CyberWire Daily: “Code beneath the sand”
Episode Date: September 17, 2025
Host: Dave Bittner (N2K Networks)
Guest: Abhishek Agrawal (Material Security)
Episode Overview
This episode of CyberWire Daily delivers a comprehensive update on major cybersecurity headlines and in-depth industry analysis. Key topics include disruptive malware in key software repositories, takedowns of phishing platforms, advanced nation-state attacks, debates on critical government cyber funding, and an expert interview on the growing challenges of securing Google Workspace environments. The episode balances technical detail with industry implications and strategic recommendations, making it a must-listen for cybersecurity professionals and leaders.
Key News and Analysis Segments
1. New Malware: Shai Hulud Worm Infects NPM Repository
[01:35]
- Summary:
A self-replicating malware named Shai Hulud (named for the sandworms in Dune) has compromised at least 187 packages in the JavaScript npm repository. The worm steals developer credentials and exposes them in public GitHub repositories.
- Uses hijacked npm tokens to inject itself into the most popular packages linked to a victim’s account, releasing altered versions.
- Spreads using tools like TruffleHog to harvest secrets, mimicking the dormant–active lifecycle of biological viruses.
- Briefly compromised CrowdStrike packages, which were quickly pulled.
- Expert Commentary:
“Experts say stronger two-factor authentication for publishing packages is needed to prevent future outbreaks.” – Host [04:19]
2. Phishing-as-a-Service: Raccoon O365 Platform Disrupted by Microsoft and Cloudflare
[05:05]
- Summary:
Raccoon O365 (also known as Storm 2246) was a criminal platform offering subscription kits for phishing Microsoft 365 accounts.
- Court-ordered seizure of 338 websites took down attackers' infrastructure.
- Kit enabled low-skilled criminals to impersonate brands, capture credentials/session tokens – even bypass MFA.
- Cryptocurrency traces identified Nigerian programmer Joshua Ogudipe as ringleader; Microsoft has filed suit and referred him to law enforcement.
- Notable Quote:
“Raccoon O365... enabled low skilled criminals to impersonate brands like DocuSign and SharePoint, creating fake Microsoft login pages.” – Host [05:43]
3. Advanced Persistent Threats: Fancy Bear’s “Operation Phantom Net Voxel”
[07:16]
- Summary:
APT28 (Fancy Bear) targets Ukrainian military officials with malicious Office documents:
- Delivery of advanced backdoors via spear phishing and macro-enabled docs.
- Establishes command and control via obfuscated cloud services.
- Linked to additional spyware components for key logging and screenshots.
- At least 42 hosts compromised since late 2024, showing increased use of open-source and legitimate cloud resources for stealth.
- Key Moment:
“Fancy Bear's growing reliance on blended open source and legitimate cloud services for stealth and persistence.” – Host [09:32]
4. New Attacker Platforms: Void Proxy Targets Microsoft 365 & Google Accounts
[09:42]
- Summary:
The Void Proxy phishing service uses adversary-in-the-middle tactics to compromise both Microsoft 365 and Google accounts.
- Part of a growing “phishing-as-a-service” ecosystem leveraging identity-based attacks.
- Security leaders recommend an identity-first approach: minimize privileges, closely monitor identity interactions.
- Quote:
“Identity-based attacks are harder to detect and exploit user trust directly.” – Host [10:10]
5. Ransomware Update: Colt Technology Services' Long Recovery
[10:27]
- Summary:
British telecom Colt Technology Services reports ransomware recovery may stretch into late November (over three months).
- The Warlock group claimed responsibility; customer portals, billing, and some services remain affected.
- The attack likely exploited SharePoint vulnerabilities, followed by data theft and extortion attempts.
6. Hardware Security: Rowhammer “Phoenix” Attack on DDR5 Memory
[11:22]
- Summary:
Google and ETH Zurich uncover a new Rowhammer variant (“Phoenix”) affecting SK Hynix DDR5 memory on AMD Zen 4 systems.
- The attack is complex to carry out, but it exposes gaps in DDR5 protections.
- AMD responded with a BIOS update; cloud providers notified.
7. US Policy & Budget: Heated Senate Hearing on FBI Cyber Funding
[12:15]
- Summary:
Senate Judiciary Committee debates proposed cuts that would halve FBI cyber division staff.
- Lawmakers warn of weakened defenses against ransomware and foreign threats.
- FBI Director Kash Patel highlights rising arrests and ongoing election security measures, disputes resource diversion claims.
- Lawmakers also extend two critical cyber programs to November 21, 2025, giving time for long-term deal-making.
Industry Voices: Securing Google Workspace with Abhishek Agrawal (Material Security)
[14:56] – [29:51]
Workspace as Critical Infrastructure
- Agrawal:
“A company's office suite or productivity suite... is such a mission critical surface because it's where a lot of institutional knowledge exists. It serves as identity... and is the first app you get and the last one that gets taken away when you leave.” [14:56]
Built-in Security and Its Limits
- Agrawal:
“The infrastructure is actually fairly secure out of the box... but as an organization scales, they might start hitting roadblocks with some of the out-of-box tooling.” [15:46]
Identity is the New Perimeter
- Agrawal:
“Google Workspace is acting as identity... consolidating a lot of different pieces of context. Who the person is, what files they can access, their function... that's what identity means.” [16:37]
Attacker Behavior: Lateral Movement and Persistence
- Agrawal:
Attackers, once inside, can move freely within Workspace:
- Compromised accounts provide access to email/Drive/other apps.
- Attackers often seek persistence via mail forwarding rules, MFA change, or delegate assignments.
- “They might go try to change the MFA settings, they might assign delegate accounts. These are all different methods for establishing long-term persistence.” [17:46]
Data Sprawl and Exposure
- Agrawal:
“The cost of storage has gotten so low that all of us stopped deleting things... you're collecting a treasure trove of data which you may not even need, but poses a lot of risk.” [19:18]
- Public or broad sharing exacerbates risk and exposures.
Where Built-in Google Security Falls Short
- Agrawal:
Basic detection/remediation exists, but it’s blunt and inflexible; “real world” needs go beyond what built-in tools offer.
- “Customers end up not being able to use built-in tools and instead hack things together through third-party tools or APIs. There’s a lack of flexibility and granularity.” [20:42]
Lessons from Email Security Evolution
- “Why is all of email security so focused on the perimeter? Blocking is important, but there’s so much more attackers do once inside.”
- Compares to AV/EDR evolution:
- “No product is claiming they'll catch all malicious emails ever. So we need an EDR mentality... broaden to thinking about not just the perimeter, but controls for when accounts are compromised.” [22:11]
Major Workspace Risks
- Insider Risks: Employees misusing data—either maliciously or accidentally.
- Attacker/External Compromise: Stolen identity gives access to a wealth of sensitive, monetizable data.
- “Google Drive is a gold mine for attackers... legal docs, financial reports, PII, PCI, regulated data all end up there.” [25:35]
Recommendations & Practical Steps
- Use APIs for Security Automation:
- “Top security teams... use APIs to consolidate data and build detections and response. The problem is most companies don’t have the bandwidth for a custom solution.” [26:59]
- Start Small and Prioritize:
- “Take it one step at a time with a prioritized view... experiment with visibility and basic controls first.” [28:07]
- Automation is Key:
- “The dream is... a world where a lot of this security is kind of taking care of itself and, when there are problems, they're self healing.” [28:54]
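The persistence indicators Agrawal lists at [17:46] (mail forwarding rules, delegate assignments) and his recommendation at [26:59] to use APIs to build detections come together in the following added example. It is not code from the episode, from Material Security, or from Google; it is a small hunting routine that runs over mailbox-settings records in the shape returned by the Gmail API's users.settings.* methods (filters, forwardingAddresses, delegates, getAutoForwarding) and flags external forwarding, filters that bury security-relevant mail, and mailbox delegates. The organization domain, the suspicious-term heuristic, and all sample records are constructed assumptions.

```python
"""Hunt Gmail mailbox settings for persistence indicators: external forwarding,
inbox-hiding filters, and mailbox delegates.

Added example (not the episode's, Material Security's, or Google's code).
Record shapes follow the Gmail API users.settings.* resources; the org domain,
the heuristic term list, and the sample records are constructed.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"          # assumption: the tenant's primary domain
HIDING_LABELS = {"TRASH", "SPAM"}   # filter actions that bury a message
# Heuristic: criteria mentioning these terms are what an attacker tends to hide
SUSPICIOUS_TERMS = ("password", "security", "invoice", "wire", "bank")


@dataclass(frozen=True)
class Finding:
    user: str
    indicator: str
    detail: str


def is_external(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when the address's domain is not the organization's own."""
    return address.lower().rsplit("@", 1)[-1] != org_domain.lower()


def audit_user(user: str, settings: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Return persistence findings for one mailbox's settings records."""
    findings = []

    # users.settings.getAutoForwarding: whole-mailbox forwarding
    auto = settings.get("autoForwarding", {})
    addr = auto.get("emailAddress", "")
    if auto.get("enabled") and is_external(addr, org_domain):
        findings.append(Finding(user, "external_auto_forward",
                                f"{addr} ({auto.get('disposition', '?')})"))

    # users.settings.forwardingAddresses: verified targets usable by filters
    for fa in settings.get("forwardingAddresses", []):
        if is_external(fa["forwardingEmail"], org_domain):
            findings.append(Finding(user, "external_forwarding_address",
                                    f"{fa['forwardingEmail']} [{fa.get('verificationStatus')}]"))

    # users.settings.filters: per-rule forwarding and hiding actions
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        criteria = flt.get("criteria", {})
        target = action.get("forward")
        if target and is_external(target, org_domain):
            findings.append(Finding(user, "external_filter_forward",
                                    f"filter {flt.get('id')} -> {target}"))
        hides = (set(action.get("addLabelIds", [])) & HIDING_LABELS
                 or "INBOX" in action.get("removeLabelIds", []))
        criteria_text = " ".join(str(v) for v in criteria.values()).lower()
        if hides and any(term in criteria_text for term in SUSPICIOUS_TERMS):
            findings.append(Finding(user, "hiding_filter",
                                    f"filter {flt.get('id')} hides {criteria}"))

    # users.settings.delegates: anyone else who can read and send as this user
    for d in settings.get("delegates", []):
        kind = ("external_delegate" if is_external(d["delegateEmail"], org_domain)
                else "internal_delegate")
        findings.append(Finding(user, kind,
                                f"{d['delegateEmail']} [{d.get('verificationStatus')}]"))
    return findings


def audit_tenant(records: dict, org_domain: str = ORG_DOMAIN) -> dict:
    """Map each user to their findings; users with no findings are omitted."""
    result = {}
    for user, settings in records.items():
        found = audit_user(user, settings, org_domain)
        if found:
            result[user] = found
    return result


# Constructed sample records in Gmail API shape (not real tenant data).
SAMPLE_RECORDS = {
    "alice@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "alice.backup@mail-example.net",
                           "disposition": "trash"},
        "forwardingAddresses": [{"forwardingEmail": "alice.backup@mail-example.net",
                                 "verificationStatus": "accepted"}],
        "filters": [
            {"id": "f1", "criteria": {"from": "security@example.com"},
             "action": {"addLabelIds": ["TRASH"]}},
            {"id": "f2", "criteria": {"query": "newsletter"},
             "action": {"removeLabelIds": ["INBOX"]}},
        ],
        "delegates": [{"delegateEmail": "helper@outside-example.org",
                       "verificationStatus": "accepted"}],
    },
    "bob@example.com": {
        "autoForwarding": {"enabled": False},
        "forwardingAddresses": [],
        "filters": [{"id": "f3", "criteria": {"from": "alerts@example.com"},
                     "action": {"addLabelIds": ["Label_12"]}}],
        "delegates": [{"delegateEmail": "assistant@example.com",
                       "verificationStatus": "accepted"}],
    },
    "carol@example.com": {"autoForwarding": {"enabled": False}},
}

if __name__ == "__main__":
    for user, found in audit_tenant(SAMPLE_RECORDS).items():
        for f in found:
            print(f"{f.user}: {f.indicator}: {f.detail}")
```

In a real deployment the records would be pulled per user with a service account granted domain-wide delegation on the Gmail read-only settings scope, and the findings fed to a ticketing or SOAR queue; the "internal_delegate" indicator is informational (delegates are a normal workflow) and is there so that a newly added delegate can be compared against a baseline rather than treated as a compromise on its own.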
Notable Quotes & Memorable Moments
- “Strong two-factor authentication for package publishing is needed to prevent future outbreaks.” – Host [04:19]
- “Raccoon O365 enabled low skilled criminals to impersonate brands like DocuSign and SharePoint...” – Host [05:43]
- “For Google Drive, often the data is shared... externally, or with broad permissions, and over time you forget about it. That leads to a large exposure surface.” – Abhishek Agrawal [19:18]
- “Security is never as simple as black and white... Out of the box tools get to 80%, but in real-world scenarios, there are obvious gaps.” – Abhishek Agrawal [20:42]
- “You need a plan for detection and response even after account compromise – that’s the necessary evolution.” – Abhishek Agrawal [22:11]
- “The dream is... auto-remediations, where the security is taking care of itself and self-healing.” – Abhishek Agrawal [28:54]
Final Headlines
BreachForums Founder Pompompurin Sentenced
[30:18]
- Summary:
Conor Fitzpatrick (“Pompompurin”), founder of BreachForums, receives a three-year prison sentence for running the world’s largest English-language data breach bazaar.
- Prosecutors had sought 15 years.
- Fitzpatrick facilitated sale of 14 billion records and earned nearly $700,000.
- Memorable Commentary:
“If your business model depends on VPNs and stolen identities, the retirement plan is usually an extended stay at Club Fed.” – Host
Useful Timestamps
- 01:35 – Shai Hulud NPM worm
- 05:05 – Raccoon O365 takedown
- 07:16 – Fancy Bear new APT campaign
- 09:42 – Void Proxy phishing platform
- 10:27 – Colt Technology ransomware update
- 11:22 – Phoenix Rowhammer on DDR5
- 12:15 – FBI Senate hearing & cyber budget
- 14:56 – Abhishek Agrawal interview: Google Workspace security
- 30:18 – Pompompurin/BreachForums sentencing
Tone and Language
The episode weaves authoritative analysis and industry perspective with a conversational, direct style. Guest insights are practical and experience-based, blending both high-level strategy ("identity is the new perimeter") and actionable recommendations ("start small, prioritize, automate").
For Listeners
This episode is essential for security leaders, practitioners, and anyone invested in cloud workspace security, incident response, and the evolving threat landscape. The expert interview on Workspace security provides not just context but a future-focused roadmap for defending organizational data and identity in SaaS environments.
