CyberWire Daily: Zero-day Déjà Vu
Hosted by N2K Networks
Release Date: June 3, 2025
Introduction
In today’s episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, listeners are treated to an in-depth analysis of the latest cybersecurity threats, vulnerabilities, and industry responses. The episode, titled "Zero-day Déjà Vu," covers critical security patches, emerging malware campaigns, geopolitical cyber threats, regulatory developments, and insightful interviews with industry leaders.
Zero-Day Vulnerabilities and Patches
Google Chrome Emergency Patch
At the outset, Dave Bittner discusses a critical update from Google addressing a zero-day vulnerability in Chrome's JavaScript engine.
- Summary:
Google has released an emergency patch for a zero-day vulnerability in Chrome's V8 JavaScript engine. The flaw allows out-of-bounds memory access and has been exploited in the wild three times this year, primarily for espionage and account hijacking. Google's Threat Analysis Group identified the vulnerability, and a mitigation was deployed within a day. The comprehensive fix is now available in the latest versions for Windows, Mac, and Linux. To protect users, Google is withholding full exploit details until the majority have applied the patch.
- Notable Quote:
“Google is withholding full details of the exploit until more users apply the patch.”
— Dave Bittner [00:12]
New Malware Campaigns
Fake DocuSign CAPTCHA to Deploy RATs
A sophisticated malware campaign is leveraging fake DocuSign CAPTCHA pages to deceive users into installing the NetSupport Remote Access Trojan (RAT).
- Details:
According to DomainTools, attackers create spoofed websites mimicking DocuSign branding. Users are tricked into checking a box, which triggers clipboard poisoning: a malicious PowerShell script is copied to the clipboard along with instructions for running it manually. If executed, the script downloads additional payloads, establishes persistence through GitHub-hosted malware, and installs the NetSupport RAT, granting remote control over the victim’s system. The campaign uses techniques like ROT13 encoding and script chaining to evade detection, and its domains also imitate services like Okta, Netflix, and Spotify.
- Advisory:
“DomainTools warns users to be cautious of sites prompting script execution and to inspect URLs and certificates carefully to avoid deception-based threats.”
— Dave Bittner [00:19]
Splunk Universal Forwarder Vulnerability
High-Severity Flaw in Splunk
A significant vulnerability has been identified in Splunk Universal Forwarder for Windows, posing severe risks to organizations relying on Splunk for log forwarding and security.
- Key Points:
The vulnerability allows non-admin users to modify critical directories because of improper permission settings applied during installation or upgrade. Rated CVSS 8, the flaw affects multiple versions and can lead to data breaches or tampered audit trails. Splunk has urged immediate upgrades to patched versions and has provided a mitigation that strips the vulnerable permissions, stressing that these steps must be repeated after any installation or upgrade to maintain security integrity.
- Notable Quote:
“The bug enables potential exposure or manipulation of log data, which could lead to data breaches or tampered audit trails.”
— Dave Bittner [00:24]
Geopolitical Cyber Threats
China’s Cyber Infiltration and Preparations for War
Retired Lt. Gen. H.R. McMaster has raised alarms about China’s deep infiltration into U.S. telecommunications and critical infrastructure, framing it as part of a broader strategy for potential warfare.
- Insights:
During a House Homeland Security Committee field hearing, McMaster linked cyber campaigns like Volt Typhoon to China’s expanding military capabilities, including a 44-fold increase in its defense budget and the development of first-strike nuclear capabilities. He also referenced Chinese surveillance balloons targeting U.S. strategic communications.
- Industry Perspective:
Wendi Whitmore of Palo Alto Networks echoed these concerns, noting that China, alongside Russia, Iran, and North Korea, is becoming increasingly aggressive in cyberspace. Palo Alto Networks reportedly blocks up to 31 billion attacks daily, and Whitmore emphasized the need for stronger public-private collaboration and supportive legislation to bolster joint cyber defense.
- Notable Quote:
“China, alongside Russia, Iran and North Korea, is becoming more aggressive in cyberspace.”
— Wendi Whitmore, Palo Alto Networks [00:44]
Regulatory Developments
FCC’s Proposed Ownership Reporting Rules
The Federal Communications Commission (FCC) has proposed new rules to expand ownership reporting requirements, aiming to identify and mitigate control by foreign adversaries.
- Summary:
The proposed regulations would extend ownership reporting to entities not previously required to report, including private radio license holders and video service providers. Companies would have to disclose whether they are controlled by foreign adversaries such as China, Russia, Iran, or North Korea, in particular where such parties hold a 10% or greater voting or equity interest. Non-compliance could result in fines or license revocation. The FCC is also considering periodic reporting updates, with the final rules expected to take effect by 2026.
- Legislative Action:
Senators Jim Risch and John Hickenlooper have introduced the Energy Threat Analysis Program Act to bolster cybersecurity collaboration within the US energy sector. The bill would formalize the Department of Energy’s Energy Threat Analysis Center as a central hub for cyber threat intelligence, addressing fragmented threat reporting and improving early warning and threat mitigation.
- Notable Quote:
“The goal is to improve early warnings and threat mitigation in response to increasingly complex cyber attacks.”
— Dave Bittner [00:32]
Mobile Threats
Crocodilus Android Malware Evolves
The Crocodilus Android malware has introduced a new feature that adds fake contacts to victims' phones, enabling attackers to spoof calls so they appear to come from trusted sources such as banks or friends.
- Details:
Initially observed in Turkey in early 2025, Crocodilus has since expanded globally, with victims reported on every continent. The malware now incorporates advanced social engineering tactics and enhanced evasion techniques such as code packing and local data parsing. Researchers urge users to download apps exclusively from trusted sources to mitigate these threats.
- Warning:
“Crocodilus is evolving fast, and researchers urge users to download apps only from trusted sources.”
— Dave Bittner [00:36]
Recent Incidents
SentinelOne Global Outage
SentinelOne experienced a significant outage on May 29, impacting its services for approximately 20 hours.
- Impact:
The outage affected access to the SentinelOne management console but did not compromise endpoint protection or customer data. It was caused by a flaw in a legacy infrastructure control system, triggered by a faulty configuration from a new account setup. In response, SentinelOne is accelerating its transition to a new infrastructure-as-code architecture, enhancing automated recovery processes, and improving its customer communication protocols. GovCloud customers were unaffected because their infrastructure is segregated.
- Notable Quote:
“SentinelOne has published a detailed analysis of the global outage that impacted its services...”
— Dave Bittner [00:37]
Swatting Campaign Case
A Romanian citizen, Thomasz Szabo, has pleaded guilty to orchestrating a swatting campaign that targeted around 100 individuals, including a former US president and members of Congress.
- Details:
The campaign involved making false emergency calls intended to provoke aggressive police responses, including hoax reports of murders and bomb threats at officials' residences. Szabo acted in collaboration with Serbian co-defendant Nemanja Radovanovic, whose charges are pending.
- Notable Quote:
“The indictment describes politically neutral targeting and includes a January 2024 hoax involving a fake murder and bomb threat at a former official's home.”
— Dave Bittner [00:38]
Cartier Data Breach
Luxury brand Cartier has disclosed a data breach where an unauthorized party accessed its systems, collecting names, emails, and countries of residence.
- Response:
Cartier told customers it has strengthened its cybersecurity measures and advised vigilance against any suspicious or mysterious messages. The company characterized the breach as brief and not malicious in intent, humorously noting that the data was taken “presumably not for a holiday card list.” This incident follows similar breaches disclosed by Dior and Tiffany in May.
- Notable Quote:
“Cartier advises staying wary of any mysterious messages.”
— Dave Bittner [00:39]
Featured Interviews
John Miller, CEO and Co-founder of Halcyon: Combating Ransomware and Vulnerable Drivers
Dave Bittner engages in a comprehensive discussion with John Miller, CEO and co-founder of Halcyon, focusing on ransomware threats and innovative defense mechanisms.
- Halcyon’s Focus on Anti-Ransomware:
Miller explains that Halcyon is the first company dedicated exclusively to anti-ransomware solutions. Unlike generalized cybersecurity tools that organize their defenses around frameworks like MITRE ATT&CK, Halcyon dissects ransomware behaviors to build tailored defenses that address the specific tactics used by ransomware groups.
- Ransomware as a Business Model:
“Ransomware is a business. They're all about ROI... if you build the biggest obstacle for that, you break them.”
— John Miller [14:20]
- Evolution of Ransomware Tactics:
The conversation covers the shift from traditional encryption-only ransomware to double and potentially triple extortion. Double extortion adds the threat of leaking stolen data on top of encrypting it, increasing the pressure on victims to pay. Miller anticipates triple extortion, in which attackers use AI to mine stolen data for further leverage, making attacks even more damaging.
- Notable Insight:
“With AI, it's like go through every piece of hay and separate out all the needles.”
— John Miller [19:06]
- Bring Your Own Vulnerable Driver (BYOVD) Attacks:
Miller introduces BYOVD attacks, in which attackers load outdated but still validly signed Windows drivers with known vulnerabilities to gain kernel-level access and bypass traditional Endpoint Detection and Response (EDR) systems.
- Explanation:
“Instead of going out and finding a zero-day and writing an exploit, I can take an old Windows driver that's still signed and valid.”
— John Miller [21:01]
- Halcyon’s Defensive Strategy:
Halcyon employs multiple layers of protection, including machine learning models trained specifically on ransomware behavior, to detect and halt ransomware before it can inflict significant damage. The approach emphasizes resilience: even if an attack is partially successful, recovery processes can neutralize the threat swiftly.
- Notable Quote:
“If we think it's ransomware, we kill it.”
— John Miller [23:40]
- Future of Ransomware:
The discussion concludes with Miller warning of the escalating sophistication and accessibility of ransomware, highlighting the low barrier to entry and the potential for widespread disruption in the coming years.
- Key Statement:
“The next five to 10 years are going to be not great.”
— John Miller [27:03]
Hacker Group Naming Collaboration: Clarifying the Chaos
Dave Bittner also features a dialogue with Maria Varmazis from the T-Minus Space Daily podcast, covering the collaborative effort by major cybersecurity firms to standardize hacker group nomenclature.
- Current Challenges:
The cybersecurity community faces significant confusion because different organizations use different naming conventions for the same hacker groups. This fragmentation complicates threat intelligence sharing and communication.
- Maria’s Observation:
“It feels like a good move... But I have some concerns about how this will actually work.”
— Maria Varmazis [30:40]
- Collaboration Efforts:
Microsoft, CrowdStrike, Google's Mandiant, and Palo Alto Networks have joined forces to create a unified framework for naming hacker groups. The initiative aims to act as a "Rosetta Stone" that allows cross-referencing between the existing naming schemes.
- John Miller’s Input:
“If you really want to help... include phonetic pronunciation guides for all of these.”
— John Miller [32:25]
- Implementation Concerns:
Both guests express skepticism about the practicality and effectiveness of the new standard, citing potential redundancies and maintenance challenges.
- Maria’s Concern:
“Good luck to whoever has to maintain that. That's gonna be such a nightmare...”
— Maria Varmazis [31:32]
- John’s Suggestion:
“We will be forever grateful and we will forgive you for the redundancy that this new standard seems to be introducing to the ecosystem.”
— John Miller [32:25]
Conclusion
Dave Bittner wraps up the episode by encouraging listeners to access the CyberWire daily briefing for comprehensive coverage of today’s stories. Additionally, he invites audience participation through the annual survey to gather listener insights.
- Final Note:
“For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you.”
— Dave Bittner [33:24]
Notable Advertisements Skipped
Following the structured content, the podcast includes sponsored messages from Spy Cloud, Vanta, and DeleteMe. As per the summary guidelines, these advertisements have been omitted to focus solely on the informative and analytical content of the episode.
Credits
N2K's Senior Producer: Alice Carruth
CyberWire Producer: Liz Stokes
Mixed by: Trey Hester
Original Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
This detailed summary encapsulates the key discussions, insights, and conclusions presented in the "Zero-day Déjà Vu" episode of CyberWire Daily, providing a comprehensive overview for those who may not have had the chance to listen.
