Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
David Weissman
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise Solution that stops ransomware in its tracks. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
Maria Vermazes
Researchers uncover multiple vulnerabilities in a popular open source secrets manager software. Bugs threaten satellite safety. Columbia University confirms a cyber attack. Researchers uncover malicious NPM packages posing as WhatsApp development tools. A new EDR killer tool is being used by multiple ransomware gangs. Home improvement stores integrate AI license plate readers into their parking lots. The US Federal judiciary announces new cybersecurity measures after cyber attacks compromised its case management system. CISA officials reaffirm their commitment to the CVE program.
David Weissman
Our guest is David Weissman from BlackBerry.
Maria Vermazes
Discussing the challenges of secure communications. And AI watermarking breaks under spectral pressure. It's Friday, August 8th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Thanks for joining us here today. Happy Friday. It is great to have you with us. Researchers at Cyata uncovered nine vulnerabilities in HashiCorp Vault, a popular open source secrets manager. These flaws, eight of which are now patched, allowed attackers to bypass authentication, escalate privileges, and even execute remote code. The bugs stem from logic errors in Vault's core components, including authentication, MFA and plugin handling. Some exploits, like case variations in usernames, bypass lockouts or MFA. Others abuse policy normalization to gain root access or trick Vault's trust model using forged certificates. The most severe enables RCE by uploading malicious plugins via the audit log system, a flaw hiding in plain sight for nearly a decade, affecting both open source and enterprise editions. The report highlights the importance of patching, tight configuration, and strong identity enforcement to prevent full infrastructure compromise. Anti satellite missiles may be flashy, but hacking is the new space warfare. While four nations have tested kinetic anti satellite weapons, it turns out knocking a satellite offline could be as simple as exploiting bad code. At this year's Black Hat Conference, researchers from Vision Space Technologies demonstrated just how easy it is to hijack a satellite or its ground station using known software vulnerabilities. To break down what they found and what it means for satellite security and the growing space economy, here's our own Maria Vermazes.
Unknown Host
Our top story comes from the world of space cybersecurity, because right now it is a very special time in Las Vegas for cybersecurity professionals. It's affectionately known as Hacker Summer Camp, a mega week of professional conferences in Las Vegas, including major events like Black Hat and DEF CON, where researchers often share key findings from their work. This year's Black Hat conference included a major finding in the realm of space cybersecurity from researchers at Vision Space Technologies. According to a new piece from The Register, the researchers found a number of vulnerabilities, some rated critical, in a number of software that is heavily used in the space industry, onboard satellites as well as in ground stations, and those include CryptoLib, YAMCS, OpenC3 COSMOS, and NASA's Core Flight System Aquila. During their Black Hat presentation, the Vision Space researchers simulated being able to send an unauthorized command to fire a satellite's thrusters and immediately change its course. Another vulnerability that they found, when exploited using an unauthenticated telecommand, could completely crash a satellite's onboard software, forcing it to reboot and in some cases fully reset. VisionSpace showed that other flaws that they discovered in spaceflight system software allowed for remote code executions, denial of service attacks, credential leakage, cross site scripting attacks, or even granted full code execution permissions. And it is crucial to note here that the researchers responsibly disclosed these vulnerabilities with the software owners and the vulnerabilities have subsequently been remediated prior to the Black Hat presentation. In plain language, there are fixes for all of these problems and we will have links to the full research posts from VisionSpace in the show notes for you, which includes more detail on their research along with the specific CVEs for these vulnerabilities. If that is information that you need.
Maria Vermazes
That's Maria Vermazes, host of the T Minus daily Space podcast. Columbia University has confirmed a cyber attack that exposed personal data of nearly 870,000 individuals. The breach, discovered in late June, affected Social Security numbers, contact details, academic records, financial aid and health insurance information. The hackers accessed systems in mid May and stole data to allegedly support a political agenda opposing affirmative action. While patient data at Columbia's medical center was untouched, the attack disrupted IT systems campus wide. The university is offering two years of free credit monitoring to those impacted. Researchers at Socket have uncovered two malicious npm packages posing as WhatsApp development tools that contain destructive data wiping code. These packages, still live on npm, have been downloaded over 1100 times and mimic legitimate WhatsApp bot libraries. A hidden function fetches a JSON kill switch list from GitHub, sparing specific Indonesian phone numbers. If not on the list, a package executes and recursively deletes local files. Though currently inactive, the code includes a commented out data exfiltration feature. Additional packages by the same publisher could turn malicious with future updates. Meanwhile, Socket also identified 11 malicious Go packages using obfuscated code to run remote payloads in memory. Most are still active, primarily targeting CI servers and Windows machines. Developers are urged to double check dependencies for hidden threats. A new EDR killer tool, seen as the successor to EDRKillShifter, is being used by eight ransomware gangs, including RansomHub, Medusa and Qilin. The tool disables antivirus and security tools on compromised systems, helping attackers move laterally and deploy ransomware undetected. It uses obfuscated code and loads a malicious driver via a bring your own vulnerable driver method.
Sophos researchers believe the tool was developed collaboratively with each gang using a unique build, reflecting a growing trend of shared tooling in ransomware operations. Public records reveal that Lowe's and Home Depot have quietly integrated AI powered Flock license plate readers into their parking lots and shared access to this surveillance data with law enforcement. According to an investigation by 404 Media, the Johnson County, Texas Sheriff's Office has access to 173 Lowe's locations nationwide and multiple Home Depot sites within Texas, as well as gunshot detection tools at some stores. Flock says private businesses choose whom to share data with, but the records suggest extensive law enforcement partnerships. While Home Depot confirmed law enforcement collaborations, neither company addressed specifics. Critics like the EFF warn of risks to customer privacy, especially when surveillance tech can be used without warrants or accountability. The report highlights a growing private businesses feeding real time surveillance data into public law enforcement networks, often without customers' knowledge. The US Federal judiciary has announced new cybersecurity measures after recent sophisticated cyberattacks compromised its case management system. The breach, first reported by Politico, may have exposed confidential court documents and identities of informants in multiple federal courts. The Administrative Office of the US Courts is now working with courts to secure sensitive data and restrict access to sealed filings. While most documents are public by design, some contain protected or classified information, making them prime targets for nation state hackers and cybercriminals. The judiciary had previously pledged to isolate sensitive documents after a 2020 breach. Officials warn that the threat landscape is growing, with adversaries seeking to exploit legal systems for espionage, disruption or extortion.
The judiciary aims to restore trust through tighter digital safeguards. This week at Black Hat, CISA officials reaffirmed their commitment to the CVE program after an April contract dispute raised fears about its future. The CVE system, vital for tracking cybersecurity vulnerabilities, faced a brief funding scare that CISA now says was a contract issue, not a budget problem. Despite calls to shift CVE oversight to a non profit with global governance, CISA plans to continue managing and improving the program. Officials emphasized its foundational role in cybersecurity and pledged enhancements like richer vulnerability data and expanded collaboration with international partners. CISA also discussed broader efforts including AI threat response, cyber hygiene tools and reducing exposed industrial systems online. So far, the agency has contacted 3,000 entities to secure Internet exposed systems, achieving an 80% success rate in reducing risks. Yesterday, CISA issued 10 advisories warning of critical vulnerabilities in various industrial control systems affecting sectors like energy, manufacturing and transportation. The flaws include unauthenticated access, buffer overflows, path traversal and improper certificate validation across platforms from Delta Electronics, Rockwell Automation, Mitsubishi Electric and others. Some vulnerabilities score as high as 9.8 on CVSS. These advisories emphasize the urgency for ICS operators to patch systems and reinforce security. Coming up after the break, my conversation with David Weissman from BlackBerry discussing the challenges of secure communications and AI watermarking breaks under spectral pressure. Stay with us.
David Moulton
New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector we keep you a step ahead. We dig deep into the threats that matter and the strategies that work.
Maria Vermazes
How do they help that customer know that what they just created is safe.
Unknown Guest
The future is now and our expectations are wrong.
David Moulton
Join me David Moulton, Senior Director of thought leadership for Unit 42 at Palo Alto Networks and our guest who live this work every day.
Unknown Host
We're not just talking about some encryption and paying multi million dollar ransom. We're talking about fundamentally being unable to operate automated eradication and containment. So being able to very rapidly ID what's going on in an environment contain that immediately.
Ryan Reynolds
They're hiding in plain sight.
David Moulton
So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your front line for security insights.
David Weissman
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1 and without securing them trust, uptime outages and compliance clients are at risk. CyberArk is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com machines to see how compliance.
Maria Vermazes
Regulations, third party risk and customer security.
David Weissman
Demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo.
Maria Vermazes
That's V A n t a dot.
David Weissman
Com Cyber.
Maria Vermazes
David Weissman is Vice President of Secure Communications at BlackBerry. I recently caught up with him for a discussion about the challenges and misconceptions about secure communications.
Unknown Guest
Where we find ourselves today is the number of risk that people are facing in real life to their communication. Security is higher than ever and the pace of those risk and the sophistication is accelerating. And that's really driven by two things. One, the focused attacks on the telecommunication networks around the world by third parties, including governments, coupled with the rise of AI for generating deep fakes and for targeting when to do identity and spoofing attacks.
Maria Vermazes
Well, let's dig into both of those. I mean, when you talk about the threats to the telecoms themselves, how does that trickle down to the users, the business users, and us as individuals?
Unknown Guest
Yeah. What was found out? Last year in the US there was an attack called Salt Typhoon that was reportedly launched by the Chinese government. And what they did is they embedded malware into all of the U.S. telephone networks. And with that they were able to have real time visibility into who's calling whom, who's messaging whom, and even listening into phone calls and reading text messages. And since then, it turns out those types of attacks are happening around the world. So, you know, at this point you have to assume that, you know, all of the telephone networks are compromised. And as a result, people are saying, I need to start protecting my communications by using things that are end to end encrypted. So we've seen a massive rise in consumer apps such as WhatsApp, such as Signal, these types of applications. And while that does mitigate some of the risk, at least from this particular Salt Typhoon type of attack, it opens up a whole other set of risk, particularly for regulated industries and for governments.
Maria Vermazes
Well, I mean, let's go there. What are some of the risks that people need to be concerned with with some of these secure apps?
Unknown Guest
Yeah, the first risk is around identity and having confidence who you're communicating with. You know, there's been a lot of also in the US press recently around the wrong persons added into a chat group. Right.
Maria Vermazes
Sort of famously.
Unknown Guest
Yes, yes, yes. So what drives that is these. At the end of the day, they're open registration systems. Anyone can sign up and anyone can basically fake an identity. So these types of, since it's open, you have no true confidence in who you're communicating with. And sometimes it may just be mistakes, other times it could be specific malicious activity. Either one are possible because of the open registration, public registration nature of most of these consumer applications. The other thing that happens is since you can spoof identities, you can use AI deep fakes to start delivering very convincing messages. So it's been in the press recently that senior government officials on these type of applications got voice messages from the Secretary of state. It sounded 100% like the Secretary of State. Now, fortunately, they called back and said, hey, did you really leave me this message? That just kind of shows how easy it is to, once you have access to a system, how easy it is to introduce fake information, do spoofing of attacks. And then it's even been identified that with these types of systems, the Russian intelligence has found a way to insert themselves into the middle silently as a secondary device and see all of the communications and listen in and no one even knows they're there. So, you know, while the first set of attacks was the public phone network itself, this next one round of attacks has been, okay, now that we've got everybody on these platforms, let's take advantage of that.
Maria Vermazes
What about the encryption itself? I mean, if we say we're using an app like Signal, for example, just, you know, hypothetically, how much confidence should we have in that part of the chain?
Unknown Guest
I think the encryption itself, there's not a problem with it. It's very high quality encryption. At the end of the day, all of these systems, whether they're ones from BlackBerry, whether they're ones from Signal, and by the way, WhatsApp uses the Signal encryption protocols as an example. They're all built on the same foundational algorithms. So the difference is, have they been specifically certified? Do we know who's running the systems versus something a customer or government controls? But that's operational. It's not the security of the actual encryption algorithms, it's really the environment they're used in. And then the whole identity topic is the real risk driver there.
Maria Vermazes
What about the metadata? Do folks get a false sense of security that the communications are secure, but then perhaps the metadata itself is accessible?
Unknown Guest
Yeah, absolutely. And there's two aspects to that. One is visibility of metadata. So it was. There have been numerous reports. One of the most recent was last summer AT&T said they'd lost a year's worth of call records for all of their users around the world. So that's a case where retrospectively they had had the data somewhere, someone stole it. What happened with the Salt Typhoon is instead of that being retrospective, it became real time. So you didn't need to steal it and then analyze it. You could get it as it happened. Which means the efficacy of attacks can be much more effective. When you start to think about the messaging applications themselves, often that metadata is inside the encryption tunnel. So just a casual observer on the network doesn't have access to it, but the provider of the service has access to it. So if you read the Meta terms and conditions, they explicitly say, hey, we're not going to listen to your call, but we're going to mine all that metadata for business purposes. That means for selling ads. And that's why you get weird things like you were chatting with someone about some topic and all of a sudden you get an Instagram ad, right? And they didn't even know you were chatting about, but they knew who you were talking to, they knew what that person's interested in. You might be interested also.
Maria Vermazes
And I suppose there's the potential for sharing with law enforcement as well, right?
Unknown Guest
Well, absolutely. And that's the U.S. law that, you know, these service providers, if they're asked, they have to share that data. So that's the one aspect. And that sharing of that data, that's the second part, right, is, you know, particularly for regulated industries, for governments, they need to keep records of communications for legal purposes. And if you're using the consumer type system, you don't actually have those records yourself. So you know, you got to figure out how could I get them? And if you're talking about message content, what did you type, what documents did you share? They're not going to be able to give you that. So you need a system such as BlackBerry provides that gives the government or the organization the ability to have those records, but have it in a way that they have full control over it. So if there is a government request, if there is a subpoena, they have to come to you directly. They can't get your data from a telco, they can't get your data from Meta or whoever because they don't have it. And that's kind of the second part of, you know, if the risk, if you do use those systems, then that data is discoverable versus if it's the system you have, it's only discoverable with your own knowledge and your own legal team authorizing release of the information.
Maria Vermazes
I see, so you're not worrying about, I guess they refer to them as canaries. Right. Where to even know whether or not someone has requested the data.
Unknown Guest
Right.
Maria Vermazes
You want to have control over that. So what are your recommendations then? I mean, if I'm a security professional and I want to put the word out to my team members as to what the best practices are, where should we begin?
Unknown Guest
Yeah, I think the first best practice is you need to segregate your personal and your professional communications. And most people have done that. They have work emails, they have personal emails, but with messaging apps, a lot of times they just mix it all together and that can lead to mistakes that can lead to data leakages. So the first advice is separate those two. Hey, maybe use one for personal, one for professional, at least the data segregated. But then really for your organization, you need to look at, hey, what's the sensitivity of what we're doing? How embarrassed are we going to be if this information's out on the Internet and public? Or what are the legal ramifications from privacy and such? And think about does it make sense that we actually do our official communications in a system that's more sovereign and we have total control over versus a consumer grade service? So those are my core recommendations.
Maria Vermazes
And then I guess making sure that you're fulfilling whatever regulatory obligations you have as well?
Unknown Guest
Well, yeah, and that's a part of understanding the risks that are involved. So you know, if you're a financial institution, if you're a government agency, you need to keep records of all calls and messages. Well, to keep proper records, you have to have copy of the data. And that's another reason why the way why I say segregate your personal and your professional because since people need a copy of the data, well, that copy should be in the professional business communications, not your personal communications with your family, Right?
Maria Vermazes
Right. Nobody needs to know what time you pick the kids up from camp, right? That's David Weissman, vice president of secure communications at BlackBerry.
Dave Bittner
On WhatsApp, no one can see or hear your personal messages. Whether it's a voice call message or sending a password to WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late night voice messages that could basically become a podcast, your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp message privately with everyone.
Ryan Reynolds
Ryan Reynolds here from Mint Mobile. With the price of just about everything going up, we thought we'd bring our prices down. So to help us, we brought in a reverse auctioneer, which is apparently a.
Unknown Guest
Thing Mint Mobile Unlimited Premium wireless everybody.
Unknown Host
Get 30, 30 better get 30, better.
Unknown Guest
Get 20, 2020 get 20, 20 get 15, 15, 15, 15 just 15 bucks a month.
Ryan Reynolds
So give it a try. @mintmobile.com Switch upfront payment of $45 for.
Unknown Host
Three month plan equivalent to $15 per month required new customer offer for first three months only. Speed slow after 35 gigabytes of network's busy taxes and fees extra see mintmobile.com.
Maria Vermazes
And finally, AI generated images have become so indistinguishable from the real thing that identifying them now rivals reading tea leaves, only with less success. A Microsoft study pegged human accuracy at 62%, suggesting we may soon outsource image detection to darts and blindfolds. In response, watermarking emerged as the industry's digital signature, a spectral seal cleverly tucked where human eyes can't wander. Until Unmarker, unveiled at the IEEE Symposium, which doesn't so much seek the watermark as quietly dismantle the scaffolding that holds it up. Developed by a Canadian PhD student, it erases watermark signals across frequency space elegantly, precisely, and with unnerving consistency. The very subtlety that makes spectral watermarking undetectable also makes it remarkably predictable to machines. Watermarking promised authenticity. Unmarker replies with a raised eyebrow. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Nicolás Chiaraviglio, chief scientist from Zimperium's zLabs. The research we're discussing is titled Behind Random Double Trouble, Mobile Banking Trojan Revealed. That's Research Saturday. Check it out. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this month. There's a link in the show notes. Please take a moment and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original.
Unknown Guest
Oops.
Maria Vermazes
We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpy is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
CyberWire Daily: "Reflections in a Broken Vault" – August 8, 2025
Host: Dave Bittner | Guest: David Weissman (BlackBerry)
In the August 8, 2025 episode of CyberWire Daily, hosted by Dave Bittner and featuring guest David Weissman from BlackBerry, a comprehensive range of pressing cybersecurity issues was discussed. The episode delved into critical vulnerabilities in widely-used software, sophisticated cyberattacks targeting institutions, the integration of AI in surveillance, and the evolving landscape of secure communications.
Timestamp: [01:33]
Maria Vermazes kicked off the discussion by highlighting a significant security breach involving HashiCorp Vault, a popular open-source secrets manager. Researchers at Cyata uncovered nine vulnerabilities in the system, with eight already patched. These flaws permitted attackers to:
Notable Quote:
"The most severe enables RCE by uploading malicious plugins via the audit log system, a flaw hiding in plain sight for nearly a decade." — Maria Vermazes [02:10]
The incident underscores the critical importance of timely patching, robust configuration management, and stringent identity enforcement to safeguard infrastructure against comprehensive compromises.
Timestamp: [04:00]
At this year's Black Hat Conference in Las Vegas, researchers from Vision Space Technologies presented alarming findings on the vulnerabilities within space systems. Their research revealed critical weaknesses in software used by satellites and ground stations, including:
Key Exploits Identified:
Notable Quote:
"Hacking is the new space warfare. Knocking a satellite offline could be as simple as exploiting bad code." — Unknown Host [04:30]
Responsibility and Remediation: The researchers responsibly disclosed these vulnerabilities to software vendors, leading to prompt remediation before the public presentation.
Timestamp: [05:52]
A severe cyberattack was confirmed by Columbia University, compromising the personal data of nearly 870,000 individuals. The breach, which began in mid-May and was discovered in late June, exposed sensitive information such as:
Motivation and Impact: The hackers allegedly aimed to support a political agenda opposing affirmative action, disrupting IT systems campus-wide without accessing patient data at the medical center.
Remediation Efforts: Columbia University is offering two years of free credit monitoring to those affected, emphasizing the breach's extensive scope and the importance of institutional response to such incidents.
Timestamp: [07:15]
Researchers at Socket uncovered two malicious NPM packages masquerading as development tools for WhatsApp. These packages:
Additional Findings: Socket also identified 11 malicious Go packages using obfuscated code to execute remote payloads, primarily targeting Continuous Integration (CI) servers and Windows machines.
Recommendation: Developers are urged to thoroughly verify dependencies and remain vigilant against hidden threats within third-party packages.
Timestamp: [09:00]
A potent Endpoint Detection and Response (EDR) killer tool is being employed by at least eight ransomware gangs, including notable names like RansomHub, Medusa, and Qilin. This tool:
Notable Quote:
"The tool disables antivirus and security tools on compromised systems, helping attackers move laterally and deploy ransomware undetected." — David Weissman [09:25]
Implications: The emergence of such sophisticated tools underscores the escalating collaboration and innovation among ransomware groups, making detection and prevention increasingly challenging.
Timestamp: [11:00]
Major home improvement retailers like Lowe's and Home Depot have integrated AI-powered Flock license plate readers into their parking lots, sharing surveillance data with law enforcement. Key points include:
Privacy Concerns: Organizations like the Electronic Frontier Foundation (EFF) caution about potential customer privacy risks, especially when surveillance data is accessed without warrants or proper accountability.
Notable Quote:
"Private businesses are feeding real-time surveillance data into public law enforcement networks, often without customers' knowledge." — Maria Vermazes [11:45]
Timestamp: [13:30]
In response to sophisticated cyberattacks that compromised its case management system, the US Federal Judiciary has announced enhanced cybersecurity measures. The breach:
Regulatory Context: Following a similar breach in 2020, the judiciary had pledged to isolate sensitive documents, emphasizing the ongoing threat from nation-state hackers and cybercriminals targeting legal systems for espionage, disruption, or extortion.
Timestamp: [16:00]
CISA (Cybersecurity and Infrastructure Security Agency) reaffirmed its dedication to the CVE (Common Vulnerabilities and Exposures) program, dispelling recent funding concerns caused by a contract dispute. Key highlights include:
Recent Actions: CISA issued 10 advisories addressing critical vulnerabilities in Industrial Control Systems (ICS) across sectors like energy, manufacturing, and transportation. Vulnerabilities included:
Notable Quote:
"CISA plans to continue managing and improving the CVE program, emphasizing its foundational role in cybersecurity." — Maria Vermazes [17:20]
Urgency for Operators: ICS operators are urged to promptly patch systems and reinforce security measures to mitigate risks associated with high-severity vulnerabilities, some scoring up to 9.8 on CVSS.
Timestamp: [16:25]
David Weissman, Vice President of Secure Communications at BlackBerry, engaged in an insightful discussion about the challenges of secure communications in the age of AI and sophisticated cyber threats.
Key Topics Discussed:
Threat Landscape Evolution:
Notable Quote:
"At this point you have to assume that all of the telephone networks are compromised." — David Weissman [17:35]
Risks with Secure Messaging Apps:
Encryption and Operational Security:
Best Practices for Organizations:
Notable Quote:
"You need to segregate your personal and your professional communications." — David Weissman [25:10]
Implications for Regulated Industries: Organizations must adopt secure communication platforms that ensure data control, compliance with legal obligations, and protection against unauthorized data access or disclosure.
The episode concluded with a brief overview of advancements and threats in AI-generated content, highlighting the emergence of Unmarker, a tool capable of dismantling AI-generated watermarking. This development challenges the integrity of digital signatures meant to verify authenticity.
Final Notable Quote:
"Watermarking promised authenticity. Unmarker replies with a raised eyebrow." — Maria Vermazes [28:00]
Listeners were also encouraged to check out additional resources, participate in an audience survey, and stay tuned for upcoming segments like Research Saturday.
The "Reflections in a Broken Vault" episode of CyberWire Daily provided a thorough examination of contemporary cybersecurity challenges, from critical software vulnerabilities and sophisticated cyberattacks to the nuanced risks associated with secure communications in an AI-driven world. Expert insights from David Weissman emphasized the necessity for robust, controlled communication systems and proactive security measures in safeguarding sensitive information across various sectors.
For more detailed information on the discussed topics and ongoing cybersecurity developments, visit CyberWire Daily.