CyberWire Daily - Reflections in a broken vault.

Episode Date: August 8, 2025

Researchers uncover multiple vulnerabilities in a popular open-source secrets manager. Software bugs threaten satellite safety. Columbia University confirms a cyberattack. Researchers uncover malicious NPM packages posing as WhatsApp development tools. A new EDR killer tool is being used by multiple ransomware gangs. Home Improvement stores integrate AI license plate readers into their parking lots. The U.S. federal judiciary announces new cybersecurity measures after cyberattacks compromised its case management system. CISA officials reaffirm their commitment to the CVE Program. Our guest is David Wiseman, Vice President of Secure Communications at BlackBerry, discussing the challenges of secure communications. AI watermarking breaks under spectral pressure. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by David Wiseman, Vice President of Secure Communications at BlackBerry, who is discussing the challenges and misconceptions around secure communications.

Selected Reading
HashiCorp Vault 0-Day Flaws Enable Remote Code Execution Attacks (GB Hackers)
Yamcs v5.8.6 Vulnerability Assessment (VisionSpace)
Columbia University says hacker stole SSNs and other data of nearly 900,000 (The Record)
Fake WhatsApp developer libraries hide destructive data-wiping code (Bleeping Computer)
New EDR killer tool used by eight different ransomware groups (Bleeping Computer)
Home Depot and Lowe's Share Data From Hundreds of AI Cameras With Cops (404 Media)
US Federal Judiciary Tightens Security Following Escalated Cyber-Attacks (Infosecurity Magazine)
CISA pledges to continue backing CVE Program after April funding fiasco (The Record)
CISA Issues 10 ICS Advisories Detailing Vulnerabilities and Exploits (GB Hackers)
AI Watermark Remover Defeats Top Techniques (IEEE Spectrum)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. Researchers uncover multiple vulnerabilities in a popular open-source secrets
Starting point is 00:01:00 manager. Software bugs threaten satellite safety. Columbia University confirms a cyber attack. Researchers uncover malicious NPM packages posing as WhatsApp development tools. A new EDR killer tool is being used by multiple ransomware gangs. Home improvement stores integrate AI license plate readers into their parking lots. The U.S. Federal Judiciary announces new cybersecurity measures after cyber attacks compromised its case management system. CISA officials reaffirmed their commitment to the CVE program. Our guest is David Wiseman from BlackBerry discussing the challenges of secure communications and AI watermarking breaks under spectral pressure.
Starting point is 00:01:51 It's Friday, August 8, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. Researchers at Sciata uncovered nine vulnerabilities in HashiCorp Vault, a popular open-source secrets manager. These flaws, eight of which are now patched, allowed attackers to bypass authentication, escalate privileges, and even execute remote code. The bugs stem from logic errors in Vault's core components, including authentication, MFA,
Starting point is 00:02:41 and plugin handling. Some exploits, like case variations in usernames, bypass lockouts or MFA. Others abuse policy normalization to gain root access or trick Vault's trust model using forged certificates. The most severe enables RCE by uploading malicious plug-ins via the audit log system, a flaw hiding in plain sight for nearly a decade. Affecting both open-source and enterprise editions, the report highlights the importance of patching, tight configuration, and strong identity enforcement to prevent full infrastructure compromise. Anti-satellite missiles may be flashy, but hacking is the new space warfare.
Starting point is 00:03:27 While four nations have tested kinetic anti-satellite weapons, it turns out knocking a satellite offline could be as simple as exploiting bad code. At this year's Black Hat conference, researchers from VisionSpace Technologies demonstrated just how easy it is to hijack a satellite or its ground station using known software vulnerabilities. To break down what they found and what it means for satellite security and the growing space economy, here's our own Maria Varmazis. Our top story comes from the world of space cybersecurity, because right now it is a very special time in Las Vegas for cybersecurity professionals. It's affectionately known as Hacker Summer Camp,
Starting point is 00:04:09 a mega week of professional conferences in Las Vegas, including major events like Black Hat and DEF CON, where researchers often share key findings from their work. This year's Black Hat Conference included a major finding in the realm of space cybersecurity from researchers at VisionSpace Technologies, according to a new piece from The Register. The researchers found a number of vulnerabilities, some rated critical,
Starting point is 00:04:33 in a number of software that is heavily used in the space industry on board satellites as well as in ground stations. And those include CryptoLib, Yamcs, OpenC3 COSMOS, and NASA's Core Flight System Aquila. During their Black Hat presentation, the VisionSpace researchers simulated being able to send an unauthorized command to fire a satellite's thrusters and immediately change its course. Another vulnerability that they found, when exploited using an unauthenticated telephone,
Starting point is 00:05:02 could completely crash a satellite's onboard software, forcing it to reboot and in some cases fully reset. VisionSpace showed that other flaws that they discovered in spaceflight system software allowed for remote code executions, denial of service attacks, credential leakage, cross-site scripting attacks, or even granted full code execution permissions. It is crucial to note here that the researchers responsibly disclosed these vulnerabilities with the software owners, and the vulnerabilities have subsequently been remediated prior to the Black Hat presentation. In plain language, there are fixes for all of these problems. And we will have links to the full research posts from VisionSpace in the show notes for you, which includes more detail on their research, along with the specific
Starting point is 00:05:46 CVEs for these vulnerabilities, if that is information that you need. That's Maria Varmazis, host of the T-Minus Daily Space podcast. Columbia University has confirmed a cyber attack that exposed personal data of nearly 870,000 individuals. The breach, discovered in late June, affected social security numbers, contact details, academic records, financial aid, and health insurance information. The hackers accessed systems in mid-May and stole data to allegedly support a political agenda opposing affirmative action. While patient data at Columbia's Medical Center was untouched,
Starting point is 00:06:29 the attack disrupted IT systems campus-wide. The university is offering two years of free credit monitoring to those impacted. Researchers at Socket have uncovered two malicious NPM packages posing as WhatsApp development tools that contain destructive data wiping code. These packages, still live on NPM, have been downloaded over 1,100 times and mimic legitimate WhatsApp bot libraries. A hidden function fetches a JSON-KillSwitch list from GitHub, sparing specific Indonesian phone numbers. If not on the list, a package executes and recursively deletes local files.
Starting point is 00:07:12 Though currently inactive, the code includes a commented-out data exfiltration feature. Additional packages by the same publisher could turn malicious with future updates. Meanwhile, Socket also identified 11 malicious Go packages using obfuscated code to run remote payloads in memory. Most are still active, primarily targeting CI servers and Windows machines. Developers are urged to double-check dependencies for hidden threats. A new EDR killer tool, seen as the successor to EDRKillShifter, is being used by eight ransomware gangs, including RansomHub, Medusa, and Qilin. The tool disables antivirus and security tools on compromised systems,
Starting point is 00:08:00 helping attackers move laterally and deploy ransomware undetected. It uses obfuscated code and loads a malicious driver via a bring-your-own-vulnerable-driver method. Sophos researchers believe the tool was developed collaboratively with each gang using a unique build, reflecting a growing trend of shared tooling in ransomware operations. Public records reveal that Lowe's and Home Depot have quietly integrated AI-powered Flock license plate readers into their parking lots and shared access to this surveillance data with law enforcement.
Starting point is 00:08:38 According to an investigation by 404 Media, the Johnson County, Texas, Sheriff's Office has access to 173 Lowe's locations nationwide and multiple Home Depot sites within Texas, as well as gunshot detection tools at some stores. Flock says private businesses choose whom to share data with, but the records suggest extensive law enforcement partnerships. While Home Depot confirmed law enforcement collaborations, neither company addressed specifics. Critics, like the EFF, warn of risks to customer privacy, especially when surveillance
Starting point is 00:09:16 tech can be used without warrants or accountability. The report highlights a growing trend, private businesses feeding real-time surveillance data into public law enforcement networks, often without customers' knowledge. The U.S. Federal Judiciary has announced new cybersecurity measures after recent sophisticated cyber attacks compromised its case management system. The breach, first reported by Politico, may have exposed confidential court documents and identities of informants in multiple federal courts. The Administrative Office of the U.S. Courts is now working with courts to secure sensitive data and restrict access to sealed filings. While most documents are public by design, some contain protected or classified
Starting point is 00:10:05 information, making them prime targets for nation-state hackers and cybercriminals. The judiciary had previously pledged to isolate sensitive documents after a 2020 breach. Officials warn that the threat landscape is growing, with adversaries seeking to exploit legal systems for espionage, disruption, or extortion. The judiciary aims to restore trust through tighter digital safeguards. This week at Black Hat, CISA officials reaffirmed their commitment to the CVE program after an April contract dispute raised fears about its future. The CVE system, vital for tracking cybersecurity vulnerabilities, faced a brief funding scare that CISA now says was a contract issue, not a budget problem. Despite calls to shift CVE oversight to a nonprofit with global governance,
Starting point is 00:10:59 CISA plans to continue managing and improving the program. Officials emphasized its foundational role in cybersecurity and pledged enhancements like richer vulnerability data and expanded collaboration with international partners. CISA also discussed broader efforts, including AI threat response, cyber hygiene tools, and reducing exposed industrial systems online. So far, the agency has contacted 3,000 entities
Starting point is 00:11:28 to secure internet-exposed systems, achieving an 80% success rate and reducing risks. Yesterday, CISA issued 10 advisories warning of critical vulnerabilities in various industrial control systems, affecting sectors like energy, manufacturing, and transportation. The flaws include unauthenticated access, buffer overflows, path traversal, and improper certificate validation across platforms from Delta Electronics, Rockwell Automation, Mitsubishi Electric, and others. Some vulnerabilities score as high as 9.8 on CVSS. These advisories
Starting point is 00:12:09 emphasize the urgency for ICS operators to patch systems and reinforce security. Coming up after the break, my conversation with David Wiseman from BlackBerry discussing the challenges of secure communications and AI watermarking breaks under spectral pressure. Stay with us. New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work.
Starting point is 00:12:59 How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong. Join me, David Moulton, Senior Director of Thought Leadership for Unit 42 at Palo Alto Networks, and our guests who live this work every day. We're not just talking about some encryption and paying multimillion dollar ransom. We're talking about fundamentally being unable to operate. Automated eradication and containment.
Starting point is 00:13:27 So being able to very rapidly ID what's going on in an environment and contain that immediately. They're hiding in plain sight. So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your frontline for security insights. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified
Starting point is 00:14:09 platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com slash machines to see how. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
Starting point is 00:15:02 GRC can be so much easier. And it can strengthen your security posture while actually driving revenue. for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive
Starting point is 00:15:46 number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit Vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A-com slash cyber. David Wiseman is Vice President of Secure Communications at BlackBerry. I recently caught up with him for a discussion about the challenges and misconceptions about secure communications. Where we find ourselves today is that the number of risks that people are facing in real life to their communication security is higher than ever, and the pace of those risks in the sophistication is accelerating. And that's really driven by two things. One, the focused attacks on the telecommunication networks around the world by third parties, including governments, coupled with
Starting point is 00:17:07 the rise of AI for generating deep fakes and for targeting when to do identity and spoofing attacks. Well, let's dig into both of those. I mean, when you talk about the threats to the telecoms themselves, how does that trickle down to the users, the business users and us as individuals? Yeah, what was found out last year in the U.S., there was an attack called Salt Typhoon that was reportedly launched by the Chinese government, and what they did is they embedded malware into all of the U.S. telephone networks. And with that, they were able to have real-time visibility into who's calling whom, who's messaging whom, and even listening in to phone calls and reading text messages. And since then, it turns out those types of attacks are happening around
Starting point is 00:18:00 the world. So, you know, at this point, you have to assume that, you know, all of the telephone networks are compromised. And as a result, people are saying, I need to start protecting my communications by using things that are end-to-end encrypted. So we've seen a massive rise in consumer apps such as WhatsApp, such as Signal, these types of applications.
Starting point is 00:18:25 And while that does mitigate some of the risk, at least from this particular Salt Typhoon type of attack, it opens up a whole other set of risk, particularly for regulated industries and for governments. Well, I mean, let's go there. What are some of the risks that people need to be concerned with with some of these secure apps? Yeah, the first risk is around identity
Starting point is 00:18:48 and having confidence who you're communicating with. You know, there's been a lot of also in the U.S. press recently around the wrong persons added into a chat group, right? Sort of famously, yes. Yes, yes. So what drives that is these, at the end of the day, they're open registration systems. Anyone can sign up
Starting point is 00:19:08 and anyone can basically fake an identity. Since it's open, you have no true confidence in who you're communicating with. And sometimes it may just be mistakes. Other times, it could be specific malicious activity. Either one are possible because of the open registration, public registration nature of most of these consumer applications. The other thing that happens is since you can spoof identities, you can use AI deepfakes to start delivering very convincing messages.
Starting point is 00:19:45 So it's been in the press recently that senior government officials on these type of applications got voice messages from the Secretary of State. It sounded 100% like the Secretary of State. Now, fortunately, they called back and said, hey, did you really leave me this message? That just kind of shows how easy it is to, once you have access to a system, how easy it is to introduce fake information, do spoofing of attacks. And then it's even been identified that with these types of systems, the Russian intelligence has found a way to insert themselves into the middle silently as a secondary device and see all of the communications and listen in and no one even knows they're there. So while the first set of attacks was the public phone network itself, this next round of attacks has been, okay, now that we've got everybody on these platforms, let's take advantage of that. What about the encryption itself? I mean, if we say we're using an app like Signal, for example, just, you know, hypothetically, how much confidence should we have in that part of the chain? I think the encryption itself, there's not a problem with it. It's very high-quality encryption. At the end of the day, all of these systems, whether they're ones from BlackBerry, whether they're ones from Signal, or, and by the way,
Starting point is 00:21:12 WhatsApp uses the Signal encryption protocols as an example, they're all built on the same foundational algorithms. So the difference is, you know, have they been specifically certified? Do we know who's running the systems versus something a customer or a government controls? But that's operational. It's not the security of the actual encryption algorithms. It's really the environment they're used in, and then the whole identity topic is the real risk driver there. What about the metadata? Do folks get a false sense of security that the communications are secure, but then perhaps the metadata itself is accessible? Yeah, absolutely, and there's two aspects to that. One is visibility
Starting point is 00:22:03 of metadata. So there have been numerous reports. One of the most recent was last summer, AT&T said they'd lost a year's worth of call records for all of their users around the world. So that's a case where
Starting point is 00:22:19 retrospectively, they'd had the data somewhere, someone stole it. What happened with the Salt Typhoon is instead of that being retrospective, it became real-time. And so you didn't need to steal and then analyze it. You could get it as it happened, which means the efficacy of attacks can be much more effective.
Starting point is 00:22:40 When you start to think about the messaging applications themselves, you know, often that metadata is inside the encryption tunnels. So just a casual observer on the network doesn't have access to it. But the provider of the service has access to it. So if you read the Meta terms and conditions, they explicitly say, hey, we're not going to listen to your call, but we're going to mine all that metadata for business purposes. That means for selling ads. And that's why you get weird things like you're chatting with someone about some topic
Starting point is 00:23:13 and all of a sudden you get an Instagram ad. And they didn't need to know what you were chatting about, but they knew who you were talking to. They knew what that person's interested in. You might be interested also. And I suppose there's the potential for sharing with law enforcement as well, right? Well, absolutely, and that's the U.S. law, that these service providers, if they're asked, they have to share that data. So that's the one aspect, and that sharing of that data, that's the second part, right, is, you know, particularly for regulated industries, for governments, they need to keep records of communications for legal purposes.
Starting point is 00:23:48 And if you're using the consumer type system, you don't actually have those records yourself. So, you know, you've got to figure out how could I get them? and if you're talking about message content, what did you type, what documents that you share? They're not going to be able to give you that. So you need a system such as BlackBerry provides that gives the government or the organization the ability to have those records,
Starting point is 00:24:11 but have in a way that they have full control over it. So if there is a government request, if there is a subpoena, they have to come to you directly. They can't get your data from a telco. They can't get your data from Meta or whoever because they don't have it. And that's kind of the second part of, you know, if the risk, if you do use those systems, then that data is discoverable
Starting point is 00:24:35 versus if it's the system you have, it's only discoverable with your own knowledge and your own legal team authorizing release of the information. I see. So you're not worrying about I guess they refer to them as canaries, right? Where to know whether, to even know whether or not someone has requested the data, you want to have control over that. So what are your recommendations then? I mean, if I'm a security professional and I want to put the word out to my team members as to what the best practices are, where should we begin? Yeah, I think the first best practice is you need to segregate your personal and your
Starting point is 00:25:15 professional communications. And most people have done that. They have work emails. They have personal emails. But with messaging apps, a lot of times they just mix it all together. And that can lead to mistakes. It can lead to data leakages. So the first advice is separate those two.
Starting point is 00:25:32 They maybe use one for personal, one for professional. At least the data segregated. But then really, for your organization, you need to look at what's the sensitivity of what we're doing, how embarrassed are we going to be if this information's out on the Internet and public or what are the legal ramifications from privacy and such? And think about, does it make sense that we actually do our official communications in a system that's more sovereign and we have total control over versus a consumer-grade service?
Starting point is 00:26:04 So those are my core recommendations. And then I guess making sure that you're fulfilling whatever regulatory obligations you have as well. Well, yeah, and that's a part of understanding the risks that are involved. So, you know, if you're a financial institution, if you're a government agency, you need to keep records of all calls and messages. Well, to keep proper records, you have to have copy of the data. And that's another reason, by the way, why I say segregate your personal and your professional, because since people need a copy of the data, well, that copy should be in the professional
Starting point is 00:26:37 business communications, not your personal communications with your family. Right, right. Nobody needs to know what time you pick the kids up from camp. Right. That's David Wiseman, Vice President of Secure Communications at BlackBerry. No Frills delivers. Get groceries delivered to your door
Starting point is 00:27:08 from No Frills with PC Express. Shop online and get $15 in PC Optimum points on your first five orders. Shop now at nofrills.ca. And finally, AI-generated images have become so indistinguishable from the real thing that identifying them now rivals reading tea leaves only with less success. A Microsoft study pegged human accuracy at 62%, suggesting we may soon outsource image detection to darts and blindfolds.
Starting point is 00:27:44 In response, watermarking emerged as the industry's digital signature, a spectral seal, cleverly tucked where human eyes can't wander, until UnMarker, unveiled at the IEEE Symposium, which doesn't so much seek the watermark as quietly dismantle the scaffolding that holds it up. Developed by a Canadian Ph.D. student, it erases watermark signals across frequency space, elegantly, precisely, and with unnerving consistency. The very subtlety that makes spectral watermarking undetectable also makes it remarkably predictable to machines. Watermarking promised authenticity, UnMarker replies with a raised eyebrow. And that's The CyberWire.
Starting point is 00:28:50 For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Nicolás Chiaraviglio, chief scientist from Zimperium's zLabs. The research we're discussing is titled Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed. That's Research
Starting point is 00:29:12 Saturday. Check it out. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this month. There's a link in the show notes. Please take a moment and check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you.
