CyberWire Daily - Powering AI with politics.
Episode Date: July 24, 2025The White House unveils its plan for global AI dominance. Microsoft warns that recent SharePoint server exploitation may extend to ransomware. A phishing campaign targeting the U.S. Department of Educ...ation’s grants portal. The FBI issues a warning about “The Com” cybercriminal group. SonicWall urges users to patch a critical vulnerability. A new supply chain attack has compromised several popular NPM packages. Joe Carrigan, co-host of the Hacking Humans podcast, joins to discuss how scammers are exploiting misconfigured point-of-sale terminals. Japanese police release a free decryption tool for Phobos ransomware. AI takes the wheel and drives right off a cliff. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Joe Carrigan, co-host of the Hacking Humans podcast, joins to discuss how scammers are exploiting misconfigured point-of-sale terminals, highlighting severe vulnerabilities that small businesses often overlook. If you want to hear more from Joe, head over to the Hacking Humans page. Selected Reading From Tech Podcasts to Policy: Trump's New AI Plan Leans Heavily on Silicon Valley Industry Ideas (SecurityWeek) Hackers hit more than 400 organizations in Microsoft SharePoint hacks (Axios) Microsoft says some SharePoint server hackers now using ransomware (Reuters) Hackers Clone U.S. Department of Education's Grant Site in Credential Theft Campaign (TechNadu) Copilot Vision on Windows 11 sends data to Microsoft servers (The Register) FBI: Thousands of people involved in 'The Com' targeting victims with ransomware, swatting (The Record) SonicWall urges admins to patch critical RCE flaw in SMA 100 devices (Bleeping Computer) High-Value NPM Developers Compromised in New Phishing Campaign (SecurityWeek) Free decryptor for victims of Phobos ransomware released (Fortra) 'I destroyed months of your work in seconds' says AI coding tool after deleting a dev's entire database during a code freeze: 'I panicked instead of thinking' (PC Gamer) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform
purpose-built to secure every machine identity, certificates,
secrets, and workloads across all environments, all clouds,
and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises
secure their machine future.
Visit cyberark.com slash machines to see how.
The White House unveils its plan for global AI dominance.
Microsoft warns that recent SharePoint server exploitation may extend to ransomware.
A phishing campaign targets the U.S. Department of Education's grants portal.
The FBI issues a warning about the COM cybercriminal group.
Sonic Wall urges users to patch a critical vulnerability.
A new supply chain attack has
compromised several popular NPM packages. My Hacking Humans co-host Joe Kerrigan joins us
to discuss how scammers are exploiting misconfigured point-of-sale terminals. Japanese police release a
free decryption tool for the Phobos ransomware. And AI takes the wheel and drives right off a cliff.
It's Thursday, July 24th, 2025.
I'm Dave Fittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
President Donald Trump yesterday unveiled a sweeping AI action plan aimed at achieving
U.S. global dominance in artificial intelligence.
The plan calls for slashing environmental regulations to fast-track data center construction
and boost exports of U.S.-made AI technologies.
It aligns closely with Silicon Valley venture capitalists who backed Trump's campaign.
Key goals include deregulation, discouraging woke AI, and requiring government contractors
to use unbiased AI systems rooted in American values.
Trump signed three executive orders to enact these changes.
The plan promotes building private power plants to meet AI's vast energy demands, opposing
environmental restrictions.
Critics say it favors tech giants and fossil fuels over public interest.
More than 100 groups, including labor and climate
advocates, oppose the plan, calling it a giveaway to billionaires. Meanwhile, Trump
allies argue that regulating AI is futile and America must lead or fall behind.
Microsoft reports that three China-based hacking groups, including two tied to the
Chinese government, have been
exploiting critical flaws in on-premise SharePoint servers since early July.
As we've been covering throughout the week, Microsoft reports that three China-based hacking
groups, including two tied to the Chinese government, have been exploiting critical
flaws in on-premise SharePoint servers since early July.
Victims include major U.S. institutions like the National Nuclear Security Administration,
NIH, energy firms, and universities.
The vulnerabilities allow attackers to steal documents and execute code remotely.
Microsoft patched the flaws on July 22, but hackers had already stolen machine keys to
maintain access post-patch.
Researchers warn that more nation-state and criminal actors may join in, deploying ransomware
or conducting espionage.
One group, Storm 2603, is linked to Warlock ransomware.
Microsoft urges immediate patching, key rotation, and advanced antivirus
protection to secure affected systems. Over 400 servers worldwide are already compromised,
according to iSecurity. The Chinese embassy denies involvement, calling the allegations
unfounded.
A phishing campaign targeting the U.S. Department of Education's G5 Grants Portal was uncovered
on July 15.
Threat researchers at B4AI's Precrime Lab found several fake domains impersonating G5.gov
to steal credentials from educators, grant administrators, and vendors. These cloned sites mimic the official login page and use tactics like MFA bypass, JavaScript-based
credential theft, and cloaking to avoid detection.
Fraudsters likely aim to gain access to sensitive accounts, change payment details, or launch
broader supply chain attacks.
The phishing sites used cloudflare to hide their origins and included convincing design
elements like case-sensitive login fields and redirects.
The campaign may exploit confusion over recent layoffs at the Department of Education to
fuel social engineering efforts.
The Office of the Inspector General has been alerted and Before.ai is
working to disrupt the malicious domains and monitor for asset reuse tied to the campaign.
Microsoft is expanding AI features in Windows 11 with a new suite of tools for its Copilot
Plus PCs, including the controversial Copilot Vision.
This successor to the delayed and criticized Recall tool captures screen activity and sends
it to Microsoft's servers for analysis, unlike Recall, which processed data locally.
Microsoft claims this will help Copilot become a true companion, offering proactive help. Meanwhile, a new agentic AI called Mu, limited to Qualcomm-powered PCs, can perform system
tasks from natural language commands.
Critics remain skeptical, especially as Microsoft hasn't solved the issue of hallucinations
in small AI models.
Also, Windows' blue screen of death has officially turned black, alongside the debut of quick
machine recovery for faster system repairs.
Many features are US only and will roll out gradually.
The FBI has issued a warning about the COM, a decentralized cybercriminal group made up
largely of minors, targeting youth aged 11-25 through gaming platforms.
The group engages in a wide range of cybercrimes, including ransomware attacks, SIM swapping,
cryptocurrency theft, DDoS attacks, swatting, and child exploitation.
Their motives range from financial gain to notoriety and ideology.
Subgroups like HackerCom and IRLCom have conducted high-profile cyber attacks, sold hacking
services, and even engaged in real-world violence like kidnapping, assault, and extortion. One particularly disturbing offshoot called 764 targets minors to produce child sexual
abuse material.
The group recruits minors to evade harsh penalties and shares tools across subgroups.
Internal disputes often escalate into cyber or physical attacks.
The FBI highlights the comms' growing sophistication and warns of its dangerous blend of online
and offline criminal activity.
SonicWall is urging users of its SMA 100 series appliances to patch a critical vulnerability
that allows remote code execution via arbitrary file uploads if attackers have
admin access.
While there's no sign of active exploitation yet, Sonic Wall warns that these devices are
already being targeted using stolen credentials.
Google researchers recently linked threat group UNC 6148 to attacks deploying the Overstep
rootkit and possibly Abyss ransomware.
Users should update immediately and check for signs of compromise.
A new supply chain attack has compromised several popular npm packages after attackers
phished developers using a fake site, npnjs.com, that mimicked the official node.js registry.
npm stands for node package manager, the default package manager for the node.js JavaScript runtime.
Phishing emails lured victims into entering credentials, allowing attackers to steal NPM tokens and publish malicious packaged versions
without GitHub changes, making detection harder.
The malware, dubbed Scavenger, deploys a stealthy DLL targeting Chromium-based browsers, stealing
cache data, extension information, and browser history.
It also disables Chrome security alerts.
Security firm Socket and others note the phishing campaign used
tokenized URLs to mimic legitimate login sessions, the attack likely
harvested emails from packaged metadata, and abused persistent NPM tokens.
With millions of downloads at risk, this marks a serious escalation
in open- source ecosystem threats.
Japanese police have released a free decryption tool for victims of the Phobos ransomware and its variant 8Base.
Phobos, active since 2018 as a ransomware as a service, has extorted millions from organizations worldwide. Recent international law enforcement actions including arrests
in Thailand and the seizure of 27 servers have crippled the group. Now with
the decrypter available via the No More Ransom project, past victims may recover
their files without paying ransoms. Authorities haven't disclosed how the tool was
developed, but credit recent intelligence operations.
Coming up after the break, Joe Carrigan discusses how scammers are exploiting
misconfigured point-of-sale terminals,
and AI takes the wheel and drives right off a cliff.
Stay with us. Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly nine out of ten data breaches, and once inside,
thereafter one thing, your data.
Varonis's AI-powered data security platform secures your data at scale.
Across LAS, SAS, and hybrid cloud environments.
Join thousands of organizations who trust Veronis
to keep their data safe.
Get a free data risk assessment at veronis.com.
Krogel is AI built for the enterprise SOC,
fully private, schema free, and capable of running in sensitive, air-gapped environments, Krogel autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows.
Krogl empowers analysts to act faster and focus on critical threats, replacing repetitive
triage with intelligent automation to help your SOC operate at scale with precision and
control.
Learn more at Krogl.com.
That's C-R-O-G-L.com.
And it is always my pleasure to welcome back to the show Joe Kerrigan.
He is my co-host over on the Hacking Humans podcast along with Maria Vermazes.
Joe, welcome back. Hi Dave. So, interesting little scam story that you have to share
with us here. This happens in some retail businesses. Right, this is coming
out of CTV News, which is a Canadian company, a Canadian news organization
from our friends in the Great White North, Dave. Okay. Apparently, there are, well, let me just,
we've all experienced this.
You walk into some small business, right?
Like maybe my favorite example of this
is the ice cream shop that I go to.
Okay.
And anybody looks at me and goes,
that guy likes ice cream.
Okay.
So I go in there and there's always this point of sale
terminal that they have to accept credit cards. So there are these companies and there's always this point of sale terminal that they have to accept
credit cards.
So there are these companies out there like Square, I believe they're called Block now,
that actually was started by Jack Dorsey from Twitter.
And then there are other companies like Clover and Toast that are named in the story.
So what these systems are, they're essentially turnkey
point of sale systems.
You buy the system, you sign up for the service,
and now you can accept credit cards
and they can do all your,
they do a lot of bookkeeping integration.
Really great for small businesses.
And instead of having a big cash register,
you have this thing that looks like a little,
Like an iPad.
Like an iPad, yeah. And then they turn it around and they say, would you like to like a little like an iPad like an iPad, right?
And then they turn it around they say would you like to leave a $25 or 25% tip, right?
And of course you can make that ethical decision on your own. I will not fault you for anything
Anyway, what's happening here is that there is a
Security problem with them in that the users
are not resetting the default passwords,
the default passwords that will allow you to have access
to do things like issue refunds.
So the store owners.
Store owners, correct.
Are not changing the default passwords.
Correct.
So like for example, there's one company in here,
the Suvlaki Hut in Toronto.
Somebody used the point of sale terminal
to issue a $2,000 refund to themselves.
Oh.
That is a lot of Suvlaki.
Yes it is.
He got my mouth watering.
That is a lot of Suvlaki.
Security footage shows the guy picking the terminal up
and trying to hide what he was doing,
then processing a manual refund.
The owner's son said they had no idea
the terminal could do that without oversight.
Yeah.
Which is interesting.
Right.
You think there'd be like a second factor
or a verification of a password?
There is, but it's a default.
Ah, there you go. And that's what's happening. I see. There is, but it's a default. There you go.
And that's what's happening.
I see.
There was another company, a man pretending to buy a teapot refunded himself $4,900.
I mean, these are not small amounts of money that are getting applied. harkens back to the old, age old problem,
and the problem that we've seen in IOT
and critical infrastructure stuff of default passwords.
And when you get a piece of equipment,
it doesn't matter if you're in business or at home,
you have to be able to change that default password.
And that has to be easy. You have to be able to change that default password and that has to be easy.
You have to know how to do it.
And what I'm saying here is this should be part
of your purchasing decision, right?
How do I change the default password?
Should be a question you ask the sales guy.
Right, when, yeah, if somebody's there getting you set up
and that sort of thing,
that should be top of your list of things to ask.
Yeah, yeah. So just make sure that you do that and you set up and that sort of thing. That should be top of your list of things to ask. Yeah.
Yeah.
So just make sure that you do that
when it's time to install one of these systems
and you can at least make this more difficult
for people to do.
Right.
That is one of the odd things about these terminals
that because they're so small and self-contained,
it's not like a big cash register
where there's a little tiny little like sub device
that handles the credit card taking or the, you know,
the swiping of whatever.
Yeah, it's the whole device.
The whole device.
They turn around, it's like inviting you behind the counter
to use the cash register yourself.
Right. Right?
That's what they're doing.
They turn that thing around.
Yeah.
Maybe I'll try to encourage people not to do that to me
and ask me for a tip by just saying,
oh, I'm gonna issue myself a $2,000 refund here.
And see what happens.
I'll probably wind up in jail.
That's why Joe was never invited back
to the comic book shop.
Right.
Right, right.
So I guess the recommendations here are obvious.
Right, change the default password.
And this doesn't just go for your point of sale systems. It really goes for everything Right, change the default password. And this doesn't just go for your point of sale systems,
it really goes for everything.
Just change the default password.
Yeah, and if you're running one of these,
just be vigilant.
And if you see somebody grab one of those things,
it's perfectly okay to,
I would say, snatch it out of their hands,
depending on what you feel comfortable doing,
maybe pulling the network plug,
stopping them from doing it. It's an interesting little evolution in scamming.
The convenience of these little devices is undeniable,
but as always, someone's discovered a way to exploit it.
Yeah, I don't know if this is scamming
or if this is more akin to just reaching around
and putting your hand in the register.
Yeah.
I think I'd call it robbery.
Right, right. Interesting.
All right. Well, we will have a link to that story in the show notes. Again, Joe Carrigan
is my co-host over on the Hacking Humans podcast, which if you are not listening to, you should
be. There you go. Joe, thanks so much for joining us. My pleasure, Dave. Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets,
screenshots and all those manual processes, you're right. GRC can be so much easier and it can
strengthen your security posture while actually driving revenue for your business. You know,
one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and
third-party risk, and even customer trust, so you're not buried under spreadsheets and
endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier
trust can be. Visit vanta.com slash
cyber to sign up today for a free demo. That's
vanta.com slash cyber.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because
it still works. It's been a few months now and I'm just as impressed today
as I was when I signed up.
Delete Me keeps finding and removing my personal information
from data broker sites and they keep me updated
with detailed reports so I know exactly
what's been taken down.
I'm genuinely relieved knowing my privacy isn't something
I have to worry about every day.
The DeleteMe team
handles everything. It's the set it and forget it piece of mind. And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees' personal
information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your Delete Me plan.
Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
And finally, welcome to the world of vibe coding, where developers let AI take the wheel
and sometimes drive straight off a cliff. Just ask Jason Lemkin, a seasoned VC, who learned the hard way when Replit's AI assistant
turned his database into digital dust.
Nine days into his project, the AI cheerfully admitted it had deleted the entire database
without permission, despite clear instructions not to touch a thing.
The assistant, ever helpful in its remorse, offered a step-by-step recap titled How This
Happened, which boiled down to it seeing empty queries, panicking, ignoring orders, and nuking
everything.
It even confirmed the loss wasn't limited to test data, this was live data from over
1200 companies.
The AI soberly assessed the damage as catastrophic beyond measure, which feels about right.
Replit's CEO has since issued refunds and promises of postmortems and recovery tools.
As for the AI, perhaps it's now being gently encouraged to pursue less
destructive hobbies, like Sudoku.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through August 31st.
There's a link in the show notes.
Please do check it out.
And 2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music
by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here, tomorrow. And now, a word from our sponsor ThreatLocker, the powerful zero-trust enterprise solution
that stops ransomware in its tracks.
AllowListing is a deny-by-default software that makes application control simple and
fast.
Ring fencing is an application containment strategy, ensuring apps can only access the
files, registry keys, network resources and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.