CyberWire Daily - U.S. braces for Iranian cyber intrusions.
Episode Date: June 30, 2025

CISA warns organizations of potential cyber threats from Iranian state-sponsored actors. Scattered Spider targets aviation and transportation. Workforce cuts at the State Department raise concerns about weakened cyber diplomacy. Canada bans Chinese security camera vendor Hikvision over national security concerns. Cisco Talos reports a rise in cybercriminals abusing Large Language Models. macOS malware Poseidon Stealer rebrands. Researchers discover multiple vulnerabilities in Bluetooth chips used in headphones and earbuds. The FDA issues new guidance on medical device cybersecurity. Our guest is Debbie Gordon, Co-Founder of Cloud Range, looking “Beyond the Stack - Why Cyber Readiness Starts with People.” An IT worker’s revenge plan backfires.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices segment, Debbie Gordon, Co-Founder of Cloud Range, shares insights on looking “Beyond the Stack - Why Cyber Readiness Starts with People.” Learn more about what Debbie discusses in Cloud Range’s blog: Bolstering Your Human Security Posture. You can hear Debbie's full conversation here.

Selected Reading
CISA and Partners Urge Critical Infrastructure to Stay Vigilant in the Current Geopolitical Environment (CISA)
Joint Statement from CISA, FBI, DC3 and NSA on Potential Targeted Cyber Activity Against U.S. Critical Infrastructure by Iran (CISA, FBI, DOD Cyber Crime Center, NSA)
Prolific cybercriminal group now targeting aviation, transportation companies (Axios)
U.S. Cyber Diplomacy at Risk Amid State Department Shakeup (GovInfo Security)
Canada Bans Chinese CCTV Vendor Hikvision Over National Security Concerns (Infosecurity Magazine)
Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos (Hackread)
MacOS malware Poseidon Stealer rebranded as Odyssey Stealer (SC Media)
Airoha Chip Vulnerabilities Expose Headphones to Takeover (SecurityWeek)
FDA Expands Premarket Medical Device Cyber Guidance (GovInfo Security)
'Disgruntled' British IT worker jailed for hacking employer after being suspended (The Record)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Risk and compliance shouldn't slow your business down.
HyperProof helps you automate controls, integrate real-time risk workflows, and build a centralized
system of trust so your teams can focus on
growth, not spreadsheets. From faster audits to stronger stakeholder confidence,
HyperProof gives you the business advantage of smarter compliance. Visit
www.hyperproof.io to see how leading teams are transforming their GRC
programs.
CISA warns organizations of potential cyber threats from Iranian state-sponsored actors. Scattered Spider targets aviation and transportation.
Workforce cuts at the State Department raise concerns
about weakened cyber diplomacy.
Canada bans Chinese security camera vendor Hikvision
over national security concerns.
Cisco Talos reports a rise in cyber criminals
abusing large language models.
macOS malware Poseidon Stealer rebrands.
Researchers discover multiple vulnerabilities
in Bluetooth chips used in headphones and earbuds. The FDA issues new guidance on medical
device cybersecurity. Our guest is Debbie Gordon, co-founder of Cloud Range, looking
“Beyond the Stack: Why Cyber Readiness Starts with People.” And an IT worker's revenge plan
backfires.
It's Monday, June 30, 2025. I'm Dave Bittner and this is your CyberWire intel briefing.
Thanks for joining us here today.
It's great to have you with us.
CISA, along with the FBI, NSA, and Department of Defense Cyber Crime Center, has issued a fact sheet
warning organizations about potential cyber threats from Iranian state-sponsored or affiliated
actors.
While there is no current evidence of a coordinated Iranian cyber campaign targeting the U.S.,
officials note increasing activity from Iranian hackers and hacktivists in recent months, which is expected to escalate
amid current geopolitical tensions.
These actors often exploit unpatched software, known vulnerabilities, and weak or default
passwords on Internet-connected devices.
The agencies urge critical infrastructure operators to take immediate precautions, including
disconnecting operational technology from public internet access, enforcing strong unique passwords,
applying all software patches, and using phishing-resistant multi-factor
authentication. These steps aim to strengthen defenses and reduce exposure
to opportunistic or targeted Iranian cyber operations.
The Scattered Spider hacking gang is now targeting the aviation and transportation sectors, cybersecurity
firms warned.
This mostly Western English-speaking group has attacked grocery suppliers, retailers,
and insurance companies in the U.S. and UK.
Hawaiian Airlines recently reported a cybersecurity
incident affecting its IT systems, while Canadian airline WestJet faced similar issues last
week. Though WestJet didn't confirm Scattered Spider's involvement, sources suggest they
were behind it. Google's Mandiant Consulting and Palo Alto Networks warned that the group's attacks resemble past operations and urged airlines to harden systems immediately.
Scattered Spider is known for combining social engineering with exploiting known security vulnerabilities.
Despite arrests last fall, U.S. law enforcement has struggled to curb their activities.
Planned workforce cuts and a reorganization at the U.S. State Department are raising concerns
about weakened cyber diplomacy.
Secretary of State Marco Rubio aims to cut up to 2,000 employees and restructure the
Bureau of Cyberspace and Digital Policy.
This comes despite a federal court injunction blocking broad layoffs across agencies.
Staff were told to update resumes by June 13, and managers reviewed personnel files
in preparation.
Critics warn the cuts could fracture the cyber bureau's mission, reducing its ability to
coordinate with allies and agencies like Cyber Command,
especially as cyber threats rise from adversaries such as Iran and China.
Analysts say breaking up the Bureau's cybersecurity and economic portfolios will undermine efficiency
and direct leadership reporting.
House Democrats argue this threatens U.S. international cyber policy coordination.
Even if layoffs are blocked, Rubio may proceed with reorganization under a separate directive,
leaving the Bureau's future uncertain.
Canada has banned Chinese CCTV vendor Hikvision from operating in the country and selling
to federal institutions due to national security concerns.
Industry Minister Mélanie Joly ordered Hikvision Canada to cease operations
following a security review under the Investment Canada Act.
The government is investigating to ensure no federal agencies still use Hikvision products.
While the ban does not cover private businesses or individuals,
Canadians are urged to reconsider purchases. Hikvision faces global scrutiny for alleged
human rights abuses and security risks, including bans or removals in the U.S., UK, Australia,
India and Europe. In the U.S., Hikvision was banned from government contracts and placed
on the Entity List for its role in surveillance of Uyghurs in Xinjiang, accusations the company
denies. This Canadian ban follows Quebec's 2023 prohibition on Hikvision products in
government settings.
Cisco Talos reports a rise in cybercriminals abusing large language models to enhance attacks.
Criminals use three main methods: uncensored models like OnionGPT and WhiteRabbitNeo that
generate phishing emails or hacking tools; custom-built LLMs such as WormGPT, DarkGPT, and
FraudGPT, advertised on the dark web to create malware and phishing content; and jailbreaking
legitimate LLMs like ChatGPT through prompt injection techniques to bypass safety guardrails.
Criminals use LLMs for programming ransomware, creating phishing pages, verifying stolen
credit cards, and
scanning for vulnerabilities.
Some distribute backdoored models on platforms like Hugging Face to infect users.
Cisco warns that LLMs are becoming a force multiplier for cybercrime, making attacks
more efficient rather than inventing new cyber weapons. Interestingly, Talos found some dark web sellers like FraudGPT's alleged developer scamming
buyers with non-existent malicious AI products.
CYFIRMA reports that Poseidon Stealer, a macOS-targeting malware as a service, has been rebranded
as Odyssey Stealer.
Odyssey spreads via ClickFix campaigns on spoofed finance, crypto news, and fake Apple
App Store sites.
Users are tricked into running a Base64 command in Terminal, which executes malicious AppleScript
to steal device passwords and keychain credentials. Odyssey targets cryptocurrency wallets like Electrum, Coinomi, and Exodus,
as well as browsers including Safari, Chrome, and Firefox.
It harvests passwords, payment info, session cookies, and autofill data.
It also steals files from desktop and documents folders,
archiving them into a zip file for exfiltration.
The control panel, mostly hosted in Russia, offers features like cookie-based session
hijacking and guest demos for buyers.
CYFIRMA advises blocking script execution using app whitelisting and only downloading apps from official or verified sources to mitigate this growing macOS threat.
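The ClickFix lure described above, where a victim pastes an opaque Base64 blob into Terminal and the decoded AppleScript runs, leaves a recognizable trace in shell or process telemetry. What follows is an added example, not code from CyberWire or CYFIRMA: a small Python detector that runs over a constructed sample of command-line events (the event field names, the sample commands and the keyword list are assumptions) and flags a Base64 decode piped into an interpreter, decoded payloads that reference osascript or the keychain, and AppleScript password prompts launched directly from a terminal. The sample payload is never executed; it is only decoded and inspected.

```python
import base64
import re


def _b64(text: str) -> str:
    """Base64-encode a string; used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample of process-execution events, in the shape a defender might pull
# from EDR or shell telemetry. The field names and every command are assumptions.
SAMPLE_EVENTS = [
    {"user": "alice", "parent": "Terminal", "cmd": "ls -la ~/Documents"},
    # ClickFix-style lure: an opaque blob that decodes to an AppleScript credential prompt
    {"user": "alice", "parent": "Terminal",
     "cmd": "echo " + _b64("osascript -e 'display dialog \"Enter your keychain password\" default answer \"\"'")
            + " | base64 -d | sh"},
    # Benign AppleScript use: a notification, no credential prompt
    {"user": "bob", "parent": "Terminal", "cmd": "osascript -e 'display notification \"build done\"'"},
    {"user": "bob", "parent": "Terminal", "cmd": "git pull origin main"},
]

# Rule 1: a base64 decode whose output is piped straight into a shell or osascript.
DECODE_PIPE = re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sh|bash|zsh|osascript)\b")
# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Strings that make a decoded payload worth escalating on macOS (assumed list).
PAYLOAD_KEYWORDS = ("osascript", "keychain", "password", "curl ")


def decode_tokens(cmd: str) -> list[str]:
    """Return the decoded text of every base64-looking token in a command line."""
    decoded = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not real base64 (bad padding or stray characters)
            continue
    return decoded


def analyze_event(event: dict) -> list[str]:
    """Apply the three heuristics to one event and return human-readable findings."""
    cmd = event["cmd"]
    findings = []
    if DECODE_PIPE.search(cmd):
        findings.append("base64-decoded payload piped into an interpreter")
    for text in decode_tokens(cmd):
        hits = [k.strip() for k in PAYLOAD_KEYWORDS if k in text.lower()]
        if hits:
            findings.append("decoded payload references " + ", ".join(hits))
    if "osascript" in cmd and "display dialog" in cmd and "password" in cmd.lower():
        findings.append("AppleScript password prompt launched from a terminal")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that tripped at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{ev['user']}] {ev['cmd'][:60]}...")
        for f in findings:
            print("   -", f)
```

Only the second sample event trips the rules: the decode-and-pipe pattern fires on the command line itself, and decoding the blob exposes the osascript credential prompt that the lure hides from a casual glance. Benign osascript use, such as the notification in the third event, produces no finding, which is the point of keying the third rule on a dialog that asks for a password rather than on osascript alone.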
Researchers at German security firm ERNW have discovered multiple vulnerabilities in Airoha Bluetooth chips
used in headphones and earbuds from brands like Sony, Marshall, and Beyerdynamic.
The flaws stem from a custom protocol in Airoha's SDK that allows attackers to read or write
RAM and flash storage without authentication.
Exploitation is possible over both Bluetooth Low Energy and Bluetooth Classic even without
pairing.
Attackers within Bluetooth range could hijack headphones, eavesdrop on audio, read media
data, extract phone numbers, or rewrite firmware for full code execution, enabling wormable
exploits.
These attacks are likely to target high-value individuals such as journalists or diplomats.
Airoha has fixed the vulnerability in its latest SDK,
but ERNW warns no vendors have released firmware updates yet,
leaving many devices exposed.
The FDA has issued new final guidance
on medical device cybersecurity,
replacing its 2023 version.
The updated document reflects expanded authority under Section 524b of the Food, Drug, and
Cosmetic Act requiring that any Internet-connected cyber device include cybersecurity details
in pre-market submissions.
The guidance mandates elements like software bills of materials, vulnerability management
plans, and demonstration
of reasonable assurance of cybersecurity.
Experts note this merges previous guidance with statutory updates into one cohesive document,
clarifying that cybersecurity is integral to safety and effectiveness determinations.
It explicitly covers debug ports, wireless modules, and access controls, widening regulatory
scope.
While the FDA aims to enhance device security amid rising healthcare cyber threats, experts
warn that recent budget cuts and staffing losses could slow reviews.
Researchers emphasize that manufacturers must prioritize security in design and documentation
to avoid delays and reduce post-market risks, as nearly all modern devices now qualify as cyber devices.
Coming up after the break, my conversation with Debbie Gordon, co-founder of Cloud Range.
We're looking “Beyond the Stack: Why Cyber Readiness Starts with People.”
And an IT worker's revenge plan backfires.
Stay with us. Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created PurpleKnight, the free security assessment tool that scans
your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using PurpleKnight to stay ahead of threats.
Download it now at semperis.com slash purple-knight.
That's semperis.com slash purple-knight.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.
Debbie Gordon is co-founder of Cloud Range, and in today's sponsored Industry Voices
segment, we look “Beyond the Stack: Why Cyber Readiness Starts with People.”
So the human element, it's funny when I think about the last 10 years, the human element
10 years ago wasn't a thing. You had security leaders who thought that technology
could solve all problems
or compliance could solve all problems.
But it wasn't until maybe seven or eight years ago
that it became trendy, for good reason,
to focus on people in cybersecurity
because they are, in fact, the weakest link
in the chain. They are the last line of defense. And I'm not just talking about the users in
an organization who you don't want clicking on a phishing email. I'm talking about the
cybersecurity practitioners in a security operations center, who are incident responders also,
those people are the ones who are the last line of defense,
and they are the most important piece of the security stack.
And so, to answer your question,
there's so much focus on AI and automation,
but like with any innovation,
it just raises people up to do different work,
but you still need those people to be overseeing the work that got automated by the innovation.
Same thing with, you know, every day we're seeing
an exponential increase in the use of AI, and that requires an exponential
increase in people who know how to decipher the accuracy of AI, how to think
critically and how to manage it, how to tell it what to do and how to do it.
And so people are so important, and, you know, people say, oh, you're
gonna not need humans anymore. That's absolutely not true.
And from your perspective the organizations that are being effective
here who are seeing success are there common elements to the way that they approach this?
Yes.
So organizations who are taking a proactive
and preemptive approach to cybersecurity
are being a lot more successful.
So many security leaders, probably everyone listening,
feels like they're playing whack-a-mole constantly.
They're just trying to stay ahead.
There's new technologies, things are moving quickly, the attack surface is growing,
things are just getting more complex.
They can't necessarily stay ahead of what they need to know in terms of the tactics
that the bad guys are using and the technologies
they need to consider on how to defend against them.
There's so much out there.
So it's imperative, the ones that are being proactive and preemptive, they have to make
a really intentional decision that they're going to be strategic about their approach.
And so the ones that are being more successful are saying,
okay, we're going to be proactive,
we're going to get our people trained in a constant way.
You can't just wait for things to happen to see if people know what they're doing.
And so by having an intentional methodology around training, upskilling,
and even security awareness to the general users, that is where
organizations are being most successful. Where we see organizations flailing in
the market is when they're just trying to be reactive and they can't keep up. But
when you have a plan and you execute on that plan, things are a heck of a lot easier.
How do you approach that person who feels as though they're flailing?
Like, you know, we have barely enough bandwidth to keep our heads above
water, to mix metaphors.
Like, what does the transition look like from that mode to one where you feel like you have your arms around this?
That's a great question.
And if you think about anything that you felt, and it's not specific to cybersecurity, just
any human, anything in human nature where a person feels overwhelmed, right?
They usually don't have a plan.
They don't, you know, you talk about eating one bite of the elephant at a time.
That's how you eat an elephant.
You have to eat it one bite at a time.
They don't know what that bite is.
And so with CloudRange, when we talk to customers and prospective customers, CISOs come to us because they know
that we have something that's not just another band-aid.
It's not just a tool in their stack.
It's actually something that they can integrate into their program proactively and sleep better
at night.
We see that all day long because when you know that your team is proactively preparing
and you can see on a report what TTPs that they've defended against, what threat vectors
that they've successfully defended against, when you know that you could go tell your
board tomorrow that you have successfully defended against XYZ attack in a simulation
and this is not going to happen to us.
That's comfort and people want to feel comfort and as much as we're in the technology world,
security leaders are humans and they want to feel safe.
And I don't mean safe
from a cybersecurity perspective.
I mean safe in that their job is being done
and they feel safe knowing that their team is ready
when something happens.
And so we use simulation for that
and they honestly sleep better at night.
I think it's a really interesting insight that you,
if what I hear you saying is that you kind of ignore
that emotional element, that human element
at your own peril, that you can't pretend like that
isn't a part of all of our day-to-day lives.
It absolutely is.
Purpose drives us all.
If you think about Maslow's hierarchy,
we all wanna have a purpose.
We all need to eat and have shelter and be protected.
But at the end of the day, we need to serve a purpose.
And when people are flailing,
they don't know if they're serving a purpose.
That's the thing, they very well may be,
but they need evidence of that. And so I love when we can sit down with a CISO or a CIO at one of our
customers and show them how much they have actually reduced risk in their company and they can see how
they've done it. They can see that their team has improved on their time to detect and time to respond on a list of different attack scenarios.
And they can see a very tangible benefit
and that makes them feel comfortable, confident and safe.
For folks who aren't familiar with attack simulation,
this notion of virtual cyber range attack simulation,
how do you describe it?
So, first off, Cloud Range was the first virtual cyber range platform.
And a cyber range can, people think of a cyber range as different things.
Sometimes people think of a cyber range as a place you go and do an incident response exercise or in the military a cyber range, I'm using air quotes, is actually an event.
It's not even necessarily the technology, it's an event.
But what CloudRange developed is a virtual cyber range, which is a cloud-based representation
of an actual enterprise environment,
a multi-segment environment.
Think of it as a sandbox or a safe place.
Think about a flight simulator, safe place.
You're not going to crash your real plane,
but you can practice doing really dangerous things.
So we developed this environment
and our customers are able to go into that environment, which looks
and feels like their own, and there's industry-leading tools in there,
different SIEMs and firewalls and EDRs, and that's the environment itself.
That's not useful without content. Content, that's the attack. So we have a team that is designing, scripting,
and releasing attacks so that our customers
can be proactive and preemptive by defending
against those attacks in a safe environment.
In this cyber range, there's live traffic,
both good and bad traffic.
When a SOC team logs into the range, they don't know what they're looking
for, because just like in real life, the bad guys don't call you and say, hey, we're about
to attack you.
You don't know what you're looking for.
This gives organizations the ability to be proactive on an ongoing basis, rather than just having to learn on the job,
which can be extremely dangerous and risky and very inefficient.
Help me understand how something like this gets integrated into an organization.
What's the cadence of actually interacting with something like this?
In terms of integrating it into an organization,
I'll divide this into two parts.
There's no technical integration
because it actually sits completely segregated
from an organization's network.
So we're not touching anything.
We can blow up malware.
We can do whatever we want and reset it
within a matter of minutes.
So it's very safe.
In terms of integrating it into the business itself, that's where it takes
a really great leader to say, we're going to be strategic about this and we're going to put a
proactive plan in place. So our customers, a lot of Fortune 500 customers, financial services, manufacturing, energy, insurance, and healthcare.
They are incorporating this into their security program
in the sense that at least once a month,
they have access to the range anytime they want,
but they plan and execute on going through
a different simulation at least once a month. You can do more than that.
You can do less than that.
It's like going to the gym.
The more you go, the better.
Is three days better than one?
Five days is better than three, but all of it's better than none.
And so it's not about,
we wanna give them the exposure
and the more they do the better,
because again, then they can be confident
and have the metrics to show
that they have successfully detected
and responded to these attacks,
and it's gonna make them safe.
What's really important here is that
the attacks that we develop are
done so as a result of the threat intelligence that we get. So we have a whole library of
attacks. They don't go out of style. The bad guys are still using them. However, when we
hear about new intelligence, so for example, when Volt Typhoon happened,
we were able to recreate that
and roll it out to our customers.
Same with Salt Typhoon.
Then various flavors of ransomware.
So we put those out there and
our customers are always looking forward to what's next,
because they know that that could happen to
them and that they'll be ready for it as soon as they go through it.
The other piece is that
there's both OT and IT and most people think about IT in terms of cybersecurity, but we're hearing
more and more about OT and operational technology, industrial control systems, critical infrastructure.
That's something we've also built and we have virtualized OT environments for our OT customers.
So they're using OT and IT and those attacks are even a bit different because those are
ones that may come from the IT side over to the OT side or vice versa.
And those types of companies, they have their own struggles because sometimes they don't
even have agreement internally on whose job cybersecurity is, and that's for a whole other podcast.
I mean, it seems to me like there's an opportunity here, you know, using air quotes to fail or to succeed, but to do either within this safe space where you can see how you would do in the real world,
but there are not the consequences
that you would get in the real world.
Exactly, that's why this is being adopted
so readily by organizations.
Eight years ago, a virtual cyber range didn't exist.
So when we built this, it was something that the market didn't necessarily ask for right
away because it didn't exist.
But now that the market knows it's there, you can't not have it.
Imagine when the flight simulator was invented, do you think that flight schools just said,
yeah, I don't think we need that.
Let's just put them in the airplane.
They can't not have it.
And same thing with the iPhone.
Before the iPhone was invented, people didn't say,
hey, I wish I could have some device
where I could email people and take pictures
and track my diet and my heart rate and my sleep.
No, they didn't ask for it because it had never existed.
So now it's getting asked for.
What are your recommendations for someone
who thinks like they may want to head down this path?
What's the best way to get started
and to see how this would work with their own organization?
So for somebody who wants to go down this path,
first off, that's obviously the right thing to do.
They're being proactive,
and we're hearing a lot about proactive and preemptive security, and this is a fundamental
part of it. So at CloudRange, we work with customers to put a program together. We have
what we call missions. We have customers go through an actual simulation with their security team,
and they actually get to see how it's done,
and they get to watch them in action.
And I'll tell you, when I see them,
and I haven't done it in a while,
but in the early days, I had the luxury
of observing some of the exercises
and the missions that our customers went through.
And it was amazing seeing the security analysts blossom when they were going through a simulation because all of a sudden you
see their confidence go up. Because people are afraid to do things in a
real environment. They might mess up, but when they know it's safe and they do
something and they see that it was right, they're automatically boosted and
they're going to be a lot more productive when they go back to their seat. So we encourage anyone who wants to do this.
First off, it really is a strategic initiative by organizations.
We don't really think about this as just a training plan, because training is sometimes
once and done.
This is ongoing because everything changes every day
in cybersecurity, so it's ongoing.
We have 95% year over year customer retention
because they're never finished.
There's always more things to defend against.
So we show you what those are.
We give you an opportunity to get on the range
and have your team go through it,
and you get actual results,
and it's a great way to start.
That's Debbie Gordon, co-founder of CloudRange.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created
PurpleKnight, the free security assessment tool that scans your Active Directory for hundreds of
vulnerabilities and shows you how to fix them.
Join thousands of IT pros using PurpleKnight
to stay ahead of threats.
Download it now at semperis.com slash purple-knight.
That's semperis.com slash purple-knight.
Introducing TurboTax Business, a brand new way to file your own T2 return, all while
getting help from an expert who actually knows small businesses.
Got a tattoo studio, toy store, tiny but mighty taco stand?
We've got someone who gets small business taxes inside and out.
Experts are standing by to help and review while you file, so you know your return's
done right.
Intuit TurboTax business.
New from TurboTax Canada.
Some regional exclusions apply.
Learn more at TurboTax.ca slash business tax.
And finally, in a cautionary tale for managers everywhere, a British IT worker decided suspension wasn't
enough drama for the week.
Mohammed Umar Taj, clearly displeased with his July 2022 suspension, swiftly launched
a cyberattack against his employer, altering login credentials and sabotaging daily operations.
The firm, with clients in the UK, Germany, and Bahrain, reported at least 200,000 pounds
in losses, plus the general inconvenience of having their systems turned into Taj's
personal revenge sandbox.
Police found he even kept recordings of his exploits, presumably for his villain highlight
reel. Taj pleaded guilty and was sentenced to just over seven months in jail.
West Yorkshire police noted his antics rippled far beyond the UK.
The moral to the story?
Well, don't anger your IT guy.
Or at least revoke his admin privileges before HR breaks the bad news.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out.
N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Pelsman and Trey Hester with original music by Elliot Pelsman.
Our executive producer is Jennifer Iben.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's
been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.