Dave Bittner
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Laundry Bear airs dirty cyber linen in the Netherlands. AI coding agents are tricked by malicious prompts in a GitHub MCP vulnerability. Tenable patches critical flaws in Network Monitor on Windows. MathWorks confirms ransomware's behind a Matlab outage. The Feds audit NVD over vulnerability backlogs. The FBI warns law firms of evolving Silent Ransom Group tactics. Chinese hackers exploit a Cityworks flaw to breach U.S. municipal networks. Everest ransomware group leaks Coca-Cola employee data. Nova Scotia Power's been hit by ransomware. On today's Threat Vector, David Moulton speaks with his Palo Alto Networks colleagues Tanya Shastri and Navneet Singh about a strategy for secure AI by design. And the CIA's secret spy site was a Star Wars fan page.
It's Tuesday, May 27, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us. It is great to have you with us and we hope everybody had a great long holiday weekend here in the U.S.
Anyway, Dutch intelligence just introduced the world to Laundry Bear, a fresh Russian threat actor with a knack for speed, stealth and stealing inboxes. The group, also tracked by Microsoft as Void Blizzard, has been linked to cyber espionage across NATO with a suspicious focus on defense contractors, aviation and Ukraine. Laundry Bear first popped up after a hack on the Dutch police in 2024 using session hijacking and credentials from the cybercriminal flea market. The Bear broke in, swiped contacts and likely hit other targets too. Despite overlapping tactics with Fancy Bear and the usual GRU suspects, Laundry Bear is being treated as a distinct creature in the growing Russian menagerie. Think of it as the laundry-doing cousin of Sandworm, Cozy and the rest. The Bear's tools are simple, automated and stealthy, just enough to make defenders lose sleep without ever deploying custom malware.
Researchers at Invariant Labs uncovered a critical vulnerability in GitHub's Model Context Protocol server, exposing AI coding agents to prompt injection attacks. The flaw lets attackers plant hidden commands in public GitHub issues. When users direct their AI agents to review these issues, the agents can be tricked into leaking sensitive data from private repositories. This exploit doesn't compromise the MCP tool itself, but manipulates the AI's trust in external content. One proof of concept prompted an agent to pull sensitive data like salaries and private repo info and publish it publicly, all under the guise of user feedback. The vulnerability is model agnostic and impacts the broader AI devtool ecosystem. As AI agents become central to software development, this incident shows traditional security may not be enough.
Tenable has patched two high-severity flaws in its Network Monitor tool for Windows. Discovered by researcher Will Dormann, the bugs affect versions before 6.5.1 and allow local privilege escalation and arbitrary code execution.
The first flaw arises from insecure directory permissions in non-default installations, enabling attackers with local access to elevate privileges. The second flaw is more severe, allowing low-privileged users to plant malicious files and execute them with system rights. No admin clicks required. Tenable's latest update also upgrades several key libraries, addressing broader vulnerabilities. Organizations using Tenable Network Monitor on Windows are urged to update immediately and review directory permissions. These flaws, while requiring local access, pose a serious threat in shared or multi-user environments where the platform's privileged network monitoring role makes it a high-value target.
MathWorks has confirmed a ransomware attack is responsible for the week-long outage that crippled Matlab, affecting millions of users. The incident began on May 18 and disrupted both internal systems and key online services, including licensing and Matlab Online, widely used in academia. Users, including frustrated students and engineers, were left in limbo with vague status updates and no clear cause until MathWorks broke its silence. Some users even resorted to pirating the software just to meet deadlines. The attack especially impacted students during exam season, with licensing servers down and access to Matlab Grader stalled. Although many services are now restored, full recovery is ongoing. Commercial customers with local license servers largely avoided disruption, while educational users who rely on cloud-based access bore the brunt. MathWorks has involved federal law enforcement and is working with cybersecurity experts to finish cleanup and restore remaining services.
The U.S. Department of Commerce has launched an audit of the National Vulnerability Database to address a growing backlog of unprocessed security flaws. The backlog emerged after a key contract was terminated in early 2024, leaving vulnerabilities unexamined.
The audit, led by the Office of Inspector General, aims to evaluate NIST's oversight and improve future processing. NVD leaders recently pledged to use automation and AI tools to catch up and prevent future delays in vulnerability analysis.
The FBI has issued a warning that law firms are being targeted by the Silent Ransom Group, also known as Chatty Spider, Luna Moth and UNC3753. Active since 2022, Silent Ransom Group previously used phishing emails posing as fake subscription alerts to lure victims into phone-based scams. As of March of this year, they've pivoted to calling employees directly while posing as internal IT staff. Victims are tricked into joining remote access sessions, enabling attackers to install tools like WinSCP or Rclone to exfiltrate sensitive data. Silent Ransom Group then demands ransom, threatening to leak data and even calling employees to pressure payment. Their use of legitimate tools makes detection difficult. While law firms are prime targets, medical and insurance organizations have also been hit. The FBI urges strong phishing awareness training, data backups and reporting of any SRG-related incidents.
Cisco Talos reports that a Chinese-speaking threat group, UAT6382, has been exploiting a critical vulnerability in Cityworks to breach US local government networks since January of this year. Cityworks is an enterprise asset management and public asset management platform designed primarily for local governments and public works agencies. The flaw, rated CVSS 8.6, allows remote code execution. After gaining access, the attackers deploy web shells, custom malware and tools like Cobalt Strike and VShell to establish long-term control. The group showed a specific interest in utility management systems. Evidence such as Chinese-language code and tools like TetraLoader, built using the Chinese malware builder MaLoader, supports Cisco's assessment of the group's origin and motives.
The FBI urges affected organizations to update Cityworks immediately and review Cisco's technical indicators to detect possible compromise. The campaign underscores the risk of software vulnerabilities in municipal infrastructure and the growing trend of financially motivated state-linked cyber operations.
The Everest ransomware group has leaked 502 megabytes of data containing sensitive information on 959 Coca-Cola employees across the Middle East, including the UAE, Oman and Bahrain, posted on both their dark web leak site and the XSS cybercrime forum. The files include personal data like names, addresses, passports, visas, banking details and salary records. Also leaked are internal documents mapping Coca-Cola's system, admin accounts, HR roles and organizational hierarchies, critical intel for spear phishing, social engineering and further intrusions. While no passwords were exposed, the data significantly raises Coca-Cola's cyber risk. Everest is known for leaking data when ransom demands are ignored. Coca-Cola hasn't commented on whether negotiations occurred.
Nova Scotia Power confirmed it suffered a ransomware attack traced back to March 19th of this year, although it was only detected on April 25th. The breach disrupted key IT systems like billing payments and customer portals, but not electricity supply. About 280,000 customers had sensitive data stolen and leaked online after the utility refused to pay ransom, citing sanctions, compliance and law enforcement advice. Stolen data includes names, contact info, addresses, social insurance and driver's license numbers, and bank details for autopay users. The company is offering free credit monitoring and has brought in cybersecurity experts to restore systems and strengthen defenses.
Coming up after the break on today's Threat Vector, David Moulton speaks with his Palo Alto Networks colleagues Tanya Shastri and Navneet Singh about a strategy for secure AI by design, and the CIA's secret spy site was a Star Wars fan page. Stay with us.
And now a word from our sponsor, SpyCloud. Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC. How much easier trust can be.
Get started at vanta.com/cyber.
On today's Threat Vector segment, David Moulton speaks with his Palo Alto Networks colleagues Tanya Shastri and Navneet Singh about a strategy for secure AI by design.
David Moulton
Hi, I'm David Moulton, host of the Threat Vector podcast where we discuss pressing cybersecurity threats and resilience and uncover insights in the latest industry trends. In our latest episode, I sat down with two of my colleagues, Tanya Shastry, SVP of Product Management, and Nav Singh, VP of Marketing, to explore a topic that's quietly redefining enterprise security. How to secure AI before it secures you a front page breach. Tanya and Nav pull back the curtain on what you're not seeing. Shadow AI, invisible threats inside browsers, and the hidden vulnerabilities in your AI dev pipeline. They break down how attackers are already exploiting gaps in AI security and how the most forward leaning organizations are staying two steps ahead. This episode will challenge the way you think about AI and security and what you haven't done yet. Check it out wherever you listen to podcasts. How are employees using Gen AI tools like ChatGPT, Copilots and Gemini inside the enterprise today and what risk does that create?
Navneet Singh
Employees are using gen applications in a variety of different ways. Especially you know, if you look at marketing department. I lead marketing for network security here at Palo Alto Networks. We use it in many, many different ways. One example of this we just came out of the Cybersecurity Bigger Scenarios conference which is RSA and biggest week, RSA week at that time. During that time we launched many new products and we had a campaign come out of it. So one of the things that we did in order to launch that was actually do a competition, internal competition where we had to use AI tools to come up with taglines, concepts, creative concepts, videos and so on. So we got 56 submissions in two days and one of those submissions was actually chosen and that's what we went with. We had Deploy Bravely for Prisma AIRS that actually came out of this competition. So this is just one of the ways in which we are using it in my team. And when we talk to customers, they're using it in a variety of ways in sales, marketing, finance, and so on.
David Moulton
Tanya, talk to me about the critical components of a security strategy that allows employees and AI or gen AI use without putting data at risk.
Tanya Shastri
Yes. So as Nav just mentioned, there's tremendous adoption of AI, but there is lack of visibility into what users are actually using. Essentially we call it shadow AI. So first and foremost, one of the very important components is having visibility into what the employees are using, what apps they're using, and then having a visibility into what the app actually does. What does it do? The various attributes of that application so you can assess the risk of that application. That is one area or one component that's important. And as you think about it, really these apps are being generated so quickly and there are more and more new apps. So staying up to speed and being able to recognize and understand which these new apps are continues to be important. Then another area, another component or another piece that's very important is once you have visibility, you have to be able to control the usage of the app. And that control could be a blunt tool where you say it's too risky and I just don't allow access to the application. But more importantly, you also have to be able to have a finer approach in that you allow access to an application, but then you are able to have a finer grained ability to decide what you do with that application. So for example, having access to a chat LLM ChatGPT for general use makes a lot of sense. There's a lot of value to leveraging it, but you may not want it to be used for situations where employees are sharing code with it and asking ChatGPT to improve their code. So being able to have that kind of fine grained control over how an app is used and what data is shared with the app, ensuring that no private sensitive data is shared either inadvertently or otherwise with the application. That's also another important piece, essentially control of that application. 
And then if you choose to decide to allow that application to be used, it's very important to continuously monitor the traffic that's actually going between the application back and forth to ensure that there are no threats, no malware, no other command control, other such things in the communication between the application and Mac.
David Moulton
Nav, let me take it over to you. How does the secure AI by design approach help organizations bake security into the AI development life cycle?
Navneet Singh
So let me talk about a customer example. So I was talking to a customer, which is professional services firm and they're building AI application, they in fact have tested it internally. It helps their consultants prepare for their meetings 2x faster because gives them so much information so quickly and so easily and which basically for a professional services firm means that they could potentially even double their revenues with the same headcount. So it's a. Yeah, is can be a game changer. So when you look at this, you know, going back to what you were saying about CISOs, they are going to feel the pressure from their CEOs and the board to really allow AI. So they. That's why we believe that the best approach is secure AI by design, which means you use AI in your development lifecycle, as Tanya was mentioning. So we offer capabilities to secure AI or safely enable AI in both use cases that we just mentioned, either employees using third party gen applications like ChatGPT so employees can safely use but prevent sensitive data from leaking. And secondly enterprises developing their own AI applications. So all the risks that Tanya had mentioned, so model scanning, red teaming so that we can find vulnerabilities. Looking at the posture, do you have overly permissive AI applications or agents? The runtime security, prompt injection attack, preventing multiple different types of prompt injection attacks.
Dave Bittner
Right.
Navneet Singh
All of that is something that we offer as part of our portfolio of AI. And that's what we mean by being able to secure AI applications by design and securely being able to embrace AI.
David Moulton
Tanya, what does it mean to secure the entire AI pipeline from development to deployment?
Tanya Shastri
So I just shared how the entire stack for AI is new and how there is a lot of complexity in terms of the technologies that are being brought together to deliver an AI application and then essentially the threats that it opens up. And when you think about it, essentially all the threats that open up during development, deployment and runtime are essentially what we need to take care of. So starting with development, being able to scan these ML models, being able to have the confidence that the ML models that are being used are secure, do not have any malware or vulnerabilities in them. Starting right there with scanners and so on, ensuring that there are no secrets shared inadvertently, no data being included in code that should not be included. Those kinds of things at the code development time. From a deployment standpoint, you really need to be able to first assess what all exists in the infrastructure that is all related to the AI applications. Essentially discovery to be able to discover all the pieces that are being brought together to develop the application, ensure that all those pieces are deployed correctly, do not have any misconfigurations being able to ensure that that is done right. That's another big piece from a deployment standpoint. So essentially all the things I talked about, whether it's new agents, plugins, LLMs, data sources, all those need to be deployed and configured appropriately. And then from a runtime perspective, being able to continuously monitor. So essentially when these applications are put in production, they now access the outside world, they're communicating with other applications, with external entities, and being able to continuously monitor that connection and being able to ensure that all the traffic that's going back and forth doesn't have any malware in it, doesn't have any threats in it, there isn't any data being exfiltrated, being able to make sure that there's no data loss. All those things are also important. 
And I do also want to highlight, and I mentioned before, right, with AI, there is no AI without data for all practical purposes. So ensuring that the data is secure, not just the access to the data, but important secure data, private data is locked down is appropriate.
David Moulton
If you've liked what you heard, catch the full episode now in your Threat Vector podcast feed. It's called Securing AI in the Interpretation Enterprise, released May 22. Don't get left behind.
Dave Bittner
Be sure to check out the complete Threat Vector podcast wherever you get your favorite podcasts.
And finally, imagine logging into a crusty old Star Wars fan site, StarWarsWeb.net, only to learn years later that it wasn't just peddling Battlefront 2 nostalgia and Lego sets. It was a covert CIA channel for communicating with human intelligence sources around the world. "Like these games, you will," read the site's Yoda quote, which honestly, this podcast host probably clicked on twice without ever realizing it was part of an international spy network. According to security researcher Ciro Santilli, this now defunct relic was one of many CIA-operated sites disguised as innocuous hobbies, extreme sports, Brazilian music, even comedy fan sites. The idea? Hide spy communications in plain sight. The method? A secret login triggered by typing a password into the site's search bar. The results? Well, I've got a very bad feeling about this. Iranian authorities caught wind of the setup over a decade ago, eventually unraveling a web that reportedly led to the deaths of over two dozen CIA sources in China between 2011 and 2012. Santilli's interest in the case started with some personal curiosity, his mother-in-law is part of the Falun Gong movement, but quickly turned into a deep dive hobby involving Tor bots, HTML sleuthing and hours of crawling through the Wayback Machine. His breakthrough was discovering that the CIA hadn't bothered to mask IP address patterns or remove file names from publicly posted screenshots. From there, he tracked down hundreds of related domains. Zach Edwards, an independent cybersecurity researcher, says the findings align with what the infosec community suspected for years. He said, "Yes, the CIA absolutely had a Star Wars fan website with a secretly embedded communication system," noting that even in spycraft, developer errors like leaving digital breadcrumbs can bring an operation down. Santilli unearthed the sites using a mix of open source tools, sheer patience, and presumably zero Jedi mind tricks. It's a trap.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.
CyberWire Daily Summary: "BEAR-ly Washed and Dangerous" | May 27, 2025
Hosted by Dave Bittner from N2K Networks, the CyberWire Daily episode titled "BEAR-ly Washed and Dangerous" delivers a comprehensive update on the latest cybersecurity threats, vulnerabilities, and industry insights. This summary encapsulates the key discussions, expert interviews, and critical analyses presented throughout the episode.
a. Introduction of Laundry Bear Threat Actor
Notable Quote:
"Laundry Bear's tools are simple, automated and stealthy, just enough to make defenders lose sleep without ever deploying custom malware." – Dave Bittner [02:45]
b. GitHub MCP Vulnerability and AI Coding Agents Exploitation
c. Tenable Patches High-Severity Flaws in Network Monitor Tool
d. MathWorks Suffers Ransomware Attack Affecting Matlab Services
e. U.S. Department of Commerce Audits National Vulnerability Database (NVD)
f. FBI Warns Law Firms About Silent Ransom Group Tactics
g. Chinese Hackers Exploit Cityworks Vulnerability to Breach U.S. Municipal Networks
h. Everest Ransomware Group Leaks Coca-Cola Employee Data
i. Nova Scotia Power Ransomware Attack
Participants:
Discussion Highlights:
a. The Growing Use of Generative AI in Enterprises
b. Critical Components of a Secure AI Strategy
c. Secure AI by Design Approach
d. Securing the Entire AI Pipeline
Conclusion of Interview: The conversation underscores that as AI becomes integral to enterprise operations, embedding security at every stage of AI development and deployment is crucial to prevent potential breaches and data leaks.
Notable Quotes:
"Another important piece, essentially control of that application." – Tanya Shastri [19:07]
"That's what we mean by being able to secure AI applications by design and securely being able to embrace AI." – Navneet Singh [22:07]
Overview: Dave Bittner narrates an intriguing case where a seemingly innocuous Star Wars fan site, StarWarsWeb.net, was actually a covert CIA channel used for communicating with human intelligence sources globally.
Key Points:
Notable Quote:
"Even in spycraft, developer errors like leaving digital breadcrumbs can bring an operation down." – Dave Bittner [25:10]
Expert Insight: Zach Edwards, a cybersecurity researcher, corroborated Santilli’s findings, highlighting that despite the sophistication of spy operations, oversights like digital breadcrumbs can lead to significant security breaches.
Conclusion: The case exemplifies the delicate balance between operational security and the risks posed by inadvertent digital leaks, even in highly secretive intelligence operations.
The episode includes sponsorship segments promoting products like DeleteMe for privacy protection, SpyCloud for identity threat protection, Vanta for governance, risk, and compliance (GRC) management, and ThreatLocker for system security.
Dave Bittner wraps up the episode by emphasizing the importance of staying informed about evolving cyber threats and implementing robust security measures across all facets of technology use, including the burgeoning field of AI.
Closing Quote:
"It's a trap." – Dave Bittner [25:34]
Stay updated with daily cybersecurity news and expert analyses by tuning into the CyberWire Daily, your essential source for industry-leading insights.
Production Credits:
For detailed links to today’s stories, visit the daily briefing at thecyberwire.com.