Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire. Researchers uncover serious vulnerabilities in the Signal fork reportedly used by top government officials. CISA adds a second Commvault flaw to its Known Exploited Vulnerabilities catalog. xAI exposed a private API key on GitHub for nearly two months. FortiGuard uncovers a cyber espionage campaign targeting critical national infrastructure in the Middle East. Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums. The StealC infostealer and malware loader gets an update. Passkeys blaze the trail to a passwordless future. On our Afternoon Cyber Tea segment, Ann Johnson speaks with Christina Murillo, head of Information Security at the New York Giants. And Cubism meets computing: the Z80 goes full Picasso.
Dave Bittner
Monday, May 5, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Hello everyone and welcome back. It is really good to be home, back in the Baltimore area, after an exciting, energizing trip to San Francisco for this year's RSAC 2025 conference. The conference was a hit: great sessions, lively conversations and plenty of time spent with friends, both familiar faces and some fantastic new ones. And yes, I spotted my new favorite T-shirt: "My agentic AI has purchase authority," because nothing says cutting edge like giving your AI a company credit card. Let's get into it. Researchers have uncovered a serious vulnerability in TM Signal, an obscure, non-public messaging app reportedly used by former National Security Advisor Mike Waltz, known for accidentally adding a journalist to a classified chat. TM Signal turns out to be a lightly tweaked version of Signal modified to archive messages, which may explain its appeal to officials needing to comply with record-keeping laws. But here's the thing: the app uses hard-coded credentials, a rookie-level security blunder according to hackers. The company behind the app, TeleMessage, was also breached, exposing messages, user data and even backend credentials. The breach reportedly took 15 to 20 minutes, and it raises uncomfortable questions about why officials are turning to fringe apps instead of secure government systems. Whatever the rationale, it's clear that security hygiene took a back seat. What happened here appears to be a textbook case of bypassing the rules that exist for a reason. Instead of going through proper US government channels to vet and approve software, officials reportedly sidestepped protocol and deployed a messaging app through what amounts to shadow IT. It's the kind of move that makes the whole "cutting red tape" mantra look reckless rather than efficient. Bureaucracy may be frustrating, but it's built on hard-learned lessons about risk and control.
Ignoring it in favor of quick fixes isn't innovation, it's dangerous. CISA has added a second Commvault flaw to its Known Exploited Vulnerabilities catalog in less than a week, highlighting rising threat activity. The critical vulnerability, with a CVSS score of 10, affects multiple Commvault Command Center versions and allows unauthenticated remote code execution via malicious ZIP files. Though not yet confirmed exploited in the wild, proof-of-concept code is public. Federal agencies must patch by May 23. CISA also added a related Yii framework flaw used in Craft CMS attacks. A security misstep at Elon Musk's AI company xAI exposed a private API key on GitHub for nearly two months. The key granted unauthorized access to internal, fine-tuned LLMs used by SpaceX, Tesla and X (Twitter), including unreleased Grok models. It was discovered by security expert Philippe Caturegli and later investigated by GitGuardian. The leak stemmed from a mistakenly committed environment file. Despite early alerts, the key remained active until April 30. The exposed credentials had access to at least 60 sensitive data sets, underscoring lapses in xAI's credential management and internal monitoring. GitGuardian flagged that this kind of mistake, committing secrets to public repos, is unfortunately common. xAI has not commented publicly. The incident highlights how even top-tier tech firms can fall short on basic operational security when secret management protocols are weak or overlooked. FortiGuard's Incident Response Team has uncovered a prolonged cyber espionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The intrusion spanned from May 2023 to early 2025, with activity possibly dating back to 2021. Attackers used stolen VPN credentials to access the network, deploying custom malware like HanifNet, HXLibrary and NeoExpressRAT, and evaded segmentation using proxy tools.
They also attempted to regain access post-containment via web app vulnerabilities and phishing attacks. The campaign showed a high level of sophistication, with an emphasis on persistence and stealth. No operational disruptions were confirmed, but the attackers demonstrated strong interest in OT systems. The report urges better credential hygiene, stronger segmentation and proactive monitoring to defend against such advanced threats. A newly advertised SS7 zero-day exploit on cybercrime forums is raising alarms about global mobile network security. Priced at $5,000, the kit allows attackers to intercept SMS messages, track phones in real time and potentially eavesdrop on calls or bypass two-factor authentication. The exploit targets vulnerabilities in the Mobile Application Part of the SS7 protocol, spoofing legitimate network nodes to manipulate routing and location data. Despite SS7's outdated design, it still underpins many 2G and 3G telecom systems worldwide, used by about 30% of mobile connections. While newer networks offer stronger security, legacy systems remain vulnerable. Experts urge telecom providers to adopt SS7 firewalls and stricter controls and recommend users move away from SMS-based authentication. This incident highlights the ongoing risks from legacy telecom infrastructure, even decades after SS7's known flaws were first exposed. A popular infostealer and malware loader called StealC has released its second major version, now at 2.2.4. First spotted in March of this year by Zscaler, the update includes improved payload delivery, Chrome cookie theft bypasses, RC4 encryption and real-time alerts via Telegram. It also adds a new admin panel and support for 64-bit systems. Notably, anti-VM checks were removed, possibly due to a major code overhaul. StealC remains actively used in attacks, often delivered via malware loaders like Amadey.
Microsoft is advancing its commitment to a passwordless future by making passkeys the default sign-in method for all new Microsoft accounts. This shift aligns with the industry's move toward more secure and user-friendly authentication methods. Passkeys utilize device-based biometric or PIN authentication, eliminating the need for traditional passwords and reducing the risk of phishing attacks. Microsoft reports a 98% success rate for passkey sign-ins, significantly higher than the 32% for password-based logins. Security expert Troy Hunt emphasizes the vulnerabilities associated with traditional two-factor authentication methods such as one-time passwords, which can be susceptible to phishing. In a post titled "Passkeys for Normal People," he advocates for the adoption of passkeys, highlighting their resistance to such attacks. Hunt's insights underscore the importance of transitioning to more secure authentication methods. As major tech companies like Microsoft, Apple and Google adopt passkeys, users are encouraged to embrace this change for enhanced security and a more streamlined login experience. Coming up after the break on our Afternoon Cyber Tea segment with Ann Johnson: Ann speaks with Christina Murillo, head of Information Security at the New York Giants. And Cubism meets computing: the Z80 goes full Picasso.
Dave Bittner
Testing is resource intensive, slow and expensive, providing only a point-in-time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost24's continuous pen testing as a service solution offers year-round protection with recurring manual penetration testing conducted by CREST-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. And now a word from our sponsor, Black Kite. If third-party risk is keeping you up at night, you're not alone. It's a constant battle. Black Kite's third-party cyber risk platform is built on real-world threat intelligence straight from their research team's ongoing breach analysis, dark web monitoring and attacker tactics. That means you get a hacker's-eye view of your supply chain to proactively spot risks. And speaking of research, they just dropped their 2025 third-party breach report, breaking down last year's biggest trends and what's coming next. Grab the report now at www.blackkite.com. Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast. And in today's segment, Ann speaks with Christina Murillo, head of Information Security at the New York Giants.
Ann Johnson
Today I'm excited to welcome Christina Murillo, who is the head of information security at the National Football League's New York Giants. Welcome to Afternoon Cyber Tea, Christina.
Christina Murillo
Thank you so much, Ann. Thanks for having me.
Ann Johnson
So when you think about your journey and you think about new organizations and different roles, how do you go about assessing where the team is on their cyber journey? And what is your approach to actually taking and shaping a strategy that meets them where they are but gets them to the place of maturity where you want them to be?
Christina Murillo
So that's always a tough one. One thing that I will say is that I never walk in with a checklist. I always walk in with curiosity. One of my first moves is to listen across functions, right? I want to know how people have experienced security, if they understand security, how our corporate leaders feel about security, where there are any gaps in terms of the culture as well. That's super important for me. In parallel, I also assess fundamentals, right? I look at our policies, architecture, our identity, awareness, detection. But I'm not really just looking to audit. I'm kind of looking for alignment. I'm looking to see where our security goals are in sync with business priorities, where they're not in sync. And then I build the strategy rooted in where we are, right? Not where we wish we were.
Ann Johnson
So cyber is full of misconceptions, right? How do you go about helping people get from that misconception to actually having a really mature understanding of the industry and a responsible understanding?
Christina Murillo
That's such a great question. One of the biggest misconceptions that I see within cybersecurity is that it's just an IT thing. It's IT's job, it's something technical that sits off to the side, IT will take care of it, it falls under IT, and that's it. The truth, as we both know, is that it's a business risk issue, not just a technical one. So part of what I do is, you know, I work really hard to bring security into broader conversations, like with operations, with finance, even with HR, in terms of identity and onboarding and all of that stuff, so that people understand how their day-to-day decisions impact the organization's risk posture. Something else that I see a lot is "if we're compliant, we're secure," just check the box and that makes us secure. That's not true. And that's something that I have to emphasize over and over again. I try to incorporate real-world examples. There's so many breaches and examples nowadays, I feel like we see one every other week, where companies are fully compliant and still got hit. Right? Because maybe they weren't actually secure where it mattered the most. Right. Maybe there was a process failure, as an example, not necessarily a technical one. So my real focus is just to make security relatable, right, across the organization.
Ann Johnson
How do you think about risk when you're building a security strategy and how do you think about compliance and how do you get your leadership and your peers aligned around the risk and aligned about the cyber risk, even if it isn't related to compliance?
Christina Murillo
I will say that that is always a journey. It's a never-ending journey. But one thing I've learned is that risk isn't always about the math. It's about the story. Right. Or your ability to tell the proper story. So for me, you know, when I get pushback, I don't really argue. What I try to do is reframe the conversation around business impact, and again, I go back to those real-world scenarios. You know, I'll say, like, "Hey, here's how this type of risk has played out for others," or, "Hey, if this happened here, what would this cost us in downtime or reputation, or how would this impact football operations?" Right. So I always start with that business impact and what's at stake if the risk plays out, in terms of, like, revenue, reputation, operations, et cetera. I listen for pushback, of course. I tell stories around it, I give examples. I listen at scale. I try to understand where the pushback is coming from, if there's just, like, a lack of awareness, if there's a misconception somewhere. And then ultimately, if things start to feel a little bit subjective, I try to turn them into decision points. You have to be flexible. You have to pivot. I think the most important thing, though, is to keep protecting the mission top of mind. Like, whatever our mission is, right? If our mission is to win football games, if our mission is to delight our fans and our customers, I have to keep that at the forefront.
Ann Johnson
Well, let's talk about, you know, strategy. Strategy is only successful if it's well adopted and if you measure it right, and if you continually measure it and then continually get feedback, get everyone on board going on a journey. How are you collaborating across the internal departments and with key stakeholders across the other NFL teams? And what is the key to managing those relationships?
Christina Murillo
So it's amazing. I mean, I won't take credit for, like, the community that has been set up. That's, you know, credit to the NFL CISO and his information security office. They've done a great thing with bringing us all together, like the 32 clubs. So we're, you know, we're always on phone calls multiple times a month. We have, we share threat intel. We meet in person a few times a year as well. At the end of the day, we all have the same shared goal, right, which is to protect our fans, protect our clubs, protect the overall league. One of my favorite elements of this entire journey has been meeting other information security officers across the different teams and learning more about their strategy, their processes, and us kind of like comparing and exchanging notes. That has been a joy because it's like our own little security community. I'm always encouraging people to share more externally so that the overall cyber community can get more of this goodness. But it's all about relationships. I think it really, for me has been about relationship building, making that time not only when they're urgent moments, but just overall.
Dave Bittner
You can check out the full episode of Afternoon Cyber Tea right here on the N2K CyberWire network, or wherever you get your favorite shows. Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com. And finally, what happens when you mash up a 19th century art icon and a retro CPU from the golden age of microcomputing? Apparently you get the RC2014 Mini II Picasso. This limited-edition Z80-based single-board computer runs old-school BASIC, Forth and CP/M, but does so with a flair even your art teacher would admire. Think standard RC2014 guts, but laid out like Picasso himself dropped by with a soldering iron and no regard for straight lines. Resistors pirouette over each other, components are skewed like cubist portraits, and no two boards look exactly the same thanks to a wild mix of silkscreen colors and socket styles. It's a PCB that says "I contain multitudes" and 8-bit computing nostalgia. Available via Z80kits, this delightful mashup of silicon and surrealism is a refreshing reminder that PC boards don't have to be neat.
They can be expressive, eccentric and maybe just a bit 1990s rave chic too. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Podcast Summary: CyberWire Daily – Episode “Hardcoded Credentials and Hard Lessons”
Release Date: May 5, 2025
Host: Dave Bittner
Producer: N2K Networks
In this episode of CyberWire Daily, host Dave Bittner delves into a series of critical cybersecurity issues impacting organizations globally. The discussion spans vulnerabilities in government-used messaging apps, newly discovered exploits, state-sponsored cyber espionage, malware updates, and significant shifts in authentication methods. Additionally, the episode features an insightful interview with Christina Murillo, Head of Information Security at the New York Giants, during the Afternoon Cyber Tea segment hosted by Ann Johnson.
Researchers have identified a severe vulnerability in TM Signal, a non-public messaging app reportedly utilized by high-ranking government officials, including former National Security Advisor Mike Waltz. The app, a modified version of Signal designed to archive messages for compliance with record-keeping laws, suffers from a fundamental security flaw: hardcoded credentials.
Dave Bittner highlights, “The app uses hardcoded credentials, a rookie-level security blunder” (03:35). This oversight led to the company, Telemessage, being breached, exposing sensitive messages, user data, and backend credentials within a mere 15 to 20 minutes. The incident raises critical questions about the reliance on fringe applications over secure government systems, pointing to a lapse in security hygiene and adherence to established protocols.
The Cybersecurity and Infrastructure Security Agency (CISA) has recently included a second vulnerability related to Commvault in its Known Exploited Vulnerabilities Catalog. This new flaw, with a CVSS score of 10, affects multiple Commvault Command Center versions, enabling unauthenticated remote code execution through malicious ZIP files.
Dave Bittner notes, “Federal agencies must patch by May 23” (06:10), emphasizing the urgency even though exploitation in the wild has not yet been confirmed. Additionally, CISA has added a related Yii framework flaw associated with Craft CMS attacks, underlining the expanding threat landscape.
A significant security lapse at Elon Musk's AI company, xAI, resulted in a private API key being inadvertently exposed on GitHub for nearly two months. This key provided unauthorized access to internal Large Language Models (LLMs) used by SpaceX, Tesla, and X (Twitter), including unreleased Grok models.
Dave Bittner explains, “The exposed credentials had access to at least 60 sensitive data sets” (08:50), highlighting deficiencies in xAI’s credential management and internal monitoring systems. The incident underscores the importance of stringent secret management protocols, even within top-tier tech firms.
FortiGuard's Incident Response Team has uncovered an extended cyber espionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The infiltration, lasting from May 2023 to early 2025 with potential beginnings in 2021, involved the use of stolen VPN credentials and deployment of custom malware such as HanifNet, HXLibrary, and NeoExpressRAT.
Dave Bittner comments, “The campaign showed a high level of sophistication, with an emphasis on persistence and stealth” (11:00), urging organizations to enhance credential hygiene, network segmentation, and proactive monitoring to defend against such advanced threats.
A newly advertised SS7 zero-day exploit has emerged on cybercrime forums, raising significant concerns about global mobile network security. Priced at $5,000, this exploit kit enables attackers to intercept SMS messages, track phones in real-time, eavesdrop on calls, and bypass two-factor authentication.
Dave Bittner elaborates, “Despite SS7's outdated design, it still underpins many 2G and 3G telecom systems worldwide” (12:30). Experts recommend that telecom providers implement SS7 firewalls and encourage users to transition away from SMS-based authentication to mitigate these ongoing risks.
StealC, a popular infostealer and malware loader, has released its second major version, 2.2.4. First identified by Zscaler in March, the update includes enhancements such as improved payload delivery, Chrome cookie theft bypasses, RC4 encryption, real-time alerts via Telegram, a new admin panel, and support for 64-bit systems. Notably, the removal of anti-VM checks suggests a significant code overhaul.
Dave Bittner points out, “StealC remains actively used in attacks, often delivered via malware loaders like Amadey” (14:00), indicating the persistent threat posed by such malware in the cybersecurity landscape.
In a move towards enhancing security and user experience, Microsoft is making passkeys the default sign-in method for all new accounts. Passkeys leverage device-based biometric or PIN authentication, effectively eliminating the need for traditional passwords and reducing susceptibility to phishing attacks.
Dave Bittner states, “Passkeys utilize device-based biometric or PIN authentication, eliminating the need for traditional passwords” (16:00). Microsoft reports a 98% success rate for passkey sign-ins compared to 32% for password-based logins, and security expert Troy Hunt emphasizes passkeys' resistance to the phishing attacks that can defeat one-time passwords. This shift aligns with industry trends as major tech companies adopt passkeys to bolster security and streamline the authentication process.
Host: Ann Johnson
Guest: Christina Murillo, Head of Information Security at the New York Giants
Christina Murillo discusses her approach to evaluating and developing cybersecurity strategies within organizations. Emphasizing curiosity over checklists, she focuses on understanding the current security landscape by listening to various functions within the organization.
Christina Murillo: “One of my first moves is to listen across functions... looking for alignment between security goals and business priorities” (13:45).
The conversation highlights common misconceptions, such as viewing cybersecurity solely as an IT issue or equating compliance with security. Christina underscores the importance of integrating security into broader business discussions to enhance organizational risk awareness.
Christina Murillo: “Cybersecurity is a business risk issue, not just a technical one” (14:55).
Christina elaborates on her method of framing cybersecurity risks in terms of business impact rather than purely mathematical assessments. By using real-world scenarios, she effectively communicates the potential consequences of security risks to leadership and peers.
Christina Murillo: “Risk isn't always about the math. It's about the story... what would this cost us in downtime or reputation” (16:15).
Highlighting the strength of the NFL's security community, Christina shares insights into collaborative efforts among the 32 NFL teams. Regular communication and threat intelligence sharing are pivotal in maintaining a robust security posture across the league.
Christina Murillo: “We're like our own little security community... it's all about relationships” (18:10).
This episode of CyberWire Daily provides a comprehensive overview of pressing cybersecurity challenges, ranging from vulnerabilities in specialized messaging apps to sophisticated state-sponsored espionage. The insightful interview with Christina Murillo offers a practical perspective on developing and implementing effective cybersecurity strategies within large organizations. As the landscape evolves, the emphasis on robust security practices, proactive risk management, and collaborative efforts remains paramount in safeguarding critical assets and maintaining operational integrity.