Podcast Summary: CyberWire Daily – Episode “Hardcoded Credentials and Hard Lessons”
Release Date: May 5, 2025
Host: Dave Bittner
Producer: N2K Networks
Episode Overview
In this episode of CyberWire Daily, host Dave Bittner delves into a series of critical cybersecurity issues impacting organizations globally. The discussion spans vulnerabilities in government-used messaging apps, newly discovered exploits, state-sponsored cyber espionage, malware updates, and significant shifts in authentication methods. Additionally, the episode features an insightful interview with Christina Murillo, Head of Information Security at the New York Giants, during the Afternoon Cyber Tea segment hosted by Ann Johnson.
Key Cybersecurity News
1. Vulnerabilities in TM Signal and Telemessage Breach
Researchers have identified a severe vulnerability in TM Signal, a non-public messaging app reportedly utilized by high-ranking government officials, including former National Security Advisor Mike Waltz. The app, a modified version of Signal designed to archive messages for compliance with record-keeping laws, suffers from a fundamental security flaw: hardcoded credentials.
Dave Bittner highlights, “The app uses hardcoded credentials, a rookie-level security blunder” (03:35). This oversight led to the vendor, TeleMessage, being breached, exposing sensitive messages, user data, and backend credentials within a mere 15 to 20 minutes. The incident raises critical questions about the reliance on fringe applications over secure government systems, pointing to a lapse in security hygiene and adherence to established protocols.
2. CISA Adds Commvault Flaw to Known Exploited Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has recently included a second vulnerability related to Commvault in its Known Exploited Vulnerabilities Catalog. This new flaw, with a CVSS score of 10, affects multiple Commvault Command Center versions, enabling unauthenticated remote code execution through malicious ZIP files.
Dave Bittner notes, “Federal agencies must patch by May 23” (06:10), emphasizing the urgency despite the vulnerability not yet being exploited in the wild. Additionally, CISA has added a related Yii framework flaw associated with Craft CMS attacks, underlining the expanding threat landscape.
3. xAI’s Private API Key Exposure on GitHub
A significant security lapse at Elon Musk's AI company, xAI, resulted in a private API key being inadvertently exposed on GitHub for nearly two months. This key provided unauthorized access to internal Large Language Models (LLMs) used by SpaceX, Tesla, and Twitter, including unreleased Grok models.
Dave Bittner explains, “The exposed credentials had access to at least 60 sensitive data sets” (08:50), highlighting deficiencies in xAI’s credential management and internal monitoring systems. The incident underscores the importance of stringent secret management protocols, even within top-tier tech firms.
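Items 1 and 3 are the same failure seen twice: a live credential sitting in source where anyone with read access to the code (or the repository) can take it. The defensive control is to scan source for literal credentials before it reaches a shared repository and to inject secrets at runtime instead. The following is an added example, not code from the episode, from TeleMessage, from xAI, or from any scanning product. It shows a minimal scanner with two detection classes (credential-looking assignments and a vendor-style key prefix) next to the hardened pattern that fails closed when a secret is absent. The key prefix `demo-`, the variable names, and the sample source are all constructed for the demonstration.

```python
"""Added example (not from the episode or any vendor's product): a minimal
hardcoded-credential scanner of the kind run as a pre-commit hook or CI job,
next to the hardened pattern that keeps secrets out of source entirely.
Key formats, variable names and the sample source are constructed."""
import math
import os
import re
from collections import Counter

# A string literal assigned to a credential-looking name (password = "...").
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(\w*(?:password|passwd|pwd|secret|api[_-]?key|token|auth)\w*)"""
    r"""\s*[=:]\s*["']([^"']{6,})["']"""
)
# Constructed vendor-style key prefix; real scanners carry per-vendor lists.
PREFIX_RE = re.compile(r"\b(demo-[A-Za-z0-9]{20,})\b")
# Values that are clearly template placeholders, not live secrets.
PLACEHOLDERS = {"CHANGEME", "REPLACE_ME", "TODO", "XXXXXX"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> list[dict]:
    """Return one finding per line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are skipped to keep the demo focused
        m = ASSIGNMENT_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if value.upper() in PLACEHOLDERS:
                continue
            findings.append({"line": lineno, "kind": "assignment", "name": name,
                             "entropy": round(shannon_entropy(value), 2)})
            continue
        m = PREFIX_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "prefix", "name": None,
                             "entropy": round(shannon_entropy(m.group(1)), 2)})
    return findings


def load_secret(name: str, env=None) -> str:
    """Hardened pattern: the secret is injected at runtime (environment here,
    a secrets manager in production) and a missing value fails closed rather
    than falling back to a default baked into the code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not configured")
    return value


# Constructed sample of what a scanner sees in a commit. Lines 4, 5 and 8
# should be flagged; line 6 is a placeholder and line 7 is the safe pattern.
SAMPLE_SOURCE = """\
# constructed sample, not real code
import os
ARCHIVE_USER = "archive-svc"
archive_password = "Sup3rS3cretArchive!"
API_KEY = "example_key_Qm7pX2vL9aR4tZ8wN1cY"
db_password = "CHANGEME"
token = os.environ["SERVICE_TOKEN"]
headers = {"Authorization": "Bearer demo-Zt4Q9vLm2XpR7aK1wN8cY3bH"}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['name'] or ''} entropy={f['entropy']}")
```

The entropy value is a triage hint rather than a filter: a low score on a flagged assignment usually means a test fixture or placeholder, a high score on a quoted string that matches no name pattern is what the prefix rule exists to catch. Note that the environment-variable line is not flagged at all, because the regex only fires on a quoted literal; that is the shape reviewers should expect every credential reference in a codebase to have.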
4. State-Sponsored Cyber Espionage in the Middle East
FortiGuard's Incident Response Team has uncovered an extended cyber espionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The infiltration, lasting from May 2023 to early 2025 with potential beginnings in 2021, involved the use of stolen VPN credentials and the deployment of sophisticated malware such as HanifNet, HXLibrary, and NeoExpressRAT.
Dave Bittner comments, “The campaign showed a high level of sophistication, with an emphasis on persistence and stealth” (11:00), urging organizations to enhance credential hygiene, network segmentation, and proactive monitoring to defend against such advanced threats.
5. SS7 Zero-Day Exploit on Cybercrime Forums
A newly advertised SS7 zero-day exploit has emerged on cybercrime forums, raising significant concerns about global mobile network security. Priced at $5,000, this exploit kit enables attackers to intercept SMS messages, track phones in real-time, eavesdrop on calls, and bypass two-factor authentication.
Dave Bittner elaborates, “Despite SS7's outdated design, it still underpins many 2G and 3G telecom systems worldwide” (12:30). Experts recommend that telecom providers implement SS7 firewalls and encourage users to transition away from SMS-based authentication to mitigate these ongoing risks.
6. StealC Info Stealer and Malware Loader Updates
StealC, a popular infostealer and malware loader, has released its second major version, 2.2.4. First identified by Zscaler in March, the update includes enhancements such as improved payload delivery, Chrome cookie theft bypasses, RC4 encryption, real-time alerts via Telegram, a new admin panel, and support for 64-bit systems. Notably, the removal of anti-VM checks suggests a significant code overhaul.
Dave Bittner points out, “StealC remains actively used in attacks often delivered via malware loaders like Amadey” (14:00), indicating the persistent threat posed by such malware in the cybersecurity landscape.
7. Microsoft’s Shift to Passkeys for a Passwordless Future
In a move towards enhancing security and user experience, Microsoft is making passkeys the default sign-in method for all new accounts. Passkeys leverage device-based biometric or PIN authentication, effectively eliminating the need for traditional passwords and reducing susceptibility to phishing attacks.
Dave Bittner states, “Passkeys utilize device-based biometric or PIN authentication, eliminating the need for traditional passwords” (16:00). Security expert Troy Hunt emphasizes their advantages, noting a 98% success rate for passkey sign-ins compared to 32% for password-based logins. This shift aligns with industry trends as major tech companies adopt passkeys to bolster security and streamline the authentication process.
Afternoon Cyber Tea: Interview with Christina Murillo
Host: Ann Johnson
Guest: Christina Murillo, Head of Information Security at the New York Giants
1. Assessing and Shaping Cybersecurity Strategy
Christina Murillo discusses her approach to evaluating and developing cybersecurity strategies within organizations. Emphasizing curiosity over checklists, she focuses on understanding the current security landscape by listening to various functions within the organization.
Christina Murillo: “One of my first moves is to listen across functions... looking for alignment between security goals and business priorities” (13:45).
2. Addressing Misconceptions in Cybersecurity
The conversation highlights common misconceptions, such as viewing cybersecurity solely as an IT issue or equating compliance with security. Christina underscores the importance of integrating security into broader business discussions to enhance organizational risk awareness.
Christina Murillo: “Cybersecurity is a business risk issue, not just a technical one” (14:55).
3. Risk Management and Compliance
Christina elaborates on her method of framing cybersecurity risks in terms of business impact rather than purely mathematical assessments. By using real-world scenarios, she effectively communicates the potential consequences of security risks to leadership and peers.
Christina Murillo: “Risk isn't always about the math. It's about the story... what would this cost us in downtime or reputation” (16:15).
4. Collaboration within the NFL Security Community
Highlighting the strength of the NFL's security community, Christina shares insights into collaborative efforts among the 32 NFL teams. Regular communication and threat intelligence sharing are pivotal in maintaining a robust security posture across the league.
Christina Murillo: “We're like our own little security community... it's all about relationships” (18:10).
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of pressing cybersecurity challenges, ranging from vulnerabilities in specialized messaging apps to sophisticated state-sponsored espionage. The insightful interview with Christina Murillo offers a practical perspective on developing and implementing effective cybersecurity strategies within large organizations. As the landscape evolves, the emphasis on robust security practices, proactive risk management, and collaborative efforts remains paramount in safeguarding critical assets and maintaining operational integrity.
Notable Quotes:
- Dave Bittner: “The app uses hardcoded credentials, a rookie-level security blunder” (03:35).
- Dave Bittner: “Federal agencies must patch by May 23” (06:10).
- Dave Bittner: “Despite SS7's outdated design, it still underpins many 2G and 3G telecom systems worldwide” (12:30).
- Christina Murillo: “Cybersecurity is a business risk issue, not just a technical one” (14:55).
- Christina Murillo: “Risk isn't always about the math. It's about the story... what would this cost us in downtime or reputation” (16:15).
- Christina Murillo: “We're like our own little security community... it's all about relationships” (18:10).
Timestamps:
- 03:35 – TM Signal Vulnerability
- 06:10 – CISA Adds Commvault Flaw
- 08:50 – xAI’s API Key Exposure
- 11:00 – Cyber Espionage in the Middle East
- 12:30 – SS7 Zero-Day Exploit
- 14:00 – StealC Info Stealer Update
- 16:00 – Microsoft’s Shift to Passkeys
- 13:45 – Interview: Assessing Cybersecurity Strategy
- 14:55 – Interview: Addressing Misconceptions
- 16:15 – Interview: Risk Management
- 18:10 – Interview: Collaboration within NFL
This summary is intended for informational purposes and reflects the discussions held during the CyberWire Daily episode released on May 5, 2025.
