CyberWire Daily – August 19, 2025
Episode Title: Inside Intel’s Internal Web Maze
Overview
This episode of CyberWire Daily brings listeners the latest cybersecurity news, diving into vulnerabilities discovered within Intel’s internal websites, a North Korean spear-phishing campaign, a newly disclosed DDoS vulnerability in HTTP/2, major ransomware and malware events, privacy developments in the UK, and a special segment on the toll of context switching in Security Operations Centers (SOCs). The episode features concise yet impactful analysis and a guest conversation on the human element of SOC burnout.
Key Discussion Points and Insights
1. Intel’s Internal Web Vulnerabilities Revealed
- Researcher Eaton Zveare uncovered four major vulnerabilities across Intel's internal websites that exposed sensitive employee and supplier data.
- Major Findings:
- Business Card Ordering Site: Login bypass allowed access to a global employee database (over 270,000 records).
- Hierarchy Management Site: Weakly encrypted, hard-coded credentials let attackers decrypt admin passwords, impersonate admins, and access employee/product data.
- Product Onboarding Portal: Leaked hard-coded credentials, including GitHub tokens, risked unauthorized product uploads.
- SIM Supplier Site: Broken authentication enabled attackers to enumerate employees and view confidential supplier agreements.
- Intel patched the flaws post-disclosure, but its bug bounty program excluded web vulnerabilities, leaving the researcher unrewarded.
- Quote:
“Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities, leaving the researcher unrewarded.” (02:36)
2. Kimsuky Group’s Targeted Espionage (APT43)
- Researchers at Trellix exposed an espionage campaign by the North Korea-linked Kimsuky group (APT43) targeting South Korean diplomatic missions (Mar–Jul 2025).
- Tactics:
- 19+ spear-phishing emails impersonating trusted contacts delivered password-protected zip files hosted on Dropbox and Daum.
- LNK files inside the zips launched obfuscated PowerShell scripts that pulled payloads from private GitHub repositories used for command and control.
- The final payload was XenoRAT, a remote access Trojan giving full system control, data theft, and surveillance capability.
- Analysis indicated operational pauses aligned with Chinese holidays, suggesting infrastructure or operators in China.
- Quote:
“Victims ultimately received XenoRAT, a remote access Trojan enabling full system control.” (03:28)
- The campaign underscores the need for stronger defenses on diplomatic networks, and its reported tactics map to MITRE ATT&CK techniques.
3. “MadeYouReset”: New DDoS Vulnerability in HTTP/2
- Researchers from Tel Aviv University identified "MadeYouReset", a DDoS vulnerability in HTTP/2 that circumvents the 2023 "Rapid Reset" fix.
- Technical Details:
- Exploits HTTP/2's concurrent stream design: invalid control frames force the server to cancel streams itself, reproducing the resource-exhaustion effect of "Rapid Reset" without the client sending the resets that the 2023 mitigations count.
- Could impact 1/3 of websites globally; mitigation is complex and vendor responsibility is inconsistent.
- Quote:
“Severity varies across implementations… mitigation is complex… inconsistent vendor responsibility leaves risks unresolved.” (04:12)
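As an added defender-side illustration (not code from the episode or from the Tel Aviv University researchers): a per-connection cancellation budget that charges streams the server was forced to cancel after an invalid control frame to the same counter as client-sent RST_STREAM frames. It assumes the original Rapid Reset mitigations counted only client-sent RST_STREAM frames, which is the gap described above; `ResetBudget`, `connections_to_close` and the sample traffic are constructed for this example.

```python
from collections import defaultdict, deque

# Frame labels used by this example (constructed, not HTTP/2 frame opcodes)
RST_STREAM = "RST_STREAM"            # client explicitly cancels a stream (Rapid Reset pattern)
MALFORMED_FRAME = "MALFORMED_FRAME"  # invalid control frame: the server must cancel the stream


class ResetBudget:
    """Sliding-window count of stream cancellations per connection.

    Whether the client sent RST_STREAM or the server was forced to reset the
    stream after an invalid frame, the server paid the cost of setting up and
    tearing down that stream, so both kinds are charged to the same budget.
    """

    def __init__(self, max_resets, window_seconds):
        self.max_resets = max_resets
        self.window = window_seconds
        self.events = defaultdict(deque)  # conn_id -> timestamps of cancellations

    def record(self, conn_id, frame_type, now):
        """Charge one cancellation; return True if the connection exceeded its budget."""
        if frame_type not in (RST_STREAM, MALFORMED_FRAME):
            return False
        q = self.events[conn_id]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        return len(q) > self.max_resets


def connections_to_close(frames, max_resets=100, window_seconds=1.0):
    """Replay (timestamp, conn_id, frame_type) tuples; return connections to close."""
    budget = ResetBudget(max_resets, window_seconds)
    closed = set()
    for t, conn_id, frame_type in frames:
        if conn_id not in closed and budget.record(conn_id, frame_type, t):
            closed.add(conn_id)
    return closed


def constructed_frames():
    """Constructed sample traffic: a normal client, a Rapid Reset client, and a
    client whose malformed control frames force server-side cancellations."""
    frames = [(i * 0.05, "conn-ok", "HEADERS") for i in range(20)]
    frames += [(i * 0.005, "conn-rst", RST_STREAM) for i in range(150)]
    frames += [(i * 0.005, "conn-bad", MALFORMED_FRAME) for i in range(150)]
    return sorted(frames, key=lambda f: f[0])
```

Running `connections_to_close(constructed_frames())` closes both the explicit-reset and the malformed-frame connection while leaving the normal client alone; a counter that only looked at client RST_STREAM frames would miss the second one.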
4. Ransomware Attack on Inotiv
- Indiana-based drug development firm Inotiv reported a ransomware attack (detected Aug 8) that forced system shutdowns.
- Key systems were encrypted, causing data storage and application outages and disrupting operations; the company is working offline with no clear recovery timeline.
- No ransomware group claimed responsibility yet.
- Impact on Inotiv’s $375M revenue remains unclear.
- Quote:
“The company is relying on offline alternatives while working to restore systems with no timeline yet for recovery.” (05:17)
5. UK Backs Down on iCloud Encryption Access Demand
- The UK has reportedly dropped its demand that Apple provide technical access to encrypted iCloud accounts, previously formalized in a "technical capability notice."
- Conflict: Seen by privacy advocates as a backdoor; the UK government rejects this depiction.
- Apple had disabled Advanced Data Protection for UK users in 2023 and had challenged the order at the Investigatory Powers Tribunal.
- UK and US emphasize that neither country can target the other's citizens, focusing on balance of security and privacy.
- Quote:
“Apple is challenging the order at the Investigatory Powers Tribunal. With support from civil society groups, the UK government emphasized safeguards under existing US UK data sharing agreements... reaffirming its commitment to balancing security with privacy protections.” (06:23)
6. PipeMagic Backdoor and Fake ChatGPT Apps
- Microsoft warns that attackers tracked as Storm-2460 are deploying the PipeMagic backdoor disguised as a fake ChatGPT desktop app in preparation for ransomware strikes.
- The campaign exploits a Windows zero-day in the Common Log File System driver.
- Targets in the financial and real estate sectors were hit; the malware has been active since 2022 and resurfaced in 2024.
- Victims see only a blank screen; attackers get remote access and data theft capability.
7. Ermac v3.0 Android Banking Trojan Source Code Leak
- Hunt.io researchers found the source code for the Ermac 3.0 banking Trojan leaked in March 2024.
- Target scope expanded to 700+ apps, with stronger encryption, form injection, device control, and remote uninstall.
- Weak back-end security (hard-coded tokens, default credentials) exposed in the infrastructure itself.
- Leak could boost defensive detection, but also enables emergence of harder-to-detect new variants.
8. Nebraska Cloud Fraud & Crypto Mining Case
- Charles O. Parks III ("CP3O") sentenced to one year in prison for defrauding cloud providers (Microsoft, Amazon suspected) of $3.5M in computational resources to mine $1M in cryptocurrency (Jan–Aug 2021).
- He used aliases, laundered proceeds through crypto exchanges, banks, and an NFT marketplace, and spent the money on luxury items.
- Prosecutors noted he posed as a crypto “influencer.”
9. SOC Context Switching – Threat Vector Mini-Panel
Segment begins: [13:54]
- Host: David Moulton (Palo Alto Networks)
- Guests: Liz Pinder (Cortex Systems Engineer) & Patrick Bile (SecOps Consulting Manager)
Key Topics:
Context Switching:
- SOC analysts face excessive switching between apps and tools, which disrupts focus and extends mean time to respond.
- Mental overhead and fragmented attention are major barriers.
- Memorable Quote (Liz Pinder) [16:49]:
“If someone interrupts you and you’re in the zone and then you get a Slack message… For me personally, it takes me like a good, you know, 30 minutes to actually get back into the task… Imagine that constantly when you are just triaging alone—how much time that adds.”
Alert Fatigue & Automation:
- Overwhelmed SOCs struggle to decide which alerts and activities to automate.
- Automate the “little and often” tasks; their cumulative effect is greater than that of automating a rare, complex task.
- Quote (Patrick Bile) [18:47]:
“Don't pick that one horrible task you do once a year. Do the things you do little and often. If you can shave off 30 seconds here, a minute there… there's your reduction on burning out because you're not doing the same thing over and over.”
Process for Automation and Human Error:
- Don’t try to automate a bad or non-existent process; clarity and documentation come first.
- Playbooks must be carefully designed and iterated with guardrails, especially around high-risk actions (such as VIP password resets).
- Quote (Liz Pinder) [21:15]:
“If you put a bad process into automation… you're going to have a bad playbook. So really you need to think about that process… before you think about automation.”
Human-Centered Security Operations:
- These are not just technology issues: human fatigue, burnout, and performance directly affect security outcomes.
- Quote (David Moulton) [23:12]:
“These aren't just tech problems, they're human performance issues with real security outcomes.”
10. South Yorkshire Police Data Deletion Mishap
- UK’s South Yorkshire Police accidentally deleted 96,000 pieces of bodycam evidence after an IT upgrade and failed backup procedures (May–July 2023).
- Record keeping and backup faults rendered much of the evidence potentially lost forever.
- Quote:
“South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds…” (24:53)
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------------|-------|
| 02:36 | Host | “Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities...” |
| 03:28 | Host | “Victims ultimately received XenoRAT, a remote access Trojan enabling full system control.” |
| 04:12 | Host | “Severity varies across implementations… mitigation is complex… inconsistent vendor responsibility...” |
| 05:17 | Host | “The company is relying on offline alternatives while working to restore systems with no timeline yet.” |
| 06:23 | Host | “Apple is challenging the order at the Investigatory Powers Tribunal…” |
| 16:49 | Liz Pinder | “If someone interrupts you and you’re in the zone... takes me like a good, you know, 30 minutes...” |
| 18:47 | Patrick Bile | “Do the things you do little and often... there's your reduction on burning out...” |
| 21:15 | Liz Pinder | “If you put a bad process into automation… you're going to have a bad playbook.” |
| 23:12 | David Moulton | “These aren't just tech problems, they're human performance issues with real security outcomes.” |
| 24:53 | Host | “South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds...” |
Timestamps for Key Segments
- Intel vulnerability details – [02:10] - [03:00]
- Kimsuky spear-phishing campaign – [03:01] - [04:00]
- MadeYouReset DDoS vulnerability – [04:01] - [05:00]
- Inotiv ransomware attack – [05:00] - [06:20]
- Apple/UK encryption standoff – [06:21] - [07:00]
- PipeMagic backdoor via fake ChatGPT app – [07:01] - [08:00]
- Ermac banking trojan code leak – [08:01] - [09:00]
- Nebraska crypto fraud sentencing – [09:01] - [10:00]
- Threat Vector panel: SOC context switching and alert fatigue – [13:54] - [23:38]
- South Yorkshire Police evidence loss – [23:41] - [25:32]
Tone
- Analytical, pragmatic, and direct; occasionally irreverent and humorous (especially during commentaries on mishaps and blunders).
- Expert guests offer practical, experience-based advice in a conversational, relatable way.
Summary
This CyberWire Daily episode delivers incisive coverage of news shaping the cybersecurity landscape, from severe corporate exposures and advanced nation-state threats to procedural and human pitfalls inside SOCs. It drives home the point that even as tools and attacks become more sophisticated, organizations remain vulnerable to simple oversights—both technical and human—and that better practices, processes, and attention to human performance are critical to effective cyber defense.
