CyberWire Daily - When "out of the box" becomes "out of control."
Episode Date: May 29, 2025

Children’s DNA in criminal databases. ASUS routers get an unwanted houseguest. New APT41 malware uses Google Calendar for command-and-control. Interlock ransomware gang deploys new Trojan. Estonia issues arrest warrant for suspect in massive pharmacy breach. The enemy within the endpoint. New England hospitals disrupted by cyberattack. Tim Starks from CyberScoop is discussing ‘Whatever we did was not enough’: How Salt Typhoon slipped through the government’s blind spots. And Victoria’s Secrets are leaked.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we have Tim Starks from CyberScoop discussing ‘Whatever we did was not enough’: How Salt Typhoon slipped through the government’s blind spots.

Selected Reading
The US Is Storing Migrant Children’s DNA in a Criminal Database (WIRED)
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers (GreyNoise)
Mark Your Calendar: APT41 Innovative Tactics (Google Threat Intelligence Group)
Interlock ransomware gang deploys new NodeSnake RAT on universities (BleepingComputer)
Estonia issues arrest warrant for Moroccan wanted for major pharmacy data breach (The Record)
Israeli company Syngia thwarts North Korean cyberattack (The Jerusalem Post)
St. Joseph Hospital owner says company targeted in cybersecurity incident (WMUR)
Victoria’s Secret Website Taken Offline After Cybersecurity Breach (GB Hackers)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it
peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k.
Children's DNA in criminal databases.
ASUS routers get an unwanted house guest.
New APT41 malware uses Google Calendar for command and control.
Interlock Ransomware Gang deploys new Trojan.
Estonia issues arrest warrant for suspect in massive pharmacy breach.
The enemy within the endpoint?
New England hospitals disrupted by cyber attack.
Tim Starks from CyberScoop is discussing,
Whatever we did was not enough.
How Salt Typhoon slipped through the government's blind spots.
And Victoria's secrets are leaked.
Today is May 29th, 2025.
I'm T-Minus Space Daily host Maria Varmazes in for Dave Bittner.
And this is your CyberWire Intel Briefing.
Happy Thursday, everybody. Thanks for joining us.
Let's get into today's intel briefing.
Between 2020 and 2024, U.S. Customs and Border Protection collected DNA samples from over
133,000 migrant children, including at least one as young as four years old, and uploaded
their genetic profiles to the FBI's Combined DNA Index System, or CODIS, which is a database traditionally
reserved for criminal offenders.
This expansion of biometric surveillance, justified by the Department of Justice as
a crime prevention measure, has raised significant privacy and ethical concerns.
While official policy limits routine DNA collection to individuals aged 14 and older, exceptions
were widely made, often without any criminal charges.
Notably, 122 minors identified as U.S. citizens had their DNA collected, 53 of whom were not
detained for any criminal arrest.
Critics argue that this practice blurs the line between civil immigration enforcement
and criminal investigation, effectively treating undocumented migrants, especially children,
as potential criminals. Privacy experts warn that storing raw DNA samples indefinitely
poses risks of misuse, including unauthorized profiling and surveillance. The inclusion
of minors in CODIS, a system designed for tracking
criminal offenders, underscores the need for stringent oversight and clear guidelines to
protect vulnerable populations from unwarranted surveillance. GreyNoise has uncovered a sophisticated
campaign compromising over 9,000 ASUS routers, primarily targeting small office and home office
environments.
The attackers gain initial access through brute force attacks and authentication bypasses,
including techniques not yet assigned CVEs.
Subsequently, they exploit CVE-2023-39780, a command injection vulnerability, to execute
arbitrary commands.
The adversaries establish persistence by enabling SSH access
on a non-standard port and inserting their public SSH keys
using legitimate ASUS configuration methods.
These changes are stored in non-volatile memory, or NVRAM,
allowing the backdoor to survive reboots and firmware updates.
Notably, no malware is deployed.
Instead, the attackers disable logging and security features
like Trend Micro's AI protection to evade detection.
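Because the persistence described above lives in the router's own configuration rather than in a malware file, a defender's check is to review the NVRAM settings themselves. The following is an added example, not GreyNoise's tooling or anything from the report; it parses a constructed `nvram show`-style dump offline and assumes the variables are named sshd_enable, sshd_port, sshd_wan and sshd_authkeys (verify those names against your own firmware's `nvram show` output).

```python
"""Review an ASUS router NVRAM dump for the SSH persistence pattern:
SSH enabled on a non-standard port with an unrecognised public key,
set through normal configuration so it survives reboots and updates.

Assumptions (not from the page): dump lines are key=value as printed
by `nvram show`, a value holding several public keys spans several
lines, and the variables are sshd_enable, sshd_port, sshd_wan and
sshd_authkeys.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample dump (not real router output). The first key in
# sshd_authkeys is unknown; the second is the operator's own key.
SAMPLE_DUMP = """\
wan_proto=dhcp
sshd_enable=1
sshd_port=40022
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3Nza-CONSTRUCTED-UNKNOWN-BLOB nobody@nowhere
ssh-ed25519 AAAAC3Nza-CONSTRUCTED-ADMIN-BLOB= admin@laptop
lan_ipaddr=192.168.50.1
"""

# Key blobs the operator actually installed (constructed for the sample).
KNOWN_KEY_BLOBS: Set[str] = {"AAAAC3Nza-CONSTRUCTED-ADMIN-BLOB="}


def parse_nvram_dump(text: str) -> Dict[str, str]:
    """Parse key=value lines. A line whose text before '=' contains
    whitespace (or has no '=') is a continuation of the previous value,
    so base64 key lines ending in '=' are not mistaken for new variables."""
    config: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() and not any(c.isspace() for c in key.strip()):
            last_key = key.strip()
            config[last_key] = value
        elif last_key is not None:
            config[last_key] += "\n" + line
    return config


def parse_authorized_keys(value: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, blob, comment) for each public key line."""
    keys = []
    for line in value.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            keys.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return keys


def audit_ssh_persistence(config: Dict[str, str], known_blobs: Set[str],
                          expected_port: int = 22) -> List[str]:
    """Return one finding per setting matching the persistence pattern."""
    findings: List[str] = []
    if config.get("sshd_enable", "0") != "1":
        return findings  # SSH disabled: no SSH backdoor to persist through
    findings.append("SSH service is enabled")
    port = config.get("sshd_port", "")
    if port.isdigit() and int(port) != expected_port:
        findings.append(f"SSH listens on non-standard port {port}")
    if config.get("sshd_wan", "0") == "1":
        findings.append("SSH is reachable from the WAN side")
    for key_type, blob, comment in parse_authorized_keys(config.get("sshd_authkeys", "")):
        if blob not in known_blobs:
            findings.append(f"unknown authorized key {key_type} ({comment or 'no comment'})")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_persistence(parse_nvram_dump(SAMPLE_DUMP), KNOWN_KEY_BLOBS):
        print("[!]", finding)
```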
Google's Threat Intelligence Group says the Chinese threat actor APT41
used a compromised government website to host a new strain of malware dubbed Tough Progress.
Notably, the malware uses Google Calendar Events for command and control communications.
Google explains, once executed, Tough Progress creates a zero-minute calendar event at a
hard-coded date, specifically May 30, 2023, with data collected from the compromised host
being encrypted and written in the calendar event description.
The operator places encrypted commands in calendar events on July 30th and 31st, 2023,
which are predetermined dates
also hard-coded into the malware.
Tough Progress then begins polling
calendar for these events.
When an event is retrieved,
the event description is decrypted
and the command it contains is executed
on the compromised host.
Results from the command execution are encrypted and written back to another calendar event.
The interlock ransomware gang is using a new trojan dubbed NodeSnake to target universities
according to a report from Bleeping Computer.
The malware is distributed via phishing emails with malicious links or attachments.
Quorum Cyber has published a report on the RAT noting that the malware is encoded in
JavaScript and executed with Node.js. The researchers state that NodeSnake
demonstrates typical capabilities expected from a modern-day RAT. It is
designed for persistent access, system reconnaissance, and remote command
execution. It employs multiple evasion techniques,
communicates with command and control servers via HTTP, HTTPS,
and deploys secondary payloads to maintain control
and facilitate further compromise.
Quorum observed NodeSnake deployed
against two universities in the UK
within the last two months.
Estonian authorities have issued
an international arrest warrant for a Moroccan
national accused of hacking a customer card database belonging to Allium UPI, which is
a major provider of pharmacy and healthcare products across the Baltic countries, according
to a report from The Record. The breach occurred in February 2024 and exposed nearly 700,000
personal identification codes used by pharmacy customers,
revealing pharmacy purchases linked to customer accounts.
The incident affected data belonging to almost half of the Estonian population.
Estonia's Central Criminal Police alleges that 25-year-old Adrar Khalid gained access
to the database using a stolen password for an administrator
account.
In mid-2024, Israeli cybersecurity company Syngia uncovered a sophisticated North Korean
cyberattack involving a threat actor posing as a legitimate IT employee at a Western company.
The attacker, operating from within the organization, used standard tools like Zoom and basic network
protocols to avoid detection.
By leveraging access through a corporate VPN and a company-issued laptop, the attacker
established a multi-layered covert control channel, enabling lateral movement, execution
of malicious code, and data exfiltration, all under the guise of routine remote work
activities. Syngia's investigation began after the FBI recovered a client-issued laptop during a
raid on a suspected laptop farm, which is a service that facilitates foreign workers
impersonating U.S. citizens to secure remote roles in Western companies.
Shoham Simon, Syngia's senior VP of Cyber Services, emphasized that the breach exploited
a trust vulnerability rather than a code flaw, highlighting the need for detection models
that account for anomalies in protocol usage and the misuse of legitimate tools.
A cyber incident affecting Massachusetts-based health system Covenant Health is disrupting
several affiliated hospitals in New England, according to WMUR.
News Center Maine reports that St. Joseph's Health Care in Bangor and St. Mary's Hospital in Lewiston
were both impacted, and St. Joseph's has attributed the disruption to a cyber attack.
WMUR says St. Joseph's Hospital in Nashua, New Hampshire, is diverting ambulances to different hospitals.
Coming up after the break, Dave Bittner sits down with Tim Starks, senior reporter at CyberScoop.
They'll unpack his recent piece called, Whatever We Did Was Not Enough, How Salt Typhoon Slipped
Through the Government's Blind Spots.
Plus, what's the story behind
Victoria's secrets getting leaked?
Stick around.
Now, a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware and phishing to neutralize
identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast. Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and
compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity,
check out Vanta and bring some serious efficiency
to your GRC game.
Vanta, GRC, how much easier trust can be.
Get started at vanta.com slash cyber.
From time to time, a piece of reporting cuts through the noise
and lays bare not just the breach, but a breakdown,
a systemic failure that affects national security, industry trust,
and how we define public-private
partnership in the digital age.
And that is exactly what Tim Starks' recent coverage
at CyberScoop has done with a deep dive into Salt Typhoon.
We're going to dig into that together today.
Tim, welcome.
It is always great to have you with us.
Yeah, great.
Great to be back, and thanks for the kind words.
Yeah. So let's start off with what prompted you
to pursue this story.
There's a lot here.
So it was actually, there's my story
and then there's a second story
that my colleague, Derek Johnson did,
but they both stem from the same idea,
which is our editor, Greg Otto, said
that he was flummoxed by the notion that the government
officials have been saying, we're not sure that Salt Typhoon will ever exit the telecommunication
networks that were part of the biggest breach arguably ever of the industry by those Chinese
hackers.
And so he wanted us to explore how that could be and why that could be.
And in starting from that premise, we broke it out into me deciding to take a deep dive on
what the government did or did not do well in the ways that might have allowed
Salt Typhoon to get into the systems and what made it hard for them to get rid of them and
what didn't go well about the government's response in the eyes of the people who were
critical of it.
And then Derek's piece, I'm sure we're going to talk about less, but I just want to encourage
people to read it too, is about what the telecommunications sector did that may have led to this happening
and worsened it once it did happen.
So that's where it started and this is where we ended.
Yeah. Well, let's dig into it from the beginning.
You know, your story outlines how,
is it correct to say that the telecom companies
were surprised and disappointed at the way
and where the messaging came from on this one?
Certainly a good number of them were.
The way we started the story was just to say
there were a number of large companies,
I said some, that first heard about this
from an article in the Wall Street Journal.
If you're talking about the public-private partnership
that we've all been talking about for decades
and the government has detected this intrusion
and the victims don't know about it from the
government, they're upset.
But then also, it's kind of an interesting dynamic where just on the notifications piece,
because there are several pieces of this, just on the who found out about it, when and
from whom, there was also the issue of starting off with too little, is what some of the complaints
were, and then ending up with too much.
So one of the things we dive into deeper in the story is about what kind of effort there
was notified victims and how that played out and who was in charge of it.
But at least one telecom industry source pointed out to me that there was a little bit of a,
to use their phrase, puppies piling on phenomenon, where after they got notifications that they were victims,
they were getting calls from too many agencies
and getting too much demands for this and that
while they were trying to mitigate.
So it was this kind of multifaceted
before, after, during problem.
I do think that, you know, to the government's credit, there was, there was at minimum an
effort to address this and there was a diligent effort to address this and try to do it differently
than they've done in the past.
But that doesn't mean that the outcome satisfied all the players.
I mean, even the CISA official I talked to on background pointed out that, yeah, when
the Wall Street Journal came out, we heard from industry. They were not happy.
Well, let's talk about the government response.
As you say, you spoke to a number of people in government and granted some of them anonymity
so that they could speak more freely.
How do they self-assess the way that this went down?
Whenever you're talking to people who are,
you're writing something critical about them
and they potentially can be on the defensive,
I think what their assessment was,
was that we didn't get everything perfect.
I talked to someone who was in the government
during the time that this was happening,
that person explained a lot of the things that they did
to try to respond to this.
But the quote that's
in the headline is, whatever we did, it wasn't enough because they didn't stop it. So that's
a realistic appraisal. That was a former person. The current person said, look, we think we
did a good job. The government discovered this early Salt Typhoon activity. And without
us, would the victims even know that it was there?
Fair point.
Of course, there's counterpoints to that too that we can discuss.
But ultimately, they were of the mind that, hey, this could have been done better.
Even though we tried hard, the victim notifications still could have gone better.
And then you start to get into people who are in the government now.
Like, Kristi Noem has been making the point as head of DHS that, yes, they did discover this intrusion,
but they didn't really know how it came to be and what to do about it. And I talked to
some people who were critical of that element of it, that, okay, yes, CISA, through their
threat hunters, discovered this in government networks. Why didn't that sound bigger alarms?
Why didn't that cause more activity, not just on the victim notification front, but on other
things?
And then, of course, there were the questions of things like the beforehand.
There were vulnerabilities that were known here, but did they target those notifications
to the communities that needed them most? Did they directly interact with telecoms
and why didn't they?
It's a big complicated story that breaks down
some of these things and however much you wanna go
into what parts of that, next, I'm ready to go.
But it's a sweeping story about the ways
in which all of this unfolded.
How do you break down who ultimately bears responsibility here?
And has there been much finger pointing?
There has been much finger pointing, yeah.
One of the cool things about the story, I'm sorry, I feel like I'm almost like talking
up the story too much, but I'm going to talk about it.
One of the cool things about the story that I have anything to do with was the art that's
attached to it, which does have some visible finger pointing.
You'll recall that in real time, Anne Neuberger, who was the White House National Security
official who was lead on cyber, had said these were basic vulnerabilities that the telecommunications
sector had or that their supply chain had, and they weren't addressed.
Basic hygiene didn't happen.
So I think you can definitely point the finger
at telecoms here.
I think you can point the finger at the government
about how they handled it, and whether they responded
as best they could have, whether they should have done more.
Certainly, you can blame the hackers.
It was funny, I was talking to somebody
about these two stories and someone asked
about why wasn't there a third? You got to have three in a series, right? And I was like,
who else would you blame? I'm like, well, the hackers. I mean, they were clever. They
targeted an industry that you can make the case that some people did in my story that
had been getting a little bit neglected because of, you know, there's something even people who were in the government at the time conceded
that they were focused on the people who were really desperately in need, the people who
were really far behind.
And the thought was the telecom sector was further ahead.
That may have well have been true.
But you know, the telecom sector has vulnerabilities too.
There was a section of this we kind of left on the cutting room floor, which was, you know, size in cyber is both a valuable thing to have and a dangerous
thing to have. It's why you see Microsoft constantly attacked. You would think Microsoft
with as much money as they have, that they would be able to address these things, but
they have such a gigantic attack surface. And that's one of the things I think we learned
here is that the telecom sector was really vulnerable.
And even if you don't play blame the victim,
it's really possible to be hacked
and to not have any culpability
and for it not to be your fault.
I think in this case, just in my broader assessment,
I think there was fault to be found on all sides.
How much individuals want to blame one side
more than the other, I'm going to
leave it to them. But I think that there were real faults that I think our stories
outlined that pointed to culpability on the telecom sector side of things and
on the government side of things. And what are you seeing going forward here
in terms of both real substantive change and aspirational change?
Yeah, I think there is the sort of vague things
that Kristi Noem has said about how to get CISA back on mission.
We haven't heard yet about how she wants to do that.
Certainly we've talked about the things that are sidelines
that are not really part of what our story was about,
but you and I have talked about those things.
But in terms of like, how do you get CISA back on mission,
such that if something like Salt Typhoon might happen again,
how do you avoid it happening?
We don't have a plan for that yet.
We haven't heard that plan yet on the government side.
Certainly, there have been people
who have been advocating for strengthening things
like the Cybersecurity Information Sharing Act.
We'll see whether that happens at all.
But that's another idea that's out there about how
that this could have been helped.
I think we're going to be hearing more from Congress on that and more from Congress on
their investigation.
There's a House Homeland Security investigation into what really went wrong with Salt Typhoon.
So I think that could produce more ideas.
I think we're kind of still at the idea stage, frankly.
If you think about this, the public first learned about this back in September, but some of this wasn't really, we didn't really get a real sense
of some of the scope of this until closer to like December. And then we had an administration
change and you know, there's been some chaos there to say the least, above and beyond,
I think the usual kind of administration change where you have turnover of personnel and you
have turnover of ideas. So I think we're behind on that
for reasons that are both valid and perhaps questionable. So I think that we'll see more
once some of those cards start to play out on things like Congress, its investigation,
what the administration decides to do. I think that there's more to be seen there about,
I think like you talked about, it's more at the aspirational phase than the deliberative, this is what we're going to do now.
Tim Starks is senior reporter at CyberScoop. We will have a link to his in-depth reporting
on Salt Typhoon in our show notes. Do check it out. It is worth your time.
Tim Starks, thanks so much for taking the time for us today.
Thank you, Dave.
[♪ MUSIC PLAYING FADES OUT ♪]
And for our last story, Victoria's Secret is making headlines this week, and not for
reasons you might suspect, and not for a new collection.
Everybody just settle down.
The retailer has taken its US website offline and paused some in-store services after a
major cybersecurity breach was discovered over the Memorial Day weekend.
Online shoppers were met with a black screen and a brief message confirming the incident
as the company scrambles to investigate.
With digital sales making up nearly a third of its revenue, this outage isn't just inconvenient.
It is quite costly with shares in the company dropping nearly 7%.
So far Victoria's Secret hasn't revealed whether customer data was compromised, fueling plenty of speculation on that front.
Experts say that the timing follows a familiar pattern,
with cyber criminals often striking
when staff coverage is light.
Victoria's Secret says its team is working
around the clock to restore operations.
And as one viral song goes,
I know Victoria's Secret.
Well, now hackers might too.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your podcast app. N2K makes it easy for companies to optimize
your biggest investment, your people. We make
you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed
by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer
is Jennifer Eiben. Peter Kilpe is our publisher.
And I'm Maria Varmazes in for Dave Bittner.
Thanks for listening. And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment.
If it's not approved, it doesn't run.
Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down
your environment at www.threatlocker.com