CyberWire Daily: Lessons from the Latest Breach Reports
Episode Release Date: April 24, 2025
Host: N2K Networks
Introduction
In the April 24, 2025 episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity breach reports, providing a comprehensive analysis of the evolving threat landscape. The episode features insights from pivotal industry reports, expert analysis on sophisticated threat actors, significant security vulnerabilities, and an in-depth interview with Deputy Assistant Director Cynthia Kaiser from the FBI's Cyber Division.
Key Annual Reports: Verizon DBIR 2025 and Mandiant M-Trends 2025
Verizon 2025 Data Breach Investigations Report (DBIR)
Drawing from over 22,000 incidents and 12,000 confirmed breaches, the Verizon DBIR 2025 highlights critical shifts in cybersecurity:
- Top Attack Vectors: Credential abuse remains predominant, with vulnerability exploitation increasing by 34%.
- Ransomware Trends: Despite a decrease in ransom payouts, ransomware now appears in 44% of breaches, driven by a surge in zero-day exploits targeting VPNs and Edge accounts.
- Supply Chain Vulnerabilities: Breaches involving third-party vendors have doubled to 30%, emphasizing the need for robust supply chain security.
- Human Element: Social engineering and human error continue to play significant roles in successful attacks.
- Espionage: There's a noticeable rise in espionage-driven breaches, particularly within the manufacturing and healthcare sectors.
Verizon's Recommendations:
Verizon advocates for a layered security strategy, which includes:
- Enforcing strong password policies.
- Timely patching of vulnerabilities.
- Comprehensive employee training.
- Enhanced controls over third-party access.
Dave Bittner emphasizes the report's message:
"Cyber risks are expanding and proactive defense is no longer optional."
Mandiant M-Trends 2025 Report
Mandiant's report provides a nuanced view of the financial motivations behind cyber threats:
- Financially Motivated Attacks: Constitute 55% of all observed threat activity.
- Credential Theft: Reaches an all-time high at 16%, underscoring growing vulnerabilities.
- Targeted Industries: The financial sector is the most targeted, accounting for over 17% of cases.
- Dwell Time: Median dwell time within networks has increased to 11 days, indicating that detection capabilities are struggling to keep pace with sophisticated threats.
- Emerging Risks: Include infostealer malware, insecure cloud data repositories, insider threats from foreign IT operatives, and a surge in attacks on cryptocurrency and Web3 platforms.
Mandiant's Recommendations:
The report stresses the importance of multi-layered defense strategies, highlighting:
- Improved logging and proactive threat hunting.
- Strong identity and access controls.
- Adoption of FIDO2-compliant multi-factor authentication.
Dave summarizes:
"Organizations need to stay a step ahead by enhancing their defensive measures in response to these evolving threats."
Sophisticated Threat Actors and Emerging Vulnerabilities
Cisco Talos on ToyMaker and Cactus Threat Actors
Cisco Talos uncovered a sophisticated attack on critical infrastructure orchestrated by two distinct threat actors, ToyMaker and Cactus:
- ToyMaker: A financially motivated initial access broker that exploited internet-facing vulnerabilities to deploy a custom backdoor named LAGTOY, enabling remote command execution and credential theft.
- Cactus: Known for double-extortion ransomware tactics, Cactus took over after ToyMaker's initial breach, deploying ransomware after extensive data exfiltration and employing defense evasion techniques such as safe-mode reboots and credential hiding.
Key Insights:
- The operational handoff between ToyMaker and Cactus underscores the interconnected nature of modern cyber threats.
- The incident accentuates the necessity for organizations to model and recognize interconnected threats to bolster their defenses.
ARMO's Discovery of a Major Linux Security Flaw
Researchers at ARMO identified a significant security flaw in the Linux io_uring interface:
- Vulnerability: Because io_uring lets a process perform I/O without issuing the corresponding system calls, rootkits built on it can bypass traditional detection methods that rely on monitoring system calls.
- Demonstration: ARMO developed a stealthy rootkit named Curing, which executes commands without triggering alerts. Notably, security tools like Falco and Tetragon failed to detect it under default settings.
- Recommendations: Implement kernel runtime security instrumentation to monitor and mitigate such threats effectively.
- Availability: The Curing rootkit is publicly available on GitHub for testing, serving as a tool for further research and defense enhancement.
Ransomware Groups DragonForce and Anubis' New Business Models
SecureWorks reports on the evolving business models of the ransomware groups DragonForce and Anubis:
- DragonForce:
  - Evolution: Transitioned from a traditional ransomware-as-a-service operation to a cartel model.
  - Offerings: Provides shared infrastructure and management tools, allowing affiliates to deploy their own malware.
  - Impact: This flexible model potentially broadens DragonForce's affiliate base but introduces operational risks due to shared resources.
- Anubis:
  - Monetization Options: Offers multiple revenue streams, including ransom demands, extortion, and access sales.
  - Profit Sharing: Affiliates receive 50-80% of profits.
  - Pressure Tactics: Uses public shaming and threats to report breaches to regulators, increasing pressure on victims.
Observations:
These strategies reflect a shift toward decentralization in the ransomware ecosystem, particularly in response to disruptions faced by major players like LockBit. Experts note that while ransomware attacks persist, early signs indicate that profit-cutting measures may be beginning to influence the threat landscape.
In-Depth Interview: Deputy Assistant Director Cynthia Kaiser on Salt Typhoon
Overview of Salt Typhoon's Cyber Espionage Campaign
Dave Bittner welcomes Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division to discuss the latest developments regarding Salt Typhoon, a group affiliated with the Chinese government.
Key Points from Kaiser:
- Scope of the Campaign: Salt Typhoon orchestrated a broad cyber espionage campaign targeting commercial telecommunications infrastructure. The group breached multiple telecom companies with the objectives of:
  - Stealing customer call record data.
  - Compromising the private communications of selected individuals.
  - Copying sensitive information related to law enforcement.
- Impact on U.S. Citizens: Kaiser emphasizes the indiscriminate nature of the data collection:
  "China is collecting vast swaths of data, including information on 13-year-olds. This data is forever, impacting individuals' privacy and security for years to come."
- Future Risks: The extensive data harvested can significantly bolster China's AI efforts, allowing for the training of models that can identify patterns relevant to intelligence objectives.
  "The sum of all this data is really dangerous, just even a few years in the future."
FBI's Response and Call to Action
Kaiser outlines the FBI's proactive measures:
- Investigation and Attribution: The FBI has a long history of disrupting botnets and malicious activities, citing the disruption of a botnet used by Volt Typhoon over a year ago.
- Collaboration and Support: The FBI has been actively notifying affected companies, providing technical assistance, and collaborating with government and intelligence partners to share threat intelligence and indicators of compromise.
- Public Involvement: Kaiser calls for public assistance in identifying individuals involved with Salt Typhoon:
  "FBI has issued a request for information about the individuals who compromised these companies or who might make up this Salt Typhoon group."
  She highlights the Department of State's Rewards for Justice program, offering up to $10 million for information leading to the identification of foreign government-linked individuals involved in malicious cyber activities against U.S. critical infrastructure.
- Best Practices for Defense: The FBI, along with government partners, has released a guide with best practices to enhance network visibility and secure network devices against exploitation by state-affiliated cyber actors.
Notable Quote:
"China has the data they steal forever. So if they're collecting these vast swaths of data and a 13-year-old's data is included, China has that child's information ever."
— Cynthia Kaiser [11:36]
Global Cybersecurity Trends and Observations
Internet Shutdowns and Digital Blackouts
The episode highlights a significant trend in global cybersecurity dynamics:
- Pause on Internet Shutdowns: According to Cloudflare's Q1 report, there were no new government-mandated internet blackouts in 2025. These shutdowns are typically employed during elections, protests, or significant events to control the flow of information.
- Possible Reasons for the Pause:
  - Reduced Protests and National Exams: Fewer triggers for governments to enforce blackouts.
  - Shifts in External Support and Regulations: NetBlocks' Alp Toker suggests deeper shifts, such as the reduction of U.S. aid programs and increased compliance by social media platforms with government censorship requests, leaving regimes with fewer reasons to initiate shutdowns.
- Environmental Factors: Natural disasters such as fires, storms, and earthquakes continue to affect network stability globally, in regions from New Jersey to Myanmar.
Expert Insight:
While the current pause is positive, experts caution that it may be temporary, suggesting ongoing vigilance is necessary.
Conclusion
The April 24, 2025 episode of CyberWire Daily provides a thorough examination of the current cybersecurity landscape, emphasizing the persistent and evolving nature of cyber threats. From the detailed analyses of the Verizon DBIR and Mandiant M-Trends reports to insights on sophisticated threat actors and significant vulnerabilities, the episode underscores the critical need for robust, layered security strategies. The interview with FBI Deputy Assistant Director Cynthia Kaiser offers a sobering perspective on state-sponsored cyber espionage and the broader implications for U.S. national security and individual privacy. As cyber threats continue to adapt and grow in complexity, CyberWire Daily remains an essential resource for staying informed and prepared.
Notable Quotes:
- "Cyber risks are expanding and proactive defense is no longer optional."
  — Dave Bittner [05:10]
- "China has the data they steal forever. So if they're collecting these vast swaths of data and a 13-year-old's data is included, China has that child's information ever."
  — Cynthia Kaiser [11:36]
- "The sum of all this data is really dangerous, just even a few years in the future."
  — Cynthia Kaiser [14:15]
Sources:
- Verizon 2025 Data Breach Investigations Report
- Mandiant M-Trends 2025 Report
- Cisco Talos Threat Reports
- ARMO Security Flaw Disclosure
- SecureWorks Ransomware Group Analysis
- Cloudflare Q1 Report on Internet Shutdowns
- Interview with Deputy Assistant Director Cynthia Kaiser, FBI Cyber Division
For more detailed insights and daily cybersecurity updates, subscribe to CyberWire Daily and stay ahead in the rapidly changing world of cybersecurity.
