Loading summary
Maria Varmazas
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody, Dave here. I've talked about Deleteme before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.
Maria Varmazas
Children'S DNA in Criminal Databases ASUS routers get an unwanted House Guest New APT41 malware uses Google Calendar for command and control Interlock Ransomware Gang deploys new Trojan Estonia Issues arrest Warrant for Suspect in Massive Pharmacy breach the Enemy within the Endpoint New England Hospitals Disrupted by Cyber Attack Tim Starks from cyberscoop is discussing Whatever we Did was Not Enough how salt typhoons slipped through the government's blind spots and Victoria's secrets are leaked today is May 29, 2025. Maria I'm T minus Space Daily host Maria Varmazas in for Dave Bittner and this is your Cyber Wire Intel Briefing. Happy Thursday everybody. Thanks for joining us. Let's get into today's intel briefing. Between 2020 and 2024, US Customs and Border Protection collected DNA samples from over 133,000 migran, including at least one as young as four years old, and uploaded their genetic profiles to the FBI's Combined DNA Index System, or CODIS, which is a database traditionally reserved for criminal offenders. This expansion of biometric surveillance, justified by the Department of Justice as a crime prevention measure, has raised significant privacy and ethical concerns. While official policy limits routine DNA collection to individuals aged 14 and older, exceptions were widely made, often without any criminal charges. Notably, 122 minors identified as US citizens had their DNA collected, 53 of whom were not detained for any criminal arrest. Critics argue that this practice blurs the line between civil immigration enforcement and criminal investigation, effectively treating undocumented migrants, especially children, as potential criminals. Privacy experts warn that storing raw DNA samples indefinitely poses risks of misuse, including unauthorized profiling and surveillance. The inclusion of minors in codis, a system designed for tracking criminal offenders, underscores the need for stringent oversight and clear guidelines to protect vulnerable populations from unwarranted surveillance. Gray Noise has uncovered a sophisticated campaign compromising over 9,000 ASUS routers, primarily targeting small office and home office environments. The attackers gain initial access through brute force attacks and authentication bypasses, including techniques not yet assigned CVEs. Subsequently, they exploit CVE2023 39780A command injection vulnerability to execute arbitrary commands. The adversaries establish persistence by enabling SSH access on a non standard port and and inserting their public SSH keys using legitimate ASUS configuration methods. These changes are stored in non volatile memory or nvram, allowing the backdoor to survive reboots and firmware updates. Notably, no malware is deployed. Instead, the attackers disable logging and security features like Trend Micro's AI protection to evade detection. Google's Threat Intelligence Group says the Chinese threat actor APT41 used a compromised government website to host a new strain of malware dubbed Tough Progress. Notably, the malware uses Google Calendar events for command and control communications. Google explains. Once executed, Tough Progress creates a zero minute calendar event at a hard coded date, specifically May 30, 2023, with data collected from the compromised host being encrypted and written in the calendar event description. The operator places encrypted commands and calendar events on July 30th and 31st, 2023, which are predetermined dates also hard coded into the malware. TufProgress then begins polling calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another calendar event. The Interlock ransomware gang is using a new Trojan dubbed Node Snake to target universities. According to a report from Bleeping Computer, the malware is distributed via phishing emails with malicious links or attachments. Quorum Cyber has published a report on the RAT, noting that the malware is encoded in JavaScript and executed with Node JS. The researchers state that Node Snake demonstrates typical capabilities expected from a modern day rat. It is designed for persistent access system reconnaissance and remote command execution. It employs multiple evasion techniques, communicates with command and control servers via HTTP HTTPs, and deploys secondary payloads to maintain control and facilitate further compromise, quorum observed. Node Snake deployed against two universities in the UK within the last two months. Estonian authorities have issued an international arrest warrant for a Moroccan national accused of hacking a customer card database belonging to Allium upi, which is a major provider of pharmacy and healthcare products across the Baltic countries. According to a report from the Record, the breach occurred in February 2024 and exposed nearly 700,000 personal identification codes used by pharmacy customers, revealing pharmacy purchases linked to customer accounts. The incident affected data belonging to almost half of the Estonian population. Estonia's Central Criminal Police alleges that 25 year old Adrar Khalid gained access to the database using a stolen password for an administrator account. In mid-2024, Israeli cybersecurity company Signia uncovered a sophisticated North Korean cyber attack involving a threat actor posing as a legitimate IT employee at a Western company. The attacker, operating from within the organization, used standard tools like zoom and basic network protocols to avoid detection. By leveraging access through a corporate VPN and a company issued laptop, the attacker established a multi layered covert control channel enabling lateral movement, execution of malicious code and data exfiltration, all under the guise of routine remote work activities. Signia's investigation began after the FBI recovered a client issued laptop during a raid on a suspected laptop farm, which is a service that facilitates foreign workers impersonating US Citizens to secure remote roles in Western companies. Shoham Simon, Signia's senior VP of cyberservices, emphasized that the breach exploited a trust vulnerability rather than a code flaw, highlighting the need for detection models that account for anomalies in protocol usage and the misuse of legitimate tools. A cyber incident affecting Massachusetts based health system Covenant Health is disrupting several affiliated hospitals in New England, according to WMUR News Center Maine reports that St. Joseph Healthcare in Bangor and St. Mary's Hospital in Lewiston were both impacted and St. Joseph's has attributed the disruption to a cyber attack. WMUR says St. Joseph's Hospital in Nashua, New Hampshire is diverting ambulances to different hospitals. Coming up after the break, Dave Buettner sits down with Tim Starks, senior reporter at Cyber Scoop. They'll unpack his recent piece called Whatever We Did Was Not Enough, How Salt Typhoon slipped through the government's blind Spots. Plus, what's the story behind Victoria's secrets getting leaked? Stick around.
Dave Bittner
And now a word from our sponsor. Spy Cloud identity is the new battle battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing. To neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust. Making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com cyber from time to time, a piece of reporting cuts through the noise and lays bare not just the breach, but a breakdown, a systemic failure that affects national security, industry, trust, and how we define public private partnership in the digital age. And that is exactly what Tim Stark's recent coverage at cyberscoop has done with a deep dive into Salt Typhoon. We're going to dig into that together today. Tim, welcome. It is always great to have you with us.
Tim Starks
Yeah, great. Great to be back and thanks for the kind words.
Dave Bittner
Yeah. So let's start off with what prompted you to pursue this story. There's a lot here.
Tim Starks
So it was actually there's my story and then there's a second story that my colleague Derek Johnson did. But they both stem from the same idea, which is our editor Greg Otto said that he was flummoxed by the notion that the government officials have been saying we're not sure that Salt Typhoon will ever exit the telecommunications networks that were part of the biggest breach, arguably ever of, of the industry by those Chinese hackers. And so he wanted us to explore how that could be and why that could be. And in starting from that premise, we, we broke it out into me deciding to take a deep dive on what the government did or did not do well, in the ways that might have allowed salt Typhoon to, to get into the systems and what made it, made it hard for them to get rid of them and what, what didn't go well about the government's response in the eyes of the people who were critical of it. And then Derek's piece, I'm sure we're going to talk about less, but I just want to encourage people to read it too, is about what the telecommunications sector did that may have led to this happening and worsened it once it did happen. So that's where it started and this is where we ended.
Dave Bittner
Yeah. Well, let's dig into it from the beginning. Your story outlines how is it correct to say that the telecom companies were surprised and disappointed at the way and where the messaging came from on this one?
Tim Starks
Certainly a good number of them were. The way we started the story was just to say there were a number of large companies, I said some that first heard about this from an article in the Wall Street Journal. If you're talking about the public private partnership that we've all been talking about for decades and the government has detected this intrusion and the victims don't know about it from the government, they're upset. But then also it was kind of an interesting dynamic where just on the notifications piece, because there are several pieces of this just on the who found out about it when and from whom. There was also the issue of starting off with too little is what some of the complaints were, and then ending up with too much. So one of the things we dive into deeper in the story is about what kind of effort there was to identify victims and how that played out and who was in charge of it. But, but at least one telecom industry source pointed out to me that there was a little bit of a, to use their phrase, puppies piling on phenomenon where after they got notifications that they were victims, they were getting calls from too many agencies and getting too much demands for this and that while they were trying to, to mitigate. So it was this kind of multifaceted before, after, during problem. I do think that to the government's credit, there was at minimum an effort to address this and there was a diligent effort to address this and try to do it differently than they've done it in the past. But that doesn't mean that the outcome satisfied all the players. I mean, even the CIS official I talked to in background pointed out that, yeah, when the Wall Street Journal came out, we heard from industry. They were not happy.
Dave Bittner
Well, let's talk about the government response. As you say, you spoke to a number of people in government and granted some of them anonymity so that they could speak more freely. How do they self assess the way that this went down?
Tim Starks
Whenever you're talking to people who are, you're writing something critical about them and they potentially can be on the defensive. I think what their assessment was was that we didn't get everything perfect. You know, I talked to someone who was in the government during when the time that this was happening. That person explained a lot of the things that they did to try to respond to this. But the quote that's in the headline is, whatever we did, it wasn't enough because they didn't stop it. So that's a realistic appraisal. That was a former person, a current person said, look, we think we did a good job. The government discovered this early salt typhoon activity and without us, would, would the victims even know that it was there? Fair point. Of course, you know, there's counterpoints to that too, that we can discuss. But, but also ultimately they were, you know, they were of the mind that, you know, hey, this could have been done better. Even though we tried hard, the victim notifications still could have gone better. And then you start to get into people who are in the government now, like, you know, Christine Ohm has been making the point as head of DHS that yes, they did discover this intrusion, but they didn't really know how, how it came to be and what to do about it. And I talked to some people who were critical of that element of it that, okay, yes, cisa, through their threat hunters, discovered this in government networks. Why didn't that sound bigger alarms? Why didn't that cause more activity not just on the victim notification front, but on other things? And then of course, there were the questions of things like the beforehand. Did they, you know, there were vulnerabilities that were known here, but did they target those notifications to the communities that needed them most? Did they directly interact with telecoms? And why didn't they? It's a big complicated story that breaks down some of these things and however much you want to go into what parts of that next, I'm ready to go. But it's a sweeping story about the ways in which all of this unfolded.
Dave Bittner
How do you break down who ultimately bears responsibility here? I mean, is it and has there been much finger pointing?
Tim Starks
There has been much finger pointing, yeah. One of the cool things about the story. I'm sorry, I feel like I'm almost like talking up the story too much, but I'm going to talk about it. One of the cool things about the story that I have anything to do with was the art that's attached to it, which does have, you know, it's some visible finger pointing. You know, you'll recall that in real time. Ann Neuberger, who was the White House national security official who was lead on cyber, had said these were basic vulnerabilities that could, that were. That the telecommunications sector had or that, or that their supply chain had. And they weren't addressed. Basic hygiene didn't happen. So I think you can definitely point the finger at telecoms here. I think you can point the finger at the government about how they handled it and whether they responded as best they could have, whether they should have done more. Certainly you can blame the hackers. I was talking to somebody about this, these two, these two stories, and someone asked about why wasn't there a third. You gotta have three in a series, right? And I was like, who else would you blame? I'm like, well, the hackers, I mean, they were clever. They, you know, they, they targeted an industry that, you know, you can make the case that some, like some people did in my story that had been getting a little bit neglected because of, you know, this is something even people who were in the government at the time conceded that they were focused on the people who were really desperately in need, the people who were really far behind. And the thought was the telecom sector was further ahead. That. That may have, well have been true. But, you know, the telecom sector has vulnerabilities too. There was a. There was a section of this we kind of left on the cutting room floor which was, you know, size in cyber is both a valuable thing to have and a dangerous thing to have. It's why you see Microsoft constantly attacked. You would think Microsoft, with as much money as they have, that they would be able to address these things, but they have such a gigantic attack surface. And that's one of the things I think we learned here, is that the telecom sector was really vulnerable. And even if you don't play blame the victim, it's really possible to be hacked and to not have any culpability and for it not to be your fault. I think in this case, just in my broader assessment, I think there was fault to be found on all sides. How much individuals want to blame one side more than the other? I'm going to leave to them. But I think that there were real faults that I think our stories outlined that pointed to culpability on the telecom sector side of things and the government side of things.
Dave Bittner
And what are you seeing going forward here in terms of both real substantive changes and aspirational change?
Tim Starks
Yeah, I think there is the sort of vague things that Kristi Noem has said about how to get SISA back on mission. We haven't heard yet about how she wants to do that. Certainly we've talked about the things that are sidelines that are not really part of what our story was about. But you and I have talked about those things. But in terms of like how do you get SISSA back on mission such that if something like Salt Typhoon might happen again, how do you avoid it happening? We don't have a plan for that yet. We haven't heard that plan yet. On the government side, certainly there have been people who have been advocating for strengthening things like the Cybersecurity Information Sharing Act. We'll see whether that happens at all. But that's another idea that's out there about how that this could have been helped. I think we're going to be hearing more from Congress on that and more from Congress on their investigation. There's a House Homeland Security investigation into what really went wrong with Salt Typhoon. So I think that could produce more ideas. I think we're kind of still at the idea stage, frankly, if you think about this. You know, the public first learned about this back in September, but some of this wasn't really, we didn't really get a real sense of some of the scope of this until closer to like December. And then we had an administration change and you know, there's been some chaos there, to say the least. Above and beyond, I think the usual kind of administration change where you have turnover of personnel and you have turnover of ideas. So I think we're, I think we're behind on that for reasons that are both valid and perhaps questionable. So I think that, I think that we'll see more once some of those cards start to play out on things like Congress, its investigation, what the administration decides to do. I think that there's more to be seen there about. I think like you talked about, it's more at the aspirational phase than the deliberative. This is what we're going to do now.
Dave Bittner
Tim Starks is senior reporter at cyberscoop. We will have a link to his in depth reporting on Salt Typhoon in our show notes. Do check it out. It is worth your time. Tim Starks, thanks so much for taking the time for us today.
Tim Starks
Thank you, Big Talk. Dave.
Maria Varmazas
And for our last story, Victoria's Secret is making headlines this week, and not for reasons you might suspect, not for a new collection. Everybody just settle down. The retailer has taken its US Website offline and paused some in store services after a major cybersecurity breach was discovered over the Memorial Day weekend. Online shoppers were met with a black screen and a brief message confirming the incident as the company scrambles to investigate. With digital sales making up nearly a third of its revenue, this outage isn't just inconvenient, it is quite costly, with shares in the company dropping nearly 7% so far, Victoria's Secret hasn't revealed whether customer data was compromised, fueling plenty of speculation on that front. Experts say that the timing follows a familiar pattern, with cybercriminals often striking when staff coverage is light. Victoria's Secret says its team is working around the clock to restore operations. And as one viral song goes, I know Victoria's Secret well. Now hackers might, too. And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your teams smarter. Learn how@n2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Heltzman. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher. And I'm Maria Varmazes in for Dave Bittner. Thanks for listening.
Dave Bittner
And now a word from our sponsor, Threat Locker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
CyberWire Daily Podcast Summary: “When ‘Out of the Box’ Becomes ‘Out of Control’”
Release Date: May 29, 2025
Host: Maria Varmazas (in for Dave Bittner)
Produced by N2K Networks
Overview:
Between 2020 and 2024, U.S. Customs and Border Protection (CBP) collected DNA samples from over 133,000 migrants, including children as young as four. These genetic profiles were uploaded to the FBI’s Combined DNA Index System (CODIS), a database traditionally reserved for criminal offenders.
Key Points:
Notable Quote:
"Storing raw DNA samples indefinitely poses risks of misuse, including unauthorized profiling and surveillance." – Maria Varmazas [02:40]
Implications:
This expansion of biometric surveillance highlights the urgent need for stringent oversight and clear guidelines to protect vulnerable populations from unwarranted surveillance.
Overview:
Gray Noise uncovered a campaign that compromised over 9,000 ASUS routers, primarily targeting small office and home office (SOHO) environments.
Key Points:
Notable Quote:
"The adversaries establish persistence by enabling SSH access on a non-standard port and inserting their public SSH keys using legitimate ASUS configuration methods." – Maria Varmazas [05:10]
Implications:
The absence of malware makes detection more challenging, emphasizing the need for robust network monitoring and proactive security measures for SOHO devices.
Overview:
Google’s Threat Intelligence Group identified a new strain of malware, named Tough Progress, employed by the Chinese threat actor APT41. This malware leverages Google Calendar for command and control (C2) communications.
Key Points:
Notable Quote:
"Tough Progress creates a zero-minute calendar event at a hard-coded date, specifically May 30, 2023, with data collected from the compromised host being encrypted and written in the calendar event description." – Maria Varmazas [07:15]
Implications:
Leveraging widely trusted platforms like Google Calendar for C2 communications presents a sophisticated method for attackers to evade traditional security measures, necessitating advanced monitoring techniques.
Overview:
The Interlock ransomware gang is utilizing a new Trojan named Node Snake to target academic institutions, with recent deployments noted in two UK universities.
Key Points:
Notable Quote:
"Node Snake demonstrates typical capabilities expected from a modern-day RAT, designed for persistent access system reconnaissance and remote command execution." – Maria Varmazas [09:20]
Implications:
Academic institutions must bolster their defenses against phishing attacks and ensure robust endpoint security measures to mitigate the risks posed by advanced Trojans like Node Snake.
Overview:
Estonia has issued an international arrest warrant for a Moroccan national, Adrar Khalid, accused of hacking Allium UPI’s customer card database, impacting nearly 700,000 pharmacy customers.
Key Points:
Notable Quote:
"The breach affected data belonging to almost half of the Estonian population, exposing nearly 700,000 personal identification codes used by pharmacy customers." – Maria Varmazas [11:05]
Implications:
This incident underscores the critical importance of robust password policies and access controls to protect sensitive customer data in the healthcare sector.
Overview:
Israeli cybersecurity firm Signia uncovered a sophisticated cyber attack by a North Korean threat actor impersonating a legitimate IT employee within a Western company.
Key Points:
Notable Quote:
"The attacker established a multi-layered covert control channel enabling lateral movement, execution of malicious code, and data exfiltration, all under the guise of routine remote work activities." – Maria Varmazas [12:30]
Implications:
Organizations must enhance their monitoring for unusual activities and ensure strict verification processes to prevent impersonation and unauthorized access by malicious actors.
Overview:
A cyber incident has disrupted operations at several Covenant Health-affiliated hospitals in New England, notably impacting St. Joseph Healthcare in Bangor and St. Mary’s Hospital in Lewiston.
Key Points:
Notable Quote:
"St. Joseph's Hospital in Nashua, New Hampshire is diverting ambulances to different hospitals due to the cyber attack." – Maria Varmazas [13:50]
Implications:
Healthcare institutions must prioritize cybersecurity to protect critical infrastructure and ensure uninterrupted patient care, especially in emergency situations.
Overview:
In an exclusive interview, Dave Bittner speaks with Tim Starks, Senior Reporter at CyberScoop, about his investigative piece titled “Whatever We Did Was Not Enough: How Salt Typhoon Slipped Through the Government’s Blind Spots.”
Key Points:
Notable Quote:
"The telecommunications sector was really vulnerable. Even if you don't blame the victim, it's possible to be hacked and for it not to be your fault." – Tim Starks [19:15]
Implications:
This breach emphasizes the necessity for robust public-private partnerships, enhanced vulnerability management, and proactive strategies to safeguard critical infrastructure from sophisticated cyber threats.
Overview:
Victoria’s Secret experienced a significant cybersecurity breach over the Memorial Day weekend, resulting in the US website being taken offline and some in-store services being paused.
Key Points:
Notable Quote:
"Victoria's Secret hasn't revealed whether customer data was compromised, fueling plenty of speculation on that front." – Maria Varmazas [23:10]
Implications:
Retailers must ensure robust cybersecurity measures, especially during high-traffic periods, to protect revenue streams and maintain customer trust in the face of increasing cyber threats.
The episode “When ‘Out of the Box’ Becomes ‘Out of Control’” delves into a range of critical cybersecurity issues, from state surveillance and sophisticated malware campaigns to significant breaches affecting major industries. Through detailed analysis and expert interviews, the CyberWire Daily provides listeners with comprehensive insights into the evolving landscape of cyber threats and the imperative for robust security measures across all sectors.
Stay Informed:
For more detailed coverage and updates on these stories, visit The CyberWire and subscribe to the CyberWire Daily for your essential cybersecurity news and analysis.
End of Summary