CyberWire Daily Summary: Episode "Beware of BADBOX" (June 6, 2025)
Hosted by N2K Networks, CyberWire Daily delivers the latest in cybersecurity news and expert analysis. In this episode titled "Beware of BADBOX," released on June 6, 2025, host Dave Bittner and guest Ian Bramson, Global Head of Industrial Cybersecurity at Black and Veatch, cover the day's significant threats and critical vulnerabilities and discuss how organizations can close the cyber attack readiness gap.
Key News Highlights
DOJ Seizes Over $7 Million Linked to North Korean IT Workers
The U.S. Department of Justice (DOJ) has taken decisive action by filing a civil forfeiture complaint to seize more than $7.7 million in cryptocurrency connected to North Korean IT operatives. These workers, primarily based in China and Russia, illicitly gained remote employment using stolen identities, funneling their earnings to finance North Korea's weapons programs while evading U.S. sanctions.
Dave Bittner highlights:
"These workers, often based in China and Russia, secretly funneled earnings to fund North Korea's weapons program, skirting US sanctions." (02:08)
The scheme was allegedly run by Sim Hyon Sop, a Foreign Trade Bank representative, and Kim Sang Man, CEO of Chinyong, an IT company subordinate to North Korea's Ministry of Defense. Laundering tactics included chain hopping, token swapping, and purchasing NFTs. The seizure is part of the broader DPRK RevGen: Domestic Enabler Initiative, which targets North Korea's overseas revenue streams and their U.S.-based enablers, with the FBI and DOJ leading the investigations.
FBI Alerts on BADBOX 2.0 Malware Targeting IoT Devices
The FBI has issued a warning about BADBOX 2.0, a malware campaign that has compromised over one million consumer Internet of Things (IoT) devices globally. Found predominantly on low-cost, uncertified Android-based TV boxes, tablets, and projectors manufactured in China, BADBOX 2.0 covertly turns these devices into residential proxies that cybercriminals rent out to route their own traffic through a home IP address.
Bittner reports:
"BADBOX 2.0 turns these gadgets into residential proxies for cybercriminals." (04:15)
The malware arrives either preinstalled at the factory or installed during setup through malicious applications or firmware updates. Once compromised, the devices are used for ad fraud, credential stuffing, and masking illicit traffic behind a residential IP. Despite earlier efforts to disrupt the botnet, it continues to grow, with the highest infection counts in Brazil, the U.S., Mexico, and Argentina. The FBI advises consumers to:
- Avoid unofficial app stores.
- Monitor home network traffic.
- Keep devices updated.
- Disconnect any suspected compromised devices.
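"Monitor home network traffic" is easier to act on with a concrete heuristic. The following is an added example, not code from the FBI advisory or the podcast, and it uses no BADBOX 2.0 indicators (the episode gives none). It works from the behaviour the episode describes: a device relaying traffic for many unrelated clients fans out to far more distinct destinations and ports than a TV box that only talks to a few streaming and ad endpoints. The log format, the RFC 5737 documentation addresses, and the thresholds are all assumptions chosen for illustration.

```python
"""Flag LAN devices whose outbound pattern looks like a residential proxy node.

Added example. Input is a constructed firewall/netflow-style log with one
connection per line: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>".
Thresholds are assumptions; tune them against a baseline of your own LAN.
"""
from collections import defaultdict

WINDOW_SECONDS = 600        # assumption: 10-minute sliding window
MIN_DESTINATIONS = 40       # assumption: distinct external IPs before we flag
MIN_PORT_DIVERSITY = 5      # assumption: distinct destination ports before we flag


def parse_line(line):
    ts, src, dst, port, out = line.split()
    return int(ts), src, dst, int(port), int(out)


def is_private(ip):
    """RFC 1918 check; sufficient to separate LAN hosts from Internet peers."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def find_proxy_like_devices(lines):
    """Return {src_ip: {"destinations": n, "ports": m}} for LAN hosts whose
    busiest window exceeds both fan-out thresholds."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if is_private(src) and not is_private(dst):
            per_src[src].append((ts, dst, port))

    flagged = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits WINDOW_SECONDS
            while evs[end][0] - evs[start][0] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            dsts = {d for _, d, _ in window}
            ports = {p for _, _, p in window}
            if len(dsts) >= MIN_DESTINATIONS and len(ports) >= MIN_PORT_DIVERSITY:
                prev = flagged.get(src, {"destinations": 0})
                if len(dsts) > prev["destinations"]:
                    flagged[src] = {"destinations": len(dsts), "ports": len(ports)}
    return flagged


def constructed_log():
    """Constructed sample: a laptop with normal fan-out and a TV box relaying
    proxy traffic to 50 unrelated hosts on 8 different ports."""
    lines = []
    for i in range(30):  # laptop: four CDN endpoints, HTTPS only
        lines.append(f"{1000 + i * 10} 192.168.1.10 198.51.100.{i % 4 + 1} 443 {2000 + i}")
    ports = [80, 443, 8080, 25, 993, 3389, 5900, 1080]
    for i in range(60):  # TV box: many destinations, many ports, 5 s apart
        lines.append(f"{1000 + i * 5} 192.168.1.42 203.0.113.{i % 50 + 1} "
                     f"{ports[i % len(ports)]} {500 + i}")
    return lines


if __name__ == "__main__":
    for ip, stats in find_proxy_like_devices(constructed_log()).items():
        print(f"{ip}: {stats['destinations']} destinations, "
              f"{stats['ports']} ports in one {WINDOW_SECONDS}s window")
```

In practice the flagged address is checked against the asset inventory: a laptop running a download manager can legitimately look like this, but an off-brand TV box that suddenly opens connections on port 25 or 3389 is exactly the device the FBI suggests disconnecting.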
Hardcoded Secrets Found in Popular Chrome Extensions
Researchers have found that a set of Chrome extensions with more than 15 million combined users ship with hardcoded credentials. Developers embedded API keys, authentication tokens, and cloud access secrets directly in the extensions' JavaScript. Because an extension's packaged code is downloadable and readable by anyone who installs it, attackers can extract those credentials with nothing more than a text search.
Bittner explains:
"Exposed secrets include Google Analytics, Azure, speech APIs and even AWS keys." (06:40)
The repercussions range from corrupted analytics data to runaway cloud bills and exposure of the developer's wider infrastructure. Symantec's findings named several high-profile extensions, including ones from Avast and Equatio, as affected. The root cause is convenience winning over secure coding practice: a key pasted into client-side code is a key handed to every user. Potential abuse includes flooding analytics and speech APIs with junk traffic, hijacking cloud resources, or using the credentials to reach connected systems with elevated permissions. The fix is to keep secrets on a backend the extension calls, and to scope and rotate any key that genuinely must ship with the client.
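Finding these secrets before shipping (or before an attacker does) is a matter of scanning the unpacked extension. The following is an added example written for this summary, not code from the podcast or from Symantec's research. It matches the documented prefixes of AWS access key IDs and Google API keys, adds looser patterns for Azure storage keys and bearer tokens, and uses a Shannon-entropy check to drop obvious placeholders. The sample background script is constructed, the AWS key in it is the AWS documentation example key, and the regexes, file suffixes, and entropy threshold are assumptions.

```python
"""Scan an unpacked Chrome extension for hardcoded credentials.

Added example, not the extensions' or Symantec's code. Regexes, suffix list
and entropy threshold are illustrative assumptions; extend them per corpus.
"""
import math
import os
import re

PATTERNS = {
    # AWS access key IDs: documented AKIA/ASIA prefix plus 16 characters
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # Google API keys: documented AIza prefix plus 35 URL-safe characters
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
    # Azure storage connection strings carry a base64 AccountKey
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    # Any long token sent as a bearer credential
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9_\-\.=]{20,})"),
}
ENTROPY_THRESHOLD = 3.0          # bits/char; assumption, filters "xxxx..." style stubs
SCANNED_SUFFIXES = (".js", ".json", ".html")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a run of one repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(name: str, text: str) -> list:
    """Return one finding per credential-looking match that clears the entropy bar.
    The secret itself is redacted to a preview so reports do not leak it again."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(m.lastindex or 0)
                if shannon_entropy(secret) < ENTROPY_THRESHOLD:
                    continue  # placeholder such as "xxxxxxxx", not a real credential
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "preview": secret[:8] + "..."})
    return findings


def scan_extension_dir(root: str) -> list:
    """Walk an unpacked extension directory (the one holding manifest.json)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(SCANNED_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(path, root), fh.read()))
    return findings


# Constructed sample of a background script with embedded secrets.
SAMPLE_BACKGROUND_JS = r'''// constructed sample, not a real extension
const analyticsId = "UA-00000000-1";
const awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE";   // AWS documentation example key
const mapsKey = "AIzaSyD-EXAMPLE-0123456789abcdefghijklm";
const blob = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCd==;";
fetch(url, { headers: { Authorization: "Bearer xxxxxxxxxxxxxxxxxxxxxxxx" } });
'''

if __name__ == "__main__":
    for f in scan_source("background.js", SAMPLE_BACKGROUND_JS):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']}")
```

Run it against a Chrome extension unpacked from its .crx archive with `scan_extension_dir(path)`; the bearer placeholder on the last sample line is deliberately not reported, showing why the entropy filter is there.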
Iranian Hackers (BladedFeline) Targeting Government Officials
ESET has uncovered activity by BladedFeline, an Iran-aligned group conducting long-running cyber espionage against Kurdish and Iraqi government officials. Active since at least 2017, BladedFeline initially compromised the Kurdistan Regional Government before expanding to Iraq's central government and a telecom provider in Uzbekistan.
Bittner summarizes:
"BladedFeline has operated since at least 2017, initially breaching the Kurdistan Regional Government and later expanding to Iraq's central government and even a telecom provider in Uzbekistan." (08:30)
The group uses custom backdoors and implants, among them Shahmaran, Whisper, and PrimeCache, to spy on systems, exfiltrate data, and maintain persistent remote access. Likely initial access vectors are exploited Internet-facing server vulnerabilities and web shells. The campaign serves Iran's geopolitical aims by monitoring the Kurdistan Regional Government's ties to Western governments and countering U.S. influence in Iraq. ESET assesses BladedFeline to be a subgroup of OilRig, the Iranian actor known for targeting critical sectors and conducting supply chain attacks.
Critical Vulnerabilities Patched by Hitachi, Acronis, and Cisco
Hitachi Energy:
Hitachi Energy addressed two critical vulnerabilities in its Relion 670 and 650 series and SAM600-IO devices, which are protection and control components in power grids. The flaws could let a remote attacker trigger memory corruption, and a crashed or manipulated protection relay can disrupt grid operation. No public exploitation has been reported, but Hitachi Energy recommends upgrading to the fixed revisions without delay.
Acronis Cyber Protect:
Acronis has alerted users to multiple critical vulnerabilities in Cyber Protect, including three with the maximum CVSS score of 10.0. The flaws let attackers bypass authentication, access sensitive data, and escalate privileges. Fixed builds have been available for over a month, and Acronis advises users to update immediately. Where updating is not yet feasible, it recommends restricting network access to the management interface and monitoring the systems for suspicious activity.
Cisco:
Cisco has patched 12 vulnerabilities across its product suite, notably a critical flaw in cloud deployments of Identity Services Engine (ISE). On AWS, Azure, and Oracle Cloud Infrastructure, ISE instances of the same software release on the same platform were generated with identical credentials, so an attacker who extracts them from one deployment can reach other deployments in the same environment, access sensitive data, or modify configurations. With no workaround available and proof-of-concept code public, Cisco urges users to apply the updates immediately. Additionally, two high-severity SSH flaws in the Integrated Management Controller (IMC) and the Nexus Dashboard Fabric Controller could enable unauthorized access or man-in-the-middle attacks, alongside nine medium-severity bugs across various communication and management tools.
Bittner emphasizes:
"Cisco strongly urges users to apply updates immediately." (11:50)
International CSAM Takedown: 20 Suspects Arrested
An extensive international law enforcement operation, spearheaded by Interpol and Europol, has led to the arrest of 20 individuals involved in producing and distributing Child Sexual Abuse Material (CSAM). Following an investigation initiated by Spanish authorities in late 2024, Operation Vibora has identified 88 suspects globally. The operation saw arrests across the Americas, Europe, Asia, and Oceania, including professionals such as teachers and healthcare workers in Spain and Latin America.
Dave Bittner reports:
"Operation Vibora identified 88 suspects globally." (12:30)
This operation builds on prior global efforts like Operation Stream, which dismantled the dark website Kidflix, and other initiatives targeting AI-generated CSAM. Collectively, these operations have led to the identification of hundreds of suspects and the seizure of thousands of devices, demonstrating a robust commitment to combating online child exploitation.
Roundcube Webmail Exploit "Email Armageddon"
A critical post-authentication remote code execution (RCE) vulnerability in Roundcube Webmail, dubbed "Email Armageddon," is being exploited in the wild despite a patch released on June 1. Attackers reverse-engineered the fix within days, and a working exploit is now being sold online. The flaw, present in the code base for over a decade, stems from an unsanitized request parameter being written into session data, which enables PHP object injection (insecure deserialization).
Bittner warns:
"Despite requiring login access, attackers claim credentials can be extracted from logs, brute forced or obtained via CSRF." (14:45)
With over 1.2 million Roundcube Webmail instances deployed across hosting providers and other sectors, the attack surface is large. Researchers rate the vulnerability CVSS 9.9 and confirm active exploitation; administrators are urged to patch immediately, and because the bug is post-authentication, to treat any path to valid credentials, including logs, weak passwords, and CSRF, as part of the exposure.
In-Depth Interview: Ian Bramson on Bridging the Cyber Attack Readiness Gap
Dave Bittner:
"Our guest today is Ian Bramson, global head of industrial cybersecurity at Black and Veatch, exploring how organizations can close the cyber attack readiness gap and ChatGPT logs are caught in a legal tug of war." (02:02)
Current State of Cybersecurity in Industry
Ian Bramson describes the cybersecurity landscape as one in flux, marked by the convergence of increased cyber-attacks, evolving regulatory environments, and rapid digitalization.
"We're at a change point right now where you're seeing a convergence of a lot of different factors, from increased attacks to different type of regulatory environments, to lots of digitalization." (13:19)
This convergence results in varied levels of cybersecurity maturity across companies, with those recognizing the threat early moving ahead, while others lag behind.
Compliance vs. Security
Bramson emphasizes the distinction between compliance and security. While compliance focuses on meeting regulatory standards, security aims at safeguarding against threats beyond mere regulatory requirements.
"There's a difference between being compliant and being secure. Meaning I've got clients who are very focused on being compliant, and they are, but there's still lots of gaps in there." (14:37)
He points out that regulations often lag behind emerging threats, necessitating a proactive security approach rather than a checkbox-driven compliance mindset.
Elements of Successful Cybersecurity Programs
Bramson identifies two primary elements that successful organizations share:
- Executive Commitment: Strong support for, and understanding of, industrial cybersecurity from the board of directors is crucial. "They have commitment from the board of directors and an understanding and appreciation of what industrial cybersecurity is. Meaning it's not just about data, it's about safety and it's about uptime." (15:39)
- Foundational Cyber Hygiene: An accurate asset inventory, vulnerability and patch management, and monitoring and response capability form the backbone of a solid program. "Do I know what I need to protect? That's asset inventory and asset management. Do I know where my holes are? That's vulnerability management and patch management." (15:39)
Securing Executive Buy-In
Translating technical cybersecurity concepts into risk management language that resonates with executives is essential for securing their support.
"Senior executives, boards of directors, they speak the language of risk. They understand consequence, they understand the idea of probability and impact." (17:06)
Creating a risk register and aligning cybersecurity initiatives with strategic business goals helps in effectively communicating the importance and urgency of cybersecurity investments.
Addressing Budget Constraints in Public Utilities
When dealing with budget-constrained sectors like water utilities, Bramson suggests:
- Exploring Grants and Funding: Investigate available financial assistance to support cybersecurity initiatives.
- Integrating Cybersecurity into Capital Expenditures: Incorporate cybersecurity requirements during the planning stage of new projects or major modifications, which is cheaper and yields a better result than retrofitting.
"Build it in earlier, you can do things a lot cheaper, meaning and a lot better." (18:29)
Advice for Overwhelmed Security Professionals
Bramson advises security personnel to simplify the complex landscape by focusing on fundamental cybersecurity practices.
"Start breaking it down into those simple steps or clear steps, shall we say? And start working through those." (19:46)
By addressing basic questions on asset protection, vulnerability management, and system monitoring, organizations can build a strong cybersecurity foundation without feeling overwhelmed.
Black and Veatch’s Role in Enhancing Cybersecurity
Black and Veatch offers comprehensive support throughout the cybersecurity lifecycle, from initial consulting and implementation to ongoing management. Their approach ensures that clients can navigate the complexities of industrial cybersecurity effectively.
"We offer everything from consulting... to the actual implementation... and help me operate it." (21:11)
OpenAI Under Legal Scrutiny: ChatGPT Logs Preservation Order
In a contested legal battle, OpenAI is challenging a federal court order requiring it to preserve all ChatGPT output logs, including deleted messages, temporary chats, and API-based business traffic. The order arose in the copyright lawsuit brought by the New York Times and other plaintiffs, who argued that users may be deleting conversations that would show infringing output.
Bittner outlines:
"The judge agreed and ordered OpenAI to preserve all logs." (22:00)
OpenAI argues that the order conflicts with its privacy policies and potentially with international privacy laws, and stresses that it did not destroy evidence but honored user deletion requests. The preservation order compels OpenAI to retain chat data, including sensitive and personal information, leaving the company caught between its legal obligations and its privacy commitments to users.
This situation has prompted users to scrutinize their chat histories meticulously and consider alternatives like Gemini, reflecting the broader implications for data privacy and legal compliance in AI-driven platforms.
Closing Remarks
Dave Bittner concludes the episode by directing listeners to additional resources, such as the annual audience survey and the upcoming Research Saturday featuring Michael Gorelik from Morphisec. He also acknowledges the production team, ensuring listeners are informed about the behind-the-scenes efforts that make CyberWire Daily possible.
For further details on today's stories and to participate in the survey, listeners are encouraged to email dailybriefing@thecyberwire.com.
Notable Quotes:
- Ian Bramson on Industry Flux: "We're at a change point right now where you're seeing a convergence of a lot of different factors..." (13:19)
- On Compliance vs. Security: "There's a difference between being compliant and being secure..." (14:37)
- Executive Commitment: "They have commitment from the board of directors and an understanding and appreciation of what industrial cybersecurity is." (15:39)
- Risk Management Language: "Senior executives, boards of directors, they speak the language of risk..." (17:06)
- Simplifying Security Measures: "Start breaking it down into those simple steps or clear steps..." (19:46)
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of pressing cybersecurity issues, from large-scale fraud and malware threats to vulnerabilities in widely used software. The in-depth interview with Ian Bramson offers valuable insights into building robust cybersecurity frameworks within organizations, emphasizing the importance of executive support and foundational security practices. Additionally, the legal tussle involving OpenAI underscores the ongoing tensions between technological advancements and data privacy laws. For cybersecurity professionals and enthusiasts alike, "Beware of BADBOX" serves as an essential briefing on the current and evolving landscape of cyber threats and defenses.
