CyberWire Daily: "Typhoon on the Line" – Detailed Summary
Release Date: June 18, 2025
Host: Dave Bittner, N2K Networks
1. Viasat Breached by Salt Typhoon
Overview:
Viasat, a key provider of secure communications for both commercial and government sectors, confirmed a breach by the Chinese state-sponsored espionage group, Salt Typhoon. The attack is linked to previous intrusions into U.S. telecom infrastructure ahead of the 2024 presidential election.
Key Details:
- Targeted Entities: Previous targets include Verizon, AT&T, and T-Mobile.
- Accessed Data: Phone records of political figures such as Donald Trump and J.D. Vance.
- Impact: Viasat reported that no customer data was compromised. The breach originated from a compromised device, and collaboration with federal authorities has neutralized the immediate threat.
- Group Profile: Salt Typhoon has been active since 2020, noted for its stealth and long-term access strategies. U.S. officials associate the group with broader cyber espionage activities, including a 2024 Treasury Department breach.
- Chinese Stance: The Chinese government denies any involvement.
Notable Quote:
Dave Bittner highlights the ongoing threat:
"Salt Typhoon, active since 2020, is known for its stealth and long-term access strategies, raising concerns that the group may still be embedded in some networks." [02:06]
2. Microsoft’s June 2025 Security Update Crisis
Overview:
Microsoft's June 10, 2025 security update fixes a large batch of vulnerabilities but also introduced regressions, leaving administrators with an awkward operational choice.
Key Issues:
- Patch Impact: The update breaks DHCP failover on Windows Server 2016 through 2025, which can leave clients unable to obtain or renew leases and cause network outages.
- Security Trade-off: Administrators must either install the flawed patch and accept the service disruption, or hold off and leave servers exposed to the 66 vulnerabilities it fixes, including two zero-days.
- Exploits in Play: One of the zero-days is an actively exploited WebDAV flaw, with the exploitation attributed to the Stealth Falcon group.
- Additional Affected Systems: Surface Hub devices and L2TP VPN connections are also affected by the update.
Expert Commentary:
Dave Bittner underscores the broader implications:
"Experts warn this reflects a growing trend of rushed patches causing major system failures, leaving admins effectively testing mission-critical updates in production environments." [04:15]
3. Qualys Discovers Critical Linux Vulnerabilities
Overview:
Researchers at Qualys identified two local privilege escalation flaws that can take an unprivileged local user to root on major Linux distributions.
Vulnerabilities Identified:
- PAM Configuration Flaw: Affects openSUSE and SUSE Linux Enterprise.
- libblockdev / udisks Daemon Flaw: The udisks daemon is installed by default on most Linux distributions, so this flaw is present almost everywhere.
Exploitation:
Proof-of-concept exploits were successfully tested on Ubuntu, Debian, Fedora, and openSUSE. Chained together, the two bugs turn ordinary local access into root with little effort.
Security Recommendations:
Admins are urged to apply patches immediately: a root-level foothold on one host enables persistence, lateral movement, and full system compromise.
Notable Quote:
Highlighting the severity, Dave Bittner states:
"Even on their own, especially the udisks flaw, they pose a critical risk." [06:00]
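As an added example, not code from the episode or from Qualys: an audit-and-mitigate script for the udisks half of the chain. udisks decides who may perform device operations by asking polkit about the action org.freedesktop.udisks2.modify-device, and the stock udisks2 policy grants that action to any active local session without authentication (allow_active set to yes); that grant is what lets a logged-in local user drive udisks into the vulnerable libblockdev code path. The script reads that setting out of a polkit .policy file and writes a rules.d override that demands administrator authentication for the action, the interim mitigation circulated with the Qualys advisory for hosts that cannot be patched yet. The sample policy XML, the file paths and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the episode or from Qualys: audit the polkit grant
# that the udisks LPE relies on, and emit the interim hardening override.
# Paths, sample XML and function names are constructed for illustration.

# Print the <allow_active> value of one action id from a polkit .policy file.
# Uses only awk so it runs on a minimal host. Prints "unset" if absent.
policy_allow_active() {
    policy_file="$1"
    action_id="${2:-org.freedesktop.udisks2.modify-device}"
    awk -v id="$action_id" '
        index($0, "<action id=\"" id "\">") { in_action = 1 }
        in_action && /<allow_active>/ {
            sub(/.*<allow_active>/, ""); sub(/<\/allow_active>.*/, "")
            print; found = 1; exit
        }
        in_action && /<\/action>/ { in_action = 0 }
        END { if (!found) print "unset" }
    ' "$policy_file"
}

# True (exit 0) when the action is granted to any active local session with
# no authentication, i.e. allow_active is "yes": the setting a local user
# needs in order to reach the vulnerable libblockdev code path via udisks.
action_open_to_active_users() {
    [ "$(policy_allow_active "$1" "${2:-}")" = "yes" ]
}

# Write a polkit JavaScript rule (polkit >= 0.106, /etc/polkit-1/rules.d)
# that demands administrator authentication for the udisks modify-device
# action. Rules take precedence over the vendor .policy defaults, so the
# vendor file is left untouched.
write_hardening_rule() {
    cat > "$1" <<'EOF'
// Interim mitigation for the udisks/libblockdev LPE: require admin auth for
// device modification instead of granting it to every active session.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Constructed sample mirroring the shape of the stock udisks2 policy: one
# action already requires admin auth, modify-device does not.
write_sample_policy() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount-system">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
}

# Usage on a live host (paths assumed; adjust for your distribution):
#   sh udisks_audit.sh --audit
#   sh udisks_audit.sh --harden
case "${1:-}" in
  --audit)
    f="${2:-/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy}"
    if action_open_to_active_users "$f"; then
      echo "WARNING: modify-device is open to any active session in $f"
    else
      echo "modify-device allow_active=$(policy_allow_active "$f")"
    fi
    ;;
  --harden)
    write_hardening_rule "${2:-/etc/polkit-1/rules.d/10-udisks-lpe-mitigation.rules}"
    ;;
esac
```

Two caveats. The audit reads only the vendor defaults, so it will keep reporting "yes" after the override is in place; the override still wins because polkit evaluates rules.d before falling back to the .policy defaults. And older Debian and Ubuntu releases ship polkit 0.105, which ignores JavaScript rules and uses .pkla files under /etc/polkit-1/localauthority instead, so the hardening function does nothing there. Either way the override is a stopgap: the fix is the distribution's patched udisks2/libblockdev and PAM packages.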
4. BeyondTrust Addresses Remote Code Execution Flaw
Overview:
BeyondTrust has patched a critical remote code execution (RCE) vulnerability in its Remote Support and Privileged Remote Access products.
Vulnerability Details:
- Affected Feature: The chat feature, where improperly handled input reaches the template engine (a template injection).
- Exploitation Risk: An unauthenticated attacker can execute arbitrary code on the affected server.
- Patch Status: BeyondTrust's cloud instances were patched by June 16; on-premises customers must apply the update themselves.
- Mitigations: Enabling SAML authentication for the public portal and disabling certain features.
Security Context:
No in-the-wild exploitation has been reported, but earlier BeyondTrust flaws have been exploited by attackers, so prompt patching is warranted.
Notable Quote:
Dave Bittner emphasizes mitigation steps:
"Mitigations include enabling SAML for the public portal and disabling certain features." [07:30]
5. Risks in Low-Cost SMS Routing Exposed
Overview:
Tech giants like Google, Meta, and Amazon rely on contractors for delivering one-time login codes via SMS. This cost-saving measure introduces significant security risks.
Investigation Findings:
- Involved Providers: Fink Telecom Services, a Swiss firm with a controversial reputation.
- Data Exposure: Over 1,000 companies were sending sensitive login messages through Fink, resulting in millions of messages, including account names and phone numbers, traversing insecure networks.
- Historical Links: Fink has connections to global surveillance efforts and cyber incidents.
- Regulatory Gaps: Despite restrictions in some jurisdictions such as the UK, the SMS routing industry remains largely unregulated, so providers go inadequately vetted.
Notable Quote:
Dave Bittner critiques industry practices:
"Critics argue that tech companies are failing to vet these providers adequately, leaving customer data vulnerable in a system designed for more cost savings than security." [09:00]
6. Erie Insurance Outage and Legal Challenges
Overview:
Erie Insurance reported a network outage lasting ten days and denies that it was a ransomware attack. Two class-action lawsuits allege otherwise, claiming a data breach and ransomware involvement.
Incident Details:
- Erie’s Statement: Detected unauthorized activity and contained it without confirming a data breach.
- Lawsuits: Filed by a customer and a former employee, each seeking $5 million for alleged negligence in protecting personal data.
- Threat Attribution: Google Threat Intelligence links the timing to Scattered Spider, a known cybercrime group targeting insurers.
- Operational Impact: Communications services like phones and emails remain disrupted.
- Security Measures: Erie is enhancing its defenses and working with cybersecurity experts but declined to comment on ongoing litigation.
Notable Quote:
Dave Bittner summarizes the situation:
"Erie Insurance denies any evidence of ransomware or ongoing cyber threats following a 10-day network outage that began June 7th." [10:45]
7. Challenges in Cloud Backup Strategies
Overview:
A report from EON titled "2025 State of Cloud Backup" reveals that half of organizations struggle to locate backup data when needed, despite the increasing threats from ransomware.
Key Insights:
- Backup Reliance: Many organizations still depend on outdated, manual backup methods.
- Survey Findings: Out of over 150 IT leaders surveyed, 18% experienced data loss, and 22% were uncertain about their backup status.
- Causes of Data Loss:
- Human error (64%)
- Ransomware attacks (25%)
- Backup Practices: Only 49% utilize fully automated backups, and merely 29% have layered defenses against ransomware.
- Vulnerabilities: 13% of organizations lack any backup protection.
Recommendations:
EON advocates for modernization using AI-driven, cross-cloud solutions to ensure robust, automated, and comprehensive backup strategies.
Notable Quote:
Dave Bittner highlights the urgency:
"Effective backups not only guard against loss, but can also fuel analytics and AI if properly managed." [12:30]
8. Veeam Patches Critical Backup Software Vulnerability
Overview:
Veeam has addressed a critical RCE vulnerability in Veeam Backup & Replication (VBR), discovered by watchTowr and CODE WHITE.
Vulnerability Details:
- Affected Systems: Domain-joined VBR installations from version 12 onwards.
- Exploitation Method: Any authenticated domain user can execute code remotely on the backup server.
- Patch Availability: Fixed in the latest version released on June 18, 2025.
- Best Practices Reminder: Veeam advises against domain-joining backup servers, yet many organizations still do so, which is exactly what puts them in scope for this flaw.
Notable Quote:
Dave Bittner underscores the risk:
"Many companies still domain join backup servers, increasing their exposure to this threat." [14:10]
9. Emergence of SuperCard Malware in Russia
Overview:
Russian cybersecurity firm F6 reports the first domestic attacks using SuperCard, a modified version of the legitimate NFCGate tool. The malware targets Android users and steals payment card NFC data, which is then used for ATM cash-outs and direct bank transfers.
Malware Characteristics:
- Distribution: Available via Telegram, including Chinese language channels with subscription and support models.
- Infection Tactics: Disguised as legitimate apps, employs social engineering to infect victims.
- Targeting: Identifies users' payment systems (e.g., Visa, MasterCard) to streamline theft.
- Impact: Over 175,000 devices infected in Russia, resulting in $5.5 million in losses during Q1 2025.
- Geographical Reach: Designed to target users in the U.S., Europe, and Australia.
Notable Quote:
Dave Bittner comments on the malware's scope:
"SuperCard is marketed as capable of targeting users in the US, Europe, and Australia." [16:00]
10. Post-Break Discussion: Juneteenth and Cybersecurity
Participants:
- Maria Varmazis: T-Minus Space Daily
- Kim Jones: CISO Perspectives podcast
- Dave Bittner: Host
Discussion Highlights:
- Historical Context: Sam reflects on the significance of Juneteenth, emphasizing the challenges African Americans faced in preserving lineage and history due to slavery and systemic disruptions.
- Community Preservation: Importance of maintaining cultural and historical records within ethnic communities, drawing parallels to Chinatowns.
- Modern Implications:
- Cybersecurity Neutrality: Historically, cybersecurity enjoyed bipartisan neutrality, similar to the space sector. However, recent events like the DOGE situation in Washington have politicized the field.
- Policy and Security Practices:
- Identity Access Management: Concerns over data protection and the politicization of security practices.
- Professional Responsibility: Cybersecurity professionals feel compelled to question and challenge political decisions impacting security, striving for data-driven and fact-based responses rather than partisan debates.
Notable Quotes:
- Sam on Historical Challenges: "The ability for us to keep history even back 150, 200 years has been difficult... It's been something I've known about for a while." [14:13]
- Dave on Security Neutrality: "My perception though, is that it's not that we're straying out of our lane, it's that they've come careening into ours... cybersecurity used to enjoy sort of bipartisan neutrality." [15:57]
- Sam on Professional Responsibility: "I'm a cyber guy. I should be asking those statements because my customers are going to ask them of me." [17:00]
11. Closing Stories and Announcements
Active Directory Security Alert:
Dave Bittner emphasizes the exposure of Active Directory, which is targeted in 90% of cyberattacks, and promotes Semperis's Purple Knight, a free assessment tool that scans Active Directory for security weaknesses.
John Graham-Cumming's lowbackgroundsteel.ai Launch:
Former Cloudflare CTO John Graham-Cumming has launched a website dedicated to preserving the web's pre-AI cultural heritage. The site serves as a digital time capsule, archiving human-authored content from sources like Wikipedia dumps, Project Gutenberg, and GitHub's Arctic Code Vault. Started in 2023, it aims to provide a pre-AI baseline as AI-generated content proliferates.
Future Content:
The podcast announces a special edition episode on Juneteenth to be released the following day, encouraging listeners to engage with their annual audience survey.
Notable Quote:
Dave Bittner concludes:
"Think of it as civilization's backup." [22:30]
Conclusion
In this episode of CyberWire Daily, Dave Bittner delivers a comprehensive overview of significant cybersecurity incidents and vulnerabilities impacting major organizations and systems. From state-sponsored espionage and critical software vulnerabilities to emerging malware threats and challenges in backup strategies, the episode underscores the evolving and multifaceted nature of cybersecurity threats. Additionally, the post-break discussion bridges historical perspectives with modern cybersecurity challenges, highlighting the intersection of culture, policy, and security practices.
Listeners are encouraged to stay informed, adopt robust security measures, and engage with the broader cybersecurity community to navigate the complex landscape effectively.
