CyberWire Daily: Episode Summary – "The Take It Down Act Walks a Fine Line"
Release Date: May 20, 2025
Host/Author: N2K Networks
Introduction
In this episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity developments, including significant legislative changes, escalating ransomware attacks, sophisticated malware campaigns, and critical updates from cybersecurity authorities. The episode also features an insightful interview with Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, who provides an in-depth analysis of the 2025 Verizon Data Breach Investigations Report (DBIR) and discusses emerging trends in the cybersecurity landscape.
Legislative Updates: The Take It Down Act
President Trump Signs the Take It Down Act into Law
President Donald Trump has officially signed the Take It Down Act into law, marking a significant step towards combating the distribution of non-consensual intimate images and AI-generated deepfakes. The legislation mandates that social media platforms remove such content within 48 hours of notification and grants the Federal Trade Commission (FTC) enhanced enforcement powers.
Key Provisions:
- Removal Requirement: Social media platforms must act swiftly to remove harmful content.
- Enforcement: The FTC is empowered to oversee and enforce compliance.
- Penalties: Violators face up to three years in prison and substantial fines.
Controversies and Criticisms: While the law has garnered support from various tech companies and advocacy groups, it faces opposition from organizations like the Cyber Civil Rights Initiative and the Electronic Frontier Foundation. Critics argue that the law's vague definitions could lead to potential abuse, impacting victims and stifling free expression. Concerns are further amplified by President Trump's insinuations about using the law to shield himself from online criticism, raising fears of selective enforcement and legal overreach.
Notable Quote:
"The law mandates that social media platforms remove such content within 48 hours of notification and gives the FTC enforcement power," explains Dave Bittner [02:30].
Ransomware Attacks Targeting the UK Logistics Sector
UK Grocer’s Logistics Firm Hit by Ransomware
A prominent UK logistics firm, supplying major grocery chains like Tesco and Aldi, fell victim to a ransomware attack last week. The incident disrupted order processing operations but did not impact the transportation segment. The company is actively managing the disruption and maintaining regular updates with its clients.
Industry Impact: This attack is part of a burgeoning trend targeting the UK's food sector. Recent ransomware incidents have impacted major retailers such as Marks & Spencer, Co-op, and Harrods, all experiencing system outages. Cybersecurity experts highlight the vulnerability of the cold chain's stringent delivery schedules and complex operations, which are attractive targets for threat actors.
Consequences:
- Operational Risks: Disruptions can lead to significant delays and inefficiencies.
- Food Waste: Compromised communications may result in increased food spoilage.
- Financial Fraud: Altered or intercepted communications pose risks of financial deceit.
Notable Quote:
"These attacks risk not just operations but also food waste and financial fraud through compromised communications," states Dave Bittner [04:10].
Exploitation of Software Vulnerabilities: Trojanized KeePass
Researchers Uncover Trojanized Versions of KeePass
Security researchers have identified malicious versions of the popular KeePass password manager, dubbed KeeLoader, which covertly install a Cobalt Strike beacon and exfiltrate password databases in cleartext. The campaign, active for at least eight months, spreads through malicious Bing ads and counterfeit software websites whose domains mimic KeePass's.
Attack Mechanism:
- Malware Distribution: Delivered via deceptive Bing advertisements and fake download sites.
- Stealth Operations: KeeLoader operates silently, avoiding detection while extracting sensitive data.
- Attribution: The malware is linked to the Black Basta ransomware group; some variants are signed with legitimate certificates.
Ongoing Threat: One malicious domain remains active and continues to distribute the KeeLoader installer, posing a persistent threat to users.
Notable Quote:
"Distribution occurred through malicious Bing ads and fake software sites with domains mimicking KeePass's name," explains Dave Bittner [06:15].
Advancements in Security Metrics: Likely Exploited Vulnerabilities (LEV)
CISA and NIST Introduce LEV Metric
Researchers from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have developed a new metric, Likely Exploited Vulnerabilities (LEV), aimed at enhancing the prediction of actively exploited software flaws.
Components of LEV:
- Data Integration: Combines inputs from the Exploit Prediction Scoring System (EPSS), known exploited vulnerabilities (KEV) lists, and key vulnerability dates.
- Objective: To improve patch prioritization by estimating the probability that a vulnerability has been exploited.
- Advantages Over Existing Metrics: LEV addresses the incompleteness and inaccuracies inherent in using KEV or EPSS alone by identifying high-risk vulnerabilities that may otherwise be overlooked.
Future Initiatives: NIST is seeking industry partners to test and refine the LEV metric using real-world data, aiming to provide a more comprehensive tool for cybersecurity professionals.
Notable Quote:
"LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked," notes Dave Bittner [07:50].
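To make the LEV idea concrete, here is an added illustration (not NIST's or CISA's code, and not the exact published LEV equation): it treats each 30-day EPSS score as an independent chance that the flaw was exploited in that window, combines the windows since the CVE's publication date into one cumulative probability, and lets KEV membership override the estimate. The EPSS history, dates and CVE ids are constructed placeholders.

```python
from datetime import date, timedelta

# EPSS expresses the probability that a vulnerability is exploited within the next 30 days.
WINDOW_DAYS = 30


def cumulative_exploit_probability(epss_history, published, as_of):
    """Combine EPSS scores sampled every 30 days from `published` through `as_of`.

    epss_history maps a date to the EPSS score seen that day (missing dates count
    as 0). Each window is treated as an independent chance of exploitation, so the
    probability that no window saw exploitation is the product of (1 - p_i); the
    final window is scaled by the fraction of 30 days it covers. This composition
    rule is my simplification of the LEV idea, not NIST's published equation.
    """
    if as_of < published:
        raise ValueError("as_of precedes the publication date")
    p_none = 1.0
    d = published
    while d <= as_of:
        days_covered = (as_of - d).days + 1
        weight = min(1.0, days_covered / WINDOW_DAYS)
        p_none *= 1.0 - epss_history.get(d, 0.0) * weight
        d += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_none


def prioritise(cve, epss_history, published, as_of, kev, threshold=0.5):
    """KEV membership is authoritative; otherwise rank by the cumulative probability."""
    if cve in kev:
        return "kev-listed"
    lev = cumulative_exploit_probability(epss_history, published, as_of)
    return "likely-exploited" if lev >= threshold else "low-likelihood"


# Constructed sample data: placeholder CVE ids and four 30-day EPSS readings.
PUBLISHED = date(2025, 1, 1)
AS_OF_FULL = date(2025, 4, 30)     # four complete windows
AS_OF_PARTIAL = date(2025, 4, 15)  # last window only half elapsed
EPSS_HISTORY = {
    date(2025, 1, 1): 0.05,
    date(2025, 1, 31): 0.20,
    date(2025, 3, 2): 0.40,
    date(2025, 4, 1): 0.30,
}
KEV = {"CVE-0000-KEVEXAMPLE"}  # placeholder, not a real KEV entry

if __name__ == "__main__":
    print(round(cumulative_exploit_probability(EPSS_HISTORY, PUBLISHED, AS_OF_FULL), 4))
    print(prioritise("CVE-0000-PLACEHOLDER", EPSS_HISTORY, PUBLISHED, AS_OF_FULL, KEV))
```

With the constructed history the four full windows give roughly 0.68, while cutting off mid-window on 15 April lowers it to about 0.61 because the last score is only half-weighted.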
Sophisticated Malware Campaigns: Bumblebee via SEO Poisoning
SEO Poisoning Delivers Bumblebee Malware
A newly discovered malware campaign employs SEO Poisoning tactics on Microsoft Bing to distribute the Bumblebee malware, specifically targeting IT professionals and developers. The attackers create typo-squatted domains resembling legitimate software tools like WinMTR and Milestone XProtect, hosting malicious installers alongside the legitimate applications.
Characteristics of the Campaign:
- Target Audience: IT professionals and developers seeking technical software.
- Malware Delivery: The installer packages include both the legitimate software and the Bumblebee malware.
- Evasion Techniques: Utilizes stealthy methods to bypass detection, linking to multiple command and control servers via the life domain.
Strategic Shift: This campaign signifies a move from targeting widely-used software to focusing on niche technical tools, aiming at high-value targets with elevated system access.
Notable Quote:
"This shift from targeting common software to niche technical tools signals a strategic focus on high-value targets," comments Dave Bittner [09:30].
Advanced Phishing Schemes: Zoom Meeting Impersonation
Phishing Campaign Mimics Zoom Invites
A sophisticated phishing campaign is impersonating Zoom meeting invitations to harvest user credentials. These deceptive emails replicate legitimate Zoom notifications, complete with authentic company branding and falsified video previews of participants, persuading users to enter their login details on spoofed meeting pages.
Attack Techniques:
- Domain Mimicry: Utilizes subtly altered domain names to appear legitimate.
- Personalization: Employs personalized URLs, potentially leveraging leaked data to enhance believability.
- Credential Theft: Stolen credentials are likely exfiltrated via compromised APIs or messaging services, granting attackers broader access to corporate systems.
Recommendations for Defense: Experts advise verifying unexpected meeting invitations, enabling multi-factor authentication (MFA), utilizing advanced email security tools, and conducting regular user awareness training to mitigate such threats.
Notable Quote:
"The use of personalized URLs suggests attackers may be leveraging leaked data to tailor emails and increase believability," states Dave Bittner [11:00].
CISA Updates: Actively Exploited Vulnerabilities Added
CISA Expands Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has incorporated six additional actively exploited vulnerabilities into its Known Exploited Vulnerabilities (KEV) Catalog. These include flaws in:
- Ivanti Endpoint Manager Mobile (EPMM)
- MDaemon Email Server
- Srimax Output Messenger
- Zimbra Collaboration Suite
- ZKTeco BioTime
Implications for Federal Agencies: Federal entities are mandated to remediate these vulnerabilities by specified deadlines. CISA emphasizes the critical importance of prioritizing the patching of KEV-listed vulnerabilities to mitigate exposure to ongoing cyber threats.
Notable Quote:
"Federal agencies must remediate these issues by the set deadlines," emphasizes Dave Bittner [12:20].
Legislative Efforts: Federal Cyber Workforce Training Act
Bipartisan Bill Aims to Bolster Federal Cybersecurity Workforce
The Federal Cyber Workforce Training Act, a bipartisan initiative introduced by Representatives Pat Fallon (R-Texas) and Marcy Kaptur (D-Ohio), seeks to address the diminishing federal cybersecurity workforce. The bill assigns the National Cyber Director the responsibility of establishing a centralized training center focused on hands-on, role-specific onboarding.
Key Features:
- Target Groups: Entry-level and transitioning workers.
- Training Modules: Developed in collaboration with the Department of Homeland Security (DHS) and the Department of Defense (DoD), including specialized training for HR staff to enhance recruitment and hiring processes.
- Rationale: The initiative responds to prior workforce reductions under the Trump administration, including hiring freezes and program disruptions, which have had lasting adverse effects on recruitment efforts.
Criticisms and Support: While the bill garners support for its intent to create sustainable cyber career paths and elevate training standards, some critics, like Representative Eric Swalwell, highlight the long-term recruitment challenges exacerbated by past layoffs at CISA.
Notable Quote:
"The bill seeks to reverse these trends by creating sustainable cyber career paths and raising training standards across federal agencies," explains Dave Bittner [13:00].
Interview with Chris Novak: Insights from the 2025 DBIR
Overview of the DBIR
Chris Novak, VP of Global Cybersecurity Solutions at Verizon, discusses the 2025 Verizon Data Breach Investigations Report (DBIR). The report, now in its 18th year, provides a comprehensive, data-driven analysis of data breaches, focusing on how they occur, their targets, and mitigation strategies.
Notable Quote:
"The key behind the report has always been how do we take a data and evidence-driven approach to understanding how data breaches happen," Chris Novak explains [13:42].
Expansion and Depth of the Report
This year's DBIR has expanded globally, incorporating data from nearly 100 contributors across 139 countries, encompassing over 22,000 incidents and 12,000 data breaches. This extensive dataset allows for more nuanced and accurate conclusions.
Notable Quote:
"The report has gotten even more global... covering 139 victim countries, over 22,000 incidents and over 12,000 data breaches," Novak notes [14:47].
Key Findings: Vulnerability Exploitation and Ransomware
Increase in Vulnerability Exploitation:
- Exploitation of vulnerabilities as an initial access method surged by 34%, now accounting for 20% of all breaches.
- A significant number of these vulnerabilities are tied to perimeter devices, undermining traditional security perimeters.
Notable Quote:
"A lot of the zero days and other vulnerabilities that have been exploited have been in those perimeter devices," Novak highlights [15:49].
Ransomware Trends:
- A 37% increase in ransomware events compared to the previous year.
- Ransomware now features in 44% of all breaches, up from 32%.
- Small and medium-sized businesses (SMBs) are disproportionately affected: ransomware is present in 88% of breaches in this segment.
Notable Quote:
"64% of the victim organizations did not pay the ransom," Novak observes [18:00].
Generative AI and Cybersecurity
The integration of generative AI in cyber threats is evolving. While generative AI is being leveraged by threat actors primarily for social engineering, the report identifies that most AI-related security issues are self-inflicted due to improper governance and controls within organizations.
Notable Quote:
"A lot of what we see right now is a lot of self-inflicted things," Novak explains [20:00].
Future Trends and Recommendations
As organizations navigate the second half of 2025, key focus areas include managing third-party risks and implementing robust cyber risk quantification methods to prioritize vulnerability remediation effectively.
Notable Quote:
"We encourage organizations to look into cyber risk quantification as a way to understand and prioritize their risks," advises Novak [23:49].
Geopolitical Concerns: UAE’s Recruitment of US Cyber Talent
UAE’s Effort to Recruit Former Pentagon Cyber Experts
Kim Zetter reports that Brigadier General Musalam Al Rashidi of the UAE's military extended job offers to former members of the Pentagon's Defense Digital Service (DDS) who resigned in protest over departmental inefficiencies. The UAE aims to build an AI unit for its Ministry of Defense, collaborating with Analog AI, a firm associated with the Emirati company G42, which has known ties to the Chinese government and military.
Risks and Implications:
- Sensitive Expertise Transfer: Recruiting US cyber talent could lead to inadvertent sharing of sensitive knowledge or dual-use technologies.
- Geopolitical Tensions: Past instances have shown that recruited operatives may engage in surveillance and offensive hacking against US allies and dissidents.
- Security Posture Weakening: The loss of top-tier cyber experts diminishes the US's cybersecurity defenses and empowers adversarial entities.
Notable Quote:
"Losing these experts not only weakens America's cyber posture, it opens the door to our adversaries," warns a former DDS staffer [24:30].
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of the current cybersecurity landscape, highlighting significant legislative changes, escalating threats targeting critical infrastructure, and the evolving role of AI in cyber operations. The insightful discussion with Chris Novak offers valuable perspectives on emerging trends and strategic recommendations for organizations aiming to bolster their cybersecurity resilience. Additionally, the geopolitical dimension underscores the complex interplay between national security and the global talent market in the realm of cybersecurity.
For more detailed information and to access the 2025 DBIR, listeners are encouraged to visit the show notes and the CyberWire Daily briefing at thecyberwire.com.
Produced by Alice Carruth, CyberWire Senior Producer. Edited by Liz Stokes, CyberWire Producer. Mixed by Trey Hester with original music and sound design by Elliot Peltzman. Executive Producer: Jennifer Ivan. Publisher: Peter Kilpe.
