CyberWire Daily: "Lights out for Lumma" – May 22, 2025
Hosted by N2K Networks
Introduction
On the May 22, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive overview of the latest cybersecurity developments, including significant breaches, regulatory actions, and evolving threats. The episode culminates with an in-depth interview with David Holmes, CTO for Application Security at Imperva, who provides expert insights into the role of artificial intelligence (AI) in bot-driven cyber attacks and scams.
Key Highlights
1. Joint Operation Takes Down Lumma Infrastructure
A major international collaboration involving U.S., EU, and Japanese authorities, supported by Microsoft and other cybersecurity firms, successfully dismantled the infrastructure behind Lumma, a notorious infostealer malware also known as LummaC2. Since its emergence in 2023, Lumma has infected over 10 million devices, exfiltrating sensitive data such as passwords, credit card information, and cryptocurrency wallets. According to the FBI, Lumma facilitated approximately $36.5 million in credit card thefts in 2023 alone. Microsoft reported nearly 400,000 infections between March and May 2025.
“This takedown is a significant setback for cybercriminals, but they may attempt to rebuild,” warned the FBI at [02:30].
The operation took down around 2,300 domains, severing communications between infected devices and Lumma's command-and-control servers. Developed by a Russian actor known as Shamel, Lumma was distributed via Telegram and used in phishing and malvertising campaigns; its subscription model made it accessible even to low-skilled criminals.
2. FTC Finalizes Security Settlement with GoDaddy
The Federal Trade Commission (FTC) has imposed a security settlement on GoDaddy following years of data breaches attributed to inadequate security measures. The FTC identified critical lapses, including the absence of multi-factor authentication (MFA), improper software updates, and insufficient threat monitoring, which led to multiple breaches from 2019 to 2022. In one notable incident, attackers installed malware and stole source code after prolonged undetected access.
Under the settlement, GoDaddy is mandated to:
- Implement MFA for all users, including non-phone options.
- Ensure all software and firmware are regularly updated.
- Establish a robust security program, including independent security assessments every two years.
- Report any data exposure incidents within 10 days.
GoDaddy has acknowledged the changes but the settlement does not include any admission of fault or financial penalties.
“GoDaddy must not mislead customers about security,” stated the FTC spokesperson at [05:45].
3. TeleMessage Breach Compromises US Officials’ Messages
A breach of TeleMessage, a government-oriented messaging service built on a modified Signal client, has exposed messages from over 60 US officials, including staff from FEMA, Customs, the Secret Service, and one White House employee. Reuters, analyzing data leaked by Distributed Denial of Secrets, found intercepted chats that included sensitive travel discussions. Although much of the data was fragmentary, the breach heightens counterintelligence risks because message metadata (who spoke to whom, and when) is itself sensitive.
“The breach raises significant concerns about the security of metadata,” noted a cybersecurity expert at [08:15].
TeleMessage, which archives encrypted messages for compliance purposes, went offline on May 5 after a Reuters photo revealed its use by former Trump national security adviser Mike Waltz. The White House has acknowledged the incident but has provided limited details.
Separately, Signal Desktop has introduced a new screen security feature for Windows 11 that blocks screenshots and shields chats from Microsoft's Recall feature, reducing exposure to similar capture of message contents.
4. Insider Breach at Opexus Affects Multiple Federal Agencies
Opexus, a software provider servicing nearly all US federal agencies, suffered a significant breach in February 2025 due to insider threats. Twin brothers Muneeb and Sahaib Akhtar, previously convicted hackers hired as engineers, allegedly accessed and deleted sensitive data from agencies including the IRS and GSA. The breach resulted in the permanent loss of records, including FOIA requests, and disrupted key systems.
A Mandiant report highlighted severe security lapses at Opexus, such as improper access controls during employee terminations and inadequate data security measures. As a result, the FBI is investigating, and federal agencies are reassessing their contracts with Opexus.
“The breach exposed critical vulnerabilities in contractor vetting and data security within government IT systems,” explained a Mandiant analyst at [10:50].
5. US Telecom Providers Fail to Notify Senate of Data Requests
An investigation led by Senator Ron Wyden revealed that major US telecom providers (AT&T, Verizon, and T-Mobile) failed to notify the Senate when law enforcement agencies requested data from Senate-issued devices. This oversight left senators unaware of potential surveillance activities. One carrier even admitted to providing Senate data to law enforcement without the required notifications.
In response, all three companies have initiated compliance with the Senate's notification requirements for Senate-funded lines. However, gaps remain, particularly concerning personal and campaign devices commonly used by senators. T-Mobile has agreed to notify about surveillance requests on personal and campaign devices flagged by the Senate sergeant at arms, while AT&T and Verizon are limited to Senate-issued lines.
“We urge our colleagues to consider carriers that comply with notification requirements,” stated Senator Wyden at [12:20].
6. DragonForce Ransomware Group Evolves
DragonForce, an emerging ransomware group, is redefining the threat landscape with its aggressive tactics and strategic repositioning. Initially appearing in 2023 with a ransomware-as-a-service model, DragonForce rebranded as a cartel in March 2025, allowing affiliates to use its infrastructure while branding their own campaigns. It has targeted both IT and virtualized environments and has reportedly clashed with the RansomHub group, including defacing rival leak sites and attempting a hostile takeover of RansomHub's infrastructure.
Recent DragonForce attacks have included malware linked to Gold Harvest (Scattered Spider), a cybercriminal collective known for social engineering, MFA bypasses, and the use of infostealers. High-profile targets include UK retailers such as Marks & Spencer, underscoring the group's sophistication and adaptability.
“Organizations must reinforce social engineering defenses and monitor credentials to combat these evolving threats,” advised a Sophos security expert at [14:35].
7. Data Breach at UK’s Legal Aid Agency Exposes Domestic Abuse Survivors
A cyberattack on the UK's Legal Aid Agency has compromised the personal data of over 2 million individuals, including survivors of domestic abuse. The Ministry of Justice confirmed that applicants for legal aid since 2010 are affected, with exposed data including addresses, national IDs, and contact details. This breach poses significant risks, such as harassment, impersonation, and tracking of survivors.
The Ministry of Justice has refused to pay ransom and is proactively contacting vulnerable individuals, prioritizing abuse survivors, asylum seekers, and trafficking victims. Refuge, a charity supporting abuse survivors, warns that the data leak could escalate abuse campaigns despite a court injunction against distribution.
“We urge affected individuals to contact legal advisors immediately,” stated a Refuge spokesperson at [16:10].
8. Lexmark Discloses Critical Printer Vulnerability
Lexmark has identified a critical vulnerability in the embedded web server of over 120 printer models. The flaw chains a path traversal issue with a concurrent execution issue, enabling remote attackers to read unauthorized files and execute arbitrary code, up to full compromise of the affected printer.
Users are strongly advised to update their firmware to close the vulnerability before it can be exploited.
“This vulnerability could allow attackers to fully compromise your Lexmark printer,” warned Lexmark's security team at [17:40].
In-Depth Interview: The Role of AI in Bot Attacks with David Holmes
In the latter part of the episode, Dave Bittner engages in a detailed conversation with David Holmes, CTO for Application Security at Imperva. They delve into the findings of the 2025 Bad Bot Report, highlighting the escalating sophistication and prevalence of bot-driven cyber threats.
Bot Traffic Surpasses Human Traffic
David Holmes explains that for the first time in over a decade, automated traffic surpassed human-generated traffic, constituting 51% of all web traffic. Of this, 37% is malicious automation, meaning approximately 80% of bot traffic is harmful, leaving only 20% as benign bots like web crawlers.
“The average Joe on the street has no idea that a hidden war is being fought across every website they visit,” said Dave Bittner at [15:23].
AI’s Dual Role in Bot Attacks
Holmes discusses how AI tools have lowered the barrier for cyber attackers. Even novice hackers can create malicious bots with minimal effort by leveraging AI-driven scripts.
“The number of accessible AI tools has significantly lowered the barrier of entry for cyber attackers,” Holmes noted at [16:34].
Advanced attackers use AI to refine their bots, making them more effective and harder to detect. This dual use of AI, by low-skilled and highly skilled attackers alike, has expanded both the complexity and the volume of bot attacks.
“We’re seeing AI at both the simple end and the advanced end of the spectrum,” Holmes added at [17:00].
Common Evasion Tactics
Bots continuously evolve to evade detection. As soon as defenders identify and block a bot's fingerprint, the attackers adapt by modifying their tactics to bypass new defenses.
“It’s a constant retooling on their part to evade your fingerprint and continue conducting business,” Holmes explained at [18:04].
Exploitation of APIs
A significant concern highlighted is the exploitation of APIs by malicious bots. Holmes emphasizes that about half of the advanced malicious bots are attacking APIs, targeting high-value digital assets such as bank accounts and airline reservations, because API endpoints can be driven directly without a browser.
“It’s easier for them to directly machine to machine for their attack,” stated Holmes at [19:20].
Recommendations to Combat Bot Threats
Holmes outlines several strategies to mitigate bot attacks:
- Implement Risk Identification: Understanding the value of assets and monitoring potential targets for attacks.
- Enhance API Security: Evolving API defenses to address the increasing targeting by bots.
- Use Automation in Defense: Leveraging automation and AI to defend against automated attacks, while acknowledging the need for human oversight.
- Monitor and Respond Continuously: Establishing robust monitoring systems to detect and respond to bot activities promptly.
“It’s time for everybody to start evolving their API security,” Holmes urged at [20:25].
Future Outlook
Looking ahead, Holmes predicts a steady increase in malicious bot attacks due to the ease and cost-effectiveness of launching such attacks. Unlike seasonal spikes seen in previous years, bot attacks are expected to continue year-round, driven by the persistent financial incentives for cybercriminals.
“We’re not going to see as much seasonality and we’re just going to see more and more malicious attacks,” concluded Holmes at [21:44].
Conclusion
The "Lights out for Lumma" episode of CyberWire Daily provides a thorough examination of current cybersecurity challenges, from major malware takedowns and regulatory actions to sophisticated ransomware groups and critical data breaches. The feature interview with David Holmes offers valuable perspectives on the evolving landscape of bot-driven threats, emphasizing the critical role of AI in both facilitating and combating cyber attacks. Cybersecurity professionals and enthusiasts alike will find the episode's insights and recommendations crucial for navigating the increasingly complex digital defense environment.
For more detailed stories and updates, visit CyberWire Daily and subscribe to their daily briefing.
