Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.

Verizon and Mandiant call for layered defenses against evolving threats. Cisco Talos describes the ToyMaker and Cactus threat actors. Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods. Ransomware groups are experimenting with new business models. Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon, and global censorship takes a coffee break. It's Thursday, April 24, 2024. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us again here today. It's great to have you with us. Two of the cybersecurity industry's most anticipated annual reports, the Verizon 2025 Data Breach Investigations Report (the DBIR) and Mandiant's M-Trends 2025 report, offer a revealing look at the evolving threat landscape. Drawing on tens of thousands of real-world incidents, both reports provide critical insights into how threat actors operate, what vulnerabilities they exploit, and which sectors are most at risk. Together, they highlight rising trends in credential theft, ransomware, supply chain attacks and the persistent human element in security breaches.
The 2025 Verizon Data Breach Investigations Report reveals critical shifts in the cybersecurity landscape, drawing insights from over 22,000 incidents and over 12,000 confirmed breaches. Credential abuse and vulnerability exploitation remain the top attack vectors, with the latter jumping 34%, driven by a surge in zero-day exploits targeting VPNs and edge accounts. Ransomware continues its relentless rise, now appearing in 44% of breaches despite a dip in ransom payouts. Alarmingly, breaches involving third-party vendors have doubled to 30%, underscoring growing supply chain vulnerabilities. Human error and manipulation, especially through social engineering, remain a major factor in successful attacks. Espionage-driven breaches are also on the rise, particularly in manufacturing and healthcare, suggesting a shift in threat actor priorities. To counter these evolving threats, Verizon recommends a layered security strategy: enforcing strong password policies, timely vulnerability patching, robust employee training and tighter controls over third-party access. The report makes it clear: cyber risks are expanding and proactive defense is no longer optional. The Mandiant M-Trends 2025 report paints a clear picture of an evolving cyber threat landscape marked by a rise in financially motivated attacks, now making up 55% of all observed threat activity. Exploits remain the leading entry point for attackers, but the use of stolen credentials has reached an all-time high at 16%, highlighting a growing vulnerability. The financial sector emerged as the most targeted industry, involved in over 17% of all cases studied. Meanwhile, attackers are lingering longer within networks, with the median dwell time increasing to 11 days, a sign that detection capabilities may be lagging behind the sophistication of modern threats.
New and evolving risks include the growing presence of infostealer malware, insecure cloud data repositories, insider threats from foreign IT operatives, and a surge in attacks on cryptocurrency and Web3 platforms. In response, Mandiant stresses the need for multi-layered defense strategies, emphasizing better logging, proactive threat hunting, strong identity and access controls, and adoption of FIDO2-compliant multi-factor authentication to help organizations stay a step ahead. In 2023, Cisco Talos uncovered a sophisticated attack on critical infrastructure involving two threat actors, ToyMaker and Cactus. ToyMaker, a financially motivated initial access broker, breached the organization by exploiting internet-facing vulnerabilities and deployed a custom backdoor, LAGTOY. This tool enabled remote command execution and credential theft. After initial reconnaissance and credential harvesting, ToyMaker handed off access to Cactus, a ransomware group known for double extortion. Cactus launched a full-scale attack using various remote tools, creating malicious accounts and eventually deploying ransomware. Their tactics included extensive data exfiltration and defense evasion, such as safe mode reboots and credential hiding. The incident highlights the operational handoff between access brokers and ransomware actors and underscores the need for organizations to recognize and model interconnected threats for better defense. Researchers at ARMO discovered a major Linux security flaw involving the io_uring interface, which allows rootkits to bypass traditional detection methods that rely on monitoring system calls. To demonstrate this, they created a stealthy rootkit called Curing that uses io_uring to execute commands without triggering alerts. Most security tools, including Falco and Tetragon in default settings, failed to detect it.
ARMO recommends kernel runtime security instrumentation for monitoring such threats, and Curing is now publicly available for testing on GitHub. Ransomware groups like DragonForce and Anubis are experimenting with new business models to attract affiliates and boost profits. According to Secureworks, DragonForce, which began as a traditional ransomware-as-a-service operation, has rebranded as a cartel, offering hackers shared infrastructure and management tools while allowing them to use their own malware. This flexible model may broaden its affiliate base, though shared resources introduce operational risks. Meanwhile, Anubis offers multiple monetization options (ransom, extortion and access sales), sharing 50 to 80% of profits with affiliates. It also increases pressure on victims through public shaming and threats to report breaches to regulators. These evolving strategies reflect a shift towards decentralization in the ransomware ecosystem, especially following disruptions to major players like LockBit. While ransomware attacks continue, experts note early signs that profit-cutting efforts may be impacting the threat landscape. Coming up after the break, Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division is back with the latest on Salt Typhoon, and global censorship takes a coffee break. Stay with us.

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to SpecterOps.io today to learn more. SpecterOps: see your attack paths the way adversaries do. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000 off. It is my pleasure to welcome back to the show Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division. DAD Kaiser, welcome back.
Cynthia Kaiser
Thank you for having me back.
Dave Bittner
You and your colleagues have recently published a new PSA, and this is covering Salt Typhoon. What would you like folks to know about that?
Cynthia Kaiser
So, as I'm sure most listeners have been tracking, the FBI has been conducting a major investigation into the hacking of commercial telecommunications infrastructure by actors affiliated with the Chinese government, tracked in open source reporting as Salt Typhoon. And really it's revealed a broad and significant cyber espionage campaign. And to be more specific, we've identified that the Chinese actors broke into the networks of multiple telecom companies with several aims in mind: to steal customer call records data, to compromise the private communications of a limited number of individuals, and to copy certain sensitive information related to law enforcement. And I think that what I want to make sure people are walking away and thinking about is, it's indicative of this activity, it's indicative of what we've come to see from China. But it's also a new level of insidiousness and a striking example of how cyber espionage looks and feels different than it has before. And when I say that, I mean what's remarkable is this kind of enormous and seemingly indiscriminate collection of call records and data about American people. And like, that's your friends, that's fellow citizens, that's our family members. And to me as a mom, when I think about family members' data being stolen, I'm thinking about my kids. China has the data they steal forever. And so if they're collecting these vast swaths of data and a 13-year-old's data is included, China has that child's information forever. And can you imagine a world in which China would have been spying on you as a 13-year-old? Like, it feels preposterous, right? But it's what our kids have to deal with now in this modern day and age. And that's gonna stay with them no matter what careers or risks they choose in the future. And so as we've been diving deep into this investigation, we have that in mind. We have in mind the impact to the folks in Washington who are having their communications targeted.
We also have in mind though the victims that don't even kind of understand that they're victims yet. And that's what's most concerning about this just broad campaign.
Dave Bittner
What are some of the specific perils here? I mean, a nation state collecting this sort of detailed information on U.S. citizens. What's the potential future issue with that?
Cynthia Kaiser
China has been collecting for years lots of different types of information, personal information, personal identifying information, other types of content. And we know that they pull all that back and they bring it into this vast data lake. And lake seems like a weird word for how much data they have. I mean, maybe it's a vast data ocean at this point of the type of information they're collecting. And what they can do now versus in the future is also very different. Now they are able to go through that data and try to match it with various intelligence objectives they might have. But in the future, think about how all of that data can fuel their AI efforts. So using that data and training it to identify patterns over time for their own intelligence objectives, but then also just using that data to fuel their own models. It's really concerning from our end that the sum of all of this data that's collected could be really dangerous just even a few years in the future.
Dave Bittner
I think some folks, I think justifiably have maybe a sense of helplessness when it comes to this sort of thing. You know, their data was collected. They were unaware that it happened. Are there reassurances that you can provide from a federal law enforcement agency that you all are on the case to make sure that this sort of thing doesn't happen again?
Cynthia Kaiser
Absolutely. So I think there's a few aspects here on this, which is, FBI isn't just relying on net defenders to keep malicious actors out. Over the past year, we've been heavily involved in investigating, attributing, and countering this type of activity. In fact, a little over a year ago, we announced a huge disruption of a botnet used by Volt Typhoon. So for your listeners, a botnet's a network of hundreds or thousands of compromised devices, often used to hide or power malicious activity. And in this case, the Volt Typhoon botnet was made up of hundreds of US home and small business routers. And so we're able to take our investigations and really identify ways to take adversaries offline. And as for the FBI's efforts in this case, since we discovered the compromise, our response has been nonstop. We, of course, immediately notified the affected companies and remained engaged with them, providing our technical assistance wherever we can. We've collaborated with partners across the government and intelligence community, and we've rapidly shared what we've learned with other potential victims. And then every day we're bringing in new evidence, which we turn around and add to our larger threat picture, and give indicators of compromise we've identified to victims directly to assist them in their remediation efforts, as well as put them out for net defenders so that they can protect their networks from these insidious incidents. For example, we put out a guide in December with our government partners, and within there we were able to provide best practices to strengthen visibility and harden network devices against successful exploitation carried out by China-affiliated and other malicious cyber actors. But we're not done, and we don't know everything.
And that's why I'm really glad we're talking today, because FBI has issued an announcement to request information from the public about these China-affiliated actors that most people know of as Salt Typhoon and their compromise of multiple telecom companies. In particular, we're seeking information about the individuals who compromised these companies or who might make up this Salt Typhoon group, as well as anyone who has knowledge of other Salt Typhoon activity. And that is great for you to provide as a patriot or as a global citizen. But I also want to note that the Department of State's Rewards for Justice program offers a reward of up to $10 million for information on foreign government-linked individuals participating in certain malicious cyber activities against US critical infrastructure. So if you have any of that information, we'd love for you to contact your local FBI Field Office, go to ic3.gov, or submit tips to the Rewards for Justice program, and that information is listed in our public announcement.
Dave Bittner
Cynthia Kaiser is Deputy Assistant Director with the FBI's Cyber Division. DAD Kaiser, thanks so much for joining us today.
Cynthia Kaiser
Thank you for having me.
Dave Bittner
Bad actors don't break in. They log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.

And finally, 2025 opened with a noteworthy global phenomenon: governments pressing pause on internet shutdowns. According to Cloudflare's Q1 report, not a single new government-mandated internet blackout was recorded. These digital blackouts, often tied to elections, protests or even school exams, have long been a tool for control. But the sudden lull has analysts scratching their heads. Cloudflare suggests fewer protests and national exams may be a factor, while NetBlocks' Alp Toker points to deeper shifts, like the shuttering of U.S. aid programs and increased compliance from social media platforms with government censorship requests. With fewer objectionable voices online, regimes have less reason to pull the plug. Still, Mother Nature didn't get the memo. Fires, storms and earthquakes knocked out networks from New Jersey to Myanmar. While the pause in shutdowns is welcome, experts warn it may be short-lived.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben.
Peter Kilpie is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
CyberWire Daily: Lessons from the Latest Breach Reports
Episode Release Date: April 24, 2025
Host: N2K Networks
In the April 24, 2025 episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity breach reports, providing a comprehensive analysis of the evolving threat landscape. The episode features insights from pivotal industry reports, expert analysis on sophisticated threat actors, significant security vulnerabilities, and an in-depth interview with Deputy Assistant Director Cynthia Kaiser from the FBI's Cyber Division.
Drawing from over 22,000 incidents and 12,000 confirmed breaches, the Verizon DBIR 2025 highlights critical shifts in cybersecurity:
Verizon's Recommendations:
Verizon advocates for a layered security strategy, which includes:
Dave Bittner emphasizes the report's message:
"Cyber risks are expanding and proactive defense is no longer optional."
Mandiant's report provides a nuanced view of the financial motivations behind cyber threats:
Mandiant's Recommendations:
The report stresses the importance of multi-layered defense strategies, highlighting:
Dave summarizes:
"Organizations need to stay a step ahead by enhancing their defensive measures in response to these evolving threats."
Cisco Talos uncovered a sophisticated attack on critical infrastructure orchestrated by two distinct threat actors, Toymaker and Cactus:
Key Insights:
Researchers at ARMO identified a significant security flaw in the Linux io_uring interface:
Secureworks reports on the evolving business models of the ransomware groups DragonForce and Anubis:
DragonForce:
Anubis:
Observations:
These strategies reflect a shift towards decentralization in the ransomware ecosystem, particularly in response to disruptions faced by major players like LockBit. Experts note that while ransomware attacks persist, early signs indicate that profit-cutting measures may be beginning to influence the threat landscape.
Dave Bittner welcomes Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division to discuss the latest developments regarding Salt Typhoon, a group affiliated with the Chinese government.
Key Points from Kaiser:
Scope of the Campaign:
Salt Typhoon orchestrated a broad cyber espionage campaign targeting commercial telecommunications infrastructure. The group breached multiple telecom companies with objectives to:
Impact on U.S. Citizens:
Kaiser emphasizes the indiscriminate nature of the data collection:
"China is collecting vast swaths of data, including information on 13-year-olds. This data is forever, impacting individuals' privacy and security for years to come."
Future Risks:
The extensive data harvested can significantly bolster China’s AI efforts, allowing for the training of models that can identify patterns relevant to intelligence objectives.
"The sum of all this data is really dangerous, just even a few years in the future."
Kaiser outlines the FBI's proactive measures:
Investigation and Attribution:
The FBI has a long history of disrupting botnets and malicious activities, citing the disruption of a botnet used by Volt Typhoon over a year ago.
Collaboration and Support:
The FBI has been actively notifying affected companies, providing technical assistance, and collaborating with government and intelligence partners to share threat intelligence and indicators of compromise.
Public Involvement:
Kaiser calls for public assistance in identifying individuals involved with Salt Typhoon:
"FBI has issued a request for information about the individuals who compromised these companies or who might make up this Salt Typhoon group."
She highlights the Department of State's Rewards for Justice program, offering up to $10 million for information leading to the identification of foreign government-linked individuals involved in malicious cyber activities against U.S. critical infrastructure.
Best Practices for Defense:
The FBI, along with government partners, has released a guide with best practices to enhance network visibility and secure network devices against exploitation by state-affiliated cyber actors.
Notable Quote:
"China has the data they steal forever. So if they're collecting these vast swaths of data and a 13-year-old's data is included, China has that child's information forever."
— Cynthia Kaiser [11:36]
The episode highlights a significant trend in global cybersecurity dynamics:
Pause on Internet Shutdowns:
According to Cloudflare’s Q1 report, there were no new government-mandated internet blackouts in 2025. These shutdowns are typically employed during elections, protests, or significant events to control information flow.
Possible Reasons for the Pause:
Environmental Factors:
Natural disasters like fires, storms, and earthquakes continue to impact network stability globally, affecting regions from New Jersey to Myanmar.
Expert Insight:
While the current pause is positive, experts caution that it may be temporary, suggesting ongoing vigilance is necessary.
The April 24, 2025 episode of CyberWire Daily provides a thorough examination of the current cybersecurity landscape, emphasizing the persistent and evolving nature of cyber threats. From the detailed analyses of the Verizon DBIR and Mandiant M Trends reports to insights on sophisticated threat actors and significant vulnerabilities, the episode underscores the critical need for robust, layered security strategies. The interview with FBI Deputy Assistant Director Cynthia Kaiser offers a sobering perspective on state-sponsored cyber espionage and the broader implications for U.S. national security and individual privacy. As cyber threats continue to adapt and grow in complexity, CyberWire Daily remains an essential resource for staying informed and prepared.
Notable Quotes:
"Cyber risks are expanding and proactive defense is no longer optional."
— Dave Bittner [05:10]
"The sum of all this data is really dangerous, just even a few years in the future."
— Cynthia Kaiser [14:15]
Sources:
For more detailed insights and daily cybersecurity updates, subscribe to CyberWire Daily and stay ahead in the rapidly changing world of cybersecurity.