CyberWire Daily - The nightmare you can’t ignore.
Episode Date: March 25, 2025
Critical Remote Code Execution vulnerabilities affect Kubernetes controllers. Senior Trump administration officials allegedly use unsecured platforms for national security discussions. Even experts like Troy Hunt get phished. Google acknowledges user data loss but doesn't explain it. Chinese hackers spent four years inside an Asian telecom firm. SnakeKeylogger is a stealthy, multi-stage credential-stealing malware. A cybercrime crackdown results in over 300 arrests across seven African countries. Ben Yelin, Caveat co-host and Program Director, Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, joins to discuss the Signal national security leak. Pew Research Center figures out how its online polling got slightly forked.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
We are joined by Ben Yelin, Caveat co-host and Program Director, Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, on the Signal national security leak.
Selected Reading
IngressNightmare: critical Kubernetes vulnerabilities in ingress NGINX controller (Beyond Machines)
Remote Code Execution Vulnerabilities in Ingress NGINX (Wiz)
Ingress-nginx CVE-2025-1974: What You Need to Know (Kubernetes)
Trump administration is reviewing how its national security team sent military plans to a magazine editor (NBC News)
The Trump Administration Accidentally Texted Me Its War Plans (The Atlantic)
How Russian Hackers Are Exploiting Signal 'Linked Devices' Feature for Real-Time Spying (SecurityWeek)
Troy Hunt: A Sneaky Phish Just Grabbed my Mailchimp Mailing List (Troy Hunt)
'Technical issue' at Google deletes some customer data (The Register)
Chinese hackers spent four years inside Asian telco's networks (The Record)
Multistage Info Stealer SnakeKeylogger Attacking Individuals and Businesses to Steal Logins (Cyber Security News)
Over 300 arrested in international crackdown on cyber scams (The Record)
How a glitch in an online survey replaced the word 'yes' with 'forks' (Pew Research)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a brief message from our sponsor, DropZone AI.
Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours or even days? The latest SANS SOC Survey Report reveals alert fatigue and limited automation are SOC teams' greatest barriers. DropZone AI, recognized by Gartner as a Cool Vendor, directly addresses these challenges through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching context and enabling analysts to prioritize real incidents faster. Take control of your alerts and investigations with DropZone AI.

Critical remote code execution vulnerabilities affect Kubernetes controllers. Senior Trump administration officials allegedly used unsecured platforms for national security discussions. Even experts like Troy Hunt get phished. Google acknowledges user data loss but doesn't explain it. Chinese hackers spent four years inside an Asian telecom firm. Snake Keylogger is a stealthy multi-stage credential-stealing malware. A cybercrime crackdown results in over 300 arrests across seven African countries. And the Pew Research Center figures out how its online polling got slightly forked.

It's Tuesday, March 25th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us.
Wiz Research discovered four critical remote code execution vulnerabilities, dubbed IngressNightmare, in the Ingress NGINX controller for Kubernetes. These flaws allow unauthenticated attackers to inject malicious NGINX configurations, leading to full cluster takeover and unauthorized access to all secrets across namespaces. The attack targets the admission controller, which lacks authentication and is often exposed to the public Internet. With a CVSS score of 9.8, this issue affects at least 6,500 clusters, including Fortune 500 environments. Exploits use NGINX features like SSL engine to load malicious libraries. Mitigation includes patching to the latest versions, disabling or securing the admission controller, and applying strict network policies. The research also highlights systemic security weaknesses in Kubernetes admission controllers and calls for better hardening practices.
A major national and cybersecurity concern surfaced after the Atlantic's editor-in-chief, Jeffrey Goldberg, was accidentally added to a Signal group chat involving senior Trump administration figures discussing potential airstrikes in Yemen. The encrypted messaging thread, believed authentic, included sensitive military details like weapons, targets, and timing. Though Defense Secretary Pete Hegseth denied it was a war plan, Goldberg noted the chat mirrored CENTCOM's operational timeline and included high-level coordination. The use of Signal, a commercial, unclassified app, for such discussions raises alarms about secure communication practices. Goldberg exited the group after realizing it was likely real, and no one noticed his presence. The White House confirmed it's reviewing the incident, underscoring risks of misrouted sensitive information and the vulnerabilities introduced when officials use unsecured platforms for national security discussions. Stay tuned for my discussion of this story with our policy expert Ben Yelin.
Speaking of Signal, Mandiant warns that Russian hacking groups are exploiting Signal's linked devices feature to secretly spy on encrypted chats. By tricking users into scanning malicious QR codes, attackers can add their own device to the victim's Signal account, receiving messages in real time without breaking encryption. Targets include military personnel, journalists, and politicians. The technique has low detection risk and has been used in both remote phishing and battlefield operations. Mandiant urges users to audit linked devices and follow strong security practices.
Security expert Troy Hunt fell for a convincing Mailchimp phishing attack while jet-lagged, resulting in the compromise of his account and the export of his 16,000-subscriber mailing list. The phish, hosted on a spoofed Mailchimp site, tricked him into entering login credentials and a one-time password. Moments later, attackers accessed his account from a New York IP and exported the list, which included both active and unsubscribed users, raising concerns about Mailchimp's data retention practices. Hunt quickly changed his credentials and notified subscribers, but reflected on how fatigue and subtle social engineering contributed to the breach. He emphasized the limitations of one-time-password-based 2FA and called for phishing-resistant authentication like passkeys. The phishing site was disabled within hours. Hunt plans a deeper technical analysis and urges users to remain vigilant against sophisticated scams.
Google says a technical issue caused the loss of Timeline data for some Google Maps users, possibly permanently. The Timeline feature tracks users' location history and can include photos, creating a visual travel log. Users noticed missing data over the weekend, and Google confirmed the issue in emails. Those with encrypted backups can restore their data manually, but users without backups have lost it for good. Google hasn't detailed the cause or scope of the incident, raising broader concerns about data resilience.
Chinese state-linked hackers dubbed Weaver Ant infiltrated an unnamed Asian telecom firm and remained undetected for over four years, according to incident response firm Sygnia. The hackers initially breached the network using compromised Zyxel home routers and maintained persistence through a network of web shells, including the China Chopper tool. Weaver Ant used an ORB network of hijacked routers and IoT devices to mask their activity and move laterally across systems. Their objective was long-term espionage and data theft. Sygnia discovered the intrusion during a separate investigation and linked it to Chinese actors based on tools, working hours, and targeted infrastructure. The attackers demonstrated high-level sophistication, using multiple custom tools and evasion techniques to stay hidden.
Snake Keylogger is a stealthy multi-stage credential-stealing malware that uses malicious spam emails with deceptive disk image files to trick victims. The attached file mimics a business document, increasing the chance of user interaction. Once opened, it deploys an executable that initiates an infection chain, downloading and decrypting a hidden payload disguised as an MP3. The malware executes in memory via process hollowing, targeting installutil.exe to evade detection. It harvests credentials from web browsers, email clients, FTP apps, and Wi-Fi settings, exfiltrating data to attacker-controlled servers.
Interpol coordinated a major international crackdown on cybercrime, resulting in over 300 arrests across seven African countries between November and February. Authorities in Nigeria, South Africa, Zambia, and others dismantled cross-border cybercrime networks behind mobile banking, investment, and messaging app scams, which defrauded over 5,000 victims. Nigeria arrested 130 suspects, including 113 foreign nationals, some allegedly coerced into scams via human trafficking. South Africa disrupted a SIM box fraud operation used in SMS phishing attacks, while Zambia arrested hackers targeting banking data through malicious links. Seized assets include vehicles and properties. Private cybersecurity firms like Kaspersky and Group-IB supported the effort by analyzing malware and sharing data. Interpol cited Africa's growing cybercrime risks, with the region leading in average weekly cyber attacks per organization back in 2023.
Coming up after the break, my conversation with Ben Yelin over the senior Trump administration officials using unsecured platforms for national security discussions, and Pew Research Center figures out how its online polling got slightly forked. Stay with us.
Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both

Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, welcome back.
Good to be with you again, Dave.
So earlier on today's CyberWire, we were talking about this amazing story from the Atlantic about the Trump administration accidentally texting one of the Atlantic's reporters its war plans. Your initial hot take on this when you saw this story come across the wire?
Well, first my jaw dropped.
Right.
And then my jaw dropped even further when I saw people who have security clearance or are involved in national security, seeing their reaction, and basically all of them saying, if I did this, I would have been fired, for starters. There could have been more severe consequences. So my first reaction is to look at the potential legal liability of the principals here. The person who accidentally included Jeffrey Goldberg, the journalist at the Atlantic, in this group chat about the attack on the Houthis in Yemen was Michael Waltz. And that potentially could be a violation of the Espionage Act if he was reckless in discussing classified military information that could have caused harm to our troops and could have aided and abetted our enemies. That's the essence of the Espionage Act.
Right.
I don't think President Trump or his Justice Department would prosecute. Just this morning, as we're recording, the president reiterated that he has confidence in Michael Waltz, the national security advisor. And I take him at his word that there aren't going to be consequences. That's just not the nature of this president or this Justice Department.
Right.
In terms of the merits of the case, I do think it's complicated. We saw this with the Hillary Clinton email case, where the former FBI director, James Comey, said that she had been extremely careless with her classified communications when she used a private email server, but he declined to prosecute, saying that when they prosecuted these types of cases, there usually has to be some type of clear intent that's evident. And it seems to me that this was just a very unfortunate accident. I don't know why Michael Waltz would have intended to have Jeffrey Goldberg involved in this conversation.

I do think it was extreme recklessness, which, if you look at the letter of the law, you could be charged for extreme recklessness, but just the history of it, there generally has to be some intention, like there was in the case of David Petraeus, former war general, when he discussed classified information with his mistress who was writing a book and was prosecuted, although I think he agreed to a plea deal to avoid prison time. So that's one element of it.

And then there's the Presidential Records Act. These communications are of the type that need to be preserved under the Presidential Records Act to be housed in the National Archives. And Waltz himself put this group chat on the setting where the communications automatically would have been deleted after seven days. So technically, that's illegal under the Presidential Records Act.

Again, I do not think he's going to be subject to prosecution, just based on the nature of this president and this Justice Department and their lack of willingness to press charges against whom they consider their people. And I think they have the support of the Republican Party in this. Just looking at interviews I've seen with Republican senators and Republican congressmen, many of them are saying this was a huge screw-up, but we have to move on from it. Hopefully they've learned their lesson. And that seems to be the attitude that the party is taking right now.
The fact that, or I suppose more fairly stated, the assumption that if they're using Signal, they're doing so on their personal devices, which are not secure devices to be having these kinds of conversations. Is this a slap on the wrist kind of thing? A, hey, don't do that anymore?
One would think so. There are ways to hold these types of communications. If you're in person, you do so in a SCIF, in a secure facility. If you're not, there are communications channels available for these types of conversations. There are going to be imminent foreign policy matters that come up when the national security advisor, the director of national intelligence, the secretary of state, the secretary of defense are in different physical locations. And they do need a method to communicate candidly. But it should not be on their personal devices, and it should not be on the Signal application. So I think the lesson going forward for them is obviously, next time, use a secure communications method, because this was extremely dangerous.

Luckily, the person included in the conversation is a responsible journalist. He chose not to publish the content that seemed to be the specific war plans for attacking the Houthis, like the time of the attack and the potential targets. He was responsible in withholding that information. But they might not be so lucky in the future. It could be another journalist who's more willing to share that information publicly, or it could be with an adversary of the United States and somebody who wishes to do us harm. So yeah, that seems to me to be the obvious lesson going forward, to put it mildly.
Yeah. This seems to me to be so representative of where we are in this particular moment, where you have something like this happen that, under any other circumstances, under any other administration, the folks involved would likely be fired or have to resign. And you have the folks from the opposing party, the Democrats, up in arms about this. And I think anyone concerned about or anyone who studies national security, anyone who's ever had a security clearance, their jaws hit the floor and they're shouting from the rooftops about how serious this is. And yet on the other side, it's as if there's nothing to see here. Oh, you know, we made a mistake. Let's move on. We promise we won't do it again. And the gulf between those two things to me is really, again, representative of where we find ourselves. And it makes it so hard to navigate, I think. Do you think I'm on the money with that assessment?
I think you're right about it. I mean, naturally, it should be the Democrats who are making a big stink about this publicly. They do not have agenda-setting power. They can't schedule hearings in the House or the Senate because they're in the minority. Now, by coincidence, there happens to be a hearing about emerging national security threats, and many of the principals involved in the story are testifying. And it seems that they are using that hearing as an opportunity to ask some of these representatives what happened here. They do have the right to ask questions if these people happen to be at a hearing. But beyond that, I mean, they can demand an investigation, but they don't have any actual power to compel it. So I think they're in a weak political position as long as members of the Republican Party in Congress stick together and stand by the president and say that this was an unfortunate accident. It doesn't merit further investigation. They've learned their lesson, which, at least at this early stage, seems to be the line.

I think regardless of your political views, at the very least, there should be some type of investigation here. I think if this were a different administration, you might see the attorney general appoint a special counsel to investigate this, somebody who isn't directly involved in the administration, who could draft a nonpartisan report just giving the straight facts about what happened in this scenario and outlining some recommendations. But I don't anticipate that happening here.
Yeah. All right. Well, if you would like to hear a more detailed discussion of this, do check out this week's Caveat podcast, where Ben and I spend some more time on this topic. You can find that wherever you get your podcasts. In the meantime, Ben Yelin, thank you so much for dropping in with us here today. Always time well spent.
Always good to be with you, Dave, thanks.

Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High-impact threats slip through and surface in production, costing 10 times more to fix. Ox Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the Application Security Benchmark from Ox Security.
And finally, imagine taking a serious online survey only to be asked, forks or no? That's exactly what happened in a Pew Research Center online poll, thanks to a wonderfully weird bug. Turns out, a glitch triggered Google Chrome's auto-translate, mistaking the English-language survey for Spanish. Chrome then helpfully translated the word yes to forks. This culinary chaos stemmed from a bizarre Google Translate quirk, where yes in Spanish oddly becomes forks in English. Pew traced the issue, squashed some bugs with some HTML wizardry, and double-checked that their data remained deliciously intact. Only 0.2% of users reported seeing the error, and no measurable impact was found on the results. Bonus weirdness: Chrome also thought lean meant red. Pew's now got safeguards in place, so future surveys don't serve up accidental utensils. So yes, it was a strange ride, but no data or forks were harmed in the making of this research.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K at checkout.