CyberWire Daily: "Taxing Times for Cyber Fraudsters"
Released on July 14, 2025
Host: Dave Bittner
Guest: Cynthia Kaiser, Senior Vice President of Halcyon's Ransomware Research Center and Former Deputy Assistant Director at the FBI's Cyber Division

Introduction

In this episode of CyberWire Daily, host Dave Bittner delves into the latest developments in the cybersecurity landscape, highlighting significant incidents and providing expert insights into emerging threats. The episode features an in-depth conversation with Cynthia Kaiser, a leading authority in ransomware research, who shares her expertise on one of today's most formidable cybercriminal groups, Scattered Spider.

News Highlights

1. Major Tax Fraud Scheme Busted in UK and Romania

British and Romanian authorities recently apprehended 14 individuals connected to a substantial tax fraud operation. The gang exploited stolen personal data to fraudulently claim millions in UK tax refunds through phishing attacks that harvested taxpayer information.

• Details:
  • Arrests: 13 in Romania, 1 in England.
  • Seizures: Luxury goods and cash.
  • Financial Impact: £47 million stolen in 2023 through similar frauds, with £1.9 billion in attempted fraud thwarted.
  • Notification: Approximately 100,000 individuals alerted; no reported personal financial losses.

HM Revenue and Customs clarified that the data breach was due to phishing and third-party breaches, explicitly denying any direct hacking involvement.

2. Interlock Ransomware Gang Introduces New PHP-Based RAT

The Interlock Ransomware Gang has unveiled a new remote access Trojan (RAT) written in PHP, marking a departure from their previous JavaScript-based Node Snake RAT. This evolution allows for more sophisticated system reconnaissance and data exfiltration.

• Capabilities:
  • Automated system reconnaissance via PowerShell.
  • Data exfiltration in JSON format.
  • Establishment of command and control through Cloudflare Tunnel with backup IPs.
  • Supports file execution, persistence, shell access, RDP movement, and self-termination.

Researchers from DFIR Reports and Proofpoint noted that initial access is often achieved through the "File Fix" social engineering tactic, where users are tricked into executing malicious PowerShell commands.

3. Google Gemini for Workspace Faces New Vulnerability

A newly discovered prompt injection vulnerability in Google Gemini for Workspace enables attackers to embed malicious instructions within emails. Discovered by Mozilla researcher Marco Figueroa, the flaw allows hidden commands in zero-sized text using HTML and CSS, making them invisible to end-users but readable by Gemini during summary generation.

• Impact:
  • Fake security alerts or trusted phone numbers can be generated.
  • Bypasses many existing email filters.

Google has acknowledged the issue and is working on implementing new defenses, although no real-world abuse has been reported yet. Security experts advise enhancing filters to detect hidden content and scrutinizing Gemini-generated summaries for suspicious requests.

4. Chinese Hackers Breach Major D.C. Law Firm

A significant breach at Wiley, a prominent D.C. law firm, has been attributed to suspected Chinese hackers, likely linked to the Chinese government. The attackers accessed Microsoft 365 accounts of attorneys and advisers, targeting sensitive information related to trade, tariffs, and foreign investments.

• Response:
  • Wiley is collaborating with law enforcement and cybersecurity firm Mandiant.
  • Incident occurs amid escalating U.S.-China trade tensions and follows other suspected Chinese intrusions into U.S. agencies.

Chinese officials have denied involvement, labeling the accusations as unfounded without concrete evidence.

5. Firmware Vulnerabilities in Gigabyte Technology Products

Researchers have identified multiple firmware vulnerabilities in products from Taiwanese manufacturer Gigabyte Technology. These flaws could allow attackers to bypass UEFI security and gain deep control over affected systems.

• Technical Details:
  • Located in System Management Mode (SMM).
  • Caused by improper buffer validation in SMHandlers.
  • Enables arbitrary code execution before OS loads, modifying protected memory and tampering with Flash operations.

Gigabyte has acknowledged the vulnerabilities and issued firmware updates. Users are urged to apply these updates immediately to mitigate risks.

6. Nvidia Alerts Users to Rowhammer Attack Risks

Nvidia has issued a warning regarding potential Rowhammer attacks across its product line, following successful exploitation by researchers at the University of Toronto on an A6000 GPU with GDDR6 memory and ECC disabled.

• Mitigations:
  • Nvidia's Recommendation: Enable ECC, which is default on Hopper and Blackwell data center products.
  • Affected Models: Includes Blackwell, Ada, Hopper, Amper, Jetson, Turing, and Volta series.

Rowhammer attacks manipulate memory by repeatedly accessing memory rows to induce data corruption, posing significant security threats.

7. Louis Vuitton UK's Data Breach Notification

Louis Vuitton UK has reported a data breach affecting customers' personal information, including names, contact details, birth dates, and shopping preferences. While no misuse of data has been detected, the company advises customers to remain vigilant against potential phishing or fraud attempts.

• Context:
  • Similar breaches have occurred at LVMH's Korean operations and other brands like Dior and Tiffany.
  • Experts suggest the breaches may stem from shared vulnerabilities within LVMH's systems.

The Information Commissioner's Office (ICO) has been notified, and investigations are ongoing.

8. Dismantling of International Cyber Fraud Gang by Indian Authorities

Indian authorities have successfully dismantled a cyber fraud gang accused of scamming victims in the UK, US, and Australia through fake tech support calls. The operation, named Operation Chakra 5, involved collaboration with the UK's National Crime Agency, the FBI, and Microsoft.

• Modus Operandi:
  • Victims were deceived by scareware pop-ups claiming their computers were compromised.
  • Scammers coerced payments for bogus repair services.

Impact:

• Over 100 UK victims lost at least £390,000.
• Gang operated under the name First Idea using spoofed numbers and VoIP calls.

Two suspects, including the ringleader, were arrested, highlighting the effectiveness of international cooperation in combating cybercrime.

9. Critical Vulnerability in American Train Systems

A longstanding vulnerability in American train systems, initially discovered in 2012, has garnered renewed attention after CISA issued a public advisory. The flaw affects the wireless end of train systems, allowing attackers with low-cost software-defined radios to send false brake commands.

• Details:
  • Located in systems used since the 1980s.
  • Lack of strong authentication protocols.

American Association of Railways (AAR) initially dismissed the issue as theoretical but has since acknowledged the problem following CISA's involvement. Remediation is expected to be slow, with full implementation targeted for 2027, underscoring persistent industry resistance to cybersecurity enhancements despite public safety risks.

In-Depth Interview: Cynthia Kaiser on Scattered Spider

Cynthia Kaiser provides a comprehensive analysis of Scattered Spider, one of today's most aggressive and disruptive cybercriminal groups. Her insights reveal the group's operational strategies, recruitment tactics, and the evolving nature of their cyber offensives.

Group Overview and Tactics

Dave Bittner:
"They're really one of the most disruptive and aggressive cybercriminal groups active today. So we hear about them a lot because they typically go after big payments, which means they target large companies. And when large companies are disrupted, a lot more customers are impacted like you, me and many of the folks listening today. And what's really made them stand out is their deep focus on social engineering and the speed at which they can compromise victims. Most ransomware groups take days to encrypt systems, but in just hours, Scattered Spider can get onto a network, steal data, and in many cases deploy ransomware."
[14:20]

Cynthia Kaiser:
"Your research mentions that they're targeting business process outsourcing companies. Can you unpack that for us? Why would that be a target?"
[15:07]

Dave Bittner:
"Sure. And it's more like what's old is new again. So back in 2023, Scattered Spider first compromised third-party services companies, you hear them called business process outsourcing providers, BPOs, and then they use that compromise to attack major casinos. While in 2024 we saw the group use other tactics, their recent tactics appear to use more of those old tricks. Their recent attacks against retail and likely insurance were facilitated in part by compromising these third-party service companies like call centers or any other outsourcing processes that a company wants to do. And what's interesting here is they're not just cyber intrusions. Some of their activities include insider recruitment at these providers, identifying individual employees that may be in financial distress or otherwise vulnerable, and then either paying or coercing these employees to give Scattered Spider access to the provider. And you know, from my old days at the FBI to my new days here at Halcyon, I know I probably shouldn't find a lot shocking anymore, but when I really stop and think about it, it feels really crazy that we're talking about this kind of insider recruitment aspect among all the other technical aspects that we expect in a ransomware operation."
[15:19 - 16:50]

Key Insights from Cynthia Kaiser:

1. Targeting Business Process Outsourcing (BPO) Providers:
   Scattered Spider strategically compromises BPOs to infiltrate larger targets, such as major casinos, retail, and insurance firms. This method leverages the trusted relationship between corporations and their outsourced service providers, making it a potent vector for widespread disruption.

2. Insider Recruitment Tactics:
   The group employs sophisticated social engineering techniques to identify and exploit employees within compromised BPOs. By targeting individuals under financial or social stress, Scattered Spider coerces or incentivizes insiders to grant access, thereby facilitating deeper network penetrations.

3. Use of Backup and File Replication Tools for Data Theft:
   Unlike traditional ransomware groups that focus solely on system encryption, Scattered Spider emphasizes data exfiltration. This dual approach serves both extortion purposes and the broader objective of financing their operations through data sales, enhancing their strategic flexibility and financial sustainability.

4. Organizational Structure:
   Scattered Spider operates as a decentralized yet tightly coordinated entity, resembling a business with defined roles—from strategic leaders to junior affiliates responsible for operational tasks like phishing and initial intrusions. This structure promotes scalability and resilience, allowing the group to adapt swiftly to countermeasures.

5. Sector Rotation Strategy:
   The group's propensity to rotate across different industries—such as insurance, aviation, manufacturing, and utilities—ensures unpredictability and minimizes the risk of sustained pressure from defense mechanisms or law enforcement. This deliberate shifting complicates detection and eradication efforts.

Recommendations for Organizations:

• Immediate Defensive Measures:

  • Monitor for Spoof Domains and Suspicious Logins: Implement robust monitoring systems to detect and respond to anomalous login activities and cloned authentication pages, especially those mimicking internal communications like help desk or HR messages.
  • Audit Third-Party Access: Regularly review and verify the security practices of outsourced service providers, ensuring they adhere to stringent security protocols and are willing to share logs and security incident data.

• Long-Term Security Enhancements:

  • Upgrade Multi-Factor Authentication (MFA): Transition from voice and text-based MFA to phishing-resistant methods such as number matching or hardware tokens to prevent credential compromise.
  • Secure Outsourcing Providers: Partner with providers that employ strong security measures, including insider reporting systems similar to bug bounties, to detect and mitigate suspicious activities proactively.
  • Limit Access Controls: Enforce the principle of least privilege by restricting network access to trusted third-party providers only, minimizing potential breach vectors.

Future Outlook:

Cynthia Kaiser anticipates that Scattered Spider will continue to expand its targets into sectors like manufacturing, food, and utilities. Organizations within these industries should remain vigilant, recognizing that past targeting increases the likelihood of future assaults.

Cynthia Kaiser:
"We believe they're likely to move towards manufacturing, food industry or even utility targets moving forward. And remember, they rotate across these industries. So if you've been targeted in the past by these actors, don't be surprised that you may be targeted again in the near future."
[23:53 - 24:15]

Conclusion

This episode of CyberWire Daily underscores the evolving tactics of cybercriminal organizations like Scattered Spider, emphasizing the need for robust, adaptive security measures. Cynthia Kaiser's expert analysis provides valuable guidance for organizations aiming to bolster their defenses against sophisticated threats. Meanwhile, the news highlights serve as a stark reminder of the diverse and persistent nature of cyber threats facing industries worldwide.

Stay informed and proactive in your cybersecurity endeavors by tuning into CyberWire Daily each weekday.

For more detailed insights and to access the full research by Cynthia Kaiser and her team, refer to the show notes.