CyberWire Daily - When spies get spied on.
Episode Date: August 13, 2025

Patch Tuesday. The Matrix Foundation patches high-severity vulnerabilities in its open-source communications protocol. The “Curly COMrades” Russian-aligned APT targets critical infrastructure. Microsoft tells users to ignore new CertificateServicesClient (CertEnroll) errors. Researchers uncover a malware campaign hiding the NjRat Remote Access Trojan in a fake Minecraft clone. Motorcycle manufacturer Royal Enfield suffers a ransomware attack. The DOJ details a major operation against the BlackSuit ransomware group. Our guest is Jack Jones, father of Factor Analysis of Information Risk (FAIR) and the FAIR Controls Analytics Model (FAIR-CAM), sharing insights on cyber risk quantification. Data brokers’ digital hide-and-seek.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Jack Jones, father of Factor Analysis of Information Risk (FAIR) and the FAIR Controls Analytics Model (FAIR-CAM), sharing insights on where he sees the cyber risk quantification market heading.

Selected Reading
Microsoft Patches Over 100 Vulnerabilities (SecurityWeek)
Adobe Patches Over 60 Vulnerabilities Across 13 Products (SecurityWeek)
Chipmaker Patch Tuesday: Many Vulnerabilities Addressed by Intel, AMD, Nvidia (SecurityWeek)
Fortinet, Ivanti Release August 2025 Security Patches (SecurityWeek)
ICS Patch Tuesday: Major Vendors Address Code Execution Vulnerabilities (SecurityWeek)
Alarm raised over 'high-severity' vulnerabilities in Matrix messaging protocol (The Record)
'Curly COMrades' APT Hackers Target Critical Organizations Across Multiple Countries (GB Hackers)
Microsoft asks users to ignore certificate enrollment errors (Bleeping Computer)
Fake Minecraft Installer Spreads NjRat Spyware to Steal Data (Hackread)
Motorcycle manufacturer Royal Enfield hit by ransomware attack (Beyond Machines)
US Authorities Seize $1m from BlackSuit Ransomware Group (Infosecurity Magazine)
We caught companies making it harder to delete your personal data online (The Markup)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
We got your patch Tuesday notes.
The Matrix Foundation patches high-severity vulnerabilities in its open-source communications protocol.
The Curly COMrades Russian-aligned APT targets critical infrastructure.
Microsoft tells users to ignore new Certificate Services Client errors.
Researchers uncover a malware campaign hiding the NjRat remote access Trojan in a fake Minecraft clone.
Motorcycle manufacturer Royal Enfield suffers a ransomware attack.
The DOJ details a major operation against the BlackSuit ransomware gang.
Our guest is Jack Jones, father of Factor Analysis of Information Risk and the FAIR Controls Analytics Model,
sharing insights on cyber risk quantification. And data brokers' digital hide-and-seek.
It's Wednesday, August 13th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
August 2025's Patch Tuesday brought a major wave of security updates across the tech stack.
Microsoft patched over 100 vulnerabilities spanning Windows, Office, HyperV,
and flagged a publicly disclosed privilege escalation bug.
12 are rated critical, with the most severe being a GDI-plus remote code execution issue
with a CVSS of 9.8, though none appear actively exploited, and overall exploitation is judged unlikely.
Intel, AMD, and Nvidia released dozens of advisories.
Intel patched high-severity flaws affecting Xeon, drivers, firmware, and networking,
many enabling privilege escalation, denial of service, or information disclosure.
AMD fixed issues tied to research on stacking engine attacks and an EDK2-SM code execution bug.
Nvidia resolved several high-severity flaws in its NeMo, Isaac GR00T, Apex, and deep learning tools
that could lead to remote code execution or data tampering.
In the industrial control system space, vendors
including Schneider Electric, Honeywell, ABB, Phoenix Contact, and AVEVA
fixed code execution, privilege escalation, and denial of service vulnerabilities
across SCADA, controllers, analytics, and management tools.
Several were high severity.
Adobe issued updates for over 60 vulnerabilities across 13 products,
including Commerce, Photoshop, InDesign, Framemaker, and Substance 3D tools.
Many were critical code execution flaws,
though none are known to be exploited in the wild.
Finally, Fortinet released 14 advisories,
including a critical FortiSIEM bug
allowing unauthenticated remote code execution
with a proof-of-concept public,
a high-severity authentication bypass in FortiWeb,
and other important fixes in FortiManager,
FortiMail, and more.
Ivanti patched two high-severity authenticated RCE issues
in Avalanche.
The Matrix Foundation has patched two high-severity vulnerabilities in its open-source
federated communications protocol used by governments and enterprises for sensitive discussions.
The flaws could have allowed attackers to seize control of classified channels or predict
room IDs, enabling them to infiltrate or redirect communications.
One bug let malicious admins override a channel creator's permissions,
potentially disrupting crisis coordination.
The other allowed prediction of room IDs, risking authentication access.
Fixes elevate room creators' privileges and switch to cryptographic hashing for IDs.
The off-cycle embargoed update required complex coordination and delayed full disclosure to allow testing.
Room upgrades may cause user disruption and testing before deployment is advised.
Bitdefender Labs has detailed Curly COMrades, a Russian-aligned APT active since mid-2024,
targeting critical infrastructure in Georgia and Moldova.
The group infiltrates judicial, government, and energy entities to steal credentials,
maintain persistence, and exfiltrate sensitive data.
Key tools include the custom MucorAgent backdoor, which bypasses AMSI to run encrypted
PowerShell scripts, and techniques like COM hijacking of disabled NGEN tasks for system-level
re-entry. Operations blend legitimate utilities with custom malware, using proxy relays,
SOCKS5 servers, and compromised websites for covert C2. Credential theft exploits NTDS database copies,
LSASS dumps, and adapted open-source tools. Data is staged, encrypted,
disguised as PNGs, and uploaded via curl.exe.
The stealthy, redundant infrastructure underscores resilience and geopolitical intent.
Bitdefender urges XDR deployment, LOLBin monitoring, and managed detection to counter this persistent espionage threat.
Microsoft is asking Windows 11 users to ignore new certificate services client errors appearing after
the July 2025 preview and later updates. The event viewer logs error ID 57, citing a failed
Microsoft-Pluton cryptographic provider load, but Microsoft says it's harmless, linked to an
unfinished feature. Similar false warnings have surfaced in recent months, including Windows
firewall, BitLocker, and WinRE update errors, all without functional impact. The company confirms no
action is needed, as these events don't affect system performance or security.
Point Wild's Lat61 threat intelligence team has uncovered a malware campaign hiding the
NjRat Remote Access Trojan in a fake Minecraft clone, Eaglercraft 1.12 Offline.
Popular in schools and restricted environments, the game distracts players while NjRat silently
steals passwords, keystrokes, and personal data, and spies via webcam and microphone.
The malware installs Windows Services.exe for persistence, spawning hidden processes for command
execution and payload handling. It can crash systems if security tools like Wireshark are
detected. The rat connects to a remote server in India, hosted on Amazon's cloud for attacker
control. Given Minecraft's long history as a malware target, experts warn players to download
only from official sources and avoid unofficial mods or installers to prevent spyware infections
and data theft. Motorcycle manufacturer Royal Enfield has reportedly suffered a ransomware
attack, with hackers claiming to have encrypted all servers and wiped backups, crippling operations.
Posted on an underground forum as a complete breach notice,
the attack prompted temporary suspension of online ordering and some workshop services.
The Chennai-based company confirmed a cybersecurity incident
and launched an internal investigation but disclosed no details on affected data.
The breach risks regulatory fines, reputational damage, and loss of trust among dealers,
suppliers, and customers in the motorcycle community.
The U.S. Department of Justice has detailed a major operation against the BlackSuit ransomware group,
formerly known as Royal.
Authorities seized four servers, nine domains, and $1.1 million in cryptocurrency stolen from a victim
who paid a $1.4 million ransom in April of 2023.
The funds, repeatedly moved through a crypto exchange, were frozen in January 2024.
This covert seizure preceded Operation Checkmate, a multinational effort involving U.S. agencies, the U.K.'s NCA, and partners from Europe and Canada, disrupting the gang's infrastructure and seizing digital assets.
Active since 2022 and linked to Conti, BlackSuit has demanded over $500 million from victims, targeting manufacturing, government, health care, and commercial sectors.
Officials say the action reflects a disruption-first strategy
to protect critical infrastructure and U.S. businesses from ransomware threats.
Coming up after the break, my conversation with Jack Jones,
father of Factor Analysis of Information Risk, FAIR,
and data brokers' digital hide-and-seek.
Stay with us.
I'm Ben Yelin, co-host of the Caveat podcast.
Each Thursday, we sit down and talk about the biggest legal and policy developments affecting technology that are shaping our world.
Whether it be sitting down with experts or government officials or breaking down the latest political developments,
we talk about the stories that will have tangible impact
on businesses and people around the world.
If you are looking to stay informed on what is happening
and how it can impact you,
make sure to listen to the Caveat podcast.
Compliance regulations, third-party risk,
and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient
than spreadsheets, screenshots, and all those manual processes,
you're right.
GRC can be so much easier.
And it can strengthen your security posture
while actually driving revenue for your business.
You know, one of the things I really like about Vanta
is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas,
compliance, internal and third-party risk, and even customer trust, so you're not buried under
spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information
across your entire business. And this isn't just theoretical. A recent IDC analysis found that
compliance teams using Vanta are 129% more productive. It's a pretty impressive number.
So what does it mean for you? It means you get back more time and
energy to focus on what actually matters, like strengthening your security posture and scaling
your business. Vanta, GRC, just imagine how much easier trust can be. Visit Vanta.com
slash cyber to sign up today for a free demo. That's V-A-N-T-A-com slash cyber.
Jack Jones is father of Factor Analysis of Information Risk and the FAIR Controls Analytics
Model.
I caught up with him for insights on cyber risk quantification.
Yeah, so I was a newly minted CISO at Nationwide Insurance in 2000.
And as a newly minted CISO, one of the first things you have to do is go beg for money.
And I went, you know, I'd put together my strategy and went on my dog and pony show.
And one of the executives listened to me and then asked two questions that I wasn't prepared for.
The first question was, how much risk do we have?
My answer was lots.
And he said, and if we spend these millions of dollars, you're asking for how much less risk will we have?
And I knew I was in trouble then.
So I kind of hung my head and said, well, less.
And he knew he wasn't going to get a better answer.
It was a teaching moment.
And I took the lesson to heart and went back and decided that this can't be an intractable problem.
And over a period of months put together the Factor Analysis of Information Risk, or FAIR, model,
which we began using at Nationwide to very good effect.
And that was really the catalyst moment.
And so where do we stand today when it comes to the broad use of that model
and how people are quantifying risk?
So FAIR has been adopted as an open standard by the Open Group,
and they offer a professional certification around it and those sorts of things.
It's also taught in at least a couple of dozen universities.
And we have local chapters, FAIR chapters, around the world in 20-some cities.
There's the FAIR Institute, which is a non-profit that's dedicated to advancing risk measurement
and management. And that has, I believe, 17,000 members globally now. So it has gotten some
legs. And now we have a number of different solution providers who have baked it into their
solutions to help organizations measure risk far more easily than if you had to do it manually
in a spreadsheet or on a whiteboard or something like that. Can you walk us through how it works
and how so many organizations are finding it an effective way to come at this problem? Sure. Well, it
begins even before you start measuring. So for any measurement, you first have to make it very clear
what it is you're measuring in the first place. So FAIR begins by defining risk in a way that makes it
very clear what it is you're measuring. And it defines it as a loss event scenario. Maybe that's
an operational outage due to ransomware that occurred from phishing, or whatever the case might be. But
it's this clearly scoped loss event scenario.
And once you have something that's clearly scoped,
you can then begin to apply the model and gather data and measure the thing you're going after.
And ultimately, of course, that's to help make better decisions.
And how would this change that conversation you had with leadership so many years ago?
If you were walking in today, what kind of answers would you be able to give?
Sure. Well, I'd begin by saying, based on our analyses and our discussions with business
stakeholders, here are the key loss event scenarios that we as an organization care about,
and that place the organization at greatest risk. And given that we've defined those scenarios,
we went out and evaluated, measured them, gathered data, talked to internal experts,
external experts and run the numbers using typically Monte Carlo or sometimes a Bayesian sort of
analysis that allows us to faithfully represent the uncertainty in the measurement, which is crucial
because there's always uncertainty. And so we're able to present to executives the loss exposure
the organization faces from those scenarios, from which they can decide, are they comfortable
with that level of exposure, or would they like us to, you know, take one or more measures to
reduce risk? And, of course, going into that conversation, we'll have evaluated some of the
options and arrived at what we believe are the most cost-effective options for reducing risk
so that, you know, they don't have to wait for an answer if they decide that mitigation
is something they want to pursue.
In the years since you originated this FAIR model, have there been changes, have there been
adjustments, as you've seen how things work in the real world? Yeah, of course. No models are perfect,
and certainly that's true for FAIR. And so as we've applied it and learned in the application of
it, there have been some tweaks, for example, to how
loss magnitude is evaluated, to some of the terminology we use.
We've certainly improved some of the measurement practices
and the reporting practices as well.
But underneath it all, the model itself has really proven to be very resilient.
And the reason for that is it is an attempt to describe what risk is and how it works.
And so let's take, in the world we face today, where there's AI and, of course, rampant ransomware
and whatnot, the landscape keeps changing, but how risk works doesn't change. So the model itself
has proven to be very resilient. And so if there's some new threat, technology, or methods that come
out tomorrow, the model is still
going to be able to be applied against those changes in the risk landscape. If the business
gets into a new form of business or begins to apply AI in new and inventive ways,
FAIR is still going to be perfectly capable of analyzing those. The details of the scenarios
might change, but fundamentally how risk works doesn't change. So that's been a, frankly,
an unexpected and very useful dimension of the model.
Are there competing models out there? Have other organizations or people come up with their own ways of coming at this problem?
Sure, a lot of smart people are trying to work this issue, and so there are some proprietary models out there, and various solution providers have developed them. And there's, of course, NIST 800-30, which isn't really a quantitative model,
though a lot of people believe it is.
But it's, again, it's a risk measurement model.
So there are these other solutions that have been developed.
But what's interesting is when you look under the covers,
and this is something I've heard from numerous people,
is those solutions, even the proprietary ones,
very often look very FAIR-ish.
Because, again, if FAIR is a reasonably accurate
depiction of how risk works, then any risk model that isn't fundamentally flawed should in some
ways at least resemble FAIR. Which, you know, there may come a point where somebody comes up with
an entirely new description of how FAIR works, or how risk works, and that becomes dominant.
But, you know, FAIR's been around for, you know, over 20 years now. And there
have been quite a few people trying to poke holes in it over that span of time, because not
everybody's happy with the notion of quantifying risk. And to date, it has stood the test of
time and some very close examination by people who are frankly way smarter than I am.
What are your recommendations for organizations who may want to look into adopting this
model? What's a good strategy for them to begin?
Do your homework. And that really involves, I think there are a couple of really good sources.
One is the FAIR Institute, which has scores of papers and videos and literally hundreds upon
hundreds of blog posts on virtually any dimension of the problem you care to think about.
And then the Open Group has its professional certification and some resources for learning about it.
And by the way, the FAIR Institute also has created some online training that is offered through, my mind's gone blank,
one of those online training programs that offers college courses and whatnot as well.
At any rate. So there are a lot of resources available.
And one characteristic of the community in the FAIR Institute is they are passionate about helping one another out.
So, you know, reach out to people who you've seen publish on FAIR or risk measurement and those sorts of things.
And don't hesitate to ask questions, because the people you'd be talking to
have been where you are, have wrestled the beast,
have undoubtedly had some high points and some low points in the process,
because it can be challenging.
It's gotten a lot easier as the years have gone by
as we've improved the resources and the technology supporting it
and that sort of thing.
But it can still be daunting for some people
who aren't used to the notion of quantifying
something that they've always just assigned
yellow and green to.
So don't hesitate to reach out, including reaching out to me through LinkedIn.
As you look back, I would imagine you must have a certain sense of pride that FAIR has stood
the test of time and has become one of the standards in our industry.
Yes, that's absolutely true.
I did not have a grand vision for this.
I was trying to keep my job as a CISO and be more effective.
And it was the people around me who said, you know, this is potentially something important, Jack, you should share it.
And so, you know, I wrote my first white paper on it and that got a fair amount of attention.
And it just kind of grew from there.
And I've been really fortunate to be surrounded by people who have maybe recognized opportunities regarding its utility that I wouldn't necessarily have seen and have really done a lot of the legwork
for helping the community grow.
So, yeah, I'm proud, but I'm incredibly grateful, too,
because if left to my own devices,
it would not be nearly what it was,
or what it's turned out to be.
Our thanks to Jack Jones for joining us.
Summer is Tim's ice latte season.
It's also hike season, pool season, picnic season, and yeah, I'm down season.
So drink it up with Tim's ice lattes, now whipped for a smooth taste.
Order yours on the Tim's app today at participating restaurants in Canada for a limited time.
And finally, in theory, California law gives you the right to tell data brokers to delete your personal
information. In practice, you'll need the patience of a monk and the detective skills of Sherlock Holmes
to find where to do it. A review by The Markup and CalMatters found 35 out of 499 registered brokers
had buried their opt-out pages so deep even Google couldn't find them, thanks to deliberate code
that hides these pages from search engines. Officially, the pages exist. Practically, they're as
accessible as Atlantis.
After reporters came knocking, some companies blamed oversights and hastily removed the code.
Others stood firm, citing spam prevention.
Meanwhile, a few opt-out links were tucked at the bottom of home pages, hidden behind pop-ups,
tiny fonts, and enough scrolling to count as cardio.
It's all legal, of course, just not particularly findable, which one suspects is
probably the point.
And that's the CyberWire.
For links to all of today's stories,
check out our Daily Briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our audience survey through the end of this month.
There is a link in the show notes. Please do check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
You know what I'm going to be.