Transcript
Catherine Wanis (0:02)
You're listening to the CyberWire network, powered by N2K.
Dave Bittner (0:12)
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Fortinet patches a critical flaw in its FortiWeb web application firewall. Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command's fiscal 2026 budget includes a new AI project. Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy's Ministry of Foreign Affairs. Mexico's former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories. A retired U.S. Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Wanis, VP of Product at Fingerprint, discussing how bots are being used to facilitate music royalty fraud. And a federal judge is not impressed with a crypto thief's lack of restitution.
It's Friday, July 11th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us. It's great as always to have you here with us.
Fortinet has patched a critical flaw in its FortiWeb web application firewall, affecting multiple versions. With a CVSS score of 9.6, the vulnerability allows unauthenticated attackers to run unauthorized SQL commands and potentially achieve remote code execution via the GUI component. If you run FortiWeb, isolate its web admin interface from the Internet and plan to patch quickly. If patching is going to be delayed, consider disabling the web admin interface entirely. Although this blocks normal admin access, disabling the admin interface is only a temporary mitigation, not a permanent fix. Patching remains the safest and easiest solution.
Hackers are exploiting a critical vulnerability in Wing FTP Server to execute arbitrary code remotely. The flaw stems from mishandling null bytes, allowing attackers to inject Lua code into user session files and gain root or system privileges. While authentication is required, the exploit works with anonymous FTP accounts if enabled. Wing FTP patched this in a version released on May 14. However, after technical details and a proof-of-concept exploit were published on June 30, attacks began immediately. Huntress reports exploitation attempts, including fetching files, system fingerprinting, and deploying remote access tools. About 8,100 Wing FTP servers are Internet accessible, with over 5,000 exposing web interfaces, increasing their risk of compromise.
US Cyber Command's fiscal 2026 budget includes $5 million to launch a new AI project under its $1.3 billion R&D plan, DefenseScoop reports. This initiative follows a 2023 congressional mandate requiring Cybercom and other defense agencies to create a five-year roadmap for rapidly adopting AI in cyber operations. The project, called Artificial Intelligence for Cyberspace Operations, focuses on developing core data standards to curate and tag data for AI and machine learning integration.
Housed within the Cyber National Mission Force, it will pilot AI technologies using agile 90-day cycles for rapid testing and validation. Efforts include improving threat detection, automating data analysis and enhancing decision making. The budget also outlines five AI application vulnerabilities and exploits, network security and monitoring, modeling and predictive analytics, persona and identity, and infrastructure and transport. This reflects Cybercom's broader push to operationalize AI for evolving cyber threats efficiently and effectively.
Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek, calling it a national security threat and banning its software from government devices. DeepSeek, known for its low-cost large language model released in January, has faced bans in several countries over privacy concerns. The Czech agency NÚKIB found DeepSeek's app collects and stores user data in ways accessible to Chinese authorities under laws like China's National Intelligence Law. It also warned the company's founder has ties to dual-use military technologies. DeepSeek stores user data on servers in China and Russia, raising further security risks. This follows similar warnings from countries including Australia, India and the Netherlands. US lawmakers are also considering banning its use in government. DeepSeek has not commented on the ban.
The DoNot APT group, believed linked to India, has targeted Italy's Ministry of Foreign Affairs in a recent cyber espionage campaign, Trellix reports. Known for South Asian espionage, DoNot APT is expanding to European diplomatic targets. Attackers sent spear phishing emails impersonating European defense officials discussing an Italian defense attache visit to Bangladesh. The emails contained malicious Google Drive links leading to a RAR archive deploying malware. This infection chain used notflog.exe and a scheduled task called Perform Task Maintain for persistent access.
The payload was linked to LoptikMod malware used exclusively by DoNot APT since 2018. The operation aimed to exfiltrate sensitive diplomatic data while evading detection, Trellix warns. This sophisticated attack underscores the group's growing interest in European intelligence and highlights the need for enhanced cyber defenses.
Mexico's attorney general has launched an investigation into claims that former President Enrique Peña Nieto took up to $25 million in bribes from Israeli businessmen to secure spyware contracts, including the Pegasus spyware from NSO Group. The allegations stem from an Israeli business publication, TheMarker, citing arbitration documents between businessman Yuri Ansbacher and Avishai Nariya. These documents reportedly describe bribes paid to Peña Nieto in exchange for lucrative government security contracts. Peña Nieto denied the claims, calling them baseless. During his presidency, Pegasus spyware was used to target journalists, scientists and activists in Mexico. The investigation seeks international legal assistance to access documents from Israeli courts. NSO Group did not comment on the allegations. Peña Nieto has faced previous corruption probes but has never been charged.
The FBI has seized NSW2U, a major Nintendo Switch piracy site, as part of a law enforcement operation with Dutch financial crime agency FIOD. NSW2U hosted Switch game ROMs for use on hacked consoles and emulators. The takedown follows Nintendo's ongoing crackdown on piracy, including lawsuits against emulator creators and ROM sites. NSW2U was added to the EU piracy watchlist in May. Users reported downloading games shortly before its seizure. Nintendo aims to tighten security further with the recent Switch 2 launch.
Yesterday, CISA released 13 advisories detailing vulnerabilities in industrial control systems affecting products from Siemens, Delta, Advantech, Kunbus and others.
The flaws range from issues in Siemens TIA components and SIMATIC hardware to Kunbus RevPi, Delta's DTM Soft and Advantech's iView, among others. CISA urges organizations using ICS equipment to review these advisories promptly and implement recommended mitigations to secure critical infrastructure.
David Franklin Slater, a 64-year-old retired US Army lieutenant colonel and civilian Air Force employee, has pleaded guilty to sharing national defense secrets with a woman he met on a dating app from February to April 2022. Slater, who held top secret clearance at Strategic Command in Nebraska, shared classified details about Russia's war in Ukraine, including military targets and Russian capabilities. The woman, identified only as Co-Conspirator 1, called him her secret informant love and repeatedly requested sensitive information. Despite signing non-disclosure agreements acknowledging potential harm to US security, Slater shared these secrets via email and online messages. He faces up to 10 years in prison, supervised release and a $250,000 fine. Sentencing is set for October 8th.
Coming up after the break, my conversation with Catherine Wanis, VP of Product at Fingerprint. We're discussing how bots are being used to facilitate music royalty fraud, and a federal judge was not impressed with a crypto thief's lack of restitution. Stick around.
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A.com/cyber.
Machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.
Catherine Wanis is VP of Product at Fingerprint. I recently caught up with her to discuss how bots are being used to facilitate music royalty fraud.
