CyberWire Daily - North Korea’s covert coders caught.

Episode Date: July 1, 2025

The Feds shut down a covert North Korean IT operation. Google releases an emergency update to fix a new Chrome zero-day. A major U.S. trade show and event marketing firm suffers a data breach. NetScaler patches a pair of critical vulnerabilities. A sophisticated cyber attack targets The Hague. An Iran-linked hacking group threatens to release emails allegedly stolen from aides to President Trump. A ransomware attack exposes sensitive data linked to multiple Swiss federal government offices. The U.S. Treasury Department faces scrutiny after a string of cyberattacks. The FBI's phone security tips draw fire from Senator Wyden. Tim Starks from CyberScoop describes how ubiquitous surveillance turned deadly. AI proves its pentesting prowess. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined today by Tim Starks, Senior Reporter from CyberScoop, discussing his story "Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report."
Selected Reading
US government takes down major North Korean 'remote IT workers' operation (TechCrunch)
Google fixes fourth actively exploited Chrome zero-day of 2025 (Bleeping Computer)
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777 (NetScaler)
International Criminal Court hit with cyber security attack (AP News)
Iran-linked hackers threaten to release Trump aides' emails (Reuters)
Swiss government data compromised in ransomware attack on health foundation Radix (Beyond Machines)
Trade show management firm Nth Degree hit by data breach, exposing sensitive data (Beyond Machines)
A Trio of US Treasury Hacks Exposes a Pattern Making Banks Nervous (Bloomberg)
Senator Chides FBI for Weak Advice on Mobile Security (Krebs on Security)
The top red teamer in the US is an AI bot (CSO Online)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
Starting point is 00:01:00 The feds shut down a covert North Korean IT operation. Google releases an emergency update to fix a new Chrome zero-day. A major US trade show and event marketing firm suffers a data breach. NetScaler patches a pair of critical vulnerabilities. A sophisticated cyber attack targets The Hague. An Iran-linked hacking group threatens to release emails allegedly stolen from aides to President Trump. A ransomware attack exposes sensitive data linked to multiple Swiss federal government agencies. The US Treasury Department faces scrutiny after a string of cyber attacks. The FBI's phone security tips draw fire from Senator Wyden.
Starting point is 00:01:34 Tim Starks from CyberScoop describes how ubiquitous surveillance turned deadly. And AI proves its pentesting prowess. It's Tuesday, July 1, 2025. I'm Dave Bittner, and it's great to have you with us today. It seems impossible that it is already July 1st, but here we are. The US Department of Justice announced enforcement actions targeting North Korea's covert IT operations that fund its nuclear program. Authorities arrested Zhenxing "Danny" Wang, a U.S. citizen, for running a scheme from New Jersey that placed North Korean IT workers in U.S. tech jobs, generating over $5 million.
Starting point is 00:02:43 Eight others, six Chinese nationals and two Taiwanese citizens, were also indicted for wire fraud, money laundering, identity theft, hacking and sanctions violations. From 2021 through 2024, they impersonated over 80 Americans to gain remote jobs at over 100 companies, causing $3 million in damages. They ran US laptop farms and shell companies to hide workers' identities and stole sensitive data, including AI tech from a California defense firm. The FBI seized 137 laptops and raided 21 sites
Starting point is 00:03:21 in 14 states linked to the scheme. Google released an emergency update to fix a new Chrome zero-day vulnerability, marking the fourth such flaw patched this year. The bug, a high-severity type confusion issue in Chrome's V8 JavaScript engine, was already exploited in the wild. Discovered by Clément Lecigne of Google's Threat Analysis Group, the flaw could let attackers execute arbitrary code on unpatched devices. Google pushed configuration changes on June 26 to mitigate risks, and released updates
Starting point is 00:03:59 for Windows, Mac, and Linux the next day. While updates may take days to reach all users, they were immediately available when checked by BleepingComputer. Google hasn't shared technical details yet, to protect users until most are updated. Previous Chrome zero-days were patched in March, May, and June. Nth Degree Investment Group, a major U.S. trade show and event marketing firm, reported
Starting point is 00:04:28 a data breach compromising personal data of up to 39,000 people. The breach occurred between December 12 and 20 of last year, but wasn't discovered until March of this year. Exposed data includes Social Security numbers, driver's licenses, financial details, health insurance data, and medical records. Victims are mainly in Texas. The company, serving clients like Microsoft and Mercedes-Benz, began notifying affected individuals in April and is offering 12 months of free credit monitoring. For our audience, it's worth noting that Nth Degree is a provider for the RSAC trade show. NetScaler's Cloud Software Group released updates to fix two vulnerabilities affecting
Starting point is 00:05:17 NetScaler ADC and NetScaler Gateway when configured as a gateway or AAA virtual server. The first vulnerability is a memory overflow flaw that could cause denial of service and unintended control flow. The second results from insufficient input validation leading to memory overreads. The company confirmed active exploitation of the first vulnerability and urges immediate updates, as no mitigations are available. The second vulnerability currently shows no exploitation evidence. The International Criminal Court was hit by a sophisticated cyber attack last week, the tribunal announced Monday.
Starting point is 00:06:01 The incident has been contained and an impact analysis is underway, though the ICC did not disclose the motive or whether data was compromised. The attack comes as The Hague hosted a NATO summit with heightened security. The ICC, which investigates sensitive global cases, was also targeted in 2023 and has previously been a focus of espionage efforts. Business operations continue as mitigation steps are implemented. Iran-linked hackers calling themselves Robert have threatened to release more emails allegedly stolen from President Trump's aides, including Susie Wiles, Roger Stone,
Starting point is 00:06:45 attorney Lindsay Halligan, and Stormy Daniels. The group claims to hold about 100 gigabytes of data and is considering selling it but hasn't shared details or contents. They previously leaked emails before the 2024 election, revealing campaign and legal communications, though the leaks didn't alter Trump's victory. US officials called the hack a calculated smear campaign and vowed prosecution. The group resurfaced after recent US airstrikes on Iran's nuclear facilities, with analysts suggesting Iran seeks asymmetric
Starting point is 00:07:21 retaliation without triggering direct military escalation. Tehran has denied cyberespionage. U.S. cyber officials warn critical infrastructure operators remain potential Iranian targets amid ongoing regional tensions. The Swiss health promotion foundation Radix has suffered a ransomware attack, exposing sensitive data linked to multiple Swiss federal government offices. The Zurich-based nonprofit, which runs health education programs and online counseling services, was attacked on June 16 by the Sarcoma ransomware group.
Starting point is 00:08:00 When ransom demands failed, Sarcoma leaked 1.3 terabytes of data on June 29, including document scans, financial records, contracts, and internal communications. The Swiss National Cybersecurity Center confirmed investigations are underway, though attackers did not access federal administration systems directly. Radix is restoring data from backups and says there's no current evidence that partner organizations' data was directly compromised. However, potentially affected individuals are advised to remain vigilant for phishing or credential theft attempts in the coming months. The US Treasury Department is under scrutiny
Starting point is 00:08:44 after three major cyber attacks in five years exposed critical security gaps, Bloomberg reports. Recent breaches include Chinese hackers infiltrating Secretary Janet Yellen's computer and Russian hackers spying on staff emails during the 2020 SolarWinds attack. In April, hackers accessed the Office of the Comptroller of the Currency's emails for a year using a VPN without triggering alerts. Investigations show Treasury repeatedly failed to implement basic safeguards like multi-factor authentication and adequate log monitoring.
Starting point is 00:09:21 Meanwhile, its cybersecurity leadership has been gutted by departures linked to Elon Musk's Department of Government Efficiency, leaving vital positions vacant. Financial institutions are alarmed, fearing their confidential data could be exposed due to Treasury's weak defenses. Despite a billion-dollar annual cybersecurity budget, experts warn Treasury's fragmented oversight and depleted staff make it a prime target for foreign hackers, undermining trust in its ability to protect the financial sector. U.S. Senator Ron Wyden criticized the FBI's recent guidance to Capitol Hill staff on mobile
Starting point is 00:10:02 device security as overly simplistic in a letter to Director Kash Patel. Though the FBI discussed basics like avoiding suspicious links, using private Wi-Fi, disabling Bluetooth, updating software, and regular reboots, Wyden said it failed to address zero-click spyware threats used by foreign adversaries. He urged recommending advanced protections available on modern phones, such as Apple's Lockdown Mode and Android's Advanced Protection Mode, as well as privacy steps like ad blockers, disabling ad tracking, and opting out of data brokers. Security experts echoed his call, recommending these features for high-value targets to counter sophisticated mobile attacks. Coming up after the break, Tim Starks from CyberScoop describes ubiquitous surveillance turned deadly, and AI proves its pen-testing prowess.
Starting point is 00:11:07 Stay with us. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com slash purple dash knight. That's semperis.com slash purple dash knight. And now a word from our sponsor, SpyCloud.
Starting point is 00:12:05 Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
Starting point is 00:12:39 attackers already know. That's spycloud.com slash cyberwire. Joining me once again is Tim Starks. He is a senior reporter at CyberScoop. Tim, it's always great to have you back. Always, always. So you posted a story here recently about this Justice Department watchdog report dealing with some Mexican cartels. This one has some really interesting elements here.
Starting point is 00:13:18 Can you just give us an overview of the story here, Tim? Yeah, I was talking to my editor about this, and we were of the mind that if somebody had told you a story like this, you'd be like, that sounds like a bad episode of NCIS. That doesn't sound plausible, but here we have a rather extraordinary situation where the Department of Justice Inspector General said, there was an instance in 2018 where someone
Starting point is 00:13:42 from one of the cartels, the El Chapo cartel, came to the FBI and said, hey, the cartel hired a hacker who offered this menu of services, including getting into phones. That hacker then, on behalf of the cartel, broke into cameras in Mexico City, broke it, started tracking people by their geolocation data, settled on one particular FBI official who was coming out of the embassy in Mexico City and finding out they were having meetings with people who
Starting point is 00:14:18 were either potential witnesses or actual witnesses or people who might be able to help the case against El Chapo in some way. And the FBI learned subsequently that some of those people had been intimidated and even killed. Yeah. I mean, I think so often we're used to these stories ending in someone losing a lot of money, you know, ransomware or crypto jacking or something like that. But here we're talking about actual loss of life.
Starting point is 00:14:49 It's extremely rare. And interestingly enough, the only other time I can think of that's confirmed that this has happened, that a hacker did something that caused someone's death was actually also last week. It was the NHS had put out a review of some cyber attack and how it affected blood test results in London and England, and essentially said, that the delayed blood test caused someone to die. There have been other times where we've seen
Starting point is 00:15:19 a little bit of interaction between physical and cyber attacks, where there's been some tangible harm done, but not much in the way of actual people being killed. So this is shocking. I'm so much used to writing about economic loss and writing about espionage. And this was just very different. I've always wondered if we'd get to this point on cyber where, you know, you and I have covered this stuff for so long. It's a huge topic in the world, but I've always thought, you know, if you can show that people are dying because of cyber attacks, I wonder if we'll gather a new level of physical attention because, you know, even during the Ukraine war, where there was some discussion of cyber attacks and enabling that war, you still couldn't point us to anything and say,
Starting point is 00:16:05 that person died because of that attack. So this convergence has always been really interesting to me and primarily theoretical. Now it's quite real. It sounds like something out of a Mission Impossible movie or a Bond villain or something like that. What's the FBI's response been to this watchdog report? The report talks about failures in the FBI's red team, I believe.
Starting point is 00:16:34 Yeah, so this was part of a broader report that was about the FBI struggling to deal with ubiquitous technical surveillance. That means everything from, you know, like the cameras that we saw in this case, or people's phones, or financial records. Essentially, there's so much surveillance in the world that other people could take advantage of, be they governments or be they people in situations like this with the hackers, that the Justice Department
Starting point is 00:16:57 Inspector General has been saying, the FBI needs to get a hang of this. It's really causing them some trouble. And this was a follow-on review to an earlier review. The FBI had created this kind of red team to look into this. And the Justice Department said, nope, you still haven't quite gotten it yet. So there were some recommendations that the FBI largely agreed with the recommendations, needed to do a bigger enterprise-wide look at all of this, but also train agents for.
Starting point is 00:17:26 In terms of this actual story, they have not commented on it specifically and referred my questions to the Department of Justice, which did not answer at all. Now, help me understand here, Tim. I mean, this report goes back several years. So, is it fair to expect that methods have improved over time? Gosh, I hope not. But it certainly seems that that could be the case, right? I mean, in terms of what hackers are capable of doing, I think some of the capabilities are similar, but in terms of how many avenues there are to get into these kinds of things, I mean, if you're imagining someone taking over the cameras in a city, there may be more vulnerabilities
Starting point is 00:18:08 for them to exploit. Potentially there may be a broader catalog of ways they could do that. So potentially the ability of hackers to do this in situations where they haven't before might be different. Although of course, you know, defenses have increased as well. So, you know, we think a lot about Internet of Things, we think a lot about surveillance
Starting point is 00:18:28 of phones, and in some ways there's been some advancement and some decline in the defenses there. You mentioned earlier this notion of ubiquitous surveillance, which I think we all think about these days. Here's an example of how that's being used by the bad guys and again, ultimately leading to loss of life. Yeah, and there's been some reporting as well on the difficulties for intelligence agencies to collect human intelligence anymore, meaning just the simple matter of meeting on a park bench with somebody and hoping that you can convert them to spy for you and then stay in touch with you. So this is a broader phenomenon that ubiquitous technical surveillance as something that the bad
Starting point is 00:19:13 guys, as you say, could use. This is just maybe the starkest example of it. Yeah. What do you suppose could come out of a report like this? Yeah, I mean, I think the FBI seems to acknowledge that it needs to improve some things like the training to be aware of this, to do a broader enterprise-wide look at this. I think if you say that the FBI didn't do well enough in its last update report, unless according to the Inspector General, that there's a chance that they also won't do well enough next time. But certainly, the reminders are getting more prominent. And I think the fact that some of these examples,
Starting point is 00:19:53 there was a largely redacted document. This one was notably not redacted. So I think there might be some additional pressure on the FBI to shape up on this once they realize the embarrassment of some of these kinds of things, that this could be more like bully pulpit kind of pressure that once the public knows about it and knows what's gone wrong because of it, perhaps the FBI will say, okay, now we need to be even more careful.
Starting point is 00:20:16 We're not just answering to the inspector general of our department. Yeah. Now, really interesting reporting here. Again, Tim Starks, the senior reporter at CyberScoop. Tim, thanks so much for joining us. Thank you, Dave.
Starting point is 00:21:05 This episode is brought to you by DAZN. For the first time ever, the 32 best soccer clubs from across the world are coming together to decide who the undisputed champions of the world are in the FIFA Club World Cup. The world's best players, Messi, Haaland, Kane and more are all taking part, and you can watch every match for free on DAZN starting on June 14th and running until July 13th. Sign up now at dazn.com slash fifa. That's d-a-z-n.com slash fifa. And finally, AI has officially joined the hacker leaderboard. And it's not just any
Starting point is 00:21:59 leaderboard. Over on HackerOne, the top-ranked red teamer isn't a hoodie-wearing human, but XBOW, an AI bot that's been busy finding over 1,000 vulnerabilities while probably chugging imaginary Mountain Dew. XBOW outperformed 99 real hackers, identifying everything from SQL injections to a new Palo Alto VPN flaw affecting thousands. Its creators proudly say it operates like a human pen tester, except it doesn't sleep, complain about Jira tickets, or ask for raises. Experts warn this is great news for attackers, but a migraine for defenders already struggling to patch known flaws, let alone AI-discovered ones at machine speed.
Starting point is 00:22:47 As security leaders lament being outpaced, XBOW's triumph proves defenders aren't just fighting humans behind keyboards anymore. They're battling bots that scan, exploit, and adapt in real time. On the bright side, AI can't steal your lunch from the office fridge. For now.
Starting point is 00:23:26 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth, our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester, with original music by Elliott Peltzman.
Starting point is 00:23:53 Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:24:56 day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo
Starting point is 00:25:26 code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
