CyberWire Daily - Taxing times for cyber fraudsters.
Episode Date: July 14, 2025British and Romanian authorities make arrests in a major tax fraud scheme. The Interlock ransomware gang has a new RAT. A new vulnerability in Google Gemini for Workspace allows attackers to hide mali...cious instructions inside emails. Suspected Chinese hackers breach a major DC law firm. Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology. Nvidia warns against Rowhammer attacks across its product line. Louis Vuitton joins the list of breached UK retailers. Indian authorities dismantle a cyber fraud gang. CISA pumps the brakes on a critical vulnerability in American train systems. Our guest is Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, with insights on Scattered Spider. Hackers ransack Elmo’s World. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, discussing "Scattered Spider and Other Criminal Compromise of Outsourcing Providers Increases Victim Attacks." You can check out more from Halcyon here. Selected Reading Romanian police arrest 13 scammers targeting UK’s tax authority (The Record) Interlock Ransomware Unleashes New RAT in Widespread Campaign (Infosecurity Magazine) Google Gemini flaw hijacks email summaries for phishing (Bleeping Computer) Chinese hackers suspected in breach of powerful DC law firm (CNN Politics) Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment (Security Week) Nvidia warns of Rowhammer attacks on GPUs (The Register) Louis Vuitton UK Latest Retailer Hit by Data Breach (Infosecurity Magazine) Indian Police Raid Tech Support Scam Call Center (Infosecurity Magazine) Security vulnerability on U.S. trains that let anyone activate the brakes on the rear car was known for 13 years — operators refused to fix the issue until now (Tom's Hardware) End-of-Train and Head-of-Train Remote Linking Protocol (CISA) Hacker Makes Antisemitic Posts on Elmo’s X Account (The New York Times) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network powered by N2K.
Krogel is AI built for the enterprise SOC.
Fully private, schema free, and capable of running in sensitive air-gapped environments,
Krogel autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter.
Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows.
Krogel empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your sock
operate at scale with precision and control.
Learn more at Krogl.com.
That's C-R-O-G-L dot com. British and Romanian authorities make arrests in a major tax fraud scheme.
The interlock ransomware gang has a new rat.
A new vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions
inside emails.
Suspected Chinese hackers breach a major DC law firm.
Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology.
NVIDIA warns against row hammer attacks across its product line. Louis Vuitton joins the list of breached UK retailers.
Indian authorities dismantle a cyber fraud gang.
CISA pumps the brakes on a critical
vulnerability in American train systems. Our guest is Cynthia Kaiser, senior vice
president of Halcyon's Ransomware Research Center and former deputy
assistant director at the FBI's cyber division with insights on Scattered
Spider and hackers ransack Elmo's world. It's Monday July 14th, 2025.
I'm Dave Bittner and this is your CyberWire Intel briefing.
Thanks for joining us.
It is great to have you with us.
British and Romanian authorities have arrested 14 people linked to a major tax fraud scheme
that used stolen personal data to falsely
claim millions in UK tax refunds.
HM Revenue and Customs said the gang used phishing attacks to harvest taxpayer information,
then filed fake benefit claims.
Raids across Romania led to 13 arrests while one suspect was arrested in England.
Authorities seized luxury goods and cash during the bust.
HMRC previously reported £47 million was stolen in 2023 through similar fraud, though
£1.9 billion in attempted fraud was stopped.
HMRC emphasized it wasn't hacked, the data came from phishing or third-party breaches.
About 100,000 individuals were notified of suspicious activity, but no personal financial
losses were reported.
The Interlock Ransomware gang is deploying a new remote access trojan written in PHP
as part of a broad campaign active
since May, researchers from the DFIR report and Proofpoint revealed.
This marks a shift from Interlock's earlier JavaScript-based NodeSnakeRat.
The PHP version enables automated system reconnaissance via PowerShell, exfiltrates data as JSON, checks
user privileges, and establishes command and control through CloudFlare Tunnel with backup
IPs for resilience.
It supports file execution, persistence, shell access, RDP movement, and self-termination.
Initial access is gained using the FileFix social
engineering trick where users are duped into running PowerShell commands by
pasting malicious paths into File Explorer. Interlock, known for double
extortion, has previously targeted US and UK government agencies. A new prompt
injection vulnerability in Google Gemini for Workspace allows attackers to hide
malicious instructions inside emails, tricking the AI into generating phishing-style summaries.
Discovered by Mozilla researcher Marco Figueroa, the attack hides commands in white, zero-sized text using HTML and CSS.
These are invisible to users, but read by Gemini when generating a summary.
The result might include fake security alerts or phone numbers that appear trustworthy.
Because there are no links or attachments, these emails bypass many filters.
Despite prior reports and Google security updates,
this method remains effective. Google says it's implementing new defenses and has seen
no real-world abuse yet. Security experts recommend filters to detect hidden content
and flag Gemini summaries with urgent messages or contact info as suspicious.
Suspected Chinese hackers breached email accounts
at major DC law firm Wiley in an intelligence-gathering operation,
the firm told clients.
The attackers, possibly linked to the Chinese government,
accessed Microsoft 365 accounts belonging to attorneys and advisors, likely
targeting sensitive trade, tariff, and foreign investment information.
Wiley, known for advising Fortune 500 clients and the U.S.
government on trade with China, is investigating what data was
accessed and is working with law enforcement and Mandiant.
The hack comes amid escalating U.S.-China trade tensions and follows other suspected
Chinese intrusions into U.S. agencies.
The FBI, already probing multiple Beijing-linked cyber operations, warns China's hacking capabilities
surpass all other foreign powers.
Chinese officials deny involvement, calling accusations baseless without solid evidence.
Multiple firmware vulnerabilities in products from Taiwanese manufacturer Gigabyte Technologies
could let attackers bypass UEFI security and gain deep control over affected systems, researchers
warn. Found in System Management Mode, a privileged CPU mode used for hardware-level tasks, the
flaws stem from improper buffer validation in SMI handlers.
This allows arbitrary code execution before the OS loads.
The bugs enable writing to protected memory, modifying system management RAM, and tampering
with flash operations.
Attackers with admin access, local or remote, could exploit these to disable secure boot,
install persistent firmware backdoors, and bypass OS-level protections.
The issues, first seen in AMI firmware, have now been identified in
Gigabyte products. Gigabyte has acknowledged the flaws and issued
firmware updates. Users are advised to update promptly. Nvidia has warned users
to enable mitigations against row hammer attacks after researchers at the
University of Toronto successfully exploited
the issue on an A6000 GPU with GDDR6 memory and ECC disabled.
Row-hammer manipulates memory by repeatedly accessing memory rows, potentially causing
data corruption.
In a July 9 advisory, NVIDIA emphasized that ECC is enabled by default on its Hopper and
Blackwell data center products and recommended enabling ECC on various models across its
product lines, including Blackwell, ADA, Hopper, Amper, Jetson, Turing, and Volta.
Louis Vuitton, UK has suffered a data breach, notifying customers on July 2 that personal
information may have been exposed, including names, contact details, birth dates, and shopping
preferences.
While there's no evidence of misuse, the company warned customers to watch for phishing
or fraud attempts.
The breach follows similar incidents at LVMH's
Korean operations and other brands like Dior and Tiffany. Security experts suggest the
breaches may stem from shared vulnerabilities across LVMH's systems. The ICO has been
notified and investigations are ongoing.
Indian authorities have dismantled a cyber fraud gang accused of scamming victims in
the UK, US, and Australia through fake tech support calls.
The Central Bureau of Investigation raided the gang's call center after an 18-month
probe, dubbed Operation Chakra 5, coordinated with the UK's National Crime Agency, the
FBI and Microsoft. Victims were tricked by scareware pop-ups claiming their
computers were hacked, then coerced into paying for bogus repairs. Over 100 UK
victims lost at least 390,000 pounds. The scammers used spoof numbers and voiceover IP calls
to mask their identity.
The case highlights international collaboration
sparked by Microsoft's tip to the NCA in early 2024.
Two suspects, including the ringleader, were arrested.
The call center reportedly operated
under the name First Idea.
The call center reportedly operated under the name First Idea. A critical vulnerability in American train systems, first discovered in 2012, has only
recently gained official attention after CISA issued a public advisory.
Researcher Niels found that the wireless end-of-train system used since the 1980s lacks strong authentication,
allowing attackers with low-cost software-defined radios to send false brake commands.
Despite repeated warnings, the American Association of Railways dismissed the issue as theoretical.
The vulnerability remained unresolved due to AAR's refusal to permit testing and the
Federal Railroad Administration's lack of test facilities. AAR finally acknowledged the problem
after CISA's involvement, but remediation is slow, with full implementation not expected until 2027.
Experts say the situation highlights long-standing industry resistance to cybersecurity
warnings even when public safety is at risk.
Coming up after the break, my conversation with Cynthia Kaiser, Senior Vice President of Halcyon's Ransomware Research Center, with her insights on Scattered Spider and Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it piece of mind.
And it's not just for individuals.
Delete Me also offers solutions for businesses,
helping companies protect their employees'
personal information and reduce exposure
to social engineering and phishing threats.
And right now, our listeners get a special deal,
20% off your Delete Me plan.
Just go to joindeleteeme.com slash N2k and use promo code n2k at checkout.
That's joindeleteeme.com slash n2k code n2k.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Sempris created PurpleKnight, the free security assessment tool that scans
your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to
stay ahead of threats. Download it now at sempris.com slash purple-knight. That's sempris.com
slash purple-knight. Cynthia Kaiser is Senior Vice President of Halcyon's Ransomware Research Center and former
Deputy Assistant Director at the FBI's Cyber Division.
I caught up with her for insights on Scattered Spider.
They're really one of the most disruptive and aggressive cyber criminal groups active
today.
So we hear about them a lot because they typically go after big payments, which means they target
large companies.
And when large companies are disrupted, a lot more customers are impacted, like you,
me and many of the folks listening today. And what's really made them stand out
is their deep focus on social engineering
and the speed at which they can compromise victims.
Most ransomware groups take days to encrypt systems,
but in just hours,
Scattered Spider can get onto a network, steal data,
and in many cases, deploy ransomware.
Now the research that you all have published
about Scattered Spider, you mentioned
that they're targeting business process outsourcing companies.
Can you unpack that for us?
Why would that be a target?
Sure, and it's more like what's old is new again.
So back in 2023, Scattered Spider first compromised a third party services company.
You hear them called business process outsourcing providers, BPOs.
Then they used that compromise to then attack major casinos.
While in 2024, we saw the group use other tactics, their recent tactics appear to use
more of those old tricks.
So their recent attacks against retail and likely insurance were facilitated in part
by compromising these third-party surface companies, think call centers or any other
outsourcing processes that a company may want to do.
And what's interesting here is they're not just cyber intrusions.
Some of their activities include insider recruitment at these providers.
So identifying individual employees that may be in financial distress or otherwise vulnerable.
And then either paying or coercing these employees to give Scattered
Spider access to the provider.
From my old days at the FBI to my new days here at Halcyon, I know I probably shouldn't
find a lot shocking anymore, but when I really stop and think about it, it feels really crazy
that we're talking about this kind of insider recruitment aspect among all
the other technical aspects that we expect in a ransomware operation. Yeah, I mean to put a fine
point on that, your research mentions that they actually seek out employees who might be under
financial or social stress? Absolutely. They're going onto social media, trying to identify those employees, and they're
targeting these providers oftentimes that they believe may have less security or are
newer on the scene and maybe don't have some of the controls in place. And to be clear,
these are global outsourcing companies, not necessarily in the country where those attacks are happening like the
US or UK.
Now the research notes that Scattered Spider uses backup and file replication tools for
data theft.
Can you walk us through how they make use of those?
We see actually more often data theft in the cases of scattered spider intrusions than necessarily
ransomware all the time, but it's all extortion.
So scattered spiders going in, they're stealing data, they're stealing information from a
company.
And it's for really kind of two reasons.
One is for extortion.
Tell the company, hey, we have your data.
We're not going to give it back unless you do X or we're going to sell it.
But it's the sale of it also and the use of it that really helps facilitate Scattered
Spider's financing and their future operations.
Think about what it means to compromise an insurance provider.
Think about the information that's there, that's present with those providers,
whether that's personal data that you can use for identity theft or information
about the networks and systems that are used by companies that are supported by that insurer.
It's vast and it helps scattered spider try to identify
how they may want to target other entities in the future.
Can you give us some insights on how the group operates? Like what the
structure is of the group internally? Do we have any insights about that?
of the group internally. Do we have any insights about that? Yeah, it's decentralized, but also really tightly aligned group with really clear division
of roles and responsibilities. So you'll almost kind of like a business. You have some leaders
at the top. They're setting strategic direction. They're identifying where to go, what to do. But then you also have,
they also are having junior affiliates or newcomers,
and what they're trying to do is prove themselves.
So they might be deploying off the shelf tools,
testing detection thresholds, handling initial phishing,
really doing some more of the low level work
to say I can be a part of this group, I want to do more.
And then you have kind of a lot of different entities in between.
They may be seeking out and just recruiting people to do one part of their business,
they're outsourcing too, and trying to figure out the most effective way
to be able to do their really disruptive activities.
I think one of the hallmarks of this group is they're going from sector to sector.
You mentioned insurance and it seems as though perhaps they targeted aviation. Is there something we can take from that,
the fact that they're being deliberate?
Yes, so they oftentimes are focused on one sector
and that's a function of they've been able to get the access
to that sector maybe through a commonly shared
business process outsourcing provider.
But they also like to rotate sectors so that their attacks come as a surprise and they're
able to escape the heat that might come from either network defense or law enforcement.
So staying on a sector for just a period of time, compromising multiple entities and then
moving on helps them to be more efficient, but then also not dwell too long so that people
can take the necessary steps to counter this group that has shown itself to be pretty highly adaptive.
What are your recommendations then for organizations
to best defend themselves against this sort of adversary?
So I think that really depends about whether you're talking
about securing your systems for the future
or are worried scattered spider or similar groups
are targeting your industry right now.
So if your industry is currently being targeted,
monitoring for spoof domains, suspicious login flows,
or cloned authentication pages,
especially those mimicking help desk or HR communications
are gonna be critical, as is auditing access and activity from your
outsourcing or managed service providers, especially device monitoring, privilege access use,
and insider risk reporting. But to protect your organization from future targeting,
one of the hallmarks of Scatter Spider really has been their ability to get around
there really has been their ability to get around multi-factor authentication.
So eliminating voice and text-based multi-factor
authentication and disabling legacy authentication protocols
helps to prevent some of these types of attacks
in the future.
So instead of having that type of MFA,
you really wanna implement or enforce
phishing-resistant multifactor authentication.
So something like number matching or hardware tokens.
And across having that with internal users and also your third-party service accounts.
And then finally, identify whether you're using secure outsourcing providers.
So providers with strong security measures often have insider reporting systems, can debug
bounties to detect and report suspicious activities.
It is critical that providers also be willing to share logs and security incidents with
their clients.
If they aren't willing to share that information, it may mean they're not adequately monitoring
their systems. So really, you know, making sure that
you're using the strongest account controls possible
and limiting the access you provide to your networks
to only secure third-party providers.
We mentioned that we've seen
scattered spider target insurance and aviation.
Is there any sense for where they might be headed next?
I think that we believe they're likely to move towards manufacturing, food industry,
or even utility targets moving forward.
And remember, they rotate across these industries.
And so if you've been targeted in the past by these actors,
don't be surprised that you may be targeted again
in the near future.
That's Cynthia Kaiser, senior vice president
of the Ransomware Research Center at Halcyon.
We'll have a link to her team's research in the show notes.
You hear from us here at the CyberWire Daily every single day. Now we'd love to hear from
you. Your voice can help shape the future of N2K networks.
Tell us what matters most to you by completing our annual audience survey.
Your insights help us grow to better meet your needs.
There's a link to the survey in our show notes.
We're collecting your comments through August 31st.
Thanks.
We've all been there. You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to
hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs
helps you stand out and hire fast. Your post jumps to the top of search results
so the right candidates see it first. And it works. Sponsored jobs on Indeed get
45% more applications than non-sponsored ones. One of the things I love about
Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer. Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more
visibility at indeed.com slash cyberwire. Just go to indeed.com slash cyber wire right
now and support our show by saying you heard about indeed on this podcast. Indeed.com slash
cyber wire. Terms and conditions apply. Hiring indeed is all you need. Krogel is AI built for the enterprise SOC. Fully private, schema-free, and capable of
running in sensitive air-gapped environments, Krogel autonomously investigates thousands
of alerts weekly, correlating insights across your tools without data leaving your perimeter.
Designed for high availability across geographies, it delivers context-aware, auditable decisions
aligned to your workflows.
Krogl empowers analysts to act faster and focus on critical threats, replacing repetitive
triage with intelligent automation to help your SOC operate at scale with precision and
control. Learn more at scale with precision and control.
Learn more at Krogl.com.
That's C-R-O-G-L dot com.
And finally, it's hard to imagine something more jarring than seeing Elmo, the cheerful
red muppet who teaches kids about kindness, suddenly spewing racist and anti-Semitic hate.
But that's exactly what happened when his verified ex-account was hacked over the weekend.
For a brief but painful moment, the lovable Sesame Street icon
became an unwitting mouthpiece for vile, hateful rhetoric. The posts were quickly
taken down, and Sesame Workshop issued a statement expressing outrage and
confirming the breach. Sadly, this incident is just another symptom of a
broader crisis. Since Elon Musk took over X, the platform has become a breeding ground for hate speech.
Even Grok, X's own chatbot, was caught parroting anti-Semitic nonsense.
All of this is unfolding against a disturbing backdrop.
Anti-Semitic incidents in the US hit record highs in 2024, the digital and real-world threats are converging, and
not even Elmo is safe.
One can't help wonder why Elmo and the rest of the Sesame Street gang still maintain their
verified accounts on ex-Twitter.
At any rate, today's CyberWire was brought to you by the number 404, but not, I repeat, not by the
letter X. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of the summer.
There's a link in the show notes.
Please take a minute and check it out.
N2K's senior producer is Alice Carruth, our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltsman.
Our executive producer is Jennifer Iben, Peter Kilpe as our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow. Buying more tools won't make you more secure.
Continually training your people will.
In this episode, CloudRange co-founder and CEO Debbie Gordon shares how real-world simulations
are transforming readiness in 2025.
Because your last line of defense isn't software, it's your team.
Tune in now. Your stack depends on it.
Hi. Kim Jones here. On CISO Perspectives we get candid with the thinkers, doers, and
trailblazers shaping cybersecurity leadership. No scripts, no sales pitches.
Just real stories and hard-earned lessons from folks who've been there.
If you're looking to grow as a leader,
or just want to hear how others are navigating this ever-evolving field,
listen to CISO Perspectives.
It's your seat at the table.