CyberWire Daily - When spyware backfires.
Episode Date: May 7, 2025
A jury orders NSO Group to pay $167 million to Meta over spyware allegations. CISA warns of hacktivists targeting U.S. ICS and SCADA systems. Researcher Micah Lee documents serious privacy risks in the TM SGNL app used by high-level Trump officials. The NSA plans significant workforce cuts. Nations look for alternatives to U.S. cloud providers. A medical device provider discloses a cyberattack disrupting its ability to ship customer orders. The Panda Shop smishing kit impersonates trusted brands. Accenture’s CFO thwarts a deepfake attempt. Our temporary intern Kevin Magee from Microsoft wraps up his reporting from the RSAC show floor. Server room shenanigans, with romance, retaliation, and root access.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Wrapping up RSAC 2025, we’re joined by our partner Kevin Magee, Global Director of Cybersecurity Startups at Microsoft for Startups. Kevin brings the energy with a high-octane medley of interviews directly from the show floor, featuring sharp insights and bold ideas from some of cybersecurity’s most influential voices. It’s the perfect, fast-paced finale to our RSAC coverage. Check out the show notes for links to all the guests featured! In this segment, you’ll hear from Eoin Wickens, Director of Threat Intelligence of HiddenLayer, Jordan Shaw-Young, Chief of Staff for Security Services at BlueVoyant, Gil Barak, co-founder and CEO of Blink Ops, and Paul St Vil, VP of Field Engineering at Zenity.
You can also catch Kevin on our Microsoft for Startups Spotlight, brought to you by N2K CyberWire and Microsoft, where we shine a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. Kevin and Dave talk with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur, then speak with three Microsoft for Startups members: Matthew Chiodi of Cerby, Travis Howerton of RegScale, and Karl Mattson of Endor Labs. Whether you are building your own startup or just love a good innovation story, listen and learn more here.
Selected Reading
Spyware-maker NSO ordered to pay $167 million for hacking WhatsApp (The Washington Post)
CISA Warns of Hackers Attacking ICS/SCADA Systems in Oil and Natural Gas Companies (Cyber Security News)
Despite misleading marketing, Israeli company TeleMessage, used by Trump officials, can access plaintext chat logs (Micah Flee)
NSA to cut up to 2,000 civilian roles as part of intel community downsizing (The Record)
NIST loses key cyber experts in standards and research (Cybersecurity Dive)
A coherent European/non-US cloud strategy: building railroads for the cloud economy (Bert Hubert)
Medical device giant Masimo says cyberattack is limiting ability to fill customer orders (The Record)
New Chinese Smishing Kit Dubbed 'Panda Shop' Steal Google, Apple Pay & Credit Card Details (Cyber Security News)
Accenture: What we learned when our CEO got deepfaked (Computing)
IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas (GB Hackers)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
A jury orders NSO Group to pay $167 million to Meta over spyware allegations.
CISA warns of hacktivists targeting US ICS and SCADA systems.
Researcher Micah Lee documents serious privacy risks in the TM SGNL app used by high-level Trump officials.
The NSA plans significant workforce cuts.
Nations look for alternatives to U.S. cloud providers.
A medical device provider discloses a cyber attack disrupting its ability to ship customer orders.
The Panda Shop smishing kit impersonates trusted brands.
Accenture's CFO thwarts a deepfake attempt,
our temporary intern, Kevin Magee from Microsoft,
wraps up his reporting from the RSAC show floor,
and server room shenanigans with romance,
retaliation, and root access.
It's Wednesday, May 7th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
A U.S. federal jury has ordered Israeli spyware maker NSO Group to pay over $167 million in
damages for hacking into WhatsApp and targeting more than 1,000 people.
The ruling caps a six-year legal battle led by WhatsApp's parent company, Meta, which
accused NSO of using its Pegasus spyware to breach U.S. anti-hacking laws.
The damages include $167 million in punitive and $440,000 in compensatory penalties, marking a record hit
to the spyware industry.
Although NSO claims it only sells to governments for lawful use, investigations show Pegasus
has targeted journalists, activists, and officials worldwide.
The ruling also rejected NSO's claim of immunity and exposes the
broader threat spyware poses to privacy and democracy. NSO says it may appeal.
Meta says they plan to donate damages to digital rights groups.
CISA, alongside the FBI, EPA, and Department of Energy, has issued a joint advisory warning that unsophisticated
cyber actors are actively targeting industrial control systems and SCADA systems in the U.S.
oil and gas sector.
These attackers, likely hacktivists, exploit poor cyber hygiene using basic tools like
default credentials, brute force attacks, and misconfigured remote
access.
Despite their simplicity, such intrusions can lead to serious consequences including
system shutdowns or physical damage.
CISA urges asset owners to immediately remove OT systems from the public Internet, enforce
strong passwords and phishing-resistant MFA, secure remote access, segment networks,
and prepare for manual operations.
The alert also stresses reviewing third-party access and system configurations.
This follows recent warnings about critical vulnerabilities in ICS devices from major manufacturers.
Security researcher Micah Lee has documented
serious privacy risks in the TM SGNL app,
a modified version of Signal used by Trump officials.
Despite marketing claims, Lee's analysis of TM SGNL's
Android source code confirms the app sends plaintext
copies of messages to TeleMessage's
AWS-hosted archive server, bypassing Signal's end-to-end encryption. These
chat logs, which include Signal, WhatsApp, Telegram, and possibly WeChat messages,
are vulnerable to access by the Israeli firm's staff and potentially foreign
intelligence.
The discovery was validated by a recent hack of TeleMessage that revealed plaintext messages
in server memory.
Senator Ron Wyden has urged the DOJ to investigate, citing national security concerns.
TM SGNL appears visually identical to Signal and interoperates with it, making it difficult
for users to detect the switch. Lee warns that powerful U.S. officials using this insecure
app may have exposed sensitive communications possibly for years. TeleMessage has since
taken its archive server offline.
The NSA is planning to cut up to 2,000 civilian positions
around 8% of its workforce as part of a broader Trump administration effort to
shrink the federal government. The downsizing affects roles across the
agency including cybersecurity and administrative staff. Cuts are tied to a
Defense Department directive to reduce its budget by 8%
annually for five years affecting all combat support agencies. The NSA is
focusing on early retirements and buyouts to avoid mass layoffs. Meanwhile, key
cybersecurity leaders at NIST, including Computer Security Division Chief Matthew
Scholl, are departing amid federal
downsizing in the Trump administration, raising serious concerns about NIST's capacity to
lead in AI and post-quantum cryptography.
Over 20 percent of CSD's federal staff have exited, jeopardizing critical research and
weakening collaboration with industry. Experts warn the loss of institutional knowledge will hamper standards development and shift more cybersecurity burdens to businesses.
NIST's budget may also face steep cuts under Trump's fiscal year 26 proposal.
All of this instability and uncertainty in the U.S. has triggered global demand for alternatives
to U.S. cloud dominance.
Europe is seeking digital sovereignty through a strategy that moves beyond simply replicating
Amazon, Google, or Microsoft.
The goal is to build a viable European cloud ecosystem that's not only technically credible,
but politically and economically independent.
This means reducing dependency on proprietary U.S. services, investing in open-source software
tailored for cloud infrastructure, and supporting European service providers.
Governments play a critical role by funding development, shaping procurement policies,
and enforcing privacy laws like GDPR to prioritize
local solutions.
While Europe already has strong hosting and networking players, transitioning them into
full-service cloud providers requires new business models and technical capabilities.
The plan resembles building digital railroads, laying the foundation for others to innovate upon.
This initiative, echoed by concerns in Canada, Australia, and New Zealand,
represents a broader global desire to break free from U.S. tech hegemony
and establish trusted local control over critical infrastructure.
Medical device giant Masimo has disclosed a cyberattack that disrupted its ability to
process and ship customer orders.
The breach, detected on April 27, has forced some manufacturing facilities to operate below
normal levels.
In a filing with the SEC, the California-based company said it isolated affected systems,
engaged cybersecurity experts,
and notified law enforcement.
The nature and scope of the attack remain under investigation, and Masimo has not confirmed
if ransomware was involved.
Despite the disruption, CEO Katie Szyman stated during an earnings call that the incident
is not expected to affect financial guidance.
Masimo, known for its pulse oximetry and patient monitoring tools, joins a growing list of manufacturers hit by cyberattacks that have caused major
operational and financial setbacks, including Clorox, Johnson Controls, and Sensata Technologies.
A new China-based smishing kit called Panda Shop is enabling cybercriminals to steal financial
data by impersonating trusted brands like the US Postal Service, DHL, and major banks.
Discovered by Resecurity, the kit creates mobile-optimized phishing pages that convincingly
mimic legitimate websites.
It supports the theft of Google Pay, Apple Pay, and credit card details, and can send
up to 2 million messages daily, potentially targeting 60 million victims per month.
Unlike older SMS-based scams, Panda Shop uses advanced tactics including Google RCS and Apple iMessage, evasion methods
to bypass detection, and OTP interception to defeat multi-factor authentication.
Researchers linked it to the Smishing Triad group due to shared tactics and coding similarities.
Configuration files and domain data point to operations based in China. The attackers boldly claim to be beyond the FBI's reach,
further emphasizing the challenge of combating transnational cybercrime.
Last May, someone impersonating an attorney set up a video call with
Accenture's CFO and a very convincing deepfake of CEO Julie Sweet.
The fake Julie asked for an urgent funds transfer.
Luckily, the CFO followed company protocols, and no money left the company.
Flick March, Accenture's EMEA Cyber Strategy lead, recounted the close call at the Cyber Security Festival,
warning that deepfakes are changing the game.
With inexpensive tools now readily available, even trained professionals are fooled.
Half failed a recent deepfake test.
March calls this a paradigm shift in the attack vector.
Deepfakes now blur the lines between cyber, fraud, and
disinformation, demanding a total rethink of security strategies.
Companies must embrace identity security, establish secure communication channels,
and train teams to question even seemingly authentic requests.
If something feels off, says March, you should feel empowered to say, call me back on Monday.
Coming up after the break, our temporary intern Kevin Magee from Microsoft wraps up his reporting from the RSAC show floor, and server room shenanigans
with romance, retaliation, and root access.
Stay with us.
Traditional pen testing is resource intensive, slow, and expensive, providing
only a point-in-time snapshot of your application's security, leaving it
vulnerable between development cycles. Automated scanners alone are unreliable
in detecting faults within application logic and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection,
with recurring manual penetration testing conducted by CREST-certified pen testers,
allowing you to stay ahead of threats and ensure your web applications are always secure.
We've all been there. You realize your business needs to hire someone
yesterday. How can you find amazing candidates fast?
Well, it's easy. Just use Indeed. When it comes to hiring,
Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored
Jobs helps you stand out and hire fast. Your post jumps to the top of search results so
the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more
applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually
use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through
Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 Sponsored Job Credit with Indeed. Terms and conditions apply. Hiring? Indeed is all you need.
At last week's RSAC 2025 conference, Kevin Magee, Global Director of Cybersecurity Startups
at Microsoft, took a break from his day job and helped us.
Here's intern Kevin's final report from the RSAC show floor.
All right, tell me who you are and what you do.
Hi, I'm Eoin Wickens, Director of Threat Intelligence at HiddenLayer.
Now you've got an interesting report that's just come out. I've had a chance to give it a read and some interesting findings. Can you give me the high level?
Sure, absolutely.
We have four parts in our report.
Threats to AI systems, threats faced by AI systems,
key advancements in AI security,
and predictions for the future.
We had an interesting survey with 250 respondents.
89% of IT leaders said that ML models
are becoming business critical in their organization.
74% reported that they knew they had an AI breach over the last year, and 95% have
budget allocated for AI security over the coming year.
Okay, so if I'm a CISO reading this report, what's the one thing I should look at that's most important?
Agentic AI is the future, but we've discovered all sorts of classes of
vulnerabilities across the supply chain, such as attack techniques like ShadowLogic and
detrimental threats like indirect prompt injection to AI systems.
So you're here at RSA, now you're presenting.
But what else are you looking to learn while you're here, from other vendors or from presentations or some of the sessions?
I want to find out how people are utilizing agentic systems in the real world today.
I think agentic is the future. Tool-equipped LLMs with persistent data models are enabling
wonders that we haven't seen before. It's almost like an industrial
revolution. Instead of the printing press, it's now intelligence that's being
commoditized. Awesome. What's the one fun thing you've seen? So after party,
interesting booth. Anything of note that you'd like to pass on to those that
couldn't attend? Myself and my colleague Kazimir checked out the goats this morning.
The goats, excellent. Thank you very much. Thanks Kevin.
Alright, from the floor of RSA, tell me who are you and what do you do? Hey, so I'm
Gil, I'm the co-founder and CEO of BlinkOps. What does BlinkOps do? We are an
automation platform. We focus on automating all of the security
across SOC, GRC, IAM, cloud security and vulnerability management and so on.
Awesome. It sounds like you've got a great presence here. You got a ton of
folks here. How's the show been for you? It's been amazing. There's way too many
people but it's been going pretty well. We have a lot of traction, a lot
of activity, customers, partners, especially with Microsoft.
Awesome.
What's the number one challenge
that customers are bringing to you
that you're helping solve right now?
I would say that automation has always been an issue
for customers, but I think for the first time
in the past forever, the boards of organizations
are talking about optimizing their organization using automation and AI, and there's been a void between what the
board wants and what the team can actually do, and so I think we're in a
great position to fill that void. So my investment thesis is automate, remediate,
and govern. So very aligned to what you do as well too. So what is the
number one thing that you would like to tell those business leaders and boards about what they should be thinking
about in terms of securing their organizations for the new age of
AI? I think that obviously AI agents are the future, but the problem with AI agents
is that they're also probably the biggest security risk for organizations,
as they're essentially autonomous, and if you give them admin access to your systems,
they might actually suspend all your accounts,
delete all your devices, and so on.
So there's a gap to bridge between that
and something you can trust.
What we've done at Blink is we've built a workflow engine
that's deterministic, so you can pre-define a workflow
however you want to see it,
define it, and at the same time,
you can also build autonomous agents.
Bridging those together, in my personal opinion,
is the holy grail, as opposed to going to a vendor
and trusting that whatever agent they built
will work out of the box.
So, you're here at RSA, what's the coolest thing you've seen
or what's the big theme that you think
is coming out of the show?
Coolest thing I've seen?
Well, there's a lot of animals in this conference.
We've seen puppies and then goats all over the place.
But otherwise, it's really nice to see that so many people are attending the conference.
I think it's actually bigger than last year, or at least it feels like it.
And it brings everybody together,
customers, vendors, partners.
I think it's a fantastic conference.
Awesome, thanks for your time and have a great RSA.
All right, so start off by telling me,
who are you and what do you do?
Hey Kevin, it's Jordan Shaw-Young.
I'm the Chief of Staff of Detection Response at BlueVoyant.
BlueVoyant, MSSP, in a lot of different areas,
helping enable customers to not only deploy security,
but also manage their security resources.
So, tell me a little more about what the company does.
Yeah, we're an MDR provider, so we do detection response.
A lot of the work we do is with our partner, Microsoft,
who we're here with in the booth.
BlueVoyant is also a detection response provider
for supply chain risk and third party risk.
So we kind of apply what we do in detection response,
both internally as well as into our customers'
extended supply chains and third parties.
Now you and I have known each other for a long time.
I know you always have your eye on what's cool,
what's new, what's upcoming.
So around the show, what have you got your eye on?
What themes are you looking for?
You know, give me some hints.
Yeah, the detection automation.
So some of the companies that are looking at ways
of helping SOCs manage volumes of detections
and finding really high fidelity detections
are really interesting vendors for us.
There's a lot of new, interesting technology
coming up in that area.
That's where we do a lot of our work.
So yeah, that's sort of been my highlight.
Now I'm required to make you say agentic AI.
So if you could tell me a little bit about that.
That seems to be the number one theme here.
Yeah, BlueVoyant's been doing R&D in AI
and in agentic AI specifically.
We've been doing a lot of work with Microsoft.
We've released an AI agent with the Secure Exchange.
So BlueVoyant's going to be doing a whole ton of work
with Microsoft, Microsoft Copilot,
and it's really going to be transformational
for SOC operations at some point
in the future.
So one of the biggest challenges we hear about
is just there's not enough people in our industry.
So what are you doing to help solve for some of those
problems, both in managed services, but also in developing
IP and technology to bridge some of those gaps?
Yeah, I've heard that.
I don't know how accurate that is that we have this
giant skills gap, in terms of numbers of people,
but what we definitely do have is a lack of specialized
skills in certain areas.
And so it's very difficult to find people who are,
detection engineering is a good example of something,
where we put a lot of effort into finding really strong
detection engineers who are able to synthesize
threat intelligence and build these into detections
to find evil in customer networks. So where we're able to find technology to augment some of that, that's really difficult talent to find.
So anything we can find to bring into our tech stack to help them out, that's really what we're after.
All right, so what's the big fun moment? What's the best after party?
Give me something really interesting that you've seen or done exciting at RSA this year.
Yeah, that's a good question. I think whatever vendor it was who brought the goats and the goat pen,
that beats the dogs and the monster truck. I actually don't actually know who the vendor was,
but you know, that's a bold move to bring a whole goat pen.
That's awesome. I keep looking for the goats. I haven't found the goats yet, but it's on my list to check out.
Well, thanks, Jordan. Great to see you again and have a great RSA.
All right, so tell me,
who are you and what do you do? Hi, my name is Paul St Vil. I'm the VP of
Field Engineering here at Zenity. What does Zenity do? Zenity secures AI agents
everywhere. Everywhere? Tell me about that. Yeah so whether you have them
inside of Microsoft Copilot or it's ChatGPT,
Salesforce agents, whatever platform you're consuming your agentic AI, we're
there to secure you. Awesome, so what are you hearing on the floor here? What are
customers asking you? What are some of their challenges? Yeah, what they're
seeing is a big rise in agentic on everybody's banner. In particular, they're
seeing the difference between generative AI and agentic AI and how the challenges
definitely are not on the same level.
Awesome.
So if you were to talk to one of your customers
or a potential customer, what's the first thing
they should be thinking about that you can help them solve?
The first thing they should be thinking about is
who's consuming agentic AI inside of their environment?
So what co-pilots do they have enabled?
And then secondarily, what are the tools and actions
and privileges that they think people would be chasing first
for their primary use cases?
You're a younger guy than me,
so you've probably been hitting the nightlife of RSA.
What are any fun activities or anything exciting
that's happened that you're willing to share?
Yeah, yeah, I've seen a couple people getting some great swag
on the floor with these neon
bags.
I'm hoping that my marketing leader hears me and signs us up for them next year.
That's fantastic.
So I've heard puppies, goats, anything else exciting?
That's about it for me.
Well thanks for your time and have a great RSA.
Awesome, thank you.
And our heartfelt thanks to Kevin McGee,
Global Director of Cybersecurity Startups at Microsoft,
for lending his talents to our RSAC coverage.
Let's be real, navigating security compliance can feel like assembling IKEA furniture without
the instructions.
You know you need it, but it takes forever and you're never quite sure if you've done
it right.
That's where Vanta comes in.
Vanta is a trust management platform that automates up to 90% of the work for frameworks
like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months.
Whether you're a founder, an engineer, or managing IT and security for the first time,
Vanta helps you prove your security posture without taking over your life.
More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor
compliance, streamline risk, and speed up security reviews by up to five times.
And the ROI?
A recent IDC report found Vanta saves businesses over half a million dollars a year and pays
for itself in just three months.
For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber.
And finally, a former IT manager is suing Deutsche Bank and its contractor Computacenter,
alleging they let a security breach slide right under their noses and into their
server rooms. According to James Papa, a fellow IT worker brought his girlfriend, an unauthorized Chinese
national with tech skills, into Deutsche Bank's most sensitive tech areas multiple times.
Jenny, as she's called, allegedly accessed secure systems with a contractor laptop all
while Papa was off-site.
When he reported it, rather than earning a promotion, Papa got the boot.
No action was taken against the lovebirds, who later vacationed in China.
Now Papa is suing for $20 million, claiming whistleblower retaliation and a good old-fashioned
cover-up.
As for Deutsche Bank and Computacenter,
mum's the word.
Nothing says robust cybersecurity like bring your girlfriend to work day
in the server room. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
So what's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt,
Identity Attack Paths are easy targets
for threat actors to exploit,
but hard for defenders to detect.
This poses risk in Active Directory,
Entra ID, and Hybrid configurations.
Identity leaders are reducing such risks
with Attack Path Management.
You can learn how Attack Path Management
is connecting identity and security teams
while reducing risk with BloodHound Enterprise,
powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.