CyberWire Daily Podcast Summary: “When ‘Out of the Box’ Becomes ‘Out of Control’”
Release Date: May 29, 2025
Host: Maria Varmazas (in for Dave Bittner)
Produced by N2K Networks
1. U.S. Customs and Border Protection’s Expanded DNA Collection
Overview:
Between 2020 and 2024, U.S. Customs and Border Protection (CBP) collected DNA samples from over 133,000 migrants, including children as young as four. These genetic profiles were uploaded to the FBI’s Combined DNA Index System (CODIS), a database traditionally reserved for criminal offenders.
Key Points:
- Age and Exceptions: Official policy restricts routine DNA collection to individuals aged 14 and older. However, CBP made numerous exceptions, often without any criminal charges.
- Privacy and Ethical Concerns: The inclusion of minors, especially U.S. citizen children, has sparked significant debate. Privacy experts warn about the risks of indefinite storage of raw DNA, including unauthorized profiling and surveillance.
- Blurring Lines: Critics argue that this practice conflates civil immigration enforcement with criminal investigation, treating undocumented migrants and their families as potential criminals.
Notable Quote:
"Storing raw DNA samples indefinitely poses risks of misuse, including unauthorized profiling and surveillance." – Maria Varmazas [02:40]
Implications:
This expansion of biometric surveillance highlights the urgent need for stringent oversight and clear guidelines to protect vulnerable populations from unwarranted surveillance.
2. ASUS Routers Compromised by Sophisticated Campaign
Overview:
GreyNoise uncovered a campaign that has compromised more than 9,000 ASUS routers, primarily in small office and home office (SOHO) environments.
Key Points:
- Attack Methods: Initial access was gained by brute-forcing credentials and through authentication-bypass techniques that had not yet been assigned Common Vulnerabilities and Exposures (CVE) identifiers.
- Exploitation: Attackers then exploited CVE-2023-39780, a command injection vulnerability, to execute arbitrary commands on the device.
- Persistence Mechanism: SSH access was enabled on a non-standard port and the attackers' public SSH keys were added through legitimate ASUS configuration methods. Because these settings live in non-volatile memory (NVRAM), the backdoor survives reboots and firmware updates; updating the firmware alone does not remove it.
- Evasion Tactics: No malware was installed. Instead, the attackers disabled logging and security features such as ASUS's Trend Micro-powered AiProtection to avoid detection.
Notable Quote:
"The adversaries establish persistence by enabling SSH access on a non-standard port and inserting their public SSH keys using legitimate ASUS configuration methods." – Maria Varmazas [05:10]
Implications:
The absence of malware makes detection more challenging, emphasizing the need for robust network monitoring and proactive security measures for SOHO devices.
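Because the backdoor is plain configuration rather than a binary, the most direct check is to read the router's configuration back and compare it against what you expect. The following is an added example (not GreyNoise's or ASUS's code) that triages an ASUSWRT `nvram show` dump for the pattern described above: SSH enabled, a non-standard port, WAN exposure, and authorized keys whose fingerprints are not on an allow-list. The variable names it checks (`sshd_enable`, `sshd_port`, `sshd_wan`, `sshd_authkeys`) are assumed ASUSWRT names and should be confirmed against your firmware version; both sample dumps are constructed.

```python
"""Added example (not GreyNoise's or ASUS's code): offline triage of an
ASUSWRT ``nvram show`` dump for the SSH persistence pattern described above.
The variable names it checks (sshd_enable, sshd_port, sshd_wan, sshd_authkeys)
are assumed ASUSWRT names; confirm them against your firmware version."""
import base64
import hashlib
import re

# Constructed sample dumps, not captured from real devices.
SUSPECT_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZXhhbXBsZQ== attacker@unknown
log_level=0
"""

CLEAN_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=0
sshd_port=22
sshd_wan=0
sshd_authkeys=
"""

# Key types and base64 blobs as they appear in an authorized_keys entry.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def parse_nvram(dump):
    """Parse ``key=value`` lines into a dict; values may themselves contain '='."""
    nv = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            nv[key.strip()] = value.strip()
    return nv


def key_fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def triage(dump, trusted_fingerprints=frozenset()):
    """Return a list of findings for one nvram dump; an empty list means nothing odd."""
    nv = parse_nvram(dump)
    findings = []
    if nv.get("sshd_enable", "0") != "0":
        findings.append("sshd enabled (sshd_enable=%s)" % nv["sshd_enable"])
    port = nv.get("sshd_port", "22")
    if port != "22":
        findings.append("sshd listening on non-standard port %s" % port)
    if nv.get("sshd_wan", "0") != "0":
        findings.append("sshd reachable from the WAN side (sshd_wan=%s)" % nv["sshd_wan"])
    for key_type, blob in KEY_RE.findall(nv.get("sshd_authkeys", "")):
        fp = key_fingerprint(blob)
        if fp not in trusted_fingerprints:
            findings.append("unrecognised %s authorized key %s" % (key_type, fp))
    return findings


if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT_DUMP), ("clean", CLEAN_DUMP)):
        print(name, triage(dump) or ["no findings"])
```

Run it against a dump taken over the router's own admin interface and keep the allow-list of fingerprints in version control so that any key you did not add stands out. If the suspect pattern appears, a firmware update will not clear it, since the settings are in NVRAM; restore the device to factory settings and re-provision it.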
3. APT41’s “Tough Progress” Malware Utilizes Google Calendar for C2
Overview:
Google's Threat Intelligence Group identified a new malware strain, which it calls TOUGHPROGRESS (rendered "Tough Progress" in the episode), used by the Chinese threat actor APT41. The malware leverages Google Calendar for command and control (C2) communications.
Key Points:
- Operation Mechanics: Upon execution, Tough Progress creates a zero-minute calendar event on a hard-coded date (May 30, 2023). Data from the compromised host is encrypted and embedded in the event description.
- Command Execution: Encrypted commands are placed in calendar events dated July 30th and 31st, 2023. The malware polls the calendar for these events, decrypts the commands, and executes them on the host.
- Response Handling: Results from executed commands are encrypted and written back to separate calendar events.
- Evasion: By using legitimate Google services, Tough Progress blends in with normal traffic, making it harder to detect malicious activities.
Notable Quote:
"Tough Progress creates a zero-minute calendar event at a hard-coded date, specifically May 30, 2023, with data collected from the compromised host being encrypted and written in the calendar event description." – Maria Varmazas [07:15]
Implications:
Leveraging widely trusted platforms like Google Calendar for C2 communications presents a sophisticated method for attackers to evade traditional security measures, necessitating advanced monitoring techniques.
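Since the traffic itself is ordinary Calendar API traffic, detection has to look at the events rather than the connections. The following is an added example (not Google's detection logic and not the malware's code) that triages Calendar events for the three traits described above: zero-duration events, events dated long before they were created, and descriptions that look like an opaque encrypted blob. It assumes the Calendar API v3 event shape (`start`/`end` carrying `dateTime` or `date`, plus `created` and `description`); the entropy, length and staleness thresholds are assumptions, and all sample events are constructed.

```python
"""Added example (not Google's or APT41's code): triage of Google Calendar
events for the TOUGHPROGRESS-style pattern described above. It assumes the
Calendar API v3 event shape (``start``/``end`` with ``dateTime`` or ``date``,
``created``, ``description``); the thresholds are assumptions, not vendor
detection logic."""
import base64
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone


def _opaque_blob(seed, nbytes=128):
    """Constructed stand-in for an encrypted payload: chained SHA-256, base64-encoded."""
    out, block = b"", seed.encode()
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:nbytes]).decode()


# Constructed sample events; nothing here was pulled from a real calendar.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Weekly sync",
     "start": {"dateTime": "2025-05-27T10:00:00Z"},
     "end": {"dateTime": "2025-05-27T10:30:00Z"},
     "created": "2025-05-20T09:00:00Z",
     "description": "Agenda: roadmap review, hiring update."},
    {"id": "evt-2", "summary": "",  # host data: zero-minute event on a hard-coded past date
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "created": "2025-05-28T14:02:11Z",
     "description": _opaque_blob("host-data")},
    {"id": "evt-3", "summary": "Dentist reminder",  # zero-minute but benign
     "start": {"dateTime": "2025-06-02T08:00:00Z"},
     "end": {"dateTime": "2025-06-02T08:00:00Z"},
     "created": "2025-05-28T15:00:00Z",
     "description": "Bring insurance card."},
    {"id": "evt-4", "summary": "",  # operator command placed on the July 30, 2023 slot
     "start": {"dateTime": "2023-07-30T00:00:00Z"},
     "end": {"dateTime": "2023-07-30T00:00:00Z"},
     "created": "2025-05-29T03:10:00Z",
     "description": _opaque_blob("command")},
]


def shannon_entropy(text):
    """Bits per character: roughly 4 for English prose, above 5 for base64 of random bytes."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _when(edge):
    """Parse a start/end edge (timed ``dateTime`` or all-day ``date``) as an aware UTC datetime."""
    raw = edge.get("dateTime") or edge["date"]
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def event_reasons(ev, blob_min_len=64, entropy_min=4.5, stale_days=365):
    """Reasons one event looks like a C2 drop; an empty list means it looks normal."""
    start, end = _when(ev["start"]), _when(ev["end"])
    created = _when({"dateTime": ev["created"]})
    reasons = []
    if end <= start:
        reasons.append("zero-duration event")
    age = (created - start).days
    if age > stale_days:
        reasons.append("dated %d days before it was created" % age)
    desc = ev.get("description", "")
    if len(desc) >= blob_min_len and shannon_entropy(desc) >= entropy_min:
        reasons.append("opaque high-entropy description (%.2f bits/char)" % shannon_entropy(desc))
    return reasons


def find_suspicious(events, min_reasons=2):
    """Return (event id, reasons) for events hitting at least ``min_reasons`` indicators."""
    hits = []
    for ev in events:
        reasons = event_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Requiring two independent indicators keeps a zero-minute reminder (evt-3) from being flagged while still catching both the host-data drop and the command event. In production the input would be the output of an `events.list` call for each workspace calendar, and the staleness check is the cheapest filter: real users rarely create events dated two years in the past.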
4. Interlock Ransomware Gang Deploys Node Snake Trojan Targeting Universities
Overview:
The Interlock ransomware gang is utilizing a new Trojan named Node Snake to target academic institutions, with recent deployments noted in two UK universities.
Key Points:
- Distribution Method: Node Snake is disseminated via phishing emails containing malicious links or attachments.
- Technical Details: Written in JavaScript and run under Node.js, the Trojan provides persistent access, system reconnaissance, and remote command execution.
- Evasion Techniques: Employs multiple evasion strategies, communicates with C2 servers via HTTP/HTTPS, and deploys secondary payloads to maintain control and facilitate further compromise.
- Impact: Recent infections have affected two UK universities, highlighting the vulnerability of the education sector to targeted attacks.
Notable Quote:
"Node Snake demonstrates typical capabilities expected from a modern-day RAT, designed for persistent access, system reconnaissance, and remote command execution." – Maria Varmazas [09:20]
Implications:
Academic institutions must bolster their defenses against phishing attacks and ensure robust endpoint security measures to mitigate the risks posed by advanced Trojans like Node Snake.
5. Massive Pharmacy Data Breach in Estonia Leads to International Arrest
Overview:
Estonia has issued an international arrest warrant for a Moroccan national, Adrar Khalid, accused of hacking Allium UPI’s customer card database, impacting nearly 700,000 pharmacy customers.
Key Points:
- Breach Details: Occurred in February 2024, exposing personal identification codes and linking pharmacy purchases to customer accounts.
- Scope: Affected data belonging to almost half of Estonia’s population, underscoring the breach's extensive impact.
- Method of Attack: Khalid accessed the database using a stolen password for an administrator account, highlighting vulnerabilities in credential management.
- Authority Response: Estonia’s Central Criminal Police are actively pursuing the suspect, emphasizing international cooperation in cybercrime enforcement.
Notable Quote:
"The breach affected data belonging to almost half of the Estonian population, exposing nearly 700,000 personal identification codes used by pharmacy customers." – Maria Varmazas [11:05]
Implications:
This incident underscores the critical importance of robust password policies and access controls to protect sensitive customer data in the healthcare sector.
6. North Korean Cyber Attack Exploits Trust Vulnerabilities in Western Companies
Overview:
Israeli cybersecurity firm Sygnia uncovered a sophisticated cyber attack by a North Korean threat actor impersonating a legitimate IT employee within a Western company.
Key Points:
- Attack Strategy: The attacker utilized standard tools like Zoom and basic network protocols to maintain a low profile.
- Access and Control: Gained entry through corporate VPN and a company-issued laptop, establishing a multi-layered covert control channel.
- Operations: Enabled lateral movement, execution of malicious code, and data exfiltration under the guise of routine remote work.
- Investigation Findings: The breach was discovered after the FBI recovered a client-issued laptop during a raid on a suspected laptop farm. These farms facilitate foreign workers impersonating U.S. citizens to secure remote roles in Western companies.
- Security Recommendations: Shoham Simon, Sygnia's Senior VP of Cyber Services, emphasized the need for detection models that account for anomalies in protocol usage and the misuse of legitimate tools.
Notable Quote:
"The attacker established a multi-layered covert control channel enabling lateral movement, execution of malicious code, and data exfiltration, all under the guise of routine remote work activities." – Maria Varmazas [12:30]
Implications:
Organizations must enhance their monitoring for unusual activities and ensure strict verification processes to prevent impersonation and unauthorized access by malicious actors.
7. Cyber Attack Disrupts Massachusetts-Based Covenant Health Hospitals
Overview:
A cyber incident has disrupted operations at several Covenant Health-affiliated hospitals in New England, notably impacting St. Joseph Healthcare in Bangor and St. Mary’s Hospital in Lewiston.
Key Points:
- Impact: St. Joseph’s Hospital in Nashua, New Hampshire, had to divert ambulances to other facilities due to the disruption.
- Nature of Attack: While specifics were not detailed, the incident underscores the vulnerability of healthcare systems to cyber threats.
- Broader Context: The episode also notes that Victoria's Secret is concurrently dealing with a significant breach (covered below), underscoring the increasing frequency and impact of cyber attacks across sectors.
Notable Quote:
"St. Joseph's Hospital in Nashua, New Hampshire is diverting ambulances to different hospitals due to the cyber attack." – Maria Varmazas [13:50]
Implications:
Healthcare institutions must prioritize cybersecurity to protect critical infrastructure and ensure uninterrupted patient care, especially in emergency situations.
8. In-Depth Interview: Tim Starks on Salt Typhoon and Victoria’s Secret Breaches
Overview:
In an exclusive interview, Dave Bittner speaks with Tim Starks, Senior Reporter at CyberScoop, about his investigative piece titled “Whatever We Did Was Not Enough: How Salt Typhoon Slipped Through the Government’s Blind Spots.”
Key Points:
- Salt Typhoon Intrusion: The intrusion, attributed to Chinese state hackers, was among the most significant compromises of the U.S. telecommunications sector.
- Government Response:
- Efforts: The government made diligent attempts to address the intrusion but ultimately failed to eradicate the Salt Typhoon presence.
- Criticism: Industry leaders and cybersecurity officials criticized the response, citing insufficient alarm and inadequate vulnerability management.
- Telecommunications Sector Vulnerabilities:
- Challenges: Even though telecom companies run relatively mature security programs, their extensive attack surfaces leave significant vulnerabilities.
- Responsibility: Both the telecom sector and government agencies bear responsibility for the breach, highlighting the complexity of attributing fault.
- Future Measures:
- Government Initiatives: Discussions around strengthening the Cybersecurity Information Sharing Act and conducting comprehensive investigations.
- Industry Response: Emphasis on improving collaboration between private sectors and government bodies to prevent future breaches.
Notable Quote:
"The telecommunications sector was really vulnerable. Even if you don't blame the victim, it's possible to be hacked and for it not to be your fault." – Tim Starks [19:15]
Implications:
This breach emphasizes the necessity for robust public-private partnerships, enhanced vulnerability management, and proactive strategies to safeguard critical infrastructure from sophisticated cyber threats.
9. Victoria’s Secret Suffers Major Cybersecurity Breach
Overview:
Victoria’s Secret experienced a significant cybersecurity breach over the Memorial Day weekend, resulting in the US website being taken offline and some in-store services being paused.
Key Points:
- Website Outage: Online shoppers encountered a black screen with a brief message confirming the incident as the company worked to restore operations.
- Financial Impact: Digital sales constitute nearly a third of Victoria’s Secret revenue. The breach led to a nearly 7% drop in the company’s shares.
- Customer Data Concerns: While the company has not confirmed whether customer data was compromised, the lack of information has fueled speculation and concern.
- Timing of Attack: Experts note the breach’s occurrence during a period when staff coverage is typically lighter, a common pattern exploited by cybercriminals.
- Company Response: Victoria’s Secret has stated that its team is working around the clock to investigate and mitigate the breach.
Notable Quote:
"Victoria's Secret hasn't revealed whether customer data was compromised, fueling plenty of speculation on that front." – Maria Varmazas [23:10]
Implications:
Retailers must ensure robust cybersecurity measures, especially during high-traffic periods, to protect revenue streams and maintain customer trust in the face of increasing cyber threats.
Conclusion
The episode “When ‘Out of the Box’ Becomes ‘Out of Control’” delves into a range of critical cybersecurity issues, from state surveillance and sophisticated malware campaigns to significant breaches affecting major industries. Through detailed analysis and expert interviews, the CyberWire Daily provides listeners with comprehensive insights into the evolving landscape of cyber threats and the imperative for robust security measures across all sectors.
Stay Informed:
For more detailed coverage and updates on these stories, visit The CyberWire and subscribe to the CyberWire Daily for your essential cybersecurity news and analysis.
End of Summary
