CyberWire Daily - No hocus pocus—MagicINFO flaw is the real threat.
Episode Date: May 6, 2025A critical flaw in a Samsung’s CMS is being actively exploited. President Trump’s proposed 2026 budget aims to slash funding for CISA. “ClickFix” malware targets both Windows and Linux systems... through advanced social engineering. CISA warns of a critical Langflow vulnerability actively exploited in the wild. A new supply-chain attack targets Linux servers using malicious Go modules found on GitHub. The Venom Spider threat group targets HR professionals with fake resume submissions. The Luna Moth group escalates phishing attacks on U.S. legal and financial institutions. The U.S. Treasury aims to cut off a Cambodia-based money laundering operation. Our guest is Monzy Merza, Co-Founder and CEO of Crogl, discussing the CISO's conundrum in the face of AI. Malware, mouse ears, and mayhem: Disney hacker pleads guilty. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, we are joined by Monzy Merza, Co-Founder and CEO of Crogl, who is discussing the CISO's conundrum—the growing challenge of securing organizations in a world where AI rapidly expands both the number of users and potential adversaries.Selected Reading Samsung MagicINFO Vulnerability Exploited Days After PoC Publication (SecurityWeek) Trump would cut CISA budget by $491M amid ‘censorship’ claim (The Register) New ClickFix Attack Mimics Ministry of Defense Website to Attack Windows & Linux Machines (Cyber Security News) Critical Vulnerability in AI Builder Langflow Under Attack (SecurityWeek) Linux wiper malware hidden in malicious Go modules on GitHub (Bleeping Computer) Malware scammers target HR professionals with Venom Spider malware (SC Media) Luna Moth extortion hackers pose as IT help desks to breach US firms (Bleeping Computer) US Readies Huione Group Ban Over Cybercrime Links (GovInfo Security) Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data (Bleeping Computer) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire. A critical flaw in Samsung's CMS is being actively exploited.
President Trump's proposed 2026 budget aims to slash funding for CISA.
ClickFix malware targets both Windows and Linux systems through advanced social engineering.
CISA warns of a critical Langflow vulnerability actively exploited.
A new supply chain attack targets Linux servers using malicious Go modules found on GitHub.
The Venom Spider Threat Group targets HR professionals with fake resume submissions.
The Lunamoth Group escalates phishing attacks on US legal and financial institutions.
The Treasury aims to cut off a Cambodia-based money laundering campaign.
Our guest is Manzi Mirza, co-founder and CEO of Krogel, discussing the CISO's conundrum
in the face of AI.
And malware, mouse ears, and mayhem.
A Disney hacker pleads guilty.
It's Tuesday, May 6, 2025.
I'm Dave Vintner and this is your CyberWire Intel Briefing. Thanks for joining us here today, great to have you with us.
A critical flaw in Samsung's Magic Info 9 server CMS is being actively exploited just
days after a proof of concept code went public, Arctic Wolf warns. With a CVSS score of 8.8, the vulnerability allows unauthenticated attackers
to upload and execute malicious files with system-level privileges.
The flaw stems from improper input validation, enabling arbitrary file rights
through crafted Java server pages. remote code execution is possible.
Though Samsung patched the bug in a version released in August of 2024, Arctic Wolf detected
exploitation starting April 30th of this year following public disclosure.
With an easy path to exploitation and public proof-of-concept code available, experts expect
continued targeting.
Organizations using magic info are urged to update immediately to avoid potential attacks.
Turning to Washington, President Trump's proposed 2026 budget aims to slash funding for the
Cybersecurity and Infrastructure Security Agency by $491 million, that's about 17%.
The cuts, currently symbolic and requiring congressional approval, are framed as an effort
to dismantle what the administration calls the censorship industrial complex.
The White House accuses CISA of prioritizing misinformation policing over its core mission
of protecting critical infrastructure
and election security.
The budget would eliminate programs related to misinformation, international outreach
and public engagement, accusing them of violating free speech and mismanaging resources.
The move follows Trump's long-standing, unfounded claims that the 2020 election was
stolen.
CISA's minimal presence at this year's RSA conference and a surprise keynote by
Homeland Security Secretary Kristi Noem signaled the agency's shifting status.
While CISA faces cuts, the Department of Homeland Security would see a $43 billion
increase for border security and deportations.
TSA and FEMA are also targeted for reductions, sparking early resistance from lawmakers.
A new malware campaign, dubbed ClickFix, is targeting both Windows and Linux systems through
advanced social engineering.
Hackers have created convincing Ministry of Defense website clones in multiple countries,
tricking defense workers into downloading fake security updates.
The malware, first seen in April of this year, spreads via spear-phishing emails and uses
spoofed domains with slight misspellings to appear legitimate.
Once installed, it exploits system-specific vulnerabilities,
using a hidden PowerShell task on Windows and a fake service on Linux to
maintain access and steal data. ClickFix's realism and cross-platform design
make it hard to detect. Researchers at Hunt.io uncovered the campaign after
spotting suspicious traffic from defense contractor networks.
Security agencies have since confirmed breaches at several mid-level contractors and two government
agencies.
Attribution is still unknown, but the operation shows hallmarks of a well-funded threat actor.
Experts recommend stricter verification of official communications and improved endpoint defenses. CISA has issued an alert about a critical Langflow
vulnerability actively exploited in the wild. Langflow, an AI development
framework, is affected by a code injection flaw in its validation endpoint,
allowing remote code execution without authentication. The bug, present in versions before 1.3.0, was detailed by Horizon 3.ai, which released
proof-of-concept exploit code.
While recent versions add authentication, full mitigation may require restricting network
access.
Agencies must patch by May 26th per federal directives.
A recent supply chain attack targets Linux servers using malicious Go modules found on
GitHub which deliver a disk wiping bash script named done.sh. The attack uses three obfuscated Golang modules, Proto Transform, Go MCP, and TLS Proxy, to
fetch and execute a payload that verifies it's on a Linux system before running a destructive
DD command.
This command overwrites the entire primary storage volume with zeros, rendering the system
unbootable and all data unrecoverable. Researchers at Socket discovered the campaign in April of this year.
The malicious modules impersonated legitimate developer tools to trick users.
Because Go's decentralized ecosystem allows similar module names,
attackers can sneak destructive code into unsuspecting projects.
Once the script is downloaded, it runs immediately,
leaving no time to respond. All three malicious modules have since been removed from GitHub,
but developers are urged to vet dependencies carefully to avoid catastrophic damage.
The Venom Spider threat group is targeting HR professionals with malware disguised as fake resume submissions.
According to Arctic Wolf, attackers are sending phony job applications and links to fake personal
websites.
These sites display a CAPTCHA to appear legitimate, then prompt the user to download a resume,
which is actually a malicious zip file.
This file contains the More Eggs malware,
a JavaScript-based remote access tool
that steals credentials and gives attackers backdoor access.
Historically focused on e-commerce and payment platforms,
Venom's Spider has now shifted to targeting HR portals
and job boards like LinkedIn,
putting nearly every industry at risk.
The group uses cloud infrastructure, anonymous domains, and evasive communication methods to avoid detection.
The campaign is especially dangerous because HR staff are expected to open emails and files from unknown sources,
making them ideal targets under high-volume hiring pressures.
The Lunamoth Group, also known as Silent Ransom Group, is escalating its callback phishing
attacks on U.S. legal and financial institutions.
These campaigns impersonate IT support staff via email and phone, tricking victims into
calling fake help desk numbers. Victims are then persuaded to install remote monitoring tools like AnyDesk or Zoho Assist,
granting attackers direct access to their systems.
Lunamoth avoids malware, relying entirely on social engineering.
Once inside, they search for sensitive data and exfiltrate it using tools like WinSCP or R-Clone.
The attackers then extort victims, threatening to leak stolen data unless ransoms are paid.
The group has registered dozens of typo-squatted domains to support this scheme and remains
difficult to detect due to its use of legitimate software.
Organizations are advised to restrict unused RMM tools and block known
lunamoth infrastructure. The US Treasury has begun the process of cutting off
Cambodia-based Huion Group from the dollar financial system, citing its role
in laundering billions for North Korea and Southeast Asian cyber criminal
groups. Huion facilitated scams and laundered over $4 billion from 2021 to early 2025, including
$37 million tied to North Korean cyber activities.
The company operates Huion Guarantee, a massive illicit online marketplace that, according
to Chainalysis and Elliptic, has processed up to $49 billion
in crypto transactions, far surpassing past darknet markets like Hydra.
Huion's network includes crypto and payment services that support scams and money laundering.
The U.S. aims to disrupt Huion's financial operations, with Treasury officials labeling it a central
hub for global cybercrime.
The move follows a broader crackdown on cyber scams in East and Southeast Asia, where organized
crime thrives amid weak enforcement and systemic corruption. Coming up after the break, my conversation with Manzi Mirza, co-founder and CEO of Krogel,
we're discussing the CISO's conundrum in the face of AI, and malware, malsiers, and
mayhem a Disney hacker pleads guilty.
Stick around.
Traditional pen testing is resource-intensive, slow, and expensive,
providing only a point-in in time snapshot of your application's
security, leaving it vulnerable between development cycles.
Automated scanners alone are unreliable in detecting faults within application logic
and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection with recurring manual penetration testing conducted by Crest certified pen testers allowing you
to stay ahead of threats and ensure your web applications are always secure.
And now a word from our sponsor, BlackKite.
If third-party risk is keeping you up at night, you're not alone.
It's a constant battle.
BlackKite's third-party cyber risk platform is built on real-world threat intelligence,
straight from their research team's ongoing breach analysis, dark web monitoring, and
attacker tactics. That means you get a hacker's eye view of your supply chain to proactively spot risks.
And speaking of research, they just dropped their 2025 third-party breach report, breaking
down last year's biggest trends and what's coming next.
Grab the report now at www.blackkite.com.
At last week's RSAC conference in San Francisco, I caught up with Manzi Merca, co-founder and
CEO of Krogel. In today's sponsored interview,
we discuss the CISO's conundrum in the face of AI.
And we are here at RSAC 2025 and joining me,
I feel like it's old home week.
Nice to speak once again with Manzi Mirza.
Today you are with Krogel.
You're the CEO and co-founder of that company.
We spoke, of course, in the past, you were with Splunk for many, many years CEO and co-founder of that company. We spoke of course in
your past, you were with Splunk for many many years. It's great to have you back.
Yeah great to be back, good to see you. So let's start off just for folks who may
not be familiar with the new company, how do you describe it? Krogl works on
tickets. It's a autonomous analyst, it's a knowledge engine that investigates
alerts,
executes threat hunts, and documents all of its work.
So when you have thousands of alerts coming in,
you need someone or something to look at those alerts
and operate on them so the analysts can really focus
on things that are important.
Well, take me through the journey here.
I mean, as you and your colleagues were thinking
about starting this up,
and is this a thing, would this work?
Like, what was the problem that you thought you could solve?
What was the itch that you thought you could scratch?
So I was an executive at Databricks for many years,
and then I had this idea to do something.
So instead of starting a company,
I actually went and worked for one of the largest banks in the world.
And to... I really wanted to feel the pain
of security operators,
because I thought surely, you know,
by 2023 these problems have been resolved.
And two big surprises,
which caused us to really focus Krogl
in the way that we did.
The first big one was, analysts told us over and over again
that the tools were in their way.
And leaders said, well, I don't have enough people.
So we found like that's like an interesting juxtaposition.
And we said, what if we created a product
that would make every security analyst
as effective as the entire team?
Now for the analyst listening in the room, right?
They know that's a ridiculous proposition.
But then the question is what would have to happen?
So that was the nexus point to start to create Krogl
to say, what would we have to build
to really enable and empower the analysts
to really exercise their intuition
and be as good as they want to be
without creating a tool that actually impedes them?
And that's how we started to work on Krogl
and we started two years ago.
Well, so help us understand,
when you say the tool's getting in the way for the analysts,
what does that look like day to day?
What's that frustration there?
Yeah, so I learned this firsthand
because I went into a very sophisticated organization
as an analyst.
So when an alert comes in,
usually you have lots and lots of tools
at your disposal to go and investigate the alert. You might have something
sitting in a data lake, you might have something sitting in your EDR system. So
just within those two capacities, now I have to know how to write a query against
my data lake, and then I have to extract that out, and then I have to know how to
write a query against my EDR system, and now I got to connect these two. We're
just at two right now.
Average organization has like 45 plus
security technologies and tooling,
so I have to, so the tool is in the way
in the sense that now I have to know all the schemas,
I have to know where all the data sits,
where the different types of data sits,
and then I have to integrate the results that I'm getting,
even though I know what to do.
I know how to investigate a malware alert,
but what I don't, or can't remember as a human,
is where is the data?
Where do I go first?
Where do I go next?
How do I write the query?
And so the tools are actually getting
in my way to do my job.
Okay, and so what does the other side of that look like?
What sort of things are you all providing
to get rid of those barriers?
So we sat down and we said, okay, if you want to make every analyst as effective as the entire team,
what laws of physics will we have to break? So the first one we said, okay, if you really want to do
this, you have to have a system that says you don't have to normalize your schema.
Because every analysis system says
you have to normalize your schema,
and then you can start to work on it.
But we know from experience from all these prior companies
that nobody's data is normalized across,
even within one tool, let alone across multiple data lakes.
And so that was number one.
So we said, okay, we have to build a system that does,
so we build a knowledge graph that creates a semantic layer
on top of the enterprise data lakes.
So that if something is called source IP over here
or sashimi over there, it doesn't matter.
We can still help the analyst execute that query
without having to write the query language
for those two systems because we now have understanding.
The second thing that we focused on was process.
So first is data problem, the second is a process problem.
What do analysts know?
Well, they know what to do, but they want it to be repeatable,
because Bob wants to share his work with Alice,
and between the two of them as a team, they do better work.
So create a mechanism to learn a process from Bob's work
and learn a process from Alice's work,
such that when the third person comes in,
they can benefit from the work of those two people.
So data and process, and those are the two building blocks
on which the whole system that we created is built.
Let's shift gears from the analyst to the CISO.
How is this sort of thing a lifestyle upgrade for the CISO?
Yeah, so I think from a CISO point of view,
when I talk to CISOs and our customers,
they are telling us their biggest challenge
is they're looking at a bandwidth problem.
And what they mean by that is that yesterday, let's say before the emergence of AI in the general context,
they had, let's say, a thousand users
or 5,000 users in their organization.
And so the security teams were doing work
to protect those 5,000 users or those 20,000 customers.
Now that AI is a part of the equation,
the amount of work that any given user can do
or the amount of expectation and work that any given user can do, or the amount of expectation
and work that any given customer is doing,
has increased by a very large order of magnitude.
So, it's almost analogous to what they're saying,
is I have 10 times more customers,
I have 10 times more users.
So now I have to protect in that environment.
And these CISOs were already encumbered
by not being able to respond to alerts,
I mean the thousands of alerts
that they were receiving before.
Now all of a sudden there's a whole bunch more.
So now they have this bandwidth issue
of how do I respond to this increase?
Their budgets are not increasing,
but they want to respond to this.
So they're saying, well I need something
to actually do the job.
So when I go and talk to them,
they're like, don't talk to me about AI. It's fine, you have AI, everybody has AI them, they're like, don't talk to me about AI.
It's fine, you have AI, everybody has AI, it's all good.
Don't talk to me about AI.
Talk to me, what are you actually going to do?
And so our mantra is very simple,
Krogel works on tickets.
And so that the analysts can focus on things
that are really important,
and the work can actually be done for you.
And so it's that bandwidth issue.
Now why is that a bigger, broader issue?
So when I ask them, okay, so what are your choices then?
So they're telling us their choices are one,
well, I could try to build this capability in-house.
And they understand if they're in a manufacturing business
or the government agency, their job is not to build products
and maintain products over their life cycle.
They're like, well, I tried, and then I asked them,
well, why are you trying this by yourself?
And they say, well, my SIM experiment failed,
or my SOAR experiment failed.
I'm not really trusting the industry
to see the path forward, so I'm going to do this on my own
because I haven't seen anything that actually works.
And then the second part of that is, okay, well, then why don't you go do it? And they say, no, we don't really anything that actually works. And then the second part of that is,
okay, well, then why don't you go do it?
And they say, no, we don't really want to do it.
We need a system to do this for us.
Okay, well, what do you need?
And that's where we got the interest of them telling us,
we need a system that appreciates the fact
that data is not normalized,
and we need a system that creates reproducible outcomes
that is rooted and anchored in processes.
And so that's what we're building.
You mentioned a couple of times the benefit of sort of
separating yourself from the need
to have the data normalized.
Can we dig into that a little bit?
Yes.
Explain that to me.
So, as an analyst,
when I go, if I'm working on something,
I have to touch lots and lots of systems.
Each system has a different schema,
and a different query language.
And so I have to learn that, and I have to memorize that.
And so the conventional wisdom has always been,
whether you look, anyone who's selling a data lake
or has a data lake product says,
well just put all your data in this one data lake.
Now what we are experiencing now is, that's not true.
People are living in cloud, multi-cloud hybrid.
So that's the problem statement.
So now the question is, okay,
how are you going to learn this?
So we built a system that essentially builds
this knowledge graph across all these different data lakes.
And the way we do that is we're essentially emulating
the way the analysts work.
Because the analysts doesn't say,
oh data's not normalized, sorry, can't work here anymore.
Right, right, sure.
They work through the problem.
And so we talk to tons and tons of analysts,
say how do you work through the problem?
And so they explain to us,
and we essentially patent this ability now,
we have a patent for this,
to go in and connect to a system
and learn what kind of data is in that system,
and learn how that data is related to another data set
in another system.
And so we are creating this semantic layer
of knowledge across,
so that the analyst now doesn't have to remember anything.
I see.
So this is work that the analysts were already doing
maybe without even realizing it,
all of these adapting to all these different systems.
So you take that burden off of them
and so they can cross talk.
That's really interesting.
Well, it is RSA, it is 2025.
You said the magic word, AI.
Is there-
Hopefully I didn't say it too many times.
No, no, right?
Is there an AI component that folks should know about?
Yes.
I think the biggest thing that we learned
as we started the company
is we like to call it a compound AI system.
There is no singular, there is no singular
sort of mechanism here.
So as an example, our technology uses an LLM.
We use a retrieval augmented generation capability.
We have an agentic workflow.
We even use a relational database.
And so AI is not just like a singular entity.
It is a combination of things working together
to produce an outcome.
In our case, the outcome being work on tickets
in a responsible way such that it's documented,
it is inspectable, and it is auditable.
And that's really the thing around AI
that is most important for, I think,
most people to understand.
And I think the other piece,
which a lot of folks are not talking about,
which I think we are sort of the,
we're proving that to be true,
which is not conventional wisdom, is,
so for example, we have a customer today
that's running Krogol in an internet disconnected environment,
fully functional, so it's a self-contained,
customer managed system.
So even that is possible, just like, you know,
so there's two big physics things that we broke, right?
The first thing we broke was,
oh, you don't have to normalize your data,
how dare you even say that out loud, right?
But yes, you don't have to normalize your data,
there's a way to solve that problem and solve outcomes.
The other one was, there's no way
that you can package this system up,
this compound AI system up, to make it customer managed
and fully private and completely in the customer's control.
So we solved that problem.
So it's possible to do it.
We have customers who are using it.
And so that's the thing I think about AI
that I think it would be really cool
for more people to understand.
Well before I let you go, let's go back up to the 50,000 foot view here.
As you're walking around here at RSAC, what gives you hope?
What are you optimistic about?
What are the positive things you're seeing from this industry?
Well first, I see still a lot of interaction,
a committed community that is yet
at another inflection point.
Like we have the mobile inflection point,
the high speed networks inflection,
big data inflection point.
We're at this AI inflection point.
And this community has always been ready
to take on the unknown.
And there's so many people that have had
so many conversations in meetups and on panels
and different
discussions.
The community is ready to work and to look forward,
both from the perspective of what will AI be used for to
help protect,
but also what will AI be used for to build,
bring together a new environment and a new ecosystem
for us.
So that is very energizing for me.
And I see that that's very energizing to a lot of people.
Yeah.
All right.
Well, Manzi Mirza is CEO and co-founder of Krogel.
Manzi, thank you so much for taking the time for us.
Thanks for having me, Dave.
It's a pleasure talking to you.
Yeah, take care.
Yeah, thank you. Let's be real, navigating security compliance can feel like assembling IKEA furniture without
the instructions.
You know you need it, but it takes forever and you're never quite sure if you've done
it right.
That's where Vanta comes in.
Vanta is a trust management platform
that automates up to 90% of the work for frameworks
like SOC 2, ISO 27001, and HIPAA,
getting you audit ready in weeks, not months.
Whether you're a founder, an engineer,
or managing IT and security for the first time,
Vanta helps you prove your security posture
without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta
to monitor compliance, streamline risk, and speed up security reviews by up to five times.
And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars
a year and pays
for itself in just three months.
For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber.
That's v-a-n-year-old Californian Ryan Kramer,
alias NullBulge, pled guilty to hacking into Disney's Slack and stealing 1.1 terabytes of internal
data, with a malware-laced AI image generator disguised as a legit program on GitHub.
One unsuspecting Disney employee downloaded the malware, unknowingly handed over his digital
keys, including those stored in one password. Kramer used them to sneak into Disney's Slack like a tech-savvy Ursula, grabbing data from
nearly 10,000 channels.
Then with the flair of a B-movie hacker, Kramer posed as a Russian hacktivist group, threatening
the employee to stay quiet or face the public dump of Disney's secrets.
When the employee didn't bite,
Kramer made good on the threat
and posted the massive haul on breach forums.
Kramer now faces up to 10 years in prison,
proving once again that trying to blackmail a mouse
never ends well. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast. Your feedback
ensures we deliver the insights that keep you a step ahead in the rapidly changing world of
cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben. Peter Kilpe is our publisher and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Music What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in active directory, Entra ID, and Hybrid configurations.
Identity leaders are reducing
such risks with Attack Path Management.
You can learn how Attack Path Management is
connecting identity and security teams
while reducing risk with
Bloodhound Enterprise powered by SpectorOps.
Head to spectorops.io today to learn more.
SpectorOps, see your attack paths the way adversaries do.