
It was DDoS, not us.
DeepSeek blames DDoS for recent outages. Hackers behind last year’s AT&T data breach targeted members of the Trump family, Kamala Harris, and Marco Rubio’s wife. The EU sanctions Russians for cyberattacks against Estonia. ENGlobal confirms personal information was taken in last year’s ransomware attack. CISA issues a critical warning about a SonicWall vulnerability actively exploited. A large-scale phishing campaign exploits users’ trust in PDF files and the USPS. Apple patches a zero-day affecting many of their products. A ransomware attack on an Ohio-based operator of skilled nursing and rehabilitation facilities affects over 70,000. President Trump has a tumultuous first week back in office. Our guest is Bogdan Botezatu, Director, Threat Research and Reporting at Bitdefender, to discuss the dark market subculture and its parallels to holiday shopping. A nonprofit aims to clean up the AI industry’s mess.
Today is Tuesday January 28th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
DeepSeek blames DDoS for recent outages.
Chinese AI company DeepSeek attributed a registration outage to a cyberattack on its servers, which it believes was a DDoS attack. While existing users remained unaffected, new user registrations were temporarily halted. This comes as DeepSeek faces scrutiny over security vulnerabilities in its open-source R1 AI model, which the company touts as competitive with OpenAI’s ChatGPT and Google’s Gemini.
Security firm Kela reported successfully jailbreaking R1 using methods like “Evil Jailbreak” and “Leo,” which have been patched in other models. The firm also demonstrated R1’s capability to fabricate sensitive data, such as personal details of OpenAI employees. Kela highlighted R1’s unreliability, calling its outputs inaccurate and potentially harmful.
The incident has raised concerns about privacy and data security, especially given the geopolitical context of Chinese tech. Experts urge users to question data origins, ownership, and ethical training practices, echoing broader fears over foreign AI platforms.
As a side note, Ben Thompson at Stratechery has written an excellent explainer of DeepSeek and why it matters. We’ll have a link to that in the show notes.
Hackers behind last year’s AT&T data breach targeted members of the Trump family, Kamala Harris, and Marco Rubio’s wife.
Hackers behind the 2024 AT&T data breach targeted phone records tied to prominent individuals, including members of the Trump family, Kamala Harris, and Marco Rubio’s wife, according to sources cited by 404 Media. The breach, which impacted nearly all AT&T customers’ call and text metadata from May to October 2022, poses significant national security risks. Hackers planned to create a paid lookup tool for the stolen data, which they enriched using publicly available resources to associate phone numbers with names.
The breach exploited an AT&T instance of Snowflake, a data warehousing tool. Despite the severity of the attack, concerns have been raised about FCC Chairman Brendan Carr’s leniency toward telecom companies. Senator Ron Wyden criticized AT&T’s lax security and called for encrypted communication services to replace traditional telecom offerings to prevent future incidents.
The EU sanctions Russians for cyberattacks against Estonia.
The European Union sanctioned three Russian GRU officers for 2020 cyberattacks against Estonia. Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov, linked to Unit 29155, allegedly hacked Estonian ministries, stealing classified data, health records, and sensitive business information. The EU claims the attacks aimed to undermine Estonia’s security and cyber capabilities. Unit 29155, tied to global cyberespionage and sabotage, including the WhisperGate malware, is accused of targeting other EU states and Ukraine. The sanctions mark a response to escalating cyber threats.
ENGlobal confirms personal information was taken in last year’s ransomware attack.
ENGlobal Corporation, a major supplier to the energy sector, confirmed that personal information was compromised in a November 25, 2024 ransomware attack. Systems were taken offline, limiting access to essential operations for six weeks. Initially, ENGlobal reported encrypted data but did not disclose theft. A new SEC filing revealed sensitive personal information was accessed, though details on the breach’s scope remain unclear. The company has since restored systems and resumed normal operations. ENGlobal stated the attack had no material financial impact but has not identified the threat actor responsible.
CISA issues a critical warning about a SonicWall vulnerability actively exploited.
CISA has issued a critical warning about CVE-2025-23006, a vulnerability in SonicWall SMA 1000 appliances that allows remote attackers to execute commands without authentication. With a CVSS score of 9.8, this flaw, exploited in the wild, impacts versions 12.4.3-02804 and earlier. SonicWall has released a hotfix (version 12.4.3-02854) to address the issue and advises immediate updates. Organizations unable to patch should restrict AMC and CMC access to trusted IPs. The flaw’s exploitation risks full system compromise, emphasizing urgent mitigation.
A large-scale phishing campaign exploits users’ trust in PDF files and the USPS.
A large-scale phishing campaign exploits users’ trust in PDF files and the USPS to steal credentials and sensitive data, according to Zimperium researchers. Attackers send SMS messages with malicious PDFs mimicking USPS communications, embedding hidden phishing links to bypass security tools. Victims are directed to fake USPS sites, where they provide personal and payment information under the guise of resolving delivery issues.
Zimperium found over 20 malicious PDFs and 630 phishing pages targeting users across 50 countries. This tactic leverages the assumption that PDFs are safe, exploiting their widespread use in business. Attackers also impersonate other delivery services like UPS and FedEx.
Experts warn that inadequate mobile security and limited visibility into file contents make such campaigns effective.
Apple patches a zero-day affecting many of their products.
Apple has patched CVE-2025-24085, a zero-day vulnerability exploited in the wild affecting iPhones, iPads, Macs, and other devices. The flaw, a use-after-free issue in the CoreMedia component, could allow rogue apps to elevate privileges and gain system control. While details of the exploitation remain sparse, Apple confirmed it targeted older iOS versions before iOS 17.2.
The fix is available in updates for iOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3. Affected devices include iPhone XS and later, various iPad models, Apple Vision Pro, and Apple Watch Series 6 or newer.
Additional vulnerabilities patched include issues allowing unauthorized code execution via AirPlay, privilege escalation, and Safari address bar spoofing. Users are strongly advised to update to protect against potential exploits targeting unpatched devices.
A ransomware attack on an Ohio-based operator of skilled nursing and rehabilitation facilities affects over 70,000.
HCF Management, an Ohio-based operator of skilled nursing and rehabilitation facilities, is notifying 70,000 individuals affected by a ransomware attack in fall 2024. The Russian-speaking RansomHub gang claims to have stolen and published 250GB of data. The breach affected multiple facilities, with Heritage Health Care reporting the largest impact (12,162 people) and Hempfield Manor (4,744 individuals) the most affected single site.
HCF discovered unauthorized access on October 3, 2024, and later determined attackers infiltrated its systems on September 17, stealing residents’ personal and medical data, including Social Security numbers and health insurance details. The company engaged forensic experts and secured its network but now faces at least two federal class action lawsuits alleging negligence. It remains unclear if the attackers encrypted HCF’s systems during the breach.
President Trump has a tumultuous first week back in office.
On his first week back in office, President Trump shook up the nation’s cybersecurity and governance landscape with a series of controversial executive orders, according to a report from Krebs on Security. Among the most dramatic moves, he fired all members of the Cyber Safety Review Board (CSRB), a bipartisan body created to investigate major cyber incidents. The CSRB had produced key reports on crises like Log4Shell and the 2023 Microsoft Exchange breach and was in the midst of investigating Chinese cyber intrusions targeting U.S. telecoms when Trump dismissed its advisors.
Critics likened the move to halting airline crash investigations mid-flight. Meanwhile, Trump dismantled a Biden-era order on artificial intelligence safety, replacing it with a new “AI Action Plan” led by venture capitalist David Sacks. The plan focuses on maintaining U.S. AI dominance but raises concerns due to Trump’s personal ties to cryptocurrency, including his family’s recent ventures into memecoins.
Trump also pardoned January 6 rioters and revoked Biden’s disinformation governance policies and organized crime task force. These sweeping changes left many security experts questioning the future of federal cyber defense and governance under Trump’s administration.
Coming up next, we are joined by Bitdefender’s Director of Threat Research and Reporting Bogdan Botezatu to discuss the dark market subculture and its parallels to holiday shopping. And, hear about the proposal to use AI’s largest training dataset for good. We’ll be right back.
Welcome back.
A nonprofit aims to clean up the AI industry’s mess.
And finally, AI coding assistants are revolutionizing programming, but their “mystery box” training data raises ethical questions. Enter Software Heritage, the nonprofit on a mission to clean up the AI industry’s mess. Think of them as the Marie Kondo of code: they’ve collected over 22 billion source files from platforms like GitHub to create the world’s largest repository of ethically sourced code.
Their new initiative, CodeCommons, aims to make AI training datasets transparent, reproducible, and accountable. But don’t think it’s all smooth sailing—cleaning up AI’s data pipeline is like untangling a million pairs of headphones. Software Heritage must unify messy metadata, build opt-out tools for developers, and ensure that training data aligns with open-source licenses.
The team has big dreams, including creating a tool to flag when AI outputs resemble existing code. While it’s an uphill battle, they’re determined to steer AI development in a responsible direction.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.