Summary

Podcast Summary: CyberWire Daily – "Open-source, Open Season"

Episode Information:

Title: Open-source, Open Season
Release Date: June 25, 2025
Host: Dave Bittner, CyberWire Network, Powered by N2K Networks

1. Overview

In the June 25, 2025 episode of CyberWire Daily, host Dave Bittner delivers an in-depth analysis of recent cybersecurity threats, vulnerabilities, and industry developments. The episode covers a broad spectrum of topics, including cybercriminal activities targeting African financial institutions, exploitation of legitimate software for malicious purposes, emerging security vulnerabilities in everyday devices, and significant industry reports highlighting trends in cyber insurance and identity fraud. Additionally, the episode features an interview with Tim Starks from Cyberscoop, discussing regulatory changes and proposals for federal cyber insurance backstops.

2. Key Cyber Threats and Incidents

a. Cyberattacks Targeting African Financial Institutions

Timestamp: [02:33]
Details: Research from Palo Alto Networks Unit 42 uncovers that cybercriminals, identified as CLCRI 1014, are systematically targeting financial institutions across Africa. These actors utilize open-source tools such as Posh C2, Chisel, and Classroom Spy, originally designed for penetration testing and remote administration, repurposing them to facilitate lateral movement, maintain persistence, and exfiltrate sensitive data.
Quote: "The attackers disguise these tools using forged signatures and names resembling legitimate software." – Dave Bittner [02:33]

b. Abuse of ConnectWise Remote Access Software

Timestamp: [05:00]
Details: Threat actors are exploiting ConnectWise’s remote access software through a technique known as Authenticode Stuffing. By injecting malicious code into the software's certificate table without disrupting its digital signature, attackers create seemingly legitimate applications that bypass security checks. This method is employed in the campaign dubbed "Evil Conwe," where modified ConnectWise clients masquerade as utilities like AI image converters, thereby stealing user credentials.
Quote: "The attackers altered two files in the installer to bypass certificate validation and enable data exfiltration." – Dave Bittner [05:00]

c. Fake SonicWall’s NetXtender VPN App Campaign

Timestamp: [08:15]
Details: SonicWall and Microsoft have identified a widespread campaign involving fake versions of SonicWall’s NetXtender VPN application. These counterfeit installers, signed with fraudulent certificates and distributed via spoofed download sites, capture VPN credentials, usernames, and passwords, sending them to remote servers. The malware’s stealth tactics include bypassing certificate validations and hiding installation indicators.
Quote: "Users are advised to download software only from trusted sources like official vendor websites to avoid falling victim to similar credential-stealing campaigns." – Dave Bittner [08:15]

d. CISA and NSA’s Guide on Memory Safe Languages

Timestamp: [10:00]
Details: The Cybersecurity and Infrastructure Security Agency (CISA) alongside the National Security Agency (NSA) have released a comprehensive guide advocating for the adoption of memory safe languages (MSLs) such as Rust, Java, Go, and Python. These languages incorporate built-in protections like bounds checking and automated memory management, significantly reducing vulnerabilities like buffer overflows and use-after-free errors, which constitute up to 75% of Common Vulnerabilities and Exposures (CVEs) in major platforms.
Quote: "The guide recommends starting with memory safe languages in new projects and high-risk components rather than rewriting all existing code." – Dave Bittner [10:00]

e. Security Vulnerabilities in Printing Devices

Timestamp: [12:45]
Details: Rapid7 researchers have identified eight critical security vulnerabilities affecting nearly 700 models of Brother printers, scanners, and label makers, as well as devices from Fujifilm, Ricoh, Konica, Minolta, and Toshiba. The most severe flaw allows attackers to bypass authentication by generating default admin passwords based on device serial numbers, facilitating unauthorized access and potential denial of service attacks. While Brother has patched most vulnerabilities, one flaw in existing firmware remains unaddressed, with workarounds provided.
Quote: "Six of the vulnerabilities can be exploited without authentication and could lead to denial of service attacks, unauthorized configuration changes, or data exposure." – Dave Bittner [12:45]

f. AI-themed Malware Distribution via Fake Websites

Timestamp: [14:50]
Details: Zscaler Threat Labs has uncovered a malware distribution campaign exploiting the surge in interest around AI tools like ChatGPT and Luma AI. Attackers employ black hat SEO strategies to position malicious websites at the top of search engine results. These sites deploy JavaScript to collect browser data, perform fingerprinting, and redirect users through multiple layers to deliver malware payloads such as Vidar Stealer, LumaStealer, and Legion Loader. The malware often resides within deceptive installer files, evading detection through antivirus checks and process hollowing techniques.
Quote: "These payloads are often hidden in large, deceptive installer files and use tricks like antivirus checks, DLL sideloading, and process hollowing to evade detection." – Dave Bittner [14:50]

g. Surge in Signup Fraud Driven by Bots

Timestamp: [17:30]
Details: According to Okta’s 2025 Customer Identity Trends report, bots accounted for 46% of customer registration attempts in 2024, indicating a significant rise in signup fraud. Attackers leverage AI-driven workflows to exploit signup processes for purposes such as claiming rewards, locating existing accounts, and executing resource-draining attacks. The retail and e-commerce sectors are particularly affected, followed by financial services and utilities.
Quote: "Retail and e-commerce sectors were most affected, followed by financial services and utilities." – Dave Bittner [17:30]

h. Launch of the Common Good Cyber Fund

Timestamp: [19:10]
Details: A new initiative, the Common Good Cyber Fund, has been established to support nonprofits delivering essential cybersecurity services for public benefit. Backed by the UK and Canadian governments and endorsed by all G7 leaders, the fund aims to enhance the resilience and sustainability of civil society organizations combating threats like transnational repression. Led by Common Good Cyber, a coalition including the Global Cyber Alliance and CyberPeace Institute, the fund will provide tools, training, and rapid response services to protect vulnerable communities.
Quote: "The Fund will assist organizations that secure core digital infrastructure and provide cybersecurity aid to high-risk communities." – Dave Bittner [19:10]

3. Interview with Tim Starks (Cyberscoop)

In the latter half of the episode, Dave Bittner interviews Tim Starks, a senior reporter at Cyberscoop, delving into recent regulatory changes and proposals impacting the cybersecurity landscape.

a. SEC Withdraws Cyber Regulations for Investment Companies

Timestamp: [14:30]
Discussion:
- Context: The Securities and Exchange Commission (SEC) has retracted certain cybersecurity regulations previously imposed on investment advisors and companies.
- Details: These regulations required entities to notify the SEC of major cyber incidents within specified timeframes, publicly disclose such incidents after a set period, and develop written cybersecurity procedures and risk assessments.
- Reasoning: The withdrawal is part of a broader rollback of regulations instituted during the Biden administration, aligning with former President Trump's agenda to reduce regulatory burdens.
- Quote: "Investment advisors... were required to notify of major incidents within a certain time to the SEC, to publicly disclose them after a certain period of time..." – Tim Starks [14:30]
Insights:
- The rollback was facilitated by the fact that these rules had not yet been fully implemented.
- Speculation exists that internal doubts about the efficacy and construction of these regulations influenced the SEC's decision to revoke them before they could become more entrenched.

b. Proposal for a Federal Cyber Insurance Backstop

Timestamp: [15:30]
Discussion:
- Context: The Defense of Democracies foundation, through Nick Thee, has proposed a federal backstop for cyber insurance, intending to stabilize and enhance the cyber insurance market.
- Details:
  - The proposal suggests linking the federal backstop to the expiring Terrorism Risk Insurance Act (TRIA) set for renewal in 2027.
  - Aimed at mitigating "tail risks" associated with catastrophic cyber events, the backstop could encourage competition, lower premiums, and expand coverage options in the cyber insurance sector.
  - The initiative includes recommendations for capping total liability and improving data sharing between third parties and insurers.
- Challenges:
  - The cyber insurance market is currently stagnant, with numerous policy exclusions, particularly concerning acts of war by foreign governments.
  - Implementing such a backstop is theoretical, with uncertainties about its practical effectiveness and the mechanisms for data sharing and risk assessment.
  - The timing is critical, given the legislative calendar and upcoming elections in 2026.
- Quote: "The idea is to attach it to the Terrorism Risk Insurance Act, which is expiring in 2027... this is an opportunity." – Tim Starks [16:45]
Insights:
- Comparing cyber insurance to flood insurance raises concerns about the sustainability and efficacy of private cyber insurance markets without federal intervention.
- There's an ongoing debate about whether cyber insurance contributes to the rise in ransomware attacks by providing assurance of payout to victims, potentially making them more attractive targets.

c. Additional Considerations and Implications

Timestamp: [20:06]
Discussion:
- The proposal includes mechanisms for handling multi-factor authentication effectiveness and incentivizing data sharing to better assess and mitigate cyber risks.
- The potential impact on ransomware demands if a federal backstop establishes a baseline coverage amount, possibly influencing attackers' strategies regarding ransom expectations.
- The necessity for comprehensive legislation and bipartisan support to advance the proposal within the constrained legislative timeframe.
- Quote: "There might have been some internal doubt about whether these were wise or whether they were wisely constructed." – Tim Starks [15:19]
Insights:
- The lack of detailed data on cyberattack prevention measures hampers the ability to create effective insurance frameworks.
- The proposal seeks to create a more dynamic and resilient cyber insurance market, but its success hinges on legislative action and industry cooperation.

Conclusion of the Interview:

Timestamp: [23:22]
Summary: Tim Starks emphasizes the necessity for timely action to implement the federal cyber insurance backstop and the complexities involved in reshaping the cyber insurance landscape. The discussion concludes with mutual appreciation for the insights shared.
Quote: "It's a good thing we have folks like you to help us understand them." – Dave Bittner [22:23]

4. Notable Conclusions and Insights

Evolving Threat Landscape: The episode highlights the adaptive tactics of cybercriminals, leveraging legitimate tools and exploiting software trust mechanisms to perpetrate sophisticated attacks across various sectors, including finance and technology.
Regulatory Shifts: The SEC’s withdrawal of cybersecurity regulations underscores the fluctuating regulatory environment, influenced by political agendas and industry pressures. This volatility poses challenges for organizations striving to maintain robust cybersecurity postures.
Cyber Insurance Dynamics: The stagnant cyber insurance market, burdened by exclusions and growing risks, may benefit from federal intervention. However, the proposal for a federal backstop introduces uncertainties regarding implementation and market impacts, particularly concerning ransomware incentives.
Vulnerability Proliferation: The discovery of numerous vulnerabilities in widespread devices like printers and the rise of malware through AI-themed websites emphasize the pervasiveness of cyber threats and the critical need for proactive security measures.
Support for Nonprofits: The establishment of the Common Good Cyber Fund signifies a collaborative effort to bolster cybersecurity defenses within civil society, highlighting the importance of supporting organizations that protect vulnerable communities from cyber threats.
International Cyber Operations: The episode concludes with a reflection on international cybercrime dynamics, illustrated by the case of Russian court sentencing and the subsequent outsourcing of cyber operations, pointing to the complex interplay between state actions and cybercriminal activities.

5. Final Thoughts

The June 25, 2025 episode of CyberWire Daily offers a comprehensive overview of the current cybersecurity landscape, marked by innovative attacks, regulatory changes, and evolving defense strategies. Through detailed analysis and expert interviews, the podcast provides valuable insights for industry leaders, cybersecurity professionals, and organizations seeking to navigate the complexities of digital security in an increasingly interconnected world.

For more detailed information and access to daily briefings, listeners are encouraged to visit thecyberwire.com and participate in their annual audience survey to contribute to future content development.

Summary

Podcast Summary: CyberWire Daily – "Open-source, Open Season"

Episode Information:

Title: Open-source, Open Season
Release Date: June 25, 2025
Host: Dave Bittner, CyberWire Network, Powered by N2K Networks

1. Overview

2. Key Cyber Threats and Incidents

a. Cyberattacks Targeting African Financial Institutions

Timestamp: [02:33]
Details: Research from Palo Alto Networks Unit 42 uncovers that cybercriminals, identified as CLCRI 1014, are systematically targeting financial institutions across Africa. These actors utilize open-source tools such as Posh C2, Chisel, and Classroom Spy, originally designed for penetration testing and remote administration, repurposing them to facilitate lateral movement, maintain persistence, and exfiltrate sensitive data.
Quote: "The attackers disguise these tools using forged signatures and names resembling legitimate software." – Dave Bittner [02:33]

b. Abuse of ConnectWise Remote Access Software

Timestamp: [05:00]
Details: Threat actors are exploiting ConnectWise’s remote access software through a technique known as Authenticode Stuffing. By injecting malicious code into the software's certificate table without disrupting its digital signature, attackers create seemingly legitimate applications that bypass security checks. This method is employed in the campaign dubbed "Evil Conwe," where modified ConnectWise clients masquerade as utilities like AI image converters, thereby stealing user credentials.
Quote: "The attackers altered two files in the installer to bypass certificate validation and enable data exfiltration." – Dave Bittner [05:00]

c. Fake SonicWall’s NetXtender VPN App Campaign

Timestamp: [08:15]
Details: SonicWall and Microsoft have identified a widespread campaign involving fake versions of SonicWall’s NetXtender VPN application. These counterfeit installers, signed with fraudulent certificates and distributed via spoofed download sites, capture VPN credentials, usernames, and passwords, sending them to remote servers. The malware’s stealth tactics include bypassing certificate validations and hiding installation indicators.
Quote: "Users are advised to download software only from trusted sources like official vendor websites to avoid falling victim to similar credential-stealing campaigns." – Dave Bittner [08:15]

d. CISA and NSA’s Guide on Memory Safe Languages

Timestamp: [10:00]
Details: The Cybersecurity and Infrastructure Security Agency (CISA) alongside the National Security Agency (NSA) have released a comprehensive guide advocating for the adoption of memory safe languages (MSLs) such as Rust, Java, Go, and Python. These languages incorporate built-in protections like bounds checking and automated memory management, significantly reducing vulnerabilities like buffer overflows and use-after-free errors, which constitute up to 75% of Common Vulnerabilities and Exposures (CVEs) in major platforms.
Quote: "The guide recommends starting with memory safe languages in new projects and high-risk components rather than rewriting all existing code." – Dave Bittner [10:00]

e. Security Vulnerabilities in Printing Devices

Timestamp: [12:45]
Details: Rapid7 researchers have identified eight critical security vulnerabilities affecting nearly 700 models of Brother printers, scanners, and label makers, as well as devices from Fujifilm, Ricoh, Konica, Minolta, and Toshiba. The most severe flaw allows attackers to bypass authentication by generating default admin passwords based on device serial numbers, facilitating unauthorized access and potential denial of service attacks. While Brother has patched most vulnerabilities, one flaw in existing firmware remains unaddressed, with workarounds provided.
Quote: "Six of the vulnerabilities can be exploited without authentication and could lead to denial of service attacks, unauthorized configuration changes, or data exposure." – Dave Bittner [12:45]

f. AI-themed Malware Distribution via Fake Websites

Timestamp: [14:50]
Details: Zscaler Threat Labs has uncovered a malware distribution campaign exploiting the surge in interest around AI tools like ChatGPT and Luma AI. Attackers employ black hat SEO strategies to position malicious websites at the top of search engine results. These sites deploy JavaScript to collect browser data, perform fingerprinting, and redirect users through multiple layers to deliver malware payloads such as Vidar Stealer, LumaStealer, and Legion Loader. The malware often resides within deceptive installer files, evading detection through antivirus checks and process hollowing techniques.
Quote: "These payloads are often hidden in large, deceptive installer files and use tricks like antivirus checks, DLL sideloading, and process hollowing to evade detection." – Dave Bittner [14:50]

g. Surge in Signup Fraud Driven by Bots

Timestamp: [17:30]
Details: According to Okta’s 2025 Customer Identity Trends report, bots accounted for 46% of customer registration attempts in 2024, indicating a significant rise in signup fraud. Attackers leverage AI-driven workflows to exploit signup processes for purposes such as claiming rewards, locating existing accounts, and executing resource-draining attacks. The retail and e-commerce sectors are particularly affected, followed by financial services and utilities.
Quote: "Retail and e-commerce sectors were most affected, followed by financial services and utilities." – Dave Bittner [17:30]

h. Launch of the Common Good Cyber Fund

Timestamp: [19:10]
Details: A new initiative, the Common Good Cyber Fund, has been established to support nonprofits delivering essential cybersecurity services for public benefit. Backed by the UK and Canadian governments and endorsed by all G7 leaders, the fund aims to enhance the resilience and sustainability of civil society organizations combating threats like transnational repression. Led by Common Good Cyber, a coalition including the Global Cyber Alliance and CyberPeace Institute, the fund will provide tools, training, and rapid response services to protect vulnerable communities.
Quote: "The Fund will assist organizations that secure core digital infrastructure and provide cybersecurity aid to high-risk communities." – Dave Bittner [19:10]

3. Interview with Tim Starks (Cyberscoop)

In the latter half of the episode, Dave Bittner interviews Tim Starks, a senior reporter at Cyberscoop, delving into recent regulatory changes and proposals impacting the cybersecurity landscape.

a. SEC Withdraws Cyber Regulations for Investment Companies

Timestamp: [14:30]
Discussion:
- Context: The Securities and Exchange Commission (SEC) has retracted certain cybersecurity regulations previously imposed on investment advisors and companies.
- Details: These regulations required entities to notify the SEC of major cyber incidents within specified timeframes, publicly disclose such incidents after a set period, and develop written cybersecurity procedures and risk assessments.
- Reasoning: The withdrawal is part of a broader rollback of regulations instituted during the Biden administration, aligning with former President Trump's agenda to reduce regulatory burdens.
- Quote: "Investment advisors... were required to notify of major incidents within a certain time to the SEC, to publicly disclose them after a certain period of time..." – Tim Starks [14:30]
Insights:
- The rollback was facilitated by the fact that these rules had not yet been fully implemented.
- Speculation exists that internal doubts about the efficacy and construction of these regulations influenced the SEC's decision to revoke them before they could become more entrenched.

b. Proposal for a Federal Cyber Insurance Backstop

Timestamp: [15:30]
Discussion:
- Context: The Defense of Democracies foundation, through Nick Thee, has proposed a federal backstop for cyber insurance, intending to stabilize and enhance the cyber insurance market.
- Details:
  - The proposal suggests linking the federal backstop to the expiring Terrorism Risk Insurance Act (TRIA) set for renewal in 2027.
  - Aimed at mitigating "tail risks" associated with catastrophic cyber events, the backstop could encourage competition, lower premiums, and expand coverage options in the cyber insurance sector.
  - The initiative includes recommendations for capping total liability and improving data sharing between third parties and insurers.
- Challenges:
  - The cyber insurance market is currently stagnant, with numerous policy exclusions, particularly concerning acts of war by foreign governments.
  - Implementing such a backstop is theoretical, with uncertainties about its practical effectiveness and the mechanisms for data sharing and risk assessment.
  - The timing is critical, given the legislative calendar and upcoming elections in 2026.
- Quote: "The idea is to attach it to the Terrorism Risk Insurance Act, which is expiring in 2027... this is an opportunity." – Tim Starks [16:45]
Insights:
- Comparing cyber insurance to flood insurance raises concerns about the sustainability and efficacy of private cyber insurance markets without federal intervention.
- There's an ongoing debate about whether cyber insurance contributes to the rise in ransomware attacks by providing assurance of payout to victims, potentially making them more attractive targets.

c. Additional Considerations and Implications

Timestamp: [20:06]
Discussion:
- The proposal includes mechanisms for handling multi-factor authentication effectiveness and incentivizing data sharing to better assess and mitigate cyber risks.
- The potential impact on ransomware demands if a federal backstop establishes a baseline coverage amount, possibly influencing attackers' strategies regarding ransom expectations.
- The necessity for comprehensive legislation and bipartisan support to advance the proposal within the constrained legislative timeframe.
- Quote: "There might have been some internal doubt about whether these were wise or whether they were wisely constructed." – Tim Starks [15:19]
Insights:
- The lack of detailed data on cyberattack prevention measures hampers the ability to create effective insurance frameworks.
- The proposal seeks to create a more dynamic and resilient cyber insurance market, but its success hinges on legislative action and industry cooperation.

Conclusion of the Interview:

Timestamp: [23:22]
Summary: Tim Starks emphasizes the necessity for timely action to implement the federal cyber insurance backstop and the complexities involved in reshaping the cyber insurance landscape. The discussion concludes with mutual appreciation for the insights shared.
Quote: "It's a good thing we have folks like you to help us understand them." – Dave Bittner [22:23]

4. Notable Conclusions and Insights

Evolving Threat Landscape: The episode highlights the adaptive tactics of cybercriminals, leveraging legitimate tools and exploiting software trust mechanisms to perpetrate sophisticated attacks across various sectors, including finance and technology.
Regulatory Shifts: The SEC’s withdrawal of cybersecurity regulations underscores the fluctuating regulatory environment, influenced by political agendas and industry pressures. This volatility poses challenges for organizations striving to maintain robust cybersecurity postures.
Cyber Insurance Dynamics: The stagnant cyber insurance market, burdened by exclusions and growing risks, may benefit from federal intervention. However, the proposal for a federal backstop introduces uncertainties regarding implementation and market impacts, particularly concerning ransomware incentives.
Vulnerability Proliferation: The discovery of numerous vulnerabilities in widespread devices like printers and the rise of malware through AI-themed websites emphasize the pervasiveness of cyber threats and the critical need for proactive security measures.
Support for Nonprofits: The establishment of the Common Good Cyber Fund signifies a collaborative effort to bolster cybersecurity defenses within civil society, highlighting the importance of supporting organizations that protect vulnerable communities from cyber threats.
International Cyber Operations: The episode concludes with a reflection on international cybercrime dynamics, illustrated by the case of Russian court sentencing and the subsequent outsourcing of cyber operations, pointing to the complex interplay between state actions and cybercriminal activities.

wavePod

Open-source, open season.

Powered by Wave AI

Summary

1. Overview

2. Key Cyber Threats and Incidents

a. Cyberattacks Targeting African Financial Institutions

b. Abuse of ConnectWise Remote Access Software

c. Fake SonicWall’s NetXtender VPN App Campaign

d. CISA and NSA’s Guide on Memory Safe Languages

e. Security Vulnerabilities in Printing Devices

f. AI-themed Malware Distribution via Fake Websites

g. Surge in Signup Fraud Driven by Bots

h. Launch of the Common Good Cyber Fund

3. Interview with Tim Starks (Cyberscoop)

a. SEC Withdraws Cyber Regulations for Investment Companies

b. Proposal for a Federal Cyber Insurance Backstop

c. Additional Considerations and Implications

4. Notable Conclusions and Insights

5. Final Thoughts

Summary

1. Overview

2. Key Cyber Threats and Incidents

a. Cyberattacks Targeting African Financial Institutions

b. Abuse of ConnectWise Remote Access Software

c. Fake SonicWall’s NetXtender VPN App Campaign

d. CISA and NSA’s Guide on Memory Safe Languages

e. Security Vulnerabilities in Printing Devices

f. AI-themed Malware Distribution via Fake Websites

g. Surge in Signup Fraud Driven by Bots

h. Launch of the Common Good Cyber Fund

3. Interview with Tim Starks (Cyberscoop)

a. SEC Withdraws Cyber Regulations for Investment Companies

b. Proposal for a Federal Cyber Insurance Backstop

c. Additional Considerations and Implications

4. Notable Conclusions and Insights

5. Final Thoughts