Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K. If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff or patience for complex setups. That's where NordLayer comes in. NordLayer is a toggle-ready network security platform built for businesses. It brings VPN, access control and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero trust principles, so only the right people can get access to the right resources. It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security made manageable. Try NordLayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code CYBERWIRE10. Visit nordlayer.com cyberwire daily to learn more. Google dismantles a huge residential proxy network. Did the FBI take down the notorious RAMP cybercrime forum? A long-running North Korea-backed cyber operation has splintered into three specialized threat groups. U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks ahead of the 2024 elections. Phishing campaigns target journalists using the Signal app. SolarWinds patches vulnerabilities in its Web Help Desk product. Amazon found CSAM in its AI training data. Initial access brokers switch up their preferred bot. China executes scam center kingpins. Our guest is Tom Pace, CEO of NetRise, explaining how open source vulnerabilities can be open doors for nation states. And an unsecured webcam peers into Pyongyang. It's Thursday, January 29th, 2026.
I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. Great as always to have you with us. Google and its partners have launched a coordinated operation to dismantle IPIDEA, a residential proxy network security experts describe as one of the largest of its kind. The service routes Internet traffic through millions of everyday consumer devices worldwide, allowing attackers to blend malicious activity into normal user traffic. According to analysts at Google Cloud, this infrastructure has been widely abused by criminal and nation state groups to support cyber attacks, espionage and data theft. IPIDEA operates by embedding hidden software development kits into legitimate-looking apps such as games and utilities. Once installed, these SDKs quietly turn user devices into proxy exit nodes without clear consent. Google reports that in a single seven-day period in January of this year, more than 550 tracked threat groups relied on IPIDEA nodes for activities including business system access and password spraying. Enforcement actions supported by partners like Cloudflare disrupted core infrastructure and removed millions of infected devices, though experts warned similar networks continue to grow. The notorious RAMP cybercrime forum, widely used by ransomware groups and initial access brokers, appears to have been seized by the Federal Bureau of Investigation after its websites were replaced with an FBI seizure notice. The U.S. Department of Justice has not confirmed the action publicly, prompting some skepticism given past exit scams in the cybercrime ecosystem. DNS records reportedly showed RAMP redirecting to an FBI-controlled domain, though the notice lacks the international partner logos typically seen in coordinated takedowns.
RAMP served Russian-, Chinese- and English-speaking criminals and was previously administered by Mikhail Matveev before control reportedly passed to a hacker known as Stallman, who now claims law enforcement has taken over the forum. Former U.S. intelligence official Laura Galante said such disruptions are intended to fragment cybercrime markets, making them less stable and harder for dominant groups to emerge. CrowdStrike reports that a long-running North Korea-backed cyber operation has splintered into three specialized threat groups, reflecting a more mature and bureaucratic structure. The original group, dubbed Labyrinth Chollima, now focuses primarily on espionage, targeting manufacturing, logistics, defense and aerospace organizations in Europe and the United States. Two offshoots, Golden Chollima and Pressure Chollima, concentrate on cryptocurrency theft to generate revenue for the regime. According to CrowdStrike, Pressure Chollima carried out last year's record $1.46 billion crypto theft and is among North Korea's most technically advanced actors. The groups share infrastructure and lineage with the broader Lazarus Group, indicating centralized coordination. CrowdStrike says the continued diversification allows Pyongyang to expand cyber operations while funding them under the pressure of international sanctions. CNN reports that weeks before the 2024 election, U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks targeting American voters. According to sources briefed on the effort, hackers from U.S. Cyber Command interfered with servers and personnel linked to Russian firms spreading fabricated news aimed at swing states, particularly attacking politicians supportive of Ukraine. One source said the operation slowed but did not stop the activity. The action was part of a broader multi-agency push involving the FBI and the Department of Homeland Security to blunt foreign election interference.
However, under President Donald Trump's second administration, many election security and counter-influence programs have since been cut or dismantled. Current and former officials warn those reductions have weakened the federal response just as Russia, China and Iran continue to refine influence operations, raising concerns ahead of the 2026 midterms. Journalists and civil society figures in Germany and elsewhere in Europe are being targeted by a sustained phishing campaign abusing the Signal messaging app. According to reporting by netzpolitik.org, the attacks impersonate Signal support, warning recipients of suspicious activity and urging them to share a verification code. Security experts say the campaign appears highly targeted, focused on journalists, lawyers, politicians and activists, and may be spreading through stolen address book data. According to Amnesty International, the campaign is active, although it remains unclear how many victims were compromised. If users share both the verification code and their Signal PIN, attackers can take over accounts, lock out legitimate users and access contacts and group memberships, potentially exposing sources and networks. Signal says the attacks do not exploit flaws in its software and stresses it never contacts users via in-app chats, urging users to enable Registration Lock and never share codes or PINs. Signal Foundation President Meredith Whittaker warned that artificial intelligence agents embedded in operating systems are undermining the real-world protections of end-to-end encryption. Speaking to Bloomberg at the World Economic Forum in Davos, Whittaker said encryption remains mathematically sound, but AI assistants often require broad system access that exposes decrypted messages. She cited research showing misconfigured AI agent tools linked to Signal accounts allowing plaintext message access, and argued that encryption cannot compensate for near root-level access by AI systems.
SolarWinds has released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws with CVSS scores of 9.8. The most severe is an unauthenticated deserialization bug that could enable remote code execution, according to researchers at Horizon3.ai. Three additional critical issues include another deserialization flaw and two authentication bypass bugs. Two high-severity issues involve security control bypass and hard-coded credentials. All flaws are fixed in the latest version of Web Help Desk, and SolarWinds urges organizations to update promptly. Amazon reported hundreds of thousands of suspected child sexual abuse material, or CSAM, discoveries last year while scanning data used to train its artificial intelligence models, according to reporting by Bloomberg. The material was removed before training, but officials at the National Center for Missing and Exploited Children say Amazon provided little detail about the content's origin, limiting law enforcement's ability to identify perpetrators or protect victims. NCMEC says AI-related CSAM reports surged more than 15-fold in 2025, with Amazon accounting for the vast majority. Amazon says the data came from external sources and was flagged through automated scanning using deliberately over-inclusive thresholds that may produce false positives. Child safety experts warn the findings highlight risks in rapidly assembling large AI training datasets without sufficient safeguards or transparency. Researchers at Proofpoint report that prolific initial access broker TA584 has escalated operations by deploying Tsundere bot alongside the XWorm remote access trojan, activity that could enable follow-on ransomware attacks. Proofpoint has tracked TA584 since 2020 and says its campaign volume tripled in late 2025, expanding beyond North America and the UK into Europe and Australia.
The attack chain relies on phishing emails sent from compromised accounts via services like SendGrid and Amazon SES. Victims are funneled through CAPTCHA and ClickFix pages that prompt them to run PowerShell commands loading malware directly into memory. Tsundere bot, first documented by Kaspersky, supports data theft, lateral movement and payload delivery. Proofpoint assesses with high confidence that these infections could ultimately lead to ransomware deployment. China has executed 11 people linked to cyber scam centers operating in Myanmar, according to state media. The individuals, described as core members of the Ming family criminal gang, were convicted of fraud, running illegal casinos and intentional homicide. Authorities say the syndicate handled more than $1.4 billion in illicit funds and was tied to multiple deaths. The executions come amid broader regional crackdowns on scam operations, which the United Nations Office on Drugs and Crime says are expanding across Southeast Asia and often involve human trafficking. Coming up after the break, Tom Pace from NetRise explains how open source vulnerabilities are opening doors for nation states, and an unsecured webcam peers into Pyongyang. Stay with us. What's your 2 a.m. security worry? Is it, "Do I have the right controls in place?" Maybe, "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep.
Get started at vanta.com/cyber. That's v-a-n-t-a dot com slash cyber. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Tom Pace is a former DOE cyber analyst and now CEO of NetRise. We recently sat down to discuss how open source vulnerabilities are opening doors for nation states and why visibility into who maintains code repositories matters.
