CyberWire Daily: "Open Source, Open Target" – July 31, 2025

In this episode of CyberWire Daily, host Dave Buettner delves into a series of pressing cybersecurity issues, ranging from sophisticated malware campaigns to innovative incident response tools. The highlight of the episode is an in-depth conversation with Germaine Roebuck and Ann Galschute from the Cybersecurity and Infrastructure Security Agency (CISA) about their newly released open-source eviction strategy tool for cyber incident response.

1. Lazarus Group's Targeted Malware Campaign

Sonatype has uncovered a significant malware campaign orchestrated by North Korea's notorious Lazarus Group targeting open-source ecosystems such as npm and PyPi. From January to July 2025, Sonatype blocked 234 malicious packages masquerading as developer tools. These packages were actually espionage tools designed to steal data, profile systems, and install persistent backdoors, potentially affecting over 36,000 systems. Lazarus, known for high-profile attacks like Sony Pictures and WannaCry, is now shifting its focus from disruption to infiltration. Developers frequently install packages without thorough vetting, making CI/CD pipelines and developer environments prime targets. This campaign underscores that open source has become a critical cyber battleground, emphasizing the necessity of securing the software supply chain.

2. President Trump's New Electronic Health Records System

President Trump announced a new electronic health records (EHR) system aimed at simplifying data sharing among healthcare providers. Backed by tech giants like Google, Apple, Amazon, and OpenAI, the opt-in system is overseen by the Centers for Medicare and Medicaid Services. It features AI tools to assist users in managing symptoms and navigating care, particularly for chronic conditions such as diabetes and obesity. Trump assured the public, stating, “[There] will be no centralized government database” (02:02), yet experts express concerns regarding data protection and unclear privacy standards, especially for third-party apps not covered by HIPAA. Critics also note that similar past initiatives have struggled, highlighting significant regulatory hurdles that the new system must overcome.

3. Chinese State-Sponsored Hackers Collaborating with Tech Companies

A report from Sentinel Labs reveals intricate connections between Chinese state-sponsored hackers and Chinese tech companies developing offensive cyber tools. The group Silk Typhoon, also known as Hafnium, implicated in attacks on U.S. government entities and global IT infrastructures, is linked to firms such as Isoon, Shanghai Firetech, and others. These companies allegedly collaborate with China's Ministry of State Security and regional bureaus like the Shanghai State Security Bureau. Notably, the report suggests that these firms may have contributed to exploiting Microsoft Exchange zero-days in 2021. This collaboration blurs the lines between the private sector and state cyber operations, complicating attribution and showcasing China's expanded cyber capabilities through quasi-corporate fronts.

4. New Prompt Injection Threat Targeting Large Language Models (LLMs)

LayerX researchers have identified a novel prompt injection threat targeting Large Language Models (LLMs) via browser extensions used by 99% of enterprise users. These malicious extensions can silently read, modify, and inject prompts into AI tools like ChatGPT, Gemini, and internal LLMs without requiring special permissions. Dubbed "Man in the Prompt," this exploit leverages how AI prompts are handled in the browser's Document Object Model (DOM). Once compromised, an extension can exfiltrate data, delete its activity, and evade detection. Proof-of-concept attacks on ChatGPT and Gemini demonstrate the malware's ability to leak intellectual property, financial data, and personally identifiable information (PII). To combat this threat, experts recommend shifting to behavior-based browser monitoring and restricting risky extensions in real-time.

5. Palo Alto Networks Unit 42 Introduces a New Attribution Framework

Palo Alto Networks' Unit 42 has proposed a new attribution framework aimed at standardizing the process of attributing cyber threat activities. Traditional attribution methods relied heavily on individual analysts and lacked consistency. Inspired by the Diamond Model and Admiralty System, the framework employs systematic scoring for source reliability and information credibility. Analysts categorize threats into three clusters: activity clusters, temporary threat groups, and named threat actors. By linking related incidents, even without knowing the actor's identity, these clusters can evolve into temporary groups or fully attributed threat actors over time. The framework emphasizes ongoing reassessment, evidence-based confidence scoring, and rigorous review processes, ultimately aiming to reduce confusion in threat naming and enhance the professionalism of threat intelligence across the industry.

6. Honeywell Patches Critical Vulnerabilities in Experion Process Knowledge System

Honeywell has addressed six vulnerabilities in its Experion Process Knowledge system, widely used in critical infrastructure sectors globally. These vulnerabilities, flagged by CISA, include remote code execution via the controlled data access component and denial of service (DoS) attacks. Additionally, a medium-severity bug could disrupt communication and system behavior. Reported by Russian firm Positive Technologies, these flaws affect isolated industrial systems. Honeywell advises users to apply the latest updates promptly and recommends robust vulnerability management practices to safeguard against potential exploits.

7. Evolution of a Sophisticated Android Banking Trojan

Zimperium's Z Labs has traced the rapid evolution of an advanced Android banking trojan initially disseminated through phishing sites. The malware, which impersonates European banks, now infiltrates devices via bogus websites shared on platforms like Discord. Its capabilities have expanded from basic overlays and keylogging to more sophisticated features such as screen capture, fake lock screens, and real-time data exfiltration. By abusing Android's accessibility services and employing session-based installation, the malware can bypass user suspicion. It effectively steals passwords, one-time passwords (OTPs), crypto wallets, and other critical information. This campaign highlights the increasing threats in mobile malware and underscores the need for stringent app permission scrutiny and robust mobile threat defenses.

8. Scattered Spider Group Goes Dormant Following Arrests

The cybercriminal group Scattered Spider, associated with attacks on British retailers and airlines like Hawaiian and WestJet, has gone quiet following the July 10 arrest of four UK-based suspects. While these individuals are not the only members, their apprehension appears to have spooked the remaining members, leading to a temporary halt in the group's activities, according to Mandiant. Despite no direct link being confirmed to recent attacks, experts warn that similar groups, such as Shiny Hunters, continue to employ comparable social engineering tactics, ensuring that the threat persists even if specific groups go dormant.

Interview: CISA’s Open Source Eviction Strategy Tool for Cyber Incident Response

Guests: Germaine Roebuck, Associate Director for Threat Hunting at CISA
Ann Galschute, Technical Lead at CISA

In a detailed discussion, Roebuck and Galschute introduce CISA's open-source eviction strategy tool designed to enhance cyber incident response. The tool addresses a critical gap in the incident response lifecycle—eradicating adversaries from compromised environments effectively and thoroughly.

Background and Development Roebuck explains, “[The tool] was really designed to address a gap that we've seen throughout the incident response lifecycle” (14:39). Historically, organizations have either reset credentials or taken systems offline, measures that are insufficient against sophisticated threats. The new tool aims to provide a structured approach to completely remove adversaries, preventing revictimization.

Challenges in Evicting Adversaries Ann Galschute highlights the complexities incident responders face: “Understanding how the attacker works, what they could have done in the environment… to catch everything and not leaving enough for them to hide” (15:48). Effective eviction requires comprehensive knowledge of the adversary’s actions and ensuring no remnants remain that could allow re-entry.

How the Tool Works The tool utilizes a database called COUNTER (with a '7' instead of a 'T'), developed alongside MITRE’s ATT&CK framework. COUNTER comprises atomic countermeasures derived from analyzing top attacker TTPs (Tactics, Techniques, and Procedures). As Galschute explains, “Counter is a database that CISA developed along with MITRE to basically [provide] those atomic countermeasures… How do we stop them in the network” (18:48). Users input the detected TTPs, and the tool generates a customized remediation plan with ordered steps to effectively evict the adversary.

Target Audience and Application Roebuck emphasizes that the tool is designed for any organization that has experienced a cyberattack, regardless of size. It facilitates collaboration across various departments—system admins, network engineers, and security operations—by providing a clear, actionable plan. Galschute adds, “People should not wait until the emergency to begin doing this… [they can] create scenarios for tabletop exercises” (21:02). This proactive approach ensures organizations are prepared for swift and efficient incident response.

Open Source Advantage By releasing the tool as open source, CISA ensures broad accessibility and adaptability. Galschute states, “I wanted the guidance to be out there for everyone to use” (21:55), allowing organizations with closed or classified environments to implement the tool without concerns over proprietary restrictions. This openness fosters community collaboration, enabling continuous improvement and customization to meet diverse security needs.

CISA’s Mission Alignment Roebuck ties the tool’s significance to CISA’s broader mission: enhancing national cybersecurity resilience. “[This tool] highlights that [the] containment and eradication side of the response effort” (23:14) is equally important as detection. By providing structured eviction strategies, CISA empowers organizations to mitigate threats effectively and prevent future compromises.

Final Thoughts Galschute expresses personal satisfaction with the tool’s development: “Being able to do something about it is really important” (25:03). The open-source eviction strategy tool represents a significant advancement in cyber incident response, equipping organizations with the necessary tools to thoroughly remove adversaries and enhance their overall security posture.

9. Legal Action Against Hackers Fixing Polish Trains

In a unique twist, Polish train manufacturer Newag has filed lawsuits worth over $3 million against both a repair shop and ethical hackers from the group Dragon Sector. The legal action stems from these hackers removing anti-repair booby traps to fix trains, actions that led to Newag locking up three more trains and briefly refusing to unlock them. Newag alleges that the hackers implanted malicious code, manipulated the software to disable trains, and caused disruptions at train stations. The lawsuits are perceived as an attempt to suppress the right to repair within Poland's $40 million train repair market, raising questions about the balance between security measures and repair freedoms.

As cybersecurity threats continue to evolve, this episode of CyberWire Daily highlights the critical importance of robust security practices, innovative response tools, and the intricate interplay between state-sponsored activities and private sector vulnerabilities. The featured interview with CISA experts provides valuable insights into enhancing incident response strategies, emphasizing the need for comprehensive and proactive measures in the face of sophisticated cyber adversaries.