CyberWire Daily - No click, all tricks.
Episode Date: March 26, 2025

Researchers uncover a new Windows zero-day. A covert Chinese-linked network targets recently laid-off U.S. government workers. Malicious npm packages are found injecting persistent reverse shell backdoors. A macOS malware loader evolves. DrayTek router disruptions affect users worldwide. A new report warns of growing cyber risks to the commercial space sector. CISA issues four ICS advisories. U.S. Marshals arrest a key suspect in a multi-million dollar cryptocurrency heist. Our guest is Brian Levine, Co-Founder and CEO of FormerGov.com, speaking about creating a networking directory for former government and military professionals. The UK's NCSC goes full influencer to promote 2FA.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Brian Levine, Co-Founder and CEO of FormerGov.com, speaking about the importance of networking and creating a directory for former government and military professionals.

Selected Reading
New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials - Unofficial Patch (cybersecuritynews)
Exclusive: Secretive Chinese network tries to lure fired federal workers, research shows (Reuters)
New npm attack poisons local packages with backdoors (bleepingcomputer)
macOS Users Warned of New Versions of ReaderUpdate Malware (securityweek)
DrayTek Routers Vulnerability Exploited in the Wild – Possibly Links to Reboot Loop (cybersecuritynews)
ENISA Probes Space Threat Landscape in New Report (Infosecurity Magazine)
CISA Warns of Four Vulnerabilities, and Exploits Surrounding ICS (cybersecuritynews)
Crypto Heist Suspect "Wiz" Arrested After $243 Million Theft (hackread)
NCSC taps influencers to make 2FA go viral (The Register)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Investigating is hard enough.
Your tools shouldn't make it harder.
Maltego brings all your intelligence into one platform and gives you curated data, along
with a full suite of tools to handle any digital investigation.
Plus, with on-demand courses and live training, your team won't just install the platform.
They'll actually use it and connect the dots so fast cybercriminals won't realize they're
already in cuffs.
Maltego is trusted by global law enforcement, financial institutions and security teams
worldwide.
See it in action now at Maltego.com.
Researchers uncover a new Windows zero-day, a covert Chinese-linked network targets recently laid-off U.S. government workers.
Malicious npm packages are found injecting persistent reverse-shell backdoors.
A macOS malware loader evolves.
DrayTek router disruptions affect users worldwide.
A new report warns of growing cyber risks to the commercial space sector.
CISA issues four ICS advisories.
U.S. Marshals arrest a key suspect in a multi-million dollar cryptocurrency heist.
Our guest is Brian Levine, co-founder and CEO of FormerGov.com, speaking about creating
a networking directory for former government and military professionals. And the UK's NCSC goes full influencer to promote 2FA.
It's Wednesday, March 26, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great to have you with us. A new zero-day vulnerability affects all Windows versions from Windows 7 and Server 2008 R2
up through Windows 11 and Server 2025. Researchers at 0patch say the flaw allows attackers to
steal NTLM authentication credentials just by tricking users into
viewing a malicious file in Windows Explorer, no clicks required. It can be
triggered through shared folders, USB drives, or files downloaded from malicious
websites. Though similar in impact to a previously recorded CVE, this issue is
technically distinct and previously undocumented.
Security researchers have reported the flaw to Microsoft and released temporary micro-patches
via 0patch, free until an official fix is issued.
This marks the fourth zero-day from the same research team.
The patches cover a broad range of Windows systems and deploy automatically
with no reboot needed.
A covert Chinese-linked network is allegedly targeting recently laid-off U.S. government
workers with fake job ads, aiming to gather sensitive information.
Researcher Max Lesser found the campaign uses bogus consulting firms with overlapping websites and fake contact
details.
One firm, River Merge Strategies, posted ads for roles requiring government experience,
with connections traced to a Chinese tech company.
Some ads ran on LinkedIn and Craigslist, but were later deleted.
Reuters couldn't confirm if any hires occurred
or direct ties to the Chinese government.
U.S. officials warned these tactics
mirror past Chinese espionage operations.
The FBI confirmed that foreign intelligence
often uses fake recruiters to exploit former federal workers'
financial vulnerability.
The firm's activity raises concerns about national security, especially amid recent
federal workforce layoffs.
Two malicious npm packages were found injecting persistent reverse-shell backdoors into legitimate
locally installed packages.
Even if the malicious packages were removed, the backdoor remains active.
Discovered by ReversingLabs, the attack replaces files in the popular ethers package
with Trojanized versions that fetch further payloads from a remote server.
The tactic is stealthy and dangerous, targeting developers through clever installer scripts.
Additional linked packages were also identified.
Developers are urged to scan environments and verify package legitimacy.
The macOS malware loader ReaderUpdate has evolved, now existing in five variants compiled
in Python, Crystal, Nim, Rust, and Go, according to SentinelOne.
Originally seen in 2020, it still deploys the Genieo adware but now spreads through Trojanized
software installers on third-party download sites.
The Go variant collects system information and can execute remote commands, hinting at
broader malware potential. While current payloads are adware, ReaderUpdate's design suggests it could be used
for more serious threats under a malware-as-a-service model.
A wave of DrayTek router disruptions is affecting users worldwide, causing devices to enter constant
reboot loops. The issue began around March 22nd
and appears linked to the exploitation of known vulnerabilities.
Security firm GreyNoise observed active attacks on three DrayTek flaws,
including remote code execution and directory traversal bugs.
Affected regions include the UK, Vietnam, Germany, and others.
ISPs confirm that outdated firmware is a key risk factor.
DrayTek urges users to disconnect from the WAN and update firmware immediately.
Additional steps include disabling remote access features, enabling two-factor authentication, and applying ACLs. The disruptions impact both consumers and businesses with
instability reported across various sectors. Security researchers continue to track live
attacks urging quick action to prevent further outages.
The EU's cybersecurity agency, ENISA, has released a new Space Threat Landscape Report warning of
growing cyber risks to the commercial space sector.
With over 10,000 satellites in orbit, most privately owned, space infrastructure now
supports critical services like internet access, logistics tracking, and remote monitoring.
ENISA warns that cyberattacks could trigger cascading effects from service disruptions
to geopolitical tensions.
The report highlights vulnerabilities from commercial off-the-shelf components, legacy
systems, weak encryption, and human error.
ENISA recommends security by design, strong encryption, regular patching, and adopting
zero-trust principles.
Despite space being classified as an essential sector under the NIS 2 directive,
many operators still struggle with compliance.
The report underscores the urgent need for robust cybersecurity
as digital threats to space systems grow alongside sector expansion.
CISA issued four ICS advisories revealing critical vulnerabilities in ABB,
Rockwell Automation, and Inaba Denki Sangyo products.
Flaws, with CVSS scores up to 9.3, could enable denial of service, device takeovers,
or unauthorized access in systems used across oil, gas, and
manufacturing sectors. While ABB and Rockwell have released patches, Inaba Denki Sangyo's
device remains unpatched. CISA urges immediate mitigation, including firmware updates, network
segmentation, limiting physical access, and secure remote access to protect critical
infrastructure.
U.S. Marshals have reportedly arrested Veer Chetal, also known as Wiz, a key suspect in
a $243 million cryptocurrency heist, according to blockchain investigator ZachXBT. The September 2024 scam involved phishing tactics, where hackers impersonated Google
and Gemini's support to trick a victim into resetting their two-factor authentication.
Chetal, along with two co-conspirators, then looted the victim's crypto holdings.
ZachXBT traced the stolen funds and exposed how the group laundered money to fund a lavish
lifestyle.
Chetal's arrest marks a major breakthrough in the case.
The incident highlights the critical need for strong personal cybersecurity practices.
No software can replace user vigilance when facing sophisticated phishing threats.
Investigations into the broader scam and remaining suspects are ongoing.
Coming up after the break, my conversation with Brian Levine from FormerGov.com about
creating a networking directory for former
government and military professionals, and the UK's NCSC goes full influencer.
Stay with us.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's
a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com
slash cyber for $1,000 off.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic
and collaborative environment where your ideas drive change.
With career growth opportunities and a focus on work-life balance, you'll have the flexibility
to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at Vanguardjobs.com.
Brian Levine is co-founder and CEO of FormerGov.com.
I caught up with him for insights on creating a networking directory for former government
and military professionals.
So I am a former cybercrime prosecutor with the US Department of Justice, and I was national
coordinator for the other 300 cybercrime prosecutors around the country.
So I have a very large network of former government people.
I have about 13,000 LinkedIn connections and I have LinkedIn premium.
And so I started getting referral requests, requests for attorneys based on what they
used to do in government.
So the request might be, I need a former prosecutor from the District of Connecticut who's now doing white collar defense.
And I was very excited to help with these requests because I am sort of a natural yenta
or matchmaker, if you will. And that's true for romance. It's true for work. Anytime I can connect
two people together, I feel happy about that.
And I thought I'd be really good at this
because I have such a big network of people
who are sort of right for these requests.
So I went to LinkedIn and I found that it was surprisingly
hard to find these people.
I tried Google, I tried AI, I tried firm pages, and it was just taking way too long.
So I reached out to a colleague of mine, Max Lang, who is an expert in digital marketing and
the internet. And I said, I know that I'm supposedly a cyber expert, but you're going to
have to teach me to use the internet. And he was really excited to prove that he was
smarter than me. And he spent three weeks studying this problem. And he came back to
me and he said, in a very disappointed way, the problem is not you, the problem is actually
the internet. And what he meant by that was that apparently internet search, AI
search, all of these tools that we use, they're all looking for structured data.
And everybody is naturally structuring their data based on what they currently
do, not what they used to do, which makes a lot of sense. But he explained to
me, if you're getting referral requests based on what people used to do
in the government, then for this piece of the population, there's something missing out there.
So we spent the last year trying to solve this problem and to build the first directory for
former government and military professionals, which makes these people easy to find and be found.
Well, help me understand why this is a necessity here. I mean, when you're out looking for folks that you want to network with or connect, you know, person A with person B,
why is a former connection to the government an important factor?
Yeah, so the way I think about it is if you have an important problem,
a significant problem or a significant opportunity with the government, and this could be anywhere
in the government, it could be federal, state, local, tribal, foreign, or military, and all of
those people are welcome to join the site. If you have an important problem or an important opportunity,
you ideally want to work with the person
who's closest to the office
that's going to be making that decision as possible,
who's going to be thinking about this issue as possible.
So if you can find an employee or you can find representation, or in your case, if you
want somebody for the media who you want to interview about what's going on in a particular
office, you just want someone who has the most direct knowledge as possible because
they're going to be the most helpful and the most insightful.
So that's really what we're trying to do here.
And based on the amount
of referral requests I was getting, I think a lot of people who deal with the government
already know this to be the case. But part of what we're doing is also helping to get
the word out to other people, to educate other people that this is a key advantage to have
someone with this kind of experience, knowledge, insight, and expertise on your team.
So explain to me what this is not.
I mean, I've been looking at the beta site
and it strikes me that this is not a jobs board.
You know, there's plenty of those out there
where people let you, there are jobs boards
for people with clearances, there are all sorts
of jobs boards.
It doesn't seem to be the primary focus of this.
Am I right there?
Yes, we are trying to make this very simple.
We're trying to make this a directory,
a place to find and be found.
We want it to be passive for the member.
And the member is the former government
or military employee.
And we want it to be passive in part
because the job boards aren't working.
I talked to so many people who tell me
they've applied to a hundred jobs a day,
or they've applied to thousands and thousands of jobs,
or they've made a thousand posts on this social network
or that social network.
It's way too much work
and it's having very little return on investment.
So our idea here is we just put everybody available on one directory.
We give them the tools to explain exactly what they did and exactly what insights and
experience and information they have in a way that's very easily, very well structured and very
easily searchable. And then we market very heavily and advertise very heavily to the
searcher audience, the in-house counsel, the recruiters, the people who place board members
on boards of directors, the media, the conference organizers. And we get them to come to this site,
we make sure they know about it, and they come for free
and they just find the, they were able to search for
and find their former government needle in a haystack.
And it's a really interesting proposition.
And as you say, I mean, I guess most of these government
folks who have left the government,
they're doing other things now, which kind of makes finding them a little bit of a needle
in a haystack.
Yeah.
Well, and the other problem is that when you're in government, you have to keep your visibility
low.
Almost every agency requires that.
If you can use social media at all, there's limitations on what you can
post. And because you've been in government, you have no book of business, you're not super
well networked, and you probably don't even know so much about doing business development
unless you had previous experience in the private sector. And so, first of all, when
you leave government, you're not necessarily in the best position to network and generate business because your profile was low.
And to your point, you're in a different job and your focus becomes on doing that job.
And it's most easy to find you on that employer's website, or if you're looking for that.
But for these people, it's their prior experience
that really distinguishes them.
Yeah, they say timing is everything.
And it seems to me like the chaos that's happening
in Washington, DC right now with so many government people,
I don't wanna be flippant about it,
but there's so many who are becoming
former government people as we speak.
This seems to me to be a valuable resource for them potentially.
Yes, so again, we had no premonition. People asked me what kind of crystal ball we had that we knew this was coming.
We did not. We had no idea that this was coming.
And frankly, these are all my former colleagues and friends and peers.
So I would prefer that we had not had this timing.
But I am glad if this tool that I was sort of building for it with a different idea in
mind can be helpful now to so many more people.
That's Brian Levine from FormerGov.com.
Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts.
Yet 95% of fixes don't reduce real risk.
Why?
Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production,
costing 10 times more to fix.
Ox Security helps you focus on the 5% of issues that truly matter
before they reach the cloud.
Find out what risks deserve your attention in 2025.
Download the Application Security Benchmark from Ox Security.
And finally, the UK's National Cyber Security Centre has gone full influencer to sell the masses on two-factor
authentication because nothing says cyber resilience like Instagram skits and TikTok
laughs. As part of the Stop Think Fraud campaign, comedy creators parody TV hacker clichés,
talking firewalls, logic bombs, and copying the blockchain, only to be foiled by that pesky second verification step.
"What now?" one faux hacker sighs. "Well, that's the end of the film, really," another concedes.
It's mission impossible with less hacking and more humble pie.
Meanwhile, personal finance influencer Millennial Money UK keeps it serious, reminding us that
weak passwords and no 2FA equal big trouble.
The NCSC, known for blogs and boring but useful tips, hopes these social media antics will
get more folks locking down their logins.
No word yet on what they paid the influencers, but presumably it's not in cryptocurrency.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now, a brief message from our sponsor, Dropzone AI.
Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours
or even days? The latest SANS SOC Survey report reveals alert fatigue and limited automation
are SOC teams' greatest barriers. Dropzone AI, recognized by Gartner as a Cool
vendor, directly addresses these challenges through autonomous recursive reasoning investigations,
quickly eliminating false positives, enriching context,
and enabling analysts to prioritize real incidents faster.
Take control of your alerts and investigations with Dropzone AI.