The CyberWire Daily Podcast 4.11.24
Ep 2044 | 4.11.24

Apple's worldwide warning on mercenary attacks.


Apple warns targeted users of mercenary spyware attacks. CISA expands its Malware Next-Gen service to the private sector. US Cyber Command chronicles its “hunt forward” operations. Taxi fleets leak customer data. Trend Micro tracks Deuterbear malware. The BatBadBut vulnerability enables command injection on Windows. Cybercriminals manipulate GitHub's search functionality. Scully Spider may be using AI-generated PowerShell scripts. A study from ISC2 sheds light on salary disparities. On our Threat Vector segment, host David Moulton, Director of Thought Leadership at Unit 42, welcomes Donnie Hasseltine, VP of Security at Second Front Systems and a former Recon Marine, as they delve into the indispensable role of a military mindset in cybersecurity. Guest Dr. Sasha Vanterpool, Cyber Workforce Consultant with N2K, introduces the new podcast series Cyber Talent Insights. And AI music sings the license.

Today is April 11th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Apple warns targeted users of mercenary spyware attacks. 

Apple has issued alerts to iPhone users in 92 countries, warning them of potential mercenary spyware attacks aiming to compromise devices linked to their Apple IDs. The company expressed high confidence in the detection of these targeted attacks, emphasizing their specificity towards the individuals' identities or professions. Despite the lack of details on the provocations for these alerts—due to concerns over helping attackers elude future detection—Apple reassured users of its diligent internal investigations to identify such threats. This isn't a new occurrence; since 2021, users in over 150 countries have received similar warnings, with notable alerts sent to journalists and politicians in India. If you are an iPhone user and you believe you are someone who might be a potential target for this sort of thing, you may want to check out Apple’s lockdown mode, which adds an extra layer of security protection to your iOS device. We will have a link in the show notes. 

CISA expands its Malware Next-Gen service to the private sector. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is expanding its Malware Next-Gen service to the private sector, allowing businesses to submit malware samples for analysis. Previously exclusive to government and military personnel since November, the service aims to enhance cyber threat understanding and protection. The automated system assists in analyzing and sharing cyber threat insights. Eric Goldstein, executive assistant director for cybersecurity at CISA, emphasized the program's role in improving malware detection and prevention, thereby securing critical infrastructure. The service also accepts other suspicious digital artifacts, but only authorized users can access the results. Since its launch, nearly 400 users have submitted around 1,600 files, identifying approximately 200 suspicious or malicious files and URLs. CISA is optimistic about handling an increased submission volume despite recent budgetary challenges.

US Cyber Command chronicles their “hunt forward” operations. 

In the past year, US Cyber Command (USCYBERCOM) deployed personnel to 17 countries as part of its "hunt forward" operations aimed at monitoring and deterring cyber adversaries. General Timothy D. Haugh, the commander of USCYBERCOM and director of the NSA, shared this information yesterday with the Senate Armed Services Committee. These operations, carried out by the Cyber National Mission Force (CNMF), are designed to defend the U.S. in cyberspace by deterring, disrupting, and defeating cyber threats. By assisting allies and partners in auditing their networks for intrusions and vulnerabilities, these missions help improve global cyber defenses and generate valuable insights for the U.S.'s own cyber protection. Last year, 22 hunt forward missions led to the public release of over 90 malware samples, enhancing global internet safety and challenging authoritarian regimes' cyber capabilities.

Taxi fleets leak customer data. 

iCabbi, a taxi software company, recently resolved a data breach exposing personal information of nearly 300,000 individuals in the UK and Ireland, including names, email addresses, phone numbers, and user IDs. The leak affected diverse individuals, including senior media figures, government officials, former MPs, a senior policy advisor, an EU ambassador, and around 2,000 academics. The breach, identified by cybersecurity researcher Jeremiah Fowler, was due to an unprotected database easily found via an IoT search engine's API. iCabbi's apps, serving over 800 taxi fleets in 15 countries, were linked to the exposed customer data. The company, acknowledging the breach as a result of human error during a migration process, quickly secured the database following Fowler's ethical disclosure. 

Trend Micro tracks Deuterbear malware. 

Researchers at Trend Micro are tracking the cyberespionage group Earth Hundun, which has been targeting technology and government sectors in the Asia-Pacific region for years. Earth Hundun employs complex tools like Waterbear malware, which has evolved through over 10 versions since 2009. The latest version, known as Deuterbear, introduced significant changes including anti-memory scanning and decryption routines, distinguishing it as a separate malware entity. Earth Hundun's operations involve advanced evasion techniques and the use of Waterbear for stealthy network intrusions and data exfiltration. The sophistication of these attacks underscores the necessity for enhanced cyber defense mechanisms and awareness of the evolving threat landscape, particularly for organizations within the targeted sectors.

The BatBadBut vulnerability enables command injection on Windows. 

Security engineer RyotaK (@ryotkak) from Flatt Security Inc. disclosed vulnerabilities in several programming languages that enable command injection attacks on Windows under certain conditions. Named "BatBadBut," this vulnerability arises when Windows applications that rely on the CreateProcess function to execute batch files (.bat, .cmd, etc.) do not correctly escape command arguments, allowing cmd.exe's complex parsing rules to be exploited. This issue can lead to arbitrary command execution if the application executes a command containing user-controlled input without specifying the file extension or improperly escaping arguments for cmd.exe. Despite high CVSS scores reflecting worst-case scenarios, the actual risk depends on specific application implementations. RyotaK advises developers to specify file extensions when executing commands and to properly escape user-controlled inputs, highlighting the necessity for increased awareness and mitigation efforts regarding this command injection vulnerability.
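As an added illustration, not code from the podcast or from RyotaK's advisory, here is a small Python helper that enforces the two mitigations just described before a Windows wrapper hands a command line to CreateProcess: the target must name its file extension explicitly, and any argument bound for a .bat/.cmd file is checked against a conservative allowlist rather than escaped, because cmd.exe does not recognise the C-runtime `\"` escape. The allowlist and the helper names are assumptions of this example.

```python
import ntpath
import re
import subprocess
from typing import Optional, Sequence

# Characters cmd.exe can act on even inside a double-quoted argument: '%' starts
# environment-variable expansion, '"' ends the quoted region (cmd.exe does not
# recognise the C-runtime '\"' escape), CR/LF end the command line, and the rest
# are operators, redirections or delayed-expansion markers.
CMD_META = frozenset('"%^&|<>()!\r\n\x00')

BATCH_EXTENSIONS = (".bat", ".cmd")

# Allowlist used by this example (an assumption, not a published standard):
# letters, digits and punctuation cmd.exe never treats as an operator.
SAFE_BATCH_ARG = re.compile(r"[A-Za-z0-9 _.,:=/\\-]*")


def check_batch_arg(arg: str) -> Optional[str]:
    """Return None if `arg` may be passed to a .bat/.cmd file, else the reason."""
    bad = sorted(ch for ch in set(arg) if ch in CMD_META)
    if bad:
        return f"contains cmd.exe metacharacter(s) {bad!r}"
    if SAFE_BATCH_ARG.fullmatch(arg) is None:
        return "contains characters outside the allowlist"
    return None


def build_command_line(program: str, args: Sequence[str]) -> str:
    """Build the command line a CreateProcess wrapper would pass, or raise.

    Two BatBadBut mitigations are enforced: the program must carry an explicit
    extension (so a bare name cannot be resolved to a batch file behind the
    caller's back), and if that extension is .bat/.cmd every argument must
    pass check_batch_arg(), because cmd.exe re-parses the whole line before
    the script sees it.
    """
    ext = ntpath.splitext(program)[1].lower()
    if not ext:
        raise ValueError(f"refusing {program!r}: file extension must be explicit")
    if ext in BATCH_EXTENSIONS:
        for arg in args:
            reason = check_batch_arg(arg)
            if reason:
                raise ValueError(f"refusing batch argument {arg!r}: {reason}")
    # subprocess.list2cmdline applies the Windows C-runtime quoting rules: enough
    # for .exe targets and, after the allowlist check above, harmless for batch.
    return subprocess.list2cmdline([program, *args])
```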

Cybercriminals manipulate GitHub's search functionality. 

Checkmarx tracks cybercriminals manipulating GitHub's search functionality, creating repositories with popular names and injecting malware, notably targeting cryptocurrency wallets. The attackers used automated updates and fake stars to enhance search visibility, concealing malicious code within Visual Studio project files so that it executes automatically when the project is built. The malware, resembling the "Keyzetsu clipper," is designed to establish persistence by setting up a daily scheduled task to run the executable, and it avoids detection by padding the file size. Developers are advised to exercise caution when sourcing code from public repositories, paying attention to signs of manipulation such as unusual commit frequencies and the profiles of users endorsing the repositories. 

Scully Spider may be using AI-generated PowerShell scripts. 

A threat actor, identified as TA547 and also known as Scully Spider, utilized a PowerShell script possibly created with artificial intelligence (AI) tools like OpenAI's ChatGPT, Google's Gemini, or Microsoft's Copilot, in an email campaign to distribute the Rhadamanthys information stealer to German organizations. Proofpoint researchers, who have tracked TA547 since 2017, noticed the AI-generated characteristics in the script's detailed comments and structure. This campaign, impersonating the German Metro cash-and-carry brand, marks TA547's first use of Rhadamanthys malware, which has been distributed under the malware-as-a-service (MaaS) model since September 2022. The script executed Rhadamanthys in memory, avoiding disk-based detection. This incident highlights the growing trend of cybercriminals leveraging AI for sophisticated cyberattacks, including phishing and malware deployment.

A study from ISC2 sheds light on salary disparities. 

A recent study conducted by the nonprofit organization ISC2 has shed light on salary disparities within the U.S. cybersecurity sector, revealing nuanced outcomes for women and various racial and ethnic minorities. Despite the existence of pay gaps, the cybersecurity field appears to be outperforming broader societal norms in terms of pay equity, with signs of ongoing improvement.

According to ISC2's research, which collected data from 5,915 participants in April and May 2023, the average annual salary in U.S. cybersecurity roles stands at $147,138. 

The study highlighted that gender disparities in compensation vary across different job levels within the cybersecurity field. Specifically, women in nonmanagerial to mid-advanced staff positions earn approximately 5% less than their male counterparts, and the gap widens to 9% among managerial roles. However, the tide turns at higher levels of leadership: at the director and middle-manager levels, women slightly out-earn men by 1%, and this lead increases to 4% at the C-suite and executive level.

These findings mark a positive shift from previous ISC2 studies, which had recorded gender pay gaps as high as 20%. Clar Rosso, CEO of ISC2, attributed this improvement to the cybersecurity profession making incremental progress in addressing salary imbalances. Rosso also noted the role of unconscious bias in hiring and promotion practices, suggesting that such biases contribute to pay disparities.

Despite these encouraging signs, Rosso acknowledged potential limitations in the data, particularly at the higher echelons of leadership where fewer women may have contributed responses, potentially skewing results. The study drew responses from 780 women, constituting 15% of participants, compared to 4,540 responses from men.

The ISC2 study highlights a cybersecurity industry that is gradually moving towards greater pay equity, outpacing broader societal trends. While disparities remain, especially in lower to mid-level positions, the progress at senior levels and among various racial and ethnic groups signals a promising direction for the future of cybersecurity employment.

Next up, we’ve got our Threat Vector Segment with host David Moulton from Palo Alto Networks Unit 42. David speaks with Donnie Hasseltine, VP of Security at Second Front Systems and a former Recon Marine, about the indispensable role a military mindset can play in cybersecurity. 

You can hear David’s full discussion with Donnie on Threat Vector. The link is in your show notes. Catch the show every other Thursday on the N2K CyberWire network. 

We’ve got one of our own as a guest today. Dr. Sasha Vanterpool, Cyber Workforce Consultant with N2K, introduces the new 3-part podcast series Cyber Talent Insights that launches on Friday, April 12, 2024. We’ll be right back.

Thanks for joining me, Sasha. Looking forward to hearing your first episode tomorrow in the CyberWire Daily podcast feed. The rest of the series will run the following 2 Fridays. You can read more about Cyber Talent Insights in the show notes. 


AI music sings the license. 

What you are hearing is the MIT License for open source software, set to music using the AI synthesis engine Suno. Using the prompt, “Sad girl piano ballad; jazz-trained female singer-songwriter”, the AI platform puts out what is arguably a pretty compelling bit of musical artistry. Sure, you could say it lacks soul and it sounds auto-tuned, but…does it really? Another interesting wrinkle is that the current interpretation of US copyright law says that this sort of thing is not eligible for copyright protection.

I can imagine a future where I can say, “Hey Siri, make me a new David Bowie album based on his catalog before ‘Let’s Dance.’” Will it sound authentic, or will it sound like a lame but well-meaning tribute band? And what does that mean to the estate of David Bowie, especially if AI-generated music isn’t copyright eligible?

If you’re like me and you enjoy pondering these sorts of sticky policy issues, be sure to check out the Caveat podcast where I’m joined by my cohost Ben Yelin and we do just that. 

In the meantime, if you’ll excuse me, I’m going to go listen to Station to Station…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.