Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
Viasat confirms it was breached by Salt Typhoon. Microsoft's June 2025 security update giveth, and Microsoft's June 2025 security update taketh away. Local privilege escalation flaws grant root access on major Linux distributions. BeyondTrust patches a critical remote code execution flaw. SMS low-cost routing exposes users to serious risks. Erie Insurance says their ongoing outage isn't ransomware. Backups are no good if you can't find them. Veeam patches a critical vulnerability in its backup software. SuperCard malware steals payment card data for ATM fraud and direct bank transfers. We preview our Juneteenth special edition, and backing up humanity.
Dave Bittner
It's Wednesday, June 18, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It's great to have you with us.
Viasat has confirmed it was breached by Salt Typhoon, the Chinese state-sponsored espionage group, in a cyberattack linked to intrusions into US telecom infrastructure ahead of the 2024 presidential election. The group had previously targeted firms like Verizon, AT&T and T-Mobile and reportedly accessed phone records of political figures including Donald Trump and J.D. Vance. Viasat, which provides secure communications to both commercial and government sectors, stated the breach stemmed from a compromised device but found no customer data was affected. The company worked with federal authorities and believes the threat has been neutralized. Salt Typhoon, active since 2020, is known for its stealth and long-term access strategies, raising concerns that the group may still be embedded in some networks. U.S. officials have linked the group to broader cyber espionage efforts, including a 2024 Treasury Department breach, while China denies all allegations.
Microsoft's June 2025 security update has created a dilemma for IT admins: install a patch that breaks DHCP services, or leave servers vulnerable to serious exploits. The update, released June 10, disrupts DHCP failover configurations on Windows Server 2016 through 2025, causing network outages. Microsoft confirms the bug but has yet to issue a fix, forcing some to uninstall the update, exposing systems to 66 vulnerabilities, including two zero-days. One is an actively exploited WebDAV flaw used by the Stealth Falcon group. The same update has also caused issues with Surface Hub devices and L2TP VPN connections. Experts warn this reflects a growing trend of rushed patches causing major system failures. Admins are effectively left testing mission-critical updates in production environments.
Researchers at Qualys have uncovered two local privilege escalation flaws that can grant root access on major Linux distributions. The first affects the PAM configuration on openSUSE and SUSE Linux Enterprise, while the second targets libblockdev and the udisks daemon installed by default on most Linux systems. Together these bugs can be chained for an easy local-to-root exploit. Even on their own, especially the udisks flaw, they pose a critical risk. Proof-of-concept exploits have already worked on Ubuntu, Debian, Fedora and openSUSE. Admins are urged to patch both immediately, as root access can lead to persistence, lateral movement and full system compromise.
BeyondTrust has patched a critical remote code execution flaw in its Remote Support and Privileged Remote Access tools. The bug, found in the chat feature, stems from improper input handling in the template engine, enabling unauthenticated attackers to run arbitrary code on affected servers. Cloud systems were patched by June 16, but on-prem customers must update manually. Mitigations include enabling SAML for the public portal and disabling certain features. No active exploitation has been reported, but past flaws have been targeted.
Tech giants like Google, Meta and Amazon rely on a global web of contractors to deliver one-time login codes via SMS, aiming for speed and low cost, but this low-cost routing strategy exposes users to serious risks. Middlemen, some with links to surveillance and cybercrime, can access and potentially misuse these codes. A recent investigation from Lighthouse Reports and Bloomberg revealed that over 1,000 companies sent sensitive login messages through Fink Telecom Services, a Swiss firm with a controversial track record. Millions of messages, including account names and phone numbers, were found traveling through this insecure network. Fink has been previously linked to surveillance efforts and cyber incidents worldwide.
Despite bans on such practices in places like the UK, the opaque SMS routing industry remains largely unregulated. Critics argue that tech companies are failing to vet these providers adequately, leaving customer data vulnerable in a system designed for more cost savings than security.
Erie Insurance denies any evidence of ransomware or ongoing cyber threats following a 10-day network outage that began June 7th. This contradicts two class action lawsuits alleging a ransomware attack and data breach. Erie says it detected unauthorized activity and took immediate steps to contain it, adding that no data breach has been confirmed. The lawsuits, filed by a customer and a former employee, each seek $5 million, claiming negligence over exposed personal data. One plaintiff says Erie notified him of a data leak. Meanwhile, Google Threat Intelligence has linked the timing to Scattered Spider, a known cybercrime group targeting insurers. Erie continues to work with cybersecurity experts and has strengthened its defenses but declined to comment on litigation. The company urges customers to monitor their financial activity and practice good security hygiene. Communications services, including phones and emails, remain impacted by the incident.
Half of organizations struggle to locate backup data when needed, according to Eon's 2025 State of Cloud Backup report. Despite rising ransomware threats, many still rely on outdated manual backup strategies. A survey of over 150 IT leaders found 18% experienced data loss and 22% were unsure if they had. Human error caused 64% of losses, while 25% were ransomware related. Only 49% used fully automated backups and just 29% had layered ransomware defenses. Alarmingly, 13% had no protection at all. Fragmented approaches, such as using individual cloud providers' disaster recovery tools, leave gaps in visibility and consistency.
Compliance is the top driver for backup investments, but mismanaged data raises risks of violations and business disruption. Eon urges companies to modernize with AI-driven cross-cloud solutions. They say effective backups not only guard against loss, but can also fuel analytics and AI if properly managed.
Veeam has patched a critical remote code execution vulnerability in its Backup and Replication software, discovered by watchTowr and CodeWhite. The flaw affects domain-joined VBR installations and allows any authenticated domain user to execute code remotely on the backup server. It impacts VBR version 12 and later and is fixed in a version released today. Despite Veeam's best practices advising against domain-joining backup servers, many companies still do, increasing their exposure to this threat.
Russian cybersecurity firm F6 has reported the first domestic attacks using SuperCard, a modified version of NFCGate, a legitimate tool for relaying NFC data. SuperCard, now part of a malware-as-a-service scheme, targets Android users and has previously been used in Europe to steal payment card data for ATM fraud and direct bank transfers. First detected in Italy in April and Russia in May, the malware disguises itself as a legitimate app and uses social engineering to infect victims. It identifies the user's payment system, like Visa or MasterCard, to facilitate theft. Unique to SuperCard is its open commercial distribution via Telegram, including Chinese-language channels with subscription models and support. F6 notes that this malware has infected over 175,000 devices in Russia, causing $5.5 million in losses in the first quarter of this year alone. It's marketed as capable of targeting users in the US, Europe and Australia.
Coming up after the break, we're sharing an excerpt from our Juneteenth special edition conversation between T-Minus Space Daily's Maria Varmazis, CISO Perspectives podcast's Kim Jones and myself. We'll be right back. Stay with us.
Maria Varmazis
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear. There is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC: how much easier trust can be. Get started at vanta.com/cyber.
Dave Bittner
And now a word from our sponsor, Cloud Range. Cybersecurity isn't just a technology issue, it's a people challenge. While tools can detect threats, it's the humans who decide how to respond. That's why Cloud Range uses immersive simulation-based training to build real-world instincts and confidence. This approach helps transform good security teams into great ones, ready to face today's evolving threats. Discover how Cloud Range is empowering defenders at www.cloudrange.com.
Sam
Let me take this back a little bit. I'm old enough to remember the publication of Alex Haley's Roots and LeVar Burton in his breakout role, before Geordi La Forge, as Kunta Kinte within that series. What we don't necessarily recognize or realize is why that was such a big deal: it's because of the history of African Americans coming over as slaves and families being broken up. It was thought that it was not just difficult, but damnably impossible to put together a lineage on an individual that dates back as they do in other communities within the environment. So the ability for us to keep history even back 150, 200 years has been difficult. It has been, I won't call it underground because it really hasn't been underground, it's been more a matter of kept within ethnic communities. It's not unusual and we're not unique. Think about towns and cities that have Chinatowns and think about how much we don't know regarding the history and the calendars, et cetera, there. So for me, I've been aware of Juneteenth for decades because this is part of the history that my father made sure that we did not forget as children growing up. So yeah, it's been lifelong for me. It's been something I've known about for a while. It's been something that I've taken a quiet moment and reflected upon in my adult years before the rest of the world became aware of it.
Dave Bittner
My perception, though, is that it's not that we're straying out of our lane, it's that they've come careening into ours, with things like DOGE, with the current situation in Washington and the White House. Cybersecurity used to, much more than it does today, enjoy sort of bipartisan neutrality. Same thing for space, by the way.
Sam
Yes.
Dave Bittner
Yeah. And it's not so much that way anymore. And that's not the fault of the folks in cyber.
Sam
Right. But the fault is how we approach it. And DOGE goes beyond Juneteenth. But as an example, what we get into is identity access management, exposure of data and data protection. The way we argue this problem isn't politically, over, you know, the President's right to do X and how this happens with Y, but in understanding that what we are doing in certain cases, and being specific and fact-based about those cases, violates some basic tenets that we've grown up under. But what we tend to do is we tend to do what I just did and get on the soapbox and rail at things, and we contribute to the noise engine rather than saying this particular problem violates basic practices of security that we've done for three to four decades. And if you wish to do this, which is your right as Commander in Chief or is your right as the government, and those conversations as to whether it is or ain't are well outside of my wheelhouse, then I have a right as not only a private citizen, but as a decades-old cyber professional to ask, what the hell are you doing to take care of these concerns? And that's not a political statement. That's a "I'm a cyber guy." I should be asking those statements because my customers are going to ask them of me. So I'm your customer. It's not wrong for me to ask them of you. So for me the issue is not just that these things are careening in, Dave, but our response is, again, it is not a thoughtful, data-driven, experiential response. It is knee-jerk reaction that feeds the engine and allows others to dismiss the argument.
Dave Bittner
Be sure to tune in to your CyberWire Daily feed tomorrow on your favorite podcast app to hear the full conversation.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.
And finally, former Cloudflare executive John Graham-Cumming has launched a website with a distinctly postmodern mission: preserving the web's low-background cultural heritage, that is, media created by humans before AI turned content into a buffet of statistically probable sentences. His site, lowbackgroundsteel.ai, pays homage to the Cold War-era concept of low-background steel, metal forged before nuclear testing filled the air, and everything else, with radiation. Think of it as a digital time capsule where archives like pre-2022 Wikipedia dumps, Project Gutenberg books, and GitHub's Arctic Code Vault bask in their human-authored glory. The site quietly launched in 2023, but stayed low key until now, perhaps wisely so. Since ChatGPT's debut, AI-generated sludge has oozed across the web, sinking projects like wordfreq, a beloved language tool that gave up in 2024 citing overwhelming synthetic noise. Graham-Cumming isn't launching an anti-AI crusade, just tagging the before in case the after ever needs context. Think of it as civilization's backup.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Please note that we will not be publishing tomorrow. In observance and celebration of the Juneteenth holiday in the US, we invite you to check out our special edition episode on Juneteenth tomorrow in your CyberWire Daily podcast feed.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of the summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here Friday.
Hey, everybody. Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Release Date: June 18, 2025
Host: Dave Bittner, N2K Networks
Overview:
Viasat, a key provider of secure communications for both commercial and government sectors, confirmed a breach by the Chinese state-sponsored espionage group, Salt Typhoon. The attack is linked to previous intrusions into U.S. telecom infrastructure ahead of the 2024 presidential election.
Notable Quote:
Dave Bittner highlights the ongoing threat:
"Salt Typhoon, active since 2020, is known for its stealth and long-term access strategies, raising concerns that the group may still be embedded in some networks." [02:06]
Overview:
Microsoft released a critical security update on June 10, 2025, addressing vulnerabilities but inadvertently creating significant operational dilemmas for administrators.
Expert Commentary:
Dave Bittner underscores the broader implications:
"Experts warn this reflects a growing trend of rushed patches causing major system failures, leaving admins effectively testing mission-critical updates in production environments." [04:15]
Overview:
Researchers at Qualys identified two local privilege escalation flaws that can grant root access on major Linux distributions.
Proof-of-concept exploits have been successfully tested on Ubuntu, Debian, Fedora, and openSUSE. The ability to chain these bugs facilitates easy escalation from local to root access.
Security Recommendations:
Admins are urged to apply patches immediately to prevent potential persistence, lateral movement, and full system compromise.
Notable Quote:
Highlighting the severity, Dave Bittner states:
"Even on their own, especially the udisks flaw, they pose a critical risk." [06:00]
Overview:
BeyondTrust has patched a critical remote code execution (RCE) vulnerability in its Remote Support and Privileged Remote Access tools.
No active exploitation has been reported; however, historical data shows past flaws have been targeted by attackers.
Notable Quote:
Dave Bittner emphasizes mitigation steps:
"Mitigations include enabling SAML for the public portal and disabling certain features." [07:30]
Overview:
Tech giants like Google, Meta, and Amazon rely on contractors for delivering one-time login codes via SMS. This cost-saving measure introduces significant security risks.
Notable Quote:
Dave Bittner critiques industry practices:
"Critics argue that tech companies are failing to vet these providers adequately, leaving customer data vulnerable in a system designed for more cost savings than security." [09:00]
Overview:
Erie Insurance reported a network outage lasting ten days, denying allegations of a ransomware attack. However, two class-action lawsuits counter these claims, alleging data breaches and ransomware involvement.
Notable Quote:
Dave Bittner summarizes the situation:
"Erie Insurance denies any evidence of ransomware or ongoing cyber threats following a 10-day network outage that began June 7th." [10:45]
Overview:
A report from Eon titled "2025 State of Cloud Backup" reveals that half of organizations struggle to locate backup data when needed, despite the increasing threats from ransomware.
Eon advocates for modernization using AI-driven, cross-cloud solutions to ensure robust, automated, and comprehensive backup strategies.
Notable Quote:
Dave Bittner highlights the urgency:
"Effective backups not only guard against loss, but can also fuel analytics and AI if properly managed." [12:30]
Overview:
Veeam has addressed a critical RCE vulnerability in its Backup and Replication (VBR) software, discovered by watchTowr and CodeWhite.
Notable Quote:
Dave Bittner underscores the risk:
"Many companies still domain-join backup servers, increasing their exposure to this threat." [14:10]
Overview:
Russian cybersecurity firm F6 reports the first domestic attacks utilizing SuperCard, a modified version of the legitimate NFCGate tool. This malware targets Android users, facilitating payment card data theft for ATM fraud and direct bank transfers.
Notable Quote:
Dave Bittner comments on the malware's scope:
"SuperCard is marketed as capable of targeting users in the US, Europe, and Australia." [16:00]
Notable Quotes:
Sam on Historical Challenges:
"The ability for us to keep history even back 150, 200 years has been difficult... It's been something I've known about for a while." [14:13]
Dave on Security Neutrality:
"My perception though, is that it's not that we're straying out of our lane, it's that they've come careening into ours... cybersecurity used to enjoy sort of bipartisan neutrality." [15:57]
Sam on Professional Responsibility:
"I'm a cyber guy. I should be asking those statements because my customers are going to ask them of me." [17:00]
Active Directory Security Alert:
Dave Bittner emphasizes the vulnerability of Active Directory, which is targeted in 90% of cyberattacks. He promotes Semperis's Purple Knight, a free security assessment tool designed to scan Active Directory for vulnerabilities.
John Graham-Cumming's lowbackgroundsteel.ai Launch:
Former Cloudflare executive John Graham-Cumming launches a website dedicated to preserving the web's pre-AI cultural heritage. The site serves as a digital time capsule, archiving human-authored content from sources like Wikipedia dumps, Project Gutenberg, and GitHub's Arctic Code Vault. Initiated in 2023, it aims to provide context against the backdrop of AI-generated content proliferation.
Future Content:
The podcast announces a special edition episode on Juneteenth to be released the following day, and encourages listeners to take part in its annual audience survey.
Notable Quote:
Dave Bittner concludes:
"Think of it as civilization's backup." [22:30]
In this episode of CyberWire Daily, Dave Bittner delivers a comprehensive overview of significant cybersecurity incidents and vulnerabilities impacting major organizations and systems. From state-sponsored espionage and critical software vulnerabilities to emerging malware threats and challenges in backup strategies, the episode underscores the evolving and multifaceted nature of cybersecurity threats. Additionally, the post-break discussion bridges historical perspectives with modern cybersecurity challenges, highlighting the intersection of culture, policy, and security practices.
Listeners are encouraged to stay informed, adopt robust security measures, and engage with the broader cybersecurity community to navigate the complex landscape effectively.