CyberWire Daily - Lights out, lines down.
Episode Date: April 28, 2025

A massive power outage strikes the Iberian Peninsula. Iran says it repelled a “widespread and complex” cyberattack targeting national infrastructure. Researchers find hundreds of SAP NetWeaver systems vulnerable to a critical zero-day. A British retailer tells warehouse workers to stay home following a cyberattack. VeriSource Services discloses a breach exposing personal data of four million individuals. Global automated scanning surged 16.7% in 2024. CISA discloses several critical vulnerabilities affecting Planet Technology’s industrial switches and network management products. A Greek court upholds a VPN provider’s no-logs policies. Law enforcement dismantles the JokerOTP phishing tool. Our guest is Tim Starks from CyberScoop with developments in the NSO Group trial. How Bad Scans and AI Spread a Scientific Urban Legend.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Special Edition
On our Microsoft for Startups Spotlight, brought to you by N2K CyberWire and Microsoft, we are shining a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. This episode is part of our exclusive RSAC series where we dive into the real-world impact of the Microsoft for Startups Founders Hub. Along with Microsoft’s Kevin Magee, Dave Bittner talks with an entrepreneur and startup veteran, and founders from three incredible startups who are part of the Founders Hub, each tackling big problems with even bigger ideas. Dave and Kevin set the stage speaking with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur. Dave and Kevin then speak with three founders: Matthew Chiodi of Cerby, Travis Howerton of RegScale, and Karl Mattson of Endor Labs. So whether you are building your own startup or just love a good innovation story, listen in. For more information, visit the Microsoft for Startups website.

CyberWire Guest
We are joined by Tim Starks from CyberScoop, who is discussing “Judge limits evidence about NSO Group customers, victims in damages trial.”

Selected Reading
Nationwide Power Outages in Portugal & Spain Possibly Due to Cyberattack (Cyber Security News)
Iran claims it stopped large cyberattack on country’s infrastructure (The Record)
400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks that Exploited in the Wild (Cyber Security News)
M&S warehouse workers told not to come to work following cyberattack (The Record)
4 Million Affected by VeriSource Data Breach (SecurityWeek)
Researchers Note 16.7% Increase in Automated Scanning Activity (Infosecurity Magazine)
Critical Vulnerabilities Found in Planet Technology Industrial Networking Products (SecurityWeek)
Court Dismisses Criminal Charges Against VPN Executive, Affirms No-Log Policy (Hackread)
JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested (Hackread)
A Strange Phrase Keeps Turning Up in Scientific Papers, But Why? (ScienceAlert)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Traditional pen testing is resource-intensive, slow, and expensive, providing only a point-in-time
snapshot of your application's security, leaving it vulnerable between development cycles.
Automated scanners alone are unreliable in detecting faults within application logic
and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection, with
recurring manual penetration testing conducted by CREST-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure.
A massive power outage strikes the Iberian Peninsula. Iran says it repelled a widespread and complex cyber attack targeting national infrastructure.
Researchers find hundreds of SAP NetWeaver systems vulnerable to a critical zero day.
A British retailer tells warehouse workers to stay home following a cyber attack. VeriSource Services discloses a breach exposing personal data of four million
individuals. Global automated scanning surged 16% in 2024.
CISA discloses several critical vulnerabilities affecting Planet
Technology's industrial switches and network management products.
A Greek court upholds a VPN provider's no logs policy.
Law enforcement dismantles the JokerOTP phishing tool.
Our guest is Tim Starks from CyberScoop
with developments in the NSO Group trial
and how bad scans and AI spread a scientific urban legend. It's Monday, April 28, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
We are coming to you live and on location from RSAC 2025 right here in beautiful San
Francisco.
The Moscone Center is buzzing with the latest in cybersecurity innovation, critical discussions,
and of course, a few caffeine-fueled debates about AI, quantum threats, and how to finally
get rid of passwords for good.
We've got a packed week ahead with interviews from industry leaders, quick takes on major
announcements, and a look at the trends shaping the future of cyber defense.
So whether you're joining us from the show floor or tuning in from afar, stick around.
You don't want to miss what's coming up this week.
Let's dive in.
A massive power outage struck the Iberian Peninsula today, cutting electricity across
Spain, Portugal, and parts of southern France and Andorra.
The blackout, which began around 12:30 pm local time, caused Spain's power
demand to collapse by half within moments, a total grid failure. Sources suggest a cyber
attack is the likely cause, though authorities have not confirmed this. Critical infrastructure
was severely impacted, including airports, metros, telecommunications, and traffic systems.
Spain's Prime Minister Pedro Sanchez visited Red Electrica's control center as emergency
restoration efforts began, focusing on hydroelectric power while gas and nuclear power remained
offline.
Internet traffic dropped by nearly 37% across the region. The Spanish Cybersecurity Coordination Office is investigating,
but officials warn it's too early to draw conclusions.
This outage highlights growing concerns,
as cyberattacks on utilities have more than doubled globally in recent years.
Recovery is expected to take time.
Meanwhile, Iran says it repelled a widespread and complex cyberattack targeting national
infrastructure, according to Behzad Akbari of the government's telecommunication infrastructure
company. Few details were shared, and there's no confirmed link to a deadly explosion at
Shahid Rajaee Port the previous day, which killed 28 and injured 800.
Maritime experts attribute the explosion to mishandled ballistic missile fuel, though Iran denies this.
The incident comes amid tense nuclear negotiations between Iran and the U.S.
Iran has faced several major cyber attacks in recent years, including ones on its fuel
system and steel mills, often blamed on US and Israeli forces without evidence.
Groups like Predatory Sparrow have claimed past attacks, raising suspicions of state
backing due to the precision involved.
Iran's officials continue to cite cyber threats as key national security concerns.
Shadowserver found 454 SAP NetWeaver systems vulnerable to a critical zero-day flaw allowing
unauthenticated file uploads and full system compromise.
Discovered by ReliaQuest in April, the bug targets the metadata uploader component and
has already been weaponized in the wild.
Attackers upload web shells via a missing authorization check.
SAP issued an emergency patch on April 24.
Organizations are urged to patch immediately or apply temporary passwords as the flaw poses
a severe risk to exposed SAP environments.
British retailer Marks & Spencer has told around 200 agency workers not to report to
its main warehouses as it manages a growing cyber attack crisis.
Online shopping remains paused, with M&S apologizing for the disruption but assuring customers
that stores are still open.
The incident, first disclosed last week, has already led to an 8% drop in M&S shares.
The company says its internal team and external cyber experts are working urgently to restore
online and app services.
VeriSource Services disclosed that a 2024 breach exposed personal data of 4 million
individuals tied to companies using its employee benefits platform.
Stolen data includes names, birth dates, addresses, and social security numbers.
Although discovered quickly, full impact analysis took over a year with final notifications
issued this month.
No misuse has been reported yet, but VeriSource is offering free credit monitoring.
Security experts stress the prolonged exposure window raises heightened risks of identity
fraud and theft.
Global automated scanning surged 16.7% in 2024, exposing major digital vulnerabilities,
according to FortiGuard Labs' 2025 Global Threat Landscape Report.
Threat actors now execute 36,000 scans per second, targeting services like SIP, RDP,
and IoT protocols. Cybercrime marketplaces
added 40,000 new vulnerabilities and drove a 500% rise in infostealer malware logs, contributing
to 1.7 billion stolen credentials.
Critical sectors like manufacturing and business services are increasingly targeted, with the
U.S. absorbing 61% of attacks.
AI-driven threats such as FraudGPT are intensifying phishing and credential stuffing campaigns.
Fortinet urges organizations to shift to intelligence-led defense strategies, emphasizing attack surface
management, real-world adversary simulation, and dark web monitoring.
Experts stress that real-time AI-powered security solutions are crucial to countering today's
evolving cyber threats and preventing operational disruptions.
Several critical vulnerabilities affecting Planet Technology's industrial switches and
network management products have
been disclosed by CISA.
The flaws allow remote unauthenticated attackers to gain admin access, create accounts, and
execute OS commands.
Researcher Kevin Breen, who reported the issues, noted hundreds to thousands of exposed devices
globally including in critical manufacturing.
Planet Technology patched the vulnerabilities this month, and no active exploitation has
been reported so far.
Windscribe, a privacy-focused VPN and cybersecurity provider, has scored a major legal victory
as founder Yegor Sak was acquitted by a Greek court.
The case, triggered by the cyber incident involving a Windscribe server, could have
set a dangerous global precedent by criminalizing infrastructure ownership.
Thanks to Windscribe's strict no-logs policy, the court found no evidence linking Mr. Sak
or the company to any wrongdoing.
The ruling reaffirms that privacy providers cannot be held responsible for user actions
when no data is collected.
Windscribe, founded in 2016, remains a fierce defender of online freedom, vowing to resist
any pressure to compromise user trust.
Mr. Sak called the case a critical stand against government
overreach, warning, "Today it's hacking, tomorrow it could be criticizing a dictator."
Two men have been arrested in the UK and the Netherlands as part of a major international
operation dismantling JokerOTP, a phishing tool used to steal over seven and a half million pounds.
The tool tricked victims into revealing two-factor authentication codes by impersonating trusted
institutions like banks and cryptocurrency platforms.
JokerOTP was deployed in over 28,000 phishing attacks across 13 countries.
The investigation, led by Cleveland Police's Cybercrime Unit
and supported by Europol and the Dutch National Police, marks one of the UK's largest cyber
fraud cases. The suspects, operating online as SPIT and DEFONE123, face charges including fraud,
unauthorized access, money laundering, and blackmail.
Authorities have begun shutting down the infrastructure supporting JokerOTP,
warning users of the platform that further law enforcement actions are underway.
Coming up after the break, Tim Starks from CyberScoop shares developments in the NSO Group trial and how bad scans and AI spread a scientific urban legend.
Stay with us.
Let's be real, navigating security compliance can feel like assembling IKEA furniture without
the instructions.
You know you need it, but it takes forever and you're never quite sure if you've
done it right.
That's where Vanta comes in.
Vanta is a trust management platform
that automates up to 90% of the work for frameworks
like SOC 2, ISO 27001, and HIPAA,
getting you audit ready in weeks, not months.
Whether you're a founder, an engineer,
or managing IT and security for the first time,
Vanta helps you prove your security posture
without taking over your life.
More than 10,000 companies, including names like Atlassian and Quora,
trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times.
And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays
for itself in just three months.
For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber.
That's vanta.com slash cyber.
Ensuring that only authorized users can access certain systems, networks, or data.
Are your defenses ready?
Cisco's Security Service Edge delivers comprehensive
protection for your network and users. Experience the power of zero trust and secure your workforce
wherever they are. Elevate your security strategy by visiting cisco.com slash go slash SSE. That's
C-I-S-C-O dot com slash G-O slash S-S-E.
It is always my pleasure to welcome back to the show Tim Starks, senior reporter at CyberScoop. Tim, welcome back.
It is always my pleasure to be back.
Well, Tim, you recently had an article over on CyberScoop about the WhatsApp versus NSO Group case.
Some of the legal ramblings that are going on there... wranglings, I should say.
Paging Dr. Freud.
Wranglings, I should say. Bring us up to date here.
Well, I guess before we dig in, just briefly explain what the lawsuit between WhatsApp and NSO Group is all about.
Yeah, there's a couple different cases that are happening.
Well, there's more than a couple, but these are a couple particularly big ones that have had some happenings of late.
One of them, and I think the biggest of them, the biggest of all the lawsuits really against
NSO Group or any spyware maker for that matter, is WhatsApp versus NSO Group.
And WhatsApp alleged in a case that began several years ago that NSO Group is guilty
for spying on something like 1,400 of its users.
And NSO Group is saying that's illegal under the CFAA, the Computer Fraud and Abuse Act,
and some other reasons, privacy invasive.
NSO Group says essentially, we're not the people who hack anyone, we're just the people
who make the technology that hacks people.
And there's the rub.
So that's what the case is about.
There was a hearing, or rather, I should say an order
that was handed out this week that was important
to how things were going to proceed.
So a judge said, we find NSO to be guilty of this behavior.
So now they're in the damages phase, deciding
how much anybody's going to get out of this. And so a ruling came down this week on what
kind of evidence could be happening, what each side could enter when making their case.
That's what the ruling was this most recent week.
Well, what is significant that NSO can no longer bring up? Yeah, what are they restricted?
It's fairly penalizing, just by my read.
They can't talk about who their clients are.
They can't talk about the professions or identities of the alleged victims.
And those are pretty big.
One of the people I talked to for the story said,
this kind of goes to the strategy,
the basic fundamental strategy of what NSO Group
was going to try to argue, which is,
hey, we're representing governments
that are doing things to crack down on terrorists
and criminals, and this really limits
what they can argue on that front.
There are some other
limitations as well on the other side, but they're not as strict. And there were some
restrictions I talked on in the story that go to both the plaintiff and the defendant in this case,
saying essentially, we're leaving reputational harm out of this entirely. We're just not going
to get into it on both sides. So it's a really fascinating ruling.
As someone who's been following the legal ramifications, the legal battles over spyware,
it was a really fascinating ruling saying, hey, NSO Group, you're going to try
to say we're the good guys.
We're not going to let you really say that.
And one of the things that was interesting about the ruling is that the judge was really
skeptical of NSO's argument.
They're saying, hey, look, we're the good guys.
We're helping these people catch terrorists, but we can't actually say who the people we
work for are.
But also, we're the good guys.
It was kind of a sort of circular argument that made it so that the judge said, look,
you're just not going to be able to do any of that.
You can't be saying, oh, we represent the good guys, but not say who the good guys are.
And you can't say, oh, we don't know what they're doing,
but we also know that they're doing good things.
It was kind of a circular argument
that the judge was like, nope, you're
not going to be able to do this.
So does this shift the focus of the trial
towards NSO Group's conduct rather than their clients'
conduct?
Yeah, big time.
I mean, one of the big issues involved in this case was how guilty is NSO Group for
the behavior of the people who use this technology?
And this really makes it harder for them to say, you know, hands off, we're not, this
isn't anything, we need license.
But the judge is basically putting them in a position of saying, you know, look, you are responsible.
So now we're just now it's just coming down to how much damage are we going to award to the plaintiffs?
Because we've already found you responsible. And any arguments I might have go...
You also recently reported on a new, I guess,
second-in-command over at CISA. Who do we have here?
Oh, no. I actually haven't said his name aloud, so I've got to...
Oh, I see. Oh, I see. So a print guy on a podcast. The advantage is mine.
Oh, okay. I'm going to do my best, the future, to the future CISA number two, Gottumukkala.
I think that's pretty good.
I had not said it out loud because what's interesting is, you know, that they, this
actually, this wasn't announced by CISA originally. It was announced by South Dakota. He's the
former CIO and head of their, like, sort of their technology division there in the state government.
This kind of broke late Thursday that he was going to be the person.
I really just had email exchanges with anybody trying to figure out who he was and whether
it was true.
Since it has confirmed he is, in fact, going to be the new deputy director, it's something
that's probably a month or more away
because he doesn't leave his job in the state position
until May 16th.
But he's someone who does have a tech background.
You and I have talked about some of these appointments.
Some of these appointments from the Trump administration
have not had much in the way of tech or cyber experience.
He definitely does have that in multiple jobs.
So he looks to be someone who isn't just hired just because,
although I'm sure it has a connection,
to the fact that he worked for Kristi Noem,
who is now the secretary of the Department of Homeland Security
and had been the South Dakota governor.
So looks like a candidate coming in who has some experience,
but we might not get him for more like a month.
Okay, all right.
Well, progress underway, I suppose.
And as they say, time will tell.
Time will tell.
We say it awkwardly when I do.
We do, we do.
Because it's true.
Because it's true.
That's why we do it. That's right, that's right.
All right, Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much.
Thank you.
ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment. If it's not approved, it doesn't run. Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day. See how ThreatLocker can help you lock down your environment at
www.threatlocker.com.
And finally, ever heard of vegetative electron microscopy?
No?
Good, because it's total nonsense.
But thanks to a string of scanning errors, a translation mix-up, and a little AI mischief,
this completely made-up scientific term has wormed its way into real academic papers.
It all started when 1950s research got poorly digitized, blending unrelated words into something
that sounded impressive but meant absolutely nothing.
Then, a tiny mistranslation in Farsi helped the error spread even further.
Now, large AI models including GPT-3 and GPT-4 faithfully regurgitate the fake term as if it's a cornerstone
of modern science.
Researchers are calling it a digital fossil, a mistake now permanently trapped in the AI
training ecosystem, and fixing it is next to impossible.
So, the next time someone drops vegetative electron microscopy in a paper, just know
science, courtesy of AI, sometimes makes stuff up too.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We've got a programming note.
There's a special edition that explores the benefits of the cyber startup ecosystem with
our partners at Microsoft.
You can catch the details of it in our show notes and find it in your CyberWire Daily
podcast feed in your favorite podcast app.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep us a step ahead in the rapidly changing
world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. Don't forget
to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on
Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts
are listed.
N2K's senior producer is Alice Carruth, our CyberWire
producer is Liz Stokes. We're mixed by Tré Hester with original music and
sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben,
Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll
see you back here tomorrow.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats
like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.