CyberWire Daily - Redacted realities: Inside the MoJ hack.

Episode Date: May 19, 2025

The UK’s Ministry of Justice suffers a major breach. Mozilla patches two critical JavaScript engine flaws in Firefox. Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed. Researchers track increased malicious targeting of iOS devices. A popular printer brand serves up malware. PupkinStealer targets Windows systems. An Alabama man gets 14 months in prison for a sim-swap attack on the SEC. Our guest is Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration. Ethical hackers win the day at Pwn2Own Berlin.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s Industry Voices segment, we are joined by Ian Tien, CEO at Mattermost, at RSAC 2025, who is sharing insights on enhancing cybersecurity through effective collaboration. Check out Ian’s blog on “What’s Next for Cybersecurity Teams? AI, Automation & Real-Time Workflows.” Listen to Ian’s interview here.

Selected Reading

Hackers steal 'significant amount of personal data' from Ministry of Justice in brazen cyber-attack (Daily Mail Online)
M&S and Co-Op: BBC reporter on talking to the hackers (BBC)
210K American clinics' patients had their financial data leaked (Cybernews)
480,000 Catholic Health Patients Impacted by Serviceaide Data Leak (SecurityWeek)
Over 40,000 iOS Apps Found Exploiting Private Entitlements, Zimperium (Hackread)
This printer company served you malware for months and dismissed it as false positives (Neowin)
Hack of SEC social media account earns 14-month prison sentence for Alabama man (The Record)
Hackers Earn Over $1 Million at Pwn2Own Berlin 2025 (SecurityWeek)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, Spy Cloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Starting point is 00:00:40 Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. The UK's Ministry of Justice suffers a major breach. Mozilla patches two critical JavaScript engine flaws in Firefox. Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed. Researchers track increased malicious targeting of iOS devices. A popular printer brand serves up malware. PupkinStealer targets Windows systems.
Starting point is 00:01:32 An Alabama man gets 14 months in prison for a sim swap attack on the SEC. Our guest is Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration. And ethical hackers win the day at Pwn2Own Berlin. It's Monday, May 19th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. Happy Monday. It is great to have you with us as always. In the UK, hackers breached the Ministry of Justice's systems in April, stealing a significant
Starting point is 00:02:37 amount of personal data from the Legal Aid Agency, the LAA. The stolen data may include names, addresses, birth dates, national insurance numbers, criminal records and financial details of legal aid applicants since 2010. While the attackers claim to have accessed 2.1 million records, this figure is unconfirmed. The breach was discovered on April 23rd, but its scale became clear on May 16. The LAA's digital services were taken offline. Officials blame long-standing vulnerabilities and mismanagement. The Ministry of Justice, working with national cybersecurity bodies,
Starting point is 00:03:19 urges past applicants to stay vigilant for fraud. The breach follows a wave of recent cyber attacks on UK firms like M&S, Co-op, and Dior, raising concerns about systemic digital security failures. Meanwhile, BBC cybersecurity journalist Joe Tidy received a tip on Telegram from hackers claiming responsibility for the cyberattacks on M&S and Co-op. Over a five-hour exchange, they provided data samples confirming their involvement. The hackers, likely linked to the ransomware group DragonForce, were frustrated that Co-op refused to pay the ransom.
Starting point is 00:03:59 After Tidy alerted Co-op, the company acknowledged the breach publicly. DragonForce operates a ransomware-as-a-service model, offering tools and support to cybercriminals in exchange for a cut of ransoms. Recently rebranded as a cartel, the group has been active since 2023. Though linked to numerous attacks, it remains silent on the retail hacks, possibly due to ransom payments. Some experts suggest the broader Scattered Spider collective may be behind the campaign, but their exact role remains unclear. Mozilla has issued an emergency security update for Firefox to patch two critical JavaScript engine flaws that allow remote code execution. Discovered by security researchers from Palo Alto Networks and Trend Micro's Zero Day Initiative,
Starting point is 00:04:50 the vulnerabilities involve out-of-bounds read-write issues in JavaScript objects. Attackers can exploit them by luring users to malicious websites, requiring minimal interaction. Mozilla urges users to update Firefox immediately to protect against potential system compromise. Over 210,000 patients of Georgia-based Harbin Clinic had sensitive data exposed in a breach linked to third-party vendor National Recovery Services (NRS). The breach, which occurred in July of 2024, targeted NRS, a debt collection service provider for Harbin. However, Harbin only began notifying affected individuals in May of this year, nearly 10 months later. Exposed
Starting point is 00:05:39 data includes names, addresses, Social Security numbers, birth dates, and financial account details. The delay and the severity of the stolen information raise concerns about identity theft and financial fraud risks. Harbin recommends affected individuals monitor their financial accounts but has not confirmed offering credit monitoring services. The clinic, headquartered in Rome, Georgia, runs multiple
Starting point is 00:06:05 locations statewide and employs over 1,400 staff. Elsewhere, Serviceaide, a California-based enterprise solutions provider, reported a data leak affecting over 483,000 Catholic Health patients to the Department of Health and Human Services. The breach involved an Elasticsearch database that was accidentally exposed online from September 19 through November 5, 2024. While there's no evidence the data was stolen, Serviceaide can't rule it out.
Starting point is 00:06:39 Exposed information includes names, Social Security numbers, medical and insurance details, and login credentials. Affected individuals are being offered 12 months of free identity protection services. A new report from Zimperium warns that iOS devices, often seen as secure, are increasingly targeted through side-loaded and unvetted apps. Attackers exploit flaws in iOS using tools like TrollStore and SeaShell, and vulnerabilities such as MacDirtyCow and KFD, to bypass Apple's protections. These apps may appear benign, but can exfiltrate data or compromise devices without detection. Zimperium found over 40,000 apps using private entitlements and over 800 using private APIs, posing serious risks.
Starting point is 00:07:33 Organizations, especially in regulated sectors, should adopt stricter app vetting, monitor permissions and detect side-loaded apps. Zimperium urges proactive defenses to counter these threats. Just because an app runs on iOS doesn't mean it's safe. Its behavior and origin matter more than its appearance. If you've bought a UV inkjet printer from the brand ProColored recently, you might want to scan your system for malware.
Starting point is 00:08:05 YouTuber Cameron Coward, known for his DIY tech reviews, first raised the alarm while reviewing a $6,000 printer. His antivirus flagged threats on the included USB device, specifically a worm and Floxif, a file infector. When ProColored dismissed this as a false positive, Coward turned to Reddit, catching the attention of cybersecurity firm G DATA. Their investigation found malware, including a backdoor and a crypto-stealing trojan called SnipVex, in official ProColored software downloads.
Starting point is 00:08:41 G DATA traced around $100,000 in stolen bitcoin linked to SnipVex. ProColored later admitted malware might have been introduced via USB and has since cleaned up its downloads. Experts now urge users to scan their systems and consider full reinstallation if infected. PupkinStealer is a newly discovered information-stealing malware written in C# and first observed in April of this year. Lightweight and lacking advanced evasion tactics, it targets Windows systems to steal browser credentials, messaging app sessions like Telegram and Discord, desktop files, and screenshots. The malware exfiltrates data using Telegram's bot API, allowing it to hide within legitimate traffic.
Starting point is 00:09:31 Despite its simplicity, PupkinStealer is effective, compressing stolen data into a zip archive enriched with system metadata. It operates without persistence mechanisms, suggesting a quick hit-and-run strategy. Researchers believe it may be distributed via malware-as-a-service and linked to a developer using the alias Ardent, possibly of Russian origin. The malware highlights a growing trend of cybercriminals exploiting legitimate services like Telegram for stealthy attacks, posing risks to e-commerce and individual users alike.
Starting point is 00:10:09 Eric Council Jr., a 25-year-old from Alabama, has been sentenced to 14 months in prison for a sim swap attack that compromised the SEC's X, formerly Twitter, account in January of 2024. Mr. Council used a fake ID to obtain a replacement SIM card tied to a government phone linked to the SEC account. He then activated the card, retrieved a password reset code, and passed it to a co-conspirator. The hacker posted a false statement claiming SEC approval of Bitcoin ETFs, briefly spiking Bitcoin prices by over $1,000 before a $2,000 drop when the post was debunked. Council, who was paid $50,000 for his role, pleaded guilty to identity theft and fraud.
Starting point is 00:10:59 He must also forfeit the payment and will be on supervised release for three years post-prison with internet restrictions. Coming up after the break, my conversation with Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration. And ethical hackers win the day at Pwn2Own Berlin. Stay with us. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:11:57 If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have.
Starting point is 00:12:30 According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at Vanta.com slash cyber. Worry about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. So if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed
Starting point is 00:13:40 for a range of proactive resilience activities. Find out more at cyber.care slash cyberwire. Ian Tien is CEO at Mattermost. I caught up with him on the show floor of the RSAC 2025 conference. In today's sponsored industry insights segment, he shares insights on enhancing cybersecurity through effective collaboration.
Starting point is 00:14:16 And I am pleased to be joined here at RSAC 2025 with Ian Tien. He is the CEO of Mattermost. Welcome, thanks for joining us here today. Thank you so much. Well, before we dig into our topic here, what is your impression of the show so far? It hasn't been open very long, but there's certainly a lot of energy here on the show floor. That's fantastic. Seeing a lot of old friends, making new friends. Just love the energy of the show. Everyone's got the late night events
Starting point is 00:14:45 and the sort of early morning coffees. So everyone's being a champ here. It's excellent. So for folks who aren't familiar with the company, can you give us a brief description of what you all do at Mattermost? Excellent. So Mattermost is a secure communications
Starting point is 00:14:57 and workflow solution for critical infrastructure. So think about anything you need in daily life. You need energy, you need security, you need defense, you need manufacturing, all those critical infrastructure industries need a different type of workflow and collaboration, and that's what we provide. Well, let's talk about collaboration.
Starting point is 00:15:14 Why is that so critical to the folks that you're helping out? So if you have a mission critical situation, you have to run if the power is out. You have to run if the internet is out. If you go down then, or if you're breached or you have an outage, then there's follow-on effects for other systems and for society in general.
Starting point is 00:15:31 So, you know, if something has to work, it's got to be built in a certain way where you can communicate even in sort of unforeseen circumstances. Well, help me understand how that plays out in the real world. Can you give us an example of how that collaborative network would apply in the real world? Yeah, absolutely. So a lot of things right now are very interconnected, right? We've kind of
Starting point is 00:15:52 moved to a software as a service and sort of an international view and saying, hey, we're gonna work with all these different SaaS providers and it's great because it's more efficient and you have like bigger security teams in these systems. But what happens is there can be outages of those systems and if it's downstream, everyone's affected. If one system goes down, all these others sort of topple as well, then it becomes a real issue. And if you're mission critical, you can't take that risk.
Starting point is 00:16:18 I think everyone remembers the CrowdStrike outage last year, which got down airlines and all these display systems and communication systems. So that's an example. If you take critical infrastructure and if it stops working, people can't move, first responders can't act. So mission critical systems need a separate architecture.
Starting point is 00:16:38 Very often on-premise or managed by a partner that says, hey, if this main system goes down or is breached, I can still operate and I can still respond to that emergency. Well, I mean, speaking of which, as we're recording here today, just yesterday, major power outage in Spain and Portugal. Turns out it was not a cyber attack, but the downstream effects of something like that were really clear. There was telecommunications and travel and all those sorts of things.
Starting point is 00:17:06 When you look at an event like that, what are your thoughts? Yeah, absolutely. So we serve the energy space, and very often you'll have electric utilities that have, you know, they'll use a general collaboration solution to like, oh, coordinate, and here's some PowerPoint presentations,
Starting point is 00:17:20 and that's all fine. When there's a critical incident, it's the frontline workers, it's the senior managers, and even the C-suite that get real-time updates that can marshal resources across the enterprise to really respond to that outage. And you can't do that if your primary system
Starting point is 00:17:36 is running on the electric grid that has the outage. So there's going to be the primary, and then there's going to be the emergency, alternate, contingency systems. And that's part of a mature critical infrastructure organization is going to have that across the world. Here in the U.S., domestically as well as internationally. Are there common misconceptions or shortcomings that you run into when you're working with
Starting point is 00:18:00 people or is it fair to call them blind spots? Yeah, so some folks, you know, it's really about strategic foresight. It's like until you're in an emergency, like very often you can't foresee it, right? So there's this concept of table topping with your security procedures. You're saying, okay, here's a table.
Starting point is 00:18:17 We're going to imagine what happens if certain things come to pass. And now you have to tabletop. Well, what happens if our primary communication system is breached or has an intrusion? What typically happens is you go on WhatsApp or you go on Signal and you're like, okay, we have to respond.
Starting point is 00:18:31 We can't use the primary system that has a potential intrusion. Let's take screenshots of our logs. Let's go use these systems to chat and communicate and get on calls. What happens is you hopefully solve the solution, but you've gone outside the main system for security, but now you've got all this information floating around on people's devices. If they leave your organization, there it goes.
Starting point is 00:18:52 You might be secure, maybe it's got end-to-end encryption, but it's not compliant because you have the data that's going to move around. It is no longer under enterprise control. So those are kind of the blind spots, and people, and they're saying, okay, they don't see it until it actually happens. They don't see it until the primary system is compromised and now they've got a they've got you know an
Starting point is 00:19:11 emergency situation and they have a to-do list of like okay we need to not do that in future. We need a secondary system. We need an emergency to count comms and that's where that's how this kind of space evolves. It's like you know the the saying is it's really the battle scars that you have that really shape a lot of the critical destruction in the world. Right, right, right. What's that old saying about
Starting point is 00:19:32 commsies don't make good sailors? Yeah. We heard that one. Yeah. Well, and for you all, collaboration is not just the tools that you're providing for people. I mean, you all collaborate with some of the biggest,
Starting point is 00:19:45 most well-known names in cyber. Yeah, absolutely. So a lot of, we don't talk very, we work with a lot of national security and critical infrastructure. So a lot of the organizations that respond to critical instance, that set policies that are really, it's really important for them to always be running.
Starting point is 00:20:02 And also another aspect is to have complete privacy on their information. So we absolutely work with some of the largest most important organizations in the world. And it's so important for them to be able to operate and have full control of their communications and data and workflow. Is there a part for things like open source software to play in this equation?
Starting point is 00:20:23 Yeah, absolutely. So open source is so important what we do because of its ability to adapt to any situation as well as be resilient and independent. So right now it's April 2025 and there's tabletopping right now happening around the world. I came from Tokyo, I came from Singapore, I'm in DC and there's tablet, well, what happens if we have supply chain disruption in our digital services? What if there's some ruling, you know, whether it's in different regulations that say, hey, we actually have to be sovereign. How could we be sovereign?
Starting point is 00:20:54 How do we have a supply chain that we operate that's going to be resilient for us? So, Mattermost being open source and being in control, having our customers in control, they can see our source code, they can scan everything and understand, hey, this is going to work for us no matter what, is critically important.
Starting point is 00:21:12 A lot, there's this pendulum has swung to more sovereignty. There's a mix. There's always going to be interdependence in SaaS services, but there's got to be a portion that you have full control over. Right. That visibility that you provide them with gives, I suppose, gives them a level of confidence. They can trust but verify. Yes, yeah. And verify to trust.
Starting point is 00:21:36 Yeah, yeah. What are your recommendations for people who are beginning this journey? They know this is something they need to pay more attention to. Maybe it's a little intimidating. What's the best place to begin? Yeah, I think really, you know, it's tabletopping. Mattermost is open source. We've got our documentation fully open.
Starting point is 00:21:54 We can show you reference architectures. You might use a reference architecture. You might use some other product, that's totally fine. Our biggest competitor is actually custom-built systems for defense and government, you know, for specific nations. And what we do is say, you can build it yourself or you can use our platform, which is open source, which is highly configurable and maintained.
Starting point is 00:22:13 We'll stand behind it, we'll do CVEs, we're doing caching, and we have a roadmap that constantly delivers value. But the reference architecture and how you lay out your system for critical infrastructure can be used by anyone. So you can check out Mattermost, you can check out our open source code, you can decide if you want to buy or if you want to build.
Starting point is 00:22:30 Okay. All right, well I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share? Yeah, thanks. I think, you know, one realization that we've seen
Starting point is 00:22:42 with our communities around the world is that all software is on-premise and the cloud is a social construct created to trust operations and data to someone else's infrastructure. So the world was kind of realizing that and you're saying, okay well how do I think about the portion of my world which is outsourced in SAS which is fine but everyone needs that portion that they have full control over. So I'll leave you with that idea, is that this is the way that the world is going,
Starting point is 00:23:11 and I don't know if we're ever going to fully go back to 100 percent trust in outsourcing the complete systems for critical infrastructure. Oh, interesting. All right. Well, Ian, thank you so much for taking the time for us today. Yeah, thank you so much. It's a pleasure. That's Ian Tian, CEO at Mattermost. And finally, at Pwn to Own Berlin 2025, cybersecurity talent took center stage, with over $1 million awarded to ethical hackers who uncovered 28 zero-day vulnerabilities across a broad spectrum
Starting point is 00:24:01 of technologies. Hosted by Trend Micro's Zero Day Initiative, the event celebrated the skills of White Hat researchers who earned $1,078,750 for exploits targeting systems from AI platforms to virtualization software. Making history, Star Labs SG scored the competition's largest single payout, $150,000, for the first-ever VMware ESXi hack.
Starting point is 00:24:31 They ultimately walked away with $320,000 and the win. AI was featured for the first time, with $140,000 awarded for hacks on tools like NVIDIA's Triton inference server, Mozilla responded swiftly to $50,000 worth of Firefox vulnerabilities issuing patches the same day. The event was a powerful reminder of the value and necessity of ethical hacking in today's digital world. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Starting point is 00:25:24 Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:25:55 N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltsman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they
Starting point is 00:27:08 keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats.
Starting point is 00:27:37 And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
