Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.

Verizon and Mandiant call for layered defenses against evolving threats. Cisco Talos describes ToyMaker and Cactus threat actors. Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods. Ransomware groups are experimenting with new business models. Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon, and global censorship takes a coffee break.

It's Thursday, April 24, 2024. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us again here today. It's great to have you with us.

Two of the cybersecurity industry's most anticipated annual reports, the Verizon 2025 Data Breach Investigations Report (the DBIR) and Mandiant's M-Trends 2025 report, offer a revealing look at the evolving threat landscape. Drawing on tens of thousands of real-world incidents, both reports provide critical insights into how threat actors operate, what vulnerabilities they exploit, and which sectors are most at risk. Together, they highlight rising trends in credential theft, ransomware, supply chain attacks and the persistent human element in security breaches.

The 2025 Verizon Data Breach Investigations Report reveals critical shifts in the cybersecurity landscape, drawing insights from over 22,000 incidents and over 12,000 confirmed breaches. Credential abuse and vulnerability exploitation remain the top attack vectors, with the latter jumping 34%, driven by a surge in zero-day exploits targeting VPNs and edge accounts. Ransomware continues its relentless rise, now appearing in 44% of breaches despite a dip in ransom payouts. Alarmingly, breaches involving third-party vendors have doubled to 30%, underscoring growing supply chain vulnerabilities. Human error and manipulation, especially through social engineering, remain a major factor in successful attacks. Espionage-driven breaches are also on the rise, particularly in manufacturing and healthcare, suggesting a shift in threat actor priorities. To counter these evolving threats, Verizon recommends a layered security strategy: enforcing strong password policies, timely vulnerability patching, robust employee training and tighter controls over third-party access. The report makes it clear: cyber risks are expanding and proactive defense is no longer optional.

The Mandiant M-Trends 2025 report paints a clear picture of an evolving cyber threat landscape marked by a rise in financially motivated attacks, now making up 55% of all observed threat activity. Exploits remain the leading entry point for attackers, but the use of stolen credentials has reached an all-time high at 16%, highlighting a growing vulnerability. The financial sector emerged as the most targeted industry, involved in over 17% of all cases studied. Meanwhile, attackers are lingering longer within networks, with the median dwell time increasing to 11 days, a sign that detection capabilities may be lagging behind the sophistication of modern threats. New and evolving risks include the growing presence of infostealer malware, insecure cloud data repositories, insider threats from foreign IT operatives, and a surge in attacks on cryptocurrency and Web3 platforms. In response, Mandiant stresses the need for multi-layered defense strategies, emphasizing better logging, proactive threat hunting, strong identity and access controls, and adoption of FIDO2-compliant multi-factor authentication to help organizations stay a step ahead.

In 2023, Cisco Talos uncovered a sophisticated attack on critical infrastructure involving two threat actors, ToyMaker and Cactus. ToyMaker, a financially motivated initial access broker, breached the organization by exploiting internet-facing vulnerabilities and deployed a custom backdoor, LAGTOY. This tool enabled remote command execution and credential theft. After initial reconnaissance and credential harvesting, ToyMaker handed off access to Cactus, a ransomware group known for double extortion. Cactus launched a full-scale attack using various remote tools, creating malicious accounts and eventually deploying ransomware. Their tactics included extensive data exfiltration and defense evasion, such as safe mode reboots and credential hiding. The incident highlights the operational handoff between access brokers and ransomware actors and underscores the need for organizations to recognize and model interconnected threats for better defense.

Researchers at ARMO discovered a major Linux security flaw involving the io_uring interface, which allows rootkits to bypass traditional detection methods that rely on monitoring system calls. To demonstrate this, they created a stealthy rootkit called Curing that uses io_uring to execute commands without triggering alerts. Most security tools, including Falco and Tetragon in default settings, failed to detect it. ARMO recommends Kernel Runtime Security Instrumentation for monitoring such threats, and Curing is now publicly available for testing on GitHub.

Ransomware groups like DragonForce and Anubis are experimenting with new business models to attract affiliates and boost profits. According to Secureworks, DragonForce, which began as a traditional ransomware-as-a-service operation, has rebranded as a cartel, offering hackers shared infrastructure and management tools while allowing them to use their own malware. This flexible model may broaden its affiliate base, though shared resources introduce operational risks. Meanwhile, Anubis offers multiple monetization options (ransom, extortion and access sales), sharing 50 to 80% of profits with affiliates. It also increases pressure on victims through public shaming and threats to report breaches to regulators. These evolving strategies reflect a shift towards decentralization in the ransomware ecosystem, especially following disruptions to major players like LockBit. While ransomware attacks continue, experts note early signs that profit-cutting efforts may be impacting the threat landscape.

Coming up after the break, Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division is back with the latest on Salt Typhoon, and global censorship takes a coffee break. Stay with us.

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000.

It is my pleasure to welcome back to the show Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division. DAD Kaiser, welcome back.
