CyberWire Daily - UK Apple showdown gonna be public.
Episode Date: April 7, 2025

UK court blocks government's attempt to keep Apple encryption case secret. Port of Seattle says last year's breach affected 90,000 people. Verizon Call Filter app flaw exposes millions' call records. Hackers hit Australian pension funds. A global threat hiding in plain sight. Cybercriminals are yelling CAPTCH-ya! Meta retires U.S. fact-checking program. Our guest today is Rob Boyce from Accenture, and he's discussing Advanced Persistent Teenagers (APTeens). And Google's AI goes under the sea.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Rob Boyce, Global Lead for Cyber Resilience at Accenture, joins to discuss Advanced Persistent Teenagers (APTeens). APTeens have rapidly become a significant enterprise risk by demonstrating capabilities once limited to organized ransomware groups; the threat from juvenile, homegrown threat actors has risen steadily.

Selected Reading
UK Effort to Keep Apple Encryption Fight Secret Blocked in Court (Bloomberg)
Port of Seattle says ransomware breach impacts 90,000 people (BleepingComputer)
Call Records of Millions Exposed by Verizon App Vulnerability (SecurityWeek)
Cybercriminals are trying to loot Australian pension accounts in new campaign (The Record)
NEPTUNE RAT Attacking Windows Users to Exfiltrate Passwords from 270+ Apps (Cyber Security News)
Threat Actors Using Fake CAPTCHAs and CloudFlare Turnstile to Deliver LegionLoader (Cyber Security News)
Meta ends its fact-checking program in the US later today, replaces it with Community Notes (Techspot)
Suspected Scattered Spider Hacker Pleads Guilty (SecurityWeek)
This Alphabet Spin-off Brings "Fishal Recognition" to Aquaculture (IEEE Spectrum)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Secure access is crucial for U.S. public sector missions.
Ensuring that only authorized users can access certain systems, networks, or data.
Are your defenses ready?
Cisco's Security Service Edge delivers comprehensive protection for your network and users.
Experience the power of Zero Trust and secure your workforce wherever they are.
Elevate your security strategy by visiting cisco.com slash go slash SSE.
That's cisco.com slash go slash SSE.
UK court blocks government's attempt to keep Apple encryption case secret.
Port of Seattle says last year's breach affected 90,000 people.
Verizon call filter app flaw exposes millions of call records.
Hackers hit Australian pension funds.
A global threat hiding in plain sight.
Cybercriminals are yelling, CAPTCH-ya!
Meta retires US fact-checking program.
Our guest today is Rob Boyce from Accenture, and he's discussing advanced persistent teenagers, APTeens.
And Google's AI goes under the sea.
Today is April 7th, 2025.
I'm Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner. And this is your CyberWire Intel Briefing.
Happy Monday everybody. Hope you're having a great one. Let's get into the headlines.
According to a report from Bloomberg, the UK Investigatory Powers Tribunal has blocked
the British government's effort to keep secret a case involving its request to circumvent
Apple's encrypted iCloud services.
The court, which hears complaints related to government surveillance, ruled that the
government's efforts were a fundamental interference with the principle of open justice.
The tribunal's ruling, which also publicly confirmed the existence of the case for the
first time, said it would have been, quote, a truly extraordinary step to conduct a hearing
entirely in secret without any public revelation of the fact that a hearing was taking place.
The Port of Seattle, the agency that oversees Seattle's seaport and airport, has disclosed that the ransomware attack it sustained in August affected data belonging to approximately 90,000 people, according to a report from BleepingComputer.
Around 71,000 of the victims are residents of Washington State.
The report says the breached information included some combination of names, dates of birth, Social Security numbers or the last four digits of Social Security numbers, driver's license or other government identification card numbers, and some medical information.
The agency previously disclosed that the Rhysida ransomware gang posted the stolen data to its leak site after the port refused to pay the ransom.
Cybersecurity researcher Evan Connelly discovered a vulnerability in Verizon's Call Filter iOS app that could have allowed unauthorized access to users' incoming call records.
The flaw involved API requests lacking proper verification, enabling attackers to retrieve call data by specifying arbitrary phone numbers.
This exposed phone numbers and timestamps of incoming calls, potentially affecting millions of users.
Verizon, which has over 140 million subscribers, addressed the issue with a patch in mid-March 2025 following responsible disclosure practices.
Hackers have recently targeted multiple Australian superannuation funds, attempting to access and steal members' retirement savings.
The Association of Superannuation Funds of Australia, or the ASFA, reported that while most attempts were thwarted, some breaches did occur.
AustralianSuper, managing over 365 billion Australian dollars for more than three and a half million members, confirmed that stolen passwords were used to access 600 member accounts, resulting in four members losing a combined 500,000.
The company responded by locking the affected accounts and notifying the impacted members.
Prime Minister Anthony Albanese acknowledged the incident, noting that cyberattacks occur in Australia approximately every six minutes.
Neptune RAT is a sophisticated RAT, or Remote Access Trojan, actively targeting Windows users worldwide.
Distributed through platforms like GitHub, Telegram, and YouTube, it is often marketed as the most advanced RAT.
The malware employs stealthy infection techniques using PowerShell commands to bypass traditional security measures.
Once installed, Neptune RAT can exfiltrate credentials from over 270 applications, deploy ransomware, monitor desktops in real time, and disable antivirus software.
It establishes persistence via scheduled tasks and registry modifications.
Cybercriminals are employing deceptive tactics involving fake CAPTCHAs and Cloudflare Turnstile to distribute LegionLoader malware.
This campaign targets users searching for PDF documents online.
Victims encounter a fake CAPTCHA, and upon interaction they are led through a series of steps, including browser notification requests, culminating in the download of an MSI installer.
Executing this installer initiates a complex infection chain, ultimately installing a malicious browser extension designed to steal sensitive information such as cookies, browsing history, and bitcoin activities.
The malware affects multiple browsers including Chrome, Edge, Brave, and Opera.
Meta has officially ended its third-party fact-checking program in the United States as of April 7, 2025.
This initiative, which previously involved external organizations to assess the accuracy of content on Facebook, Instagram, and Threads, has been replaced by a user-driven system called Community Notes.
This model allows users to collaboratively add context to posts, aiming to enhance information accuracy through collective input.
Meta's CEO Mark Zuckerberg stated that this shift is intended to promote free expression and reduce perceived biases associated with traditional fact-checking methods.
The company plans to continue its third-party fact-checking efforts outside the United States and intends to expand the Community Notes system internationally in the future.
SecurityWeek is reporting that a 20-year-old Florida man named Noah Urban has pleaded guilty to his involvement in the Scattered Spider cybercriminal group.
Urban, who was arrested in January 2024, was accused of launching phishing and SIM swapping attacks that led to the theft of millions of dollars' worth of cryptocurrency.
Urban pleaded guilty to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.
As part of the deal, he has agreed to pay $13 million in restitution to 59 victims.
Stick around after the break to hear Dave Bittner's conversation with Rob Boyce, Global Lead for Cyber Resilience at Accenture, as they discuss advanced persistent teenagers, or APTeens.
And fishal recognition could help save the planet.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
Are you frustrated with cyber risk scores backed by mysterious data, zero context, and cloudy reasoning?
Typical cyber ratings are ineffective, and the true risk story is begging to be told.
It's time to cut the BS.
Black Kite believes in seeing the full picture with more than a score, one where companies have complete clarity in their third-party cyber risk using reliable quantitative data.
Make better decisions.
Reduce your uncertainty.
Trust Black Kite.
Advanced Persistent Teenagers, or APTeens, have rapidly become a significant enterprise risk by demonstrating capabilities once limited to organized ransomware groups.
Rob Boyce, Global Lead for Cyber Resilience at Accenture, joins Dave to discuss Advanced Persistent Teenagers.
Here's their conversation.
It is always my pleasure to welcome back to the show Rob Boyce.
He is the Global Lead for Cyber Resilience at Accenture.
Rob, welcome back.
Thanks, Dave, it's always a pleasure being here.
So I want to talk today about something that you've been tracking.
These are APTs, but the T's aren't what we think they are.
What do the T's mean in this particular case?
It means teens, Dave.
So we're talking about advanced persistent teenagers.
Correct.
I'll just say at the outset that I have two of these, but I don't think it's the kind of APTs that you're talking about.
So fill us in.
What do we mean when we're talking about APTs?
Yeah, sure, of course.
I think what we continue to see in media, in movies, et cetera, is this grandiose portrayal of these super sophisticated, well-funded threat actors that are coming from nation states that are set on the downfall of our society.
In truth, the average person that we're seeing play as an adversary in this space are really just normal people.
And we've been doing a lot of research going really back to 2018 and this hypothesis of, you know, individuals getting into this ransomware game or, you know, being a threat actor at large, becoming younger and younger.
And, you know, we've started seeing now a trend of individuals who are really average age between 17 and 25, more focused within country, so targeting more domestically, not entirely domestically, but more domestically, and attacking, of course, both private and public sector.
And so it's really become fascinating for us to see this bit of an evolution of what we're being told is real, the picture that we're being painted, versus what is really happening within our threat landscape.
Are there particular, I'll use the phrase gateway drugs, for these teens getting into this?
I mean, does this start with trying to get the high score on your favorite online game?
You know, it's actually interesting because we always categorize threat actors by different motivation types, right?
We're seeing the ones who are financially motivated, politically motivated, et cetera.
And what we're finding here is, yes, there's always, of course, a financial motivation for these individuals, but what we see here is actually more ambition to be infamous, more around notoriety, more around "I'm better than my peers and I'll be able to cause more of a disruption than somebody else."
And in my opinion, this actually even makes them a little bit more dangerous, because they don't necessarily have the same level of maturity as we've seen of someone who's been in this game for a while, or maybe who has the nation state overlords that keep track of what they're doing; there's a lot less maturity that we're seeing in this space as well.
So it's really a fascinating group to continue to track as we can see them becoming more and more relevant in this space.
So really following along with this uptick in influencer culture, I guess?
It almost seems so.
Yeah, it almost seems so.
And I think I'm sure you're familiar with some of the unmaskings we've seen recently, whether it's Scattered Spider or Lapsus$ or Black Basta.
This is where it's really come, where we've really seen our hypothesis coming true, where they've been showcasing who these individuals are.
And then of course, we find that a lot of them are within that age range that I mentioned.
We also, somewhat in our spare time, I guess, really do some deep dives in some of the threat actors that we're seeing to try and expose them and provide packages to law enforcement and such.
And so we're seeing more and more again of these individuals in this space. And the thing is, because they're a little less mature, they're a little sloppy too.
And so being able to uncover who they are is becoming a little bit easier for researchers like us to be able to identify them as well.
And we've started identifying individuals from places where we've never really seen a lot of activity.
Like Jordan and Yemen are a few places where we've seen a little bit more of this type of activity recently originating from, which is also another fascinating point to me, just the location of where these individuals are located.
It strikes me that it's also kind of, you know, what's old is new again.
I mean, you know, you think about the first generation of the old phone phreakers and that sort of thing.
I mean, having come up in that time, there was definitely a strong teen contingent back then.
And I guess that, as you say, immaturity, that feeling of invincibility.
Yeah.
And I thought about this as well.
And I thought, hey, I remember watching Hackers, where they were all high school students, or reading 2600 Magazine, which seemed to be targeted toward the younger generation.
And there's a huge distinction to me, though, between those individuals and these. Those individuals previously were ones who spent a lot of time being curious about technology, digging into it, really trying to understand the way it worked.
And now I'm finding that these individuals have a slightly easier path to become a threat actor.
It's just, with the tools that are available on the dark web, being able to go into dark web marketplaces, buy initial access, buy the tools that you need, maybe even trade a little, or become an affiliate for a ransomware gang.
I just think the barrier to entry seems a lot lower now for individuals to be able to become hackers or become threat actors in many cases.
And so it is similar, but I find that the philosophy behind it and also the work that's required to become an expert in this space is entirely different now.
So what are your recommendations for defenders?
If the ratio of true nation state actors versus teenagers who have a little too much time on their hands isn't what we thought it might have been, does that shift how they come at the defense of their organization?
Yeah, a little bit, actually. So this is what's interesting to me: I've had a lot of conversations recently with organizations, and the first thing that they're always concerned about is these sophisticated nation state threat actors.
And then, of course, what I'm trying to redirect them towards is that that is important. For sure, that is real, and probably honestly more real than many people realize. But that is a small subset of the threat actors that are targeting you on a daily basis for most organizations.
And those individuals, like the APTeens, who are really focused more on the lower barrier of entry into an organization, the easiest way to be able to move laterally, the easiest way to gain access, really force organizations to think about doubling down on getting the foundational strategies right.
And what I mean by that is, you know, I think if you could ensure that you had a good understanding of your company's presence on the dark web.
Meaning, do I have credentials that are being sold or stolen? Am I being targeted? Is there malware or similar being targeted toward me or that would impact my systems?
Understanding your vulnerability landscape: we have been struggling with scanning and patching for quite some time, and now the exposure landscape is much more than just vulnerabilities, so understanding the total exposures within your organization.
And having a good answer for identity management, especially around privileged access.
I think if you can get those three things correct and have good programs around those three, you will really be able to have a much easier time limiting your risk to these types of threat actors, for sure.
All right.
Well, Rob Boyce is Global Lead for Cyber Resilience at Accenture.
Rob, thanks so much for taking the time for us.
Anytime, Dave.
It was a pleasure to be here.
Thank you.
That was Dave Bittner sitting down with Rob Boyce, Global Lead for Cyber Resilience at Accenture, to discuss advanced persistent teenagers, or APTeens.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
In a move that's part sci-fi, part seafood sustainability, Google's secretive X lab has unveiled TidalX, an underwater AI system designed to transform fish farming.
Equipped with smart cameras and machine learning, TidalX monitors farmed fish like salmon in real time, tracking their movements, behavior, and even individual fish health.
Think facial recognition.
Like, yeah, facial recognition for fish.
Yeah, so why does this matter?
Overfeeding in aquaculture wastes food and pollutes the water, while underfeeding or missing early signs of disease can hurt both fish and farmers.
TidalX aims to strike a balance, offering farmers insights to feed just the right amount, reduce waste, and catch health issues early, all without disrupting the watery ecosystem.
After five years in stealth mode, the project is now swimming into the spotlight with the goal of making aquaculture more efficient, sustainable, and scalable.
As global demand for seafood rises, tech like this could be the key to meeting it responsibly.
So yes, the fish are getting their closeups, and it might just help save the planet.
And that's the CyberWire.
For a link to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tre Hester, with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Maria Varmazis, in for Dave Bittner.
Thanks for listening.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change.
With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at vanguardjobs.com.