CyberWire Daily: Appetite for Tracking – A Feast on Private Data
Release Date: June 4, 2025
Host: Dave Bittner
Guest: Rohan Pinto, CTO of 1Kosmos
Introduction
In this episode of CyberWire Daily, host Dave Bittner walks through a series of notable cybersecurity developments, ranging from large-scale privacy violations to emerging threats in the cyber landscape. The episode also features an in-depth interview with Rohan Pinto, CTO of 1Kosmos, who explores the implications of AI-generated deepfakes for biometric security.
Major Privacy Violations: Meta and Yandex Tracking Scripts
Timestamp: [00:02]
Researchers have identified a substantial privacy breach involving tracking scripts from Meta and Yandex embedded across millions of websites. These scripts exploit legitimate browser functionalities to correlate web activity with user identities in Android applications such as Facebook, Instagram, and Yandex. This method effectively "bypasses the Android security model and browser privacy protections," breaking the sandbox that segregates web and app data.
Key Points:
- Meta initiated this tracking in 2023, while Yandex employed similar tactics since 2017.
- The abuse includes covert communication via local ports and misuse of protocols like WebRTC.
- Despite claims from Meta and Yandex that no sensitive data is collected, this technique de-anonymizes users even during private browsing sessions.
- Partial fixes have been implemented by browsers like Chrome, DuckDuckGo, Brave, and Vivaldi, but researchers emphasize the need for platform-level reforms to manage local port access and enhance transparency.
Quote:
"This bypasses Android security model and browser privacy protections, effectively breaking the sandbox that separates web and app data."
— Dave Bittner [02:10]
Vanta Data Breach Incident
Timestamp: [05:15]
Vanta, a compliance automation firm, reported a data breach affecting approximately 4% of its customers. The breach resulted from a product code change that compromised data isolation within Vanta's multi-tenant platform, leading to cross-customer data leakage.
Details:
- Affected data includes employee names, roles, security configurations, MFA usage, and integration details from under 20% of third-party integrations.
- Vanta has notified all impacted customers and expects full remediation by the episode's release.
- Given Vanta's role in supporting frameworks like SOC 2, ISO 27001, HIPAA, and GDPR, this breach is particularly sensitive for their security-focused clientele.
Emerging Threats: PumaBot and Ramnit Trojan
Timestamp: [08:45]
Polyswarm researchers have uncovered a new Linux-based botnet named PumaBot, which targets vulnerable IoT devices, especially surveillance systems. Written in Go, PumaBot employs a targeted approach using curated IP lists to evade broad internet scanning and detection.
PumaBot Characteristics:
- Brute forces SSH credentials, focusing on devices from Pumatronix.
- Establishes persistence by masquerading as legitimate services like Redis or MySQL.
- Primarily used for cryptocurrency mining with tools like XMRig.
- Collects system data to maintain inventories of infected devices.
Additionally, Honeywell's latest security report highlights a significant rise in ransomware attacks targeting industrial organizations. Notably, the Ramnit banking trojan has been repurposed for industrial control system (ICS) intrusions, exhibiting a 3,000% spike in detections in Q4 2024 compared to Q2.
Quote:
"Ramnit, originally a banking trojan, appears to be repurposed to extract industrial control system credentials."
— Dave Bittner [12:30]
Cyber Attacks on The North Face and Black Owl Team
Timestamp: [11:00]
The North Face recently faced a credential stuffing attack, where hackers utilized stolen login details from other breaches to access customer accounts. While payment data remained secure, personal information such as contact details, shipping addresses, and purchase histories were exposed. The company responded by disabling compromised credentials and enforcing password resets.
Black Owl Team (BO Team):
According to Kaspersky, the BO Team has emerged as a significant cyber threat to Russian institutions. Active since early 2024, this pro-Ukraine hacker group independently targets Russian government agencies and industries, employing sophisticated tools like DarkGate, BrockenDoor, and Remcos. Their recent attack disrupted a third of Russia's national court filing system.
CISA's ICS Advisories
Timestamp: [14:00]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued critical advisories addressing severe vulnerabilities in Schneider Electric and Mitsubishi Electric industrial products. These vulnerabilities pose threats to critical infrastructure sectors, including energy and manufacturing.
Key Vulnerabilities:
- A critical flaw in Schneider's home automation devices allows remote code execution via buffer overflow (CVSS 9.3).
- Another Schneider vulnerability permits local code execution in EcoStruxure software.
- Mitsubishi's MELSEC iQ-F PLC has a CVSS 9.1 information disclosure flaw due to improper input validation.
CISA urges immediate mitigation, including firmware updates and enhanced network security measures.
KiranaPro Data Wiping Attack
Timestamp: [17:00]
KiranaPro, an Indian grocery delivery startup, suffered a devastating cyberattack that resulted in the complete wiping of its data, including app code and sensitive customer information. Discovered on May 26, the breach was executed via compromised AWS and GitHub root accounts, likely through a former employee's credentials.
Impact:
- The attack halted operations for over 30,000 active users across 50 cities.
- Despite using Google Authenticator for multifactor authentication, hackers deleted all EC2 instances, eliminating logs and recovery options.
- KiranaPro is pursuing legal action and investigating the incident with GitHub.
UK's Cyber and Electromagnetic Command
Timestamp: [19:30]
The UK Ministry of Defense has unveiled its Strategic Defense Review, highlighting the establishment of the new Cyber and Electromagnetic (Cyber EM) Command. This entity integrates cyber operations with electromagnetic warfare, recognizing its foundational role in modern military strategy.
Key Features:
- Responsible for both offensive and defensive cyber missions.
- Coordinates across various military services and collaborates with the National Cyber Force.
- Anchors the UK's new digital targeting web for rapid precision strikes.
- The command is slated to be operational by the end of the year, with an investment exceeding £1 billion.
- UK Defense Secretary John Healey aims to enhance military readiness by 2027 through increased force size and expanded technological capabilities.
Interview: Rohan Pinto on AI Deepfakes and Biometric Security
Guest: Rohan Pinto, CTO of 1Kosmos
Timestamp: [14:32] - [26:46]
Dave Bittner engages in a comprehensive discussion with Rohan Pinto about the rising threat of AI-generated deepfakes and their impact on biometric security systems.
Key Insights:
Increasing Reliance on Biometrics: Pinto emphasizes the need for stronger biometric security measures in the face of sophisticated deepfakes that can mimic facial features, voice patterns, and iris scans.
"Deepfakes... have the ability for an attacker to bypass a biometric authentication or verification system."
— Rohan Pinto [14:32]
Current State of Biometric Systems: While technologies like Face ID on mobile devices offer convenience, Pinto points out their limitations, such as the inability to ensure the authenticity of the individual since multiple faces can be registered on a single device.
"Face ID in itself is not sufficient to thwart deepfakes."
— Rohan Pinto [16:29]
1Kosmos' Approach - LiveID: The company offers a LiveID system that conducts real-time forensics of the presented face, including depth analysis, iris positioning, and infrared scans, to verify that the individual is alive and not presenting a mask or deepfake.
"We verify the authenticity of the individual in real time... ensuring that there is a live individual tied to that authentication attempt."
— Rohan Pinto [16:29]
Multi-Layered Security: Pinto advocates for a combination of biometric factors and behavioral analytics (such as typing patterns and voice recognition) to enhance security without introducing user friction.
"It's a combination of biometric factors and it could also include behavioral analytics."
— Rohan Pinto [21:10]
Mitigation Strategies: Emphasizing the importance of liveness detection both on the device and server side, Pinto advises organizations to adopt comprehensive security measures that include behavioral analytics and strict data governance.
"Ensure that liveness detection is enabled and not rely on a static biometric authentication mechanism..."
— Rohan Pinto [25:36]
Sophos Uncovers GitHub Backdoors
Timestamp: [26:46]
Sophos cybersecurity experts have discovered that over 130 open-source GitHub projects were compromised with backdoors by a mysterious developer identified as ischhfd83. This incident began when a user raised concerns about the safety of Sakura Rat, a purported malware tool that was more of a "whoopee cushion" than a functional weapon.
Details:
- The malicious code discreetly downloaded additional malware during compilation, targeting other hackers and aspiring malicious actors rather than businesses.
- The investigation revealed a complex web of copy-pasted code, automated commits, fake accounts, and obfuscated malware such as Lumma Stealer.
- Sophos suspects this is part of a broader distribution-as-a-service racket, highlighting the murky depths of the digital supply chain.
Conclusion:
"And if you're downloading free hacking tools from strangers on GitHub, well, maybe you're the mark."
— Dave Bittner [26:46]
Conclusion
This episode of CyberWire Daily underscores the evolving and increasingly sophisticated nature of cyber threats, from privacy violations and data breaches to the challenges posed by AI-driven deepfakes. The insights provided by industry leaders like Rohan Pinto offer valuable strategies for enhancing security measures to counteract these emerging dangers. As cyber threats continue to evolve, staying informed and adopting multi-layered security approaches remains essential for organizations worldwide.
Credits:
- Senior Producer: Alice Carruth
- Producer: Liz Stokes
- Mixer: Trey Hester
- Original Music & Sound Design: Elliot Peltzman
- Executive Producer: Jennifer Eiben
- Publisher: Peter Kilpe
- Host: Dave Bittner
