CyberWire Daily - No panic—just patch.
Episode Date: June 26, 2025

Patches, patches and more patches. A patient death has been linked to the 2023 ransomware attack on an NHS IT provider. U.S. authorities indict the man known online as “IntelBroker”. A suspected cyberattack disrupts Columbia University’s computer systems. A major license plate reader company restricts cross-state data access after reports revealed misuse of its network by police agencies. Our guest is Andy Boyd, former Director of CIA's Center for Cyber Intelligence (CCI) and currently an operating partner at AE Industrial Partners. Discounted parking as a gateway cybercrime.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Our guest today joins us from this week’s Caveat podcast episode. Andy Boyd, former Director of CIA's Center for Cyber Intelligence (CCI) and currently an operating partner at AE Industrial Partners, a private equity firm focused on the national security and aerospace industries, joins Dave and co-host Ben Yelin to discuss offensive cyber and the United States government. You can listen to the full conversation here and catch new episodes of Caveat every Thursday on your favorite podcast app.

Selected Reading

Cisco reports perfect 10 critical remote code execution flaws in Identity Services Engine (ISE) (Beyond Machines)
Citrix releases emergency patches for actively exploited vulnerability in NetScaler Products (Beyond Machines)
CISA Warns of FortiOS Hard-Coded Credentials Vulnerability Exploited in Attacks (Cyber Security News)
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks (Bleeping Computer)
Patient's death linked to cyber attack on NHS, hospital trust says | Science, Climate & Tech News (Sky News)
British Man Charged by US in ‘IntelBroker’ Company Data Hacks (Bloomberg)
French police reportedly arrest suspected BreachForums administrators (The Record)
Potential Cyberattack Scrambles Columbia University Computer Systems (The New York Times)
Flock Removes States From National Lookup Tool After ICE and Abortion Searches Revealed (404 Media)
Student allegedly hacked Western Sydney University to get discounted parking and alter academic results | New South Wales (The Guardian)

Audience Survey

Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals. Delete Me also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your Delete Me plan.
Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout.
That's joindeleteeme.com slash n2k, code n2k.
Patches, patches, and more patches.
A patient death has been linked to the 2023 ransomware attack on an NHS IT provider.
U.S. authorities indict the man known online as IntelBroker.
A suspected cyber attack disrupts Columbia University.
A major license plate reader company restricts cross-state data access after reports revealed misuse of its network by police agencies.
Our guest is Andy Boyd, former director of the CIA's
Center for Cyber Intelligence
and currently operating partner at AE Industrial Partners.
And discounted parking as a gateway cybercrime.
It's Thursday, June 26th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great as always to have you with us. We begin today with quite the collection of
critical vulnerability notifications.
Cisco has issued an emergency advisory for two critical vulnerabilities, each with a CVSS score of 10, in its Identity Services Engine and ISE Passive Identity Connector.
The first allows remote attackers to execute arbitrary code as root via crafted API requests.
The second lets attackers upload malicious files to privileged directories, also leading
to root-level code execution.
Cisco has released patches to fix the flaws.
The company says there are no known attacks yet but stresses immediate patching as no
workarounds exist.
Organizations using affected systems should update now to prevent possible full system
compromise.
Citrix has patched a critical memory overflow flaw in its NetScaler ADC and Gateway products, which has been actively exploited.
The vulnerability can be triggered remotely and may lead to code execution, despite Citrix
labeling it a denial-of-service risk.
Two additional critical flaws affect sensitive memory handling and access controls.
Patches are available for supported versions, and users are urged to upgrade and terminate all active sessions, especially recalling past issues with CitrixBleed.
CISA has added CVE-2019-6693 to its known exploited vulnerabilities catalog, warning that Fortinet
FortiOS systems are being actively targeted.
The critical flaw involves hard-coded encryption keys in backup files, allowing attackers to
decrypt sensitive configuration data. Federal organizations must apply fixes or stop using
affected systems by July 16. The vulnerability reflects a broader issue with hard-coded credentials, which can't
be changed without altering source code, posing serious risks to network security infrastructure
if left unaddressed.
CISA has confirmed active exploitation of a critical authentication bypass flaw in AMI's MegaRAC BMC firmware used in servers from vendors like HPE and ASUS.
The bug lets unauthenticated attackers remotely hijack and potentially brick unpatched servers.
Discovered by Eclypsium, it can lead to malware deployment, firmware tampering, and physical damage.
With over 1,000 exposed servers found online, CISA has added it to its
known exploited vulnerabilities list, mandating federal agencies patch by July 16th.
A patient death has been linked to the 2023 ransomware attack on NHS IT provider Synnovis, which disrupted pathology services in southeast London.
The attack, attributed to the Russian group Qilin, delayed 1,100 cancer treatments, cancelled 2,000 outpatient appointments, and postponed over 1,000 operations.
King's College Hospital confirmed the death, citing delayed blood test results as a contributing
factor. The cyber attack impacted multiple NHS trusts and primary care across six boroughs, marking
a tragic escalation in the real-world impact of cybercrime.
Kai West, a 25-year-old British man known online as IntelBroker, has been indicted by US authorities for leading a global hacking scheme that caused over $25 million in damages.
Prosecutors allege West and his group breached dozens of companies, stealing and selling sensitive data, including customer lists and marketing information.
Operating on the notorious BreachForums site, West reportedly sold or offered stolen data over 150 times.
He was arrested in France in February and remains in custody pending US extradition.
Authorities linked him to the crimes through cryptocurrency transactions, including a Bitcoin
payment from an undercover officer.
IntelBroker is also connected to past breaches of companies like AMD, Cisco, and Hewlett Packard Enterprise.
If convicted, West faces up to 20 years in prison
on the most serious charge.
French authorities have arrested several individuals, including those known online as ShinyHunters, Hollow, Knocked, and Depressed, suspected of reviving BreachForums, the major marketplace for stolen data.
The suspects, all in their 20s, are linked to high-profile data breaches targeting companies
like SFR and France Travail.
BreachForums was first shut down in 2023 after its co-founder, Connor Fitzpatrick, was arrested.
Authorities allege the group helped relaunch the site in 2024 using new infrastructure.
A suspected cyber attack has disrupted Columbia University's computer systems for a second day,
affecting services on its Morningside campus, including email,
Zoom, and course platforms.
While many systems were restored by Wednesday, key services, like the course and library catalogs, remained offline.
An image of President Trump appeared on some campus screens, though officials say it might
not be tied to the attack.
No data breaches or ransomware have been detected, and law enforcement has been notified.
The University Medical Center was unaffected.
Though no group has claimed responsibility, the incident comes amid rising cyber threats to universities, which face increasing attacks due to valuable data and complex networks.
Flock, a major license plate reader company, has restricted cross-state data access in Illinois, California, and Virginia after reports revealed misuse of its network by police agencies.
Investigations by 404 Media showed police used Flock's national lookup feature to aid ICE operations and track
individuals for reasons tied to immigration and abortion, violating state laws.
In response, Flock disabled national lookups in those states, revoked access for 47 agencies
in Illinois, and introduced real-time search blocking for illegal terms.
Virginia's new law, effective July 1, limits license plate data use to specific crimes.
Flock also plans an AI tool to flag suspicious searches and is re-educating agencies on legal data use.
The change follows mounting public concern, audits, and local media reports of unauthorized data use.
Several cities, including Austin and San
Marcos, have ended or scaled back contracts with Flock over these concerns.
Flock says it's reinforcing compliance through audits, new training, and stricter
oversight.
Coming up after the break, Andrew Boyd, former director of the CIA's Center for Cyber Intelligence and currently an operating partner at AE Industrial Partners,
and discounted parking as a gateway cybercrime. Stay with us.
And now a word from our sponsor ThreatLocker. Keeping your system secure
shouldn't mean constantly reacting to threats. ThreatLocker helps you take a
different approach by giving you full control over what software can run in
your environment. If it's not approved it doesn't run. Simple as that. It's a way
to stop ransomware and other attacks before they start without adding extra
complexity to your day.
See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have. According to a recent analysis from IDC,
teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity,
check out Vanta and bring some serious efficiency to your GRC game.
Vanta. GRC. How much easier trust can be.
Get started at vanta.com slash cyber.
Andrew Boyd is former director of the CIA's Center for Cyber Intelligence
and currently an operating
partner at AE Industrial Partners.
He recently joined me and my co-host Ben Yelin on the Caveat podcast to discuss offensive cyber and the United States government.
Here's part of our conversation.
Andy, it's a real treat to have you join us here today.
We really appreciate you taking the time.
Thanks, Dave and Ben.
It's an honor to be on the show.
I've been a long time listener
and it's an honor for me as well.
Well, let's start off with your experience.
Can you share with us, where did you get your start
and what led you to where you are today?
Well, I got my start in Northern New Jersey
and then headed off to the Air Force Academy and then after graduating from the Air Force Academy
spent five years in Air Force intelligence, migrated to the State
Department, fell in love with the overseas experience and spent a decade
in the field with the US State Department, a variety of embassies across the Middle
East. I went and joined the CIA,
started working on real concrete counter-terrorism issues,
but eventually migrated into cyber operations,
ultimately culminating at the end of my career,
serving for almost four years
as the director of CIA Center for Cyber Intelligence.
What is the primary mission that you had there
as director of the Center for Cyber Intelligence with the CIA?
So what I like to say is, you know, CCI is the mission manager for all things cyber at CIA.
That includes offensive cyber operations, intelligence collection, and strategic analysis,
writing products on nation-state and non-nation-state cyber threats for the Oval Office and what we call
the President's Daily Brief, all the way down
to specific analyses of cyber threats
that probably would not be of interest to policymakers,
but certainly would be of interest to threat hunters
in the intelligence community,
but also in the other parts of the US government, DHS, CISA, and folks that are defenders of our networks.
So you, just based on your experience, I think you're well situated to answer this question.
One of the things you told us before this interview is that there is a say-do gap in offensive cyber operations.
Can you describe that a little bit? Because I think
politicians in both parties, presidential administrations, say that they want to improve
offensive cyber operations and nobody really knows what that means in practice.
So yeah, the say-do gap, I think I stole that from some of my DOD friends who like that phrase.
I take the new administration at their word,
including John Ratcliffe, who's the director of CIA currently,
who said that they want to expand
offensive cyber operations against our adversaries.
I think in part, it comes from not really understanding
what cyber tools can do and what they can't do.
We use our cyber tools in the intelligence community
and in cyber command and across the government
to collect information, to collect intelligence,
but also under very specific authorities
from the White House to disrupt,
or in some cases destroy networks that are
of our adversaries where we see a threat.
As has been sort of alluded to, I think, offensive cyber is sometimes a fuzzy term, sometimes a loaded term.
I would love to hear how you define it and how you think it's different from cyber defense
or active defense.
I tend to define offensive cyber as two things,
information, intelligence collection on one side of it,
which frankly, not just the United States,
but a number of nations with capabilities do that.
And then on the other side, the destructive
and or disruptive attacks using cyber tools
to bring down networks.
Now, there are some who consider
cyber warfare to be in a completely separate domain of warfare, like the army and the marines
on the ground, the Air Force and Navy, Naval Aviation in the air, Space, using space as a military domain. In my opinion, cyber, offensive cyber is a supporting
activity, not unlike electronic warfare, to support whatever the strategic goal is of a military
activity. Again, separate from my point on information collection, intelligence collection.
Now, if you have a well thought out strategy, cyber attacks against a military adversary's communications grids, things like that can be, you know, quite helpful.
Yeah. So just for example, as we're recording this, tensions have erupted between Israel
and Iran and there's been discussion of US involvement. And I think certainly a reticence to send active U.S. service members
into the region for this type of conflict.
Do you foresee some point down the line where our entire involvement
in a conflict like this, even just supporting an ally,
whether that's Israel or a NATO ally, is going to be through our
expertise in offensive cyber operations?
I don't think so.
I mean, I think the conflict between Israel and Iran is proving that kinetic military
activity, for lack of a better term, it is what wins wars.
Again, there is some indication that there's been some cyber activity on the Israeli side, onto Iran.
Again, I think against a bank that was associated with the IRGC in Iran, that is a supporting
element to the broader military operation. If, in fact, the United States decides to use only
cyber tools against Iran, and I'm not saying that this is even in the offing.
That would really, in my opinion, and this is not a judgment on any administration, it's
just what I've experienced over my career, that would really just be a sort of crutch
to indicate that we're doing something because there is no concrete way to affect what's happening between
Israel and Iran in comparison to the, you know, the air dominance that the
Israelis have and the attacks that they've done on the leadership
infrastructure in Iran.
Andy, what do you see as the boundaries or ethical red lines for offensive cyber?
I would suspect Ben as an attorney may be better equipped
to answer that, but I will give my opinion on that.
As an attorney, I'd just like to say I have no ethics.
Okay.
Just kidding.
I mean, again, there's some sort of mystery and magic applied to cyber that has always sort of mystified me, frankly,
when it's really just another tool for intelligence collection or, again, disruptive or destructive activity, not unlike electronic warfare or any other inventions that we've had over the years.
It's just that a lot of people, again,
going back to our policy discussion, don't understand
how it works.
But handsets, our phones, our iPhones, Android phones, endpoints on laptops, small office
home routers, all the endpoints you can think of, that's where the information is.
So that is why cyber, offensive cyber is such an important thing for intelligence collection,
but also, you know, for other sorts of operations.
You know, that in and of itself
doesn't make it particularly unique.
It's just unique in that that's where we are in 2025,
as opposed to where we were 20 years ago,
where, you know, offensive cyber vectors
weren't quite what they are today.
Do you think policymakers themselves
are up to speed on cyber capabilities
and how offensive cyber is actually used?
I think there are some.
I think there are some both in the Senate and the House
and in the executive branch who are very cognizant of it.
I mean, obviously there's, you know, professional, you know, permanent non-political staff at the intelligence community and out at DHS and elsewhere who are very, very cognizant of all of it. But I think writ large
I don't think we've really settled on what our strategic intent
in cyber is currently and how that's going to nest into our broader national security
strategy.
I don't think we've really settled on the big part of that grand strategy debate is
whether or not our cyber tools are warfighting domain
in and of themselves, or is it a supporting fire?
Yeah, it's been my perception that leadership
up to and including presidents are reticent
to draw red lines in the sand when it comes to cyber.
And you can understand why that may be,
but it seems to me like there's intentional fuzziness there,
like maybe to not hold back capabilities
or perhaps not even reveal capabilities.
Do you think there's anything to that line of thinking?
Well, I mean, I also don't think
that debate is settled yet either.
I mean, there are some in the previous administration
that believe that a disruptive or destructive cyber attack
inside Russia post Russian invasion of Ukraine,
that that would be considered an act of war
because the activity was happening
on boxes inside of Russia.
There was a whole nother group of folks
in the previous administration who argued
that that was not the case.
If no one was going to be injured, that that would not be an active war. And I really do
not think we've resolved that debate. And I think, you know, you all are familiar with the Cyberspace Solarium Commission, where a lot of these discussions happened and that kind of grew into the founding of the Office of the National Cyber Director.
A lot of these ideas were discussed in there, and frankly the naming of the Cyberspace Solarium Commission, linking it to the discussion in the 1950s about the appropriate deterrent capability of nuclear weapons,
I think, despite all the effort Mark Montgomery and others put into that, is inconclusive.
And I think frankly with the legislative branch and the executive branch we'd
need a behind closed door discussion on that strategy and then a very open
discussion including academia as to where we want to go not unlike what we
did in the 1950s on the discussion of our deterrent strategy back then.
You are now back in the private sector.
What role do you think the private sector can play
in all of this as advisors to the government,
as a way to enhance capabilities?
Can you talk a little bit about that?
Well, thanks for asking, Ben.
Yes, I think the private sector plays an enormous role.
They're both on the defensive and the offensive side.
I mean, on the defensive side, the 90% or more, I can't put a real hard number on it, but the infrastructure is owned by the private sector, be it our telecommunications networks who were victims of Salt Typhoon, be it all 16 critical infrastructure sectors, oil and gas, transportation and whatnot.
Even our medical system and our education system are vulnerable to nation state, non-nation
state cyber threats.
The private sector has to be deeply, deeply involved in defending those networks.
And I think we're way behind the curve on that.
On the offensive side, we have a number of companies that do
vulnerability research and, you know, under appropriate authorities of the federal government
or state and local law enforcement provide that vulnerability research. And then, you
know, what we would call exploit development to do legal activity, be it under DOD Title
10 authorities, intelligence community Title 50 authorities, or under law enforcement authorities. And the US
government doesn't have the capacity to be doing that vulnerability research on
their own and frankly if the private sector is not deeply involved in that we
would be behind the power curve.
Andy, what advice would you give to the next generation of cyber leaders who are navigating this evolving offensive cyber landscape?
Yeah, I mean, I think luckily it didn't just evolve overnight.
I mean, we've sort of watched this progress and frankly, I always point to where Cyber Command was born, you know, a decade and a half ago, and really had a hard time standing up and getting the appropriate people to work.
Now it's a much more collaborative environment, and
the leadership at Cyber Command is frankly second to none.
You know, I do worry about retaining talent in the intelligence community.
We are losing some folks to the voluntary early retirement
program that has sort of been in effect since the new administration came in.
But I think we'll take a step back five years from now,
and I think we'll have a very healthy cyber leadership in the intelligence
community, DOD, FBI, and CISA.
And I think the people we have coming up are very talented.
They just have to keep that flow of talent coming in.
You can hear the full conversation on the Caveat Podcast, which you can find right here on the N2K CyberWire Network or wherever you get your favorite podcasts.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization.
Traditional defenses can't keep up.
Spy Cloud's Holistic Identity Threat Protection helps security teams uncover and automatically remediate hidden exposures
across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.
And finally, what began as a quest for cheaper parking at Western Sydney University turned into a full-blown cybercrime saga, complete with grade tampering, dark web threats, and a cryptocurrency ransom.
A 27-year-old former student, who allegedly didn't take no discount lightly, has been
charged with 20 cyber offenses after a four-year hacking spree that police say escalated from
financial mischief to digital extortion.
Her digital trail included altering academic records, compromising systems, and eventually
demanding $40,000 in crypto to keep sensitive student and staff data off the dark web.
The motive?
Unresolved grievances, police say, though parking rates may have been the proverbial
gateway crime.
Authorities seized over 100 gigabytes of data during raids while the university scrambled
to shore up its cybersecurity.
Experts say universities can be more vulnerable due to complex staff-student roles and, apparently, parking policies that drive some straight into cyber-villainy.
She'll appear in court on Friday.
No word on whether the courthouse validates parking.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire dot
com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August.
There's a link in the show notes.
We hope you'll check it out.
N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to stay ahead of threats.
Download it now at semperis.com slash purple-knight.
That's semperis.com slash purple-knight.