Catherine Wanis
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Fortinet patches a critical flaw in its FortiWeb web application firewall. Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command's fiscal 2026 budget includes a new AI project. Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy's Ministry of Foreign Affairs. Mexico's former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories. A retired U.S. Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Wanis, VP of Product at Fingerprint, discussing how bots are being used to facilitate music royalty fraud. And a federal judge is not impressed with a crypto thief's lack of restitution.

It's Friday, July 11th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us. It's great as always to have you here with us.
Fortinet has patched a critical flaw in its FortiWeb web application firewall, affecting multiple versions. With a CVSS score of 9.6, the vulnerability allows unauthenticated attackers to run unauthorized SQL commands and potentially achieve remote code execution via the GUI component. If you run FortiWeb, isolate its web admin interface from the Internet and plan to patch quickly. If patching is going to be delayed, consider disabling the web admin interface entirely. Although this blocks normal admin access, disabling the admin interface is only a temporary mitigation, not a permanent fix. Patching remains the safest and easiest solution.

Hackers are exploiting a critical vulnerability in Wing FTP Server to execute arbitrary code remotely. The flaw stems from mishandling null bytes, allowing attackers to inject Lua code into user session files and gain root or SYSTEM privileges. While authentication is required, the exploit works with anonymous FTP accounts if enabled. Wing FTP patched this in a version released on May 14. However, after technical details and a proof-of-concept exploit were published on June 30, attacks began immediately. Huntress reports exploitation attempts, including fetching files, system fingerprinting, and deploying remote access tools. About 8,100 Wing FTP servers are Internet accessible, with over 5,000 exposing web interfaces, increasing their risk of compromise.

US Cyber Command's fiscal 2026 budget includes $5 million to launch a new AI project under its $1.3 billion R&D plan, DefenseScoop reports. This initiative follows a 2023 congressional mandate requiring Cybercom and other defense agencies to create a five-year roadmap for rapidly adopting AI in cyber operations. The project, called Artificial Intelligence for Cyberspace Operations, focuses on developing core data standards to curate and tag data for AI and machine learning integration.
Housed within the Cyber National Mission Force, it will pilot AI technologies using agile 90-day cycles for rapid testing and validation. Efforts include improving threat detection, automating data analysis and enhancing decision making. The budget also outlines five AI application areas: vulnerabilities and exploits, network security and monitoring, modeling and predictive analytics, persona and identity, and infrastructure and transport. This reflects Cybercom's broader push to operationalize AI for evolving cyber threats efficiently and effectively.

Czechia's cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek, calling it a national security threat and banning its software from government devices. DeepSeek, known for its low-cost large language model released in January, has faced bans in several countries over privacy concerns. The Czech agency NÚKIB found DeepSeek's app collects and stores user data in ways accessible to Chinese authorities under laws like China's National Intelligence Law. It also warned the company's founder has ties to dual-use military technologies. DeepSeek stores user data on servers in China and Russia, raising further security risks. This follows similar warnings from countries including Australia, India and the Netherlands. US lawmakers are also considering banning its use in government. DeepSeek has not commented on the ban.

The DoNot APT group, believed linked to India, has targeted Italy's Ministry of Foreign Affairs in a recent cyber espionage campaign, Trellix reports. Known for South Asian espionage, DoNot APT is expanding to European diplomatic targets. Attackers sent spear-phishing emails impersonating European defense officials discussing an Italian defense attaché visit to Bangladesh. The emails contained malicious Google Drive links leading to a RAR archive deploying malware. This infection chain used notflog.exe and a scheduled task called PerformTaskMaintain for persistence and access.
The payload was linked to LoptikMod malware, used exclusively by DoNot APT since 2018. The operation aimed to exfiltrate sensitive diplomatic data while evading detection, Trellix warns. This sophisticated attack underscores the group's growing interest in European intelligence and highlights the need for enhanced cyber defenses.

Mexico's attorney general has launched an investigation into claims that former President Enrique Peña Nieto took up to $25 million in bribes from Israeli businessmen to secure spyware contracts, including the Pegasus spyware from NSO Group. The allegations stem from an Israeli business publication, TheMarker, citing arbitration documents between businessmen Uri Ansbacher and Avishai Neriah. These documents reportedly describe bribes paid to Peña Nieto in exchange for lucrative government security contracts. Peña Nieto denied the claims, calling them baseless. During his presidency, Pegasus spyware was used to target journalists, scientists and activists in Mexico. The investigation seeks international legal assistance to access documents from Israeli courts. NSO Group did not comment on the allegations. Peña Nieto has faced previous corruption probes but has never been charged.

The FBI has seized NSW2U, a major Nintendo Switch piracy site, as part of a law enforcement operation with the Dutch financial crime agency FIOD. NSW2U hosted Switch game ROMs for use on hacked consoles and emulators. The takedown follows Nintendo's ongoing crackdown on piracy, including lawsuits against emulator creators and ROM sites. NSW2U was added to the EU piracy watchlist in May. Users reported downloading games shortly before its seizure. Nintendo aims to tighten security further with the recent Switch 2 launch.

Yesterday, CISA released 13 advisories detailing vulnerabilities in industrial control systems affecting products from Siemens, Delta, Advantech, Kunbus and others.
The flaws range from issues in Siemens TIA components and SIMATIC hardware to Kunbus RevPi, Delta's DTM Soft and Advantech's iView, among others. CISA urges organizations using ICS equipment to review these advisories promptly and implement recommended mitigations to secure critical infrastructure.

David Franklin Slater, a 64-year-old retired US Army lieutenant colonel and civilian Air Force employee, has pleaded guilty to sharing national defense secrets with a woman he met on a dating app from February to April 2022. Slater, who held a top secret clearance at Strategic Command in Nebraska, shared classified details about Russia's war in Ukraine, including military targets and Russian capabilities. The woman, identified only as Co-Conspirator 1, called him her "secret informant love" and repeatedly requested sensitive information. Despite signing non-disclosure agreements acknowledging potential harm to US security, Slater shared these secrets via email and online messages. He faces up to 10 years in prison, supervised release and a $250,000 fine. Sentencing is set for October 8th.

Coming up after the break, my conversation with Catherine Wanis, VP of Product at Fingerprint. We're discussing how bots are being used to facilitate music royalty fraud. And a federal judge was not impressed with a crypto thief's lack of restitution. Stick around.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates key compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

Machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

Catherine Wanis is VP of Product at Fingerprint. I recently caught up with her to discuss how bots are being used to facilitate music royalty fraud.
Catherine Wanis
So I'm talking today about really fraudsters that are creating fake artists, releasing AI-generated music, and launching thousands of AI bots to inflate streams and steal royalties from music streaming platforms. So in a recent case, a fraudster reportedly operated 10,000 bot accounts at once to stream his own AI-generated catalog and really get over $10 million, allegedly using his bot army to stream his fake AI-generated music.
Dave Bittner
Well, help us understand, for folks who may not be familiar with how the payment system works with streaming music, what sort of things did this person have to do to generate this income stream?
Catherine Wanis
Yeah, so basically the first thing that he did was he signed up for many different artist accounts on a variety of different streaming services. So he signed up with various music distribution services and said, okay, I'm this artist, I'm that artist, the other artist. He then tried to bring on several different folks to co-create music with him, but realized soon that he couldn't scale that. And so he then enlisted the help of AI to create thousands and thousands and thousands of independent songs, each of which lasted about one minute. So many streaming services have a minimum of 30 seconds of length for a given song, and so he made them one minute in length so that it wouldn't trip up any sort of fraudulent pieces. And then what he did is he set up racks and racks of laptops with 30, 40 different tabs open in each one and programmed each one to be able to play randomized playlists of his own music, sprinkling in a couple of other artists along the way to try not to trip up things as well, to make it look as if there were hundreds of different artists who were being streamed by thousands of different people. He then got paid for all of these different streams for all of his different artists that he had. And that's sort of how the fraud itself was actually perpetrated.
Dave Bittner
Wow. Now, it seems to me like, I suppose the case could be made that the generation of AI generated music isn't the problem here. Certainly there are plenty of accounts I've seen on places like YouTube and the streaming accounts where, you know, people have AI generated music and they're very upfront about it. And I know lots of people enjoy that as sort of, you know, background music, that sort of thing. But it seems to me like the real fraud here was setting up that army of bots to stream the Music to trigger those plays. And that's how he got paid.
Catherine Wanis
Yeah, so definitely AI-generated music does have its own challenges in terms of, especially if it's pulled from other artists, how do you appropriately copyright-protect those different artists and things like that as well. So this has been around since the days when you could do sampling and include things or potentially copy other pieces. But in this particular case, the main fraud was that it was someone who was trying to look as if there were multiple people. And this is called multi-accounting fraud. This is used a lot to try to perform things like promo abuse, or in this particular case, to pretend to be not only a bunch of different artists, but also to be a bunch of different humans listening to those different tracks. There are really four basic classes of fraud that we see automations and fraudsters trying to commit. One is someone trying to look like they're multiple people, which is again this multi-accounting fraud. The second one is someone trying to look like they are someone else, in an account takeover situation. And the third one is really someone who's trying to look like they're somewhere else. So this could be something like regional abuse. And in this particular case, this was a case of multi-accounting fraud where he was trying to pretend to be thousands of real listeners listening to his music.
Dave Bittner
And what ultimately led to his downfall?
Catherine Wanis
What ultimately led to his downfall is that the different streaming services' fraud systems did eventually pick up on the fraud, looking at a variety of different clues that the systems generated that were involved in perpetrating the fraud. So many streaming services don't necessarily do real-time fraud detection; they do fraud detection at the point of paying out the royalties. So even though the case itself talked about $10 million worth of fraud, that was scattered across a wide variety of different streaming services, so it's not like one streaming service got hit with $10 million. The way that they found this out was through a variety of different techniques. One was being able to detect location obfuscation, so he was using VPNs, residential proxies, different IP addresses and so forth. And there are ways that you can detect whether or not that's in use, things like your time zone not matching, even what fonts they have installed on their machines, and things like that that can tell them that. Secondly was that they were able to detect that these automated scripts were being used, so that had bot detection as a part of it. The third is the use of things like multi-accounting browsers or having multiple tabs open in the same browser. Sometimes using device intelligence, you can detect that sort of thing, as well as all being part of the same machine, the same visitor and so forth.
Dave Bittner
What are some of the lessons to be taken away from this for folks in our audience who are tasked with protecting their own organizations for the cybersecurity? Are there general lessons here to be learned?
Catherine Wanis
Yeah, I think the main thing is that although he was using scripts to be able to facilitate streaming these different pieces, in a world where ordinary users are increasingly going to be using automations to perform a variety of tasks (so for example, Gartner estimates that 50% of all service requests in the next five years are going to be generated by automated agents as opposed to humans), it's not just a matter of looking to see whether or not there's an automation in use, but also what the intent of that automation might be. So being able to look at things, clues that can tell you is this someone pretending to be multiple people or not, and whether that's through the use of multi-accounting browsers. There was another case of a rapper who used racks and racks of Android phones in his office, each of which was streaming that. So being able to detect device farms, being able to detect device tampering, which a lot of fraudsters are using, so things like signal tampering, jailbroken phones and so forth, as well as location obfuscation: those are all different clues that folks need to be looking for in terms of detecting these fraudsters. And they all need to be used in conjunction with each other. It's not enough these days to just say, oh, this is a bot or this isn't. You have to be looking for these other clues.
Dave Bittner
Yeah, I mean, I suppose this is the sort of cat and mouse game that we've seen with so many other things in this world of, you know, as each side ups their game, they will both evolve.
Catherine Wanis
Yes, definitely. We definitely will see that. And if bot detection and automation detection ever becomes really robust and sophisticated, I think we'll start seeing people even paying people again, like the old days of click farming and things like that. So fraudsters are always staying one step ahead; we're always trying to catch up with them.
Dave Bittner
We've come a long way since people used to have a little notebook to write down their Nielsen viewing habits, right?
Catherine Wanis
Definitely, definitely.
Dave Bittner
That's Catherine Wanis, VP of Product at Fingerprint. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Nicholas Trullia
This episode is brought to you by Polestar. There's only one true way to experience the all-electric luxury SUV Polestar 3, and that's to take a test drive. It can go from 0 to 60 in as little as 4.8 seconds with the dynamic handling of a sports car. But to truly understand how it commands the road, you need to be behind the wheel. Up to 350 miles of range. The 3D surround sound system by Bowers & Wilkins. It's all something you have to experience to believe. So book your test drive for Polestar 3 today at Polestar.com.
Dave Bittner
And finally, our F around and Find out desk tells us the tale of one Nicholas Truglia, who once thought 18 months in prison was a steep price for stealing $22 million in crypto. Turns out not paying back your victim can make life much steeper. A US judge just bumped his sentence to 12 years after Truglia willfully failed to return nearly $20.4 million. Truglia, part of a crew dubbed "evil computer geniuses," helped hijack blockchain mogul Michael Terpin's SIM card to drain his crypto. Court records revealed Truglia had $53 million in assets, from bitcoin to fine art. His lawyer insisted he surrendered everything accessible. Apparently, he just couldn't access enough to avoid learning that while crypto can be volatile, so can sentencing when you keep the loot.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. Be sure to check out this weekend's Research Saturday and my conversation with Selena Larson from Proofpoint. We're discussing their research, Amatera Stealer, rebranded ACR Stealer with improved evasion and sophistication. That's Research Saturday. Do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

CrogL is AI built for the enterprise SOC, fully private, schema-free and capable of running in sensitive air-gapped environments. CrogL autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. CrogL empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
Release Date: July 11, 2025
Host: Dave Bittner
Guest: Catherine Wanis, VP of Product at Fingerprint
On the July 11, 2025 episode of CyberWire Daily, host Dave Bittner delves into several critical cybersecurity issues ranging from vulnerabilities in web application firewalls to sophisticated fraud schemes involving AI bots. The episode also features an in-depth conversation with Catherine Wanis, VP of Product at Fingerprint, discussing the emerging threat of AI-facilitated music royalty fraud.
Fortinet Patches Critical FortiWeb Vulnerability
Wing FTP Server Exploited for Remote Code Execution
US Cyber Command's AI Initiative in Fiscal 2026 Budget
Czech Cybersecurity Agency Bans Chinese AI Company DeepSeek
DoNot APT Group Targets Italy's Ministry of Foreign Affairs
Mexico’s Former President Investigated for Spyware-Related Bribes
FBI Seizes Major Nintendo Switch Piracy Site
CISA Releases 13 Advisories on Industrial Control Systems (ICS)
Retired US Army Lieutenant Colonel Pleads Guilty to Sharing Classified Information
Guest: Catherine Wanis, VP of Product at Fingerprint
Topic: The use of bots in facilitating music royalty fraud
Catherine Wanis [15:08]:
"Fraudsters are creating fake artists, releasing AI-generated music, and launching thousands of AI bots to inflate streams and steal royalties from music streaming platforms."
Case Study: A fraudster operated 10,000 bot accounts to stream AI-generated music, amassing over $10 million in royalties by simulating thousands of listeners.
Catherine Wanis [15:54]:
"The fraud involved signing up for numerous artist accounts across various streaming services, creating AI-generated tracks of one minute each to bypass minimum length requirements, and using multiple laptops with numerous browser tabs to simulate diverse listening patterns."
Intentional Design: Each track ran about one minute, comfortably past the roughly 30-second minimum many services require before a play counts, and the laptops played randomized playlists with a few other artists sprinkled in, so the streams would look like many listeners hearing many different artists rather than repetitive, flaggable activity.
Catherine Wanis [19:19]:
"The fraudulent activities were eventually detected through multiple clues, such as location obfuscation, use of automated scripts, multi-account browsers, and device tampering."
Detection Techniques:
Location obfuscation: VPNs, residential proxies and rotating IP addresses gave themselves away through mismatches such as the browser's time zone, or even its installed fonts, not matching the claimed location.
Automation: bot detection recognised the scripted playback driving the streams.
Multi-accounting: device intelligence tied many accounts, browser tabs and multi-accounting browsers back to the same machine and the same visitor.
Timing: many services run these checks at royalty payout rather than in real time, and the roughly $10 million was spread across several platforms rather than landing on one.
Catherine Wanis [20:59]:
"It's essential to not only detect the use of automation but also understand the intent behind it. Clues like multi-accounting, device tampering, and location discrepancies must be analyzed collectively for effective fraud detection."
Future Trends:
Ordinary users will increasingly drive services through automations of their own (Wanis cites a Gartner estimate that half of all service requests will come from automated agents within five years), so defenders must judge the intent behind an automation, not merely its presence.
Device farms (such as a rapper's racks of Android phones), device tampering such as jailbroken phones and signal tampering, and location obfuscation are clues to be read together, not in isolation.
If bot and automation detection becomes robust enough, fraudsters may fall back to paying humans, as in the click-farm era; the cat-and-mouse game continues.
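The detection clues above are only useful in combination, so here is an added illustration (not code from Fingerprint, the streaming services or the original page) of scoring stream events per account by stacking independent signals: accounts sharing one device fingerprint, a browser time zone that disagrees with the exit IP's country, a browser automation flag, plays that stop almost uniformly just past the payout minimum, and a linked cluster pouring its plays into a couple of artists. The event schema, the 30-second payout minimum, the thresholds and the country-to-time-zone table are all assumptions chosen for the example; the sample events are constructed.

```python
"""Toy per-account risk scoring for streaming royalty fraud.

Combines several independent signals (shared device, location mismatch,
browser automation, uniform short plays, catalog concentration) rather than
relying on a single "is this a bot" verdict. The event schema, thresholds
and time-zone table are assumptions made for this illustration.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample stream events, not real platform telemetry.
# u1, u2 and u3 share one device fingerprint, report an Indian browser time
# zone behind a US exit IP, and stream the same two artists in ~30 s plays
# with one unrelated artist sprinkled in. u9 is an ordinary listener.
EVENTS = [
    {"account": "u1", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": True, "artist": "a1", "duration": 31},
    {"account": "u1", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": True, "artist": "a2", "duration": 33},
    {"account": "u2", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": True, "artist": "a1", "duration": 32},
    {"account": "u2", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": True, "artist": "a2", "duration": 35},
    {"account": "u3", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": False, "artist": "a2", "duration": 34},
    {"account": "u3", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": False, "artist": "a1", "duration": 31},
    {"account": "u3", "device": "d-aaa", "ip_country": "US", "tz": "Asia/Kolkata", "webdriver": False, "artist": "a7", "duration": 36},
    {"account": "u9", "device": "d-bbb", "ip_country": "DE", "tz": "Europe/Berlin", "webdriver": False, "artist": "a5", "duration": 180},
    {"account": "u9", "device": "d-bbb", "ip_country": "DE", "tz": "Europe/Berlin", "webdriver": False, "artist": "a6", "duration": 240},
]

# Plausible browser time zones per exit-IP country (assumed, illustrative subset).
COUNTRY_TZ = {
    "US": {"America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"},
    "DE": {"Europe/Berlin"},
}

MIN_PAYOUT_SECONDS = 30      # typical minimum play length before a stream pays (assumed)
SHORT_PLAY_MEDIAN = 90       # real listeners mostly play whole tracks, well past this
SHORT_PLAY_SPREAD = 15       # scripted plays tend to stop at nearly the same second
MAX_ACCOUNTS_PER_DEVICE = 2  # a shared household device is normal; three or more is not
CATALOG_SHARE = 0.8          # linked accounts pouring >=80% of plays into two artists


def signals_per_account(events):
    """Return {account: [signal names]} for every account seen in events."""
    by_account = defaultdict(list)
    accounts_on_device = defaultdict(set)
    for e in events:
        by_account[e["account"]].append(e)
        accounts_on_device[e["device"]].add(e["account"])

    result = {}
    for account, evs in by_account.items():
        signals = []
        # Multi-accounting: every account seen on any device this account used.
        linked = set()
        for device in {e["device"] for e in evs}:
            linked |= accounts_on_device[device]
        if len(linked) > MAX_ACCOUNTS_PER_DEVICE:
            signals.append("multi_accounting")
        # Location obfuscation: browser time zone disagrees with the exit IP.
        if any(e["tz"] not in COUNTRY_TZ.get(e["ip_country"], set()) for e in evs):
            signals.append("location_mismatch")
        # Automation: navigator.webdriver (or similar) reported by the client.
        if any(e["webdriver"] for e in evs):
            signals.append("automation")
        # Uniform short plays that clear the payout minimum and little more.
        durations = [e["duration"] for e in evs]
        if (min(durations) >= MIN_PAYOUT_SECONDS
                and median(durations) < SHORT_PLAY_MEDIAN
                and max(durations) - min(durations) <= SHORT_PLAY_SPREAD):
            signals.append("uniform_short_plays")
        # Catalog concentration across the linked cluster, not just this account.
        if len(linked) > 1:
            plays = Counter(e["artist"] for a in linked for e in by_account[a])
            top_two = sum(n for _, n in plays.most_common(2))
            if top_two / sum(plays.values()) >= CATALOG_SHARE:
                signals.append("catalog_concentration")
        result[account] = signals
    return result


def flagged_accounts(events, min_signals=2):
    """Accounts carrying at least min_signals independent fraud signals."""
    return sorted(a for a, s in signals_per_account(events).items() if len(s) >= min_signals)


if __name__ == "__main__":
    for account, signals in signals_per_account(EVENTS).items():
        print(account, signals)
    print("flagged:", flagged_accounts(EVENTS))
```

Note that u3 never raises the automation flag, yet is still caught, because the shared device, the time-zone mismatch and the cluster's play pattern carry it over the two-signal bar; a single "is it a bot" check would have let that account through. The thresholds are deliberately loose in one direction (a household sharing a device is tolerated) and tight in another (plays clustering a few seconds past the minimum), which is the trade-off a real platform would tune against its own payout rules.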
Narrative:
Nicholas Truglia, part of a crew dubbed "evil computer geniuses," faced a significant legal setback after failing to return stolen crypto funds. Initially sentenced to 18 months for stealing $22 million in cryptocurrency by hijacking Michael Terpin's SIM card, Truglia had his sentence raised to 12 years after he willfully failed to return nearly $20.4 million to the victim, despite court records showing $53 million in assets ranging from bitcoin to fine art. The case underscores that in crypto theft cases the penalty does not end at the original sentence when restitution is withheld.
Dave Bittner closes the episode by pointing listeners to the daily briefing at thecyberwire.com for links to all of the day's stories, to the annual audience survey (open through the end of August, with a link in the show notes), and to this weekend's Research Saturday, featuring Selena Larson of Proofpoint on Amatera Stealer, a rebrand of ACR Stealer with improved evasion.
Notable Quote:
"If bot detection and automation detection ever becomes really robust and sophisticated, I think we'll start seeing people even paying people again, like the old days of click farming. So fraudsters are always staying one step ahead; we're always trying to catch up with them."
— Catherine Wanis [22:30]
The July 11, 2025 episode of CyberWire Daily covers a broad slate of current threats, from critical vulnerabilities in FortiWeb and Wing FTP Server and a spear-phishing espionage campaign against Italian diplomats to the emerging problem of AI-driven royalty fraud in the music industry. The conversation with Catherine Wanis is the practical core: automation alone is no longer a verdict, and fraud teams need to combine device, location, tampering and multi-accounting signals to read the intent behind the traffic they see.
For more detailed information on today's stories, visit CyberWire Daily Briefing or participate in their annual audience survey.