Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

Stolen Target source code looks real. CISA pulls the plug on Gogs. SAP rushes patches for critical flaws. A suspected Russian spy emerges in Sweden, while Cloudflare threatens to walk away from Italy. Researchers flag a Wi-Fi chipset bug, a long-running Magecart skimming campaign, and a surge in browser-in-the-browser phishing against Facebook users. Mandiant releases a new Salesforce defense tool, and NIST asks how to secure agentic AI before it secures itself. Our guests are Christine Blake and Madison Farbaugh from the Inside the Media Minds podcast. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot.

It's Tuesday, January 13, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us.
Multiple current and former employees at Target have confirmed to BleepingComputer that source code and documentation recently shared by a threat actor appear to be authentic and tied to real internal systems. Employees recognized internal platform names, proprietary project identifiers, and elements of Target's technology stack, including its customized tooling. Shortly after BleepingComputer contacted the company about the alleged leak, Target implemented an accelerated security change, restricting access to its internal Git server to corporate networks or VPN only. The source of the leak remains unclear. A researcher at Hudson Rock reported a compromised Target employee workstation infected with infostealer malware in 2025, though no direct link to the leaked code has been confirmed. The threat actor claims the full data set is roughly 860 gigabytes, raising concerns about potential exposure.

CISA has ordered federal agencies to immediately stop using or to lock down Gogs after a high-severity vulnerability was added to its Known Exploited Vulnerabilities catalog. Gogs is an open-source, self-hosted Git service used to manage source code repositories. The flaw is a path traversal bug that allows authenticated users to overwrite arbitrary files, effectively enabling remote code execution. According to CISA, the vulnerability is actively exploited and poses significant risk across federal systems. The issue was identified by researchers at Wiz, who found hundreds of exposed Gogs servers already compromised. Gogs has not yet released a fix, forcing users to rely on mitigations like disabling registrations or restricting access behind VPNs. CISA warns that unprotected, Internet-exposed instances remain at high risk.

SAP has released 17 security notes as part of its January 2026 Security Patch Day, including fixes for four critical vulnerabilities. The most severe is a SQL injection flaw in S/4HANA that could allow full system compromise.
Another critical issue enables remote code execution in Wily Introscope via malicious Java Web Start files. SAP also patched two additional critical code injection bugs that could lead to operating system command execution. Researchers at Onapsis discovered and reported several of the flaws. Beyond the critical issues, SAP addressed multiple high-, medium- and low-severity vulnerabilities across HANA, NetWeaver, Fiori and other products. SAP customers are urged to apply patches promptly, as exposed SAP systems are high-value targets for attackers.

Swedish authorities have detained a 33-year-old former IT consultant to the armed forces on suspicion of spying for Russian intelligence. Prosecutors say the alleged activity occurred during 2025, though it may date back to 2022. The suspect previously worked with Sweden's military through an IT services firm and is listed as head of a small cybersecurity company. Officials have released few details, citing national security concerns. The case comes amid heightened scrutiny of suspected Russian espionage across Europe as Sweden continues its support for Ukraine.

Cloudflare is threatening to scale back or exit operations in Italy after the country's communications regulator, AGCOM, fined the company roughly 14 million euros for failing to comply with Italy's anti-piracy system. The fine equals about 1% of Cloudflare's global revenue and exceeds what it earns in Italy. Piracy Shield allows rights holders to request rapid IP and DNS blocking of suspected pirate services, a process Cloudflare argues lacks judicial oversight and risks widespread collateral censorship. Cloudflare's CEO, Matthew Prince, called the system incompatible with democratic values and said the company will appeal. He warned Cloudflare could withdraw free services, remove Italian servers and halt support for the upcoming Winter Olympics if the dispute is not resolved.
Researchers say a flaw in Broadcom wireless chipsets can let attackers repeatedly disable the 5 GHz Wi-Fi band on affected routers, regardless of security settings. Black Duck found that a single malformed wireless frame could knock all 5 GHz clients offline during testing on an Asus router. The issue stems from a chipset-level vulnerability, not configuration errors, and does not require authentication. Broadcom has issued a patch, but researchers warn protocol-level flaws can bypass even strong encryption and enable follow-on attacks like rogue evil twin networks.

Mandiant has released Aura Inspector, an open-source tool designed to help Salesforce administrators identify misconfigurations that could expose sensitive data. The tool focuses on access control issues in Salesforce Aura, the user interface framework behind Experience Cloud sites. While Aura itself is not inherently insecure, configuration mistakes can allow unauthenticated users to access records or abuse APIs to extract data. Aura Inspector automates common abuse scenarios and provides remediation guidance while operating in read-only mode. Mandiant says the tool is intended to help defenders secure legacy Aura deployments that remain widely used despite newer frameworks.

Security researchers at Silent Push are warning about a large-scale, Magecart-style digital skimming campaign that has operated largely undetected since 2022. The campaign uses malicious JavaScript to target checkout pages tied to major payment networks, including Visa competitors such as American Express, Mastercard, Discover, JCB, Diners Club and UnionPay, putting most credit card users at risk. The skimmers run client-side in victims' browsers, making them difficult for site owners to detect. Silent Push traced the activity to infrastructure linked to a bulletproof hosting provider and found long-running infections across multiple sites.
The attacks replace legitimate payment forms with convincing fakes, silently stealing card and personal data. Researchers urge stronger content security policies, access controls and regular monitoring to reduce exposure.

Researchers at Trellix say attackers are increasingly using the browser-in-the-browser phishing technique to steal Facebook account credentials. The method uses fake login popups built with iframes that closely mimic legitimate authentication windows, making scams harder to spot. Recent campaigns impersonate law firms or Meta security alerts and often rely on shortened links and trusted cloud hosting platforms. Trellix warns the approach marks an escalation in phishing sophistication and urges users to navigate directly to official sites, avoid embedded links and enable multi-factor authentication to reduce account takeover risk.

The National Institute of Standards and Technology is seeking public input on how to secure agentic artificial intelligence systems as their use expands across government and critical infrastructure. In a new request for information, NIST asks industry and researchers to assess security risks tied to AI agents, defined as systems that combine generative models with software that enables planning and autonomous action. NIST warns these systems introduce unique threats, including hijacking, data poisoning, prompt injection and hidden backdoors. Security leaders say those risks are already emerging as agencies deploy AI faster than protective controls mature. Qualys noted that weak governance could allow attackers to manipulate alerts or disable defenses. NIST aims to use the feedback to develop guidelines, evaluation methods and best practices before agentic AI becomes deeply embedded in high-impact government operations.

Coming up after the break, my conversation with Christine Blake and Madison Farbaugh from the Inside the Media Minds podcast.
Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot. Stay with us.
