CyberWire Daily - Scam operations disrupted across Asia.
Episode Date: June 12, 2025. Interpol’s Operation Secure dismantles a major cybercrime network, and Singapore takes down scam centers. GitLab patches multiple vulnerabilities in its DevSecOps platform. Researchers unveil a covert method for exfiltrating data using smartwatches. EchoLeak allows for data exfiltration from Microsoft Copilot. Journalists are confirmed targets of Paragon’s Graphite spyware. France calls for comments on tracking pixels. Fog ransomware operators deploy an unusual mix of tools. Skeleton Spider targets recruiters by posing as job seekers on LinkedIn and Indeed. Erie Insurance suffers ongoing outages following a cyberattack. Our N2K Lead Analyst Ethan Cook shares insights on Trump’s antitrust policies. DNS neglect leads to AI subdomain exploits. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today, we share a selection from today’s Caveat podcast where Dave Bittner and Ben Yelin are joined by N2K’s Lead Analyst, Ethan Cook, to take a Policy Deep Dive into “The art of the breakup: Trump’s antitrust surge.” You can listen to the full episode here and find new episodes of Caveat in your favorite podcast app each Thursday.
Selected Reading Interpol takes down 20,000 malicious IPs and domains (Cybernews) Singapore leads multinational operation to shutter scam centers tied to $225 million in thefts (The Record) GitLab patches high severity account takeover, missing auth issues (Bleeping Computer) SmartAttack uses smartwatches to steal data from air-gapped systems (Bleeping Computer) Critical vulnerability in Microsoft 365 Copilot AI called EchoLeak enabled data exfiltration (Beyond Machines) Researchers confirm two journalists were hacked with Paragon spyware (TechCrunch) Tracking pixels: CNIL launches public consultation on its draft recommendation (CNIL) Fog ransomware attack uses unusual mix of legitimate and open-source tools (Bleeping Computer) FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters (The Record) Erie Insurance confirms cyberattack behind business disruptions (Bleeping Computer) Why Was Nvidia Hosting Blogs About 'Brazilian Facesitting Fart Games'? (404 Media) Secure your public DNS presence from subdomain takeovers and dangling DNS exploits (Silent Push) Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire.
Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com/cyberwire. Terms and conditions apply.
Hiring? Indeed is all you need.
Interpol's Operation Secure dismantles a major cybercrime network, and Singapore takes down
scam centers.
GitLab patches multiple vulnerabilities in its DevSecOps platform.
Researchers unveil a covert method for exfiltrating data using smartwatches.
EchoLeak allows for data exfiltration from Microsoft Copilot.
Journalists are confirmed targets of Paragon's Graphite spyware.
France calls for comments on tracking pixels.
Fog ransomware operators deploy an unusual mix of tools.
Skeleton Spider targets recruiters by posing as job seekers on LinkedIn and Indeed.
Erie Insurance suffers ongoing outages following a cyberattack.
Our N2K lead analyst Ethan Cook shares insights
on Trump's antitrust policies,
and DNS neglect leads to AI subdomain exploits.
It's Thursday, June 12, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Interpol's Operation Secure, a joint effort by 26 countries across Asia and the South
Pacific, has dismantled a major cybercrime network.
The operation removed 20,000 malicious IP addresses and domains tied to infostealer
malware. Authorities seized 41 servers and over 100 gigabytes of data,
identifying 117 command and control servers used for phishing,
fraud, and stealing sensitive data,
like passwords and crypto-wallet information.
Hong Kong police played a key role in the analysis.
Over 216,000 individuals were alerted to potential risks.
The crackdown also led to 32 arrests, including suspects in Vietnam, Sri Lanka, and Nauru.
Interpol worked with cybersecurity firms like Group IB and Kaspersky to share intel, highlighting
the value of international collaboration in combating
global cyber threats.
Meanwhile, Singapore led a month-long multinational crackdown called Operation Frontier Plus,
targeting scam syndicates responsible for roughly $225 million in fraud.
Coordinating with police from Hong Kong, South Korea, Malaysia, the Maldives, Thailand, and
Macau, authorities investigated nearly 34,000 suspects tied to over 9,200 scams.
These ranged from fake investments to romance and job scams.
Over 1,800 arrests were made, 32,000 bank accounts frozen, and $20 million seized.
Singapore alone arrested 106 suspects linked to $30 million in fraud, recovering $8 million.
Charges include hacking and identity theft. The operation, which began in April, relied on rapid
cross-border collaboration to trace and freeze stolen funds.
Officials stress the growing sophistication of these scams and the need for a global response.
They say similar efforts are underway in the U.S., India, and Japan.
GitLab has issued urgent security updates to patch multiple vulnerabilities in its DevSecOps
platform.
The flaws include account takeover risks and the ability for attackers to inject malicious
jobs into CI/CD pipelines.
The fixes are included in GitLab updates.
Critical issues addressed include HTML injection, missing authorization, cross-site scripting,
and a denial-of-service flaw.
GitLab.com is already patched, and users of self-managed instances are urged to upgrade
immediately.
Researchers in Israel have unveiled SmartAttack, a covert method for exfiltrating data from air-gapped systems
via smartwatches.
The attack involves malware on a secure, isolated computer emitting ultrasonic signals via
built-in speakers.
These inaudible tones, modulated to carry data, are picked up by a smartwatch microphone
worn nearby. The watch then transmits the data via Wi-Fi, Bluetooth, or cellular networks.
Though challenging and theoretical,
the attack shows how insider threats can bypass physical isolation.
Experts recommend banning smartwatches and disabling speakers in sensitive areas to mitigate risk.
Microsoft has disclosed a critical vulnerability in
its 365 Copilot AI Assistant,
marking the first known zero-click attack on an AI agent.
Dubbed EchoLeak,
the flaw allowed attackers to exfiltrate
sensitive data by exploiting a new LLM scope violation.
Attackers send emails with hidden prompt injections disguised as business content.
When users later asked Copilot related questions, its RAG engine retrieved the malicious emails
as context.
The AI then embedded stolen data into links that triggered automatic requests to an attacker-controlled
server, bypassing content security policies.
No user clicks were needed, just a crafted email and irrelevant query.
Discovered by AIM Security in January of this year, Microsoft patched the issue in May with
server-side updates. There's no sign it was exploited in the wild,
and no action is needed by customers.
Citizen Lab has confirmed the first known infections by Paragon's Graphite Spyware,
targeting Italian journalist Ciro Pellegrino and an unnamed European journalist. Both were compromised through a zero-click
iMessage exploit allowing surveillance without user interaction. Paragon's
spyware linked to Italian intelligence agencies was reportedly active during
the hacks despite Italy's denials. The spyware scandal has widened with other
victims including journalists and migrant aid workers.
Pellegrino, unaware he was a target, criticized the lack of support from Italy's government.
A recent parliamentary report claimed no journalists were targeted,
but Citizen Lab's forensic evidence challenges that narrative.
Israel's Paragon ended its ties with Italy after the government refused to investigate.
Citizen Lab continues examining additional cases as the spyware's full reach and intent
remain unclear.
France's data watchdog CNIL has launched a public consultation on its draft recommendation
for regulating tracking
pixels in emails. These invisible 1x1 pixel images are used to monitor when emails are
opened, raising privacy concerns. The proposal aims to clarify consent requirements and ensure
compliance, especially as complaints about email tracking increase.
The draft applies to all organizations using email tracking and their service providers.
The consultation runs until July 24, and CNIL is also collecting input on the economic impact
of regulation.
Fog ransomware operators are deploying an unusual mix of tools, blending open-source
utilities with legitimate software to evade detection.
First observed in May 2024, the group initially used stolen VPN credentials, pass-the-hash
attacks, and exploited known flaws in Veeam and SonicWall systems.
In a recent attack on an Asian financial institution, Symantec uncovered a novel toolset that included
Syteca, an employee monitoring software used to capture credentials, and GC2, a rare
backdoor using Google Sheets or SharePoint for command and control.
Other tools included Stowaway for stealthy delivery, SMBExec and PsExec for lateral
movement, and Adaptix C2 for post-exploitation.
The attackers also used 7-Zip, MEGAsync and FreeFileSync for data exfiltration.
Symantec notes the atypical toolkit, especially Syteca and GC2, signals an evolving
strategy that challenges standard ransomware detection methods.
Cyber criminal group FIN6, also known as Skeleton Spider, is using a new tactic to infect recruiters
with malware by posing as job seekers on LinkedIn and Indeed.
According to DomainTools, the group sends convincing phishing emails with no clickable
links, requiring recipients to manually enter URLs leading to fake resume websites hosted
on trusted platforms like AWS. These sites use CAPTCHA and traffic filters to bypass security tools and deliver the
More_eggs backdoor, a malware-as-a-service tool used to steal credentials and enable ransomware
attacks.
FIN6, historically known for stealing payment card data from point-of-sale systems, is now
shifting toward broader enterprise threats. The use of professional messaging and cloud hosting
allows them to evade detection,
signaling a more sophisticated approach
to targeting organizations through social engineering.
Erie Insurance and Erie Indemnity Company
confirmed a cyber attack on June 7th,
causing ongoing outages and business disruptions.
Customers have been unable to access the portal, file claims, or receive documents.
The company activated its incident response plan and is working with law enforcement and
cybersecurity experts to investigate.
While the nature and impact of the attack are still unclear, Erie emphasized it won't
request payments
via email or phone during the outage.
There's no confirmation yet if ransomware or data theft is involved.
Coming up after the break, our N2K lead analyst Ethan Cook shares insights on Trump's antitrust
policies and DNS neglect leads to AI sub-domain exploits.
Stick around. Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites,
and they keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every day.
The DeleteMe team handles everything. It's the set it and forget it piece of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment.
If it's not approved, it doesn't run.
Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day.
See how ThreatLocker can help you lock down your environment at www.threatlocker.com
We are sharing a selection from today's Caveat podcast, where my co-host Ben Yelin and I
are joined by N2K's lead analyst, Ethan Cook.
We take a policy deep dive into the Trump administration's antitrust stance.
Let's just start off with some high level stuff.
I mean, when we're talking about antitrust
and the Trump administration,
what's the high level approach
that they seem to be taking here, Ethan?
I think the best way I can summarize it is aggressive,
specifically against big tech.
I would go as far to say
that this is probably the most aggressive administration regarding
antitrust policy in about two decades.
Biden's a close contender, but they certainly are pushing for some pretty aggressive policies.
Ben, I say this in a way surprises me.
I'm thinking back to President Trump's inauguration and who was standing by his side.
Yeah, the second row there was Bezos and Musk and Zuckerberg.
I think this is a really interesting surprise, at least from my perspective.
There were a lot of, as Ethan writes about, antitrust cases in progress, initiated by, in many cases, the Biden administration, FTC,
which was run by an antitrust hawk, Lina Khan.
And there were hints that some of Trump's people
were on board this antitrust agenda, including
JD Vance, the vice president, who
said that he admired a lot of Lina Khan's work.
But I certainly didn't think that they'd go at it
as strongly as they have, largely because Trump seemed
to have made peace with Big Tech and with Silicon Valley
prior to the election.
And a lot of his new base of support in 2024
that he didn't have in 2016 and 2020
was Silicon Valley types,
VCs, people who are in the industry, who
are very forward looking and were frustrated
by democratic economic policy, social and cultural policy.
And so this became a big part of his coalition.
You'd think that President Trump would come in,
and as a payback to getting
the votes of this community, he would be lighter on antitrust matters.
And it's just a really interesting surprise that his administration has been so tough,
particularly because a lot of the Trump presidency has been undoing the work of the previous
administration.
So I feel like we could have seen that here and we haven't.
They've continued to vigorously argue the case
in these two Google cases that we've talked about.
Now there's a Meta case that's coming up
and they have kept their foot on the gas pedal.
So it's definitely something that's noteworthy and surprising.
Ethan, what's the why here? I mean, why do we think antitrust has become such a focal
point of this administration's tech policy agenda?
Yeah, it's an interesting one. It's kind of a, it's a question that I've been grappling
with, especially considering how, you know, to Ben's point, during the campaign trail, it
appeared that Trump was not only willing to take their money, but was willing to give them
access. And then to turn around and kind of slap in the face and say, yeah, thank you for all your
support. I'm now going to break up all your companies was kind of shocking to me. I think
part of it when I try and think back is, you know, to Ben's point, some of these cases were
started by the Biden administration, but some of these cases date back to Trump's
first administration where at the end in 2020, he was launching some of these cases and it
felt like, you know, there was that rift between him and social media companies, him and big
tech companies.
So I think some of this is that inherent gap that has been there for years now, and he's
just kind of playing that through.
And I think part of the other side is, and I didn't write about this, but maybe a little
speculation on my behalf, but Trump is more aligned with more traditional big tech or
big media companies.
If he reinstituted net neutrality or net neutrality died, which net neutrality is something that
these big tech companies were pretty much in favor of and companies that provide internet
were not in favor of.
And the killing of net neutrality was something that I thought was a, and Trump's reiterated
attempts to kill net neutrality was something that kind of aligned to me saying,
okay, maybe he's more in line with these traditional companies
that we consider like Verizon, AT&T, whatever, maybe for
internet providers than compared to a Google or a Meta.
It's an interesting theory, but then like, why is the second
row at his inauguration the heads of all these companies?
Yeah, I don't it's weird to me because it's this dynamic where, obviously, there was a
huge political stunt and got the media talking for days that they were there. But at the
same time, there appears to be no love lost between the two of them. I mean, outside of
these lawsuits, I mean, you know, Trump and Elon's relationship has pretty much fallen apart.
And I mean, I don't think anyone was particularly shocked by that.
But I kind of saw that one coming a little bit.
But I think maybe there, you know, one thing that there he's, you know, he's going to go
after these cases, but maybe relax on the merger and acquisition front.
I don't know. It's kind of a dynamic where I'm kind of,
it's a head scratcher.
Could it be as simple as loyalty flows in one direction
when it comes to Donald Trump?
I mean, he expects these tech companies to bend their knees
and make their contributions,
but that does not in any way guarantee that he's obligated to
anything.
I mean, that's been the pattern of his presidencies and really going back to his career in business
is that he expects loyalty from others, but like, and everybody kind of sidles up to him
thinking that they can buy his loyalty with their political support or with money.
But he does not always
fulfill those promises, which is why he's had falling outs with people like Elon
Musk. And just going back through his political career and business career,
people who've tried to cozy up to him to get what they want frequently don't end
up getting what they want, even if they've spent a decade cozying up to him.
So I always think of Lindsey Graham, who I think
made the senator from South Carolina, who's
a big traditional pro-defense Republican,
was very anti-Trump during the 2016 campaign,
kind of famously wrote a tweet saying, if we nominate this guy,
we're going to get killed, and we deserve to.
Of course, he won the election.
And I think Lindsey Graham made a calculated decision
at that point to say, let me get on this guy's good side,
and maybe I can help shape his foreign policy
to be more a traditional Republican interventionist
foreign policy.
Maybe I can make him more of a defense hawk.
And he's kept up the praise and the cozying up to Trump, their golf buddies.
And maybe on some matters, he's gotten his way on foreign policy, but on things like Ukraine and Russia, and certainly on Iran, he has not. So I think there is that kind of pattern here of
people think that he doesn't have fixed
political beliefs and they take from that that he's malleable and that if you flatter
him you might get what you want.
And I think he loves that people think that because people come to him and they flatter
him.
But it's just I think it doesn't always end up accruing to the benefit of the flatterers, if that
makes sense.
Yeah.
I think, Ethan, you sort of alluded to an interesting point here, which is, and I guess,
Ben, chime in on this.
I can't help thinking how many things loop back to the 2020 election, right?
And so President Trump's animosity
towards these big companies, as Ethan alluded to,
you can trace back to what Trump and his allies
consider misinformation,
mainly that President Trump lost the 2020 election, right? The refusal
to acknowledge that. How much of this keeps looping back to that?
Yeah, and I think this is this interesting dynamic where it, because I don't even think
it was just the loss. I think it was throughout the four years under Biden, them continuing to go after this misinformation and, you know, follow Biden's statement, even
though Biden was actively pursuing these lawsuits, all of them in the meanwhile using as a, you
know, convenient, hey, these were already started for me, might as well see it through.
And I think to an extent, this feels a little bit like a targeted
you went after me and my claims for four years. I am, you know, thank you for helping me get elected.
I am now going to pay it back. Our thanks to Ethan Cook for joining Ben and me on Caveat. We hope
you'll check out the entire episode of Caveat. You can find that right here on the N2K CyberWire network or wherever you get your favorite
podcasts.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and
compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have. According to a recent analysis from IDC,
teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your
GRC game.
Vanta.
GRC.
How much easier trust can be.
Get started at vanta.com/cyber.
And finally, our It's Always DNS desk takes us on a scenic stroll through the internet's
lesser-maintained cul-de-sacs, where technical debt and laziness collide in a wonderfully
absurd mess.
First, 404 Media visits the Wow Lazy Empire, a junkyard of AI-generated nonsense squatting
on once-pristine subdomains from the likes of NPR, Stanford, and NVIDIA.
Thanks to poor subdomain hygiene, spammers found abandoned plots and moved in, posting
content like gay furry porn.
These AI-sploited subdomains don't just confuse search engines, they make your brand look
like it's moonlighting as a bizarre fanfic site.
Much of this is the result of the elegant disaster of dangling DNS records.
This is when you point a subdomain to a service and later stop using that service, but forget
to delete the DNS pointer.
You've left the digital backdoor wide open.
Hackers can swoop in, claim that service, and hijack your subdomain to host phishing
sites, malware, or more furry content.
Not that there's anything inherently wrong with furry content.
The fix?
Scrub your DNS like it's a crime scene.
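One way to do that scrubbing, as an added example that is not from the episode or from the 404 Media and Silent Push pieces it cites: audit a zone for CNAMEs whose target no longer resolves (the dangling pointer described above) and for A records pointing at addresses outside the ranges you still own. The zone, the resolver answers and the owned ranges are constructed sample data; in production you would pass a real resolver callback in place of the fake one.

```python
"""Dangling-DNS audit (added example, not the podcast's or any vendor's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "old-app.example.org."
    rtype: str   # "CNAME" or "A"
    target: str  # CNAME target hostname, or an IPv4 address for A records


# A resolver maps a hostname to the IPv4 addresses it answers with;
# an empty list means NXDOMAIN / no data, i.e. nobody is answering there.
Resolver = Callable[[str], List[str]]


def audit_zone(records: Iterable[Record], resolve: Resolver,
               owned_cidrs: Iterable[str]) -> Dict[str, str]:
    """Classify every record as 'ok', 'dangling' or 'orphaned'.

    dangling: a CNAME whose target no longer resolves. If that target lives in
              a namespace a third party can register (a retired hosting app, a
              deleted bucket), someone else can claim it and publish under your
              subdomain.
    orphaned: an A record pointing at an address you no longer control.
    """
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]
    verdicts: Dict[str, str] = {}
    for rec in records:
        if rec.rtype == "CNAME":
            verdicts[rec.name] = "ok" if resolve(rec.target) else "dangling"
        elif rec.rtype == "A":
            addr = ipaddress.ip_address(rec.target)
            verdicts[rec.name] = "ok" if any(addr in n for n in owned) else "orphaned"
    return verdicts


def findings(verdicts: Dict[str, str]) -> List[str]:
    """Names that need a DNS clean-up, sorted for stable reporting."""
    return sorted(n for n, v in verdicts.items() if v != "ok")


# Constructed sample zone (documentation ranges and .example names only).
CONSTRUCTED_ZONE = [
    Record("www.example.org.", "A", "203.0.113.10"),
    Record("docs.example.org.", "CNAME", "docs-live.hosting-provider.example."),
    Record("old-app.example.org.", "CNAME", "retired-app.hosting-provider.example."),
    Record("legacy.example.org.", "A", "198.51.100.77"),
]
# Constructed resolver answers: only the live docs host still resolves.
CONSTRUCTED_ANSWERS = {"docs-live.hosting-provider.example.": ["192.0.2.50"]}
OWNED_RANGES = ["203.0.113.0/24"]  # constructed: the only block we still hold


def fake_resolver(host: str) -> List[str]:
    """Stand-in for a real DNS lookup so the example runs offline."""
    return CONSTRUCTED_ANSWERS.get(host, [])


if __name__ == "__main__":
    verdicts = audit_zone(CONSTRUCTED_ZONE, fake_resolver, OWNED_RANGES)
    for name in findings(verdicts):
        print(f"{verdicts[name]:9} {name}")
```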
["Cyberwire Theme Song"]
And that's the Cyberwire. We'd love to hear from you.
We're conducting our annual survey to learn more about our listeners.
We're collecting your insights through the end of summer.
There's a link in the show notes.
Please do check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltsman.
Our executive producer is Jennifer Ivan, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com/cyberwire
and see what attackers already know. That's spycloud.com/cyberwire.