CyberWire Daily - The bug that let anyone in.
Episode Date: July 3, 2025
Sudo patch your Linux systems. Cisco has removed a critical backdoor account that gave remote attackers root privileges. The Hunters International ransomware group rebrands and closes up shop. The Centers for Medicare and Medicaid Services (CMS) notifies 103,000 people that their personal data was compromised. NimDoor is a sophisticated North Korean cyber campaign targeting macOS. Researchers uncover a massive phishing campaign using thousands of fake retail websites. The FBI’s top cyber official says Salt Typhoon is largely contained. Microsoft tells customers to ignore Windows Firewall error warnings. A California jury orders Google to pay $314 million for collecting Android user data without consent. Ben Yelin shares insights from this year’s Supreme Court session. Ransomware negotiations with a side of side hustle.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today our guest is Ben Yelin from UMD CHHS, who is sharing a wrap-up of this year’s Supreme Court session. If you want to hear more from Ben, head on over to the Caveat podcast, where he is co-host with Dave as they discuss all things law and privacy.
Selected Reading
Linux Users Urged to Patch Critical Sudo CVE (Infosecurity Magazine)
Cisco warns that Unified CM has hardcoded root SSH credentials (Bleeping Computer)
Hunters International ransomware shuts down after World Leaks rebrand (Bleeping Computer)
Feds Notify 103,000 Medicare Beneficiaries of Scam, Breach (Data Breach Today)
N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates (Hackread)
China-linked hackers spoof big-name brand websites to steal shoppers' payment info (The Record)
Top FBI cyber official: Salt Typhoon ‘largely contained’ in telecom networks (CyberScoop)
Microsoft asks users to ignore Windows Firewall config errors (Bleeping Computer)
California jury orders Google to pay $314 million over data transfers from Android phones (The Record)
US Probes Whether Negotiator Took Slice of Hacker Payments (Bloomberg)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Risk and compliance shouldn't slow your business down.
HyperProof helps you automate controls, integrate real-time risk workflows, and build a centralized
system of trust so your teams can focus on
growth, not spreadsheets. From faster audits to stronger stakeholder confidence,
HyperProof gives you the business advantage of smarter compliance. Visit
www.hyperproof.io to see how leading teams are transforming their GRC
programs.
Patch your Linux systems? No, seriously, sudo patch your Linux systems.
Cisco has removed a critical backdoor account
that gave remote attackers root privileges.
The Hunters International ransomware group rebrands and closes up shop.
The Centers for Medicare and Medicaid Services notifies over 100,000 people that their personal
data was compromised.
NimDoor is a sophisticated North Korean cyber campaign targeting macOS.
Researchers uncover a massive phishing campaign using thousands of fake retail websites.
A California jury orders Google to pay $314 million for collecting Android user data without consent.
Ben Yelin shares insights from this year's Supreme Court session and ransomware negotiations
with a side of side hustle.
It's Thursday, July 3rd, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Security researchers have found two serious elevation of privileges vulnerabilities in
sudo, the critical Linux utility installed on nearly all servers and workstations.
The first flaw affects multiple versions.
It lets local users gain full root access by abusing the chroot function even without
specific sudo rules.
The bug was introduced in June 2023 and impacts multiple systems like Ubuntu and Fedora.
Users are urged to upgrade immediately.
Second flaw is an elevation of privilege bug that remained hidden for 12 years.
It affects multiple stable versions and legacy versions, allowing privilege escalation in
configurations using host or host-alias directives common in enterprises.
Though low in severity, it still poses a risk.
Stratascale warns these vulnerabilities highlight operational gaps,
urging businesses to audit environments, strengthen detection,
and patch systems to avoid hidden threats undermining trust and compliance.
Cisco has removed a critical backdoor account from its unified communications manager that
allowed unauthenticated remote attackers to log in with root privileges.
The flaw results from static root credentials left over from development and testing.
There are no workarounds.
Admins must upgrade or apply patches.
Successful exploitation lets attackers execute commands as root.
While Cisco has seen no active attacks yet, it released indicators of compromise to help
detect breaches.
This was the latest in a series of backdoor removals from Cisco products, including previous
issues in IOS XE, DNA Center, WAS, and Smart Licensing Utility, highlighting
ongoing risks from hard-coded credentials in enterprise infrastructure.
The Hunters International Ransomware Group has shut down its operations and is offering
free decryptors to help victims recover data without paying ransoms.
In a dark web statement, the gang cited recent developments for its closure, likely referencing
increased law enforcement scrutiny and declining profits.
Hunters International emerged in late 2023 and was suspected to be a rebrand of Hive
due to code similarities.
It targeted nearly 300 organizations worldwide, including the U.S.
Marshals Service, Hoya, Tata Technologies, Auto Canada, Austral USA, Integris Health,
and Fred Hutch Cancer Center.
While it previously combined encryption with extortion, the group recently launched World Leaks, an
extortion-only operation.
Victims can request decryption tools and recovery guidance via the gang's website.
Threat analysts warn this shutdown does not end its threat actor's activities, as affiliates
may migrate to other ransomware or data extortion groups.
The Centers for Medicare and Medicaid Services, CMS, is notifying 103,000 people that their
personal data was compromised after fraudsters created fake Medicare.gov accounts using valid
beneficiary information between 2023 and 2025.
The scheme came to light in May when beneficiaries reported account creation letters they didn't
initiate.
Attackers used stolen data, including Medicare beneficiary identifiers, dates of birth, and
zip codes from unknown external sources to create accounts and potentially access additional information
like provider details, diagnoses, and premium data.
CMS deactivated affected accounts, replaced Medicare cards for victims, and blocked new
account creation from foreign IP addresses.
While no misuse has been reported yet, CMS continues to investigate.
The incident follows broader warnings about rising healthcare scams exploiting people's
fear of losing access to care, as cybercriminals increasingly target government healthcare
programs for profit.
SentinelLabs has uncovered a sophisticated North Korean cyber campaign targeting Web3
and cryptocurrency firms using new macOS malware called NimDoor.
Revealed on July 2, the report details multi-stage attacks leveraging social engineering, fake
Zoom updates, and the rare Nim programming language to evade detection. Hackers pose as trusted contacts on Telegram,
sending malicious Zoom SDK scripts
heavily disguised to install additional tools.
Once inside, they deploy a C++ injector
to steal keychain passwords, browser data,
and Telegram chats,
and install NimDoor for long-term access.
The malware uses encrypted WebSocket communications and techniques to stay active even after a
shutdown.
SentinelLabs warns that North Korea's adoption of cross-platform languages like Nim plus
clever AppleScript use makes detection harder.
The report urges companies to strengthen defenses
against these evolving persistent threats
targeting the crypto and Web3 sector.
Researchers uncovered a massive phishing campaign
using thousands of fake retail websites,
impersonating brands like Apple, PayPal, Nordstrom,
and Hermes to steal credit card data.
First flagged in Mexico, the campaign, according to security firm Silent Push, targets English- and Spanish-speaking users globally.
Some sites convincingly mimic retail stores with scraped listings and Google Pay widgets,
while others are poorly built.
Technical indicators suggest Chinese cybercriminals are behind it.
Many sites remain active despite takedowns, highlighting the persistent threat of retail-themed
phishing scams.
In an interview with Tim Starks from CyberScoop, Brett Leatherman, the FBI's new top cyber
official, said Chinese hackers behind the telecommunications breach
known as Salt Typhoon are currently largely contained and dormant within networks but
still pose a threat.
Although Salt Typhoon is known for espionage, Leatherman warned their access could pivot
to destructive actions similar to Volt Typhoon, which is pre-positioned in U.S. critical infrastructure.
Nine U.S. telecom companies were impacted, with more victims identified abroad due to information sharing.
Leatherman emphasized continued focus on victim support, resilience, and deterrence,
though offensive operations require further attribution.
Evicting Salt Typhoon remains challenging
due to their entrenched foothold.
He also flagged North Korean IT scams
as a growing insider risk that could evolve
into intellectual property theft or brokering access
for broader cyber operations.
Microsoft has told customers to ignore
Windows firewall error warnings labeled Event 2042,
appearing after the June 2025 preview update on some Windows 11 systems.
These config-read-failed errors result from a new, unfinished feature and do not affect
firewall functionality or system processes.
Microsoft said no action is required and they're working on a fix.
The errors appear in event viewer logs but can be safely disregarded, according to the
company's Windows Release Health dashboard this week.
A California jury has ordered Google to pay $314 million for collecting Android user data
over cellular networks without consent in a class-action lawsuit dating back to 2019.
Plaintiffs argued Google's passive data transfers used users' paid cellular data for its own
benefit, including targeted ads, and continued even after apps were closed.
The lawsuit said these transfers occurred silently even while devices sat idle overnight
and couldn't be fully disabled.
Google argued the data transfers are minimal and essential for security and device performance,
stating users consented through settings and terms of use. A spokesperson said Google will appeal,
calling the ruling a setback for users.
Coming up after the break, Ben Yelin shares insights
from this year's Supreme Court session
and ransomware negotiations with a side of side hustle.
Stick around.
Did you know Active Directory is targeted in nine out of ten cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that
scans your Active Directory
for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight
to stay ahead of threats.
Download it now at semperis.com slash purple dash knight.
That's semperis.com slash purple dash knight.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches,
malware and phishing to neutralize identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash CyberWire.
And joining me once again is Ben Yelin.
He is from the University of Maryland's Center for Health
and Homeland Security. Ben, it's always great to have you back.
Good to be with you, Dave.
We just finished up our Supreme Court term here for the year.
And there's some cases here that caught your eye that are worth
sharing with our audience here. What do you got?
There are really two cases that caught my eye.
One applies very generally, and that means it does apply to a lot of the topics
you cover on the Daily podcast and over on Caveat.
And one, I think is more specific to the world of cyber, world of data privacy.
So we'll talk about the general one first.
This is a case that has to do with what are called universal injunctions.
So it's the ability of individual federal district court judges to issue holdings that
don't only apply to the parties in that case, whether that
party is an individual plaintiff or something like a state, but applies across the country.
So this has been a phenomenon going back 20, 25 years. We've had a lot of these so-called
universal injunctions. This case was about one or a few of them actually relating to
a Trump administration executive order on birthright citizenship.
So that executive order narrowed the definition
of birthright citizenship in the United States.
Some individual plaintiffs, as well as states,
brought litigation saying that this new policy violates
the 14th Amendment, which says that anybody born
in the United States and subject to the jurisdiction
in the United States is a citizen of the United States.
And those parties obtained universal injunctions.
So court said not only am I ruling out or forbidding enforcement of this policy against
the plaintiffs in this case, but I am prohibiting the enforcement of this policy across the
entire country.
Okay.
And in the 6-3 decision, the Supreme Court said that is no longer acceptable.
It is not within the traditions of our judicial system.
It's not well grounded in the Constitution or in the Judiciary Act of 1789, which governs
a lot of how our judicial branch works. So what that means in practice is,
even if you as a plaintiff think that an executive action,
whether it's a bill that's signed
or whether it's an executive order,
if you think that's blatantly unconstitutional,
you're gonna have to go court by court across the country
with a class of plaintiffs that meet standing requirements
to get specific injunctions that apply to a bunch of plaintiffs.
You're no longer going to have this out where you just have to find one plaintiff in one
district and you can get the entire policy struck down across the country.
So now the one way you would get that type of universal applicability would be to do a class
action lawsuit and you'd have to establish a really large class and that's a very difficult
cumbersome process.
So it's going to be much harder to obtain universal nationwide relief, judicial relief
from some of these policies.
And I think that could have wide reaching implications
in all spheres of the law.
So that's-
So for example, for our cyber concerns,
you could see if someone brought a case
where they thought there was some unconstitutional
privacy concern, for example,
it would not be allowed to be paused nationwide.
Exactly.
So let's say you had a bunch of plaintiffs
in the state of Maryland where we are.
They could sue in a federal district court in Maryland.
Whatever decision that court came up with,
if they issued an injunction against enforcement
of that policy, that injunction could only
apply to that class of plaintiffs
in the state of Maryland.
It can only apply to the litigants in this case. Now, incidentally, if it applies to the
plaintiffs in Maryland, then it will probably end up applying to almost
everybody in Maryland. Like if it's some type of privacy policy, it will
apply to everybody within that jurisdiction. But it wouldn't apply to
people across the country
that are subject to the jurisdiction of other federal
district courts.
So that's just a tool that's now out of the toolbox.
You can't obtain these nationwide injunctions.
We've seen a lot of them not only
during the Trump administration, but also the Biden
administration on the other side.
A lot of people in the conservative legal community
were going to a single district court judge in Texas
during the Biden administration
to try to obtain these universal injunctions
against policies they didn't agree with
and they were successful.
Yeah.
And that's no longer a tool
that's gonna be available to them
next time we have a Democratic president.
Interesting.
All right, well, the next one
is a little more directly related.
Yeah, so this one comes from the state of Texas.
This is a case called Free Speech Coalition Incorporated v.
Paxton, who is the attorney general of Texas.
So Texas passed a statute requiring age verification
for accessing pornographic websites.
The rationale, of course, being that they don't want children to access this type of pornographic
material, which is self-explanatory, seems very reasonable.
Free Speech Coalition is a group of free speech advocates.
They were joined by representatives of many of these pornographic websites in suing the
state of Texas saying that this is a violation of adults' First Amendment rights.
So the thinking is, even though this policy is designed
to prevent children from accessing these websites,
it will have an impact on adults
who have First Amendment associational rights
to view this type of pornographic material
by having required age verification.
It might burden adults' ability to view this material.
So the Supreme Court, in this case,
another 6-3 decision along ideological lines,
upheld the constitutionality of this Texas law.
A big question was what level of scrutiny
would apply to the statute.
Generally, when you have a restriction on speech
based on its content,
courts will apply what's called strict scrutiny,
which is the highest level of scrutiny,
which in normal parlance just means
you better have a darn good reason to do what you're doing.
Right.
And the dissent was adamant in saying
that strict scrutiny should apply here.
And even though Texas does have a compelling interest in preventing children from accessing
pornographic material, they are not using the least restrictive means of achieving that
objective.
There are other ways that you could stop children from accessing these websites without having
what they consider to be burdensome procedures
for age verification, which might include things like submitting personally identifiable
information that then go on the internet, that are sold on the dark web potentially.
Right, right.
You have leaks and things.
Exactly.
The majority opinion said that strict scrutiny should not apply. That in cases where there is no facial prohibition on adults
accessing these websites, it's only an incidental burden.
And really, the policy is intended
to keep children from accessing this website.
Then only intermediate scrutiny, which
is kind of the middle level of scrutiny, should apply.
And as long as the government has an important interest here,
which Texas does, and the means
of achieving that interest is substantially related to that interest, then the law is
constitutionally permissible.
And what the Supreme Court is saying here is Texas made a reasonable judgment that the
best way to achieve the objective of keeping kids away from pornographic material is to have age verification procedures, and that that is constitutionally acceptable.
They don't have to find the least restrictive means of achieving that
objective as long as they're using means that are pretty closely related to
achieving those legislative ends. So as a result, I think we're going to see a lot more laws across the country
with age verification requirements for pornographic websites.
Now, the Supreme Court has said that requiring people to submit proof of age
beyond just, hey, click this box if you're 18, but let's see you upload a government-issued ID.
Or there are some other procedures that send people
to third party sites where they have to upload their ID.
That type of requirement is now deemed constitutional
according to our Supreme Court.
So I think that's gonna impact regulations on access
to these websites in a whole bunch of different states.
Yeah, interesting.
All right, well, Ben Yelin is from the University of Maryland's
Center for Health and Homeland Security.
Ben, thank you for joining us and explaining it.
Always good to be with you, Dave.
And finally, our ransom shenanigans desk tells us that Digital Mint, a company that negotiates
with ransomware hackers on behalf of victims, is now investigating one of its own.
The former employee allegedly struck side deals with hackers to pocket some extra crypto,
because apparently salary negotiations weren't enough excitement.
Digital Mint swiftly fired the employee who remains unnamed and is cooperating with the Justice Department's probe.
CEO Jonathan Solomon assured clients they acted swiftly while President Mark Grenz touted
transparency as Digital Mint's cultural backbone.
Meanwhile, cybersecurity experts dryly note that ransomware negotiators aren't exactly
incentivized to lower demands if their profits scale with payment size.
As ever, analysts caution that paying ransoms only emboldens attackers.
In short, even ransomware negotiators may need their own negotiators,
preferably ones without side hustles.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A programming note that we will not be publishing tomorrow, July 4th, in observance of Independence
Day here in the U.S.
We plan to share some programming from across the N2K Cyberwire network for you to enjoy.
Have a safe holiday.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through August 31st. There's a link in the show notes. Please do check it out.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Elliot Peltsman and Trey Hester
with original music by Elliot Peltsman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for
businesses, helping companies protect their employees' personal information and reduce
exposure to social engineering and phishing threats. And right now, our listeners get a
special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.