But your average Joe on the street has no idea that day after day, this sort of a hidden
war is being fought across every website that they go and visit on a regular basis.
And so part of it is a tribute to the defender.
Well, let's talk about some of the details here.
I mean, can you give us some of the groundwork here
on exactly where we find ourselves with the bot situation?
This past year was the first time in over a decade
that automated traffic, or what we call bot traffic,
actually surpassed human
generated traffic. So 51% of all traffic in the previous year was automated and 37% of
all traffic was malicious automation. So if you think about it, that 37% translates
to almost 80% of all the automated traffic being malicious, leaving
only about 20% being what we call good bots like web crawlers, search engines, etc.
So help me understand, David, how artificial intelligence is part of the game now when
it comes to these bad bots.
The number of accessible AI tools has significantly lowered the barrier of entry for cyber attackers.
So on the simple end for, say, your first-time script kiddie, it's even easier for them
to create a malicious bot, right?
They just have to prompt, write the right prompt, get a bot.
So we actually see that in our data where we categorize the
sophistication of the bots that we see and we blocked 13 trillion connections
last year so we see a ton of these. Then the percentage of bots that were
basically simple self-identifying bots, you know, it might be like attacker tool
22x increased to nearly 45% of traffic.
And on the other end, the advanced attackers appear to be using artificial intelligence
to further refine their attacks so that they're becoming even more effective.
And they also are at about 45% of the automated attacks, leaving the middle ground to be a
very, very small 10%.
So we're seeing, just to say it again,
we're seeing AI at both the simple end of the spectrum
and at the advanced end of the spectrum.
Can we talk about some of the common evasion tactics
that you all are seeing here?
What are the bots doing to try to stay under the radar?
Oh, this is a daily grind where as soon as you,
let's say you're being attacked by a persistent attacker,
as soon as you figure out, oh, here's a fingerprint
that I can use to identify the queries coming
from this particular kind of bot,
as soon as you start blocking on
on that fingerprint, they know, oh, they figured it out. And now they just go back and figure out what did we change recently. So it's not so much an individual evasive technique being
particularly effective. It's just this constant retooling on their part to be evasive and
ultimately continue to evade your fingerprints so that they can continue conducting business.
And the reason why this stuff is so persistent is because this is a business for them, right?
If they're reselling your shoes or your hotel room, reservations or whatever it is that
they're monetizing, every time you block them,
they have a financial interest in figuring out
how you blocked them and then evading it.
One of the things the reports highlight
is how bad bots are exploiting APIs.
Can we dig into that a little bit?
Yeah, absolutely.
Remember when I said 45% of the malicious automation out there is what
we categorize as advanced, right? It's evasive. It's trying to fly under the radar. Of that
traffic about half of that is specifically attacking APIs. And we expect this trend to
continue, right?
Partly it's because targets they are attacking have APIs exposed somewhere, and it's just
easier for them to say, you know, directly machine to machine for their attack.
And also, a lot of the targets out there that have, say, high value digital assets, you
know, maybe a bank account or airline reservations, they will already
have some kind of defense in front of their website and maybe not so much in front of
their APIs.
And in our report, the very end of the report has recommendations.
And one of the recommendations is hey, it's time for everybody to start evolving their
API security because this trend we're seeing is only going to get worse.
Well let's talk about some of those recommendations.
You mentioned API security, but what else is on the list?
So other recommendations that we have in our report are, one is to implement risk identification,
understand the value of the assets that you have, whether or not they might be under attack.
For example, if you're not monitoring,
which is another recommendation that we have,
of course, you might not know that there might be
a million probes a month trying to figure out
is the particular web property that you've put up there
worth attacking in the first place.
Another one is using automation as a defense, right? And this is where the war becomes the attacker using automation and the defender using automation.
And that's just the nature of the game. It doesn't mean that you can solely rely on automation. You can't solely programmatically have a set of scripts or an AI defend against the human attacker
because the human attacker is a human
and also using scripts and AI.
Well, based on the information
that you all have gathered here,
where do you suppose we're headed?
What's the future with the bots themselves
and the mitigations against them?
Great question, Dave.
One of the statistics that we saw this year,
I want to highlight this to make a point,
is in the last 12 months,
we saw the travel industry under attack
more than the retail industry.
And one would be tempted to say, oh,
or to extrapolate and go, oh,
that means that we're going to see more attacks against travel
in the future.
But I've been in this business a long time.
Sometimes trends can just be, I don't want to say anomalies, but they can be local, right?
Maybe it was just this particular year.
However, that said, another one of the statistics that we saw last year was attacks seem to
be happening all year round now.
That was true before, but they would definitely spike seasonally around things like Christmas
or the summer travel season.
But we saw a much smoother graph of more automation over the last year.
So I think as it becomes easier and cheaper to launch attacks and continue to launch attacks, we're not going to see as much seasonality and we're just going to see more and more malicious attacks.
That's David Holmes, CTO for Application Security at Imperva.
And finally, the DOJ has thrown a sizable legal book at a 27-member crypto crime ring
accused of scamming over $250 million globally, proving once again
that organized crime has gone digital and decadent.
Leading the charge is 20-year-old Malone Lam, who allegedly finessed 4,100 Bitcoin from a
DC crypto tycoon using nothing more than fake Google alerts and a convincing tech support
impersonation
— his alias?
Anne Hathaway.
Of course.
Lam, and partner in fraud Jeandiel Serrano, who went by VersaceGod, reportedly turned
their loot into a luxury lifestyle — Lambos, G-Wagons, $68,000 a month rentals, and nightclub tabs bigger than most mortgages.
Meanwhile, the gang, recruited via online gaming, had roles ranging from hackers to
real-life burglars, even smuggling cash in Squishmallows, stuffing up to $25,000 inside
each toy for stealthy shipment across the U.S.
Even after arrest, Lam allegedly kept the crime spree alive, buying his girlfriend Hermes
bags from behind bars.
The moral?
If someone offers crypto advice under a celebrity pseudonym, maybe don't share your MFA code.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The Delete Me team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and
phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code N2K at checkout.
That's joindeleteme.com slash n2k, code N2K.