Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Tony Velleca (1:25)
Foreign.
Dave Bittner (1:33)
The Czech Republic accuses Chinese state-backed hackers of cyber espionage. CISA's leaders head for the exits. Cybercriminals are using fake AI video generator websites to spread malware. A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender website spreads malware targeting financial data. Medusa ransomware claims to have breached global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for ransomware targeting US cities. Our guest is Tony Velleca, CyberProof CEO, discussing exposure management and a more risk-focused approach to prioritize threats. And mind reading for fun and profit.

It's Wednesday, May 28, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It's great as always to have you here with us.

The Czech Republic has accused Chinese state-backed hackers of targeting its Ministry of Foreign Affairs in a cyber espionage campaign that began in 2022. An investigation by Czech intelligence and cybersecurity agencies linked the attack to APT31, a group associated with China's Ministry of State Security. The hackers targeted an unclassified network but may not have breached it. Foreign Minister Jan Lipavský condemned China's interference, citing efforts to weaken Czech democracy. He summoned the Chinese ambassador and highlighted new security measures. The US and UK previously sanctioned APT31. The group also allegedly targeted British lawmakers. Czech officials shared findings with EU and NATO allies. Both organizations backed Prague, with NATO condemning China's increased cyber threats. China has not yet responded.

The Cybersecurity and Infrastructure Security Agency is facing a major leadership crisis, with nearly all its top officials having left or set to leave by the end of May, Cybersecurity Dive reports. An internal email revealed that five of CISA's six operational divisions and most regional offices are losing senior leaders, including key figures like Matt Hartman and Boyden Rohner. These departures come amid rising cyber threats from foreign adversaries and have sparked concern over the agency's stability and effectiveness. Experts and insiders warn the loss of seasoned leadership may weaken CISA's ability to support critical infrastructure and partner agencies. Field directors who helped expand CISA's reach across the US are also stepping down, further fueling uncertainty. While CISA's leadership insists the agency remains mission focused, morale is low and doubts about the agency's future are growing. Critics fear this exodus will hurt national cybersecurity and resilience at a critical time.

Cybercriminals are using fake AI video generator websites to spread malware, Google's Mandiant unit has found. These scammers create fraudulent sites mimicking tools like Luma AI and Canva Dream Lab, promoting them through thousands of malicious ads on platforms like Facebook and LinkedIn. Victims lured in by the ads are tricked into downloading malware such as STARKVEIL, which steals data and opens backdoors for further access. Mandiant attributes the campaign to a group named UNC6032, likely based in Vietnam. Since mid-2024, the campaign has impacted users globally, stealing credentials, cookies and credit card info via Telegram. Meta removed many of the malicious ads, proactively aided by Mandiant's use of Meta's ad library. The campaign reveals how fake AI tools are now a widespread threat not just to tech professionals, but to anyone tempted by trendy, seemingly legitimate AI services.

Google and Mozilla have released Chrome 137 and Firefox 139, addressing 21 security vulnerabilities, including three rated high severity. Chrome 137 includes 11 fixes, notably two high-risk memory issues that could allow code execution or crashes. Firefox 139 patches 10 flaws, including a high-severity double-free bug. Updates were also issued for Firefox ESR and Thunderbird, though no active exploitation was reported. Users are urged to update promptly, as browser vulnerabilities are common targets for attackers.

Researchers at ANY.RUN have uncovered a stealthy phishing campaign delivering the Remcos RAT via DBatLoader. The attack uses obfuscated CMD scripts, User Account Control bypass and legitimate Windows tools to evade detection. Victims receive phishing emails containing an archive with Factura.exe, which triggers the attack chain: DBatLoader execution, script obfuscation and malware injection. Remcos is stealthily embedded into trusted processes and persistence is ensured through scheduled tasks and registry edits. This campaign shows how attackers exploit curiosity around AI tools and rely on native OS behavior to bypass traditional security. The researchers stress the importance of dynamic analysis to detect and respond to modern evasive threats effectively.

Cybercriminals have created a fake Bitdefender antivirus website, Bitdefender Download Co, to spread malware targeting financial data and enabling long-term system access. The fraudulent site closely mimics the real Bitdefender download page, tricking users into downloading a zip file containing VenomRAT, StormKitty and SilentTrinity. VenomRAT steals files, crypto wallets and credit card data, while StormKitty harvests credentials and SilentTrinity ensures persistent access. The attackers host files via Bitbucket and Amazon S3 to appear legitimate. The campaign is part of a broader phishing operation using shared infrastructure with fake banking sites. DomainTools researchers identified a common command and control server and warned of the attackers' dual goals of quick financial theft and long-term system control. Bitdefender is working to take the site down and Chrome now blocks the link. Experts urge users to download antivirus software only from official sites and remain cautious of unsolicited prompts.

Medusa ransomware claims to have breached global real estate firm RE/MAX, exfiltrating 150 gigabytes of data and demanding a $200,000 ransom. The group posted samples on its dark web leak site, threatening public release in under 18 days. While RE/MAX hasn't confirmed the breach, leaked data includes agent contact details, commissions, internal documents and property schematics, mostly from 2021 through 2023. Security experts warn the full data set may contain more sensitive information, posing risks of identity theft, fraud and property scams, along with reputational and financial damage to RE/MAX.

CISA has issued an advisory for a critical memory leak vulnerability in Johnson Controls' iSTAR Configuration Utility tool, impacting all versions prior to 6.9.5. The flaw, due to the use of uninitialized variables, could expose sensitive data and affect industrial control systems vital to sectors like energy, transportation and manufacturing. With a CVSS score of 7.4, the bug requires adjacent network access but no authentication. CISA urges defense-in-depth strategies such as network segmentation and regular assessments to mitigate risks.

Iranian national Sina Gholinejad, age 37, pleaded guilty to deploying RobbinHood ransomware in attacks that hit several U.S. cities, including Baltimore and Greenville, North Carolina. His actions caused tens of millions in damages and disrupted essential public services. The 2019 Baltimore hack alone inflicted $19 million in losses, forcing the city offline for months. Prosecutors say Gholinejad and his co-conspirators began the attacks in 2019, extorting victims with threats of similar consequences. They targeted municipalities in New York, Oregon and beyond until March 2024. Gholinejad faces up to 30 years in prison, with sentencing set for August. He was detained in North Carolina with help from Bulgarian authorities. The Justice Department emphasized that cyber attacks on critical public systems won't go unpunished and thanked international partners for their support.

Coming up after the break, my conversation with Tony Velleca, CyberProof CEO. We're discussing exposure management and a more risk-focused approach to prioritize threats. And mind reading for fun and profit. Stick around.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire. Compliance regulations, third party.
