Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com.

A joint advisory labels Fast Flux a national security threat. Europol shuts down a major international CSAM platform. Oracle verifies a data breach. A new attack targets Apache Tomcat servers. The Hunters International group pivots away from ransomware. Hackers target Juniper routers using default credentials. A controversy erupts over a critical CrushFTP vulnerability. Our guest is Johannes Ulrich, dean of research at the SANS Technology Institute. He unpacks Next.js. And abracadabra, alakazam: your credentials are gone.

It's Thursday, April 3, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief.

Thanks for joining us here today. It is great to have you with us. Fast Flux is a technique used by cybercriminals and nation state actors to evade detection by rapidly rotating DNS records and IP addresses linked to malicious domains. This tactic supports resilient command and control infrastructure and enables persistent malicious activity such as ransomware, phishing and botnets. Variants include single flux and double flux, changing DNS servers too, often supported by bulletproof hosting services. A joint advisory from the NSA, CISA, FBI and international partners warns of Fast Flux as a national security threat and urges ISPs and cybersecurity providers, especially protective DNS services, to develop detection and mitigation capabilities.
Recommended strategies include DNS analysis, anomaly detection, IP blocking, sinkholing, and threat intelligence sharing. Distinguishing malicious Fast Flux from legitimate services like CDNs remains a challenge. Organizations are encouraged to verify PDNS protections, train staff on phishing, and participate in collaborative defense efforts to reduce exposure to Fast Flux enabled cyber threats.

Meanwhile, speaking of CISA, House cybersecurity leaders criticize Trump era cuts to CISA, urging expanded responsibilities instead. Representative Andrew Garbarino wants CISA central to US cyber efforts, including reauthorizing the 2015 Cyber Info Sharing Law and extending a key grant program. He criticized cuts that harmed operations and signaled support for nominee Sean Plankey. Representative Eric Swalwell slammed chaotic firings as inefficient and backs legislation to formalize the Joint Cyber Defense Collaborative. Both aim to shield CISA from political attacks and ensure strong congressional support moving forward.

Europol announced the takedown of Kidflix, a major dark web child sexual abuse material platform, calling it the largest child exploitation operation in its history. The multi year effort led to 79 arrests so far, with 1,393 suspects identified and 39 children rescued. Over 39 countries participated in the investigation. Offenders used cryptocurrency to access the site, which hosted up to 91,000 videos, many previously unknown to law enforcement. German and Dutch authorities seized servers containing 72,000 videos. Users could earn access tokens by tagging content. Europol emphasized the real world harm behind the platform's operations, rejecting attempts to frame the case as a purely cyber issue. The platform had 1.8 million users, with over three new videos uploaded every hour. The investigation remains ongoing.
Elsewhere, a major data leak at GenNomis, an AI image generation platform by South Korea's AI-Nomis, exposed 47.8 gigabytes of sensitive data, including over 93,000 images, some appearing to depict underage individuals in explicit content. Discovered by researcher Jeremiah Fowler, the unsecured database also contained deepfakes of celebrities as children and user command logs. The platform, now offline, allowed face swapping and nude image generation. The incident raises alarm over AI misuse in creating non consensual explicit content, especially involving minors, prompting urgent calls for stricter safeguards and developer accountability.

Oracle has informed customers of a data breach involving stolen login credentials from a legacy system, Bloomberg reports. The breach, now under investigation by the FBI and CrowdStrike, is separate from another incident Oracle disclosed last month. The attacker reportedly tried to extort the company and began selling the stolen data online, though Oracle claims the compromised system hasn't been used in eight years. Some stolen credentials date back to 2024, raising concerns about lingering risks. Oracle has not publicly commented.

A new attack, dubbed Tomcat Campaign 25, is targeting Apache Tomcat servers with sophisticated encrypted malware designed for both Windows and Linux. Hackers use brute force methods to exploit weak credentials, quickly compromise servers, and deploy Java based web shells for persistent access. The malware steals SSH keys, enables lateral movement and hijacks resources for crypto mining. Notably, it hides payloads in fake 404 error pages and mimics kernel processes to evade detection. Researchers suggest links to Chinese speaking actors, though attribution remains uncertain.

Hunters International, a ransomware as a service group believed to be a rebrand of the defunct Hive gang, is shifting to exfiltration only attacks, according to threat firm Group-IB.
Active since late 2023, Hunters has targeted around 300 organizations, mostly in North America, with sectors like real estate, healthcare and energy most affected. The group offers affiliates tools to steal data, set ransoms and communicate with victims, keeping 80% of payments. Recently, Hunters stopped using ransom notes, instead contacting executives directly to pressure payment. Their affiliate panel includes storage software to manage and transmit stolen data. On January 1st of this year, Hunters launched a new project called World Leaks, aiming to abandon file encryption entirely, though it was paused due to infrastructure issues. Group-IB predicts other ransomware groups may follow suit, automating data theft and focusing purely on exfiltration to reduce risk and increase profitability.

SANS has reported a sharp rise in targeted scans exploiting default credentials in Juniper Networks' Session Smart Router platform. From March 23rd through the 28th, around 3,000 unique IPs attempted logins using default credentials. The campaign, likely linked to the Mirai botnet, aimed to compromise unpatched or improperly secured SSR devices for use in DDoS attacks. This surge followed Juniper's recent patch for a critical authentication bypass flaw. The activity dropped off abruptly, indicating a coordinated, automated effort.

A controversy has erupted over a critical CrushFTP vulnerability, now tracked with two CVEs. The flaw, disclosed on March 21, allows remote attackers to bypass authentication and gain admin access. While patches and workarounds were quickly released, a delay in issuing a CVE prompted VulnCheck to assign one independently without contacting CrushFTP or original discloser Outpost24, who had requested a CVE via MITRE on March 13. This led to confusion as the security industry began referencing VulnCheck's CVE. Exploitation began shortly after disclosure, with the Shadowserver Foundation observing widespread attacks.
Initially, 1,800 Internet exposed instances were vulnerable. Over 500 remain unpatched in the U.S. as of April 2. CrushFTP criticized firms for accelerating exploitation by sharing details too soon. Attackers' goals remain unclear, but the flaw could enable data theft or deeper intrusions. Outpost24 is awaiting MITRE's decision on the official CVE designation.

Coming up after the break, Johannes Ulrich, dean of research at the SANS Technology Institute, joins us to unpack Next.js. And abracadabra, alakazam, and poof: your credentials are gone. Stay with us.
Dave Bittner
Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Unknown
Are you frustrated with cyber risk scores backed by mysterious data, zero context and cloudy reasoning? Typical cyber ratings are ineffective and the true risk story is begging to be told. It's time to cut the BS. Black Kite believes in seeing the full picture with more than a score, one where companies have complete clarity in their third party cyber risk using reliable quantitative data. Make better decisions, reduce your uncertainty. Trust Black Kite.
Dave Bittner
And I am pleased to be joined once again by Johannes Ulrich. He is the Dean of Research at the SANS Technology Institute and also the host of the SANS ISC Stormcast podcast. Johannes, it's always great to have you back.
Johannes Ulrich
Yeah, it's great to be back.
Dave Bittner
I want to talk to you about something that you've been looking into lately. This is Next.js. There's some stuff to unpack here. Unpack it for me, please.
Johannes Ulrich
Yeah, so of course this was the big vulnerability here, that authentication bypass. But it's really a symptom of sort of a group of vulnerabilities that I see keep getting more and more. And it's not really just individual software that's the problem here. Like, it manifests itself in software like Next.js. It's a little bit more about how we architect some of these web applications.
Dave Bittner
Well, for folks who aren't familiar with it, can you explain to us what Next.js is and how it plays into this?
Johannes Ulrich
Yeah, so Next.js is a framework that makes it easy to create fancy web applications. To put it simply, the JS stands for JavaScript. It's sort of around that entire Node.js idea where you're creating code in JavaScript not just in the browser, but also on the back end. And Next.js provides you a bunch of functionality so you don't have to code the same thing over and over again; that's sort of what these frameworks are doing. They make it easy to create complex web applications.
Dave Bittner
So that all sounds good. What's the issue here?
Johannes Ulrich
Yeah, sometimes things are maybe a little bit too easy, or appear to be too easy. So what's happening here is, with these modern web applications, that traditionally, when you talk about a web application, you think about your browser sending a request to a server. The server runs some magic code and creates a response. That's not really what's happening in a modern web application. Instead of one server and one big piece of code creating the response, you have many web services that are essentially running on their own web server. Of course, the fancy serverless part comes in here, and each one of these web services does one little thing. So what was a problem here was that one component in your web application that's implemented with Next.js may take care of authorization. And then you have a proxy that looks at the request and says, oh, you want to go to the admin page, Dave, so I'll send you to my authorization server. It checks if it's really you, Dave, and then if you're an admin, then you can go on to do whatever admins are doing. The problem here was that because of the complexity of these systems, there's always a chance that you end up with loops. So your request is being authenticated, it's being passed on to the next step, to the admin API. And then for whatever reason, some bug or whatever, the admin API sends it back to the authorization service, and it could sort of go like forward and back forever. So, well, Next.js: we have a solution for you here. Whenever it goes through a component, let's just add the name of that component to a special header. And so now the service knows, okay, this already went through the authorization service, I don't have to send it back there again. But those headers, they can be created by the user. And rule number one in web applications: users are always evil. They're out there to get you.
Dave Bittner
Can I make a T shirt that says that? Sure.
Johannes Ulrich
So basically, now the user just tells, hey, my request already went through the authorization server. So trust me, it's me, it's Dave. And let me do whatever Dave wants to do. That was the problem here, that you have these headers that are being added by these middle boxes, and these headers are then implicitly trusted by other components. And they really don't have a good way to figure out if these headers are authentic, if they were actually added by the authorization server or if they were added by a user or some completely different process. Like I said, this is sort of a repeating pattern that I keep seeing, not just with Next.js but with a lot of different software.
Dave Bittner
So is this a fundamental flaw in the way these things are designed?
Johannes Ulrich
Yes, it's somewhat these very complex systems that probably the people who develop them no longer quite understand in some ways, and where they sometimes overlook some of these bypass methods, like how someone could bypass some of the front ends. I think recently one of the famous ones that I like the best, because I think it was outright funny in a weird web application security way, was Palo Alto. They actually added a header, X-PAN-AUTHCHECK: off, so you could just tell them, hey, don't bother actually checking the authentication of this particular request because I tell you so. Wow.
Dave Bittner
What could go wrong?
Johannes Ulrich
What could possibly go wrong? But the intent here was that the request was supposed to go through other components that basically add or remove that header, depending on where the request is going to. Some requests don't need authentication, so let's just turn it off for those requests. And that's sort of how this happens. And of course all of this gets really complex. There are so many headers, there are so many ways how proxies manipulate headers, how they remove, move them, add them, and that is really hard to get. And like I said, as the users are evil, developers actually usually are nice people. They're really nice and if you leave them in their cubicle and don't touch them. But they believe in standards, they believe in software actually complying with these standards, and that also often doesn't happen. And that then leads to some of these bypasses.
Dave Bittner
I see. Well, is this a fixable issue? Is this a configuration problem or are we best avoiding these sorts of things?
Johannes Ulrich
Well, I think it's fixable, if you really look at the system overall and really get back to basics. Every request needs to be authenticated, access controlled, input validated. Put something in the request that actually can be authenticated, like digital signatures. We have JWTs, these JSON Web Tokens, that provide some of that. Again, if you implement them correctly. That's always the big caveat here, and they're not always easy to implement correctly. But there are solutions. The solutions are complex, but learn how to use them.
Dave Bittner
Yeah, well, that's always the trick, isn't it? It keeps folks like you in business.
Johannes Ulrich
Yeah.
Dave Bittner
All right, Johannes Ulrich, thanks so much for joining us.
Johannes Ulrich
Thank you.
Dave Bittner
Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production, costing 10 times more to fix. OX Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the Application Security Benchmark from OX Security.

And finally, our Prestidigitation desk tells us a new cyber trick has hit the magic world. And no, it's not an illusion. Meet Abracadabra Stealer, the malware campaign targeting magicians, magic shop owners, and dedicated wand wielders worldwide. This cyber heist starts with emails promising exclusive trick tutorials or never before seen Houdini footage. It's a trap. Open the attachment and poof, your login credentials vanish faster than a coin behind an ear. Kaspersky researchers uncovered this act after magicians reported account breaches and disappearing proprietary tricks. Turns out the malware uses coded JavaScript and a touch of villainy to swipe browser data, log keystrokes, and snap screenshots during logins. It even hides like a stagehand, disguised as an Adobe update in your system registry. About 1,200 victims, mostly premium users and trick developers, have been hit since early this year. So if your magic act suddenly appears for sale on a sketchy forum, you've probably been Abracadabra'd.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
CyberWire Daily: The Invisible Force Fueling Cyber Chaos – April 3, 2025
Host: Dave Bittner | Guest: Johannes Ulrich, Dean of Research at the SANS Technology Institute
Introduction
In the April 3, 2025 episode of CyberWire Daily, hosted by Dave Bittner, the discussion delves into the myriad cybersecurity challenges shaping the digital landscape. Titled "The Invisible Force Fueling Cyber Chaos," the episode navigates through emerging threats, significant breaches, and evolving cyber tactics, offering listeners a comprehensive analysis of the current state of cybersecurity.
1. Fast Flux Techniques Emerging as a National Security Threat
The episode opens with an exploration of Fast Flux, a sophisticated technique employed by cybercriminals and nation-state actors to obscure malicious domains by rapidly rotating DNS records and IP addresses. This method enhances the resilience of command and control infrastructures, facilitating persistent malicious activities such as ransomware distribution, phishing schemes, and botnet operations.
A joint advisory from the NSA, CISA, FBI, and international partners underscores Fast Flux as a significant national security concern. The advisory emphasizes the urgency for Internet Service Providers (ISPs) and cybersecurity firms to bolster their detection and mitigation strategies. Dave Bittner cites a quote from the advisory:
"Fast Flux is a national security threat that requires immediate attention from ISPs and cybersecurity providers to develop robust detection and mitigation capabilities." (02:45)
Recommended Strategies:
- DNS analysis and anomaly detection
- IP blocking and sinkholing of identified Fast Flux infrastructure
- Threat intelligence sharing between ISPs, Protective DNS providers and defenders
The discussion highlights the challenge of differentiating malicious Fast Flux activities from legitimate services like Content Delivery Networks (CDNs), urging organizations to enhance their Protective DNS (PDNS) measures and engage in collaborative defense initiatives.
2. CISA Funding and Its Crucial Role in US Cybersecurity
Shifting focus to national cybersecurity infrastructure, the episode scrutinizes the recent criticisms aimed at CISA (Cybersecurity and Infrastructure Security Agency) stemming from budget cuts during the Trump administration. Representatives Andrew Garbarino and Eric Swalwell advocate for expanded responsibilities and increased funding for CISA to strengthen the United States' cyber defense mechanisms.
Garbarino emphasized:
"We need CISA Central to lead US cyber efforts, reauthorize the Cyber Info Sharing Law, and extend key grant programs to ensure robust protection against cyber threats." (05:30)
Swalwell echoed the sentiment, criticizing chaotic firings and supporting legislation to stabilize and formalize joint cyber defense collaborations. The overarching goal is to shield CISA from political turmoil and reinforce congressional support to enhance its operational effectiveness.
3. Europol's Landmark Takedown of Kidflix
A significant cybersecurity victory highlighted in the episode is Europol's dismantling of Kidflix, heralded as the largest dark web platform for child sexual abuse material (CSAM). This multi-year investigation resulted in 79 arrests across 39 countries and the rescue of 39 minors.
Key Points:
- 1,393 suspects have been identified so far, in addition to the 79 arrests
- Offenders paid in cryptocurrency to access the site, which hosted up to 91,000 videos, many previously unknown to law enforcement
- German and Dutch authorities seized servers holding 72,000 videos
- Users could earn access tokens by tagging content
- The platform had 1.8 million users, with over three new videos uploaded every hour
Europol stated:
"The takedown of Kidflix underscores the commitment to combat real-world harms facilitated through cyber platforms." (07:15)
The investigation remains active, with ongoing efforts to dismantle remaining infrastructure and prosecute involved individuals.
4. AI Nomis Data Leak Raises Alarms Over AI Misuse
The episode addresses a critical data breach at AI Nomis, a South Korean AI image generation platform, which leaked 47.8 gigabytes of sensitive data, including over 93,000 images. Alarming content included depictions of minors in explicit scenarios and deepfake images of celebrities.
Key Concerns:
- The unsecured database, discovered by researcher Jeremiah Fowler, also held deepfakes of celebrities as children and user command logs
- The platform, now offline, allowed face swapping and nude image generation
- The incident illustrates AI misuse in creating non-consensual explicit content, especially involving minors
The breach sparks urgent calls for stricter safeguards and accountability measures for developers to prevent AI misuse and protect vulnerable populations from exploitation.
5. Oracle Reports Data Breach Amidst Ongoing Investigations
Oracle disclosed a data breach involving the theft of login credentials from a legacy system, separate from a previous incident reported last month. The breach, which has attracted attention from the FBI and CrowdStrike, involves credentials dating back to 2024, heightening concerns over prolonged vulnerabilities.
Highlights:
- The attacker reportedly tried to extort the company and began selling the stolen data online
- Oracle claims the compromised system has not been used in eight years, yet some of the stolen credentials date back to 2024
- Oracle has not publicly commented
This incident underscores the persistent risks associated with legacy systems and the importance of vigilant cybersecurity practices to safeguard sensitive credentials.
6. New Apache Tomcat Attack: Tomcat Campaign 25 Unveiled
A newly identified attack vector, Tomcat Campaign 25, is targeting Apache Tomcat servers through the deployment of sophisticated, encrypted malware compatible with both Windows and Linux systems. Attackers exploit weak credentials using brute force methods, compromising servers to deploy Java-based web shells for sustained access.
Attack Characteristics:
- The malware steals SSH keys, enables lateral movement and hijacks resources for crypto mining
- Payloads are hidden in fake 404 error pages, and the malware mimics kernel processes to evade detection
- Researchers suggest links to Chinese-speaking actors, though attribution remains uncertain
Researchers recommend enhancing server security measures, including robust credential practices and advanced malware detection systems to mitigate such threats.
7. Hunters International Group Shifts Away from Ransomware
The episode examines the strategic pivot of Hunters International Group, a ransomware-as-a-service (RaaS) entity previously associated with the Hive Gang. Transitioning to exfiltration-only attacks, Hunters focuses on data theft without employing encryption, aiming to streamline operations and reduce associated risks.
Notable Developments:
- Active since late 2023, Hunters has targeted around 300 organizations, mostly in North America, with real estate, healthcare and energy most affected
- Affiliates receive tools to steal data, set ransoms and communicate with victims, keeping 80% of payments
- Hunters has stopped using ransom notes, instead contacting executives directly to pressure payment
- On January 1st the group launched World Leaks, a project intended to abandon file encryption entirely, since paused due to infrastructure issues
Group IB anticipates other ransomware groups may emulate Hunters' model, automating data theft processes to enhance profitability and minimize exposure.
8. Surge in Juniper Routers Exploitation via Default Credentials
A concerning rise in exploitation attempts targeting Juniper Networks' Session Smart Router (SSR) platform has been reported. Between March 23rd and 28th, approximately 3,000 unique IPs attempted logins using default credentials, likely associated with the Mirai botnet's resurgence.
Attack Details:
- The campaign aimed to compromise unpatched or improperly secured SSR devices for use in DDoS attacks
- The surge followed Juniper's recent patch for a critical authentication bypass flaw
- Activity dropped off abruptly, indicating a coordinated, automated effort
The episode underscores the imperative for organizations to promptly update and secure network infrastructure to thwart such large-scale exploitation attempts.
9. Controversy Over CrushFTP Vulnerability CVE Delay
A heated debate surfaces around a critical vulnerability in CrushFTP, which permits remote attackers to bypass authentication and gain administrative access. The disclosure on March 21 led to confusion due to a delayed Common Vulnerabilities and Exposures (CVE) assignment.
Key Issues:
- The flaw is now tracked under two CVEs; patches and workarounds were released quickly
- VulnCheck assigned a CVE independently without contacting CrushFTP or original discloser Outpost24, who had requested one via MITRE on March 13
- Exploitation began shortly after disclosure, with the Shadowserver Foundation observing widespread attacks; of 1,800 initially exposed instances, over 500 in the U.S. remained unpatched as of April 2
- CrushFTP criticized firms for accelerating exploitation by sharing details too soon
Outpost24 awaits MITRE's official CVE designation, highlighting the critical balance between timely vulnerability disclosure and the potential risks of rapid exploitation.
10. In-Depth Analysis: Next JS Vulnerabilities with Johannes Ulrich
The latter portion of the episode features an insightful conversation with Johannes Ulrich, Dean of Research at the SANS Technology Institute, focusing on vulnerabilities within Next JS, a popular JavaScript framework for building web applications.
Discussion Highlights:
Complexity of Modern Web Architectures: Johannes explains how Next JS facilitates sophisticated web applications by enabling seamless JavaScript execution on both client and server sides. However, this complexity introduces potential security loopholes.
"It's not really just individual software that's the problem here. It's more about how we architect some of these web applications." (13:56)
Authentication Bypasses: The conversation delves into a recent authentication bypass vulnerability, where malicious actors exploit headers manipulated by users to bypass authorization checks.
"Users are always evil. They're out there to get you." (17:28)
System Loops and Header Manipulation: Johannes elaborates on how intertwined components in web applications can inadvertently create loops, allowing unauthorized access through manipulated headers.
"These headers can be created by the user... there is a repeating pattern that I keep seeing, not just with Next JS but with a lot of different software." (17:28)
Mitigation Strategies: Emphasizing a return to foundational security practices, Johannes advocates for robust authentication mechanisms, such as digital signatures and JSON Web Tokens (JWTs), implemented correctly to prevent exploitation.
"Every request needs to be authenticated, access controlled, input validated... learn how to use [JWTs] correctly." (20:14)
The discussion underscores the necessity for developers to prioritize security in complex web architectures, ensuring that authentication and authorization processes are airtight to thwart potential breaches.
Conclusion
The April 3rd episode of CyberWire Daily offers a comprehensive overview of pressing cybersecurity issues, from sophisticated evasion techniques like Fast Flux to significant data breaches and evolving ransomware strategies. The in-depth conversation with Johannes Ulrich provides valuable insights into the vulnerabilities inherent in modern web frameworks, emphasizing the critical need for robust security architectures.
Key Takeaways:
- Fast Flux detection depends on DNS analysis and Protective DNS, together with collaboration to separate malicious rotation from legitimate CDN behaviour
- Legacy systems, weak or default credentials and exposed services (Oracle, Tomcat, Juniper SSR, CrushFTP) remain primary entry points
- Headers added by proxies or middleware must never be implicitly trusted; every request needs authentication, access control and input validation
Staying informed and adaptable remains essential in navigating the ever-evolving cyber landscape, ensuring that both individuals and organizations can safeguard their digital assets against persistent and emerging threats.
For more detailed insights and daily cybersecurity news, visit CyberWire Daily.