When spies get spied on. - CyberWire Daily

Summary

CyberWire Daily Summary: "When Spies Get Spied On"
Release Date: August 13, 2025
Host: Dave Bittner, N2K Networks

Episode Overview

In the August 13, 2025 episode of CyberWire Daily, host Dave Bittner delves into the latest cybersecurity developments, ranging from critical vulnerability patches to sophisticated ransomware operations targeting global infrastructure. The episode features an in-depth interview with Jack Jones, the pioneer behind the Factor Analysis of Information Risk (FAIR) model, exploring advancements in cyber risk quantification. Additionally, the episode sheds light on the challenges consumers face under California law when attempting to remove their data from brokers.

Patch Tuesday: A Comprehensive Security Update

Timestamp: [00:02]

The episode kicks off with a detailed analysis of August 2025's Patch Tuesday, highlighting a surge in security updates across major technology platforms:

Microsoft patched over 100 vulnerabilities across Windows, Office, and Hyper-V, addressing 12 critical issues, including a high-severity GDI remote code execution flaw with a CVSS score of 9.8. "Although none appear actively exploited, the severity warrants immediate attention," notes Bittner.
Intel, AMD, and Nvidia issued multiple advisories:
- Intel addressed high-severity flaws in Xeon drivers and firmware, mitigating potential privilege escalations and denial-of-service attacks.
- AMD resolved issues related to stacking engine attacks and an EDK2 SMM code execution vulnerability.
- Nvidia fixed high-severity bugs in its Nemo, Isaac, and Apex tools, preventing remote code executions and data tampering in industrial systems.
Adobe released updates for over 60 vulnerabilities across 13 products, including Photoshop and InDesign, primarily fixing critical code execution flaws not yet exploited in the wild.
Fortinet and Avanti also rolled out critical patches addressing remote code executions and authentication bypasses in their respective platforms.
The Matrix Foundation patched two high-severity vulnerabilities in its open-source federated communications protocol, enhancing security for sensitive governmental and enterprise communications.

Curly Comrades: Russian-Aligned APT Targets Critical Infrastructure

Timestamp: [07:45]

Bitdefender Labs unveiled insights into Curly Comrades, a Russian-aligned Advanced Persistent Threat (APT) group active since mid-2024. This group has been targeting critical infrastructure in Georgia and Moldova, infiltrating judicial, governmental, and energy sectors to steal credentials and exfiltrate sensitive data.

Key findings include:

Utilization of the custom Mukur agent Backdoor, which bypasses AMSI to execute encrypted PowerShell scripts.
Techniques such as command hijacking of disabled engine tasks for system re-entry.
Blending legitimate utilities with custom malware using proxy relays and compromised websites for covert command and control (C2) operations.

“The stealthy, redundant infrastructure underscores both the resilience and geopolitical intent of Curly Comrades,” explains Bittner.

Recommendations:

Deployment of Extended Detection and Response (XDR) solutions.
Implementation of LOL bin monitoring and managed detection services.

Microsoft Advises Ignoring Certificate Services Client Errors

Timestamp: [09:30]

Microsoft has issued a caution to Windows 11 users regarding new certificate services client errors appearing post-July 2025 updates. Despite logs showing Error ID 57 related to a failed Microsoft Pluton cryptographic provider load, Microsoft assures users that these errors are harmless and linked to an unfinished feature. "These events do not affect system performance or security," Microsoft states, advising users to disregard the alerts.

NJRAT Malware in Fake Minecraft Clone Exposed

Timestamp: [10:58]

Point Wild's LAT61 threat intelligence team has detected a malware campaign embedding the NJRAT Remote Access Trojan (RAT) within a counterfeit Minecraft clone, specifically the Eaglecraft 1.12 offline version popular in educational and restricted environments. The RAT silently steals passwords, keystrokes, personal data, and can activate webcams and microphones.

Key Indicators:

Installation of WindowsServices.exe for persistence.
Connection to remote servers in India via Amazon's cloud infrastructure.
Evasion techniques to disable security tools like Wireshark.

Expert Advice: “Players should only download Minecraft from official sources and avoid unofficial mods or installers to prevent spyware infections and data theft,” warns Bittner.

Royal Enfield Ransomware Attack Disrupts Operations

Timestamp: [12:52]

Motorcycle manufacturer Royal Enfield has been hit by a ransomware attack, with hackers claiming to have encrypted all servers and wiped backups. This attack led to the suspension of online ordering and certain workshop services. The Chennai-based company confirmed the cybersecurity incident and initiated an internal investigation without disclosing specific details about the compromised data.

Implications:

Potential regulatory fines.
Reputational damage and loss of trust among dealers, suppliers, and customers.

DOJ's Operation Against Black Suit Ransomware Gang

Timestamp: [14:06]

The U.S. Department of Justice (DOJ) announced a significant operation against the Black Suit Ransomware Group, formerly known as Royal. This multinational effort, dubbed Operation Checkmate, involved agencies from the US, UK’s NCA, Europe, and Canada. The operation resulted in the seizure of four servers, nine domains, and $1.1 million in cryptocurrency stolen from victims who paid a $1.4 million ransom in April 2023.

Key Points:

Black Suit, active since 2022 and linked to Conti, has demanded over $500 million from victims across manufacturing, government, healthcare, and commercial sectors.
The operation emphasizes a disruption-first strategy to protect critical infrastructure and US businesses from ransomware threats.

Interview: Jack Jones on Cyber Risk Quantification and FAIR Model

Timestamp: [15:19] - [23:51]

Guest: Jack Jones, Father of the Factor Analysis of Information Risk (FAIR) model and creator of the Fair Controls Analytics Model

Discussion Highlights:

Origin of FAIR:
- Jack Jones recounts his early experiences as a Chief Information Security Officer (CISO) at Nationwide Insurance in 2000.
- Faced with the challenge of communicating risk to executives, Jones developed FAIR to quantitatively measure and present cyber risk, transforming abstract risk discussions into actionable insights.
- “I put together my strategy and went on my dog and pony show… and he said… ‘how much less risk will we have?’” (Transcript [12:52])
Adoption and Evolution:
- FAIR has been adopted as an open standard by The Open Group, with professional certifications available.
- Taught in over two dozen universities and supported by the FAIR Institute, which boasts 17,000 global members.
- “FAIR has been around for over 20 years now, and it has stood the test of time,” Jones emphasizes. (Transcript [18:00])
How FAIR Works:
- Begins by defining risk as a clearly scoped loss event scenario (e.g., operational outage due to ransomware).
- Utilizes data from internal and external experts, employing methodologies like Monte Carlo simulations and Bayesian analysis to account for uncertainty.
- Facilitates informed decision-making by presenting loss exposure and recommending cost-effective mitigation strategies.
- “Fair is still going to be perfectly capable of analyzing those… the model itself has really proven to be very resilient,” Jones states. (Transcript [15:27], [18:00])
Comparative Analysis:
- Jones acknowledges the existence of other risk models but asserts that many proprietary models resemble FAIR in structure and function.
- “Not everybody's happy with, with the notion of quantifying risk. And, to date, it has stood the test of time,” he notes. (Transcript [19:49], [21:29])
Recommendations for Adoption:
- Do your homework: Utilize resources from the FAIR Institute and The Open Group.
- Engage with the community: Reach out to experts and participate in local FAIR chapters.
- “Don’t hesitate to reach out, including reaching out to me through LinkedIn,” Jones advises. (Transcript [21:42])
Reflections on FAIR’s Success:
- Jones expresses pride in FAIR's enduring impact, attributing its success to community support and collaborative growth.
- “I’m incredibly grateful… it would not be nearly what it was or what it's turned out to be,” he reflects. (Transcript [23:51])

California Law vs. Data Brokers: The Opt-Out Maze

Timestamp: [24:00]

The episode concludes by examining the practical challenges consumers face when exercising their right to delete personal information from data brokers under California law. A review by The Markup and CalMatters revealed that out of 499 registered brokers, only 35 had accessible opt-out pages. Many brokers deliberately hid these pages from search engines using obfuscated code, rendering them virtually inaccessible.

Findings:

Hidden Opt-Out Pages: Some brokers concealed opt-out links in tiny fonts or behind multiple scrolling layers, making them as elusive as "Atlantis."
Company Responses: While some brokers removed the obscuring code after media attention, others defended their practices citing spam prevention.

“It’s all legal, of course, just not particularly findable. Which one suspects is probably the case,” Bittner concludes.

Closing Notes

Survey Announcement: CyberWire is conducting an audience survey until the end of the month. Participants can find the link in the show notes.
Production Credits:
- Senior Producer: Alice Carruth
- CyberWire Producer: Liz Stokes
- Mixing: Trey Hester
- Original Music: Elliot Heltzman
- Executive Producer: Jennifer Ibin
- Publisher: Peter Kilpe

“Thanks for listening. We'll see you back here tomorrow,” concludes Dave Bittner.

For more detailed information and links to today's stories, visit CyberWire Daily Briefing.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire Network powered by N2K. We got your patch Tuesday. Notes the Matrix foundation patches high severity vulnerabilities in its open source communications protocol. The Curly Comrades Russian aligned APT targets critical infrastructure Microsoft tells users to ignore new certificate services client errors Researchers uncover a malware campaign hiding the NJ RAT remote access Trojan in a fake Minecraft clone. Motorcycle manufacturer Royal Enfield suffers a ransomware attack. The DOJ details a major operation against the Black Suit ransomware gang. Our guest is Jack Jones, father of Factor Analysis of Information Risk and the Fair Controls Analytics Model model sharing insights on cyber risk quantification and data brokers digital hide and seek It's Wednesday, August 13, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief Foreign thanks for joining us here today. It's great as always to have you with us. August 2025's Patch Tuesday brought a major wave of security updates across the tech stack. Microsoft patched over 100 vulnerabilities spanning Windows Office Hyper V and flagged a publicly disclosed privilege escalation bug. 12 are rated critical, with the most severe being a GDI remote code execution issue with a CVSS of 9.8, though none appear actively exploited and overall exploitation is judged unlikely. Intel, AMD and Nvidia release dozens of advisories. Intel patched high severity flaws affecting Xeon drivers, firmware and networking, many enabling privilege escalation, denial of service or information disclosure. AMD fixed issues tied to research on stacking engine attacks and an EDK2 SMM code execution bug. Nvidia resolved several high severity flaws in its Nemo, Isaac, Groot, Apex and Deep learning tools that could lead to remote code execution or data tampering in the industrial and control system. Space vendors including Schneider Electric, Honeywell, abb, Phoenix, Contact and Aviva fixed code execution, privilege escalation and denial of service vulnerabilities across SCADA controllers, analytics and management tools. Several were high severity. Adobe issued Updates for over 60 vulnerabilities across 13 products, including Commerce, Photoshop, InDesign, FrameMaker, and Substance 3D tools. Many were critical code execution flaws, though none are known to be exploited in the wild. Finally, Fortinet released 14 advisories, including a critical Fortasim bug allowing unauthenticated remote code execution with a proof of concept Public, a high severity authentication bypass in fortaweb and other important fixes in fortamanager, fortamail and more were also addressed. Avanti patched two high severity authenticated RCE issues in Avalanche. The Matrix foundation has patched two high severity vulnerabilities in its open source federated communications protocol, used by governments and enterprises for sensitive discussions. The flaws could have allowed attackers to seize control of classified channels or predict room IDs, enabling them to infiltrate or redirect communications. One bug let malicious admins override a channel creator's permissions, potentially disrupting crisis coordination. The other allowed prediction of room IDs, risking authentication. Access fixes elevate room creators privileges and switch to cryptographic hashing for IDs. The off cycle embargoed update required complex coordination and delayed full disclosure to allow test. Room upgrades may cause user disruption and testing before deployment is advised. Bitdefender Labs has detailed Curly Comrades, a Russian aligned APT active since mid-2024, targeting critical infrastructure in Georgia and Moldova. The group infiltrates judicial, government, and energy entities to steal credentials, maintain persistence, and exfiltrate sensitive data. Key tools include the custom Mukur agent Backdoor, which bypasses AMSI to run encrypted PowerShell scripts, and techniques like comm hijacking of disabled engine tasks for system level reentry operations. Blend legitimate utilities with custom malware using proxy relays, Socks5 servers, and compromised websites for covert C2 credential theft exploits, NTDs, database copies, LSAs, dumps, and adapted open source tools. Data is staged, encrypted, disguised as PNGs, and updated via curl exe. The stealthy redundant infrastructure underscores resilience and geopolitical intent. Bitdefender urges XDR deployment, LOL bin monitoring, and managed detection. To counter this persistent espionage threat, Microsoft is asking Windows 11 users to ignore new certificate Services client errors appearing after the July 2025 preview and later updates. The Event Viewer logs error id 57, citing a failed Microsoft Pluton cryptographic provider load, but Microsoft says it's harmless, linked to an unfinished feature. Similar false warnings have surfaced in recent months, including Windows Firewall, BitLocker, and WinRE update errors, all without functional impact. The company confirms no action is needed, as these events don't affect system performance OR security. Point Wild's LAT61 threat intelligence team has uncovered a malware campaign hiding the Njrat remote access Trojan in a fake Minecraft clone. Eaglecraft 1.12 offline popular in schools and restricted environments, the game distracts players while NJRAT silently steals passwords, keystrokes, and personal data, and spies via webcam and microphone. The malware installs WindowsServices EXE for persistence, spawning hidden processes for command execution and payload handling. It can crash systems if security tools like wireshark are detected. The RAT connects to a remote server in India hosted on Amazon's cloud for attacker control. Given Minecraft's long history as a malware target, experts warn players to download only from official sources and avoid unofficial mods or installers to prevent spyware infections and data theft. Motorcycle manufacturer Royal Enfield has reportedly suffered a ransomware attack with hackers claiming to have encrypted all servers and wiped backups, crippling operations. Posted on an underground forum as a complete breach notice, the attack prompted temporary suspension of online ordering and some workshop services. The Chennai based company confirmed a cybersecurity incident and and launched an internal investigation, but disclosed no details on affected data. The breach risks regulatory fines, reputational damage and loss of trust among dealers, suppliers and customers in the motorcycle community. The U.S. department of justice has detailed a major operation against the Black Suit Ransomware group formerly known as Royal authorities seized four servers, nine domains and $1.1 million in cryptocurrency stolen from a vict who paid a $1.4 million ransom in April of 2023. The funds, repeatedly moved through a crypto exchange, were frozen in January 2024. This covert seizure preceded Operation Checkmate, a multinational effort involving US agencies, the UK's NCA and partners from Europe and Canada disrupting the gang's infrastructure and seizing digital assets. Active since 2022 and linked to Conti, Black Suit has demanded over $500 million from victims targeting manufacturing, government, healthcare and commercial sectors. Officials say the action reflects a disruption first strategy to protect critical infrastructure and US businesses from ransomware threats. Coming up Break my conversation with Jack Jones, father of Factor Analysis of Information Risk Fair and Data Brokers Digital Hide and Seek Stay with us.