The CyberWire Daily Podcast 5.24.24
Ep 2075 | 5.24.24

Cybercriminals target London drugs.


Lockbit drops 300 gigabytes of data from London Drugs. Video software used in courtrooms worldwide contains a backdoor. Google patches another Chrome zero-day. The EU seeks collaboration between research universities and intelligence agencies. Atlas Lion targets retailers with gift card scams. Researchers explore an Apple reappearing photo bug. Hackers access a Japanese solar power grid. Congress floats a bill to enhance cyber workforce diversity. Ben Yelin joins us with a groundbreaking legal case involving AI generated CSAM. Whistling past the expired domain graveyard.

Today is May 24th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Lockbit drops 300 gigabytes of data from London Drugs. 

Last month, cybercriminals stole files from London Drugs' head office and have now released some data after the company refused to pay a ransom. The Richmond, B.C.-based retailer said the files might contain employee information and is offering affected staff credit monitoring and identity theft protection. The hacking group LockBit claimed responsibility, releasing over 300 gigabytes of data. London Drugs, which shut down its stores temporarily, stated there's no evidence customer data was compromised. LockBit, described as the "world’s most harmful cybercrime group," has been disrupted by international law enforcement efforts, but it remains active.

Video software used in courtrooms worldwide contains a backdoor. 

A software update for JAVS Viewer 8, used by over 10,000 courtrooms worldwide, contained a hidden backdoor, researchers from Rapid7 reported. The software, part of the JAVS Suite 8, helps courtrooms record, play back, and manage audio and video from proceedings. The malicious update, available on the Justice AV Solutions (JAVS) website, allowed persistent communication with a command-and-control server, stealing passwords and system information. Users of version 8.3.7 are at high risk and should reimage affected systems and reset credentials. The update was digitally signed by “Vanguard Tech Limited” instead of the legitimate “Justice AV Solutions Inc.” JAVS confirmed the breach, removed the malicious version, and assured that current downloads are safe. 

Google patches another Chrome zero-day. 

Google has released an emergency security update for Chrome to fix the eighth zero-day vulnerability of the year. This high-severity “type confusion” flaw affects Chrome’s V8 JavaScript engine and is being actively exploited. Google advises users to update Chrome to the latest version. 

The EU seeks collaboration between research universities and intelligence agencies. 

EU member states recommend that Europe’s leading research universities collaborate more with intelligence agencies to secure their research from hostile states. This follows increased concerns over espionage, particularly from China. The recommendation aims to address research security risks from international cooperation, focusing on critical areas like advanced semiconductors, AI, quantum technologies, and biotech.

Key proposals include facilitating information exchange between research organizations and intelligence services and increasing political focus on intellectual property theft. The UK is considering security vetting for key researchers by MI5, while the US has a similar program through the National Counterintelligence and Security Center. The recommendations come amid heightened threats from Russia following its invasion of Ukraine.

Atlas Lion targets retailers with gift card scams. 

Earlier this month, the FBI warned about Storm-0539 (aka Atlas Lion), a Morocco-based cybercriminal group targeting retailers with fraudulent gift cards. Microsoft detailed the group’s tactics, highlighting their strong reconnaissance skills, cloud environment exploitation, and cost-effective operations. Storm-0539 uses fake non-profits for discounted cloud services, free trials, and compromised WordPress domains for phishing.

They gather employees’ contact details from public information, send phishing messages, and redirect victims to credential-stealing pages. They then use stolen credentials for multifactor authentication (MFA) and move laterally through networks to create and redeem fraudulent gift cards. The group’s activity increased by 30% in recent months, targeting large retailers, luxury brands, and fast-food chains. 

Researchers explore an Apple reappearing photo bug. 

Security researchers discovered that a bug in Apple’s iOS, not iCloud, caused deleted images to reappear on devices after the iOS 17.5 update. Despite widespread user reports, Apple remained silent on the issue, leading to privacy concerns. The bug, affecting images deleted months or years ago, was fixed in iOS 17.5.1 released on Monday. Analysts at Synactiv identified changes in the ‘PhotoLibraryServices’ function that reindexed old files, causing them to reappear. This finding reassures users that Apple isn’t indefinitely storing deleted files in iCloud but highlights that deleted files can persist locally until overwritten. Apple has not responded to inquiries about the bug or the researchers’ findings.

Hackers access a Japanese solar power grid. 

Japanese media reported a significant cyberattack on the solar power grid infrastructure, marking what might be the first publicly confirmed incident of its kind. Malicious actors hijacked 800 SolarView Compact remote monitoring devices, manufactured by industrial control electronics company Contec, at various solar power generation facilities. The cybercriminals used these compromised devices to engage in bank account thefts - they were after compute power.

The hacker group responsible for the attack is likely Hacker CN, also known as Arsenal Depository. South Korean security firm S2W identified Hacker CN as a group potentially based in China or Russia. This group was previously linked to hacktivist attacks targeting Japanese infrastructure, particularly after the Japanese government released contaminated water from the Fukushima nuclear power plant, under an operation termed "Operation Japan."

Though the exploitation of these remote monitoring devices did not threaten power system operations, experts caution that such intrusions could be more dangerous if highly capable adversaries gained access. 

Congress floats a bill to enhance cyber workforce diversity. 

Two U.S. House Representatives introduced the ‘Diverse Cybersecurity Workforce Act’ to create a program within CISA that encourages underrepresented communities to pursue cybersecurity careers. Sponsored by Reps. Haley Stevens and Shontel Brown, the bill mandates CISA to expand education and outreach activities, promoting cybersecurity to diverse groups. The program will target disadvantaged communities, minorities, women, people with disabilities, veterans, and more. The bill authorizes $20 million annually through 2030 and requires CISA to report on the program's efficacy. The aim is to fill cybersecurity jobs and enhance national security by diversifying the workforce. This aligns with the updated National Cybersecurity Strategy Implementation Plan.


Coming up after our break, my Caveat co host Ben Yelin joins me to discuss about a recent article involving a man arrested by the FBI for generating AI child sexual abuse Images.

We’ll be right back

Welcome back. You can find a link to the article Ben discussed in our show notes. 

Whistling past the expired domain graveyard. 

And finally, as you likely know, domain names are leased. If no one renews them, they go up for sale. This raised an eyebrow for one curious investigator in Belgium. Inti De Ceukelaire wondered about the fate of old cloud accounts tied to these expired domains.

He set off to investigate if old cloud accounts could be revived. First on the agenda: find companies and institutions whose emails vanished due to bankruptcy, mergers, or rebranding. This was a breeze, as these changes are usually publicized. 

Even more concerning, many expired domains belonged to Belgian social welfare institutions.

To save the day (and sensitive data), he bought 107 domains for a total of €850. Suddenly, his inbox was flooded with emails, including password reset links for cloud accounts, revealing access to a treasure trove of sensitive information: justice information, payment reminders, health details. 

This investigation shines a light on the ghostly dangers lurking in the digital graveyard of expired domains. The lessons learned are clear: expired domains can still harbor sensitive data, posing significant cybersecurity risks. Proper domain lifecycle management and secure decommissioning are essential to prevent these digital hauntings. Implementing robust measures, like two-factor authentication, can safeguard against unauthorized access. As our investigator’s adventure shows, vigilance is crucial in ensuring our digital past doesn’t come back to haunt us. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.