CyberWire Daily - Workday’s bad day.
Episode Date: August 18, 2025
HR software giant Workday discloses a data breach. Researchers uncover a zero-day in Elastic's EDR software. Ghost-tapping is an emerging fraud technique where cybercriminals use NFC relay attacks to exploit stolen payment card data. Germany may be on a path to ban ad blockers. A security researcher documents multiple serious flaws in McDonald's systems. There's a new open-source framework for testing 5G security flaws. New York's Attorney General sues the banks behind Zelle over fraud allegations. The DOJ charges the alleged Zeppelin ransomware operator and seizes over $2.8 million in cryptocurrency. Tim Starks from CyberScoop discusses the overlooked changes that two Trump executive orders could bring to cybersecurity. Bots build their own echo chambers.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest: Today we have Tim Starks from CyberScoop discussing the overlooked changes that two Trump executive orders could bring to cybersecurity.
Selected Reading:
HR giant Workday discloses data breach after Salesforce attack (Bleeping Computer)
Researchers report zero-day vulnerability in Elastic Endpoint Detection and Response Driver that enables system compromise (Beyond Machines)
Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem (Recorded Future)
Is Germany on the Brink of Banning Ad Blockers? User Freedom, Privacy, and Security Is At Risk. (Open Policy & Advocacy)
How I Hacked McDonald's (Their Security Contact Was Harder to Find Than Their Secret Sauce Recipe) (bobdahacker)
Boffins say tool can sniff 5G traffic, launch 'attacks' without using rogue base stations (The Register)
New York claims Zelle's shoddy security enabled a billion dollars in scams (The Verge)
US Seizes $2.8 Million From Zeppelin Ransomware Operator (SecurityWeek)
Researchers Made a Social Media Platform Where Every User Was AI. The Bots Ended Up at War (Gizmodo)
Audience Survey: Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts
and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Ghost-tapping is an emerging fraud technique where cybercriminals use NFC relay attacks to exploit stolen payment card data.
Germany may be on a path to ban ad blockers.
A security researcher documents multiple serious flaws in McDonald's systems.
There's a new open-source framework for testing 5G security flaws.
New York's Attorney General sues the banks behind Zelle over fraud allegations.
The DOJ charges the alleged Zeppelin ransomware operator and seizes over $2.8
million in cryptocurrency. Tim Starks from CyberScoop discusses the overlooked changes
that two Trump executive orders could bring to cybersecurity, and bots build their own
echo chambers. It's Monday, August 18th, 2025. I'm Dave Bittner, and this is your Cyberwire
Intel briefing.
Thanks for joining us here today.
It is great to have you with us.
HR Software Giant Workday has disclosed a data breach
after attackers accessed a third-party CRM platform
through a social engineering campaign.
While customer tenants and their
data were not affected, some business contact information, like names, emails, and phone
numbers, was exposed. Workday said attackers impersonated HR or IT staff via phone and text
to trick employees into giving access. The breach, discovered on August 6th, appears to be linked
to the ShinyHunters extortion group, which has recently targeted Salesforce CRM systems at several
major companies, including Adidas, Qantas, Google, Louis Vuitton, and Chanel.
The group uses malicious OAuth apps to steal CRM data, then extorts victims by threatening
leaks.
Workday emphasized that only commonly available contact data was exposed, but warned it may
fuel further phishing attempts.
Researchers at AshES Cybersecurity have uncovered a zero-day flaw in Elastic's endpoint detection
and response software. The bug, a null-pointer dereference in a Microsoft-signed driver,
can be used to crash systems, bypass security, execute remote code, or plant malicious drivers
for persistence. The issue affects multiple versions with no patch available. Despite multiple
disclosure attempts, Elastic has not responded. The flaw poses a serious risk,
allowing attackers to undermine Elastic's security stack.
Recorded Future's Insikt Group has published research on ghost tapping, an emerging fraud
technique where Chinese-speaking cybercriminals use NFC relay attacks to exploit stolen payment card
data linked to mobile wallets like Apple Pay or Google Pay.
An NFC relay attack is a type of cyber attack where criminals intercept and forward communication
between a contactless payment card or mobile wallet like Apple Pay or Google Pay,
and a payment terminal.
Mules equipped with burner phones
make in-person purchases of luxury goods,
which are later resold for profit.
Analysts at Insikt Group
identified an individual on Telegram
advertising ghost-tapping services
and burner devices to syndicates.
Following the May 2025 disclosure of Huione Guarantee,
criminals have shifted to Xinbi Guarantee
and Tudou Guarantee marketplaces
to coordinate fraud, recruit mules, and launder money.
Operations are concentrated in China and Southeast Asia, but can be executed globally.
Ghost-tapping's effectiveness stems from weak Know-Your-Customer checks at retailers,
making detection difficult.
Victims include retailers, banks, payment providers, and insurers.
A recent ruling from Germany's Federal Supreme Court threatens the legality of ad blockers,
raising concerns about user choice and privacy online.
The case stems from a decade-long legal battle
between publisher Axel Springer and Eyeo,
maker of Adblock Plus.
While lower courts largely upheld ad blockers
as tools that enable user choice,
Germany's Supreme Court overturned part of a 2022 ruling
and sent the case back for review.
The court asked whether ad blockers
alter copyright-protected code,
and under what conditions such interference is lawful.
Critics warn the decision could set a precedent that undermines not just ad-blocking,
but also browser extensions that enhance privacy, accessibility, and security.
If Germany restricts ad-blockers, it risks joining China as one of the few jurisdictions to ban them.
A security researcher who goes by the name BobDaHacker uncovered multiple serious flaws in McDonald's
systems, affecting employees and internal platforms worldwide.
Initial testing revealed that the McDonald's app failed to validate reward points server-side,
allowing free food. Further digging exposed wider vulnerabilities.
Their design hub used weak client-side protections, allowed anyone to register accounts,
emailed passwords in plain text, and exposed API keys and Algolia indexes with personal data.
Crew-level accounts could access executive systems, impersonate staff, and even alter franchise content through the GRS portal, which lacked authentication.
Misconfigurations also exposed internal documents, and the new Cosmix platform allowed coupon abuse and order manipulation.
Reporting these flaws was difficult.
McDonald's had removed its security.txt contact file, forcing the researcher to cold-call HQ.
While most issues were fixed, reporting channels remain inadequate.
Researchers from the Singapore University of Technology and Design have released
Sni5Gect, spelled S-N-I-5-G-E-C-T, because, of course it is, for fuck's sake,
an open-source framework for testing 5G security flaws.
Unveiled at USENIX Security 2025, the tool exploits the pre-authentication
phase of 5G connections, when traffic between devices and base stations is unencrypted.
Using off-the-shelf radios, Sni5Gect can sniff uplink and downlink traffic with 80% accuracy
at ranges up to 20 meters, and inject packets with a 70 to 90% success rate.
Demonstrated attacks include a 5G to 4G downgrade exploit, enabling surveillance and further compromise.
The tool also supports denial of service, fingerprinting, and multi-stage payload injection.
While the core framework is public on GitHub, more dangerous exploits are restricted to vetted institutions.
The GSMA confirmed the downgrade flaw and assigned it a CVE under its disclosure program.
New York Attorney General Letitia James has filed a lawsuit against the banks behind Zelle,
alleging the payment platform facilitated over $1 billion in fraud between 2017 and 2023.
James claims Zelle's operator, Early Warning Services, owned by major banks including J.P. Morgan Chase,
Bank of America, and Wells Fargo, rushed the product to market without proper safeguards.
The lawsuit cites weak registration processes that allowed scammers to pose as legitimate businesses or government agencies,
tricking victims into sending unrecoverable funds.
James also alleges EWS failed to act quickly on fraud complaints,
remove bad actors, or reimburse victims,
despite marketing Zelle as safe.
While Zelle denies wrongdoing,
James seeks restitution and damages for New Yorkers.
The case echoes earlier scrutiny by the Consumer Financial Protection Bureau.
The U.S. Department of Justice has charged,
Ianis Aleksandrovich Antropenko, an alleged Zeppelin ransomware operator, and seized over
$2.8 million in cryptocurrency, plus cash and a luxury vehicle tied to his crimes.
Antropenko and co-conspirators encrypted and stole victims' data, demanding ransom to prevent
leaks. They allegedly laundered funds through ChipMixer and structured cash deposits.
Zeppelin, first seen in 2019 and linked to VegaLocker, mainly targeted the health care and tech sectors.
Antropenko faces charges of computer fraud and abuse, and money laundering conspiracy.
Coming up after the break, Tim Starks from Cyberscoop discusses the overlooked changes that two Trump executive
orders could bring to cybersecurity, and bots build their own echo chambers. Stay with us.
We've all been there. You realize your business needs to hire someone yesterday. How can you find
amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you
need. Stop struggling to get your job post noticed. Indeed's sponsored jobs helps you stand out and hire
fast. Your post jumps to the top of search results, so the right candidates see it first. And it
works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things
I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring
here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with
sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results.
How fast is Indeed? Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide. There's no need,
to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75
sponsored job credit to get your jobs more visibility at Indeed.com slash cyberwire. Just go to
indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this
podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring. Indeed is all you need.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1,
and without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity,
certificates, secrets, and workloads, across all.
all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises secure their machine future.
Visit cyberark.com slash machines to see how.
And it's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Hi, Dave. And it's my pleasure.
Well, thank you so much. A really interesting article you published recently here about some
executive orders from the Trump administration and how they could affect cybersecurity.
What prompted you to take on this topic here, Tim?
I was really hoping you'd ask that question
because this was kind of an interesting way this story sort of came to me in my
head, right? So in March, they put out this preparedness executive order. And there was one
sort of big overwhelming reaction from the cyber community about the provisions that said,
we want state and local governments to be handling disasters more, including cyber attacks. And the
overwhelming reaction was like from the cyber community, that was like, that's insane. States
are not prepared to deal with this. And then when the June order came out, it kind of came out
on a, it came out on like a Friday afternoon, like late Friday. And we wrote a story about it, but we didn't
know much about it yet because the text wasn't even out yet. We just had a fact sheet. But as the
months have gone on, I just kept hearing people point out little things that I had not noticed
when I wrote my first stories because they were just quick first day stories. Things that I was like,
wait, that's kind of a big, that's kind of a bigger deal than I would have imagined. Why didn't
anybody point that out at the time? And so I started collecting all those sort of things and then
also asking people about them and saying, hey, is it me or is this kind of a bigger deal than
than we thought it was, both orders, really.
And the answer pretty much was, yeah, actually, there's a lot in there.
Now, to be fair, there are some people who say, and, you know, we cover some of this in the story,
that maybe some of this stuff won't get done because it requires, you know, agencies to do things
and the agencies have less funding.
There are people who say some of this stuff is just straight perplexing.
It doesn't make a lot of sense to them.
And there are some people who say, actually, some of these changes aren't that significant.
So I don't want to oversell the story, but I did find a significant number of people who said,
yeah, that's actually kind of big.
Well, take us through some of the key findings here.
I mean, what are some of the most important things that you cover?
Yeah, and so here's another thing.
Some of the stuff we haven't seen the impact of yet.
For example, in the preparedness order,
there is an order to review a great number of the most foundational policy documents
governing critical infrastructure protection.
You know, it's a disaster preparedness related order,
but it's things like the National Security
Memorandum, NSM-22, that the Biden administration wrote in its final full year,
a rewrite of a decade-old document on how we handle critical infrastructure protection,
and it was updated to say, here are the changing threats, here we need to do more to share
their information.
And to be fair, there are some people who did not like that rewrite.
You know, Mark Montgomery of the Foundation for Defense of Democracies was among the critics of that.
He thinks it's a good thing that they might be rewriting this.
But part of the deal is that, you know, the people who are going to do that review are people like Sean Cairncross, who just got the job a week and a half ago or so, who just really finally got into the dump.
So we might not see some of the impact of this for a while, but those are some pretty big changes.
And there's a national resilience strategy that that's called for in that document.
The headline on the June order was a little bit about the digital identities provisions and how agencies would be able to do verification of those.
to provide benefits.
That's still important,
but there were things like telling,
you know,
that in the January Biden administrative order
that a lot of this order is responding to,
there was a NIST review of minimum security practices
that was ordered.
That's gone now.
The things like contractors having to submit to CISA,
essentially a certification saying,
yes, we are safe, we are secure.
They deleted that.
And so there's a pretty significant amount of stuff
that was kind of not headline making at the time.
that going back and plumbing into it a little bit more, you're like, oh, gosh, yeah,
these are potentially very major changes.
There's a quote here.
I want to pull from this that you got from Alexandra Reeve Givens, who heads up the Center
for Democracy and Technology, said, rolling back numerous provisions focused on improving
cybersecurity and identity verification in the name of preventing fraud, waste, and abuse
is like claiming we need safer roads
while removing guardrails from bridges.
This is an evocative comparison.
It is. And that was not an uncommon sentiment.
I think I mentioned a couple of things
that people thought might be good about this.
But another significant consensus
was that this is going to be bad for cybersecurity.
That getting rid of some of these things,
I didn't mention it exactly from Jake Williams,
the former NSA hacker who has been a long
time, cyber policy expert, you know, he said that that sort of self-attestation things that
I mentioned earlier, the certifications, that's like Sarbanes-Oxley for cyber, and you're getting
rid of it. Then you get into other areas where things, you know, Alex Sharp was somebody
I quote in the story from New York University, also a security advisor, saying that the NIST's,
getting rid of that NIST review, if you're talking about wanting to harmonize regulations,
well, you're undercutting yourself. So the administration might be not a
achieving its goals with these with these orders in some ways things that you would think they
would want to do that they might have actually stepped on this on their own foot on on this
You spoke with California Representative Eric Swalwell. He's the top Dem on the House Homeland Security Committee's cyber subpanel, so he has, I would say, an informed opinion when it comes to these things.
Yeah, yeah. And he had the best statement that
was similar to something I'd heard from other people, which is, you know, this administration has
talking, talking about the importance of doing cybersecurity, but they're underfunding these
agencies. And so, are they really going to be able to do these things? Mark said similar
things. You know, the state, pushing things down to the state and local, but you're not giving
them any money to deal with that. Asking NIST to do certain things that the original orders
did not do and not get, and cutting their budget by 20 plus percent, you know, you wonder, you
wonder whether these are goals that will be achieved. And so, so that kind of had to had to
couch this story in a similar strange way where we said these, these actually may be big changes.
And why they might not be big changes. And part of it might be that they don't, they might
have the money or people to do it. Well, speaking of strange ways, I mean, you, you dedicate a whole
section here to head scratchers and mysteries. I mean, you know, it doesn't come up on every policy
article here. So what are we talking about here, Tim?
Yeah, so, so, you know, the one that caught my attention the most was when I, you know,
and I mentioned this in the very first story, but dealt into it a little bit more here,
is there's this language saying that you can't use cyber sanctions against domestic political
opponents. And my thought was like, wait a minute, who in the world would that even pertain
to? And just couldn't figure it out. You know, as the Congressional Research Service said,
they couldn't find an example of this ever having been done, that this seems to be existing
policy. I suppose hypothetically you could use those sanctions authorities against people in the
United States, but why do it? If the existing policy is this and it's never happened, why do it?
I did put some of this in the article. People were speculating, is this about Stuxnet? Right?
Is this a thing where they're worried about, you know, people who were involved in the development
of Stuxnet? And I'm like, so my follow-up question was, well, but okay, well, if that's the case, would the United States go after people who were United States people who helped create a cyber tool that helped the U.S. objectives? And why would we do that?
I mean, don't you think this administration kind of has a universal bee in its bonnet about anything relating to cyber and the elections?
Absolutely. Yeah. I mean, it also, the order specifically mentions elections. So some of this might be signaling. Some of this might be, oh, you know, we'll put this in here because the president will like it.
You know, people were speculating a lot about what that was about.
Another mystery was the stuff about getting rid of the digital identity verification language from the January Biden order because you don't want illegal immigrants to get these benefits.
But that's not, nobody said that nobody I could found could say that this has ever happened.
In fact, it seems as though the language would prevent people who weren't authorized to get benefits.
from getting them. So there's just a bunch of stuff in that people were like, why are they doing
this? This doesn't make any sense to us. And people wondering about what the actual ramifications
would be. Like, if they do this, what would it look like? You know, there were some people who said
that this was undergirding some existing Biden administration policies and other people saying,
actually, no, it's undoing them. So there were different views on different things. And, you know,
considering the fact that the Biden administration was not, you know, every chance they get still in
in August of 2025, the Trump administration says the, you know, the incompetent Biden administration,
and then they do things in these orders that are definitively supporting Biden
administration initiatives, things I wouldn't think that they would support, like the Cyber Trust Mark
initiative on labeling secure products. I would have thought maybe that, you know, if you're,
if you're extremely pro-business, you might think that was a bad or risky thing. No, they,
they fully support it. Well, Tim, your guess is as good as mine.
We're going to figure it out, Dave.
This isn't going away.
I'm going to keep an enigma wrapped in a mystery.
Yeah.
Well, the reporting is excellent, and we will have a link to it in the show notes.
Again, Tim Starks, a senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, researchers at the University of Amsterdam decided to see what happens when 500 AI
chatbots are let loose on a stripped-down social network. No ads, no algorithms, no dopamine-driven
content feeds. Surely, without those manipulative nudges, the bots would live in perfect harmony, right?
Wrong.
Much like their human inspirations, the bots quickly self-sorted into echo chambers,
following only like-minded peers and amplifying the loudest partisan voices.
Across five experiments and 10,000 interactions,
the results were depressingly familiar:
extremism attracted followers, and interventions like chronological feeds,
hiding bios or downplaying virality barely made a dent, sometimes making things worse.
The study suggests polarization isn't just an algorithmic quirk. It's a structural feature of
social media itself. In other words, it's not just the mirror that's warped. It's us.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this month.
There is a link in the show notes.
Do us a favor and do check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.