The CyberWire Daily Podcast 5.29.24
Ep 2077 | 5.29.24

Alleged leaked files expose a dirty secret.


An alleged leak of Google’s search algorithm contradicts the company’s public statements.  German researchers discover a critical vulnerability in a TP-Link router. Breachforums is back…maybe. The Seattle Public Library suffers a ransomware attack. A Georgia man gets ten years for money laundering and romance scams, and the Treasury department sanctions a group of botnet operators. 44,000 individuals are affected by the breach of a major U.S. title insurance company. Microsoft describes North Korea’s Moonstone Sleet. Advocating for a more architectural approach to cybersecurity. Maria Varmazis speaks with WiCyS Executive Director Lynn Dohm and a panel of N2K experts about the 2024 Cyber Talent Study. A cracked password results in a multimillion dollar windfall. 

Today is Wednesday May 29th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

An alleged leak of Google’s search algorithm contradicts the company’s public statements.  

A significant leak of 2,500 internal Google documents reveals detailed insights into how the company’s search algorithm functions, contradicting Google’s long-standing public statements. SEO expert Rand Fishkin, who received the documents, claims they show Google has misled the public about its ranking processes. The documents detail Google’s search API and data collection practices, offering technical insights valuable to developers and SEO professionals.

Key revelations include discrepancies about the use of Chrome data in rankings and the role of E-E-A-T (experience, expertise, authoritativeness, and trustworthiness). Despite Google’s claims that Chrome data isn’t used for ranking and E-E-A-T isn’t a ranking factor, the documents suggest otherwise. They show Google tracks author data, which may influence search results, contrary to Google’s public statements.

This leak challenges Google’s transparency, showing a complex, secretive system influencing web content and sparking calls for more critical examination of Google’s claims by journalists and the SEO industry. The U.S. government’s antitrust case against Google adds to this scrutiny, highlighting the need for greater accountability in how Google operates its search engine.

German researchers discover a critical vulnerability in a TP-Link router. 

Security researchers from German cybersecurity firm ONEKEY have discovered a critical vulnerability in TP-Link’s Archer C5400X router with a maximum severity score of 10.0. The flaw in the “rftest” network service o allows remote, unauthenticated attackers to execute arbitrary commands, compromising the device completely. Exploiting this vulnerability can let hackers inject malware or use the router for further attacks. TP-Link has released a patched version, and users should update their firmware immediately to secure their routers from potential exploitation.

Breachforums is back…maybe. 

The notorious data leak site BreachForums is back online after being seized by law enforcement. The site, including its dark web domain, has raised suspicions about whether it is a genuine revival or a law enforcement trap. The new administrator, using the handle ShinyHunters, associated with previous breaches, posted a dataset for sale allegedly from Live Nation/Ticketmaster. However, this dataset was also offered on another forum by a user named SpidermanData, raising doubts. The dataset’s size and the new requirement for user registration further fuel skepticism. The true operators behind the site remain unclear.

The Seattle Public Library suffers a ransomware attack. 

A ransomware attack on the Seattle Public Library has disrupted services, including the wireless network, staff and patron computers, and the online catalog. The incident began on Saturday, just as the library planned maintenance. Serving nearly 800,000 residents across 27 branches, the library has taken all systems offline and contacted law enforcement. There is no recovery timeline yet. Libraries remain open, lending books and CDs manually. This attack is part of a larger trend, with libraries worldwide targeted by ransomware gangs. Previous victims include The British Library and Toronto Public Library. In response, U.S. officials have proposed a program to improve library cybersecurity.

A Georgia man gets ten years for money laundering and romance scams, and the Treasury department sanctions a group of botnet operators. 

A Georgia man, Malachi Mullings, was sentenced to 10 years in prison on federal charges for laundering over $4.5 million from business email compromise (BEC) and romance fraud schemes. Mullings, 31, of Sandy Springs, used 20 bank accounts under a sham company, The Mullings Group LLC, to launder the fraud proceeds from 2019 to 2021. The schemes targeted a health care benefit program, private companies, and elderly victims. Mullings and his co-conspirators concealed the fraud proceeds and bought luxury items, including a Ferrari. He pleaded guilty in January 2023 to conspiracy to commit money laundering and multiple money laundering offenses.

The U.S. Treasury's Office of Foreign Assets Control has sanctioned three individuals—Yunhe Wang, Jingping Liu, and Yanni Zheng—for their involvement with the malicious 911 S5 botnet. This botnet compromised 19 million IP addresses, enabling cybercriminals to hide their activities, including fraudulent claims under the CARES Act and bomb threats. OFAC also sanctioned three entities, Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited, controlled by Wang. The individuals used the botnet's proceeds to purchase luxury items and real estate. These actions, taken in collaboration with international partners, highlight the ongoing efforts to disrupt cybercriminal activities and the associated money laundering risks in the real estate industry.

The OFAC sanctions freeze all U.S. assets of the alleged perpetrators and their entities, blocking access to U.S. financial systems. U.S. persons are prohibited from transactions with them, and secondary sanctions risk deters international business. These actions aim to disrupt the 911 S5 botnet's operations, cut off illicit activities, and damage their reputations. Violations of these sanctions can result in severe legal and financial penalties, effectively isolating the designated parties globally.

44,000 individuals are affected by the breach of a major U.S. title insurance company. 

First American Financial Corporation, the second-largest U.S. title insurance company, disclosed a December cyberattack that affected 44,000 individuals. Founded in 1889, the California-based firm offers financial services for real estate transactions, employs over 21,000 people, and earned $6 billion in revenue last year. The breach, revealed in a May 28 SEC filing, exposed personal data. First American will notify and offer free credit monitoring to those affected. The breach came after the company settled a $1 million penalty for a 2019 data exposure incident. 

Microsoft describes North Korea’s Moonstone Sleet. 

Microsoft has identified Moonstone Sleet, a new North Korean threat actor, targeting companies with financial and cyberespionage attacks. Formerly known as Storm-1789, Moonstone Sleet uses techniques common to North Korean actors but also employs unique methods. These include setting up fake companies and job opportunities, using trojanized tools, creating malicious games, and delivering custom ransomware. Initially overlapping with Diamond Sleet, Moonstone Sleet has since established its own infrastructure and attack strategies. Microsoft’s report details these tactics and offers recommendations for defense.

Advocating for a more architectural approach to cybersecurity. 

An editorial in CSO Online from Jon Oltsik advocates for a shift in Cybersecurity towards an architectural security approach. This means large organizations must move from product-centric solutions to a cohesive, scalable framework built on cloud-native technologies like containers, serverless functions, and APIs. This transition will enable better handling of the increasing complexity and volume of security operations.

Research shows 45% of cybersecurity professionals find their jobs more challenging now than two years ago. Challenges include a growing attack surface, evolving threats, more security alerts, and large data volumes. Cloud-native apps and new devices will further increase vulnerabilities.

Oltsik says Generative AI will assist with basic tasks but also enable more sophisticated attacks. Effective data management and automation will be crucial. Many organizations will rely on Managed Security Service Providers (MSSPs) to maintain advanced security architectures. Collective defense and cooperative security efforts will become more common, with new companies emerging to support this approach.


Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K’s comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe dive into Domain 6 which focuses on Security Assessment and Testing. You can check out a sample question in our show notes. 

Thanks Sam and Joe-don’t forget, we’ve got details on the course Joe is using to prepare for his CISSP and a sample question in our show notes. 

Today, we’ve got a group of guests for you. We welcome back Maria Varmazis to introduce you to WiCyS Executive Director Lynn Dohm and N2K's Simone Petrella, Dr. Heather Monthie, and Jeff Welgan talking about the 2024 Cyber Talent Study.

We’ll be right back

Thanks Maria and crew. You can find details about the 2024 Cyber Talent study in our show notes. Welcome back

A weak password gets cracked for three millions bucks. 

And finally, Kim Zetter writes for Wired about the tantalizing tale of Michael, a crypto owner, who two years ago asked hacker Joe Grand to recover access to $2 million in bitcoin stored in an encrypted file. Grand initially turned him down. Michael had generated his password using RoboForm, an early password manager.  He has stored the password in an encrypted file that got corrupted. This left Michael unable to access his 43.6 BTC, worth around $5,300 back in 2013.

Joe Grand, aka "Kingpin," is a hardware hacker who had successfully cracked another crypto wallet in 2022. This time, the challenge was software-based, and Michael couldn’t remember the exact date or parameters he used to generate his password.

After several failed attempts and much pestering of Michael for details, Grand and his friend Bruno discovered a flaw in the old RoboForm version used by Michael. The password generator tied passwords to the computer’s date and time, making them predictable. Using this flaw, they generated passwords from the relevant time period.

Eventually, they hit the jackpot. The correct password was generated on May 15, 2013. Michael could finally access his bitcoin, and he gladly gave Joe Grand and his partner Bruno their share of the proceeds. He sold some of it at $62,000 per coin, ending up with 30 BTC, now worth about $3 million.

He reflects, "Losing the password turned out to be a financial blessing. Otherwise, I would've sold the bitcoin at $40,000 and missed out on a greater fortune."

I found $20 in a jacket pocket once. Practically the same thing. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.