The CyberWire Daily Podcast 1.17.25
Ep 2227 | 1.17.25

Hacking the bureau.

Transcript

The FBI warns agents of hacked call and text logs. The US Treasury sanctions entities tied to North Korea’s fake IT worker operations. Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine. Yubico discloses a critical vulnerability in its Pluggable Authentication Module (PAM) software. Google releases an open-source library for software composition analysis. CISA hopes to close the software understanding gap. Pumakit targets critical infrastructure. SimpleHelp patches multiple flaws in their remote access software. The FTC bans GM from selling driver data. HHS outlines their efforts to protect hospitals and healthcare. Our guest Maria Tranquilli, Executive Director at Common Mission Project, speaks with N2K’s Executive Editor Brandon Karpf about the origins and impact of Hacking for Defense. Even the best of red teamers are humbled by AI.

Today is Friday January 17th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI warns agents of hacked call and text logs. 

According to an FBI document reviewed by Bloomberg, hackers breached AT&T’s systems in 2022, stealing months of FBI agents’ call and text logs and triggering concerns about exposing confidential informants. The stolen data, including agents’ phone numbers and call details, could link investigators to their secret sources but excluded the content of communications and encrypted messaging records. AT&T disclosed the breach in July, which involved six months of customer data, following an extortion attempt by hackers.

The FBI has raced to mitigate risks to its sources and investigations, underscoring concerns about the bureau’s operational security. The breach was part of a broader campaign targeting AT&T and Snowflake customers, with hackers exploiting accounts lacking multifactor authentication. Federal prosecutors charged individuals connected to the breach and related extortion schemes. Despite efforts to secure the data, it’s unclear if the information remains at risk, raising alarms about safeguarding sensitive data in third-party systems.

The US Treasury sanctions entities tied to North Korea’s fake IT worker operations.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and four entities tied to North Korea’s scheme to generate illicit funds through fake IT worker operations. North Korean operatives used stolen identities and AI to secure IT jobs in Western countries, funneling earnings to the regime. Hundreds of companies in the U.S., UK, and Australia unknowingly hired these workers, while others were stationed in Russia, China, and beyond.

North Korea’s government withholds up to 90% of these workers’ wages, funding weapons programs, including WMDs and ballistic missiles. Sanctions target North Korean front companies Korea Osong Shipping Co. and Chonsurim Trading Corporation, as well as their leaders, Son Kyong Sik and Jong In Chol. A Chinese company, Liaoning China Trade Industry Co., was also sanctioned for supplying electronics to facilitate these activities. These operations generate hundreds of millions annually for Pyongyang’s regime.

Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine. 

The Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine, using phishing messages impersonating U.S. officials. Victims were invited to join a fake WhatsApp group, “US-Ukraine NGOs Group,” and prompted to scan a malicious QR code, giving attackers access to their messages. This marks the first use of WhatsApp by the group, which is linked to Russia’s FSB. Despite recent U.S. actions dismantling its infrastructure, Star Blizzard quickly adapted, demonstrating resilience. Their targets include government entities, nonprofits, and Ukraine aid organizations.

Yubico discloses a critical vulnerability in its Pluggable Authentication Module (PAM) software.

Yubico has disclosed a critical vulnerability, CVE-2025-23013, in its PAM (Pluggable Authentication Module) software package, specifically affecting versions of “pam-u2f” before 1.3.1. This flaw could allow attackers to bypass authentication under certain configurations, particularly when used as a single-factor authentication method or with the “nouserok” option enabled. The vulnerability, rated “High” with a CVSS score of 7.3, impacts macOS and Linux systems but does not affect Yubico hardware devices. Users should upgrade to the latest version or modify PAM configurations to mitigate risks.
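As an added illustration (not from Yubico’s advisory), the two pam-u2f configuration shapes the advisory distinguishes, written as PAM stack lines; the file paths and the surrounding password module are assumptions.

```conf
# Added illustration, not from Yubico's advisory. The authfile path and the
# pam_unix.so line are assumptions for a typical Linux PAM stack.

# RISKY SHAPE: pam_u2f is the only factor ("sufficient" ends the stack on
# success), and "nouserok" lets an account with no registered key pass the
# module. Single-factor use and "nouserok" are the two conditions the
# advisory calls out for versions before 1.3.1.
auth sufficient pam_u2f.so nouserok authfile=/etc/u2f_mappings

# HARDENED SHAPE: the security key is a required second factor after the
# password module, and "nouserok" is not set, so a user with no entry in
# the authfile fails the module instead of being waved through. "cue"
# only prompts the user to touch the key.
auth required pam_unix.so
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
```

Restructuring the stack this way addresses the configurations the advisory names; upgrading pam-u2f to 1.3.1 or later is still the fix the page recommends.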

Google releases an open-source library for software composition analysis. 

Google has released OSV-SCALIBR, an open-source Go library for software composition analysis (SCA). The tool scans software inventory, identifies vulnerabilities, and generates Software Bills of Materials (SBOMs) in SPDX and CycloneDX formats. It supports Linux, Windows, and macOS and works with OS packages, binaries, and source code. OSV-SCALIBR is used within Google for scanning live hosts, repositories, and containers and will integrate further with Google’s OSV-Scanner. Users can leverage its plugins for software extraction and vulnerability detection, with custom plugins supported.

CISA hopes to close the software understanding gap. 

The Cybersecurity and Infrastructure Security Agency (CISA), alongside federal partners, released a report titled “Closing the Software Understanding Gap,” calling for a national effort to better understand and secure software critical to infrastructure and national security. The report urges collaboration between public and private sectors to prioritize software analysis under all conditions. Recommendations include stronger security in software development, such as network segmentation, multi-factor authentication, encrypted data storage, and robust supply chain risk management. CISA also launched the ‘Vulnrichment’ program to enhance the National Vulnerability Database by adding detailed metadata for better vulnerability tracking. These measures align with CISA’s Secure by Design principles, aiming to shift the security burden from users to manufacturers, ultimately improving resilience against cyber threats to critical infrastructure systems.

Pumakit targets critical infrastructure. 

The advanced Linux rootkit Pumakit has been identified targeting critical infrastructure sectors, including telecommunications, finance, and national security. Discovered by Elastic Security Labs, Pumakit operates at the kernel level, employing sophisticated evasion techniques to remain undetected. It conceals malicious activities, ensures persistence through reboots, and disables security tools, enabling long-term access to compromised systems. Indicators of compromise include unusual kernel modules, suspicious traffic to specific IPs, and concealed processes. Organizations are urged to apply security patches, enforce multi-factor authentication, monitor for anomalies, and use Elastic’s YARA Rule for detection.

SimpleHelp patches multiple flaws in their remote access software.

Critical vulnerabilities in SimpleHelp remote access software could allow attackers to compromise servers and client machines, Horizon3.ai reports. These include a path traversal flaw (CVE-2024-57727, CVSS 7.5) enabling unauthorized file access, an arbitrary file upload vulnerability (CVE-2024-57728, CVSS 7.2) allowing remote code execution, and a privilege escalation bug (CVE-2024-57726, CVSS 9.9) enabling technicians to gain admin access. SimpleHelp patched the issues in January 2024 and urges users to update and reset admin and technician passwords promptly to mitigate risks.

The FTC bans GM from selling driver data. 

The FTC has imposed a five-year ban on General Motors (GM) and its OnStar subsidiary from selling sensitive driver data, including geolocation and driving behavior, to data brokers. The ban stems from allegations that GM misled customers about data collection and shared precise driver information, such as location and habits, without consent. This data, often sold to insurers, led to premium spikes or policy cancellations for some drivers.

The FTC settlement requires GM to obtain explicit consent for data collection, improve transparency, and provide mechanisms for consumers to delete or limit data collection. The automaker must also allow users to disable precise geolocation tracking. GM, which ended its Smart Driver program and related third-party contracts in 2023, stated the FTC order enforces stricter privacy standards beyond current laws.

HHS outlines their efforts to protect hospitals and healthcare. 

In an editorial for CyberScoop, deputy secretary of the Department of Health and Human Services Andrea Palm describes the significant steps the agency has taken to combat rising cyberattacks targeting hospitals and health systems. These attacks disrupt care, jeopardize patient safety, and erode trust. Palm says HHS has focused on three areas: policy, resources, and coordination. Policies include updated HIPAA rules and new cybersecurity requirements for medical devices. Funding efforts, like $240 million for hospital preparedness and a proposed $1.3 billion through Medicare, aim to bolster cybersecurity for under-resourced organizations. The agency also provides free training, a cybersecurity risk map, and plans to use AI to guide security improvements. HHS emphasizes a sector-wide approach to protect interconnected health systems and has enhanced incident response and collaboration with industry. Despite progress, HHS stresses continued investment and bipartisan support are crucial to strengthening cybersecurity and protecting national security.

Today, we’ve got N2K’s Executive Editor Brandon Karpf speaking with guest Maria Tranquilli, Executive Director at Common Mission Project, about the origins and impact of Hacking for Defense. And, sometimes keeping AI in check is a full-contact sport. We’ll be right back.

Welcome back.

Even the best of red teamers are humbled by AI. 

And finally, our Sisyphus desk tells us that Microsoft’s red team took a hard look at over 100 of its own generative AI products and walked away with a humbling realization: AI security is a moving target that’s never fully secure. Their paper, Lessons from Red-Teaming 100 Generative AI Products, outlines eight key lessons, with one undeniable truth: AI doesn’t just amplify existing security risks—it invents new ones.

Lesson one? Know what your AI does. Larger models follow instructions better, but that means they’re also better at following malicious ones—great for hackers, less so for defenders. Lesson two? Fancy gradient-based attacks are overrated when simpler tricks—like phishing or UI manipulation—work just fine. Lesson three? Red teaming is about uncovering novel risks, not just checking benchmarks.

Microsoft developed PyRIT, an open-source toolkit, to automate red-teaming tasks, but human input remains vital. Experts not only spot subtle vulnerabilities but also handle AI-generated horrors that would make anyone’s eyes water. (Yes, red teamers need mental health care, too.)

AI’s harms, lesson six notes, are tricky to quantify—like bias baked into image prompts showing male bosses and female secretaries, reinforcing stereotypes. Finally, lesson seven slams home: feed AI bad inputs, and it’ll gleefully produce bad outputs, including spilling sensitive data.

The takeaway? AI isn’t just a security headache—it’s the whole migraine. But hey, at least it’s job security for infosec folks, because every new AI risk is another reason to hire a defender. 

PROGRAMMING NOTE: We will not be publishing on Monday, January 20th in observance of Martin Luther King Jr. Day. Check out your CyberWire Daily podcast feed for some crossover with our T-Minus Space Daily team for an interview with Kayhan Space about data automation and space domain awareness. You won’t want to miss it.  

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.