CyberWire Daily - No quick fix for a ClickFix attack.

Episode Date: May 12, 2025

A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over one point three billion dollars. Stores across the UK face empty shelves due to an ongoing cyberattack. Ascension Health reports that over 437,000 patients were affected by a third-party data breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. U.S. prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. Tim Starks, Senior Reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA. Fair use faces limits in generative AI.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

We welcome back Tim Starks, Senior Reporter from CyberScoop, discussing congressional reactions to White House budget cut proposals for CISA. You can find background information in these articles:

House appropriators have reservations — or worse — about proposed CISA cuts
Sen. Murphy: Trump administration has 'illegally gutted funding for cybersecurity'

Selected Reading

iClicker website compromised with fake ClickFix CAPTCHA installing malware (BeyondMachines.net)
Google Agrees to $1.3 Billion Settlement in Texas Privacy Lawsuits (SecurityWeek)
Fears 'hackers still in the system' leave Co-op shelves running empty across UK (The Record)
437,000 Impacted by Ascension Health Data Breach (SecurityWeek)
SAP NetWeaver Vulnerability Exploited in Wild by Chinese Hackers (Cyber Security News)
New SEO Poisoning Campaign Targeting IT Admins With Malware (Hackread)
Three Russians, one Kazakhstani charged in takedown of Anyproxy and 5socks botnets (The Record)
Defendnot — A New Tool That Disables Windows Defender by Posing as an Antivirus Solution (Cyber Security News)
Five Takeaways from the Copyright Office's Controversial New AI Report (Copyright Lately)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Hey everybody, Dave here. Join me and my guests, Outpost 24's Laura Enriquez and Michelo Steppa on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable practical steps to strengthen your defenses. Again, the webinar is Tuesday,
Starting point is 00:00:42 May 13th for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there. Hey, everybody. Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports, so I know exactly what's been taken down.
Starting point is 00:01:25 I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information, and reduce exposure to social engineering and phishing threats.
Starting point is 00:01:49 And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code N2K at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. That's joindeleteme.com slash N2K code N2K. A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over $1.3 billion. Stores across the UK face empty shelves due to an ongoing cyberattack. Ascension Health reports that over 437,000 patients were affected by a third-party data
Starting point is 00:02:44 breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. US prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking
Starting point is 00:03:06 a legitimate antivirus is installed. Tim Starks, senior reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA, and fair use faces limits in generative AI. It's Monday, May 12, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Monday and thanks for joining us here today. It is great to have you with us. iClicker is a student engagement platform used by about 5,000 instructors and 7 million
Starting point is 00:04:01 students at U.S. colleges, including major universities like Michigan and Florida. Between April 12 and the 16th of this year, its website was compromised in a ClickFix social engineering attack. A fake CAPTCHA tricked visitors into running a malicious PowerShell script by copying it from the clipboard into the Windows Run dialog. Once executed, the script connected to a remote server to fetch more malware. Depending on the visitor, the attack either gave hackers full access
Starting point is 00:04:34 or downloaded harmless software to avoid detection. The likely payload was an information stealer, targeting credentials, browser data, and cryptocurrency wallets. iClicker confirmed the breach on May 6, stating its apps and data were unaffected and the vulnerability had been fixed. The number of affected users is still unknown. Google will pay $1.375 billion to Texas to settle claims it secretly tracked users' locations, private browsing activity, and biometric data without consent.
Starting point is 00:05:11 The lawsuit, led by Attorney General Ken Paxton, alleged that Google continued tracking users even with location services off and used the data for advertising profits. It also claimed Google collected biometric data like facial geometry without proper consent. Google denies wrongdoing but has since updated its policies. The settlement is one of the largest U.S. privacy-related fines. Co-op stores across the UK are facing empty shelves due to an ongoing cyberattack that began two weeks ago. Fearing hackers may still have access, the company has kept key logistics systems offline, severely disrupting deliveries. Staff report depot shipments are below 20 percent
Starting point is 00:05:58 of normal, with meat, dairy, and eggs prioritized due to perishability laws. Other items like produce, canned goods, and cigarettes remain scarce. CEO Shirine Khoury-Haq confirmed customers and member data was compromised, though the nature of the hack is still unclear. Despite all stores remaining open, recovery is expected to take weeks. On the Scottish island of Islay, where Co-op is the only major grocer, special delivery processes are in place. Co-op, a member-owned cooperative, operates over 3,000 locations and does not have to report financial losses to public markets. Ascension Health reported that over 437,000 patients were affected by a data breach tied
Starting point is 00:06:47 to a third-party vendor's software vulnerability, not its own systems. Hackers exploited this flaw to steal sensitive data, including names, contact details, Social Security numbers, and health information. The breach likely stemmed from the Clop ransomware group's December 2023 attack on Cleo's file transfer platform. Impacted patients are being offered two years of free credit monitoring. This breach is smaller than Ascension's May 2024 ransomware incident, affecting 5.6 million. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited by Chinese state-sponsored
Starting point is 00:07:28 hackers. The flaw, found in the Internet Communication Manager component, allows unauthenticated remote code execution via crafted HTTP requests. Despite emergency patches, many SAP systems remain exposed. Attackers are targeting high-value sectors like finance and manufacturing to steal sensitive data and establish persistent access. Researchers found that custom malware, dubbed SAFIRE, uses encrypted communication over SAP protocols, making detection difficult.
Starting point is 00:08:03 The attack chain begins with a malicious SOAP request that exploits memory corruption and delivers a reverse shell. From there, attackers modify SAP configurations to maintain access. The sophisticated campaign raises concerns about supply chain risks and has already caused operational disruptions across critical sectors including healthcare, government, and infrastructure. Varonis has uncovered two major cybersecurity threats targeting IT admins and cloud systems. First, attackers are using SEO poisoning to trick admins into downloading malware disguised as legitimate tools. These fake downloads can install back
Starting point is 00:08:45 doors like SmokedHam or monitoring software enabling credential theft and data exfiltration. In one case, nearly a terabyte of data was stolen, followed by a ransomware attack. Separately, Varonis found a critical root access flaw in Azure's AZNFS mount utility used in HPC and AI workloads. The bug lets unprivileged users escalate to root by exploiting environment variables. Though Microsoft rated it low severity, the risk of full cloud compromise is significant. Varonis urges immediate patching and recommends a defense-in-depth strategy to reduce exposure. U.S. prosecutors have charged three Russians and one Kazakhstani in connection with a takedown
Starting point is 00:09:34 of two major botnets, Anyproxy and 5socks. The suspects allegedly ran a malware campaign that hijacked outdated wireless routers, converting them into proxy servers for rent on the seized websites. The botnets offered over 7,000 proxies, generating $46 million over 20 years. The operation, named Moonlander, involved international cooperation and technical analysis from Lumen Technologies. Many infected routers were found in Oklahoma with global reach across over 80 countries. The FBI warns that outdated routers, especially older Linksys, Cisco, and TP-Link models, are prime targets for exploitation by threat actors, including Chinese hackers.
Starting point is 00:10:23 Two defendants also face charges of using false identities to register domains. Authorities urge replacing unsupported routers to avoid similar compromises. A new tool called DefendNot disables Microsoft Defender by exploiting the Windows Security Center API, tricking Windows into thinking a legitimate antivirus is installed. Created by a GitHub developer, DefendNot registers a fake antivirus product using reverse-engineered interactions with the undocumented WSC API, bypassing Microsoft's integrity checks by injecting its code into trusted processes like Task Manager.
Starting point is 00:11:07 Once registered, Windows automatically disables Defender to avoid conflicts. While the tool requires admin privileges and persistent installation to survive reboots, it poses a risk if abused by malware developers. Security experts warn that although DefendNot showcases impressive technical skill, it highlights a significant security gap in how Windows handles AV product registration. The tool builds on the developer's earlier project, No-Defender, and underscores the need for better safeguards in WSC's architecture. Coming up after the break, my conversation with Tim Starks from CyberScoop discussing congressional reactions to White House budget cut proposals for CISA and fair use faces
Starting point is 00:12:02 limits in generative AI. Stick around. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Starting point is 00:13:01 Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life.
Starting point is 00:13:37 More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get a thousand dollars off Vanta at Vanta.com slash cyber. That's Vanta.com slash cyber. It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop.
Starting point is 00:14:29 Tim, welcome back. It's great to be back. So Tim, you have posted a couple of stories over on CyberScoop in the past week or so looking at some of the proposed cuts to CISA and reactions from lawmakers about that. Can you unpack some of your reporting here for us? Yeah, sure. We start tail end of what would have been May 2nd, I think, where the administration put out its skinny budget that they called it, basically lacking major details. But it indicated that they would be looking to cut CISA's budget by $491 million, which
Starting point is 00:15:11 is, I think I estimated it was 17%. Lawmakers have been saying close to 20%. I think both are accurate. But it's a pretty massive, pretty massive potential cut. And the reasons they talked about doing this, they know, they don't go into a lot of details, but they talk about this notion that the Trump administration has that the CISA was part of the censorship industrial complex. We can talk more about whether that's true or not in a second. But, you know, we saw some reaction from lawmakers first on the
Starting point is 00:15:42 House side, the appropriators. Democrats were very harsh about this cut. They basically were saying this would be a killing blow for the agency and other things. The Republican chairman of the committee, the Homeland Security subcommittee, Mark Amodei, had said, we need more details than this. We're hearing that China and Russia are kicking our butts, and here we are looking to cut this agency. So you need to really show us why you think we need to do that. And then continues on into later the week in which on Thursday of this week,
Starting point is 00:16:20 since it's time to do this, and the top Democrat on the Homeland Security Appropriations subcommittee, Chris Murphy, said that this was an illegal gutting of cybersecurity at DHS to pay for the border and that gets us up to speed. Well, let's go in a little reverse order then from where you laid things out for us. Talking about Senator Murphy, what is the case that he's making that these cuts might be illegal? Yeah, he was painting with a broader brush when he said, when he was talking about the powers of the purse that Congress has. I mean, the idea is Congress appropriates money, the executive branch spends it.
Starting point is 00:17:01 And there have been a lot of things happening at CISA where cuts have already happened to personnel, cuts have already happened to programs. There are talks about even more cuts, potentially a thousand plus people at a 3,000 person agency. And Senator Murphy's case was, this is illegal because you're ignoring congressional mandates. Let's talk about Kristi Noem, who has referred to CISA as playing the role of the Ministry of Truth. This rhetoric, I guess it feels old to me. I feel as though after the 2020 election and we had
Starting point is 00:17:50 members of Trump himself and of course his inner circle saying that the election was fraudulent and all of those things, which as we know got played out in many, many courtrooms across the country. But my sense after all of that was that CISA was maybe out of self-interest backing away from the misinformation role on their own. And so it seems to me like this stuff coming from Kristi Noem is kind of a solution in search of a problem. I think that's a good characterization. I'm trying not to editorialize here, but the administration, the Biden administration, really backed off of anything it was doing on misinformation, disinformation,
Starting point is 00:18:36 which by the way, was at best a minuscule amount of the work that the agency was doing. Then the Secretary of Homeland Security herself evicted anybody who was in the election security community within CISA who was still working on misinformation or disinformation anyway and explicitly related to election security. And that was, I think, the most revealing exchange, even though we led our story with Senator Murphy, was between Senator Peters and Kristi Noem, with him basically saying, okay,
Starting point is 00:19:07 so you got rid of 15 people out of 3,000. How are you trying to get the agency back on mission? She says it is back on mission. But that's contradicted by the fact that if you look at what little information there is in the Trump administration budget proposal for fiscal 2026, their major reason that they're saying that we need to cut back on this agency is that it's being this ministry of truth kind of thing.
Starting point is 00:19:34 So it's a little confusing about whether they believe this is still going on and if so, what ways? I mean, there are other programs that people have singled out there. DHS has also gotten rid of. So things like monitoring unlike extremism. DHS has cut contracts for that under this administration. So you start to wonder where the $491 million comes from and whether, to quote Lauren Underwood, the top Democrat
Starting point is 00:19:55 on the House Appropriations Subcommittee, that this isn't about cutting fat. This is about deep cuts. And I think probably it's a justification you can use, especially to the right, if you're saying we need to cut the size of government overall and CISA has 3,000 people, we're going to have to cut some people there too. That's what it kind of feels like to me is that this is more an excuse, but maybe they'll surprise us and when they finally do release the full budget, which appropriators don't know when that's going to happen, they said at these two sessions.
Starting point is 00:20:27 Maybe they'll reveal what they're cutting and we'll say, oh, that's what they were referring to. Or at least it'll make a little bit of sense, whether you agree or disagree with their interpretation of things, you'll at least be able to point out and say, I understand their reasoning. Right now I don't understand their reasoning, frankly. Yeah. I mean, obviously I'm left scratching my own head. Clearly our adversaries are not slowing down or dialing back their investments in misinformation
Starting point is 00:20:50 or their attempts to get into our systems. So it would seem to me like the mission is as important as ever. Yeah. And on that front specifically, if you were saying, I'm concerned about the government censoring American speech, well, they've gotten rid of State Department programs that are focused on foreign misinformation campaigns. So I don't know, it still doesn't make a lot of sense like we were talking about. If you're concerned about Russia and China, to their credit, despite the issues that this president
Starting point is 00:21:26 has had with Russia and whether he's too close to it, the CISA has stood by and said, we believe Russia is a cyber threat. So if you think they're threats, why would you cut these agencies? They need to do a better job, I think, than they have so far to convince me that they have a case. And that's always what comes out of my baseline as a reporter, like, do they have a case? And then you make the case in a story, you explain that case. You let me decide, but right now I don't hear a case.
Starting point is 00:21:50 It doesn't make sense. Well, when we look at proposed leadership for CISA, is it possible that we could find ourselves in a situation where we have a leader who shields the workers from all of this political rhetoric and just says, hey, everybody, heads down, we're going to continue our important work. We're going to make the most of the funds we have. Let me take all of the heat on all of this political stuff, but we've got work to do.
Starting point is 00:22:19 I think it's possible. I think we actually saw that under the first Trump administration. Chris Krebs, at least until the very end, did a good job of keeping CISA off of the president's radar. And the nominee for the CISA job is Sean Plankey. He has a good reputation out there in the cyber world, left and right. He's considered a smart operator.
Starting point is 00:22:43 So we'll see what he does, you know, when the time comes that he does have his hearing, what kind of things he'll say to walk this tightrope of, you know, wanting to run an agency that you believe in, but also having it being cut under your feet by your own president. We'll see what he can get done. I think it's at least possible that he can mitigate some of these things. I think there was another hearing that I tuned into a little bit this week where Kash Patel, who is probably as loyalist as it gets to Trump, was saying that the FBI needed more money than the budget proposal. So if he's saying it, I wonder if somebody who's less ideologically aligned, and I don't
Starting point is 00:23:23 mean to say that Plankey's not conservative because my understanding is that he is. But if somebody who's less ideologically aligned to this MAGA movement, maybe that person can find a way to walk that tightrope. Yeah. All right, well, we will have links to all of Tim's reporting on these topics in our show notes.
Starting point is 00:23:45 Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for taking the time for us. Thank you, Dave. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect.
Starting point is 00:24:26 This poses risk in Active Directory, Entra ID, and hybrid configurations. Identity leaders are reducing such risks with Attack Path Management. You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps, see your attack paths the way adversaries do. And finally, late last Friday, in a move as quietly timed as it was politically charged, the U.S. Copyright Office released a pre-publication version of Part 3 of its AI study, just hours before its top leadership was abruptly dismissed. The 108-page report tackles how copyright law, especially fair use, should apply to
Starting point is 00:25:31 AI training. It argues that copying during training is presumptively infringing, and that even the model's weights may embed protected expression. The report emphasizes that fair use hinges on how the AI is ultimately used, not just how it's trained. Particularly striking is the Office's endorsement of a novel market dilution theory, warning that AI-generated content could flood and devalue markets, even without direct copying. While courts are not bound by the report, its detailed reasoning
Starting point is 00:26:06 could shape the over 40 ongoing copyright cases involving generative AI. Whether the report survives changing political winds remains uncertain, but its legal implications are already rippling outward. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Starting point is 00:26:55 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:27:30 Thanks for listening. We'll see you back here tomorrow. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures
Starting point is 00:28:18 across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.
