Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic Identity Threat Protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.

President Trump signs the Take It Down Act into law. A UK grocer logistics firm gets hit by ransomware. Researchers discover Trojanized versions of the KeePass password manager. Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws. A new campaign uses SEO poisoning to deliver Bumblebee malware. A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials. CISA adds six actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog. A bipartisan bill aims to strengthen the shrinking federal cybersecurity workforce. Our guest is Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, sharing insights on the 2025 DBIR. And DOGE downsizes and the UAE recruits.

It's Tuesday, May 20, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us.

President Trump has signed the Take It Down Act into law, criminalizing the distribution of non-consensual intimate images, including AI-generated deepfakes. The law mandates that social media platforms remove such content within 48 hours of notification and gives the FTC enforcement power. Violators face up to three years in prison and fines. While tech companies and some advocacy groups supported the law, others, like the Cyber Civil Rights Initiative and the Electronic Frontier Foundation, warn it could harm victims and chill free expression. Critics fear the takedown process is vague and could be abused, especially under a politically charged FTC. Trump even hinted at using the law to protect himself from online criticism, adding to concerns about selective enforcement and legal overreach.

Peter Green Chilled, a UK logistics firm supplying major grocers like Tesco and Aldi, was hit by a ransomware attack last week, halting order processing but not affecting transport. The firm is working around the disruption and updating clients regularly. This attack adds to a growing pattern targeting the UK's food sector. Recent victims include Marks & Spencer, Co-op and Harrods, all of which faced system outages from ransomware. Cybersecurity experts warn that the cold chain's tight delivery schedules and complexity make it a prime target. These attacks risk not just operations but also food waste and financial fraud through compromised communications. The Cold Chain Federation notes a surge in unreported incidents, while security firms say threat activity is only accelerating, putting the entire food supply chain at ongoing risk.

Threat actors have been using Trojanized versions of the KeePass password manager to infiltrate networks and launch ransomware attacks. The campaign, active for at least eight months, was uncovered by WithSecure during a ransomware investigation. Attackers altered KeePass's open-source code to create KeeLoader, a version that functions normally but secretly installs a Cobalt Strike beacon and exports users' password databases in cleartext. Distribution occurred through malicious Bing ads and fake software sites with domains mimicking KeePass's name. The beacons used carry watermarks tied to a known initial access broker linked to Black Basta ransomware operations. Some variants of KeeLoader were even signed with legitimate certificates. One such domain remains active, still pushing the Trojanized installer, raising concerns about continued exposure.

Researchers from CISA and NIST have introduced a new metric called Likely Exploited Vulnerabilities to better predict which software flaws are being actively exploited. Developed by Peter Mell from NIST and Jonathan Spring from CISA, LEV uses equations that combine data from the Exploit Prediction Scoring System, Known Exploited Vulnerabilities lists, and key dates tied to each vulnerability. The goal is to improve patch prioritization by estimating the probability that a flaw has been exploited. Unlike KEV or EPSS alone, which can be incomplete or inaccurate, LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked. It can also gauge how comprehensive KEV lists really are. NIST is now seeking industry partners to test and refine LEV with real-world data.

A new malware campaign using SEO poisoning on Microsoft Bing is delivering Bumblebee malware by luring users searching for technical software. Discovered in May by Cyjax researchers, the campaign targets IT professionals and developers by spoofing download sites for tools like WinMTR and Milestone XProtect. Threat actors registered typo-squatted domains, hosting them on the same server as Nairobi. When users download from these sites, a malicious installer delivers both the legitimate app and the Bumblebee malware, using stealthy techniques to evade detection. Bumblebee, linked to ransomware groups like Conti, connects to multiple command and control servers via the .life domain. This shift from targeting common software to niche technical tools signals a strategic focus on high-value targets with elevated system access.

A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials, exploiting workplace urgency and trust. Victims receive emails mimicking real Zoom notifications, complete with company branding and a fake video of participants, prompting users to enter login details on a spoofed meeting page. These fake sites use subtly altered domain names to appear legitimate, researchers note. The use of personalized URLs suggests attackers may be leveraging leaked data to tailor emails, increasing believability. Stolen credentials are likely exfiltrated via compromised APIs or messaging services, potentially granting access to broader corporate systems. Experts warn this targeted approach is more dangerous than generic phishing and recommend verifying unexpected invites, enabling multi-factor authentication, and using email security tools and user awareness training to defend against such threats.

CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. These include flaws in Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration Suite and ZKTeco BioTime. Federal agencies must remediate these issues by the set deadlines. CISA urges all organizations to prioritize patching KEV-listed vulnerabilities to reduce exposure to cyber threats.

A new bipartisan bill, the Federal Cyber Workforce Training Act, aims to strengthen the shrinking federal cybersecurity workforce. Introduced by Representatives Pat Fallon, Republican from Texas, and Marcy Kaptur, Democrat from Ohio, the bill tasks the National Cyber Director with creating a centralized training center focused on hands-on, role-specific onboarding. The initiative would target entry-level and transitioning workers while also developing modules for HR staff to improve recruitment and hiring. The curriculum would be crafted in coordination with DHS and DoD. Lawmakers say the effort is in response to ongoing challenges in federal cyber hiring, worsened under the Trump administration by workforce cuts, hiring freezes and program disruptions. Critics like Representative Eric Swalwell warn these actions have had long-term effects on recruitment, especially following layoffs at CISA. The bill seeks to reverse these trends by creating sustainable cyber career paths and raising training standards across federal agencies.

Coming up after the break, Chris Novak from Verizon shares insights on the 2025 DBIR. And DOGE downsizes and the UAE recruits. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta, GRC: how much easier trust can be. Get started at vanta.com/cyber.

Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire.

Chris Novak is Vice President of Global Cybersecurity Solutions at Verizon, and I recently caught up with him for insights on the 2025 DBIR.

Well, Chris, it is always a treat for me to be able to catch up with you, it seems on an annual basis, to talk about the Verizon DBIR as it comes out every year. So welcome back.
Chris Novak
Thank you. It's always a pleasure to be here. Dave, thanks.
Dave Bittner
For folks who may not be familiar with the report, what's the premise? What prompts the creation of this report year after year?
Chris Novak
Absolutely, yeah. So it's interesting because we've been putting the report together now for, believe it or not, 18 years. So hopefully everyone out there has seen and heard of it. But the premise of it was, you know, way back in the beginning, people didn't speak about data breaches. It was a taboo thing. You know, everybody, everybody knew everybody was having them, but nobody admitted to them. And now, you know, I think that that landscape has changed a little bit. But the key here behind the report has always been how do we take a data and evidence driven approach to understanding, you know, how data breaches happen, who they're happening to, why they're happening, and most importantly and you know, I draw a lot of analogies to healthcare is how do we learn from what's happening in the world to understand what controls we need to put in place, what education needs to improve, such that we can ultimately mitigate and reduce the amount or the consequences or the impacts of these kind of data breaches.
Dave Bittner
Well, given where we find ourselves in this world today, were there any specific approaches that you and your colleagues took as you embarked on this year's DBIR?
Chris Novak
I think probably some of the biggest ones are the report has gotten even more global than it has been in the past, which I think sometimes people may sometimes think that Verizon, they think of it as being a very US organization based on where we're headquartered. The reality of it is we have nearly 100 data contributors to the report, all providing evidence and data to describe the various incidents and data breaches that happen. And the report has gotten even bigger in terms of the data corpus this year. So now we're up to, you know, covering 139 victim countries, over 22,000 incidents and over 12,000 data breaches. So it's one of the biggest, if not the biggest data corpus that we've ever had in doing the analysis, which allows us to draw, you know, not to say that the numbers being bigger means the situation's necessarily worse. I look at it more as the numbers being bigger means we have more data to draw better conclusions from.
Dave Bittner
Well, let's dig into some of the key findings together here. What are some of the things that caught your eye?
Chris Novak
One of the big things that really jumped out at us, it was pretty alarming, was the increase in exploitation of vulnerabilities as an initial access step for these data breaches. It grew by 34% and now accounts for 20% of all the data breaches in the data set, which is, I think, very significant, when you see it kind of creeping up on the heels of things like credential abuse, which we've seen time and time again play a major role in data breaches. It's responsible for about 22%; exploitation of vulnerabilities now makes up 20. So you see there that there's a lot of zero days, for example, being exploited as a mechanism of getting in. And also a lot of what we saw, which was really interesting, was a lot of those vulnerabilities were tied to perimeter devices. So I think we often think that, well, we'll take the information and the systems and the applications that are most important and put them behind firewalls and VPN devices. Think of them as behind the big castle walls. And now what we're finding is a lot of the zero day and other vulnerabilities that have been exploited have been in those perimeter devices. So now that big hard castle wall we thought we had in front of our sensitive data and applications, it's got some zero day holes in it, which is allowing the threat actors to get past it and get ultimately access to kind of that soft, chewy middle.
Dave Bittner
Hmm. Can we touch on ransomware here? I mean, I think in my mind at least recently there's been sort of mixed messages on the ransomware front with, you know, maybe people are paying less. What sort of information did you all gather when it comes to that?
Chris Novak
So ransomware is still alive and well, unfortunately. So we've seen a, still yet again an increase. So this year's report shows a 37% increase from last year in ransomware events. What's interesting is, you know, it was present in about 44% of all breaches, which is up from 32% last year. What's interesting is if you look at it and split the demographics of large businesses and organizations and your small and medium, there's a very outsized role that it plays in more of the small and medium sized businesses. So it actually makes up about 88% in that SMB market, which tells us that the threat actors, and kind of like we probably always thought or assumed, they're mostly after financial gain and they'll get it from wherever they can. And if the larger organizations are doing, I'd say arguably a better job in terms of maturing, implementing controls, what ends up happening is it puts pressure on the SMB market that maybe has not yet caught up or has not implemented those controls. The threat actors go where sometimes there's just that weakest link and, and that may be in that SMB market. And so a lot of that is being hit with these ransomware events. And unfortunately, many of them not being well prepared to handle it, are in a position of, well, they either have to pay or, you know, some part of their business becomes, you know, not, not operational. And you know, to, to your earlier point around paying, we've actually seen overall the entire data set, there's actually been a pretty significant shift. So if you look back two years ago, it was about 50, 50 in terms of organizations that paid the ransom versus those that didn't. This year what we found was it's actually now a bigger split and 64% of the victim organizations did not pay the ransom. 
So I'd say arguably that's a little bit of an improvement in the sense that if they're not having to pay or paying, that generally means that they've got more robust controls, resiliency measures in place to be able to recover from the event without actually having the payment be the vehicle to do so.
Dave Bittner
That's an interesting insight. You know, we can't go through a report like this without mentioning generative AI. What were some of the data points that you all gathered there?
Chris Novak
Generative AI. Never heard of it. What is it?
Dave Bittner
Sorry, I'm sorry, we just finished RSA conference. I meant to say agentic AI.
Chris Novak
There you go. So generative AI is also one of those things that is interesting, because in last year's report we were like, what should we say about generative AI? What does the data tell us? And this year's report, while it's interesting in that generative AI definitely plays a role, the area that we see it most often causing problems from a threat actor perspective, in terms of where they're using it, still tends to be around the use of social engineering. They're using it to craft phishing and smishing types of attacks. Interestingly enough though, the large majority of what we see happening from a gen AI or agentic or whatever AI flavor is the one you want to discuss, the majority of it is, I would say, self-inflicted. And what I mean by that is more organizations are still finding that it's their internal use, misuse, lack of appropriate governance or controls that's getting them in more trouble with AI than the threat actors using it against them. Generally speaking, what we find is when we looked across all the different entities out there, we saw that, for example, a big thing that stood out is people using AI on their personal devices as a way to get around corporate controls. And then they will use that to upload corporate data, to pick your platform of flavor, to upload corporate data to a GenAI platform and say, share back insights with me, crunch this data for me, tell me what I don't know about this. And as a result, obviously it exposes corporate trade secrets and intellectual property. And obviously that, again, the example is kind of self-inflicted. And then the other areas where we still see a lot of issues is organizations that are kind of trying to roll their own gen AI or agentic AI platforms internally, but maybe struggling to tie it in with things like identity and access management and authorization privileges, or even just generally doing things like penetration testing to understand where there may be vulnerabilities and holes.
The amount of times we get calls into our hotline asking for help because someone had built a platform. I'll give you a perfect example of one where an organization had built a platform for their internal use for HR purposes. And they said, look, we're going to load all of our HR data into this platform and allow it to be the first path for employees to get HR assistance rather than having to reach out to a person each time they can ask a question to this platform and if it doesn't have the answer, then they go to an actual HR rep. But what ended up happening was they had not figured in the security controls and authorization and access rights. So anybody could ask the platform anything, including tell me who the highest paid person in the company is. How much does Bob or Nancy make?
Dave Bittner
Yeah, I was just thinking of. Boy, I was a half step. I'm with you. Wow. Yeah. Who could have predicted that, Chris?
Chris Novak
Right. And just imagine where that goes from here. So that's why I say a lot of what we see right now is a lot of self-inflicted things like that. Organizations struggling to manage it and people finding other creative ways. And I think what's also interesting is people are now growing more and more used to using generative AI and the various flavors of it in their personal life. They think nothing of just pulling up a ChatGPT or a Gemini on their mobile phone to ask a question. And so they expect, look, if I can do this with this kind of ease in my everyday personal life, I should be able to do this at work too. And that obviously doesn't necessarily translate. It isn't necessarily secured or monitored by the organization. And so there's a lot of kind of unintended consequences or unmonitored risks there.
Dave Bittner
As you all are tracking the trends from this year's report, what sorts of things do you think organizations should be aware of as we're heading into the second half of 2025 and beyond?
Chris Novak
So I'd say one, one thing that I would call out is around third party risk. We saw that third party risk increased dramatically year over year. So it actually doubled from to 30%. And the reason why I call that out is third party supply chain. Especially with kind of the geopolitical landscape being kind of particularly frothy right now. Everybody's got a third party and you probably have third parties of third parties. And so the thing that we're encouraging a lot of organizations to look at is not just what you see in the report here which highlights this challenge, but what is it that you're doing in your own organization, when did you last evaluate what your third party ecosystem looks like and how well do you understand what their third party ecosystem looks like? Are you doing things like, you know, cyber risk quantification, for example, as a way to kind of understand not just what your risks are, but how do you prioritize the approach to them? Because we continue, you know, for example, the zero day vulnerabilities. A lot of organizations are struggling to keep up with the rate and the pace in which they're uncovering these. And now it becomes an important element to figure out, okay, if I can't do it all right now, I can't solve all my problems today. I need to have a really kind of smart and science based approach towards prioritization of how I tackle them. So I'd encourage organizations to very much look into that if they're not already doing it.
Dave Bittner
That's Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon. We'll have a link to the DBIR in our show notes.

And finally, Kim Zetter's Zero Day reveals a potentially troubling new development as the UAE seeks to recruit former members of the Pentagon's Defense Digital Service who recently resigned in protest over interference from the Department of Government Efficiency. Brigadier General Musalam Al Rashidi, representing the UAE's military, offered the entire DDS team jobs in Abu Dhabi to help build an AI unit for the UAE's Ministry of Defense. While the outreach came through official US defense channels, the general's involvement with Analog AI, a firm linked to the controversial Emirati company G42, raises serious red flags. G42 has been under scrutiny for its ties to the Chinese government and military. Intelligence officials warn that hiring US cyber talent could inadvertently transfer sensitive expertise or dual-use technologies to foreign powers like China. These risks are compounded by past instances where US cyber operatives recruited by Emirati firms unknowingly engaged in surveillance and offensive hacking operations against US allies and dissidents. Though none of the DDS workers have so far accepted the UAE's offer, they say this effort reflects a larger threat: the US is shedding top-tier cyber talent, and foreign governments are eager to scoop them up. As one former DDS staffer warned, losing these experts not only weakens America's cyber posture, it opens the door to our adversaries.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey, everybody. Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily: Episode Summary – "The Take It Down Act Walks a Fine Line"
Release Date: May 20, 2025
Host/Author: N2K Networks
In this episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity developments, including significant legislative changes, escalating ransomware attacks, sophisticated malware campaigns, and critical updates from cybersecurity authorities. The episode also features an insightful interview with Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, who provides an in-depth analysis of the 2025 Verizon Data Breach Investigations Report (DBIR) and discusses emerging trends in the cybersecurity landscape.
President Trump Signs the Take It Down Act into Law
President Donald Trump has officially signed the Take It Down Act into law, marking a significant step towards combating the distribution of non-consensual intimate images and AI-generated deepfakes. The legislation mandates that social media platforms remove such content within 48 hours of notification and grants the Federal Trade Commission (FTC) enhanced enforcement powers.
Key Provisions:
- Social media platforms must remove reported non-consensual intimate images, including AI-generated deepfakes, within 48 hours of notification.
- The FTC is given enforcement power over the takedown process.
- Violators face up to three years in prison and fines.
Controversies and Criticisms: While the law has garnered support from various tech companies and advocacy groups, it faces opposition from organizations like the Cyber Civil Rights Initiative and the Electronic Frontier Foundation. Critics argue that the law's vague definitions could lead to potential abuse, impacting victims and stifling free expression. Concerns are further amplified by President Trump's insinuations about using the law to shield himself from online criticism, raising fears of selective enforcement and legal overreach.
Notable Quote:
"The law mandates that social media platforms remove such content within 48 hours of notification and gives the FTC enforcement power," explains Dave Bittner [02:30].
UK Grocer’s Logistics Firm Hit by Ransomware
A prominent UK logistics firm, supplying major grocery chains like Tesco and Aldi, fell victim to a ransomware attack last week. The incident disrupted order processing operations but did not impact the transportation segment. The company is actively managing the disruption and maintaining regular updates with its clients.
Industry Impact: This attack is part of a burgeoning trend targeting the UK's food sector. Recent ransomware incidents have impacted major retailers such as Marks & Spencer, Co-op, and Harrods, all experiencing system outages. Cybersecurity experts highlight the vulnerability of the cold chain's stringent delivery schedules and complex operations, which are attractive targets for threat actors.
Consequences:
- Order processing at the logistics firm was halted, though transport was not affected.
- The cold chain's tight delivery schedules make food waste a direct risk of any outage.
- Compromised communications open the door to financial fraud.
- The Cold Chain Federation reports a surge in unreported incidents across the sector.
Notable Quote:
"These attacks risk not just operations but also food waste and financial fraud through compromised communications," states Dave Bittner [04:10].
Researchers Uncover Trojanized Versions of KeePass
Security researchers have identified malicious versions of the popular KeePass password manager, dubbed KeeLoader, which covertly install a Cobalt Strike beacon and exfiltrate password databases in cleartext. This sophisticated campaign, active for at least eight months, spreads through malicious Bing ads and counterfeit software websites that mimic KeePass's domain.
Attack Mechanism:
- Attackers modified KeePass's open-source code to build KeeLoader, which behaves like the real application while installing a Cobalt Strike beacon and exporting users' password databases in cleartext.
- Distribution relied on malicious Bing ads and fake software sites on domains mimicking KeePass's name.
- Some variants were signed with legitimate code-signing certificates.
- Watermarks on the beacons tie the activity to a known initial access broker linked to Black Basta ransomware operations.
- WithSecure uncovered the campaign during a ransomware investigation.
Ongoing Threat: One malicious domain remains active, continuing to distribute the KeeLoader installer, posing a persistent threat to users.
Notable Quote:
"Distribution occurred through malicious Bing ads and fake software sites with domains mimicking KeePass's name," explains Dave Bittner [06:15].
CISA and NIST Introduce LEV Metric
Researchers from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have developed a new metric, Likely Exploited Vulnerabilities (LEV), aimed at enhancing the prediction of actively exploited software flaws.
Components of LEV:
- Exploit Prediction Scoring System (EPSS) data.
- Known Exploited Vulnerabilities (KEV) lists.
- Key dates tied to each vulnerability.
- Equations combining these inputs to estimate the probability that a flaw has already been exploited; the same estimate can be used to gauge how comprehensive a KEV list is.
The metric was developed by Peter Mell (NIST) and Jonathan Spring (CISA).
Future Initiatives: NIST is seeking industry partners to test and refine the LEV metric using real-world data, aiming to provide a more comprehensive tool for cybersecurity professionals.
Notable Quote:
"LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked," notes Dave Bittner [07:50].
SEO Poisoning Delivers Bumblebee Malware
A newly discovered malware campaign employs SEO Poisoning tactics on Microsoft Bing to distribute the Bumblebee malware, specifically targeting IT professionals and developers. The attackers create typo-squatted domains resembling legitimate software tools like WinMTR and Milestone XProtect, hosting malicious installers alongside the legitimate applications.
Characteristics of the Campaign:
- Discovered in May by Cyjax researchers.
- Typo-squatted domains spoof download sites for tools such as WinMTR and Milestone XProtect.
- The malicious installer delivers the legitimate application alongside Bumblebee, using stealthy techniques to evade detection.
- Bumblebee, linked to ransomware groups such as Conti, connects to multiple command-and-control servers.
Strategic Shift: This campaign signifies a move from targeting widely-used software to focusing on niche technical tools, aiming at high-value targets with elevated system access.
Notable Quote:
"This shift from targeting common software to niche technical tools signals a strategic focus on high-value targets," comments Dave Bittner [09:30].
Phishing Campaign Mimics Zoom Invites
A sophisticated phishing campaign is impersonating Zoom meeting invitations to harvest user credentials. These deceptive emails replicate legitimate Zoom notifications, complete with authentic company branding and falsified video previews of participants, persuading users to enter their login details on spoofed meeting pages.
Attack Techniques:
- Emails mimic real Zoom notifications, complete with company branding.
- A fake video of meeting participants prompts the user to enter credentials on a spoofed meeting page.
- Subtly altered domain names make the spoofed sites appear legitimate.
- Personalized URLs suggest leaked data is being used to tailor the emails.
- Stolen credentials are likely exfiltrated via compromised APIs or messaging services.
Recommendations for Defense: Experts advise verifying unexpected meeting invitations, enabling multi-factor authentication (MFA), utilizing advanced email security tools, and conducting regular user awareness training to mitigate such threats.
Notable Quote:
"The use of personalized URLs suggests attackers may be leveraging leaked data to tailor emails and increase believability," states Dave Bittner [11:00].
CISA Expands Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has incorporated six additional actively exploited vulnerabilities into its Known Exploited Vulnerabilities (KEV) Catalog. These include flaws in:
- Ivanti EPMM
- MDaemon Email Server
- Srimax Output Messenger
- Zimbra Collaboration Suite
- ZKTeco BioTime
Implications for Federal Agencies: Federal entities are mandated to remediate these vulnerabilities by specified deadlines. CISA emphasizes the critical importance of prioritizing the patching of KEV-listed vulnerabilities to mitigate exposure to ongoing cyber threats.
Notable Quote:
"Federal agencies must remediate these issues by the set deadlines," emphasizes Dave Bittner [12:20].
Bipartisan Bill Aims to Bolster Federal Cybersecurity Workforce
The Federal Cyber Workforce Training Act, a bipartisan initiative introduced by Representatives Pat Fallon (R-Texas) and Marcy Kaptur (D-Ohio), seeks to address the diminishing federal cybersecurity workforce. The bill assigns the National Cyber Director the responsibility of establishing a centralized training center focused on hands-on, role-specific onboarding.
Key Features:
- A centralized training center, run by the National Cyber Director, focused on hands-on, role-specific onboarding.
- A focus on entry-level and transitioning workers.
- Training modules for HR staff to improve recruitment and hiring.
- A curriculum developed in coordination with DHS and DoD.
Criticisms and Support: While the bill garners support for its intent to create sustainable cyber career paths and elevate training standards, some critics, like Representative Eric Swalwell, highlight the long-term recruitment challenges exacerbated by past layoffs at CISA.
Notable Quote:
"The bill seeks to reverse these trends by creating sustainable cyber career paths and raising training standards across federal agencies," explains Dave Bittner [13:00].
Overview of the DBIR
Chris Novak, VP of Global Cybersecurity Solutions at Verizon, discusses the 2025 Verizon Data Breach Investigations Report (DBIR). The report, now in its 18th year, provides a comprehensive, data-driven analysis of data breaches, focusing on how they occur, their targets, and mitigation strategies.
Notable Quote:
"The key behind the report has always been how do we take a data and evidence-driven approach to understanding how data breaches happen," Chris Novak explains [13:42].
Expansion and Depth of the Report
This year's DBIR has expanded globally, incorporating data from nearly 100 contributors across 139 countries, encompassing over 22,000 incidents and 12,000 data breaches. This extensive dataset allows for more nuanced and accurate conclusions.
Notable Quote:
"The report has gotten even more global... covering 139 victim countries, over 22,000 incidents and over 12,000 data breaches," Novak notes [14:47].
Key Findings: Vulnerability Exploitation and Ransomware
Increase in Vulnerability Exploitation:
Notable Quote:
"A lot of the zero days and other vulnerabilities that have been exploited have been in those perimeter devices," Novak highlights [15:49].
Ransomware Trends:
Notable Quote:
"64% of the victim organizations did not pay the ransom," Novak observes [18:00].
Generative AI and Cybersecurity
Threat actors' use of generative AI is still evolving. While they leverage it primarily for social engineering, the report finds that most AI-related security issues are self-inflicted, stemming from inadequate governance and controls within organizations.
Notable Quote:
"A lot of what we see right now is a lot of self-inflicted things," Novak explains [20:00].
Future Trends and Recommendations
As organizations navigate the second half of 2025, key focus areas include managing third-party risks and implementing robust cyber risk quantification methods to prioritize vulnerability remediation effectively.
Notable Quote:
"We encourage organizations to look into cyber risk quantification as a way to understand and prioritize their risks," advises Novak [23:49].
UAE’s Effort to Recruit Former Pentagon Cyber Experts
Kim Zetter reports that Brigadier General Musalam Al Rashidi of the UAE's military extended job offers to former members of the Pentagon's Defense Digital Service (DDS) who resigned in protest over departmental inefficiencies. The UAE aims to build an AI unit for its Ministry of Defense, collaborating with Analog AI, a firm associated with the Emirati company G42, which has known ties to the Chinese government and military.
Risks and Implications:
Notable Quote:
"Losing these experts not only weakens America's cyber posture, it opens the door to our adversaries," warns a former DDS staffer [24:30].
This episode of CyberWire Daily provides a comprehensive overview of the current cybersecurity landscape, highlighting significant legislative changes, escalating threats targeting critical infrastructure, and the evolving role of AI in cyber operations. The insightful discussion with Chris Novak offers valuable perspectives on emerging trends and strategic recommendations for organizations aiming to bolster their cybersecurity resilience. Additionally, the geopolitical dimension underscores the complex interplay between national security and the global talent market in the realm of cybersecurity.
For more detailed information and to access the 2025 DBIR, listeners are encouraged to visit the show notes and the CyberWire Daily briefing at thecyberwire.com.
Produced by Alice Carruth, CyberWire Senior Producer. Edited by Liz Stokes, CyberWire Producer. Mixed by Trey Hester with original music and sound design by Elliot Peltzman. Executive Producer: Jennifer Eiben. Publisher: Peter Kilpe.