CyberWire Daily - The Take It Down Act walks a fine line.
Episode Date: May 20, 2025
President Trump signs the Take It Down Act into law. A UK grocer logistics firm gets hit by ransomware. Researchers discover trojanized versions of the KeePass password manager. Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws. A new campaign uses SEO poisoning to deliver Bumblebee malware. A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials. CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. A bipartisan bill aims to strengthen the shrinking federal cybersecurity workforce. Our guest is Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, sharing insights on their 2025 DBIR. DOGE downsizes, and the UAE recruits.
CyberWire Guest
Today we are joined by Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, sharing insights on their 2025 Data Breach Investigations Report (DBIR).
Selected Reading
Trump signs the Take It Down Act into law (The Verge)
Supplier to Tesco, Aldi and Lidl hit with ransomware (Computing)
Fake KeePass password manager leads to ESXi ransomware attack (Bleeping Computer)
Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers (Security Week)
Threat Actors Deliver Bumblebee Malware Poisoning Bing SEO (Cybersecurity News)
New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials (GB Hackers)
CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)
Federal cyber workforce training institute eyed in bipartisan House bill (CyberScoop)
UAE Recruiting US Personnel Displaced by DOGE to Work on AI for its Military (Zetter Zero Day)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know.
That's spycloud.com slash cyberwire.
President Trump signs the Take It Down Act into law. A UK grocer logistics firm gets hit by ransomware. Researchers discover trojanized versions of the KeePass password manager. Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws. A new campaign uses SEO poisoning to deliver Bumblebee malware. A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials. CISA adds six actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog. A bipartisan bill aims to strengthen the shrinking federal cybersecurity workforce. Our guest is Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, sharing insights on the 2025 DBIR. And DOGE downsizes and the UAE recruits. It's Tuesday, May 20th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.
President Trump has signed the Take It Down Act into law, criminalizing the distribution of non-consensual intimate images, including AI-generated deepfakes. The law mandates that social media platforms remove such content within 48 hours of notification and gives the FTC enforcement power. Violators face up to three years in prison and fines. While tech companies and some advocacy groups supported the law, others, like the Cyber Civil Rights Initiative and the Electronic Frontier Foundation, warn it could harm victims and chill free expression. Critics fear the takedown process is vague and could be abused, especially under a politically charged FTC. Trump even hinted at using the law to protect himself from online criticism, adding to concerns about selective enforcement and legal overreach.
Peter Green Chilled, a UK logistics firm supplying major grocers like Tesco and Aldi, was hit by a ransomware attack last week, halting order processing but not affecting transport. The firm is working around the disruption and updating clients regularly. This attack adds to a growing pattern targeting the UK's food sector. Recent victims include Marks & Spencer, Co-op and Harrods, all of which faced system outages from ransomware. Cybersecurity experts warn that the cold chain's tight delivery schedules and complexity make it a prime target. These attacks risk not just operations, but also food waste and financial fraud through compromised communications. The Cold Chain Federation notes a surge in unreported incidents, while security firms say threat activity is only accelerating, putting the entire food supply chain at ongoing risk.
Threat actors have been using trojanized versions of the KeePass password manager to infiltrate networks and launch ransomware attacks. The campaign, active for at least eight months, was uncovered by WithSecure during a ransomware investigation. Attackers altered KeePass's open-source code to create KeeLoader, a version that functions normally but secretly installs a Cobalt Strike beacon and exports users' password databases in clear text. Distribution occurred through malicious Bing ads and fake software sites with domains mimicking KeePass's name. The beacons used carry watermarks tied to a known initial access broker linked to Black Basta ransomware operations. Some variants of KeeLoader were even signed with legitimate certificates. One such domain remains active, still pushing the trojanized installer, raising concerns about continued exposure.
Researchers from CISA and NIST have introduced a new metric called Likely Exploited Vulnerabilities (LEV) to better predict which software flaws are being actively exploited. Developed by Peter Mell from NIST and Jonathan Spring from CISA, LEV uses equations that combine data from the Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV) lists, and key dates tied to each vulnerability. The goal is to improve patch prioritization by estimating the probability that a flaw has been exploited. Unlike KEV or EPSS alone, which can be incomplete or inaccurate, LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked. It can also gauge how comprehensive KEV lists really are. NIST is now seeking industry partners to test and refine LEV with real-world data.
A new malware campaign using SEO poisoning on Microsoft Bing is delivering Bumblebee malware by luring users searching for technical software. Discovered in May by Cyjax researchers, the campaign targets IT professionals and developers by spoofing download sites for tools like WinMTR and Milestone XProtect. Threat actors registered typosquatted domains, hosting them on the same server as Nairobi. When users download it from these sites, a malicious installer delivers both the legitimate app and the Bumblebee malware, using stealthy techniques to evade detection. Bumblebee, linked to ransomware groups like Conti, connects to multiple command and control servers via the .life domain. This shift from targeting common software to niche technical tools signals a strategic focus on high-value targets with elevated system access.
A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials, exploiting workplace urgency and trust. Victims receive emails mimicking real Zoom notifications, complete with company branding and a fake video of participants, prompting users to enter login details on a spoofed meeting page. These fake sites use subtly altered domain names to appear legitimate. Researchers note the use of personalized URLs suggests attackers may be leveraging leaked data to tailor emails, increasing believability. Stolen credentials are likely exfiltrated via compromised APIs or messaging services, potentially granting access to broader corporate systems. Experts warn this targeted approach is more dangerous than generic phishing and recommend verifying unexpected invites, enabling multi-factor authentication, and using email security tools and user awareness training to defend against such threats.
CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. These include flaws in Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration Suite, and ZKTeco BioTime. Federal agencies must remediate these issues by the set deadlines. CISA urges all organizations to prioritize patching KEV-listed vulnerabilities to reduce exposure to cyber threats.
A new bipartisan bill, the Federal Cyber Workforce Training Act, aims to strengthen the shrinking federal cybersecurity workforce. Introduced by Representatives Pat Fallon, Republican from Texas, and Marcy Kaptur, Democrat from Ohio, the bill tasks the National Cyber Director with creating a centralized training center focused on hands-on, role-specific onboarding. The initiative would target entry-level and transitioning workers, while also developing modules for HR staff to improve recruitment and hiring. The curriculum would be crafted in coordination with DHS and DOD. Lawmakers say the effort is in response to ongoing challenges in federal cyber hiring, worsened under the Trump administration by workforce cuts, hiring freezes, and program disruptions. Critics like Representative Eric Swalwell warned these actions have had long-term effects on recruitment, especially following layoffs at CISA. The bill seeks to reverse these trends by creating sustainable cyber career paths and raising training standards across federal agencies.
Coming up after the break, Chris Novak from Verizon shares insights on the 2025 DBIR, and DOGE downsizes and the UAE recruits.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC. How much easier trust can be. Get started at vanta.com slash cyber.
Worried about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts. So if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at cyber.care slash cyberwire.
Chris Novak is Vice President of Global Cybersecurity Solutions at Verizon, and I recently caught up with him for insights on the 2025 DBIR.
Well, Chris, it is always a treat for me to be able to catch up with you. It seems on an annual basis to talk about the Verizon DBIR as it comes out every year.
So welcome back.
Thank you.
It's always a pleasure to be here, Dave.
Thanks.
For folks who may not be familiar with the report, what's the premise?
What prompts the creation of this report year after year?
Absolutely.
Yeah.
So it's interesting because we've been putting the report together now for, believe it or
not, 18 years.
So hopefully everyone out there has seen and heard of it.
But the premise of it was, way back in the beginning, people didn't speak about data
breaches.
It was a taboo thing.
Everybody knew everybody was having them, but nobody admitted to them.
And now I think that landscape has changed a little bit,
but the key here behind the report has always been,
how do we take a data and evidence-driven approach
to understanding how data breaches happen,
who they're happening to, why they're happening?
And most importantly, and I draw a lot of analogies
to healthcare, is how do we learn
from what's happening in the world
to understand what controls we need
to put in place, what education needs to improve
such that we can ultimately mitigate and reduce the amount
or the consequences or the impacts
of these kind of data breaches.
Well, given where we find ourselves in this world today,
were there any specific approaches that you
and your colleagues took
as you embarked on this year's DBIR?
I think probably some of the biggest ones are,
the report has gotten even more global
than it has been in the past,
which I think sometimes people may sometimes think that,
Verizon, they think of it as being a very US organization
based on where we're headquartered.
The reality of it is we have nearly 100 data contributors to the report, all providing evidence
and data to describe the various incidents and data breaches that happened.
The report has gotten even bigger in terms of the data corpus this year.
Now we're up to covering 139 victim countries, over 22,000 incidents and over 12,000 data breaches.
So it's one of the biggest, if not the biggest data corpus that we've ever had in doing the
analysis, which allows us to draw, you know, and not to say that the numbers being bigger
means the situation's necessarily worse.
I look at it more as the numbers being bigger means we have more data to draw better conclusions
from.
Well, let's dig into some of the key findings together here.
What are some of the things that caught your eye?
One of the big things that really jumped out at us,
it was pretty alarming,
was the increase in exploitation of
vulnerabilities as an initial access step for these data breaches.
It grew by 34 percent and now accounts for
20 percent of all the data breaches in the dataset, which is, I think,
very significant when you see it kind of creeping up on the heels of things like credential
abuse, which we've seen time and time again play a major role in data breaches.
It's responsible for about 22%.
Exploitation of vulnerabilities now makes up 20.
So you see there that there's a lot of zero days, for example,
being exploited as a mechanism of getting in. And also a lot of what we saw, which was really
interesting, was a lot of those vulnerabilities are tied to perimeter devices. So I think we often
think that, well, we'll take the information and the systems and the applications that are most
important and put them behind firewalls
and VPN devices, kind of think of them as behind the big castle walls.
And now what we're finding is a lot of the zero day and other vulnerabilities that have
been exploited have been in those perimeter devices.
So now that big hard castle wall we thought we had in front of our sensitive data and
applications, it's got some zero day holes in it, which is allowing the threat actors to get past it and get ultimately
access to that soft, chewy middle.
Can we touch on ransomware here?
I think in my mind, at least recently, there's been sort of mixed messages on the ransomware
front with you.
Maybe people are paying less.
What sort of information did you all gather
when it comes to that?
So ransomware is still alive and well, unfortunately.
So we've seen a still yet again an increase.
So this year's report shows a 37% increase
from last year in ransomware events.
And what's interesting is, you know, it was present in about
44% of all breaches, which is up from 32% last year. What's interesting is if you look at it and
split the demographics of large businesses and organizations and you're small and medium,
there's a very outsized role that it plays in more of the small and medium sized businesses.
So it actually makes up about 88% in that SMB market,
which tells us that the threat actors
and kind of like we probably always thought or assumed,
they're mostly after financial gain
and they'll get it from wherever they can.
And if the larger organizations are doing,
I'd say arguably a better job in terms of maturing, implementing
controls. What ends up happening is it puts pressure on the SMB market that maybe has
not yet caught up or has not implemented those controls. The threat actors go where sometimes
there's just that weakest link, and that may be in that SMB market.
So a lot of that is being hit with these ransomware events. And unfortunately, many of them, not being well prepared to handle it, are in a position of, well, they either have to pay or, you know, some part of their business becomes, you know, not operational. And, you know, to your earlier point around paying, we've actually seen overall in the entire dataset there's actually been a pretty significant shift. So if you look back two years ago, it was about 50-50 in terms of organizations that paid the ransom versus those that didn't. This year, what we found was it's actually now a bigger split, and 64% of the victim organizations did not pay the ransom. So I'd say arguably that's a little bit of an improvement in the sense that, you know, if they're not having to pay or paying, that generally means that they've got more robust controls, resiliency measures in place to be able to recover from the event without actually having the payment be the vehicle to do so.
That's an interesting insight. You know, we can't go through a report like this without mentioning generative AI. What were some of the data points that you all gathered there?
Generative AI? I've never heard of it. What is it?
Sorry, I'm sorry. We just finished RSA Conference. I meant to say agentic AI.
So generative AI is also one of the things that's interesting, because in last year's report we were like, what should we say about generative AI? What does the data tell us? And this year's report, while it's interesting in that, so generative AI definitely plays a role. The area that we see it most often causing problems from a threat actor perspective, in terms of where they're using it, still tends to be around the use of social engineering. They're using it to craft phishing and smishing types of attacks. Interestingly enough though, the large majority of what we see happening from a gen AI or agentic or whatever AI flavor is the one you want to discuss, the majority of it is, I would say, self-inflicted.
And what I mean by that is more organizations are still
finding that it's their internal use, misuse, lack
of appropriate governance or controls that's getting them
in more trouble with AI than the threat actors using it
against them.
Generally speaking, what we find is when we looked across
all the different entities out there, we saw that,
for example, a big thing that stood out is people using AI on their personal devices as a way to get around corporate controls, and then they will use that to upload corporate data to, pick your platform of flavor, to upload corporate data to a gen AI platform and say, share back insights with me, crunch this data for me, tell me what I don't know about this. And as a result, obviously, it exposes corporate, you know, trade secrets and intellectual property. And obviously that, again, is the example of kind of self-inflicted. And then the other area where we still see a lot of issues is organizations that are kind of trying to roll their own gen AI or agentic AI platforms internally, but maybe struggling to tie it in with things like identity and access management and authorization privileges, or even just generally doing things like penetration testing to understand where there may be vulnerabilities and holes.
The amount of times we get calls into our hotline asking for help because someone had
built a platform, I'll
give you a perfect example of one, where an organization had built a platform for their
internal use for HR purposes.
And they said, look, we're going to load all of our HR data into this platform and allow
it to be the first path for employees to get HR assistance rather than having to reach
out to a person each time.
They can ask a question to this platform and if it doesn't have the answer, then they go to an actual
HR rep.
But what ended up happening was they had not figured in the security controls and authorization
and access rights.
So anybody could ask the platform anything, including tell me who the highest paid person
in the company is.
How much does Bob or Nancy make?
Yeah.
I was just thinking of they are, boy, I was a half step, I'm with you. Wow. Yeah. Who could
have predicted that, Chris?
Right. And just imagine where that goes from here. So that's why I say a lot of what we
see right now is a lot of self-inflicted things like that, organizations struggling to manage
it and people finding other creative ways. And I think what's also interesting is people are now
growing more and more used to using generative AI
and the various flavors of it in their personal life.
They think nothing of just pulling up a ChatGPT
or a Gemini on their mobile phone to ask a question.
And so they expect, look, if I can do this
with this kind of ease in my everyday personal life,
I should be able to do this at work too.
And that obviously doesn't necessarily translate.
It isn't necessarily secured or monitored by the organization.
And so there's a lot of kind of unintended consequences or
unmonitored risks there.
As you all are tracking the trends from this year's report,
what sorts of things do you think organizations should be aware of as we're heading into the second half
of 2025 and beyond?
So I'd say one thing that I would call out
is around third party risk.
We saw that third party risk increased dramatically
year over year.
So it actually doubled from 15% to 30%.
And the reason why I call that out is,
third party supply chain,
especially with kind of the geopolitical landscape
being kind of particularly frothy right now,
everybody's got a third party
and you probably have third parties of third parties.
And so the thing that we're encouraging
a lot of organizations to look at
is not just what you see in the report here,
which highlights this challenge,
but what is it that you're doing in your own organization?
When did you last evaluate
what your third party ecosystem looks like?
And how well do you understand
what their third party ecosystem looks like?
Are you doing things like cyber risk quantification,
for example, as a way to kind of understand
not just what your risks are,
but how do you prioritize the approach to them?
Because we continue, you know,
for example, the zero day vulnerabilities,
a lot of organizations are struggling to keep up
with the rate and the pace
in which they're uncovering these.
And now it becomes an important element to figure out,
okay, if I can't do it all right now,
I can't solve all my problems today,
I need to have a really kind of smart
and science-based approach towards prioritization of how I tackle them.
So I'd encourage organizations to very much look into that if they're not already doing it.
That's Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon.
We'll have a link to the DBIR in our show notes.
And finally, Kim Zetter's Zero Day reveals a potentially troubling new development as the UAE seeks to recruit former members of the Pentagon's Defense Digital Service who recently resigned in protest over interference from the Department of Government Efficiency, DOGE. Brigadier General Musallam al-Rashidi, representing the UAE's military, offered the entire DDS team jobs in Abu Dhabi to help build an AI unit for the UAE's Ministry of Defense. While the outreach came through official U.S. defense channels, the General's involvement with Analog AI, a firm linked to the controversial Emirati company G42, raises serious red flags. G42 has been under scrutiny for its ties to the Chinese government and military. Intelligence officials warn that hiring U.S. cyber talent could inadvertently transfer sensitive expertise or dual-use technologies to foreign powers like China. These risks are compounded by past instances where U.S. cyber operatives recruited by Emirati firms unknowingly engaged in surveillance and offensive hacking operations against U.S. allies and dissidents. Though none of the DDS workers have so far accepted the UAE's offer, they say this effort reflects a larger threat. The U.S. is shedding top-tier cyber talent, and foreign governments are eager to scoop them up. As one former DDS staffer warned, losing these experts not only weakens America's cyber posture, it opens the door to our adversaries.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at theCyberWire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports, so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.