CyberWire Daily - North Korea’s covert coders caught.
Episode Date: July 1, 2025

The Feds shut down a covert North Korean IT operation. Google releases an emergency update to fix a new Chrome zero-day. A major U.S. trade show and event marketing firm suffers a data breach. NetScaler patches a pair of critical vulnerabilities. A sophisticated cyber attack targets The Hague. An Iran-linked hacking group threatens to release emails allegedly stolen from aides to President Trump. A ransomware attack exposes sensitive data linked to multiple Swiss federal government offices. The U.S. Treasury Department faces scrutiny after a string of cyberattacks. The FBI’s phone security tips draw fire from Senator Wyden. Tim Starks from CyberScoop describes how ubiquitous surveillance turned deadly. AI proves its pentesting prowess.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined today by Tim Starks, Senior Reporter from CyberScoop, discussing his story "Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report."

Selected Reading
- US government takes down major North Korean 'remote IT workers' operation (TechCrunch)
- Google fixes fourth actively exploited Chrome zero-day of 2025 (Bleeping Computer)
- NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777 (NetScaler)
- International Criminal Court hit with cyber security attack (AP News)
- Iran-linked hackers threaten to release Trump aides' emails (Reuters)
- Swiss government data compromised in ransomware attack on health foundation Radix (Beyond Machines)
- Trade show management firm Nth Degree hit by data breach, exposing sensitive data (Beyond Machines)
- A Trio of US Treasury Hacks Exposes a Pattern Making Banks Nervous (Bloomberg)
- Senator Chides FBI for Weak Advice on Mobile Security (Krebs on Security)
- The top red teamer in the US is an AI bot (CSO Online)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Risk and compliance shouldn't slow your business down.
HyperProof helps you automate controls, integrate real-time risk workflows, and build a centralized
system of trust so your teams can focus on
growth, not spreadsheets. From faster audits to stronger stakeholder confidence,
HyperProof gives you the business advantage of smarter compliance. Visit
www.hyperproof.io to see how leading teams are transforming their GRC
programs.
The feds shut down a covert North Korean IT operation. Google releases an emergency update to fix a new Chrome zero-day.
A major US trade show and event marketing firm suffers a data breach.
Netscaler patches a pair of critical vulnerabilities.
A sophisticated cyber attack targets the Hague.
An Iran-linked hacking group threatens to release emails allegedly stolen from aides to President Trump.
A ransomware attack exposes sensitive data linked to multiple Swiss federal government agencies.
The US Treasury Department faces scrutiny after a string of cyber attacks.
The FBI's phone security tips draw fire from Senator Wyden.
Tim Starks from Cyberscoop describes how ubiquitous surveillance turned deadly.
And AI proves its pentesting prowess.
It's Tuesday, July 1, 2025. I'm Dave Bittner, and it's great to have you with us today.
It seems impossible that it is already July 1st, but here we are.
The US Department of Justice announced enforcement actions targeting North Korea's covert IT
operations that fund its nuclear program.
Authorities arrested Zhenxing "Danny" Wang, a U.S. citizen, for running a scheme from
New Jersey that placed North Korean IT workers in U.S. tech jobs, generating over $5 million.
Eight others, six Chinese nationals and two Taiwanese citizens, were also indicted for
wire fraud, money laundering, identity theft, hacking and sanctions violations.
From 2021 through 2024, they impersonated over 80 Americans to gain remote jobs at over
100 companies, causing $3 million in damages.
They ran US laptop farms and shell companies
to hide workers' identities and stole sensitive data,
including AI tech from a California defense firm.
The FBI seized 137 laptops and raided 21 sites
in 14 states linked to the scheme.
Google released an emergency update to fix a new Chrome zero-day vulnerability, marking the fourth such flaw patched this year.
The bug, a high-severity type confusion issue in Chrome's V8 JavaScript engine,
was already exploited in the wild.
Discovered by Clement Lecigne from Google's Threat Analysis Group, the flaw could let
attackers execute arbitrary code on unpatched devices.
Google pushed configuration changes on June 26 to mitigate risks, and released updates
for Windows, Mac, and Linux the next day.
While updates may take days to reach all users,
they were immediately available when checked by
BleepingComputer. Google hasn't shared technical
details yet, to protect users until most are updated.
Previous Chrome zero-days were patched in
March, May, and June.
Nth Degree Investment Group, a major U.S. trade show and event marketing firm, reported
a data breach compromising personal data of up to 39,000 people.
The breach occurred between December 12 and 20 of last year, but wasn't discovered until
March of this year.
Exposed data includes Social Security numbers, driver's licenses, financial details, health insurance data, and medical records.
Victims are mainly in Texas.
The company, serving clients like Microsoft and Mercedes-Benz, began notifying affected individuals in April and is offering 12 months of free credit monitoring.
For our audience, it's worth noting that Nth Degree is a provider for the RSAC trade show.
NetScaler, part of Cloud Software Group, released updates to fix two vulnerabilities affecting
NetScaler ADC and NetScaler Gateway when configured as a gateway or AAA virtual server.
The first vulnerability is a memory overflow flaw that could cause denial of service and
unintended control flow.
The second results from insufficient input validation leading to memory overreads.
The company confirmed active exploitation of the first vulnerability and urges immediate updates as no mitigations are available.
The second vulnerability currently shows no exploitation evidence.
The International Criminal Court was hit by a sophisticated cyber attack last week,
the tribunal announced Monday.
The incident has been contained and an impact analysis is underway, though the ICC did not
disclose the motive or whether data was compromised.
The attack comes as The Hague hosted a NATO summit with heightened security.
The ICC, which investigates sensitive global cases, was also targeted in 2023 and has previously
been a focus of espionage efforts.
Business operations continue as mitigation steps are implemented.
Iran-linked hackers calling themselves Robert have threatened to release more emails allegedly
stolen from President Trump's aides, including Susie Wiles, Roger Stone,
attorney Lindsey Halligan, and Stormy Daniels.
The group claims to hold about 100 gigabytes of data and is considering
selling it but hasn't shared details or contents.
They previously leaked emails before the 2024 election, revealing
campaign and legal communications, though the leaks didn't
alter Trump's victory. US officials called the hack a calculated smear
campaign and vowed prosecution. The group resurfaced after recent US airstrikes on
Iran's nuclear facilities, with analysts suggesting Iran seeks asymmetric
retaliation without triggering direct military escalation.
Tehran has denied cyberespionage.
U.S. cyber officials warn critical infrastructure operators remain potential Iranian targets
amid ongoing regional tensions.
The Swiss health promotion foundation Radix has suffered a ransomware attack, exposing sensitive data
linked to multiple Swiss federal government offices.
The Zurich-based nonprofit, which runs health education programs and online counseling services,
was attacked on June 16 by the Sarcoma ransomware group.
When ransom demands failed, Sarcoma leaked 1.3 terabytes of data on June 29, including document scans, financial records, contracts, and internal communications.
The Swiss National Cyber Security Centre confirmed investigations are underway, though attackers did not access federal administration systems directly. Radix is restoring data from backups
and says there's no current evidence
that partner organizations' data was directly compromised.
However, potentially affected individuals are advised
to remain vigilant for phishing or credential theft attempts
in the coming months.
The US Treasury Department is under scrutiny
after three major cyber attacks in five years
exposed critical security gaps, Bloomberg reports.
Recent breaches include Chinese hackers infiltrating Secretary Janet Yellen's computer and Russian
hackers spying on staff emails during the 2020 SolarWinds attack.
In April, hackers accessed the Office of the Comptroller of the Currency's emails for a
year using a VPN without triggering alerts.
Investigations show Treasury repeatedly failed to implement basic safeguards like multi-factor
authentication and adequate log monitoring.
Meanwhile, its cybersecurity leadership has been gutted by departures
linked to Elon Musk's Department of Government Efficiency, leaving vital
positions vacant. Financial institutions are alarmed, fearing their confidential
data could be exposed due to Treasury's weak defenses. Despite a billion-dollar
annual cybersecurity budget, experts warn Treasury's fragmented
oversight and depleted staff make it a prime target for foreign hackers, undermining trust
in its ability to protect the financial sector.
U.S. Senator Ron Wyden criticized the FBI's recent guidance to Capitol Hill staff on mobile
device security as overly simplistic in a letter
to Director Kash Patel. Though the FBI discussed basics like avoiding suspicious links, using
private Wi-Fi, disabling Bluetooth, updating software, and regular reboots, Wyden said
it failed to address zero-click spyware threats used by foreign adversaries. He urged recommending advanced protections available on modern phones, such as Apple's
Lockdown Mode and Android's Advanced Protection Mode, as well as privacy steps like ad blockers,
disabling ad tracking, and opting out of data brokers.
Security experts echoed his call, recommending these features for high-value targets to counter sophisticated mobile attacks.
Coming up after the break, Tim Starks from Cyberscoop describes ubiquitous surveillance turned deadly, and AI proves its pen-testing prowess.
Stay with us.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to stay ahead of threats.
Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity-based
threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what
attackers already know.
That's spycloud.com/cyberwire.
Joining me once again is Tim Starks. He is a senior reporter at CyberScoop. Tim, it's
always great to have you back.
Always, always.
So you posted a story here recently about this Justice Department watchdog report dealing
with some Mexican cartels.
This one has some really interesting elements here.
Can you just give us an overview of the story here, Tim?
Yeah, I was talking to my editor about this, and we were of the mind that if somebody had told you
a story like this, you'd be like,
that sounds like a bad episode of NCIS.
That doesn't sound plausible,
but here we have a rather extraordinary situation
where the Department of Justice Inspector General said,
there was an instance in 2018 where someone
from one of the cartels, the El Chapo cartel,
came to the FBI and said, hey, the cartel hired a hacker who offered this menu of services,
including getting into phones.
That hacker then, on behalf of the cartel, broke into cameras in Mexico City and started tracking people
by their geolocation data, settled
on one particular FBI official who
was coming out of the embassy in Mexico City
and finding out they were having meetings with people who
were either potential witnesses or actual witnesses
or people who might be able to help the case against El
Chapo in some way.
And the FBI learned subsequently that some of those people had been intimidated and even
killed.
Yeah.
I mean, I think so often we're used to these stories ending in someone losing a lot of
money, you know, ransomware or crypto jacking or something like that. But here we're talking about actual loss of life.
It's extremely rare.
And interestingly enough, the only other time I can think of that's confirmed
that this has happened, that a hacker did something that caused someone's
death was actually also last week.
It was the NHS had put out a review of some cyber attack and how it affected blood test results
in London and England, and essentially said,
that the delayed blood test caused someone to die.
There have been other times where we've seen
a little bit of interaction between physical
and cyber attacks, where there's been some tangible harm done, but not much in the way of actual people being killed.
So this is shocking. I'm so much used to writing about economic loss and writing about espionage. And this was just very different.
I've always wondered if we'd get to this point on cyber where, you know, you and I have covered this stuff for so long. It's a huge topic in the world, but I've always
thought, you know, if you can show that people are dying because cyber attacks, I wonder if we'll
gather a new level of physical attention because, you know, even during the Ukraine war,
where there was some discussion of cyber attacks and enabling that war, you still couldn't point
us to anything and say,
that person died because of that attack.
So this convergence has always been really interesting to me
and primarily theoretical.
Now it's quite real.
It sounds like something out of a Mission Impossible movie
or a Bond villain or something like that.
What's the FBI's response been to this watchdog report?
The report talks about failures in the FBI's red team, I believe.
Yeah, so this was part of a broader report that was about the FBI struggling to deal
with ubiquitous technical surveillance.
That means everything from, you know, like the cameras that we saw in this case, or people's phones,
or financial records.
Essentially, there's so much surveillance in the world
that other people could take advantage of,
be they governments or be they people in situations
like this with the hackers, that the Justice Department
Inspector General has been saying,
the FBI needs to get a hang of this.
It's really causing them some trouble.
And this was a follow-on review to an earlier
review. The FBI had created this kind of red team to look into this. And the Justice Department
said, nope, you still haven't quite gotten it yet. So there were some recommendations
that the FBI largely agreed with the recommendations, needed to do a bigger enterprise-wide look
at all of this, but also train agents for.
In terms of this actual story, they have not commented on it specifically and referred my
questions to the Department of Justice, which did not answer at all.
Now, help me understand here, Tim. I mean,
this report goes back several years. So, is it fair to expect that methods have improved over time?
Gosh, I hope not. But it certainly seems that that could be the case, right? I mean, in
terms of what hackers are capable of doing, I think some of the capabilities are similar,
but in terms of how many avenues there are to get into these kinds of things, I mean,
if you're imagining someone taking over the cameras in a city, there may be more vulnerabilities
for them to exploit.
Potentially there may be a broader catalog
of ways they could do that.
So potentially the ability of hackers to do this
in situations where they haven't before might be different.
Although of course, you know, defenses have increased as well. So, you
know, we think a lot about Internet of Things, we think a lot about surveillance
of phones, and in some ways there's been some advancement and some decline
in the defenses there.
You mentioned earlier this notion of ubiquitous
surveillance, which I think we all think about these days. Here's an example of how that's being used by the bad guys and again, ultimately leading
to loss of life.
Yeah, and there's been some reporting as well on the difficulties for intelligence agencies
to collect human intelligence anymore, meaning just the simple matter of meeting in a park
bench with somebody and hoping that you can convert them to spy for you and then stay in touch with you.
So this is a broader phenomenon, that ubiquitous technical surveillance is something that the bad
guys, as you say, could use. This is just maybe the starkest example of it.
Yeah. What do you suppose could come out of a report like this?
Yeah, I mean, I think the FBI seems to acknowledge that it needs to improve some things like
the training to be aware of this, to do a broader enterprise-wide look at this.
I think if you say that the FBI didn't do well enough in its last update report, unless
according to the Inspector General, that there's a chance that they also won't do well enough
next time.
But certainly, the reminders are getting more prominent.
And I think the fact that some of these examples,
there was a largely redacted document.
This one was notably not redacted.
So I think there might be some additional pressure on the FBI
to shape up on this once they realize
the embarrassment of some of these kinds of things,
that this could be more like bully pulpit kind of pressure
that once the public knows about it and knows what's gone wrong because of it,
perhaps the FBI will say, okay, now we need to be even more careful.
We're not just answering to the inspector general of our department.
Yeah. Now, really interesting reporting here.
Again, Tim Starks, the senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that scans your
Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to stay ahead of threats. Download
it now at semperis.com/purple-knight. That's semperis.com/purple-knight.
This episode is brought to you by DAZN. For the first time ever, the 32 best soccer clubs
from across the world
are coming together to decide who the undisputed champions of the world are in the FIFA Club World
Cup. The world's best players, Messi, Haaland, Kane and more are all taking part and you can
watch every match for free on DAZN starting on June 14th and running until July 13th. Sign up now at dazn.com/fifa. That's d-a-z-n.com
slash fifa.
And finally, AI has officially joined the hacker leaderboard. And it's not just any
leaderboard. Over on Hacker One, the top-ranked red teamer isn't a hoodie-wearing human, but
XBOW, an AI chatbot that's been busy finding over 1,000 vulnerabilities while probably
chugging imaginary Mountain Dew. XBOW outperformed 99 real hackers, identifying everything from
SQL injections to a new Palo Alto VPN flaw affecting thousands.
Its creators proudly say it operates like a human pen tester, except it doesn't sleep,
complain about Jira tickets, or ask for raises.
Experts warn this is great news for attackers, but a migraine for defenders already struggling
to patch known flaws, let alone AI-discovered ones at machine speed.
As security leaders lament being outpaced,
XBOW's triumph proves defenders aren't just fighting humans
behind keyboards anymore.
They're battling bots that scan, exploit,
and adapt in real time.
On the bright side,
AI can't steal your lunch from the office fridge.
For now.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There's a link in the show notes.
Please do check it out.
N2K's senior producer is Alice Carruth, our CyberWire producer is Liz Stokes.
We're mixed by Elliot Peltsman and Trey Hester, with original music by Elliot Peltsman.
Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo
code n2k at checkout. That's joindeleteme.com/n2k, code n2k.