A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

A researcher uncovers vulnerabilities across Intel's internal websites that exposed sensitive employee and supplier data. The Kimsuky group targets South Korean diplomatic missions. A new DDoS vulnerability bypasses the 2023 Rapid Reset fix. Drug development firm Inotiv reports a ransomware attack to the SEC. The UK drops its demand that Apple provide access to encrypted iCloud accounts. Hackers disguise the PipeMagic backdoor as a fake ChatGPT desktop app. The source code for a powerful Android banking Trojan is leaked online. A Nebraska man is sentenced to prison for defrauding cloud providers to mine nearly $1 million in cryptocurrency. On this week's Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bale for a no-holds-barred look at context switching in the SOC. And a UK police force fails to call for backup.

It's Tuesday, August 19, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.

Security researcher Eaton Zveare uncovered four major vulnerabilities across Intel's internal websites that exposed sensitive employee and supplier data.
First, Intel's business card ordering site allowed login bypass, enabling access to a global employee database of over 270,000 records. Second, the hierarchy management site stored weakly encrypted hard-coded credentials, allowing attackers to decrypt passwords, impersonate admins, and access employee and product data. Third, the product onboarding portal leaked multiple hard-coded credentials, including GitHub tokens, which could have allowed rogue product uploads. Finally, Intel's SIM supplier site had broken authentication checks, letting attackers enumerate employees and access confidential supplier agreements. While Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities, leaving the researcher unrewarded despite reporting critical issues elsewhere.

Researchers at Trellix have exposed a North Korea-linked espionage campaign by the Kimsuky group, also known as APT43, targeting South Korean diplomatic missions. Between March and July, at least 19 spear-phishing emails impersonated trusted contacts, using password-protected ZIP files hosted on Dropbox and Daum. The lures mimicked real events such as EU meetings and US Independence Day celebrations. Once opened, malicious LNK files launched obfuscated PowerShell scripts that pulled Base64-encoded payloads from GitHub, where attackers maintained private repositories for command and control. Victims ultimately received XenoRAT, a remote access Trojan enabling full system control, data theft and surveillance. Infrastructure analysis linked operations to the DPRK but noted Chinese holiday pauses, suggesting activity from China. The campaign, which maps to MITRE ATT&CK techniques, remains ongoing and underscores the need for stronger diplomatic network defenses.

Researchers from Tel Aviv University have uncovered MadeYouReset, a new DDoS vulnerability in the HTTP/2 protocol that bypasses the 2023 Rapid Reset fix.
Like Rapid Reset, it abuses HTTP/2's concurrent stream design to overwhelm servers. But instead of clients canceling requests, attackers send invalid control frames that force the server to cancel streams on their behalf. This allows attackers to repeatedly trigger backend work, mimicking Rapid Reset's devastating effect. The flaw could impact up to one third of websites worldwide. Severity varies across implementations. While many vendors had already hardened systems after Rapid Reset, others only patched recently. Mitigation is complex, requiring stricter stream cancellation handling or backend limits, but inconsistent vendor responsibility leaves risks unresolved.

Indiana-based drug development firm Inotiv reported a ransomware attack to the SEC after discovering the incident on August 8. Threat actors encrypted key systems, forcing shutdowns that disrupted internal data storage, business applications and overall operations. The company is relying on offline alternatives while working to restore systems, with no timeline yet for recovery. Law enforcement was notified, though no group has claimed responsibility. Inotiv, which earned $375 million in the first three quarters of 2025, said financial impacts remain uncertain.

The UK has reportedly dropped a demand requiring Apple to provide access to encrypted iCloud accounts, according to US Director of National Intelligence Tulsi Gabbard. The order, known as a technical capability notice, was criticized as a backdoor into user data, though the British government disputes that characterization. Apple had disabled Advanced Data Protection for UK users in 2023 to comply, since the feature made certain iCloud data accessible only from user devices. Apple is challenging the order at the Investigatory Powers Tribunal, with support from civil society groups. The UK government emphasized safeguards under existing US-UK data sharing agreements, stressing that neither nation can target the other's citizens, while reaffirming its commitment to balancing security with privacy protections.

Microsoft has warned that hackers are disguising the PipeMagic backdoor as a fake ChatGPT desktop app to prepare ransomware attacks attributed to threat group Storm-2460. The malware exploits a Windows zero-day in the Common Log File System driver to gain persistence and escalate privileges before deploying ransomware. PipeMagic has been observed targeting IT, financial and real estate sectors worldwide. First seen in 2022, the malware resurfaced in 2024. Victims see only a blank screen while attackers gain remote access and data theft capabilities.

Researchers from Hunt.io have discovered that the source code for ERMAC version 3.0, a powerful Android banking Trojan, was leaked online in March 2024 via an exposed archive. The leak contained the Trojan's backend, frontend panel, exfiltration server, builder and obfuscator. ERMAC 3.0 expanded targeting from 467 apps in version 2 to over 700 financial, shopping and crypto apps, while adding stronger encryption, upgraded form injection techniques, fake push notifications, device control and remote uninstallation. Hunt.io also uncovered live infrastructure tied to the operation, including command and control servers with weak security such as hard-coded tokens and default credentials. While the leak undermines ERMAC's malware-as-a-service credibility, it may enable defenders to improve detection, but it also risks new, harder-to-detect variants emerging.

Nebraska man Charles O. Parks III, also known as CP3O, was sentenced to one year in prison for defrauding cloud providers of nearly $3.5 million to mine nearly $1 million in cryptocurrency between January and August 2021.
He used aliases and shell companies to access massive computing power from providers, believed to be Microsoft and Amazon, without paying. Parks laundered proceeds through crypto exchanges, banks and even an NFT marketplace, funding luxury purchases. Prosecutors said he falsely branded himself a crypto influencer and innovator.

Coming up after the break on this week's Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bale about context switching in the SOC, and a UK police force fails to call for backup. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 Sponsored Job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity: certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

On this week's Threat Vector segment, Palo Alto's David Moulton speaks with Liz Pinder and Patrick Bale about context switching in the SOC.
B
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from my conversation with Liz Pinder, Cortex Systems Engineer Specialist, and Patrick Bile, SecOps consulting manager at Palo Alto Networks. Together we take a no-holds-barred look at context switching in the SOC: what it costs, why it's getting worse, and how smarter design can fix it. Listen to the full episode now in your Threat Vector feed.

So when we were talking about putting this podcast together, we were talking about this idea of context switching, and I ran across this HBR article that talked about workers switching apps something like a thousand-plus times a day. It seems kind of wild, but then you start to observe your own patterns and you realize, yeah, you're moving back and forth between desktop applications and web apps through your browser and your tabs. Your browsers and your tabs get to the point where you can't even read the tabs anymore. There's so many there, and each one is a different action or a different capability. And I imagine in the SOC that that kind of context switching shows up and that it's really costly. Can you talk about what the cost of that disruption, and/or the inability to focus because of all those tools, looks like? Liz?
C
Yeah, definitely. I mean, when we talk about the impact of that actual screen switching, I feel like there's kind of two overall issues that happen. There's kind of the issues on the analyst side, so what I definitely experienced, and then we see issues as well on that visibility and detection side. And just kind of to talk more about the analyst side, because it's obviously, like, my personal experience, but I kind of like to think about, I don't know if you've ever heard of the article by Paul Graham which talks about kind of maker and manager time. So it's quite an old piece of research, quite a few years ago now, but essentially it goes through that maker time is something where you have long, uninterrupted blocks to actually build and create something, whereas manager time is kind of split into meetings, check-ins, quick decisions. And it's really that kind of maker time that you can directly associate with an analyst. You need to have that time for deep thinking with no interruptions, especially when you are going through an incident, when you're triaging. And of course, I mean, just thinking back to my experience, if you're having to continuously collect data for an alert, an alert comes in and I'm going to have to go to different sources to collect this data, either through logging into a firewall platform or kind of going and querying logs in my SIEM solution or even contacting someone, like contacting the owner of this kind of misconfigured S3 bucket, for example, all of that time adds up on its own. But it's also that kind of mental overhead that you have that's not really kind of thought of. If someone interrupts you and you're kind of in the zone and then you get a Slack message come in, or you have a meeting put in as you're doing this task that requires that deep thinking, for me personally, it takes me a good, you know, 30 minutes to actually get back into the task that I was originally presented with.

So, you know, imagine that constantly when you are just triaging alone, and how much time that adds to actually resolving that alert. You know, that's a lot of the reason why we have such long mean time to respond: because of that jumping across different tools and gathering all of that information.
B
Let's talk about alert fatigue. When analysts jump from tool to tool and alert to alert, how do we ensure that they can stay focused on what matters?
D
So yes, when we speak to SOCs and we say, what would you like to automate? And it's an intentionally provocative question. We normally get two answers: everything, or we don't know. And I'm not sure which one's scarier, to be honest. But probably "we don't know", because if we're talking about alert fatigue, they should know the type of alert that is causing them to be fatigued, or alerts. So really, when we're talking to SOCs: don't pick that one horrible task on that horrible system that you don't like doing, that you have to do once every six months or every year. Do the things that you do little and often. If you can shave off 30 seconds here, a minute there, and you do that numerous times a day, week, month, then there's your return on investment on your SOC, and there's automation being key for you, and there's your reduction on burning out, because you're not doing the same thing over and over again. And that's the stuff that drove me up the wall, repeating those mundane tasks, and also thinking about it from the risk perspective. Again, that's the stuff that people in the SOC would forget to do or intentionally not do, because they have a bias to know what the result is. So they assume it's benign or they assume it's malicious, and they'll just quickly try and close the incident down. That's the wrong behavior. That introduces risk, which the SOC is there to avoid. Right. Or reduce the risk, sorry.
C
It's all about giving them something interesting to look at. Right? Because we talk about, you know, how do we not interrupt that flow? And first of all, we can go by automation. So not just automation in terms of, you know, all the way to resolution, all the way to "let's block this straight away". Really simply, we can utilize automation to enrich an alert. So instead of me having to go to my various open source intelligence tools to look up this one IP address, I can have all that information provided to me straight away so I can just make that informed decision. So analysts can make that informed decision to then isolate that machine or close that alert down. So it's really that low-hanging fruit, almost, that helps combat that alert fatigue.
B
Liz, you've designed playbooks, and that's what we tend to call these pre-flight checklists, and some of the automations in security, a playbook or a workflow, with a lot of customers. What mistakes do you see teams make that actually increase their context switching during incident response?
C
Yeah, so something that was probably most common, and I think Patrick will agree, is you can't automate without having that process in the first place. Right. So quite often customers come to us, or I'm building a playbook, and that process either doesn't exist in the first place or it's a bad process. For example, we had a customer that wanted to simply just reset a password and remove them from AD if there was an insider threat. So they didn't have the proper process written down, so it was really difficult to then automate it. They didn't think about, you know, what if this person was a VIP user? Do you want to change the password of a CISO, for example? You know, so things like that. If you put a bad process into automation, create a playbook out of a bad process, you're going to have a bad playbook. So really you need to think about that process and go through it beforehand, before you think about automation.
D
It's not all or nothing. And I think there is that fear of, well, we want to automate, we want to automate fully, but we don't trust it. But you can and should implement guardrails for break-glass situations, like potentially putting yourself at risk of losing your job by resetting someone's password who's in the exact position that you shouldn't. But you could argue as well that they're probably the people who would like it to be targeted. And let's test it, keep testing it. It's not a set-and-forget type thing. You know, it's an iterative process that you want to test and refine. Unless it's not, you know, the high-fidelity, 100% accurate things that I said, like who is user, what is IP, what is machine, what is CVE, all those things.
B
These aren't just tech problems, they're human performance issues with real security outcomes. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Designing Human Centered Security Operations and it's live.
A
Be sure to check out the complete episode of Threat Vector wherever you get your favorite podcasts. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, the South Yorkshire Police has earned itself a polite scolding from the UK's data watchdog after it somehow managed to delete 96,000 pieces of body cam evidence, a feat of digital spring cleaning nobody asked for, according to the Information Commissioner's Office. The trouble began after an IT upgrade in May 2023 left the force's digital evidence management system groaning under the weight of video files. Footage was temporarily stored on a local disk until July 26, when a third-party transfer to a new storage grid turned into a large-scale vanishing act. South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds. Although much of the footage had already been copied elsewhere, the force can't say how much was lost forever, thanks to years of poor record keeping and unresolved backup issues. Unfortunately, when the files went missing, the IT team couldn't radio for backup.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
This episode of CyberWire Daily brings listeners the latest cybersecurity news, diving deep into vulnerabilities discovered within Intel’s internal websites, a North Korean spear-phishing campaign, a new devastating DDoS vulnerability, major ransomware and malware events, privacy developments in the UK, and a special segment on the toll of context switching in Security Operations Centers (SOC). The episode features concise yet impactful analysis and a guest conversation on the human element of SOC burnout.
“Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities, leaving the researcher unrewarded.” (02:36)
“Victims ultimately received XenoRAT, a remote access Trojan enabling full system control.” (03:28)
“Severity varies across implementations… mitigation is complex… inconsistent vendor responsibility leaves risks unresolved.” (04:12)
“The company is relying on offline alternatives while working to restore systems with no timeline yet for recovery.” (05:17)
“Apple is challenging the order at the Investigatory Powers Tribunal, with support from civil society groups. The UK government emphasized safeguards under existing US-UK data sharing agreements... reaffirming its commitment to balancing security with privacy protections.” (06:23)
Context Switching:
“If someone interrupts you and you’re in the zone and then you get a Slack message… For me personally, it takes me like a good, you know, 30 minutes to get actually get back into the task… Imagine that constantly when you are just triaging alone—how much time that adds.”
Alert Fatigue & Automation:
“Don't pick that one horrible task you do once a year. Do the things you do little and often. If you can shave off 30 seconds here, a minute there… there's your reduction on burning out because you're not doing the same thing over and over.”
Process for Automation and Human Error:
“If you put a bad process into automation… you're going to have a bad playbook. So really you need to think about that process… before you think about automation.”
Human-Centered Security Operations:
“These aren't just tech problems, they're human performance issues with real security outcomes.”
“South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds…” (24:53)
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:36 | Host | "Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities..." |
| 03:28 | Host | "Victims ultimately received XenoRAT, a remote access Trojan enabling full system control." |
| 04:12 | Host | "Severity varies across implementations… mitigation is complex… inconsistent vendor responsibility..." |
| 05:17 | Host | "The company is relying on offline alternatives while working to restore systems with no timeline yet." |
| 06:23 | Host | "Apple is challenging the order at the Investigatory Powers Tribunal…" |
| 16:49 | Liz Pinder | "If someone interrupts you and you're in the zone... takes me like a good, you know, 30 minutes..." |
| 18:47 | Patrick Bile | "Do the things you do little and often... there's your reduction on burning out..." |
| 21:15 | Liz Pinder | "If you put a bad process into automation… you're going to have a bad playbook." |
| 23:12 | David Moulton | "These aren't just tech problems, they're human performance issues with real security outcomes." |
| 24:53 | Host | "South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds..." |
This CyberWire Daily episode delivers incisive coverage of news shaping the cybersecurity landscape, from severe corporate exposures and advanced nation-state threats to procedural and human pitfalls inside SOCs. It drives home the point that even as tools and attacks become more sophisticated, organizations remain vulnerable to simple oversights—both technical and human—and that better practices, processes, and attention to human performance are critical to effective cyber defense.