Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions and security teams worldwide. See it in action now at maltego.com.

Researchers uncover a new Windows zero-day. A covert Chinese-linked network targets recently laid-off US government workers. Malicious NPM packages are found injecting persistent reverse shell backdoors. A macOS malware loader evolves. DrayTek router disruptions affect users worldwide. A new report warns of growing cyber risks to the commercial space sector. CISA issues four ICS advisories. U.S. Marshals arrest a key suspect in a multimillion-dollar cryptocurrency heist. Our guest is Brian Levine, co-founder and CEO of FormerGov.com, speaking about creating a networking directory for former government and military professionals. And the UK's NCSC goes full influencer to promote 2FA.

It's Wednesday, March 26, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.

A new zero-day vulnerability affects all Windows versions from Windows 7 and Server 2008 R2 up through Windows 11 and Server 2025. Researchers at 0patch say the flaw allows attackers to steal NTLM authentication credentials just by tricking users into viewing a malicious file in Windows Explorer. No clicks required. It can be triggered through shared folders, USB drives or files downloaded from malicious websites. Though similar in impact to a previously recorded CVE, this issue is technically distinct and previously undocumented.
Security researchers have reported the flaw to Microsoft and released temporary micropatches via 0patch, free until an official fix is issued. This marks the fourth zero-day from the same research team. The patches cover a broad range of Windows systems and deploy automatically with no reboot needed.

A covert Chinese-linked network is allegedly targeting recently laid-off U.S. government workers with fake job ads, aiming to gather sensitive information. Researcher Max Lesser found the campaign uses bogus consulting firms with overlapping websites and fake contact details. One firm, River Merge Strategies, posted ads for roles requiring government experience, with connections traced to a Chinese tech company. Some ads ran on LinkedIn and Craigslist, but were later deleted. Reuters couldn't confirm whether any hires occurred or direct ties to the Chinese government. U.S. officials warn these tactics mirror past Chinese espionage operations. The FBI confirmed that foreign intelligence often uses fake recruiters to exploit former federal workers' financial vulnerability. The firm's activity raises concerns about national security, especially amid recent federal workforce layoffs.

Two malicious NPM packages were found injecting persistent reverse shell backdoors into legitimate, locally installed packages. Even if the malicious packages are removed, the backdoor remains active, ReversingLabs discovered. The attack replaces files in the popular ethers package with trojanized versions that fetch further payloads from a remote server. The tactic is stealthy and dangerous, targeting developers through clever installer scripts. Additional linked packages were also identified. Developers are urged to scan environments and verify package legitimacy.

The macOS malware loader ReaderUpdate has evolved, now existing in five variants compiled in Python, Crystal, Nim, Rust, and Go, according to SentinelOne.
Originally seen in 2020, it still deploys the Genieo adware, but now spreads through trojanized software installers on third-party download sites. The Go variant collects system information and can execute remote commands, hinting at broader malware potential. While current payloads are adware, ReaderUpdate's design suggests it could be used for more serious threats under a malware-as-a-service model.

A wave of DrayTek router disruptions is affecting users worldwide, causing devices to enter constant reboot loops. The issue began around March 22 and appears linked to the exploitation of known vulnerabilities. Security firm GreyNoise observed active attacks on three DrayTek flaws, including remote code execution and directory traversal bugs. Affected regions include the UK, Vietnam, Germany and others. ISPs confirm that outdated firmware is a key risk factor. DrayTek urges users to disconnect from the WAN and update firmware immediately. Additional steps include disabling remote access features, enabling two-factor authentication, and applying ACLs. The disruptions impact both consumers and businesses, with instability reported across various sectors. Security researchers continue to track live attacks, urging quick action to prevent further outages.

The EU's cybersecurity agency ENISA has released a new Space Threat Landscape Report warning of growing cyber risks to the commercial space sector. With over 10,000 satellites in orbit, most privately owned, space infrastructure now supports critical services like Internet access, logistics tracking and remote monitoring. ENISA warns that cyberattacks could trigger cascading effects, from service disruptions to geopolitical tensions. The report highlights vulnerabilities from commercial off-the-shelf components, legacy systems, weak encryption and human error. ENISA recommends security by design, strong encryption, regular patching, and adopting zero trust principles.
Despite space being classified as an essential sector under the NIS 2 directive, many operators still struggle with compliance. The report underscores the urgent need for robust cybersecurity as digital threats to space systems grow alongside sector expansion.

CISA issued four ICS advisories revealing critical vulnerabilities in ABB, Rockwell Automation, and Inaba Denki Sangyo products. Flaws with CVSS scores up to 9.3 could enable denial of service, device takeovers or unauthorized access in systems used across the oil, gas and manufacturing sectors. While ABB and Rockwell have released patches, Inaba Denki Sangyo's device remains unpatched. CISA urges immediate mitigation, including firmware updates, network segmentation, limiting physical access, and secure remote access to protect critical infrastructure.

U.S. Marshals have reportedly arrested Veer Chetal, also known as Wiz, a key suspect in a $243 million cryptocurrency heist. According to blockchain investigator ZachXBT, the September 2024 scam involved phishing tactics where hackers impersonated Google and Gemini support to trick a victim into resetting their two-factor authentication. Chetal, along with two co-conspirators, then looted the victim's crypto holdings. ZachXBT traced the stolen funds and exposed how the group laundered money to fund a lavish lifestyle. Chetal's arrest marks a major breakthrough in the case. The incident highlights the critical need for strong personal cybersecurity practices. No software can replace user vigilance when facing sophisticated phishing threats. Investigations into the broader scam and remaining suspects are ongoing.

Coming up after the break, my conversation with Brian Levine from FormerGov.com about creating a networking directory for former government and military professionals, and the UK's NCSC goes full influencer. Stay with us.

Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com.

Brian Levine is co-founder and CEO of FormerGov.com. I caught up with him for insights on creating a networking directory for former government and military professionals.
Brian Levine
So I am a former cybercrime prosecutor with the U.S. Department of Justice, and I was national coordinator for the other 300 cybercrime prosecutors around the country. So I have a very large network of former government people. I have about 13,000 LinkedIn connections and I have LinkedIn Premium. And so I started getting referral requests, requests for attorneys based on what they used to do in government. So the request might be, I need a former prosecutor from the District of Connecticut who's now doing white collar defense. And I was very excited to help with these requests because I am sort of a natural yenta or matchmaker, if you will. And that's true for romance, it's true for work. Anytime I can connect two people together, I feel happy about that. And I thought I'd be really good at this because I have such a big network of people who are sort of right for these requests. So I went to LinkedIn and I found that it was surprisingly hard to find these people. I tried Google, I tried AI, I tried front pages, and it was just taking way too long. So I reached out to a colleague of mine, Max Lang, who is an expert in digital marketing and the Internet. And I said, I know that I'm supposedly a cyber expert, but you're going to have to teach me to use the Internet. And he was really excited to prove that he was smarter than me. And he spent three weeks studying this problem. And he came back to me and he said, in a very disappointed way, the problem is not you. The problem is actually the Internet. And what he meant by that was that apparently Internet search, AI search, all of these tools that we use, they're all looking for structured data. And everybody is naturally structuring their data based on what they currently do, not what they used to do, which makes a lot of sense. But he explained to me, if you're getting referral requests based on what people used to do in the government, then for this piece of the population, there's something missing out there.
So we spent the last year trying to solve this problem and to build the first directory for former government and military professionals, which makes these people easy to find and be found.
Dave Bittner
Well, help me understand why this is a necessity here. I mean, when you're out looking for folks that you want to network with or connect, you know, person A with person B, why is their former connection to the government an important factor?
Brian Levine
Yeah, so the way I think about it is if you have an important problem, a significant problem, or a significant opportunity with the government, and this could be anywhere in the government, it could be federal, state, local, tribal, foreign or military. And all of those people are welcome to join the site. If you have an important problem or an important opportunity, you ideally want to work with the person who's closest to the office that's going to be making that decision as possible, who's going to be thinking about this issue as possible. So if you can find an employee or you can find representation, or in your case, if you want somebody for the media who you want to interview about what's going on in a particular office, you just want someone who has the most direct knowledge as possible because they're going to be the most helpful and the most insightful. So that's really what we're trying to do here. And based on the amount of referral requests I was getting, I think a lot of people who deal with the government already know this to be the case. But part of what we're doing is also helping to get the word out to other people, to educate other people, that this is a key advantage to have someone with this kind of experience, knowledge, insight and expertise on your team.
Dave Bittner
So explain to me what this is not. I mean, I've been looking at the beta site and it strikes me that this is not a jobs board. You know, there's plenty of those out there where people like either there are jobs boards for people with clearances. There are jobs, you know, all sorts of jobs boards. That doesn't seem to be the primary focus of this. Am I right there?
Brian Levine
Yes. We are trying to make this very simple. We're trying to make this a directory, a place to find and be found. We want it to be passive for the member, and the member is the former government or military employee, and we want it to be passive in part because the job boards aren't working. I talk to so many people who tell me they've applied to 100 jobs a day, or they've applied to thousands and thousands of jobs, or they've made a thousand posts on this social network or that social network. It's way too much work and it's having very little return on investment. So our idea here is we just put everybody available on one directory. We give them the tools to explain exactly what they did and exactly what insights and experience and information they had, in a way that's very well structured and very easily searchable. And then we market very heavily and advertise very heavily to the searcher audience: the in-house counsel, the recruiters, the people who place board members on boards of directors, the media, the conference organizers. And we get them to come to this site, we make sure they know about it, and they come for free and they just search for and find their former government needle in a haystack.
Dave Bittner
It's a really interesting proposition. And as you say, I mean, I guess most of these government folks who have left the government, you know, they're doing other things now, which kind of makes finding them a little bit of a needle in a haystack.
Brian Levine
Yeah, well, and the other problem is that when you're in government, you have to keep your visibility low. Almost every agency requires that if you can use social media at all, there's limitations on what you can post. And because you've been in government, you have no book of business, you're not super well networked, and you probably don't even know so much about doing business development unless you had previous experience in the private sector. And so first of all, when you leave government, you're not necessarily in the best position to network and generate business because your profile was low. And to your point, you're in a different job and your focus becomes on doing that job. And it's most easy to find you on that employer's website or if you're looking for that. But for these people, it's their prior experience that really distinguishes them.
Dave Bittner
Yeah. They say timing is everything. And it seems to me like the chaos that's happening in Washington D.C. right now with so many government people, I don't want to be flippant about it, but there's so many who are becoming former government people as we speak. This seems to me to be a valuable resource for them potentially.
Brian Levine
Yes. So again, we had no premonition. People asked me what kind of crystal ball we had that we knew this was coming. We did not. We had no idea that this was coming. And frankly, these are all my former colleagues and friends and peers, so I would prefer that we had not had this timing. But I am glad if this tool that I was sort of building with a different idea in mind can be helpful now to so many more people.
Dave Bittner
That's Brian Levine from FormerGov.com.

Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High-impact threats slip through and surface in production, costing 10 times more to fix. OX Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the Application Security Benchmark from OX Security.

And finally, the UK's National Cyber Security Centre has gone full influencer to sell the masses on two-factor authentication. Because nothing says cyber resilience like Instagram skits and TikTok laughs. As part of the Stop! Think Fraud campaign, comedy creators parody TV hacker cliches, talking firewalls, logic bombs and copying the blockchain, only to be foiled by that pesky second verification step. "What now?" one faux hacker sighs. "Well, that's the end of the film, really." Another concedes it's Mission Impossible with less hacking and more humble pie. Meanwhile, personal finance influencer Millennial Money UK keeps it serious, reminding us that weak passwords and no 2FA equal big trouble. The NCSC, known for blogs and boring but useful tips, hopes these social media antics will get more folks locking down their logins. No word yet on what they paid the influencers, but presumably it's not in cryptocurrency.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now, a brief message from our sponsor, Dropzone AI. Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours or even days? The latest SANS SOC Survey report reveals alert fatigue and limited automation are SOC teams' greatest barriers. Dropzone AI, recognized by Gartner as a Cool Vendor, directly addresses these challenges through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching context, and enabling analysts to prioritize real incidents faster. Take control of your alerts and investigations with Dropzone AI.
CyberWire Daily Podcast Summary
Episode Title: No Click, All Tricks
Release Date: March 26, 2025
Host: Dave Bittner | Produced by N2K Networks
On March 26, 2025, the CyberWire Daily episode titled "No Click, All Tricks" delved into a range of pressing cybersecurity issues, from newly discovered vulnerabilities to sophisticated cyber-espionage campaigns. The episode also featured an insightful interview with Brian Levine, CEO of FormerGov.com, and highlighted the UK National Cyber Security Centre's (NCSC) innovative approach to promoting two-factor authentication (2FA).
A critical zero-day vulnerability has been uncovered affecting all Windows versions from Windows 7 and Server 2008 R2 through to Windows 11 and Server 2025. Researchers at 0patch identified that this flaw enables attackers to steal NTLM authentication credentials without requiring user interaction: "No clicks required," as highlighted by Dave Bittner at [00:02].
Researchers uncovered a covert network, allegedly linked to China, targeting recently laid-off US government employees through deceptive job advertisements. Max Lesser reported that these fake consulting firms, such as River Merge Strategies, disseminate job ads requiring government experience to harvest sensitive information.
ReversingLabs discovered two malicious NPM packages that inject persistent reverse shell backdoors into legitimate local packages. These backdoors remain active even after the removal of the malicious packages, posing a stealthy and dangerous threat to developers.
SentinelOne reported an evolution in the macOS malware loader known as "ReaderUpdate," now existing in five variants compiled using Python, Crystal, Nim, Rust, and Go.
A surge of disruptions affecting DrayTek routers has been reported globally, causing devices to enter persistent reboot loops. This issue, commencing around March 22, is linked to the exploitation of known vulnerabilities in DrayTek firmware.
The European Union's cybersecurity agency, ENISA, released a comprehensive Space Threat Landscape Report highlighting escalating cyber risks in the commercial space sector.
The Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories addressing critical vulnerabilities in products from ABB, Rockwell Automation, and Inaba Denki Sangyo.
U.S. Marshals apprehended Veer Chetal, aka "Wiz," a central figure in a $243 million cryptocurrency heist that unfolded in September 2024.
Timestamp: [11:29] - [20:44]
Dave Bittner engages in a conversation with Brian Levine, who shares his journey and the rationale behind launching FormerGov.com—a specialized networking directory for former government and military professionals.
Background of Brian Levine:
Genesis of FormerGov.com:
Platform Features:
Value Proposition:
Market Need:
Timeliness and Relevance:
The UK's National Cyber Security Centre (NCSC) has adopted an unconventional strategy to bolster cyber resilience by partnering with social media influencers to advocate for two-factor authentication (2FA).
Campaign Approach:
Messaging Highlights:
Strategic Objective:
Impact and Reception:
The "No Click, All Tricks" episode of CyberWire Daily encapsulated a spectrum of critical cybersecurity developments, from emergent threats and vulnerabilities to innovative mitigation strategies and community-driven solutions. The interview with Brian Levine provided a deeper understanding of the challenges faced by former government professionals in the private sector and introduced a promising platform to bridge that gap. Additionally, the NCSC's creative approach to promoting 2FA highlights the evolving tactics necessary to enhance cybersecurity awareness and adoption in an increasingly digital world.
For a comprehensive overview of today’s stories and more, listeners are encouraged to visit the CyberWire Daily Briefing.
Notable Quotes:
Credits:
For further details and to share feedback, visit CyberWire Daily or connect via email at cyberwire@thecyberwire.com.