Appetite for tracking: A feast on private data.

Dave Bittner

You're listening to the Cyberwire network, powered by N2K and now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire Researchers uncover a major privacy violation involving tracking scripts from Meta and Yandex, A compliance automation firm discloses a data breach Puma bot stalks vulnerable IoT devices the RamNet Banking Trojan gets repurposed for ICS intrusions. The North Face suffers a credential stuffing attack. Kaspersky says the Black Owl team is a cyber threat to Russia. CISA releases ICS advisories An Indian grocery delivery startup suffers a devastating data wiping attack. The UK welcomes their new cyber and electromagnetic command. Our guest is Rohan Pinto, CEO of One Cosmos, discussing the implications of AI deepfakes for biometric security and the cybersecurity sleuths at Sophos Unravel a curious Caper It's Wednesday, June 4th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Researchers have uncovered a major privacy violation involving tracking scripts from Meta and Yandex embedded in millions of websites, Ars Technica reports. These scripts exploit legitimate browser features to link web activity with identities in Android apps like Facebook, Instagram and Yandex. This bypasses Android security model and browser privacy protections, effectively breaking the sandbox that separates web and app data. Meta began this tracking in 2023, while Yandex has used similar methods since 2017. The abuse involves covert communication via local ports and misused protocols like WebRTC. Although meta and Yandex claim no sensitive data is collected, the technique de anonymizes users even in private browsing. Chrome, DuckDuckGo, Brave and Vivaldi have introduced partial fixes, but researchers warn these are temporary. They urge platform level reforms to control local port access and enhance transparency. Google says they're investigating, and both Meta and Yandex say they've paused the feature. However, the issue does underscore ongoing risks in how mobile ecosystems handle privacy and app browser interactions. Vanta, a compliance automation firm, disclosed a data breach incident affecting fewer than 4% of its customers, although potentially impacting hundreds of organizations. The breach stemmed from a product code change that broke data isolation in Vanta's multi tenant platform, leading to cross customer data leakage. As a result, a subset of data from under 20% of third party integrations with was exposed and shared bidirectionally between accounts. Leaked information included employee names, roles, security configurations, MFA usage and integration details. While the number of affected individuals remains undisclosed, Vanta confirmed all impacted customers have been notified. The issue was identified on May 26 with full remediation expected today. Vanta supports compliance with frameworks like SoC2, ISO 27001, HIPAA and GDPR, making the incident especially sensitive for its security conscious Clientele. Researchers at Polyswarm have uncovered a stealthy new Linux based botnet called PumaBot, targeting vulnerable IoT devices, especially surveillance systems. Written in Go, PumaBot differs from typical malware by using curated IP lists from command and control servers. Instead of scanning the Internet broadly, this targeted approach helps it avoid detection. Pumabot brute forces SSH credentials to gain access, with a particular focus on devices from Pumatronics, a surveillance equipment maker. Once inside, it establishes persistence by disguising itself as legitimate services like Redis or MySQL and embeds into system directories to survive reboots. Its main goal is cryptocurrency mining executing tools like XMRig to generate illicit profits. The malware also gathers system data and sends it back to attackers who maintain inventories of infected devices. Puma Bot's emergence underscores growing IoT risks tied to default credentials and weak security practices. Honeywell's latest security report reveals a sharp rise in ransomware attacks targeting industrial organizations, with over half of 2024's SEC reported incidents affecting operational technology. More notably, data from Honeywell's SMX USB scanning solution uncovered nearly 1,800 unique threats among 31 million scanned files, including 124 previously unseen. The standout malware was Win32 worm Ramnet, responsible for 42% of all detections and showing a staggering 3,000% spike in the fourth quarter of 2024 versus quarter two. Ramnet, originally a banking trojan, appears to be repurposed to extract industrial control system credentials. Its surge aligns with the widespread use of Windows based ICS platforms, making it a potent threat via USB borne infections. Honeywell's cybersecurity lead Paul Smith suggests that its effectiveness in stealing credentials and use of built in system tools may explain its dominance, whether by accident or targeted design. On April 23, outdoor apparel brand the North Face suffered a credential stuffing attack where hackers used stolen login details from other breaches to access customer accounts. Though payment data remained secure, personal details like contact info, shipping addresses and purchase history were exposed. The attackers exploited users tendency to reuse passwords across sites. The company responded by disabling compromised credentials, forcing password resets and urging customers to use unique passwords to reduce cross platform security risks. No internal systems were breached. The pro Ukraine hacker group BO Team, also known as Black Owl, has emerged as a major cyber threat to Russian institutions, according to Kaspersky. Active since early 2024, the group operates independently with its own tools, often targeting Russian government agencies and industries. A notable attack recently disrupted a third of Russia's national court filing system. BO Team gains access via phishing and delays actions to avoid detection. Unusual for hacktivists. Their toolkit includes backdoors like darkgate, Broken Door and Remcos, and they often delete backups or use Babuk ransomware for extortion. The group disguises malware as legitimate software and shares details of attacks on Telegram. Despite their pro Ukraine stance, BO Team works solo without ties to other hacktivist groups, setting them apart in Russia's threat landscape. CISA issued critical advisories for severe vulnerabilities in Schneider Electric and Mitsubishi Electric industrial products, threatening critical infrastructure like energy and manufacturing. The most serious flaw with A CVSS of 9.3 affects Schneider's now unsupported home automation devices, enabling remote code execution via buffer overflow. Another Schneider vulnerability allows local code execution in EcoStruxure software. Mitsubishi's Melsec IQF PLC's 4Face A CVSS 9.1 info disclosure flaw from improper input validation. CISA urges immediate mitigations, including firmware updates and network security enhancements. Indian grocery delivery startup kiranapro suffered a devastating cyber attack that wiped all its data, including app code and sensitive customer information. The Breach, discovered on May 26, occurred after hackers accessed root accounts on AWS and GitHub, likely via a former employee's credentials. The attack rendered KiranaPro's app unable to process orders, halting operations for its over 30,000 active users across 50 cities. Founded in December 2024, Kiranapro runs on India's open network for digital commerce and supports voice based grocery ordering in multiple languages. The startup had ambitious expansion plans, now stalled by the breach. Despite using Google Authenticator for multi factor authentication, hackers deleted all EC2 instances, leaving no logs or recovery options. Kirana Pro is pursuing legal action and investigating the incident with GitHub. The UK's Ministry of Defense has unveiled its Strategic Defense Review, emphasizing the critical role of the new Cyber and Electromagnetic command. This new domain integrates cyber operations and electromagnetic warfare, now recognized as foundational to modern military strategy. The Cyber EM Command will lead both offensive and defensive cyber missions, coordinate across services, and work alongside the National Cyber Force without overlapping authority. It will also anchor the UK's new digital targeting web, designed to connect military assets for rapid precision strikes. The government aims to have the command operational by year's end and will invest over £1 billion to support it. These moves come amid rising cyber threats and follow a damning report on UK military readiness. UK Defense Secretary John Healy promises to reverse years of decline by growing force size, expanding tech capabilities, and returning the military to a war ready posture by 2027. Coming up after the break, my conversation with Rohan Pinto, CTO of One Cosmos. We're discussing the implications of AI deep fakes for biometric security, and the cybersecurity sleuths at Sophos unravel a curious caper. Stay with us. Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber Rohan Pinto is CTO of One Cosmos. I recently caught up with him to discuss implications of AI deepfakes for biometric security.

Rohan Pinto

I think the reliance on biometric security should increase given the time period that we are in right now with the exponential increase of deepfakes and AI generated content. Because deepfakes in itself, they can mimic facial features, they can mimic voice patterns, they can even mimic iris scans, thereby having the ability for an attacker to bypass a biometric authentication or verification system. So I think it is pretty crucial for any organization that works with biometrics to not discount the fact that deepfakes are being used extensively, especially given the whole North Korean hackers actually being able to secure themselves jobs in the U.S. department of Defense by using deepfakes. So it is pretty crucial that every organization that looks at biometrics to increase or enhance your security posture does consider looking at methodologies and processes to thwart deepfakes as well.

Dave Bittner

You know, I think like a lot of people, the most frequent interaction I have with this sort of thing is on my mobile device. I have an iPhone. I use face ID to log in, and it works remarkably well. And then I'll go to the airport and they might ask me to have my face scanned. I was at a theme park recently and they used facial ID instead of tickets to get into the theme park. I'm curious, what is the state of the art these days? What is happening at the highest level with this sort of technology? I know you and your colleagues there get very high marks for the products that you all provide. Where do we stand?

Rohan Pinto

We got to remember one thing. When we talk in terms of systems or mobile devices or even kiosks at a theme park, using face ID to authenticate an individual, we got to remember that the authenticity is what matters, because end of the day, face ID is local to the mobile, and you can actually have multiple individuals register their face ID on the same device. So face ID in itself is not sufficient to thwart deepfakes. When you look at mobile apps or kiosks that rely on systems that purely base identification or presence of an individual is not sufficient, because what face ID and touch ID does is that it identifies presence. It does not actually bind the identity of the user to the actual authentication mechanism. For example, on my mobile device, I have my face registered, and I also have my son's face registered, which means that if I now use face ID to access or authenticate into any corporate system, you have very low assurance that it's actually Rohan Pinto that's logging or accessing the system, because it could be any face ID that is registered on that device. So at One Cosmos, we have approached the entire biometric aspect of authentication and security from a completely different angle. We have something called as live id, which means that we verify the authenticity of the individual in real time by doing a lot of forensics in real time with the face that is being presented. Also match that particular face to the face that was actually registered during the onboarding event to ensure that it is not just cryptographically signed like what face ID does, but also asserts the fact that this is a live individual by doing a liveness check at the time of authentication to have additional assurance that there is an actual identity that that is tied to that particular authentication attempt, regardless of the form of biometrics that are used. I hope that.

Dave Bittner

Well, I mean, let's dig into some of the details of that. When you say a live individual, I mean, are we looking for things like eye movement, Are we looking for things like a heartbeat? What sets me apart from say, a highly accurate silicone mask?

Rohan Pinto

Yeah, absolutely. So when it comes up to silicon masks, again, we do a lot of forensics on the face itself. I'll give you an example. I'll run through a couple of examples. For example, we just don't look at the face. We look at the depth between the ears and the nose, the distance between the eyes, the position of the iris, the angle from which you're looking at the shadows, the depth patterns, and even we do some infrared as well to ensure that the person is a living, breathing individual. However, this might not thwart a silicon mask in the equation, but it does enable us to identify that the person on the other end of the line is a living, breathing individual, regardless of whether the user is using a silicon mask or not. Now that combined with other passive detection techniques to analyze whether it is a deep fake, whether there is noise in the equation, whether there is granularity in the clarity of the image that is being captured, whether the camera being used is a default camera of the device or is being overridden by a third party video streaming service. A combination of a multitude of these elements enable us to have a very high level of accuracy when it comes up to identifying the individual.

Dave Bittner

Well, and it sounds like, I mean, I think you captured one of the key points here, and perhaps it's a point of misunderstanding for a lot of folks, which is that this is a multi layered thing. Right. It's not just the biometrics. There are many other factors that you and the other folks who do this kind of thing. Thing rely on.

Rohan Pinto

Absolutely. It's a combination of biometric factors and it could also include behavioral analytics. And what I mean by behavioral analytics is that let's say the user is authenticating into a system, he's typing in his user ID and password, and once he authenticates into the system, the user performs certain actions. So we also have the ability to detect the user's Behavioral patterns, typing patterns, voice and face, and a combination of them increases our accuracy level to reduces the success rate of spoofing attempts.

Dave Bittner

How do you make sure that you're not introducing undue friction with these sorts of systems?

Rohan Pinto

Yes, that's a very interesting question, because when it comes up to the friction, it's one of the elements that could actually thwart a user from using biometrics. So we try to make it as simple as possible when it comes up to user experience. And we have a lot of focus within our organization on enhancing the user experience. So we do not want the user to go through a multitude of steps to prove who he or she claims to be. We want the user to be able to authenticate using Face id, like what they always do, except that the camera being launched for Face ID is not the default device camera, but actually the camera that gets triggered from within our mobile application itself. So from a user experience perspective, the user does exactly what the user does on a day to day basis, which is look at his phone and log in. But what we do additionally with that 2 second or a 1 second video that is captured, or a sequence of frames from the images that are captured, the keystrokes that are captured, the voice analytics that are captured and sent to our analysis engine to give us real time results is all transparent to the user experience. So from a user experience perspective, all the user does is picks up his phone. The mobile app would tell the user to smile, maybe look left or look right, or maybe even blink, you know, a few simplistic actions that do not confuse the user. And the complexity is all on the passive scanning side. On the server side.

Dave Bittner

What are your recommendations for organizations that are looking into this sort of thing? How do they decide how to align the degree of complexity here versus their own appetite for risk?

Rohan Pinto

Yeah, so risk is another important factor out here, right? Because various organizations have got various risk thresholds that they would like to adhere to. So let's factor in risk in addition to the kind of tool sets that an organization would need to use. Now, either an organization can go out and use tool sets provided by valid third parties or third party organizations, be it Microsoft or Google or Apple by themselves, or even third parties like Plaid or even Twilio offer services that do liveness detection as such, but one cosmos per se, we offer the entirety as a singular platform that the customer can use, where the customer can choose to use things like liveness detection, micro expression analysis. They could evolve alongside a lot of sophisticated generative models that we use for deepfake detection as well. So the integration of the security aspect of an organization's infrastructure could be as simple as making an API call over to us. We carry on with the user journey from there on. Ensure that the biometrics are authentic, ensure that it is not deep fake, ensure that there are no silicon masks used. We ensure that micro expression analysis is also done. Run through a whole bunch of AI models that enable us to determine whether this is AI generated content or otherwise before we can return back not just a success of the authentication attempt, but also a risk threshold that the consuming organization can adjust based on their own risk thresholds or appetite.

Dave Bittner

I see. All right, well Rohan, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?

Rohan Pinto

Well, I think one of the most important things that everybody talks about is what are the mitigation strategies for, you know, for deepfake detection or for using deepfakes. So one thing that I would what I tell everybody is that you got to ensure that liveness detection is enabled and not rely on a static biometric authentication mechanism just like face id, because face ID does liveness detection on the edge. And you would need to do a combination of both liveness detection on the edge as well as on the server side. Additionally add behavioral analytics onto it which is keystrokes or gate or traditional biometric verification systems as well. And on top of it, also ensure that you've got data governance rules in place so that you're using products and technologies that are based on standards and not something that's just available off of the Internet.

Dave Bittner

That's Rohan Pinto, CTO of 1 Cosmos. And finally, cybersecurity sleuths at Sophos have unraveled a curious caper. Over 130 open source GitHub projects booby trapped with backdoors, all courtesy of a mystery dev known only as ischhfd83. The plot kicked off when a user questioned the safety of Sakura Rat, a so called malware tool that was less weapon, more whoopee cushion. Upon inspection, researchers found the code discreetly downloaded, extra malware mid compilation, targeting not businesses, but in a karmic twist, other hackers and wannabes. What followed was a journey through a thicket of copy pasted chaos, automated commits, copycat accounts and layers of obfuscation cloaking nasties like lumastealer. Sophos suspects this is part of a broader distribution as a service racket. They conclude the digital supply chain's underbelly remains as shady as ever. And if you're downloading free hacking tools from strangers on GitHub, well, maybe you're the mark. And that's the Cyberwire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until the end of August. There's a link in the show Notes. Please do check it out. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.