The CyberWire Daily Podcast 3.28.24
Ep 2034 | 3.28.24

A battle against malware.


PyPI puts a temporary hold on operations. OMB outlines federal AI governance. Germany sounds the alarm on Microsoft Exchange server updates. Cisco patches potential denial of service vulnerabilities. The US puts a big bounty on BlackCat. Darcula and Tycoon are sophisticated phishing as a service platforms. Don’t dilly-dally on the latest Chrome update. On our Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42, to discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, the need for more cybersecurity education. And Data brokers reveal alleged visitors to pedophile island.

Today is Thursday, March 28, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

PyPI puts a temporary hold on operations. 

To combat an ongoing malware upload campaign, the Python Package Index (PyPI) temporarily halted new project creations and user registrations earlier today. Researchers from Checkmarx identified a series of malicious packages linked to a typosquatting attack aimed at installing these packages via the command line. This sophisticated multi-stage attack targets the theft of cryptocurrency wallets, browser data, and various credentials. The malware, embedded within the file of each package, uses obfuscated and encrypted code to execute upon installation, retrieving further encrypted payloads designed to pilfer sensitive information. Additionally, it incorporates a mechanism to maintain its presence on infected systems across reboots. PyPI later reported the issues as being resolved, and resumed normal operations.

OMB outlines federal AI governance. 

The White House has mandated U.S. federal agencies to implement AI safeguards by December, including appointing chief AI officers and establishing AI governance boards. This directive, outlined in a memo from the Office of Management and Budget (OMB), aims to ensure responsible AI usage that benefits the public and enhances mission effectiveness, while acknowledging AI's limitations and risks. Agencies are instructed to detail AI tool usage in annual reports and make government-owned AI code public. This is in addition to completion of all actions from President Biden's AI executive order, requiring agencies to cease using non-compliant AI systems unless critical operations are at risk. The memo also emphasizes transparency, encouraging the sharing of custom-developed AI code via open-source platforms, and mentions a $5 million proposal to expand AI training within the government.

Germany sounds the alarm on Microsoft Exchange server updates. 

Germany's cybersecurity authority, the BSI, is urgently calling on thousands of organizations to update their Microsoft Exchange software, highlighting that at least 17,000 servers are at risk from critical vulnerabilities. These flaws are being exploited by cybercriminals and state actors for malware distribution, cyberespionage, and ransomware attacks. Particularly vulnerable sectors include education, healthcare, judiciary, local government, and medium-sized businesses. Despite repeated warnings and a "red" threat level declaration since 2021, many servers remain outdated, with about 12% lacking security updates and 25% running on old patch versions of Exchange 2016 and 2019. BSI President Claudia Plattner emphasized the critical need for cybersecurity prioritization, noting the unnecessary risk to IT systems, services, and sensitive data due to neglect in updating these servers.

Cisco patches potential denial of service vulnerabilities. 

Cisco announced patches for several vulnerabilities in its IOS and IOS XE software that pose a risk of unauthorized denial-of-service (DoS) attacks. The most critical flaws, with a CVSS score of 8.6. Additionally, vulnerabilities were found in the multicast DNS (mDNS), OSPF version 2 (OSPFv2), and the IS-IS protocol, all exploitable without authentication through crafted packets. A secure boot bypass in AP software, allowing modified software loading via physical access, was also patched. Seven other medium-severity issues were addressed, including privilege escalation and command injection. Cisco has not observed these vulnerabilities being exploited in the wild but urges users to update their devices promptly to prevent potential attacks.

The US puts a big bounty on BlackCat. 

The US State Department is offering a $10 million bounty for information on the 'BlackCat' ransomware group, responsible for the cyberattack on UnitedHealth. This initiative, part of the Rewards for Justice (RFJ) program, seeks details leading to the identification or location of individuals involved in state-sponsored cybercrime. The BlackCat group, also known as ALPHV, targeted UnitedHealth's tech unit Change Healthcare, affecting over 100 applications and compromising sensitive data, including medical records and payment details. The attack severely disrupted healthcare payments and treatments, with UnitedHealth only recently starting to address a $14 billion medical claims backlog. Despite claims of a $22 million ransom payment to BlackCat, it's unclear if system control was restored. 

Darcula and Tycoon are sophisticated phishing as a service platforms. 

Cybersecurity analysts at Netcraft have uncovered the use of the 'darcula' Phishing-as-a-Service (PhaaS) platform by threat actors to launch sophisticated attacks via iMessage. Darcula has supported over 20,000 phishing domains targeting more than 100 brands worldwide, primarily impersonating postal services. This service distinguishes itself by leveraging encrypted messaging platforms like iMessage and RCS for "smishing" attacks, bypassing traditional SMS scam defenses and exploiting user trust. Darcula offers easy-to-deploy phishing sites with numerous templates, monetizing through paid subscriptions. Its anti-detection measures include obfuscating malicious content paths and using domains with cloaked front pages, significantly enhancing its evasion capabilities. Researchers say about 120 new darcula domains are appearing per day in 2024.

Meanwhile, The Tycoon 2FA phishing kit, targeting Microsoft 365 and Gmail accounts, has been updated to evade detection more effectively. Active since August 2023 and discovered by Sekoia, this Phishing-as-a-Service (PhaaS) platform uses an adversary-in-the-middle (AitM) tactic to bypass Multi-Factor Authentication (MFA) by stealing session cookies. Recent enhancements to the kit's JavaScript and HTML coding, alongside improved evasion of security scans and selective traffic acceptance, make tracking Tycoon 2FA more challenging. The kit, known for sophisticated phishing attacks including email phishing links and imitation Microsoft login pages, has been linked to over 1,200 domains. These updates have made Tycoon 2FA a more formidable tool in the phishing landscape.

Don’t dilly-dally on the latest Chrome update. 

Google has updated Chrome for Windows, Mac, and Linux, addressing seven security issues. Users are advised to update Chrome promptly, especially due to a critical vulnerability, a Use After Free (UAF) flaw in the Angle component, which handles WebGL content. This vulnerability could allow attackers to exploit heap corruption via a crafted HTML page, potentially leading to compromised systems. If you can, don’t delay - update Chrome today. 


Coming up on our Threat Vector segment, host David Moulton & guest Sam Rubin discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, the need for more cybersecurity education and more. 


Data brokers track the visitors to pedophile island. 

The recent discovery from WIRED that nearly 200 mobile devices left a digital breadcrumb trail from Jeffrey Epstein’s notorious island back to their owners' homes and workplaces is a disturbing testament to the pervasive lack of privacy in our digital age. While the visitors to Epstein's "pedophile island" might have been engaging in morally reprehensible activities, the fact that their movements were tracked and exposed by data broker Near Intelligence, throws a stark light on the double-edged sword of surveillance technology.

WIRED's uncovering of this data demonstrates not just the potential for holding the corrupt accountable but also the terrifying precision with which individuals can be monitored. This capability, rooted in the murky dealings of data brokers under the lax privacy regulations of the US, shows a concerning disregard for personal boundaries. The data accurately tracked individuals from luxury accommodations to Epstein's lair, highlighting the ease with which personal movements are commodified.

This incident should serve as a wake-up call for the urgent need for robust privacy protections. While the individuals tracked to Epstein's island may not evoke sympathy due to the island's dark reputation, the broader implications for privacy rights cannot be ignored. The readiness with which detailed location data can be exploited underscores the dire consequences of the US's fragmented privacy laws compared to stronger protections like those in Europe.

The revelation about Epstein's island visitors, while showcasing the potential to uncover illicit activities, primarily exposes a gaping hole in our privacy defenses. It's a glaring example of how individuals' whereabouts, regardless of their actions, can be traced and traded like currency. This should alarm not just privacy advocates but anyone who believes in the fundamental right to personal privacy without unwarranted intrusion. The ongoing failure of Congress to pass comprehensive privacy legislation not only leaves citizens exposed to surveillance capitalism but also to the whims of any entity willing to exploit their data for gain or scrutiny.

Over on our Caveat podcast my cohost Ben Yelin and I often wonder just what it’s going to take to get our dysfunctional US congress to act on federal privacy legislation. It is a sad reality that maybe, just maybe, something like this, where the rich and powerful are caught being where they should not be, could be the thing that moves the needle. Maybe. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.