CyberWire Daily - OCC breach jolts financial sector.
Episode Date: April 15, 2025

Some U.S. banks pause electronic communications with the OCC following a major breach of the agency's email system. Uncertainty spreads at CISA. China accuses three alleged U.S. operatives of conducting cyberattacks during February's Asian Games. Microsoft Teams suffers file-sharing issues. Fraudsters use ChatGPT to create fake passports. Car rental giant Hertz confirms data stolen in last year's Cleo breach. Researchers describe a novel process injection method called Waiting Thread Hijacking. A new macOS malware-as-a-service threat is being sold on underground forums. A UK man is sentenced to over eight years for masterminding the LabHost phishing platform. Kim Jones joins us with a preview of the newly relaunched CISO Perspectives podcast. David Moulton from Unit 42 sits down with Rob Wright, Security News Director at Informa TechTarget, for the latest Threat Vector. Fighting the flood of AI-generated experts.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Kim Jones joins Dave to launch the newly rebranded CISO Perspectives, formerly CSO Perspectives. We're excited to welcome a fresh voice to the mic as Kim takes the helm. In this premiere episode, he's joined by Ed Adams for a candid conversation about the evolving role of the CISO and the big question on everyone's mind: Is the cyber talent ecosystem broken? Tune in as Kim kicks off this next chapter: same mission, sharper focus, new perspective.

Threat Vector Segment

The cybersecurity industry is full of headlines, but are we paying attention to the right ones? In this segment of Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, sits down with Rob Wright, Security News Director at Informa TechTarget, to discuss the stories the industry overlooks, the overhyped AI security fears, and the real risks posed by certificate authorities. You can listen to the full conversation here and catch new episodes of Threat Vector each Thursday on your favorite podcast app.

Selected Reading

OCC Hack: JPMorgan, BNY Limit Information Sharing With Agency After Breach (Bloomberg)
CISA Braces for Major Workforce Cuts Amid Security Fears (BankInfo Security)
China Pursuing 3 Alleged US Operatives Over Cyberattacks During Asian Games (SecurityWeek)
Microsoft Teams File Sharing Outage, Users Unable to Share Files (Cyber Security News)
ChatGPT Image Generator Abused for Fake Passport Production (GB Hackers)
Hertz says personal, sensitive data stolen in Cleo attacks (The Register)
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking (Check Point Research)
macOS Users Beware! Hackers Allegedly Offering Full System Control Malware for Rent (Cyber Security News)
LabHost Phishing Mastermind Sentenced to 8.5 Years (Infosecurity Magazine)
Virtual reality: The widely-quoted media experts who are not what they seem (Press Gazette)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Some U.S. banks pause electronic communications with the OCC following a major breach of the
agency's email system.
Uncertainty spreads at CISA.
China accuses three alleged U.S. operatives of conducting cyberattacks during February's
Asian Games.
Microsoft Teams suffers file sharing issues.
Fraudsters use ChatGPT to create fake passports.
Car rental giant Hertz confirms data stolen in last year's Cleo breach.
Researchers describe a novel process injection method called Waiting Thread Hijacking.
A new macOS malware-as-a-service threat is being sold on underground forums.
A UK man is sentenced to over eight years for masterminding the LabHost phishing platform.
Kim Jones joins us with a preview of the newly relaunched CISO Perspectives podcast.
David Moulton from unit 42 sits down with Rob Wright,
security news director at Informa Tech Target
for the latest threat vector
and fighting the flood of AI generated experts.
It's Tuesday, April 15th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great to have you with us.
Several major U.S. banks, including JPMorgan Chase and BNY Mellon, have paused electronic
communications with the Office of the Comptroller of the Currency, the OCC, following a major
breach of the agency's email system, Bloomberg reports.
Hackers accessed over 100 accounts for more than a year, prompting fears that sensitive data,
such as banks' cybersecurity reports and even national security letters, may have been exposed.
The OCC is working with Microsoft, CrowdStrike,
and Mandiant to investigate.
Though on-site examiners still have access, banks worry the compromised data could aid
future cyberattacks.
The incident, now deemed a major breach, has triggered congressional scrutiny and raised
concerns about the OCC's cybersecurity safeguards, with experts warning that trust between banks
and regulators has
been fundamentally shaken.
Uncertainty is spreading at the U.S. Cybersecurity and Infrastructure Security Agency as staff
face a deadline to accept resignation or payout offers from the Department of Homeland Security.
Reports suggest CISA could lose up to 1,300 employees, about a third of its
workforce, amid broader federal cyber staffing cuts. The move has alarmed officials and experts
who warn it could weaken the nation's defenses against cyber threats to critical infrastructure
like water, energy, and transportation. Staff describe the atmosphere as chaotic, with many
eyeing exits to the private sector.
CISA says it's committed to supporting employees while continuing its mission.
However, the scope of the reductions far exceeds previous cuts and threatens to cripple key
divisions within the federal cyber defense agency.
China has accused three alleged U.S. operatives of conducting cyberattacks during February's
Asian Games in Harbin.
According to Chinese authorities, the individuals, reportedly linked to the NSA, targeted event
management systems holding sensitive personal data.
The cyberattacks allegedly disrupted games operations and extended to critical infrastructure
in Heilongjiang province, including energy, telecom, and defense institutions, as well
as tech giant Huawei.
China claims the attacks caused serious national harm and has urged the U.S. to stop its alleged
cyber operations.
While offering no concrete evidence, China says it will take further steps to protect
its cybersecurity.
The U.S. has not responded to the accusations.
Both countries routinely blame each other for cyber espionage, fueling ongoing tensions
in cyberspace.
Earlier today, Microsoft Teams users experienced a major issue affecting file sharing, prompting
an ongoing investigation by Microsoft.
The company acknowledged the disruption via its Microsoft 365 status account and is tracking
the issue.
Although the Microsoft 365 Service Health page initially showed no problems, users reported
widespread difficulties accessing files,
particularly via SharePoint.
Microsoft has not provided a fixed timeline,
but recommends using alternatives
like OneDrive for sharing.
OpenAI's ChatGPT image generator has been exploited to create realistic fake passports
in minutes, according to the 2025 Cato CTRL Threat Report.
This marks a major shift in cybercrime,
where generative AI allows non-experts,
termed zero-knowledge threat actors,
to forge documents without coding skills
or access to illicit tools.
By tweaking prompts, users can bypass ChatGPT's safeguards, producing convincing
passports for fraud. This ease enables scams like new account fraud, insurance fraud, and
identity theft. Traditional ID verification methods, such as photo uploads, are now vulnerable.
Experts urge stronger defenses like NFC-based document checks, liveness detection, and device-anchored
identity verification.
Car rental giant Hertz has confirmed that customer data was stolen in last year's
Clop ransomware attacks exploiting Cleo file transfer software.
The breach affected Hertz, Dollar, and Thrifty customers, exposing personal details
like names, contact info, birth dates, credit card and driver's license data, and in some
cases Social Security numbers and medical claim information. The stolen files came from
a Cleo product used by Hertz. While there's no evidence of misuse, Hertz is offering two
years of identity and dark web monitoring.
Check Point Research describes a novel process injection method called Waiting Thread Hijacking,
WTH, offering a stealthier alternative to traditional thread hijacking techniques.
Unlike conventional methods that rely on suspending and modifying active threads,
actions often detected by endpoint detection and response systems,
WTH targets dormant threads within Windows thread pools. By identifying threads in a waiting state,
WTH manipulates their return addresses to redirect execution to malicious code without triggering common security alerts.
This approach avoids the use of high-risk APIs, instead utilizing standard operations.
To further evade detection, the technique can distribute its steps across multiple processes,
obfuscating behavioral signatures typically monitored by security tools.
WTH exemplifies the evolving tactics in cyber threats, emphasizing the need for advanced behavioral analysis in cybersecurity
defenses.
A new macOS malware-as-a-service threat, Inari Loader, is being sold on underground forums,
marking a serious escalation in Apple-targeted cyberattacks.
Unlike previous macOS stealers, Inari offers a premium toolkit with remote desktop access,
advanced data exfiltration, and password bypass capabilities,
allowing attackers to harvest credentials without fake prompts.
The malware is modular and can be deployed through multiple vectors like .dmg files or malicious apps.
It also reportedly evades detection without adding obfuscation.
Offered at between $5,000 and $10,000 per month,
it's priced well above competitors like Atomic and Banshee,
likely reflecting its powerful features.
The loader adds to a growing wave of macOS threats seen in 2023 and 2024, such as MacStealer
and MetaStealer.
Researchers warn this development could lead to broader exploitation of macOS systems.
Users should stay alert, avoid unverified downloads, enable 2FA, and keep their devices
updated with the latest security patches.
Zak Coyne, aged 23, from Huddersfield in the UK,
has been sentenced to eight and a half years in prison for creating LabHost,
one of the world's largest phishing-as-a-service platforms.
Operating from 2021 to 2024, LabHost was used by over 2,000 fraudsters to build
fake websites imitating banks, healthcare providers, and postal services to steal personal and financial
data. The platform enabled global fraud, causing losses exceeding £100 million, far more than
initially estimated.
Coyne profited by charging membership fees for access to pre-made phishing templates
or custom-built sites.
LabHost was dismantled in April 2024 following a major international takedown involving the
Met Police, NCA, Microsoft, and Europol.
Authorities also arrested 24 suspects and searched over 70 locations.
This case highlights law enforcement's growing focus on dismantling cybercrime
infrastructure and prosecuting those who enable mass fraud.
Coming up after the break, Kim Jones joins us with a preview of the newly relaunched
CISO Perspectives podcast.
David Moulton sits down with Rob Wright from Informa TechTarget for the latest Threat
Vector, and fighting the flood of AI-generated experts.

What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and
security teams while reducing risk with BloodHound Enterprise, powered by
SpecterOps. Head to SpecterOps.io today to learn more. SpecterOps, see your
attack paths the way adversaries do.
It is my pleasure to welcome back to the show Kim Jones. He is the host of CISO Perspectives, our newly rebooted program that is part of CyberWire Pro.
Kim, welcome back.
It's good to be back.
Thanks, Dave.
Well, let's talk about the episode that you're kicking off this season with.
And it's titled, Is the Cyber Talent Ecosystem Broken?
I have to say, this is an intriguing title to me.
I have my own thoughts, but I'm curious what led you to decide
this is how you're gonna lead off the season, and what went into creating this episode?
Well, one of the approaches that I wanted to take this season
Was to focus on depth of issues. So there's a lot of big
tractable things out there that CISOs face that either get passing
consideration during a 30 minute podcast or usually a session at a conference and that
we don't go into any depth in except maybe at the bar after the conference session. So what I wanted to do with this podcast
is to take a multi-episode arc
regarding some of those more tractable problems
that are out there.
And one of the ones that I hear about regularly
and that we talk about regularly
is the cyber talent ecosystem.
So what we're going to do through the bulk of this season is talk about
various aspects of the talent problem. So I wanted to start with an overview of what
we are seeing out there within the market space and some of the challenges that we're
facing via the various ways that people can come into cyber versus some of the complaints
that we have as senior cyber leaders regarding what the ecosystem is or is not doing for us.
And look at what not only the ecosystem could do better, but frankly what we could do better
to make it work for us.
Because I think that's a problem that we haven't addressed for, hell, decades now.
You know, I think it's fair to say that this is a hot
button issue for a lot of people.
This kind of disconnect between, you know,
the one hand is saying we have all these missing,
but we don't have enough people to fill the positions
in cyber, and then the other side are people who have newly
earned their credentials and they're saying,
nobody will hire me.
And there's a lot of sort of talking past each other and trying to get past this frustration.
Is that a frustration you've seen, and one that you share?
It's one that I have seen absolutely.
It's one that I share slightly, and I say slightly because one of the things I try and do is walk the
talk, if you will, and normalize things in my environment and, you know, eat and breathe what
I say that I want within the environment, and that includes doing things like creating
proper job descriptions, creating pathways that don't require everyone to go to college,
hiring people from non-traditional pathways, and doing the things
so that we're consistently solving all pieces of that problem. What we're going to talk about,
starting with this episode and throughout the season, is in many cases what lots of people are
doing are just tackling one piece of that and then still complaining as to why things aren't
working well. You know, we complain that the individual who has come up through a training or career transition
program doesn't have the skills that are needed.
Yet when we sit down, and I actually use this example in this first episode, I've sat down
with a handful of Fortune 500 CISOs and said, tell me what you want.
And then when you try to ask them to tell them what you want
and you say, okay, so if I can build what you want,
you'll hire these folks, right?
And then everyone starts backpedaling.
Then when you push them to say, tell me what you want,
you get a, I'm not avoiding the question.
I'm not telling you because we're really not sure.
And you know, if you don't know where you want to go, then any destination
will get you there or no destination will get you there as Lewis Carroll used to say.
So yeah, it's a frustration for me that after almost 40 years in this profession,
we still can't figure out what we want to be when we grow up and help people get
there and that's, that's wrong.
Yeah.
Are you hopeful or optimistic that we're perhaps able
to take a serious look at this and fix it?
Any good cyber professional is always optimistic
because you can't be a pessimist and do this work.
You know, plain and simple.
What I'm hoping to do through the course of the season is provide listeners all of the
pieces and parts for them to put together.
And then as we look at each episode, here are some things that you can do to address
this piece.
Here are some things that you can do to address this piece.
So that they have a strategic viewpoint on this problem.
And it's not just me.
I'm inviting in subject matter experts and other guests, et cetera, to bring their perspective
to the problem as well.
So it isn't just me railing at the microphone every week.
It's truly bringing people who say, okay, here's the starting point.
I use the analogy.
What we're doing is we're setting the table and that's just me talking about what I see in this beginning, you know, in these pieces, as we begin the episode.
Then we invite experts to dine with us and then I bring somebody else in and we
deep dive on that piece of it.
And then we do that and just build, hopefully, a look at all of the aspects of the challenge and
give people a holistic, I won't call it a roadmap, but I'm not fully caffeinated, so
I probably will.
So a roadmap in terms of things to consider in terms of solving it.
So I'm ever hopeful, Matt.
Yeah.
Well, the show is CISO Perspectives.
It is part of CyberWire Pro right here on the N2K
CyberWire network. And Kim Jones is the host. Kim, thanks so much for joining us.
Looking forward to it, man. And I'm looking forward to talking to you about our next episode,
next week. We'll do it.
Thanks.
On this week's preview of the Threat Vector podcast, David Moulton, director of thought leadership at Unit 42, is joined by Rob Wright, security news director at Informa Tech Target.
They're discussing the stories the industry overlooks, overhyped AI security fears, and the real risks posed by certificate authorities.
Hi, I'm David Moulton, host of the ThreatVector podcast, where we discuss pressing cybersecurity
threats and resilience and uncover insights into the latest industry trends.
In my latest episode of Threat Vector, I sat down with Rob Wright, security news director
at Informa TechTarget, to ask a deceptively simple question. Are we actually paying attention to the threats that
matter? Rob's been covering cybersecurity for over a decade, and in this conversation he unpacks the
stories the media often misses, and the ones it may be getting wrong. We talk about the uncomfortable truth behind certificate authorities, why deepfakes might
be getting too much credit, and how AI headlines can obscure more than they reveal.
If you've ever wondered what goes on behind the scenes in cybersecurity journalism, and
what industry risks are flying just under the radar, you're going to want to hear this.
Check out the episode wherever you listen to podcasts.
Rob, this may be a loaded question,
given the current news media landscape,
but how do you view your role as a cybersecurity journalist?
And what drives your approach to covering this industry?
Yeah, I do consider myself a cybersecurity news reporter.
In terms of what drives my approach,
it's changed a lot.
The urgency around cybersecurity has increased
what feels like, I don't know,
at least tenfold over the last few years.
So we try to, I try to cover the stuff that I think
has the biggest impact on the masses.
So not just enterprise security, but also, you know,
government and citizens at large, I guess,
because it really has gone from,
the beat's gone from enterprise to just,
I mean, this is something the whole world,
I guess, has to deal with now.
Who do you see as your main audience?
We try to deliver our news
with a hypothetical reader in mind.
And that hypothetical reader is a practitioner,
a technology practitioner,
somebody that works in IT or
IT security within an enterprise organization
or government organization.
But yeah, we tried to deliver
our content to the folks
that are actually working with this stuff.
You know, there's always room for some of the, you know, general consumer news out there
and obviously some of the beginners that are just getting into this business.
But by and large, we try to focus on the people that are like really into this stuff, that
are really working with it every day.
And they need to know about the types of technologies, the types of threats, the types of goings
on that are important to their jobs.
So I kind of see using AI and how it works as in some ways like talking to another person. If I ask you, describe your dinner from last night,
and then 10 minutes later ask you to describe it to me again,
and if you use the exact same story
to tell me about what you had, who was there,
the overall vibe of dinner,
in a robotic fashion, in a classic compute model, I would be freaked
out by you. But if a computer does that, says the exact same thing over and over, I'm like,
yeah, that's what I expect. It's a programming problem. I got some inputs, I get an output.
It's always the same. And AI breaks that relationship with the machine in a way that causes us to step back and go, oh no.
And sometimes you can't tell if it's just doing the analysis
of what word next a little different,
or if it's just BSing you, right?
And you don't know, has it decided to hallucinate?
That's a fun term.
Or is it just telling you the story in a new way?
And I think that's the part that causes me pause
in an industry like security where you're going,
is it telling me that this is a false positive
and I move on?
Is it telling me that this is an incident
and I need to go after it?
And it doesn't really know
it's mathematically assigned a rating. And that can be, that's problematic.
So solving for that is, I think that's gonna be key.
Rob, what strategies can cybersecurity professionals
and journalists use to verify some of the claims
about AI-related security incidents
to separate the hype that we're seeing from the reality,
especially before reporting on them?
This is hard because I think there's a lot of AI washing
and I think there's a tendency for people to kind of
get carried away with applications for AI
that are really neat and interesting, but like, don't, it's not a one-to-one.
It's not just because you can do something over here.
Doesn't mean you can take that same technology
and apply it over there.
So for example, just because Deep Blue
can beat the world's chess champ
and you can build an application
that is very, very specifically tailored to do one thing really well,
same with Google and AlphaGo, the Chinese game Go.
It created this game and, oh my god, it beats the world's best Go players.
Just because that is out there and, you know, that works, doesn't mean you can just
take that technology and bolt it on to a cybersecurity application and have it do wondrous things.
I think the thing that people should be aware of, the practitioners out there, is that a
lot of the stuff is kept in a black box.
But if you can get to the vendors and the providers
out there that are using this technology
and really touting it, just run some simple tests.
Just run simple tests and just see, start small,
start innocuous, don't ask it to, like, run your SOC. Don't ask it to run, you know, don't ask Copilot or whatever
to just do these complex things. Just start small.
I start small with AI. I asked Google AI very simple questions.
I asked it a couple weeks ago, what are the best-selling
American rock bands in the history of modern music?
And it comes back with the Rolling Stones, Pink Floyd,
AC/DC, Led Zeppelin.
If you can't get that right,
if you can't get that right, stop.
Stop and I'm not saying throw the vendor out,
but just reevaluate, just say,
come back to us in a few months when you have
that cleaned up and we'll take another look.
So I would start small with tasks like, okay, is it picking up these login attempts from
this IP address or we've got 100 attempts on this account in this amount of time from
this region, is it flagging it?
Simple, simple stuff.
And if it can't get that right, then just move on.
If you like what you heard,
catch the full episode now
over in your Threat Vector podcast feed.
It's called What Cybersecurity Blindspots
Could Lead to the Next Major Attack From April 10th.
Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts.

Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
And finally, here at the CyberWire, we rely on credible experts to provide context and
clarity on breaking cyber and tech news.
So imagine our concern over reports of a growing number of seemingly authoritative sources
from senior analysts to psychologists that started sounding a little too slick, replying
to quote requests faster than you can say generative AI.
According to Press Gazette,
some of these experts flooding journalist inboxes
aren't real people at all.
They're the product of PR platforms and clever prompts,
offering ready-made commentary attributed to fabricated identities
like Rebecca, a supposed science educator
who's also a budgeting guru and a music industry analyst, or Barbara, who's been
quoted by nearly every outlet imaginable but whose main online presence is tied
to an adult toy shop. The problem is these fake personas are often
indistinguishable from the real thing, until you scratch beneath the surface. In a landscape where trust is everything,
this AI-enabled fakery is more than a curiosity, it's a credibility crisis.
Stay vigilant, my friends. Stay vigilant. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

Looking for a career where innovation meets impact? Vanguard's technology team is shaping
the future of financial services by solving complex challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a
dynamic and collaborative environment where your ideas drive change. With
career growth opportunities and a focus on work-life balance, you'll have the
flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at VanguardJobs.com.