Taxing times for cyber fraudsters. - CyberWire Daily

Summary9 min read

CyberWire Daily: "Taxing Times for Cyber Fraudsters"
Released on July 14, 2025
Host: Dave Bittner
Guest: Cynthia Kaiser, Senior Vice President of Halcyon's Ransomware Research Center and Former Deputy Assistant Director at the FBI's Cyber Division

Introduction

In this episode of CyberWire Daily, host Dave Bittner delves into the latest developments in the cybersecurity landscape, highlighting significant incidents and providing expert insights into emerging threats. The episode features an in-depth conversation with Cynthia Kaiser, a leading authority in ransomware research, who shares her expertise on one of today's most formidable cybercriminal groups, Scattered Spider.

News Highlights

1. Major Tax Fraud Scheme Busted in UK and Romania

British and Romanian authorities recently apprehended 14 individuals connected to a substantial tax fraud operation. The gang exploited stolen personal data to fraudulently claim millions in UK tax refunds through phishing attacks that harvested taxpayer information.

Details:
- Arrests: 13 in Romania, 1 in England.
- Seizures: Luxury goods and cash.
- Financial Impact: £47 million stolen in 2023 through similar frauds, with £1.9 billion in attempted fraud thwarted.
- Notification: Approximately 100,000 individuals alerted; no reported personal financial losses.

HM Revenue and Customs clarified that the data breach was due to phishing and third-party breaches, explicitly denying any direct hacking involvement.

2. Interlock Ransomware Gang Introduces New PHP-Based RAT

The Interlock Ransomware Gang has unveiled a new remote access Trojan (RAT) written in PHP, marking a departure from their previous JavaScript-based Node Snake RAT. This evolution allows for more sophisticated system reconnaissance and data exfiltration.

Capabilities:
- Automated system reconnaissance via PowerShell.
- Data exfiltration in JSON format.
- Establishment of command and control through Cloudflare Tunnel with backup IPs.
- Supports file execution, persistence, shell access, RDP movement, and self-termination.

Researchers from DFIR Reports and Proofpoint noted that initial access is often achieved through the "File Fix" social engineering tactic, where users are tricked into executing malicious PowerShell commands.

3. Google Gemini for Workspace Faces New Vulnerability

A newly discovered prompt injection vulnerability in Google Gemini for Workspace enables attackers to embed malicious instructions within emails. Discovered by Mozilla researcher Marco Figueroa, the flaw allows hidden commands in zero-sized text using HTML and CSS, making them invisible to end-users but readable by Gemini during summary generation.

Impact:
- Fake security alerts or trusted phone numbers can be generated.
- Bypasses many existing email filters.

Google has acknowledged the issue and is working on implementing new defenses, although no real-world abuse has been reported yet. Security experts advise enhancing filters to detect hidden content and scrutinizing Gemini-generated summaries for suspicious requests.

4. Chinese Hackers Breach Major D.C. Law Firm

A significant breach at Wiley, a prominent D.C. law firm, has been attributed to suspected Chinese hackers, likely linked to the Chinese government. The attackers accessed Microsoft 365 accounts of attorneys and advisers, targeting sensitive information related to trade, tariffs, and foreign investments.

Response:
- Wiley is collaborating with law enforcement and cybersecurity firm Mandiant.
- Incident occurs amid escalating U.S.-China trade tensions and follows other suspected Chinese intrusions into U.S. agencies.

Chinese officials have denied involvement, labeling the accusations as unfounded without concrete evidence.

5. Firmware Vulnerabilities in Gigabyte Technology Products

Researchers have identified multiple firmware vulnerabilities in products from Taiwanese manufacturer Gigabyte Technology. These flaws could allow attackers to bypass UEFI security and gain deep control over affected systems.

Technical Details:
- Located in System Management Mode (SMM).
- Caused by improper buffer validation in SMHandlers.
- Enables arbitrary code execution before OS loads, modifying protected memory and tampering with Flash operations.

Gigabyte has acknowledged the vulnerabilities and issued firmware updates. Users are urged to apply these updates immediately to mitigate risks.

6. Nvidia Alerts Users to Rowhammer Attack Risks

Nvidia has issued a warning regarding potential Rowhammer attacks across its product line, following successful exploitation by researchers at the University of Toronto on an A6000 GPU with GDDR6 memory and ECC disabled.

Mitigations:
- Nvidia's Recommendation: Enable ECC, which is default on Hopper and Blackwell data center products.
- Affected Models: Includes Blackwell, Ada, Hopper, Amper, Jetson, Turing, and Volta series.

Rowhammer attacks manipulate memory by repeatedly accessing memory rows to induce data corruption, posing significant security threats.

7. Louis Vuitton UK's Data Breach Notification

Louis Vuitton UK has reported a data breach affecting customers' personal information, including names, contact details, birth dates, and shopping preferences. While no misuse of data has been detected, the company advises customers to remain vigilant against potential phishing or fraud attempts.

Context:
- Similar breaches have occurred at LVMH's Korean operations and other brands like Dior and Tiffany.
- Experts suggest the breaches may stem from shared vulnerabilities within LVMH's systems.

The Information Commissioner's Office (ICO) has been notified, and investigations are ongoing.

8. Dismantling of International Cyber Fraud Gang by Indian Authorities

Indian authorities have successfully dismantled a cyber fraud gang accused of scamming victims in the UK, US, and Australia through fake tech support calls. The operation, named Operation Chakra 5, involved collaboration with the UK's National Crime Agency, the FBI, and Microsoft.

Modus Operandi:
- Victims were deceived by scareware pop-ups claiming their computers were compromised.
- Scammers coerced payments for bogus repair services.

Impact:

Over 100 UK victims lost at least £390,000.
Gang operated under the name First Idea using spoofed numbers and VoIP calls.

Two suspects, including the ringleader, were arrested, highlighting the effectiveness of international cooperation in combating cybercrime.

9. Critical Vulnerability in American Train Systems

A longstanding vulnerability in American train systems, initially discovered in 2012, has garnered renewed attention after CISA issued a public advisory. The flaw affects the wireless end of train systems, allowing attackers with low-cost software-defined radios to send false brake commands.

Details:
- Located in systems used since the 1980s.
- Lack of strong authentication protocols.

American Association of Railways (AAR) initially dismissed the issue as theoretical but has since acknowledged the problem following CISA's involvement. Remediation is expected to be slow, with full implementation targeted for 2027, underscoring persistent industry resistance to cybersecurity enhancements despite public safety risks.

In-Depth Interview: Cynthia Kaiser on Scattered Spider

Cynthia Kaiser provides a comprehensive analysis of Scattered Spider, one of today's most aggressive and disruptive cybercriminal groups. Her insights reveal the group's operational strategies, recruitment tactics, and the evolving nature of their cyber offensives.

Group Overview and Tactics

Dave Bittner:
"They're really one of the most disruptive and aggressive cybercriminal groups active today. So we hear about them a lot because they typically go after big payments, which means they target large companies. And when large companies are disrupted, a lot more customers are impacted like you, me and many of the folks listening today. And what's really made them stand out is their deep focus on social engineering and the speed at which they can compromise victims. Most ransomware groups take days to encrypt systems, but in just hours, Scattered Spider can get onto a network, steal data, and in many cases deploy ransomware."
[14:20]

Cynthia Kaiser:
"Your research mentions that they're targeting business process outsourcing companies. Can you unpack that for us? Why would that be a target?"
[15:07]

Dave Bittner:
"Sure. And it's more like what's old is new again. So back in 2023, Scattered Spider first compromised third-party services companies, you hear them called business process outsourcing providers, BPOs, and then they use that compromise to attack major casinos. While in 2024 we saw the group use other tactics, their recent tactics appear to use more of those old tricks. Their recent attacks against retail and likely insurance were facilitated in part by compromising these third-party service companies like call centers or any other outsourcing processes that a company wants to do. And what's interesting here is they're not just cyber intrusions. Some of their activities include insider recruitment at these providers, identifying individual employees that may be in financial distress or otherwise vulnerable, and then either paying or coercing these employees to give Scattered Spider access to the provider. And you know, from my old days at the FBI to my new days here at Halcyon, I know I probably shouldn't find a lot shocking anymore, but when I really stop and think about it, it feels really crazy that we're talking about this kind of insider recruitment aspect among all the other technical aspects that we expect in a ransomware operation."
[15:19 - 16:50]

Key Insights from Cynthia Kaiser:

Targeting Business Process Outsourcing (BPO) Providers:
Scattered Spider strategically compromises BPOs to infiltrate larger targets, such as major casinos, retail, and insurance firms. This method leverages the trusted relationship between corporations and their outsourced service providers, making it a potent vector for widespread disruption.
Insider Recruitment Tactics:
The group employs sophisticated social engineering techniques to identify and exploit employees within compromised BPOs. By targeting individuals under financial or social stress, Scattered Spider coerces or incentivizes insiders to grant access, thereby facilitating deeper network penetrations.
Use of Backup and File Replication Tools for Data Theft:
Unlike traditional ransomware groups that focus solely on system encryption, Scattered Spider emphasizes data exfiltration. This dual approach serves both extortion purposes and the broader objective of financing their operations through data sales, enhancing their strategic flexibility and financial sustainability.
Organizational Structure:
Scattered Spider operates as a decentralized yet tightly coordinated entity, resembling a business with defined roles—from strategic leaders to junior affiliates responsible for operational tasks like phishing and initial intrusions. This structure promotes scalability and resilience, allowing the group to adapt swiftly to countermeasures.
Sector Rotation Strategy:
The group's propensity to rotate across different industries—such as insurance, aviation, manufacturing, and utilities—ensures unpredictability and minimizes the risk of sustained pressure from defense mechanisms or law enforcement. This deliberate shifting complicates detection and eradication efforts.

Recommendations for Organizations:

Immediate Defensive Measures:
- Monitor for Spoof Domains and Suspicious Logins: Implement robust monitoring systems to detect and respond to anomalous login activities and cloned authentication pages, especially those mimicking internal communications like help desk or HR messages.
- Audit Third-Party Access: Regularly review and verify the security practices of outsourced service providers, ensuring they adhere to stringent security protocols and are willing to share logs and security incident data.
Long-Term Security Enhancements:
- Upgrade Multi-Factor Authentication (MFA): Transition from voice and text-based MFA to phishing-resistant methods such as number matching or hardware tokens to prevent credential compromise.
- Secure Outsourcing Providers: Partner with providers that employ strong security measures, including insider reporting systems similar to bug bounties, to detect and mitigate suspicious activities proactively.
- Limit Access Controls: Enforce the principle of least privilege by restricting network access to trusted third-party providers only, minimizing potential breach vectors.

Future Outlook:

Cynthia Kaiser anticipates that Scattered Spider will continue to expand its targets into sectors like manufacturing, food, and utilities. Organizations within these industries should remain vigilant, recognizing that past targeting increases the likelihood of future assaults.

Cynthia Kaiser:
"We believe they're likely to move towards manufacturing, food industry or even utility targets moving forward. And remember, they rotate across these industries. So if you've been targeted in the past by these actors, don't be surprised that you may be targeted again in the near future."
[23:53 - 24:15]

Conclusion

This episode of CyberWire Daily underscores the evolving tactics of cybercriminal organizations like Scattered Spider, emphasizing the need for robust, adaptive security measures. Cynthia Kaiser's expert analysis provides valuable guidance for organizations aiming to bolster their defenses against sophisticated threats. Meanwhile, the news highlights serve as a stark reminder of the diverse and persistent nature of cyber threats facing industries worldwide.

Stay informed and proactive in your cybersecurity endeavors by tuning into CyberWire Daily each weekday.

For more detailed insights and to access the full research by Cynthia Kaiser and her team, refer to the show notes.

Loading summary

Transcript18 lines

[00:02]
Dave Bittner
You're listening to the Cyberwire Network.
[00:04]
Cynthia Kaiser
Powered by N2, Krogle is AI built for the enterprise SOC. Fully private schema, free and capable of running in sensitive air gapped environments. Krogle autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context aware auditable decisions aligned to your workflows. Krogle empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more@krogle.com that's C R O gl.com British and Romanian authorities make arrests in a major tax fraud scheme the Interlock Ransomware gang has a new rat. A new vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails. Suspected Chinese hackers breach a major D.C. law firm. Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology. Nvidia warns against rowhammer attacks across its product line. Louis Vuitton joins a list of breached UK retailers Indian authorities dismantle a cyber fraud gang CISA pumps the brakes on a critical vulnerability in American train systems. Our guest is Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research center and former deputy assistant director at the FBI's Cyber Division, with insights on scattered spider and hackers. Ransack Elmo's world It's Monday, July 14, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Foreign thanks for joining us. It is great to have you with us. British and Romanian authorities have arrested 14 people linked to a major tax fraud scheme that used stolen personal data to falsely claim millions in UK tax refunds. HM Revenue and Customs said the gang used phishing attacks to harvest taxpayer information, then filed fake benefit claims. Raids across Romania led to 13 arrests, while one suspect was arrested in England. Authorities seized luxury goods and cash during the bust. HMRC previously reported 47 million pounds was stolen in 2023 through similar fraud, though 1.9 billion pounds in attempted fraud was stopped. HMRC emphasized it wasn't hacked. The data came from phishing or third party breaches. About 100,000 individuals were notified of suspicious activity, but no personal financial losses were reported. The Interlock Ransomware Gang is deploying a new remote access Trojan written in PHP as part of a broad campaign active since May, researchers from the DFIR report and Proofpoint revealed. This marks a shift from Interlock's earlier JavaScript based Node Snake Rat. The PHP version enables automated System reconnaissance via PowerShell, exfiltrates data as JSON, checks user privileges and establishes command and control through Cloudflare Tunnel with backup IPs for resilience. It supports file execution, persistence, shell access, RDP movement and self termination. Initial access is gained using the File Fix social engineering trick, where users are duped into running PowerShell commands by pasting malicious paths into File Explorer. Interlock, known for double extortion, has previously targeted US and UK government agencies. A new prompt injection vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails, tricking the AI into generating phishing style summaries. Discovered by Mozilla researcher Marco Figueroa, the attack hides commands in white zero sized text using HTML and css. These are invisible to users but read by Gemini when generating a summary. The result might include fake security alerts or phone numbers that appear trustworthy because there are no links or attachments. These emails bypass many filters. Despite prior reports and Google security updates, this method remains effective. Google says it's implementing new defenses and has seen no real world abuse yet. Security experts recommend filters to detect hidden content and flag Gemini summaries with urgent messages or contact info as suspicious. Suspected Chinese hackers breached email accounts at major D.C. law firm Wiley in an intelligence gathering operation. The firm told clients the attackers, possibly linked to the Chinese government accessed Microsoft 365 accounts belonging to attorneys and advisers, likely targeting sensitive trade, tariff and foreign investment information. Wiley, known for advising Fortune 500 clients and the US government on trade with China, is investigating what data was accessed and is working with law enforcement and mandiant. The hack comes amid escalating US China trade tensions and follows other suspected Chinese intrusions into US Agencies. The FBI, already probing multiple Beijing linked cyber operations, warns China's hacking capabilities surpass all other foreign powers. Chinese officials deny involvement, calling accusations baseless without solid evidence. Multiple firmware vulnerabilities in products from Taiwanese manufacturer Gigabyte Technologies could let attackers bypass UEFI security and and gain deep control over affected systems, researchers warn. Found in System Management Mode, a privileged CPU mode used for hardware level tasks. The flaws stem from improper buffer validation in Smihandlers. This allows arbitrary code execution before the OS loads. The bugs enable writing to protected memory, modifying system management RAM and tampering with Flash operations. Attackers with admin access local or remote could exploit these to disable secure boot, install persistent firmware backdoors and bypass OS level protections. The issues first seen in AMI firmware have now been identified in Gigabyte products. Gigabyte has acknowledged the flaws and issued firmware updates. Users are advised to update promptly. Nvidia has warned users to enable mitigations against Rowhammer attacks after researchers at the University of Toronto successfully exploited the issue on an A6000 GPU with GDDR6 memory and ECC disabled. Rowhammer manipulates memory by repeatedly accessing memory rows, potentially causing data corruption. In a July 9th advisory, Nvidia emphasized that ECC is enabled by default on its Hopper and Blackwell data center products and recommended enabling ECC on various models across its product lines, including Blackwell, Ada, Hopper, Amper, Jetson, Turing and volta. Louis Vuitton UK has suffered a data breach, notifying customers on July 2 that personal information may have been exposed, including names, contact details, birth dates and shopping preferences. While there's no evidence of misuse, the company warned customers to watch for phishing or fraud attempts. The breach follows similar incidents at LVMH's Korean operations and other brands like Deore and Tiffany. Security experts suggest the breaches may stem from shared vulnerabilities across LVMH's systems. The ICO has been notified and investigations are ongoing. Indian authorities have dismantled a cyber fraud gang accused of scamming victims in the uk, US and Australia through fake tech support calls. The Central Bureau of Investigation raided the gang's call center after an 18 month probe dubbed Operation Chakra 5, coordinated with the UK's National Crime Agency, the FBI and Microsoft. Victims were tricked by scareware pop ups claiming their computers were hacked, then coerced into paying for bogus repairs. Over 100 UK victims lost at least 390,000 pounds. The scammers used spoof numbers and voiceover IP calls to mask their identity. The case highlights international collaboration sparked by Microsoft's tip to the NCA in early 2024. Two suspects, including the ringleader, were arrested. The call center reportedly operated under the name First Idea. A critical vulnerability in American train systems, first discovered in 2012, has only recently gained official attention after CISA issued a public advisory. Researcher Neils found that the wireless end of train system used since the 1980s lacks strong authentication, allowing attackers with low cost software defined radios to send false brake commands despite repeated warnings. The American association of Railways dismissed the issue as theoretical. The vulnerability remained unresolved due to AAR's refusal to permit testing and the Federal Railroad Administration's lack of test facilities. AAR finally acknowledged the problem after CISA's involvement, but remediation is slow with full implementation not expected until 2027. Experts say the situation highlights long standing industry resistance to cybersecurity warnings, even when public safety is at risk. Coming up after the break, my conversation with Cynthia Ky, senior vice president of Halcyon's Ransomware Research center, with her insights on Scattered Spider and hackers Ransack Elmo's World. Stay with us. Hey, everybody. Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees, personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your active directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Night to stay ahead of threats. Download it now at sempras.com purple-knight that's sempras.com purple-night Cynthia Kaiser is senior vice president of Halcyon's Ransomware Research center and former deputy assistant director at the FBI's Cyber Division. I caught up with her for insights on Scattered Spider.
[14:20]
Dave Bittner
They're really one of the most disruptive and aggressive cybercriminal groups active today. So we hear about them a lot because they typically go after big payments, which means they target large companies. And when large companies are disrupted, a lot more customers are impacted like you, me and many of the folks listening today. And what's really made them stand out is their deep focus on social, social engineering and the speed at which they can compromise victims. Most ransomware groups take days to encrypt systems, but in just hours, Scattered Spider can Get onto a network, steal data, and in many cases deploy ransomware.
[15:07]
Cynthia Kaiser
Now, the research that you all have published about Scattered Spider, you mention that they're targeting business process outsourcing companies. Can you unpack that for us? Why would that be a target?
[15:20]
Dave Bittner
Sure. And it's more like what's old is new again. So back in 2023, scattered spider first compromised third party services company, you hear them called business process outsourcing providers, BPOs, and then they use that compromise to then attack major casinos. And while in 2024 we saw the group use other tactics, their recent tactics appear to use more of those old tricks. So their recent attacks against retail and likely insurance were facilitated in part by compromising these third party service companies think call centers or any other outsourcing processes that a company want to do. And what's interesting here is they're not just cyber intrusions. Some of their activities include insider recruitment at these providers. So identifying individual employees that may be in financial distress or otherwise vulnerable, and then either paying or coercing these employees to give Scattered Spider access to the provider. And you know, from my old days at the FBI to my new days here at Halcyon, I know I probably shouldn't find a lot shocking anymore, but when I really stop and think about it, it feels really crazy that we're talking about this kind of insider recruitment aspect among all the other technical aspects that we expect in a ransomware operation.
[16:51]
Cynthia Kaiser
Yeah, I mean, to put a fine point on that, your research mentions that they actually seek out employees who might be under financial or social stress.
[17:01]
Dave Bittner
Absolutely. They're going onto social media trying to identify those employees, and they're targeting these providers oftentimes that they believe may have less security or are newer on the scene and maybe don't have some of the controls in place. And to be clear, these are global outsourcing companies, not necessarily in the country where those attacks are happening, like the US Or Ukraine.
[17:29]
Cynthia Kaiser
Now, the research notes that Scattered Spider uses backup and file replication tools for data theft. Can you walk us through how they make use of those?
[17:39]
Dave Bittner
We see actually more often data theft in the cases of Scattered Spider intrusions than necessarily ransomware all the time. But it's all extortion. So scattered spiders going in, they're stealing data, they're stealing information from a company. And it's for really kind of two reasons. One is for extortion. Tell the company, hey, we have your data. We're not going to give it back unless you do X or we're going to sell it. But it's the sale of it also and the use of it that really helps facilitate Scattered Spiders financing and their future operations. Think about what it means to compromise an insurance provider. Think about the information that's there, that's present with those providers, whether that's personal data that you can use for identity theft or information about the networks and systems that are used by companies that are supported by that insurer. It's vast and it helps Scattered Spider try to identify how they may want to target other entities in the future.
[18:54]
Cynthia Kaiser
Can you give us some insights on how the group operates, like what the structure is of the group internally? Do we have any insights about that?
[19:04]
Dave Bittner
Yeah, it's decentralized, but also really tightly aligned group with really clear division of roles and responsibilities. So you'll almost kind of like a business. You have some leaders at the top, they're setting strategic direction, they're identifying where to go, what to do. But then you also have, they also are having junior affiliates or newcomers. And what they're trying to do is prove themselves. So they might be deploying off the shelf tools, testing detection thresholds, handling initial phishing, really doing some more of the low level work. To say, I can be a part of this group, I want to do more. And then you have kind of a lot of different entities in between. They may be seeking out and just recruiting people to do one part of their business. They're outsourcing too, and trying to figure out the most effective way to be able to do their really disruptive activities.
[20:11]
Cynthia Kaiser
I think one of the hallmarks of this group is they're going from sector to sector. You mentioned insurance, and it seems as though perhaps they targeted aviation. Is there something we can take from that? The fact that they're being deliberate?
[20:29]
Dave Bittner
Yes. So they oftentimes are focused on one sector, and that's a function of they've been able to get the access to that sector, maybe through a commonly shared business process, outsourcing provider. But they also like to rotate sectors so that their attacks come as a surprise and they're able to escape the heat that might come from either network, defense or law enforcement. So staying on a sector for just a period of time, compromising multiple entities and then moving on helps them to be more efficient, but then also not dwell too long so that people can take the necessary steps to counter this group that has shown itself to be pretty highly adaptive.
[21:27]
Cynthia Kaiser
What are your recommendations then for organizations to best defend themselves against this sort of adversary?
[21:35]
Dave Bittner
So I think that really depends about whether you're talking about Securing your systems for the future or are worried scattered Spider or similar groups are targeting your industry right now. So if your industry is currently being targeted, monitoring for spoof domains, suspicious login flows or cloned authentication pages, especially those mimicking help desk or HR communications are going to be critical, as is auditing access and activity from your outsourcing or managed service providers, especially device monitoring, privilege access use and insider risk reporting. But to protect your organization from future targeting, one of the hallmarks of Scatterspider really has been their ability to get around multifactor authentication. So eliminating voice and text based multi factor authentication and disabling legacy authentication protocols helps to prevent some of these types of attacks in the future. So instead of having that type of mfa, you really want to implement or enforce phishing resistant multi factor authentication. So something like number matching or hardware tokens and across having that with internal users and also your third party service accounts. And then finally identify whether you're using secure outsourcing providers. So providers with strong security measures often have insider reporting systems akin to bug bounties to detect and report suspicious activities. It is critical that providers also be willing to share logs and security incidents with their clients. And if they aren't willing to share that information, it may mean they're not adequately monitoring their system. So really making sure that you're using the strongest account controls possible and limiting the access you provide to your networks to only secure third party providers.
[23:43]
Cynthia Kaiser
We mentioned that we've seen scattered Spider, target insurance and aviation. Is there any sense for where they might be headed next?
[23:53]
Dave Bittner
I think that we believe they're likely to move towards manufacturing, food industry or even utility targets moving forward. And remember, they rotate across these industries. And so if you've been targeted in the past by these actors, don't be surprised that you may be targeted again in the near future.
[24:15]
Cynthia Kaiser
That's Cynthia Kaiser, Senior Vice President of the Ransom Research center at Halcyon. We'll have a link to her team's research in the show Notes. You hear from us here at the Cyberwire daily every single day now. We'd love to hear from you. Your voice can help shape the future of N2K networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy just use Indeed when it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed. Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first and it works. Sponsored Jobs on indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring. And here at N2K CyberWire, many of my colleagues here came to us through Indeed. Plus with Sponsored Jobs. There are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been Talking to you, 23 hires were made on Indeed according to Indeed Data Worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed and listeners to this show will get a $75 sponsored job credit. To get your jobs more visibility@indeed.com cyberwire just go to indeed.com cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com cyberwire terms and conditions apply. Hiring Indeed is all you need. Foreign is AI built for the enterprise soc, fully private schema free and capable of running in sensitive air gapped environments. Krogle autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context aware, auditable decisions aligned to your workflows. Krogle empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more@krogel.com that's C-R-O GL.com and finally, it's hard to imagine something more jarring than seeing Elmo, the cheerful red muppet who teaches kids about kindness, suddenly spewing racist and anti Semitic hate. But that's exactly what happened when his Verified X account was hacked over the weekend. For a brief but painful moment, the lovable Sesame street icon became an unwitting mouthpiece for vile, hateful rhetoric. The posts were quickly taken down and Sesame Workshop issued a statement expressing outrage and confirming the breach. Sadly, this incident is just another symptom of a broader crisis. Since Elon Musk took over X, the platform has become a breeding ground for hate speech. Even Grok X's own chatbot was caught parroting anti Semitic nonsense. All of this is unfolding against a disturbing backdrop. Antisemitic incidents in the US hit record highs in 2024. The digital and real world threats are converging, and not even Elmo is safe. One can't help wonder why Elmo and the rest of the Sesame street gang still maintain their verified accounts on X Twitter. At any rate, today's Cyberwire was brought to you by the number 404, but not, I repeat, not by the letter X. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of the summer. There's a link in the show notes. Please take a minute and check it out. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Iban. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Buying more tools won't make you more secure. Continually training your people will. In this episode, Cloud Range co founder and CEO Debbie Gordon shares how real world simulations are transforming readiness in 2025. Because your last line of defense isn't software, it's your team. Tune in now. Your stack depends on it.