The CyberWire Daily Podcast 5.3.24
Ep 2060 | 5.3.24

Ransomware attack turns legal attack.


A Texas operator of rehab facilities faces multiple lawsuits after a ransomware attack. Microsoft warns Android developers to steer clear of the Dirty Stream. The Feds warn of North Korean social engineering. A flaw in the R programming language has been patched. Zloader borrows stealthiness from ZeuS. The GAO highlights gaps in NASA’s cybersecurity measures. Indonesia is a spyware hot-spot. Germany summons a top Russian envoy to address cyber-attacks linked to Russian military intelligence. An Israeli PI is arrested in London following allegations of a cyberespionage campaign. In our Industry Voices segment, Allison Ritter, Senior Product Manager from Cyberbit shares her career journey, off the bench and onto the court. A cybersecurity consultant allegedly attempts to extort a one-point-five million dollar exit package. 

Today is May 3rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A Texas operator of rehab facilities faces multiple lawsuits after a ransomware attack. 

Ernest Health, a Texas-based operator of rehabilitation hospitals, is facing multiple federal class action lawsuits following a ransomware attack that compromised the sensitive data of over 101,000 individuals across its facilities in 12 states. The breach reports, filed with the U.S. Department of Health and Human Services, detail incidents of hacking involving network servers at various Ernest Health locations. The data exposed includes names, addresses, medical information, and for some, Social Security and driver's license numbers. In response, Ernest Health has implemented additional security measures and is offering affected patients complimentary credit monitoring and identity protection services. The series of lawsuits alleges negligence in failing to adequately protect patient data, putting them at risk of identity theft and other crimes. The breach has also led to fraudulent phone calls targeting patients and their families, further complicating the situation for Ernest Health.

Microsoft warns Android developers to steer clear of the Dirty Stream. 

Microsoft has issued a warning to Android app users and developers about a new attack method called Dirty Stream, which exploits a path traversal vulnerability within Android’s content provider component, particularly the 'FileProvider' class. This vulnerability can lead to the takeover of apps and theft of sensitive data. Notably affected are popular apps like Xiaomi File Manager and WPS Office, which together boast over 1.5 billion installs. The vulnerability has been identified in applications totaling four billion installations and could potentially be present in other apps. Dirty Stream allows malicious apps to overwrite files in another app's directory, facilitating arbitrary code execution and token theft. This can give attackers complete control over the app and access to user accounts. Microsoft has informed affected developers, who have patched their apps, and urges all developers to review their apps for this security flaw. Google has also published guidance for developers on handling this issue.

The Feds warn of North Korean social engineering. 

The U.S. government, including the Department of State, the FBI, and the NSA, has issued a warning about sophisticated social engineering attacks by North Korean hackers from the group Kimsuky. This group, part of North Korea's military intelligence, targets a diverse set of entities such as think tanks, academic institutions, and media organizations. Kimsuky has been exploiting email vulnerabilities, particularly poorly configured DMARC records, to spoof legitimate email domains and enhance the effectiveness of their spearphishing campaigns. The advisory details Kimsuky's tactics and offers mitigation strategies to help organizations and individuals protect against these phishing efforts. It underscores the importance of enhancing email security, monitoring for spearphishing indicators, and reporting any suspected Kimsuky-related activities as part of a broader effort to counter these state-sponsored cyber threats.

A flaw in the R programming language has been patched. 

Security researchers have identified a high-risk deserialization flaw in the R statistics programming language, which could potentially be exploited in a supply chain attack. The vulnerability, designated as CVE-2024-27322, was disclosed by HiddenLayer and has been patched by the R Foundation as of April 24. The flaw involves how R deserializes data, specifically through the readRDS serialization interface used by over 135,000 R source files, including those from major vendors like RStudio, Facebook, Google, Microsoft, and AWS. Attackers could potentially overwrite an .rdx metadata file with malicious code, leading to automatic execution when an R package is loaded. Fortunately, no attacks have been reported yet, and researchers were able to address the vulnerability promptly.

Zloader borrows stealthiness from ZeuS. 

Zloader, a modular trojan derived from the leaked ZeuS source code, has reintroduced an anti-analysis feature from the original ZeuS 2.x versions after being inactive for nearly two years. This feature prevents the malware from executing on any machine other than the one initially infected, effectively countering attempts to analyze or replicate it on different systems. It achieves this by checking for a specific registry key/value that is uniquely generated for each infection. If this check fails, Zloader terminates immediately after injecting into a new process, making detection and analysis significantly more difficult. This evolution of Zloader, noted by Zscaler in their recent analysis, highlights the malware’s increased sophistication and targeted approach to system infections.

The GAO highlights gaps in NASA’s cybersecurity measures. 

The U.S. Government Accountability Office (GAO) has identified gaps in NASA's cybersecurity measures for spacecraft acquisition, emphasizing the need for updated policies and standards. The GAO's review highlighted that while NASA has implemented cybersecurity requirements in contracts for projects like Orion and SPHEREx, the agency lacks a comprehensive plan to incorporate newer security controls consistently across all spacecraft programs. This inconsistency could lead to vulnerabilities and varied implementation of cybersecurity measures. The GAO recommends that NASA develop a clear plan with timelines to update its policies to ensure robust defense against cyber threats. This review follows NASA's issuance of a space best practices guide in 2023, which remains optional for programs. The lack of mandatory guidelines leaves NASA and its projects at potential risk of cyberattacks.

Indonesia is a spyware hot-spot. 

A report from Amnesty International reveals that Indonesia has become a significant market for spyware and surveillance technologies, compromising citizens' privacy and rights. Through a collaborative investigation with media outlets from Switzerland, Greece, Israel, and Indonesia, evidence was found of extensive sales and use of intrusive surveillance tools in Indonesia from 2017 to 2023, sourced mainly from Israel, Greece, Singapore, and Malaysia. Key suppliers include Q Cyber Technologies, Intellexa, Saito Tech, FinFisher, and Wintego Systems. Indonesian government bodies like the National Police and the National Cyber and Crypto Agency were identified as purchasers, utilizing intermediary companies in Singapore to obscure the technology's origins. Despite the pervasive deployment of these tools, Indonesia lacks robust laws to regulate their use, posing significant risks to civil rights and transparency. Amnesty has called for a global moratorium on such technology until adequate human rights safeguards are established.

Germany summons a top Russian envoy to address cyber-attacks linked to Russian military intelligence. 

Germany has summoned a top Russian envoy to address cyber-attacks linked to Russian military intelligence that targeted German entities, including members of the governing Social Democrats and sectors like defense and technology. These attacks, blamed on the hacker group APT28, exploited a vulnerability in Microsoft Outlook to compromise email servers. German Foreign Minister Annalena Baerbock declared the attacks as state-sponsored and intolerable, promising consequences. The attacks are part of a broader pattern of Russian cyber aggression that also affected the Czech Republic and other EU countries. These incidents are seen as part of Russia’s hybrid warfare strategy, which includes disinformation campaigns alongside direct cyber-attacks, posing significant threats to democracy and security in Europe.

An Israeli PI is arrested in London following allegations of a cyberespionage campaign. 

An Israeli private investigator named Amit Forlit was recently arrested in London following allegations that he conducted a cyberespionage campaign on behalf of a Washington-based public relations and lobbying firm. According to the U.S. authorities, Forlit and his companies were paid 16 million pounds ($20 million) to gather sensitive information related to the Argentinian debt crisis.

Forlit is wanted in the U.S. on multiple charges, including one count of conspiracy to commit computer hacking, one count of conspiracy to commit wire fraud, and one count of wire fraud.

Despite the serious nature of the allegations, the extradition process encountered a significant hiccup. Judge Michael Snow ruled that the extradition could not proceed because Forlit was not produced in court within the required timeframe as stipulated by British extradition law. The judge stated, "He was not produced at court as soon as practicable and the consequences of that... he must—I have no discretion—he must be discharged."

Forlit was initially detained under an Interpol red notice at London's Heathrow Airport as he attempted to board a flight to Israel. However, the exact timing of his arrest remains unclear.


Coming up, we’ve got our Industry Voices segment with Cyberbit’s Senior Product Manager Allison Ritter sharing her cybersecurity journey.

We’ll be right back.

Welcome back.

A cybersecurity consultant allegedly attempts to extort a one-point-five million dollar exit package. 

Vincent Cannady, a 57-year-old former cybersecurity consultant, was arrested for allegedly attempting to extort $1.5 million from a New York-based multinational IT company. After being fired for poor performance, Cannady used a company-issued laptop to illegally download sensitive data, including trade secrets and vulnerability lists. He then threatened to release this information unless the company paid him, citing employment discrimination. His demands escalated, involving threats to damage the company’s reputation and investor confidence by releasing the information publicly or through legal and regulatory channels. Cannady also involved the staffing firm that employed him, communicating his extortion demands and legal threats through them. Charged with extortion under 18 U.S.C. § 1951, Cannady faces a maximum sentence of 20 years in prison if convicted.

Tomorrow is May the 4th and far be it from us to pass up any opportunity to slip in a Star Wars reference, so let’s just say if you are a cybersecurity consultant and you are considering turning to the dark side,

These aren’t the files you’re looking for.
These aren’t the files we’re looking for.
It’s best to just go about your business.
It’s best to just go about our business.
Move along.

I’ve got a very bad feeling about this. May the 4th be with you. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.