The CyberWire Daily Podcast 6.26.24
Ep 2096 | 6.26.24

LockBit picks a brawl with banks.


LockBit drops files that may or may not be from the Federal Reserve. Progress Software patches additional flaws in MOVEit file transfer software. A popular polyfill open source library has been compromised. DHS starts staffing up its AI Corps. Legislation has been introduced to evaluate the manual operations of critical infrastructure during cyber attacks. Researchers discover a new e-skimmer targeting CMS platforms. A breach at Neiman Marcus affects nearly 65,000 people. South African health services grapple with ransomware amidst a monkeypox outbreak. Medusa is back. On the Learning Layer, Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. The VA works to clear the backlog caused by the ransomware attack on Change Healthcare.

Today is Wednesday June 26th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

LockBit drops files that may or may not be from the Federal Reserve. 

Following an apparent failure in negotiations, the LockBit ransomware gang published a trove of files it claims to have stolen from the US Federal Reserve. This Russian-linked gang posted 21 links to files, including directories, torrents, and archives from Evolve Bank and Trust. Recently, the Feds accused Evolve Bancorp Inc., Evolve's parent company, of unsafe banking practices.

LockBit had threatened to release the data on June 25th if the ransom wasn't paid. They claimed to have 33 terabytes of sensitive banking information and criticized the US central bank's negotiator. Cybersecurity experts doubt LockBit’s claims, suggesting the gang seeks attention after Operation Cronos damaged its reputation. The release of Evolve's files supports this skepticism.

This month, the Federal Reserve Board issued a cease-and-desist order to Evolve Bank and Trust for deficiencies in anti-money laundering, risk management, and consumer compliance. The Federal Reserve hasn't addressed LockBit’s claims, but some data may have been collected during their investigations.

Evolve, based in Memphis, Tennessee, serves individuals and small businesses in at least 17 states and reported $1.3 billion in assets in 2022. Known for partnerships with Fintech platforms like Mastercard and Visa, Evolve is investigating the breach and cooperating with law enforcement. The bank plans to provide more information as it confirms the details.

Progress Software patches additional flaws in MOVEit file transfer software. 

Progress Software has issued a security alert about two new vulnerabilities in its MOVEit file transfer software. CVE-2024-5805 is a critical authentication bypass issue in MOVEit Gateway, and CVE-2024-5806 is a high-severity bypass flaw in MOVEit Transfer's SFTP service. Progress has released patches and advises immediate upgrades to the latest versions. Testing by Rapid7 confirmed the vulnerabilities in default configurations, highlighting risks if attackers know a username, the account can authenticate remotely, and the SFTP service is exposed.

Over 1,000 public-facing MOVEit Transfer servers are mainly in the US, and hackers are already exploiting these vulnerabilities. Previous similar vulnerabilities have led to widespread exploitation, including by the Clop ransomware gang.

A popular polyfill open source library has been compromised.

Polyfill software is a JavaScript library that enables older browsers to support modern web features by providing necessary code implementations. Researchers now say Polyfill.js, a widely-used open source library, has been compromised. Over 100K sites, including JSTOR, Intuit, and the World Economic Forum, embed it using In February, a Chinese company acquired the domain and GitHub account, subsequently injecting malware into mobile devices via these sites. Complaints on GitHub were quickly removed.

The malware, decoded by Sansec, redirects mobile users to a fake sports betting site using a domain mimicking Google Analytics. It targets specific mobile devices at certain times, avoids admin users, and delays execution when web analytics are detected. The original author advises against using Polyfill as modern browsers no longer need it. Trustworthy alternatives are available from Fastly and Cloudflare.

DHS starts staffing up its AI Corps. 

The Department of Homeland Security (DHS) has hired its first 10 members for its new 50-person AI Corps, aiming to leverage artificial intelligence across its operations. This team will focus on areas such as countering fentanyl trafficking, combating online child sexual exploitation, and enhancing cybersecurity. DHS Secretary Alejandro Mayorkas highlighted the significant interest in this initiative, which aims to safely and responsibly deploy AI within the federal government. The initial hires come from diverse backgrounds, including government, Big Tech, startups, and research communities. Mayorkas noted the stiff competition for these roles, with over 3,000 applications, facilitated by new flexible hiring practices for AI jobs.

Legislation has been introduced to evaluate the manual operations of critical infrastructure during cyber attacks.

Bipartisan legislation has been introduced in the U.S. House to create a public report for evaluating the manual operations of critical infrastructure during cyber attacks. The bill, led by Congressman Dan Crenshaw and Rep. Seth Magaziner, aims to address rising cyber threats from nations like China, Russia, Iran, and North Korea. The Contingency Plan for Critical Infrastructure Act requires the Cybersecurity and Infrastructure Security Agency (CISA) and FEMA to assess how critical infrastructure can transition to manual operation during cyber incidents and evaluate current response plans. This includes examining costs, challenges, and policy recommendations to ensure continuous operation. The bill underscores the need for private sector involvement in protecting vital systems such as water, energy, transportation, and communications.

Researchers discover a new e-skimmer targeting CMS platforms. 

Researchers at Sucuri discovered a new e-skimmer, the Caesar Cipher Skimmer, targeting e-stores using CMS platforms like WordPress, Magento, and OpenCart. This skimmer modifies the WooCommerce checkout PHP page to steal credit card data, using tactics such as mimicking Google Analytics and obfuscating code. The skimmer uses a Caesar cipher to conceal its payload by encoding the domain hosting the malicious code. Attackers registered domains with slight misspellings to evade detection. The malware connects to a remote server via WebSocket, customizing responses for each infected site. Some scripts check for logged-in WordPress users. Researchers found Russian comments in older script versions.

A breach at Neiman Marcus affects nearly 65,000 people.

Luxury retail chain Neiman Marcus has informed customers of a May cyberattack compromising a database with personal information. The breach affected 64,472 people, exposing names, contact details, dates of birth, and gift card numbers (excluding PINs). The attacker, "Sp1d3r," offered the data for sale on BreachForums, including customer shopping records and employee data. The breach is linked to the Snowflake incident, affecting multiple brands. The sale post has since disappeared from BreachForums.

South African health services grapple with ransomware amidst a monkeypox outbreak.  

South Africa’s National Health Laboratory Service (NHLS) is grappling with a ransomware attack disrupting lab result dissemination amid an outbreak of Monkeypox. The attack began Saturday, deleting system sections, including backups, requiring extensive rebuilding. The NHLS, operating 265 labs nationwide, has shut down certain systems for repairs and enlisted external cybersecurity firms. Despite functional labs, automated report generation is disabled, forcing urgent results to be communicated manually. The attack, using an unidentified ransomware strain, did not compromise patient databases. South Africa's health sector, already strained by ransomware attacks, faces increased urgency due to the mpox outbreak, with three deaths and 16 confirmed cases. The government is under pressure to enhance cybersecurity, especially as global healthcare systems face similar ransomware threats.

Medusa is back. 

The Medusa banking trojan for Android, also known as TangleBot, has re-emerged after a year of relative inactivity, targeting countries including France, Italy, the US, and the UK. Active since May, the latest campaigns use compact variants with fewer permissions and new features, like initiating transactions directly from compromised devices. Discovered by researchers at Cleafy, these campaigns involve 24 different operations using SMS phishing to distribute malware through fake apps. Medusa’s updated versions now request fewer permissions, retain keylogging and SMS manipulation capabilities, and introduce commands for actions like screen overlay and screenshot capturing. Despite no presence on Google Play, the threat is growing as its distribution methods evolve.


Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K’s comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss the CISSP's CAT format and how to walk into test day with confidence. We’ll be right back.

Welcome back. Thanks Sam and Joe and good luck to Joe! Don’t forget, we’ve got details on the course Joe is using to prepare for his CISSP and today’s sample question in our show notes. 

The VA works to clear the backlog caused by the ransomware attack on Change Healthcare.

Four months after a devastating ransomware attack on Change Healthcare, which handles prescription processing and community provider payments for the Department of Veterans Affairs (VA), efforts to clear the backlog of payments to pharmacies and medical providers are ongoing. The February 21 cyberattack disrupted services at hospitals and clinics, including those under the Defense Department and VA. Despite immediate disconnection from the affected network and thorough system checks, the VA faced a significant backlog of claims and invoices for services and prescriptions.

The attack caused delays in pharmacy services for some veterans and greatly impacted the companies managing the VA's network of community and non-network providers. This disruption led to over 1 million delayed pharmacy prescriptions and 6 million delayed invoices handled by Optum Public Sector Solutions and TriWest Healthcare Alliance.

During a press conference, VA officials shared that the backlog of pharmacy prescriptions should be cleared by August, with payments completed by October 1. They also aim to restore claims processing payments for CHAMPVA by July and regularize direct VA provider payments by February. Despite these challenges, officials reassured that patient care remains unaffected.

Some providers have struggled due to delayed payments, but VA Secretary Denis McDonough emphasized that the department prioritized payments to non-network providers, ensuring continuity of care. While the breach exposed some VA data, the full extent remains unclear, as Change Healthcare has not provided detailed information.

Cyberattacks on the U.S. healthcare industry have increased significantly, with the Department of Health and Human Services noting a 256% rise over the past five years. In response, the VA has enhanced its IT security measures and continuous training for employees to prevent future attacks.

It's frustrating to see our military veterans, who have sacrificed so much, caught in the middle of this cyberattack.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.