Lights out for Lumma. - CyberWire Daily

Summary

CyberWire Daily: "Lights out for Lumma" – May 22, 2025

Hosted by N2K Networks

Introduction

On the May 22, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive overview of the latest cybersecurity developments, including significant breaches, regulatory actions, and evolving threats. The episode culminates with an in-depth interview with David Holmes, CTO for Application Security at Imperva, who provides expert insights into the role of artificial intelligence (AI) in bot-driven cyber attacks and scams.

Key Highlights

1. Joint Operation Takes Down Luma Infrastructure

A major international collaboration involving U.S., EU, and Japanese authorities, supported by Microsoft and other cybersecurity firms, successfully dismantled the infrastructure behind Luma, a notorious infostealer malware also known as Luma C2. Since its emergence in 2023, Luma has infected over 10 million devices, exfiltrating sensitive data such as passwords, credit card information, and cryptocurrency wallets. According to the FBI, Luma facilitated approximately $36.5 million in credit card thefts in 2023 alone. Microsoft reported nearly 400,000 infections between March and May 2025.

“This takedown is a significant setback for cybercriminals, but they may attempt to rebuild,” warned the FBI at [02:30].

The operation successfully took down around 2,300 domains, disrupting communications between infected devices and Luma servers. Developed by a Russian actor known as Shamel, Luma was distributed via Telegram and utilized in phishing and malvertising campaigns, making it accessible even to low-skilled criminals through a subscription model.

2. FTC Finalizes Security Settlement with GoDaddy

The Federal Trade Commission (FTC) has imposed a security settlement on GoDaddy following years of data breaches attributed to inadequate security measures. The FTC identified critical lapses, including the absence of multi-factor authentication (MFA), improper software updates, and insufficient threat monitoring, which led to multiple breaches from 2019 to 2022. In one notable incident, attackers installed malware and stole source code after prolonged undetected access.

Under the settlement, GoDaddy is mandated to:

Implement MFA for all users, including non-phone options.
Ensure all software and firmware are regularly updated.
Establish a robust security program, including independent security assessments every two years.
Report any data exposure incidents within 10 days.

GoDaddy has acknowledged the changes but the settlement does not include any admission of fault or financial penalties.

“GoDaddy must not mislead customers about security,” stated the FTC spokesperson at [05:45].

3. Telemessage Breach Compromises US Officials’ Messages

A breach of Telemessage, a government-secured messaging service based on Signal, has exposed messages from over 60 US officials, including those from FEMA, Customs, the Secret Service, and even one White House staffer. Reuters, analyzing data leaked by Distributed Denial of Secrets, discovered intercepted chats that included sensitive travel discussions. Although much of the data was fragmentary, the breach heightens metadata-related counterintelligence risks.

“The breach raises significant concerns about the security of metadata,” noted a cybersecurity expert at [08:15].

Telemessage, which archives encrypted messages for compliance, went offline on May 5 after a Reuters photo revealed its use by former Trump national security adviser Mike Waltz. The White House has acknowledged the incident but has provided limited details.

In response, Signal Desktop has introduced a new screen security feature for Windows 11 to block screenshots and protect chats from Microsoft's Recall feature, enhancing user privacy against similar vulnerabilities.

4. Insider Breach at Opexus Affects Multiple Federal Agencies

Opexus, a software provider servicing nearly all US federal agencies, suffered a significant breach in February 2025 due to insider threats. Twin brothers Muneeb and Sahaib Akhtar, previously convicted hackers hired as engineers, allegedly accessed and deleted sensitive data from agencies including the IRS and GSA. The breach resulted in the permanent loss of records, including FOIA requests, and disrupted key systems.

A Mandiant report highlighted severe security lapses at Opexus, such as improper access controls during employee terminations and inadequate data security measures. As a result, the FBI is investigating, and federal agencies are reassessing their contracts with Opexus.

“The breach exposed critical vulnerabilities in contractor vetting and data security within government IT systems,” explained a Mandiant analyst at [10:50].

5. US Telecom Providers Fail to Notify Senate of Data Requests

An investigation led by Senator Ron Wyden revealed that major US telecom providers—AT&T, Verizon, and T-Mobile—failed to notify the Senate when law enforcement agencies requested data from Senate-issued devices. This oversight left senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the required notifications.

In response, all three companies have initiated compliance with the Senate's notification requirements for Senate-funded lines. However, gaps remain, particularly concerning personal and campaign devices commonly used by senators. T-Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate sergeant at arms, while AT&T and Verizon are limited to Senate-issued lines.

“We urge our colleagues to consider carriers that comply with notification requirements,” stated Senator Wyden at [12:20].

6. Dragon Force Ransomware Group Evolves

Dragon Force, an emerging ransomware group, is redefining the threat landscape with its aggressive tactics and strategic repositioning. Initially appearing in 2023 with a ransomware-as-a-service model, Dragon Force rebranded as a cartel in March 2025, allowing affiliates to use its infrastructure while branding their own campaigns. They have targeted both IT and virtualized environments and have reportedly collaborated with the Ransom Hub group, including defacing rival leak sites and attempting a hostile takeover of Ransom Hub's infrastructure.

Recent attacks by Dragon Force have included malware linked to Gold Harvest (Scattered Spider), a cybercriminal collective known for social engineering, MFA bypasses, and the use of infostealers. High-profile targets include UK retailers like Marks & Spencer, underscoring the group's sophisticated and adaptable nature.

“Organizations must reinforce social engineering defenses and monitor credentials to combat these evolving threats,” advised a Sophos security expert at [14:35].

7. Data Breach at UK’s Legal Aid Agency Exposes Domestic Abuse Survivors

A cyberattack on the UK's Legal Aid Agency has compromised the personal data of over 2 million individuals, including survivors of domestic abuse. The Ministry of Justice confirmed that applicants for legal aid since 2010 are affected, with exposed data including addresses, national IDs, and contact details. This breach poses significant risks, such as harassment, impersonation, and tracking of survivors.

The Ministry of Justice has refused to pay ransom and is proactively contacting vulnerable individuals, prioritizing abuse survivors, asylum seekers, and trafficking victims. Refuge, a charity supporting abuse survivors, warns that the data leak could escalate abuse campaigns despite a court injunction against distribution.

“We urge affected individuals to contact legal advisors immediately,” stated a Refuge spokesperson at [16:10].

8. Lexmark Discloses Critical Printer Vulnerability

Lexmark has identified a critical vulnerability in the embedded web server of over 120 printer models. The flaw combines a path traversal and concurrent execution issue, enabling remote attackers to access unauthorized files and execute arbitrary code. Exploiting this vulnerability could allow full compromise of affected printers.

Users are strongly advised to update their firmware to mitigate the threat and prevent potential exploitation.

“This vulnerability could allow attackers to fully compromise your Lexmark printer,” warned Lexmark's security team at [17:40].

In-Depth Interview: The Role of AI in Bot Attacks with David Holmes

In the latter part of the episode, Dave Bittner engages in a detailed conversation with David Holmes, CTO for Application Security at Imperva. They delve into the findings of the 2025 Bad Bot Report, highlighting the escalating sophistication and prevalence of bot-driven cyber threats.

Bot Traffic Surpasses Human Traffic

David Holmes explains that for the first time in over a decade, automated traffic surpassed human-generated traffic, constituting 51% of all web traffic. Of this, 37% is malicious automation, meaning approximately 80% of bot traffic is harmful, leaving only 20% as benign bots like web crawlers.

“The average Joe on the street has no idea that a hidden war is being fought across every website they visit,” said Dave Bittner at [15:23].

AI’s Dual Role in Bot Attacks

Holmes discusses how AI tools have lowered the barrier for cyber attackers. Even novice hackers can create malicious bots with minimal effort by leveraging AI-driven scripts.

“The number of accessible AI tools has significantly lowered the barrier of entry for cyber attackers,” Holmes noted at [16:34].
Advanced attackers utilize AI to refine their bots, making them more effective and harder to detect. This dual use of AI—both by low-skilled and highly skilled attackers—has expanded the complexity and volume of bot attacks.

“We’re seeing AI at both the simple end and the advanced end of the spectrum,” Holmes added at [17:00].

Common Evasion Tactics

Bots continuously evolve to evade detection. As soon as defenders identify and block a bot's fingerprint, the attackers adapt by modifying their tactics to bypass new defenses.

“It’s a constant retooling on their part to evade your fingerprint and continue conducting business,” Holmes explained at [18:04].

Exploitation of APIs

A significant concern highlighted is the exploitation of APIs by malicious bots. Holmes emphasizes that about half of the advanced malicious bots are attacking APIs, targeting high-value digital assets like bank accounts and airline reservations.

“It’s easier for them to directly machine to machine for their attack,” stated Holmes at [19:20].

Recommendations to Combat Bot Threats

Holmes outlines several strategies to mitigate bot attacks:

Implement Risk Identification: Understanding the value of assets and monitoring potential targets for attacks.
Enhance API Security: Evolving API defenses to address the increasing targeting by bots.
Use Automation in Defense: Leveraging automation and AI to defend against automated attacks, while acknowledging the need for human oversight.
Monitor and Respond Continuously: Establishing robust monitoring systems to detect and respond to bot activities promptly.

“It’s time for everybody to start evolving their API security,” Holmes urged at [20:25].

Future Outlook

Looking ahead, Holmes predicts a steady increase in malicious bot attacks due to the ease and cost-effectiveness of launching such attacks. Unlike seasonal spikes seen in previous years, bot attacks are expected to continue year-round, driven by the persistent financial incentives for cybercriminals.

“We’re not going to see as much seasonality and we’re just going to see more and more malicious attacks,” concluded Holmes at [21:44].

Conclusion

The "Lights out for Lumma" episode of CyberWire Daily provides a thorough examination of current cybersecurity challenges, from major malware takedowns and regulatory actions to sophisticated ransomware groups and critical data breaches. The feature interview with David Holmes offers valuable perspectives on the evolving landscape of bot-driven threats, emphasizing the critical role of AI in both facilitating and combating cyber attacks. Cybersecurity professionals and enthusiasts alike will find the episode's insights and recommendations crucial for navigating the increasingly complex digital defense environment.

For more detailed stories and updates, visit CyberWire Daily and subscribe to their daily briefing.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire network, powered by N2K.

David Holmes (0:12)

And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire a joint operation takes down Luma infrastructure the FTC finalizes a security settlement with GoDaddy. The telemessage breach compromised far more US officials than initially known Twin hackers allegedly breach a major federal software provider from the inside. US telecom providers fail to notify the Senate when law enforcement agencies request data from Senate issued devices. Dragon Force makes its mark on the ransomware front. A data leak threatens survivors of domestic abuse in the UK Lexmark discloses a critical vulnerability affecting over 120 printer models. Our guest is David Holmes, CTO for application security at Imperva, with insights on the role of AI in bot attacks and scammers. Ships stolen cash in squishmallows Foreign It's Thursday, May 22, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. Great to have you with us as always. A joint operation by us, EU and Japanese authorities, with help from Microsoft and other cybersecurity firms, has dismantled the infrastructure behind Luma, a major infostealer malware also known as Luma C2. The malware has infected millions of devices since 2023, stealing sensitive data like passwords, credit card info and cryptocurrency wallets. Luma was sold via subscription, making it easy for even low skilled criminals to exploit. The FBI tracked over 10 million infections and estimated $36.5 million in credit card thefts in 2023 alone. Microsoft identified nearly 400,000 infections between March and May of this year. The operation took down about 2,300 domains and disrupted communications between infected devices and Luma servers. Developed by a Russian actor known as Shamel, Luma has been marketed on Telegram and used in phishing and malvertising campaigns. The FBI warned that while this takedown is a blow, Luma's operations may attempt to rebuild. The Federal Trade Commission has finalized an order requiring GoDaddy to bolster its security after years of data breaches due to weak practices, the agency found GoDaddy lacked key protections like multi factor authentication, proper software updates and threat monitoring leading to breaches between 2019 and 2022. In one case, attackers installed malware and stole source code after years of undetected access. Under the new order, GoDaddy must not mislead customers about security, implement HTTPs for APIs, ensure software and firmware are updated, and set up a robust security program. The company must also add MFA for all users, including non phone options, and undergo independent security assessments every two years. GoDaddy must report any data exposure incidents within 10 days. While GoDaddy says it's already making changes, the settlement includes no admission of fault or fines. A hacker breach of Telemessage, a government used messaging service based on Signal compromised messages from over 60 US officials, far more than previously known. Reuters reviewed a cache of leaked data provided by Distributed Denial of Secrets. The material revealed intercepted chats from fema, Customs, the Secret Service, US Diplomats, and even one White House staffer. Though much of the data was fragmentary and not overtly sensitive, it included travel related discussions for senior officials. Telemessage, little known outside federal circles, became public after a Reuters photo showed former Trump national security adviser Mike Waltz using the app. The service, which archives encrypted messages for compliance, went offline May 5. The breach raises metadata related counterintelligence risks, experts say. While some users confirmed message authenticity, federal agencies have offered little comment. The White House acknowledged the cybersecurity incident but didn't elaborate on its use of the platform. Elsewhere, Signal Desktop has added a new screen security feature for Windows 11 to block screenshots and protected chats from Microsoft Recall, which captures app screenshots every few seconds. This setting, now enabled by default, uses a DRM flag to prevent content from appearing in Recall or similar tools. Signal made the move after Microsoft relaunched Recall despite prior backlash. While the setting may impact usability and accessibility, users can disable it with a warning. Signal urges OS vendors to better support privacy focused apps. Bloomberg reports that opexis, a software provider for nearly all US Federal agencies, suffered a major cyber breach in February caused by insider threats. Twin brothers Muneeb and Sahaib Akhtar, both convicted hackers hired as engineers despite their past, they allegedly accessed and deleted sensitive data across multiple agencies, including the IRS and gsa. The attack disrupted key systems and permanently erased records, including FOIA requests. The FBI is investigating, and federal agencies are reassessing contracts with opexus A Mandiant report revealed serious security lapses, including improper access during termination and file exfiltration, contradicting opex's public claims the breach exposed the vulnerabilities in contractor vetting and data security within government IT systems. Under contracts established in 2020, major US telecom providers at and T, Verizon and T Mobile are required to notify the Senate when law enforcement agencies request data from Senate issued devices. However, an investigation by Senator Ron Wyden revealed that these carriers failed to implement such notification systems, leaving senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the mandated notification. Following the investigation, all three companies have begun complying with the notification requirement for Senate funded lines. Nevertheless, significant gaps remain, particularly concerning personal and campaign devices, which are commonly used by Senators but fall outside the scope of current protections. While AT and T and Verizon limit notifications to Senate issued lines, T Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate sergeant at arms. Senator Wyden urges his colleagues to consider switching to carriers like T Mobile, Google, fi, US Mobile and cape, which have policies to inform customers of government surveillance demands whenever legally permissible. Dragon Force is a rising ransomware group reshaping the threat landscape through aggressive tactics and strategic repositioning, Sophos reports. First appearing in 2023 with a standard ransomware as a service model, the group rebranded in March of this year as a cartel, offering affiliates flexibility to use its infrastructure while branding their own campaigns. Dragon Force has targeted both IT and virtualized environments and reportedly teamed up, if contentiously, with the prolific Ransom Hub group. This included defacing rival leak sites and a potential hostile takeover of Ransom Hub's infrastructure. In recent attacks, Dragon Force linked malware was used by Gold Harvest, also known as Scattered Spider, a decentralized cybercriminal collective known for social engineering, MFA bypasses and use of infostealers. Attacks on UK retailers including Marks and Spencer, highlight their threat as internal feuds destabilize ransomware networks, organizations must reinforce social engineering defenses, monitor credentials and strengthen incident response to withstand unpredictable attacks from increasingly flexible and chaotic cybercrime groups. A CyberAttack on the UK's Legal Aid Agency has exposed sensitive data of over 2 million people, including survivors of domestic abuse, raising fears of imminent leaks. The Ministry of Justice confirmed that anyone who applied for legal aid since 2010 could be affected. Compromised data includes addresses, national IDs and contact details, potentially revealing the locations of confidential women's refuges. The MOJ has refused to pay ransom and is preparing to contact vulnerable individuals, prioritizing abuse survivors, asylum seekers and trafficking victims. Refuge, a charity supporting abuse survivors, warns the breach could escalate abuse campaigns, including harassment, impersonation or tracking survivors. While a court injunction has been issued against the data's distribution, it's unlikely to deter cybercriminals. Refuge is working to identify at risk individuals and urges anyone affected to contact legal advisors immediately. Lexmark has disclosed a critical vulnerability affecting the embedded web server in over 120 printer models. The flaw combines a path traversal and concurrent execution issue, allowing remote attackers to access unauthorized files and execute arbitrary code. If exploited, this vulnerability could let attackers fully compromise affected Lexmark printers. Users are urged to update firmware to mitigate the threat. Coming up after the break, my conversation with David Holmes from Imperva. We're discussing the role of AI in bot attacks and scammers ship stolen cash in squishmallows. Stay with us.