CyberWire Daily Summary: "BEAR-ly Washed and Dangerous" | May 27, 2025
Hosted by Dave Bittner from N2K Networks, the CyberWire Daily episode titled "BEAR-ly Washed and Dangerous" delivers a comprehensive update on the latest cybersecurity threats, vulnerabilities, and industry insights. This summary encapsulates the key discussions, expert interviews, and critical analyses presented throughout the episode.
1. Major Cybersecurity News
a. Introduction of Laundry Bear Threat Actor
- Overview: Dutch intelligence has identified a new Russian threat actor known as Laundry Bear (also tracked as Void Blizzard by Microsoft). This group specializes in cyber espionage, targeting NATO countries with a focus on defense contractors, aviation sectors, and Ukraine.
- Technique: Laundry Bear relies on simple, automated, and stealthy tooling and avoids custom malware to evade detection. Its first known operation was a 2024 intrusion at the Dutch police, carried out using session hijacking and credentials bought on cybercriminal marketplaces.
- Distinction: Although their tactics overlap with known groups like Fancy Bear, Laundry Bear is recognized as a distinct entity within the Russian cyber threat landscape.
Notable Quote:
"Laundry Bear's tools are simple, automated and stealthy, just enough to make defenders lose sleep without ever deploying custom malware." – Dave Bittner [02:45]
b. GitHub MCP Vulnerability and AI Coding Agents Exploitation
- Discovery: Invariant Labs uncovered a critical vulnerability in GitHub's Model Context Protocol (MCP) server, exposing AI coding agents to prompt injection attacks.
- Impact: This flaw allows attackers to embed hidden commands in public GitHub issues, tricking AI agents into leaking sensitive data from private repositories.
- Proof of Concept: The researchers demonstrated that an injected issue could make the agent extract private data, such as salary information and private repository details, disguised as ordinary user feedback.
- Broader Implications: The vulnerability is model-agnostic, posing risks across the AI development ecosystem as AI becomes integral to software development.
c. Tenable Patches High-Severity Flaws in Network Monitor Tool
- Details: Tenable has released patches for two critical vulnerabilities in its Network Monitor tool for Windows, identified by researcher Will Dormann.
  - Flaw 1: Insecure directory permissions in non-default installations allow local privilege escalation.
  - Flaw 2: Low-privileged users can execute arbitrary code with SYSTEM rights without any administrative intervention.
- Recommendation: Organizations using Tenable Network Monitor on Windows should update immediately and review directory permissions to mitigate risks, especially in multi-user environments.
d. MathWorks Suffers Ransomware Attack Affecting MATLAB Services
- Incident: A ransomware attack on May 18 led to a week-long outage of MATLAB services, impacting millions of users, particularly in academia during exam season.
- Effects: Disrupted internal systems, licensing servers, and MATLAB Online, forcing some users to resort to pirated versions.
- Response: MathWorks is collaborating with federal law enforcement and cybersecurity experts to restore services and enhance security measures.
e. U.S. Department of Commerce Audits National Vulnerability Database (NVD)
- Background: An audit initiated by the Office of Inspector General aims to address a backlog of unprocessed security flaws in the NVD, a situation exacerbated by a terminated contract in early 2024.
- Objective: Evaluate NIST's oversight and implement strategies using automation and AI tools to manage vulnerability analysis more efficiently and prevent future delays.
f. FBI Warns Law Firms About Silent Ransom Group Tactics
- Threat Actor: Silent Ransom Group (also known as Chatty Spider, Luna Moth, and UNC3753) has evolved its tactics from phishing emails to direct phone-based scams.
- Methodology: Posing as internal IT staff, they trick employees into starting remote access sessions, then install tools such as WinSCP or rclone to exfiltrate data.
- Impact: Targets primarily law firms, but medical and insurance sectors are also affected.
- Advice: The FBI recommends robust phishing awareness training, regular data backups, and prompt reporting of any related incidents.
g. Chinese Hackers Exploit Cityworks Vulnerability to Breach U.S. Municipal Networks
- Vulnerability: A critical flaw in Cityworks, an asset management platform for local governments, allows remote code execution (CVSS 8.6).
- Activities: Since January, the Chinese-speaking threat group UAT6382 has deployed web shells, custom malware, and tools like Cobalt Strike to maintain long-term control over breached networks.
- Target Focus: Utility management systems are of particular interest, highlighting risks to municipal infrastructure.
- FBI Recommendation: Immediate updating of Cityworks software and adherence to Cisco’s technical indicators to detect compromises.
h. Everest Ransomware Group Leaks Coca-Cola Employee Data
- Breach Details: Everest has leaked 502 MB of data affecting 959 Coca-Cola employees in the Middle East, including sensitive personal information and internal organizational documents.
- Consequences: Facilitates spear phishing, social engineering, and further intrusions. While passwords were not exposed, the leaked data significantly heightens cybersecurity risks for Coca-Cola.
- Company Response: Coca-Cola has not disclosed whether ransom negotiations occurred.
i. Nova Scotia Power Ransomware Attack
- Incident: A ransomware attack traced back to March 19 was detected on April 25, affecting billing payments and customer portals.
- Impact: Approximately 280,000 customers had sensitive data stolen and leaked online. The utility emphasized that electricity supply remained unaffected.
- Response: Nova Scotia Power is offering free credit monitoring and has engaged cybersecurity experts to enhance system security and restore operations.
2. In-Depth Interview: Securing AI by Design
Participants:
- David Moulton: Host of the Threat Vector podcast
- Tanya Shastri: SVP of Product Management, Palo Alto Networks
- Navneet Singh: VP of Marketing, Palo Alto Networks
Discussion Highlights:
a. The Growing Use of Generative AI in Enterprises
- Navneet Singh discusses how employees across departments like marketing, sales, and finance are leveraging generative AI tools (e.g., ChatGPT, Copilots, Gemini) to enhance productivity and creativity.
- Example: "We had an internal competition using AI tools to generate taglines and concepts, resulting in the successful deployment of Prisma AIRS' new campaign." (Navneet Singh [16:35])
b. Critical Components of a Secure AI Strategy
- Tanya Shastri emphasizes the importance of visibility into AI tool usage (referred to as "shadow AI"), assessing application risks, and implementing fine-grained controls to prevent sensitive data exposure.
- Quote: "Ensuring that no private sensitive data is shared either inadvertently or otherwise with the application is also another important piece." (Tanya Shastri [17:54])
c. Secure AI by Design Approach
- Navneet Singh outlines how integrating security into the AI development lifecycle helps organizations mitigate risks associated with AI applications.
- Key Aspects:
  - Model Scanning & Red Teaming: Identifying vulnerabilities within AI models.
  - Posture Assessment: Ensuring AI applications are not overly permissive.
  - Runtime Security & Prompt Injection Prevention: Protecting against real-time threats and manipulations.
d. Securing the Entire AI Pipeline
- Tanya Shastri details the necessity of securing AI from development through deployment and runtime, covering aspects like model integrity, infrastructure security, continuous monitoring, and data protection.
- Quote: "Ensuring the data is secure, not just the access to the data, but important secure data, private data is locked down appropriately." (Tanya Shastri [22:33])
Conclusion of Interview: The conversation underscores that as AI becomes integral to enterprise operations, embedding security at every stage of AI development and deployment is crucial to prevent potential breaches and data leaks.
Notable Quotes:
"Another important piece, essentially control of that application." – Tanya Shastri [19:07]
"That's what we mean by being able to secure AI applications by design and securely being able to embrace AI." – Navneet Singh [22:07]
3. The CIA's Secret Spy Site: A Star Wars Fan Page
Overview: Dave Bittner narrates an intriguing case where a seemingly innocuous Star Wars fan site, StarWarsWeb.net, was actually a covert CIA channel used for communicating with human intelligence sources globally.
Key Points:
- Exposure: Security researcher Ciro Santilli uncovered that the site was part of a network of CIA-operated domains masquerading as hobbyist sites.
- Method: The CIA embedded secret logins triggered by entering passwords into the site's search bar, facilitating covert communications.
- Consequences: Iranian authorities discovered the setup over a decade ago, leading to the unraveling of a network responsible for the deaths of over two dozen CIA sources in China between 2011 and 2012.
- Investigation: Santilli's research involved meticulous analysis using open-source tools and the Wayback Machine, revealing unmasked IP patterns and related domains.
Notable Quote:
"Even in spycraft, developer errors like leaving digital breadcrumbs can bring an operation down." – Dave Bittner [25:10]
Expert Insight: Zach Edwards, a cybersecurity researcher, corroborated Santilli’s findings, highlighting that despite the sophistication of spy operations, oversights like digital breadcrumbs can lead to significant security breaches.
Conclusion: The case exemplifies the delicate balance between operational security and the risks posed by inadvertent digital leaks, even in highly secretive intelligence operations.
4. Sponsorship Messages
The episode includes sponsorship segments promoting products like DeleteMe for privacy protection, SpyCloud for identity threat protection, Vanta for governance, risk, and compliance (GRC) management, and ThreatLocker for system security.
Final Thoughts
Dave Bittner wraps up the episode by emphasizing the importance of staying informed about evolving cyber threats and implementing robust security measures across all facets of technology use, including the burgeoning field of AI.
Closing Quote:
"It's a trap." – Dave Bittner [25:34]
Stay updated with daily cybersecurity news and expert analyses by tuning into the CyberWire Daily, your essential source for industry-leading insights.
Production Credits:
- Senior Producer: Alice Carruth
- Producer: Liz Stokes
- Mixer: Trey Hester
- Music and Sound Design: Elliot Peltzman
- Executive Producer: Jennifer Eiben
- Publisher: Peter Kilpe
For detailed links to today's stories, see the daily briefing at thecyberwire.com.
