CyberWire Daily - Redacted realities: Inside the MoJ hack.
Episode Date: May 19, 2025

The UK's Ministry of Justice suffers a major breach. Mozilla patches two critical JavaScript engine flaws in Firefox. Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed. Researchers track increased malicious targeting of iOS devices. A popular printer brand serves up malware. PupkinStealer targets Windows systems. An Alabama man gets 14 months in prison for a SIM-swap attack on the SEC. Our guest is Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration. Ethical hackers win the day at Pwn2Own Berlin.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today's Industry Voices segment, we are joined by Ian Tien, CEO at Mattermost, at RSAC 2025, who is sharing insights on enhancing cybersecurity through effective collaboration. Check out Ian's blog on "What's Next for Cybersecurity Teams? AI, Automation & Real-Time Workflows." Listen to Ian's interview here.

Selected Reading

Hackers steal 'significant amount of personal data' from Ministry of Justice in brazen cyber-attack (Daily Mail Online)
M&S and Co-Op: BBC reporter on talking to the hackers (BBC)
210K American clinics' patients had their financial data leaked (Cybernews)
480,000 Catholic Health Patients Impacted by Serviceaide Data Leak (SecurityWeek)
Over 40,000 iOS Apps Found Exploiting Private Entitlements, Zimperium (Hackread)
This printer company served you malware for months and dismissed it as false positives (Neowin)
Hack of SEC social media account earns 14-month prison sentence for Alabama man (The Record)
Hackers Earn Over $1 Million at Pwn2Own Berlin 2025 (SecurityWeek)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com/cyberwire and see what attackers already know.
That's spycloud.com/cyberwire.
The UK's Ministry of Justice suffers a major breach.
Mozilla patches two critical JavaScript engine flaws in Firefox.
Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed.
Researchers track increased malicious targeting of iOS devices.
A popular printer brand serves up malware. PupkinStealer targets Windows systems.
An Alabama man gets 14 months in prison for a SIM-swap attack on the SEC.
Our guest is Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration.
And ethical hackers win the day at Pwn2Own Berlin. It's Monday, May 19th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us.
Happy Monday.
It is great to have you with us as always.
In the UK, hackers breached the Ministry of Justice's systems in April, stealing a significant
amount of personal data from the Legal Aid Agency, the LAA.
The stolen data may include names, addresses, birth dates, national insurance numbers, criminal
records and financial details of legal aid applicants since 2010.
While the attackers claim to have accessed 2.1 million records, this figure is unconfirmed.
The breach was discovered on April 23rd, but its scale became clear on May 16.
The LAA's digital services were taken offline.
Officials blame long-standing vulnerabilities and mismanagement.
The Ministry of Justice, working with national cybersecurity bodies,
urges past applicants to stay vigilant for fraud.
The breach follows a wave of recent cyber attacks on UK firms like M&S, Co-op, and Dior, raising
concerns about systemic digital security failures.
Meanwhile, BBC cybersecurity journalist Joe Tidy received a tip on Telegram from hackers
claiming responsibility for the cyberattacks on M&S and Co-op.
Over a five-hour exchange, they provided data samples confirming their involvement.
The hackers, likely linked to the ransomware group DragonForce,
were frustrated that Co-op refused to pay the ransom.
After Tidy alerted Co-op, the company acknowledged the breach publicly.
DragonForce operates a ransomware-as-a-service model, offering tools and support to cybercriminals in exchange for a cut of ransoms.
Recently rebranded as a cartel, the group has been active since 2023.
Though linked to numerous attacks, it remains silent on the retail hacks, possibly due to ransom payments.
Some experts suggest the broader Scattered Spider collective may be behind the campaign,
but their exact role remains unclear.
Mozilla has issued an emergency security update for Firefox to patch two critical JavaScript engine flaws that allow remote code execution.
Discovered by security researchers from Palo Alto Networks and Trend Micro's Zero Day Initiative,
the vulnerabilities involve out-of-bounds read-write issues in JavaScript objects.
Attackers can exploit them by luring users to malicious websites, requiring minimal interaction.
Mozilla urges users to update Firefox immediately to protect against potential system compromise.
Over 210,000 patients of Georgia-based Harbin Clinic had sensitive data exposed in a breach linked to third-party vendor National Recovery Services (NRS).
The breach, which occurred in July of 2024, targeted NRS, a debt collection service provider for Harbin.
However, Harbin only began notifying affected individuals in May of this year, nearly 10 months later.
Exposed data includes names, addresses, Social Security numbers, birth dates, and financial account details.
The delay and the severity of the stolen information raise concerns about identity theft and financial
fraud risks.
Harbin recommends affected individuals monitor their financial accounts but has not confirmed
offering credit monitoring services.
The clinic, headquartered in Rome, Georgia, runs multiple
locations statewide and employs over 1,400 staff.
Elsewhere, Serviceaide, a California-based enterprise solutions provider, reported a data leak affecting over
483,000 Catholic Health patients to the Department of Health and Human Services.
The breach involved an Elasticsearch database that was accidentally exposed online from
September 19 through November 5, 2024.
While there's no evidence the data was stolen, Serviceaide can't rule it out.
Exposed information includes names, social security numbers, medical and insurance details,
and login credentials.
Affected individuals are being offered 12 months of free identity protection services.
A new report from Zimperium warns that iOS devices, often seen as secure, are increasingly
targeted through side-loaded and unvetted apps.
Attackers exploit flaws in iOS using tools like TrollStore and SeaShell, and vulnerabilities
such as MacDirtyCow and KFD, to bypass Apple's protections.
These apps may appear benign, but can exfiltrate data or compromise devices without detection.
Zimperium found over 40,000 apps using private entitlements and over 800 using private APIs, posing serious risks.
Organizations, especially in regulated sectors, should adopt stricter app vetting, monitor
permissions and detect side-loaded apps.
Zimperium urges proactive defenses to counter these threats.
Just because an app runs on iOS doesn't mean it's safe.
Its behavior and origin matter more than its appearance.
If you've bought a UV inkjet printer
from the brand ProColored recently,
you might want to scan your system for malware.
YouTuber Cameron Coward, known for his DIY tech reviews, first raised the alarm while
reviewing a $6,000 printer.
His antivirus flagged threats on the included USB device, specifically a worm and Floxif,
a file infector.
When ProColored dismissed this as a false positive, Coward turned to Reddit, catching
the attention of cybersecurity firm G DATA.
Their investigation found malware, including a backdoor and a crypto-stealing trojan called
SnipVex, in official ProColored software downloads.
G DATA traced around $100,000 in stolen bitcoin linked to SnipVex.
ProColored later admitted malware might have been introduced via USB and has since cleaned up its downloads.
Experts now urge users to scan their systems and consider full reinstallation if infected.
PupkinStealer is a newly discovered information-stealing malware written in C# and first
observed in April of this year.
Lightweight and lacking advanced evasion tactics, it targets Windows systems to steal browser
credentials, messaging app sessions like Telegram and Discord, desktop files, and screenshots.
The malware exfiltrates data using Telegram's bot API, allowing it to hide within legitimate traffic.
Despite its simplicity, PupkinStealer is effective, compressing stolen data into a
zip archive enriched with system metadata.
It operates without persistence mechanisms, suggesting a quick hit-and-run strategy.
Researchers believe it may be distributed via malware as a service and linked to a developer
using the alias Ardent, possibly of Russian origin.
The malware highlights a growing trend of cybercriminals exploiting legitimate services
like Telegram for stealthy attacks, posing risks to e-commerce and individual
users alike.
Eric Council Jr., a 25-year-old from Alabama, has been sentenced to 14 months in prison
for a SIM-swap attack that compromised the SEC's X (formerly Twitter) account in January of 2024.
Mr. Council used a fake ID to obtain a replacement
SIM card tied to a government phone linked to the SEC account. He then activated the
card, retrieved a password reset code, and passed it to a co-conspirator. The hacker
posted a false statement claiming SEC approval of Bitcoin ETFs, briefly spiking Bitcoin prices by over
$1,000 before a $2,000 drop when the post was debunked.
Council, who was paid $50,000 for his role, pleaded guilty to identity theft and fraud.
He must also forfeit the payment and will be on supervised release for three years post-prison with internet
restrictions.
Coming up after the break, my conversation with Ian Tien, CEO at Mattermost, sharing
insights on enhancing cybersecurity through effective collaboration.
And ethical hackers win the day at Pwn2Own Berlin.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program
on track, you're not alone. But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even
helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity, check out Vanta and bring
some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be.
Get started at Vanta.com/cyber.
Worry about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected.
So if an incident occurs, your response is optimal. Get priority access to deeply experienced responders,
digital investigators, legal and crisis PR experts,
ransom negotiators, trauma counselors, and much more.
The best part? 100% of unused response time can be repurposed
for a range of proactive resilience activities.
Find out more at cyber.care slash cyberwire.
Ian Tien is CEO at Mattermost.
I caught up with him on the show floor
of the RSAC 2025 conference.
In today's sponsored industry insights segment,
he shares insights on enhancing cybersecurity
through effective collaboration.
And I am pleased to be joined here at RSAC 2025
with Ian Tien.
He is the CEO of Mattermost.
Welcome, thanks for joining us here today.
Thank you so much.
Well, before we dig into our topic here, what is your impression of the show so far?
It hasn't been open very long, but there's certainly a lot of energy here on the show floor.
That's fantastic. Seeing a lot of old friends, making new friends. Just love the energy of the show.
Everyone's got the late night events
and the sort of early morning coffees.
So everyone's being a champ here.
It's excellent.
So for folks who aren't familiar with the company,
can you give us a brief description
of what you all do at Mattermost?
Excellent.
So Mattermost is a secure communications
and workflow solution for critical infrastructure.
So think about anything you need in daily life.
You need energy, you need security, you need defense,
you need manufacturing,
all those critical infrastructure industries
need a different type of workflow and collaboration,
and that's what we provide.
Well, let's talk about collaboration.
Why is that so critical to the folks
that you're helping out?
So if you have a mission critical situation,
you have to run if the power is out.
You have to run if the internet is out.
If you go down then, or if you're breached
or you have an outage, then there's follow-on effects
for other systems and for society in general.
So, you know, if something has to work,
it's got to be built in a certain way
where you can communicate even in sort of
unforeseen circumstances.
Well, help me understand how that plays out
in the real world.
Can you give us an example of how that collaborative network would apply in the real world?
Yeah, absolutely. So a
lot of things right now are very interconnected, right? We've kind of
moved to a software as a service and sort of an international view and saying,
hey, we're gonna work with all these different SaaS providers and it's great
because it's more efficient and you have like bigger security teams in these
systems. But what happens is there can be outages of those systems
and if it's downstream, everyone's affected.
If one system goes down, all these others
sort of topple as well, then it becomes a real issue.
And if you're mission critical, you can't take that risk.
I think everyone remembers the CrowdStrike outage
last year, which got down airlines
and all these display systems and communication
systems.
So that's an example.
If you take critical infrastructure and if it stops working, people can't move, first
responders can't act.
So mission critical systems need a separate architecture.
Very often on-premise or managed by a partner that says, hey, if this main system goes down
or is breached, I can still
operate and I can still respond to that emergency.
Well, I mean, speaking of which, as we're recording here today, just yesterday, major
power outage in Spain and Portugal.
Turns out it was not a cyber attack, but the downstream effects of something like that
were really clear.
There was telecommunications and travel and all those sorts of things.
When you look at an event like that,
what are your thoughts?
Yeah, absolutely.
So we serve the energy space,
and very often you'll have electric utilities that have,
you know, they'll use a general collaboration solution
to like, oh, coordinate,
and here's some PowerPoint presentations,
and that's all fine.
When there's a critical incident,
it's the frontline workers,
it's the senior managers,
and even the C-suite that get real-time updates
that can marshal resources across the enterprise
to really respond to that outage.
And you can't do that if your primary system
is running on the electric grid that has the outage.
So there's going to be the primary,
and then there's going to be the emergency,
alternate, contingency systems.
And that's part of a mature critical infrastructure organization is going to have that across
the world.
Here in the U.S., domestically as well as internationally.
Are there common misconceptions or shortcomings that you run into when you're working with
people or is it fair to call them blind spots?
Yeah, so some folks, you know,
it's really about strategic foresight.
It's like until you're in an emergency,
like very often you can't foresee it, right?
So there's this concept of table topping
with your security procedures.
You're saying, okay, here's a table.
We're going to imagine what happens
if certain things come to pass.
And now you have to tabletop.
Well, what happens if our primary communication system
is breached or has an intrusion?
What typically happens is you go on WhatsApp or you go on
Signal and you're like, okay, we have to respond.
We can't use the primary system that has a potential intrusion.
Let's take screenshots of our logs.
Let's go use these systems to chat and communicate and get on calls.
What happens is you hopefully solve the solution,
but you've gone outside
the main system for security, but now you've got
all this information floating around on people's devices.
If they leave your organization, there it goes.
You might be secure, maybe it's got end-to-end encryption,
but it's not compliant because you have the data
that's going to move around.
It is no longer under enterprise control.
So those are kind of the blind spots,
and people, and they're saying, okay,
they don't see it until it actually happens. They don't see it until the
primary system is compromised, and now they've got, you know, an
emergency situation, and they have a to-do list of, like, okay, we need to not
do that in future. We need a secondary system. We need emergency
comms. And that's how this kind of space evolves. It's like, you
know, the saying is, it's really the battle scars that you have
that really shape a lot of the critical infrastructure
in the world.
Right, right, right.
What's that old saying about
calm seas don't make good sailors?
Yeah.
We heard that one.
Yeah.
Well, and for you all,
collaboration is not just the tools
that you're providing for people.
I mean, you all collaborate with some of the biggest,
most well-known names in cyber.
Yeah, absolutely.
So a lot of, we don't talk very,
we work with a lot of national security
and critical infrastructure.
So a lot of the organizations that respond
to critical incidents, that set policies, that are really,
it's really important for them to always be running.
And also another aspect is to have
complete privacy on their information.
So we absolutely work with some of
the largest most important organizations in the world.
And it's so important for them to be able to operate and have
full control of their communications and data and workflow.
Is there a part for things like
open source software to play in this equation?
Yeah, absolutely. So open source is so important what we do because of its ability to adapt
to any situation as well as be resilient and independent. So right now it's April 2025
and there's tabletopping right now happening around the world. I came from Tokyo, I came from
Singapore, I'm in DC, and there's tabletopping: well, what happens if we have supply chain disruption in our digital services?
What if there's some ruling, you know,
whether it's in different regulations that say,
hey, we actually have to be sovereign.
How could we be sovereign?
How do we have a supply chain that we operate
that's going to be resilient for us?
So, Mattermost being open source and being in control,
having our customers in control,
they can see our source code,
they can scan everything and understand,
hey, this is going to work for us no matter
what is critically important.
A lot, there's this pendulum has swung to more sovereignty.
There's a mix. There's always going to be
interdependence in SaaS services,
but there's got to be a portion that you have full control over.
Right. That visibility that you provide them with
gives, I suppose, gives them a level of confidence.
They can trust but verify.
Yes, yeah. And verify to trust.
Yeah, yeah.
What are your recommendations for people who are beginning this journey?
They know this is something they need to pay more attention to.
Maybe it's a little intimidating.
What's the best place to begin?
Yeah, I think really, you know,
it's tabletopping. Mattermost is open source.
We've got our documentation fully open.
We can show you reference architectures.
You might use a reference architecture.
You might use some other product that's totally fine.
Our biggest competitor is actually custom built systems
for defense and government, you know, for specific nations.
And what we do is say, you can build it yourself
or you can use our platform, which is open source,
which is highly configurable and maintained.
We'll stand behind it, we'll do CVEs, we're doing caching,
and we have a roadmap that constantly delivers value.
But the reference architecture and how you lay out
your system for critical infrastructure
can be used by anyone.
So you can check out Mattermost, you can check out
our open source code, you can decide if you want to buy
or if you want to build.
Okay.
All right, well I think I have everything I need
for our story here.
Is there anything I missed?
Anything I haven't asked you that you think
it's important to share?
Yeah, thanks.
I think, you know, one realization that we've seen
with our communities around the world is that
all software is on-premise and the cloud is a social construct created to trust
operations and data to someone else's infrastructure.
So the world was kind of realizing that and you're saying, okay, well, how
do I think about the portion of my world which is outsourced in SaaS,
which is fine, but everyone needs that portion that they have full control over.
So I'll leave you with that idea,
is that this is the way that the world is going,
and I don't know if we're ever going to fully go back to
100 percent trust in
outsourcing the complete systems for critical infrastructure.
Oh, interesting. All right. Well, Ian,
thank you so much for taking the time for us today.
Yeah, thank you so much. It's a pleasure.
That's Ian Tien, CEO at Mattermost.
And finally, at Pwn2Own Berlin 2025, cybersecurity talent took center stage,
with over $1 million awarded to ethical hackers who uncovered 28 zero-day vulnerabilities across a broad spectrum
of technologies.
Hosted by Trend Micro's Zero Day Initiative,
the event celebrated the skills of White Hat researchers
who earned $1,078,750 for exploits targeting systems
from AI platforms to virtualization software.
Making history, STAR Labs SG scored the competition's
largest single payout, $150,000, for the first-ever
VMware ESXi hack.
They ultimately walked away with $320,000 and the win.
AI was featured for the first time, with $140,000 awarded for hacks on tools like NVIDIA's Triton
inference server.
Mozilla responded swiftly to $50,000 worth of Firefox vulnerabilities, issuing patches the same day.
The event was a powerful reminder of the value and necessity of ethical
hacking in today's digital world.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm
Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.