Podcast Summary: CyberWire Daily – "A Blast from the Breached Past"
Release Date: June 20, 2025
Host: N2K Networks
Production: N2K's CyberWire Daily
1. Exposed Database of Stolen Credentials
Timestamp: [02:35]
The episode begins with a discussion about what was reported as a historic data breach. However, it turns out that no new breach occurred. Instead, a large database of previously stolen credentials was exposed online.
Ben Yelin explains, “The format matched what's commonly used by Infostealer malware. That malware quietly grabs passwords stored in browsers and apps, then ships them off to cybercriminals” ([03:13]). This compilation includes data from older breaches, malware logs, and credential stuffing attacks, indicating that while the exposure is significant, it involves already compromised information. Dave Bittner adds, “So no, the sky isn't falling again. But yes, you should still update your security hygiene” ([03:29]).
2. Aflac's Ransomware Attack
Timestamp: [03:39]
Aflac reported thwarting a ransomware attack initiated by a sophisticated cybercrime group on June 12. Although the ransomware did not disrupt operations, some sensitive personal and health data was stolen prior to containment.
Ben Yelin notes, “The ransomware didn't disrupt operations; the stolen files may include sensitive personal and health data from customers, employees, and agents” ([03:50]). Aflac suspects the use of social engineering tactics, possibly impersonating IT staff, linked to the group known as Scattered Spider, which has recently targeted insurance firms. Aflac has responded by alerting the SEC, setting up a helpline, and offering identity protection to affected individuals.
This incident marks the second breach Aflac has faced in two years, the first involving 1.3 million customers in Japan in 2023.
3. Cloudflare's Largest DDoS Attack Thwarted
Timestamp: [04:40]
Cloudflare successfully mitigated what it claims to be the largest Distributed Denial of Service (DDoS) attack ever recorded, peaking at 7.3 terabits per second ([04:47]).
Ben Yelin elaborates, “The attack hit a hosting provider in mid-May and lasted just 45 seconds, but still delivered 37.4 terabytes of traffic” ([04:49]). The assault targeted nearly 22,000 destination ports per second on a single IP, with over 99% of traffic originating from UDP floods across 161 countries. The episode highlights the escalating threats to core Internet infrastructure.
4. Emerging Cyber Threats: Mocha Manakin and Godfather Android Trojan
a. Mocha Manakin
Timestamp: [05:22]
Red Canary discovered a new threat named Mocha Manakin, which combines sophisticated social engineering with custom-built malware. It deceives users with fake instructions, such as CAPTCHA tests that prompt them to execute harmful PowerShell commands, resulting in the download and launch of a backdoor known as NodeInitRAT.
Ben Yelin states, “Mocha Manakin hides its traffic using Cloudflare tunnels, making it harder to detect” ([05:45]). This RAT can collect data, execute commands, and potentially install ransomware, with links to Interlock ransomware. Red Canary advises organizations to train users, monitor systems, and block suspicious network activities to defend against this deceptive threat.
b. Godfather Android Trojan
Timestamp: [06:25]
A new variant of the Godfather Android Trojan employs an advanced virtualization technique to hijack banking and cryptocurrency applications. According to Zimperium, Godfather establishes a sandbox environment on infected devices to run virtual copies of target apps, thereby evading detection.
Ben Yelin explains, “Godfather now sets up a sandbox on infected devices to run real copies of target apps, making it harder to detect” ([06:36]). Utilizing open-source tools like Xposed and VirtualApp, the Trojan gains full visibility and control over user interactions. Currently, it targets Turkish banks, altering APK and Android manifest files to avoid detection and exploiting Android's accessibility services to trick users into granting necessary permissions.
5. Sophisticated Spear Phishing Campaign Targets British Expert
Timestamp: [07:22]
Keir Giles, a British specialist in Russian information warfare, was targeted by an advanced spear phishing campaign. The attackers impersonated a U.S. Department of State official, sending convincing emails with fake documentation to elicit sensitive information.
Ben Yelin summarizes, “The attacker posed as a U.S. State Department official named Claudi S. Weber and invited Giles to a fake consultation” ([07:35]). The campaign, potentially linked to the Russian state-sponsored actor APT29, involved creating persistent access to Giles' Gmail through malicious app-specific passwords. Although Giles did not utilize the targeted account, the incident underscores the sophistication and patience of modern phishing tactics, possibly leveraging large language models to craft realistic interactions.
6. Judicial Ruling Dismisses CrowdStrike Lawsuit
Timestamp: [08:35]
A federal judge dismissed a lawsuit filed by airline passengers against CrowdStrike, alleging that a 2024 software update disrupted airline operations.
Ben Yelin clarifies, “The judge ruled that the claims were preempted by the Airline Deregulation Act (ADA), even though CrowdStrike isn't an airline” ([08:47]). The court determined that the disruptions, which affected ticketing, boarding, and scheduling, were inherently tied to airline services, thus falling under ADA protection. This ruling establishes a precedent safeguarding vendors integral to airline operations from similar lawsuits, emphasizing that the harm was related to service disruptions rather than direct personal injury.
7. Banana Squad's Malicious Open Source Repositories
Timestamp: [09:46]
ReversingLabs researchers uncovered Banana Squad's latest cyber threat, where the group disguises malicious code as legitimate open-source software. Over 60 fake GitHub repositories posing as Python hacking tools were discovered, embedding malware designed to steal sensitive data from Windows systems, browsers, and cryptocurrency wallets.
Dave Bittner highlights, “One tactic involves hiding harmful code in long invisible lines pushed off screen, making it hard for developers to detect” ([10:07]). Despite a 70% reduction in open-source malware in 2024, Banana Squad managed to release hundreds of malicious packages downloaded nearly 75,000 times before removal.
The group employs stealthier and more sophisticated methods, underscoring the rising risks from vulnerable code within popular open-source software packages.
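The "long invisible lines" tactic quoted above is easy to check for mechanically. The following scanner is an added example (not ReversingLabs' tooling, and not code from the episode): it tokenizes a Python file and flags any line where a token begins far to the right of the previous one, which is what code padded off the edge of an editor looks like. The gap threshold of 200 columns and the embedded sample source are constructed assumptions.

```python
"""Flag Python source lines that hide code past a long run of whitespace."""
import io
import tokenize
from typing import List, Tuple

# Assumption: few editors show 200+ columns without scrolling, so a gap this
# wide between two tokens on one line is a strong "pushed off screen" signal.
GAP_THRESHOLD = 200
_TRIVIA = {tokenize.NL, tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT,
           tokenize.ENDMARKER, tokenize.COMMENT}


def find_hidden_code(source: str, gap: int = GAP_THRESHOLD) -> List[Tuple[int, int, str]]:
    """Return (line_no, column, hidden_text) for every suspicious gap.

    Using the tokenizer instead of a regex means whitespace inside a string
    literal or comment is ignored, so a padded docstring is not a false alarm,
    while a statement pushed past the visible edge of the line is reported.
    """
    findings: List[Tuple[int, int, str]] = []
    lines = source.splitlines()
    prev_end = None  # (line, col) where the previous real token ended
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in _TRIVIA:
            continue
        line, col = tok.start
        if prev_end is not None and prev_end[0] == line and col - prev_end[1] >= gap:
            findings.append((line, col, lines[line - 1][col:].rstrip()))
        prev_end = tok.end
    return findings


# Constructed sample: line 3 is a harmlessly padded docstring (single STRING
# token, must not be flagged); line 5 hides a second statement 300 blanks out.
SAMPLE = (
    "import os\n"
    "def greet(name):\n"
    '    """Greets.' + " " * 250 + '"""\n'
    "    return 'hi ' + name\n"
    "print(greet('dev'));" + " " * 300 + "payload = 'constructed placeholder'\n"
)

if __name__ == "__main__":
    for line_no, col, hidden in find_hidden_code(SAMPLE):
        print(f"line {line_no}, col {col}: hidden code -> {hidden!r}")
```

Run it over a cloned repository's `.py` files before trusting a "hacking tool" from an unknown author; a single hit on a short-looking line is worth a manual look.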
8. DOJ Seizes Over $225 Million in Cryptocurrency Linked to Scams
Timestamp: [10:36]
The U.S. Department of Justice (DOJ) is pursuing the seizure of over $225 million in cryptocurrency connected to romance and investment scams originating from Vietnam and the Philippines.
Ben Yelin reports, “The funds, traced via blockchain analysis by the FBI and Secret Service, were laundered through hundreds of wallets and thousands of transactions” ([11:06]). The operation targeted over 430 victims across multiple U.S. states, who were defrauded through fake social media connections offering lucrative crypto investments. Victims were deceived into sending millions, only to be locked out of their accounts after being asked to pay counterfeit fees to withdraw funds.
This marks the largest crypto seizure in U.S. Secret Service history, reflecting enhanced law enforcement capabilities amid a global surge in crypto-related scams, which totaled $5.8 billion in losses last year.
9. Oversight Committee Requests Microsoft to Hand Over GitHub Logs on DOGE Misconduct
Timestamp: [12:12]
An oversight committee from the House of Representatives has asked Microsoft to provide GitHub logs related to alleged misconduct by the group DOGE (Department of Government Efficiency), previously associated with Elon Musk.
Steven Lynch, a representative from the University of Maryland Center for Health and Homeland Security, elucidates, “The whistleblower disclosure and public reporting allege that DOGE engineers accessed the National Labor Relations Board (NLRB) systems to delete records, install backdoors, and exfiltrate data” ([15:21]).
The request includes a complete clone of the GitHub repository titled "NX Gen B Door Extract" and a list of all private repositories accessed by DOGE team member Jordan Wick from January 1st to May 15th. However, due to the Democratic minority on the committee, the request lacks subpoena authority and may not compel Microsoft to comply. Lynch suggests the primary goal is to raise public awareness rather than enforce compliance legally.
10. ASR Jam: A Novel Defense Against AI-Powered Scam Calls
Timestamp: [22:49]
Researchers from Israel and India have developed ASR Jam, a tool designed to thwart AI-driven scam calls. ASR Jam employs EchoGuard, a sound-altering algorithm that subtly warps the user’s voice to confuse AI speech recognition systems without affecting human comprehension.
Ben Yelin describes it as, “Like mumbling in just the right frequency to fluster a robot but not your grandma” ([23:26]). This real-time, invisible defense effectively disrupts most AI models, including OpenAI's Whisper, making it difficult for scammer bots to process the conversation. The researchers term this method “pleasantly disruptive,” aiming to protect individuals from vishing scams that exploit AI's ability to mimic human interactions.
Interview Highlight: Steven Lynch on Microsoft's GitHub Logs Request
Timestamp: [14:52]
In an in-depth segment, Steven Lynch discusses the House Oversight Committee's request for Microsoft to provide GitHub logs related to DOGE's alleged misconduct. He explains the context of the whistleblower's claims, the specifics of the requested information, and the potential implications for data security and corporate oversight.
Lynch emphasizes the challenges in obtaining a legally binding response due to the committee's minority status, suggesting that the request is more about raising awareness than enforcing compliance. He also touches upon the broader issues of data security within government systems and the importance of transparency in addressing potential vulnerabilities.
Conclusion
The "A Blast from the Breached Past" episode of CyberWire Daily delves into a series of significant cybersecurity incidents and emerging threats. From exposed databases and sophisticated ransomware attacks to innovative defenses against AI-driven scams, the episode provides a comprehensive analysis of the current cybersecurity landscape. Additionally, it highlights ongoing governmental oversight and legal precedents that shape the industry's response to cyber threats.
For listeners seeking to stay informed on the latest in cybersecurity, this episode offers valuable insights and expert commentary on pressing issues affecting individuals, businesses, and governmental bodies alike.
Notable Quotes:
- Ben Yelin ([03:13]): “The format matched what's commonly used by Infostealer malware. That malware quietly grabs passwords stored in browsers and apps, then ships them off to cybercriminals.”
- Dave Bittner ([03:29]): “So no, the sky isn't falling again. But yes, you should still update your security hygiene.”
- Ben Yelin ([06:36]): “Godfather now sets up a sandbox on infected devices to run real copies of target apps, making it harder to detect.”
- Steven Lynch ([17:06]): “Right, because that obviously implies that there is a backdoor targeting NLRB's internal system.”
For more detailed information on today’s stories, visit The CyberWire.
