CyberWire Daily - Typhoon on the line.

Episode Date: June 18, 2025

Viasat confirms it was breached by Salt Typhoon. Microsoft’s June 2025 security update giveth, and Microsoft’s June 2025 security update taketh away. Local privilege escalation flaws grant root access on major Linux distributions. BeyondTrust patches a critical remote code execution flaw. SMS low cost routing exposes users to serious risks. Erie Insurance says their ongoing outage isn’t ransomware. Backups are no good if you can’t find them. Veeam patches a critical vulnerability in its Backup software. SuperCard malware steals payment card data for ATM fraud and direct bank transfers. We preview our Juneteenth special edition. Backing up humanity.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are sharing an excerpt of our Juneteenth Special Edition conversation between Dave Bittner, T-Minus Space Daily’s Maria Varmazis, and CISO Perspectives podcast’s Kim Jones. Enjoy this discussion on the eve of Juneteenth and tune into your CyberWire Daily feed tomorrow on your favorite podcast app to hear the full conversation.
Selected Reading
- Viasat hacked by China-backed Salt Typhoon in 2024 US telecom attacks (Cybernews)
- Microsoft's June Patches Unleash a Cascade of Critical Failures (WinBuzzer)
- New Linux udisks flaw lets attackers get root on major Linux distros (Bleeping Computer)
- BeyondTrust warns of pre-auth RCE in Remote Support software (Bleeping Computer)
- Two Factor Insecurity (Lighthouse Reports)
- Erie Insurance: ‘No Evidence’ of Ransomware in Network Outage (Insurance Journal)
- Half of organizations struggle to locate backup data, report finds (SC Media)
- New Veeam RCE flaw lets domain users hack backup servers (Bleeping Computer)
- Russia detects first SuperCard malware attacks skimming bank data via NFC (The Record)
- Why one man is archiving human-made content from before the AI explosion (Ars Technica)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, Spy Cloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Starting point is 00:00:40 Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. Viasat confirms it was breached by Salt Typhoon, Microsoft's June 2025 security update giveth, and Microsoft's June 2025 security update taketh away. Local privilege escalation flaws grant root access on major Linux distributions.
Starting point is 00:01:25 BeyondTrust patches a critical remote code execution flaw. SMS low-cost routing exposes users to serious risks. Erie Insurance says their ongoing outage isn't ransomware. Backups are no good if you can't find them. Veeam patches a critical vulnerability in its backup software. SuperCard malware steals payment card data for ATM fraud and direct bank transfers. We preview our Juneteenth special edition. And backing up humanity. It's Wednesday, June 18, 2025.
Starting point is 00:02:09 I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It's great to have you joining us. It's great to have you with us. Viasat has confirmed it was breached by Salt Typhoon, the Chinese state-sponsored espionage group in a cyber attack linked to intrusions into U.S. telecom infrastructure ahead of the 2024 presidential election. The group had previously targeted firms like Verizon, AT&T, and T-Mobile and reportedly accessed phone records of political figures including Donald Trump
Starting point is 00:02:51 and JD Vance. Viasat, which provides secure communications to both commercial and government sectors, stated the breach stemmed from a compromised device but found no customer data was affected. The company worked with federal authorities and believes the threat has been neutralized. Salt Typhoon, active since 2020, is known for its stealth and long-term access strategies, raising concerns that the group may still be embedded in some networks. U.S. officials have linked the group to broader cyber espionage efforts, including a 2024 Treasury Department breach,
Starting point is 00:03:29 while China denies all allegations. Microsoft's June 2025 security update has created a dilemma for IT admins. Install a patch that breaks DHCP services or leave servers vulnerable to serious exploits. The update, released June 10th, disrupts DHCP failover configurations on Windows Server 2016-2025, causing network outages. Microsoft confirms the bug but has yet to issue a fix, forcing some to uninstall the
Starting point is 00:04:06 update, exposing systems to 66 vulnerabilities, including two zero-days. One is an actively exploited WebDAV flaw used by the Stealth Falcon group. The same update has also caused issues with Surface Hub devices and L2TP VPN connections. Experts warn this reflects a growing problem: rushed patches causing major system failures. Admins are effectively left testing mission-critical updates in production environments. Researchers at Qualys have uncovered two local privilege escalation flaws that can grant
Starting point is 00:04:45 root access on major Linux distributions. The first affects the PAM configuration on openSUSE and SUSE Linux Enterprise, while the second targets libblockdev and the udisks daemon, installed by default on most Linux systems. Together, these bugs can be chained for an easy local-to-root exploit. Even on their own, especially the udisks flaw, they pose a critical risk. Proof-of-concept exploits have already worked on Ubuntu, Debian, Fedora, and openSUSE. Admins are urged to patch both immediately, as root access can lead to persistence, lateral movement, and full system compromise.
Starting point is 00:05:31 BeyondTrust has patched a critical remote code execution flaw in its Remote Support and Privileged Remote Access tools. The bug, found in the chat feature, stems from improper input handling in the template engine, enabling unauthenticated attackers to run arbitrary code on affected servers. Cloud systems were patched by June 16th, but on-prem customers must update manually. Mitigations include enabling SAML for the public portal and disabling certain features. No active exploitation has been reported, but past flaws have been targeted. Tech giants like Google, Meta, and Amazon rely on a global web of contractors to deliver
Starting point is 00:06:17 one-time login codes via SMS, aiming for speed and low cost. But this low-cost routing strategy exposes users to serious risks. Middlemen, some with links to surveillance and cybercrime, can access and potentially misuse these codes. A recent investigation from Lighthouse Reports and Bloomberg revealed that over 1,000 companies sent sensitive login messages through Fink Telecom Services, a Swiss firm with a controversial track record. Millions of messages, including account names and phone numbers, were found traveling through
Starting point is 00:06:55 this insecure network. Fink has been previously linked to surveillance efforts and cyber incidents worldwide. Despite bans on such practices in places like the UK, the opaque SMS routing industry remains largely unregulated. Critics argue that tech companies are failing to vet these providers adequately, leaving customer data vulnerable in a system designed for more cost savings than security. Erie Insurance denies any evidence of ransomware or ongoing cyber threats following a 10-day network outage that began June 7.
Starting point is 00:07:34 This contradicts two class action lawsuits alleging a ransomware attack and data breach. Erie says it detected unauthorized activity and took immediate steps to contain it, adding that no data breach has been confirmed. The lawsuits, filed by a customer and a former employee, each seek $5 million, claiming negligence over exposed personal data. One plaintiff says Erie notified him of a data leak.
Starting point is 00:08:02 Meanwhile, Google Threat Intelligence has linked the timing to Scattered Spider, a known cybercrime group targeting insurers. Erie continues to work with cybersecurity experts and has strengthened its defenses, but declined to comment on litigation. The company urges customers to monitor their financial activity and practice good security hygiene. Communication services, including phones and emails, remain impacted by the incident. Half of organizations struggle to locate backup data when needed, according to Eon's 2025
Starting point is 00:08:38 State of Cloud Backup Report. Despite rising ransomware threats, many still rely on outdated manual backup strategies. A survey of over 150 IT leaders found 18% experienced data loss and 22% were unsure if they had. Human error caused 64% of losses, while 25% were ransomware related. Only 49% used fully automated backups and just 29% had layered ransomware defenses. Alarmingly, 13% had no protection at all. Fragmented approaches, such as using individual cloud providers'
Starting point is 00:09:18 disaster recovery tools, leave gaps in visibility and consistency. Compliance is the top driver for backup investments, but mismanaged data raises risks of violations and business disruption. Eon urges companies to modernize with AI-driven cross-cloud solutions. They say effective backups not only guard against loss, but can also fuel analytics and AI if properly managed. Veeam has patched a critical remote code execution vulnerability in its backup and replication
Starting point is 00:09:53 software. Discovered by watchTowr and CodeWhite, the flaw affects domain-joined VBR installations and allows any authenticated domain user to execute code remotely on the backup server. It impacts VBR version 12 and later and is fixed in a version released today. Despite Veeam's best practices advising against domain-joining backup servers, many companies still do, increasing their exposure to this threat. Russian cybersecurity firm F6 has reported the first domestic attacks using SuperCard,
Starting point is 00:10:32 a modified version of NFCGate, a legitimate tool for relaying NFC data. SuperCard, now part of a malware-as-a-service scheme, targets Android users and has previously been used in Europe to steal payment card data for ATM fraud and direct bank transfers. First detected in Italy in April and Russia in May, the malware disguises itself as a legitimate app and uses social engineering to infect victims. It identifies the user's payment system, like Visa or Mastercard, to facilitate theft. Unique to SuperCard is its open commercial distribution via Telegram, including Chinese-language channels with subscription models and support. F6 notes that this malware has
Starting point is 00:11:19 infected over 175,000 devices in Russia, causing $5.5 million in losses in the first quarter of this year alone. It's marketed as capable of targeting users in the US, Europe, and Australia. Coming up after the break, we're sharing an excerpt from our Juneteenth special edition conversation between T-Minus Space Daily's Maria Varmazis, CISO Perspectives podcast's Kim Jones, and myself. We'll be right back. Stay with us. Compliance regulations, third-party risk, and customer security demands are all growing
Starting point is 00:12:18 and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have.
Starting point is 00:12:57 According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at Vanta.com slash cyber. And now a word from our sponsor, CloudRange. Cybersecurity isn't just a technology issue, it's a people challenge. While tools can detect threats, it's the humans who decide how to
Starting point is 00:13:42 respond. That's why CloudRange uses immersive simulation-based training to build real-world instincts and confidence. This approach helps transform good security teams into great ones, ready to face today's evolving threats. Discover how CloudRange is empowering defenders at www.cloudrange.com. Let me take this back a little bit. I'm old enough to remember the publication of Alex Haley's Roots and LeVar Burton in his breakout role, before Geordi La Forge, as Kunta Kinte in that series. What we don't necessarily recognize or realize
Starting point is 00:14:34 is why that was such a big deal. It is because of the history of African Americans coming over as slaves and families being broken up. It was thought that it was not just difficult but damnably impossible to put together a lineage on an individual that dates back as they do in other communities within the environment. So the ability for us to keep history, even back 150, 200 years, has been difficult, has been, I won't call it underground because it really hasn't been underground, it's been more a matter of kept within ethnic communities, is not unusual. And we're not unique.
Starting point is 00:15:23 Think about towns and cities that have Chinatowns and think about how much we don't know regarding the history and the calendars, et cetera, there. So for me, I've been aware of Juneteenth for decades, you know, because this is part of the history that my father made sure that we did not forget as children growing up. So yeah, it's been lifelong for me.
Starting point is 00:15:47 It's been something I've known about for a while. It's been something that I've taken a quiet moment and reflected upon in my adult years before the rest of the world became aware of it. My perception though is that it's not that we're straying out of our lane, it's that they've come careening into ours with things like Doge, with the current situation in Washington and the White House, that cybersecurity used to, much more than it does today,
Starting point is 00:16:17 enjoy sort of bipartisan neutrality. And it's not- Same thing for space, by the way. Yes. Yeah, and it's not so much that way anymore. And that's not the fault of the folks in cyber. Right. The fault is, is how we approach it.
Starting point is 00:16:32 And this goes beyond Juneteenth. But as an example, what we get is into identity, access management, exposure of data and data protection. The way we argue this problem isn't politically over, you know, the president's right to do X and how this happens with Y, but an understanding that what we are doing in certain cases, and be specific and fact-based about those cases, violates some basic tenets that we've grown up under.
Starting point is 00:17:05 What we tend to do is we tend to do what I just did and get on the soapbox and rail at things, and we contribute to the noise engine rather than this particular problem violates basic practices of security that we've done for three to four decades. And if you wish to do this, which is your right as commander in chief or is your right as the government, and those conversations as to whether it is or ain't are well outside
Starting point is 00:17:35 of my wheelhouse, then I have a right as not only a private citizen, but as a decades-old cyber professional to ask, what the hell are you doing to take care of these concerns? Yeah, that's not a political statement. That's a, I'm a cyber guy, I should be asking those questions, because my customers are gonna ask them of me. So I'm your customer. It's not wrong for me to ask them of you. So for me the issue is not just that these things are careening in, Dave, but our response is, again, it is not a thoughtful, data-driven, experiential response. It is knee-jerk reaction that feeds the engine and allows others to dismiss the argument.
Starting point is 00:18:23 Be sure to tune into your CyberWire Daily feed tomorrow on your favorite podcast app to hear the full conversation. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Starting point is 00:19:16 Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com slash purple-knight. That's semperis.com slash purple-knight. And finally, former Cloudflare executive John Graham-Cumming has launched a website with a distinctly post-modern mission: preserving the web's low-background cultural heritage, that is, media created by humans before AI turned content into a buffet of statistically probable sentences. His site LowBackgroundSteel.ai pays homage to the Cold War-era concept of low-background
Starting point is 00:20:09 steel, metal forged before nuclear testing filled the air and everything else with radiation. Think of it as a digital time capsule, where archives like pre-2022 Wikipedia dumps, Project Gutenberg books, and GitHub's Arctic Code Vault bask in their human-authored glory. The site quietly launched in 2023, but stayed low-key until now, perhaps wisely so. Since ChatGPT's debut, AI-generated sludge has oozed across the web, sinking projects like wordfreq, a beloved language tool that gave up in 2024 citing overwhelming synthetic noise. Graham-Cumming isn't launching an anti-AI crusade, just tagging the before in case the
Starting point is 00:20:58 after ever needs context. Think of it as civilization's backup. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Please note that we will not be publishing tomorrow in observance and celebration of the Juneteenth holiday in the U.S. We invite you to check out our special edition episode on Juneteenth tomorrow in your CyberWire Daily podcast feed. We'd love to hear from you.
Starting point is 00:21:45 We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of the summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:22:09 Thanks for listening, we'll see you back here Friday. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day.
Starting point is 00:23:03 The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
