
Pay the ransom or risk data carnage.
Qilin ransomware gang claims responsibility for attack against Lee Enterprises. Thai police arrest suspected hacker behind more than 90 data leaks. JavaGhost uses compromised AWS environments to launch phishing campaigns. Lotus Blossom cyberespionage campaigns target Southeast Asia. Malware abuses Microsoft dev tunnels for C2 communication. Protecting the food supply. Today’s guest is Keith Mularski, Chief Global Ambassador at Qintel and former FBI Special Agent, discussing crypto being the target of the cyber underground. And an interview with Iron Man?
Today is Friday, February 28th, 2025. I’m Maria Varmazis, host of T-Minus Space Daily in for Dave Bittner. And this is your CyberWire Intel Briefing.
Qilin ransomware gang claims responsibility for attack against Lee Enterprises.
The Qilin ransomware group yesterday claimed responsibility for an attack against Iowa-based newspaper publisher Lee Enterprises, SecurityWeek reports. The group claims to have stolen around 350 GB of data, including "investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information." Qilin is threatening to publish the data on March 5th unless the company pays the ransom.
Lee Enterprises, which publishes more than 350 newspapers across 25 US states, sustained a cyberattack on February 3rd which disrupted at least 75 of its publications. The company has avoided using the term "ransomware," but it did mention in an SEC filing that the attackers "encrypted critical applications and exfiltrated certain files."
Thai police arrest suspected hacker behind more than 90 data leaks.
Police in Thailand have arrested a 39-year-old Singaporean man suspected of involvement in over ninety data leaks, SecurityWeek reports. Group-IB, which assisted in the joint operation between the Royal Thai Police and the Singapore Police Force, said in a press release, "the arrested individual was one of the most active cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India and many more."
The security firm added, "The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public. If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the aim of inflicting greater reputational and financial damage on his victims. Later he also asserted pressure on his victims by sending direct customer notifications via email or via instant messengers to force them into submission."
JavaGhost uses compromised AWS environments to launch phishing campaigns.
Palo Alto Networks' Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. Once they've gained access, the attackers use the victim's Amazon Simple Email Service (SES) and WorkMail services to send out phishing emails. Since the emails are sent from a legitimate source, they're more likely to bypass security filters.
To defend against these attacks, Unit 42 recommends that AWS users limit access to administrative rights, rotate IAM credentials regularly, use short-term/just-in-time access tokens, and enable multi-factor authentication.
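As an added illustration of the "rotate IAM credentials regularly" recommendation (this is example code, not Unit 42's or AWS's own tooling): a small audit that flags active IAM access keys older than a rotation limit. The sample key records are constructed to mirror the AccessKeyMetadata shape that the IAM ListAccessKeys API returns, the key IDs are placeholders, and the 90-day limit is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data (not real AWS output) in the shape of the
# AccessKeyMetadata entries returned by the IAM ListAccessKeys API.
# The key IDs are placeholders, not real credentials.
SAMPLE_KEYS = [
    {"UserName": "ci-deployer", "AccessKeyId": "AKIAPLACEHOLDER00001",
     "Status": "Active", "CreateDate": datetime(2024, 1, 15, tzinfo=UTC)},
    {"UserName": "analyst", "AccessKeyId": "AKIAPLACEHOLDER00002",
     "Status": "Active", "CreateDate": datetime(2025, 1, 20, tzinfo=UTC)},
    {"UserName": "legacy-app", "AccessKeyId": "AKIAPLACEHOLDER00003",
     "Status": "Inactive", "CreateDate": datetime(2023, 6, 1, tzinfo=UTC)},
    {"UserName": "backup-job", "AccessKeyId": "AKIAPLACEHOLDER00004",
     "Status": "Active", "CreateDate": datetime(2024, 11, 1, tzinfo=UTC)},
]


def key_age_days(key, now):
    """Age of an access key in whole days at time `now`."""
    return (now - key["CreateDate"]).days


def stale_access_keys(keys, now, max_age_days=90):
    """Return active keys older than max_age_days, oldest first.

    Inactive keys are skipped: they cannot be used to sign requests, so the
    right action for them is deletion rather than rotation.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = [k for k in keys
             if k["Status"] == "Active" and k["CreateDate"] < cutoff]
    return sorted(stale, key=lambda k: k["CreateDate"])


def rotation_report(keys, now, max_age_days=90):
    """One human-readable line per stale key: user, key id, age in days."""
    return [
        f'{k["UserName"]}: {k["AccessKeyId"]} is {key_age_days(k, now)} days old '
        f"(limit {max_age_days})"
        for k in stale_access_keys(keys, now, max_age_days)
    ]


def fetch_live_keys():
    """Collect AccessKeyMetadata for every IAM user in the account.

    Uses boto3's ListUsers and ListAccessKeys paginators and needs credentials
    with iam:ListUsers and iam:ListAccessKeys. Not called by the offline demo.
    """
    import boto3  # imported here so the offline demo needs no AWS SDK

    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            pages = iam.get_paginator("list_access_keys").paginate(
                UserName=user["UserName"])
            for kpage in pages:
                keys.extend(kpage["AccessKeyMetadata"])
    return keys


if __name__ == "__main__":
    for line in rotation_report(SAMPLE_KEYS, datetime(2025, 2, 28, tzinfo=UTC)):
        print(line)
```

Swapping `SAMPLE_KEYS` for `fetch_live_keys()` turns this into a scheduled check; a key that is both old and unused (see the IAM last-used data) is the strongest candidate for removal rather than rotation, since it is exactly the kind of forgotten long-term credential that gives an actor like JavaGhost its initial entry.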
Lotus Blossom cyberespionage campaigns target Southeast Asia.
Cisco Talos is tracking multiple cyberespionage campaigns by the Lotus Blossom threat actor, targeting government, manufacturing, telecommunications, and media entities in Vietnam, Taiwan, Hong Kong, and the Philippines. The researchers note that the operation "appears to have achieved significant success." The campaigns involve the Sagerunex remote access tool, which is exclusively used by Lotus Blossom. The Sagerunex backdoor abuses legitimate cloud services such as Dropbox, Twitter (now X), and Zimbra for its C2 communication.
Talos doesn't attribute Lotus Blossom to any particular nation-state, but Microsoft has previously linked the group to China.
Malware abuses Microsoft dev tunnels for C2 communication.
In a new twist, cybercriminals are exploiting Microsoft’s dev tunnels service to relay data to and from malware-infected devices. This service, designed for developers to test apps and collaborate securely, is now being abused to help malware avoid detection.
Recently, researchers found two versions of Njrat malware using Microsoft’s dev tunnels to connect to command-and-control servers. The malware communicates through hidden URLs, making it harder for traditional security systems to spot.
The malware checks in with its remote servers, reporting its status, and can even spread through USB devices. Experts say that organizations not using dev tunnels should keep an eye on DNS logs for any unusual dev tunnel URLs as a way to spot potential attacks early.
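To make the DNS-log advice concrete, here is an added detection example (not from the researchers' report) that scans resolver logs for lookups of dev tunnel hostnames from machines that are not known to use the service. It assumes a simple "timestamp client query[type] name" log layout, the log lines are constructed, and the allowlist of legitimate developer hosts is something you would populate yourself; `devtunnels.ms` is the domain the dev tunnels service assigns to tunnel endpoints.

```python
import re
from collections import defaultdict

# Hostname suffixes used by Microsoft dev tunnels. Extend the tuple if your
# environment sees other tunnel-related names.
DEVTUNNEL_SUFFIXES = ("devtunnels.ms",)

# Constructed sample log lines (not from a real resolver) in an assumed
# "<timestamp> <client-ip> query[<type>] <name>" layout. Line 4 checks
# case and trailing-dot handling; line 5 is a look-alike that must NOT match.
SAMPLE_DNS_LOG = """\
2025-02-27T10:15:02Z 10.0.4.23 query[A] abc123xy-8080.euw.devtunnels.ms
2025-02-27T10:15:03Z 10.0.4.23 query[A] login.microsoftonline.com
2025-02-27T10:16:40Z 10.0.7.8 query[A] q7r2t9kk-3000.use.devtunnels.ms
2025-02-27T10:17:11Z 10.0.4.23 query[AAAA] ABC123XY-8080.euw.DEVTUNNELS.MS.
2025-02-27T10:18:05Z 10.0.9.14 query[A] devtunnels.ms.example.net
2025-02-27T10:19:30Z 10.0.4.23 query[A] update.example.org
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)$")


def is_devtunnel_name(name, suffixes=DEVTUNNEL_SUFFIXES):
    """True if `name` is a dev tunnel hostname or a subdomain of one.

    Comparison is per DNS label, so devtunnels.ms.example.net is not a hit.
    """
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def find_devtunnel_queries(text, allowlist=frozenset()):
    """Return (timestamp, client, name) for dev tunnel lookups by clients
    that are not on the allowlist of known dev tunnel users."""
    hits = []
    for rec in parse_dns_log(text):
        if rec["client"] in allowlist:
            continue
        if is_devtunnel_name(rec["name"]):
            hits.append((rec["ts"], rec["client"], rec["name"].rstrip(".").lower()))
    return hits


def clients_by_hit_count(hits):
    """Aggregate hits per client so repeated beaconing stands out."""
    counts = defaultdict(int)
    for _, client, _ in hits:
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    KNOWN_DEV_HOSTS = frozenset({"10.0.7.8"})  # constructed allowlist
    hits = find_devtunnel_queries(SAMPLE_DNS_LOG, KNOWN_DEV_HOSTS)
    for ts, client, name in hits:
        print(f"{ts} {client} -> {name}")
    print(clients_by_hit_count(hits))
```

In an organization that does not use dev tunnels at all, the allowlist is empty and any hit is worth a look; where developers do use them, a host outside the allowlist querying these names repeatedly is the signal the text describes.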
Longwall Security has published a report on “pass-the-cookie” attacks.
Cybercriminals are using Pass-the-Cookie attacks to bypass multi-factor authentication (MFA), according to Longwall Security. Instead of stealing passwords, attackers target session cookies, which allow them to hijack active sessions without triggering MFA.
Infostealer malware like LummaC2 is often used to extract authentication cookies from victims' browsers. Once stolen, these cookies let attackers impersonate users and access accounts. These stolen cookies are even being traded on dark web marketplaces, making it easier for cybercriminals to access accounts undetected.
Longwall Security recommends shortening session expiration times, monitoring login behavior, and educating users on phishing to defend against this rising threat. As attackers evolve, organizations must strengthen their security to stay ahead.
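As an added example of the first two recommendations (shorter session lifetimes and watching for anomalous session use), here is a small server-side session store; it is illustration code, not Longwall Security's, and the lifetime values, the client-binding rule and the cookie attributes are assumptions you would tune for a real application.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for the example; tune them to the application.
ABSOLUTE_LIFETIME = timedelta(hours=8)   # session ends regardless of activity
IDLE_TIMEOUT = timedelta(minutes=30)     # session ends after inactivity


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime
    ip: str
    user_agent: str


class SessionStore:
    """In-memory server-side session store with expiry and client binding."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now, ip, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = Session(user, now, now, ip, user_agent)
        return sid

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def validate(self, sid, now, ip, user_agent):
        """Return (ok, reason). Any failure revokes the session server-side."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown_session"
        if now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(sid)
            return False, "expired_absolute"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(sid)
            return False, "expired_idle"
        if (ip, user_agent) != (s.ip, s.user_agent):
            # The cookie arrived from a different client than the one that
            # logged in: treat as a suspected replayed session and revoke.
            self.revoke(sid)
            return False, "client_mismatch"
        s.last_seen = now
        return True, "ok"

    def active_count(self):
        return len(self._sessions)


def session_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie value with a short Max-Age and attributes that limit
    exposure of the cookie to scripts and cross-site requests."""
    return (f"session={sid}; Max-Age={int(max_age.total_seconds())}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    t0 = datetime(2025, 2, 28, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    sid = store.create("alice", t0, "10.0.0.5", "Firefox/135")
    print(session_cookie_header(sid))
    print(store.validate(sid, t0 + timedelta(minutes=5), "10.0.0.5", "Firefox/135"))
    print(store.validate(sid, t0 + timedelta(minutes=6), "203.0.113.9", "Firefox/135"))
```

Two caveats on the design: `HttpOnly` and `Secure` do not stop an infostealer that reads the browser's cookie database from disk, which is why the absolute and idle lifetimes matter, since they bound how long a stolen cookie stays useful; and strict IP binding produces false positives for mobile and roaming users, so many deployments log a mismatch and demand re-authentication instead of revoking outright.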
Protecting the food supply.
Cyber threats to agriculture are no longer hypothetical. The Farm and Food Cybersecurity Act, reintroduced in Congress, aims to secure the U.S. food supply chain from digital attacks. With bipartisan support, the bill mandates the USDA to conduct biennial cybersecurity assessments and coordinate crisis response exercises with Homeland Security and intelligence agencies.
Recent attacks, like the 2021 JBS ransomware incident, highlight the growing risks to precision agriculture and food production. A new Food and Ag Sector Cyber Threat Report found that 90% of cyberattacks exploit readily available tools, and 83% involve spearphishing.
With backing from key industry groups, this legislation pushes for stronger public-private collaboration. The message is clear: food security is national security, and cyber resilience must be a priority.
Coming up next, we’ve got Dave’s conversation with Qintel (pronounced cue-intel) Chief Global Ambassador and former FBI special agent Keith Mularski (pronounced ma-LARR-ski) discussing crypto being the target of the cyber underground. And an interview with a superhero, courtesy of N2K Producer Liz Stokes. We’ll be right back.
Last week, some of our team hit the ground in Orlando for ThreatLocker Zero Trust World 2025, where we brought Hacking Humans Live to the stage. But we didn’t stop there—our very own producer, Liz Stokes, took to the floor to capture the buzz, chatting with attendees about the event and even scoring a conversation with a certain superhero you just might recognize. She’s joined by Collin Ellis, Senior Solutions Engineer at ThreatLocker, to dive into what made this year’s event one to remember.
If you want to catch more of Liz’s interviews from ThreatLocker Zero Trust World 2025, head over to our YouTube page, where we’ll be posting all the conversations she had on the floor. And while you’re there, don’t miss our Hacking Humans Live event—or tune in wherever you get your podcasts!
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And don’t forget to tune into Research Saturday, where Dave Bittner sits down with Phil Stokes, a threat researcher at SentinelOne's SentinelLabs, as they discuss the research on "macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed." That’s Research Saturday. Check it out.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.