The CyberWire Daily Podcast 5.21.24
Ep 2072 | 5.21.24

The secrets of a dark web drug lord.


The alleged operator of Incognito Market is collared at JFK. The UK plans new ransomware reporting regulations. Time to update your JavaScript PDF library. CISA adds a healthcare interface engine to its Known Exploited Vulnerabilities (KEV) catalog. HHS launches a fifty million dollar program to help secure hospitals. A Fluent Bit vulnerability impacts major cloud platforms. The EPA issues a cybersecurity alert for drinking water systems. BiBi Wiper grows more aggressive. Siren is a new threat intelligence platform for open source software. On our Industry Voices segment, guest Amit Sinha, CEO of DigiCert, joins N2K’s Rick Howard to discuss “Innovation: balancing the good with the bad.” And is it just me, or does that AI assistant sound awfully familiar?

Today is Month Day, Year. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The alleged operator of Incognito Market is collared at JFK.

Rui-Siang Lin, a 23-year-old from Taiwan, was arrested for operating “Incognito Market,” an online dark web marketplace for illegal narcotics. Lin was apprehended at JFK Airport on May 18 and is set to appear in Manhattan federal court. Attorney General Merrick B. Garland noted that Lin was behind a $100 million dark web drug trafficking operation. The marketplace ran from October 2020 until its closure in March 2024, selling narcotics, including cocaine and methamphetamines, accessible globally via the Tor web browser. Lin, known online as “Pharoah,” oversaw all aspects of the marketplace, including supervising employees, vendors, and customers.

Incognito Market mimicked legitimate e-commerce sites with features like branding, advertising, and customer service, allowing users to anonymously buy and sell a variety of illegal drugs. The site required vendors to register and pay fees, with transactions facilitated through an in-site cryptocurrency bank. If convicted, Lin faces a mandatory minimum life sentence for engaging in a continuing criminal enterprise, a maximum life sentence for narcotics conspiracy, 20 years for money laundering, and five years for conspiracy to sell adulterated and misbranded medication. The FBI, HSI, DEA, FDA-OCI, and NYPD collaborated on the investigation.

The UK plans new ransomware reporting regulations. 

In an exclusive, The Record from Recorded Future reports that Britain plans a major overhaul of its ransomware response, requiring all victims to report incidents and obtain a license before paying ransoms. The proposal, part of a public consultation next month, includes banning ransom payments for critical national infrastructure to deter hackers.

The mandatory reporting aims to reveal the true extent of the problem. It’s unclear how the licensing system will work, but concerns exist about potential delays in recovery.

Public consultations will shape the final proposals, which might need new legislation post-general election. The opposition Labour Party hasn’t detailed its stance on cybersecurity. Despite criticism of the current response, the government emphasizes its preparedness and international efforts against ransomware.

Time to update your JavaScript PDF library. 

Security experts found a major vulnerability in PDF.js, a JavaScript library for displaying PDFs, maintained by Mozilla and widely used in browsers like Firefox and via NPM (pdfjs-dist).

The vulnerability involves a missing type check in font handling, allowing arbitrary JavaScript execution when a malicious PDF is opened. Discovered by Thomas Rinsma from Codean Labs, it was fixed in PDF.js on May 14, 2024.

The flaw affects all Firefox versions before 126 and poses a high risk, enabling potential XSS attacks, data breaches, and account takeovers. Developers must update to PDF.js version 4.2.67 or higher to mitigate the issue. As a temporary fix, setting ‘isEvalSupported’ to ‘false’ can disable the vulnerable code path.

CISA adds a healthcare interface engine to its Known Exploited Vulnerabilities (KEV) catalog. 

The US cybersecurity agency CISA added a vulnerability in NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog. Mirth Connect, an interface engine for healthcare information management, has a data deserialization flaw (CVE-2023-43208) allowing remote code execution. Discovered by in October 2023, the vulnerability was patched in version 4.4.1. warned the flaw is easily exploitable, posing significant risks to healthcare data. Over 1,200 internet-exposed instances were noted, with 440 still vulnerable by mid-January 2024. CISA instructed agencies to address the issue by June 10. Microsoft linked the flaw to ransomware attacks by the China-based Storm-1175 group.

HHS launches a fifty million dollar program to help secure hospitals. 

The U.S. Department of Health and Human Services (HHS) is launching a $50 million program, UPGRADE, to enhance cybersecurity for hospitals. Managed by the Advanced Research Projects Agency for Health (ARPA-H), the program aims to secure medical device systems and networks at scale. It seeks proposals from the private sector to develop a vulnerability mitigation software platform, auto-detection systems, and digital replicas of hospital equipment for testing. The initiative comes amid rising cyberattacks on healthcare, including a recent incident at Ascension. HHS emphasizes the challenge of securing diverse, internet-connected medical devices, which often cannot be patched promptly. UPGRADE aims to automate vulnerability detection and patch deployment, reducing hospital equipment downtime and enhancing patient care security.

A Fluent Bit vulnerability impacts major cloud platforms. 

Fluent Bit, a logging and metrics solution used extensively in cloud computing environments, has a newly discovered vulnerability that impacts major cloud platforms like Microsoft Azure, Google Cloud, and AWS. Cybersecurity researchers at Tenable identified the flaw, CVE-2024-4323, which could allow hackers to execute remote code or launch denial-of-service (DDoS) attacks.

Jimi Seebree of Tenable advises users to upgrade to the latest version of Fluent Bit immediately or secure its monitoring API to authorized users only. The vulnerability involves a memory corruption issue that can potentially leak sensitive information. Tenable informed Fluent Bit and major cloud providers about the flaw in May, but no public statement has been made by Fluent Bit yet. Seebree stresses the importance of regular updates, defense-in-depth measures, and the principle of least privilege to mitigate such risks.

The EPA issues a cybersecurity alert for drinking water systems. 

The US Environmental Protection Agency (EPA) issued an alert on Monday to enhance the cybersecurity of drinking water systems. Inspections since September 2023 revealed over 70% non-compliance with the Safe Drinking Water Act, with critical cyber vulnerabilities such as default passwords. The EPA recommends reducing internet exposure, conducting regular assessments, changing default passwords, inventorying IT and OT assets, developing incident response plans, backing up systems, addressing vulnerabilities, and conducting awareness training. The agency plans to increase inspections and enforce compliance through civil and criminal actions. Recent cyberattacks on water systems by state-sponsored actors from Iran, Russia, and China have prompted these measures. Security experts advise robust IoT device management and consider outsourcing security for resource-limited utilities.

BiBi Wiper grows more aggressive. 

A new version of BiBi Wiper malware now deletes the disk partition table to complicate data restoration and extend downtime. Linked to the Iranian hacking group Void Manticore (Storm-842), suspected of affiliations with Iran's Ministry of Intelligence and Security, BiBi Wiper has targeted Israel and Albania. Security Joes first identified BiBi Wiper in October 2023, leading to an alert from Israel's CERT in November 2023. A Check Point Research report reveals newer variants and two other custom wipers, Cl Wiper and Partition Wiper, used by Void Manticore. The group uses fake personas like 'Karma' and 'Homeland Justice' on Telegram to amplify damage, and often cooperates with another group, Scarred Manticore, for initial access and subsequent attacks.

Siren is a new threat intelligence platform for open source software. 

The Open Source Security Foundation (OpenSSF) has launched Siren, a centralized platform for sharing threat intelligence to enhance the security of open source projects. Open source software, which powers up to 90% of modern applications, faces increased threats from cyber actors. Siren addresses the need for efficient communication about exploits by providing real-time updates, following TLP:CLEAR guidelines for transparent information sharing, and fostering community-driven collaboration. This initiative aims to improve cybersecurity defenses and awareness within the open source community. Developers, maintainers, and security enthusiasts are encouraged to join Siren to help build a more resilient and secure open source ecosystem.

Coming up after the break, we’ve got our Industry Voices segment. N2K’s Rick Howard caught up with DigiCert’s CEO Amit Sinha at the RSA Conference recently. They discuss “Innovation: balancing the good with the bad.”  We’ll be right back.

Welcome back. You can find more information about Amit Sinha and DigiCert in today’s show notes. 

And boy, does that AI assistant sound familiar. 

And finally, Just before OpenAI unveiled its new, flirty voice assistant, CEO Sam Altman made another unsuccessful attempt to get Scarlett Johansson to license her voice. Johansson had already turned down a similar request earlier in the year. Despite her refusals, the assistant, named "Sky," sounded uncannily like Johansson, prompting her to hire a lawyer and demand OpenAI stop using the voice. OpenAI paused "Sky" and clarified that the voice was from a different actress, not intended to mimic Johansson.

This episode is eerily reminiscent of Johansson’s role in the film "Her," where she voices an AI assistant. Altman even hinted at this parallel in a cryptic post on X with the word “her.” Johansson's public statement and the subsequent legal tussle add to her recent history of high-profile disputes, including a notable lawsuit against Disney over the release strategy for "Black Widow."

OpenAI, facing criticism and multiple copyright suits, including from the Authors Guild of America and The New York Times, insists that Sky's voice was not intended to resemble Johansson’s. They claimed to have cast the voice actor before reaching out to Johansson. Meanwhile, OpenAI continues to prepare for the launch of their latest technology, GPT-4o, emphasizing their commitment to not deliberately mimicking celebrity voices.

Despite this, Johansson received numerous messages from friends and the public noting the similarity, adding fuel to the controversy. Critics and tech observers continue to debate the ethics and implications of AI-generated voices, especially when they so closely resemble those of well-known personalities.

I have reached out to Scarlett Johannson for an interview, but she has not responded to my numerous emails. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.