The CyberWire Daily Podcast 3.25.25
Ep 2272 | 3.25.25

The nightmare you can’t ignore.

Transcript

Critical Remote Code Execution vulnerabilities affect Kubernetes controllers. Senior Trump administration officials allegedly use unsecured platforms for national security discussions. Even experts like Troy Hunt get phished. Google acknowledges user data loss but doesn’t explain it. Chinese hackers spent four years inside an Asian telecom firm. SnakeKeylogger is a stealthy, multi-stage credential-stealing malware. A cybercrime crackdown results in over 300 arrests across seven African countries. Ben Yelin, Caveat co-host and Program Director, Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, joins to discuss the Signal national security leak. Pew Research Center figures out how its online polling got slightly forked.

Today is Tuesday, March 25th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Critical Remote Code Execution vulnerabilities affect Kubernetes controllers. 

Wiz Research discovered four critical Remote Code Execution (RCE) vulnerabilities—dubbed IngressNightmare—in the Ingress NGINX Controller for Kubernetes. These flaws allow unauthenticated attackers to inject malicious NGINX configurations, leading to full cluster takeover and unauthorized access to all secrets across namespaces. The attack targets the admission controller, which lacks authentication and is often exposed to the public internet. With a CVSS score of 9.8, this issue affects at least 6,500 clusters, including Fortune 500 environments. Exploits use NGINX features like ssl_engine to load malicious libraries. Mitigation includes patching to versions 1.12.1 or 1.11.5, disabling or securing the admission controller, and applying strict network policies. The research also highlights systemic security weaknesses in Kubernetes admission controllers and calls for better hardening practices.

Senior Trump administration officials allegedly use unsecured platforms for national security discussions.

A major national and cybersecurity concern surfaced after The Atlantic’s editor-in-chief, Jeffrey Goldberg, was accidentally added to a Signal group chat involving senior Trump administration figures discussing potential airstrikes in Yemen. The encrypted messaging thread—believed authentic—included sensitive military details like weapons, targets, and timing. Though Defense Secretary Pete Hegseth denied it was a “war plan,” Goldberg noted the chat mirrored CENTCOM’s operational timeline and included high-level coordination. The use of Signal, a commercial, unclassified app, for such discussions raises alarms about secure communication practices. Goldberg exited the group after realizing it was likely real, and no one noticed his presence. The White House confirmed it’s reviewing the incident, underscoring risks of misrouted sensitive information and the vulnerabilities introduced when officials use unsecured platforms for national security discussions. 

Stay tuned for my discussion of this story with our policy expert Ben Yelin. 

And speaking of Signal, Mandiant warns that Russian hacking groups are exploiting Signal’s “linked devices” feature to secretly spy on encrypted chats. By tricking users into scanning malicious QR codes, attackers can add their own device to the victim’s Signal account, receiving messages in real time without breaking encryption. Targets include military personnel, journalists, and politicians. The technique has low detection risk and has been used in both remote phishing and battlefield operations. Mandiant urges users to audit linked devices and follow strong security practices.

Even experts like Troy Hunt get phished. 

Security expert Troy Hunt fell for a convincing Mailchimp phishing attack while jet-lagged, resulting in the compromise of his account and the export of his 16,000-subscriber mailing list. The phish, hosted on a spoofed Mailchimp site, tricked him into entering login credentials and a one-time password. Moments later, attackers accessed his account from a New York IP and exported the list, which included both active and unsubscribed users—raising concerns about Mailchimp’s data retention practices. Hunt quickly changed credentials and notified subscribers but reflected on how fatigue and subtle social engineering contributed to the breach. He emphasized the limitations of OTP-based 2FA and called for phishing-resistant authentication, like passkeys. The phishing site was disabled within hours. Hunt plans a deeper technical analysis and urges users to remain vigilant against sophisticated scams.

Google acknowledges user data loss but doesn’t explain it. 

Google says a technical issue caused the loss of Timeline data for some Google Maps users—possibly permanently. The Timeline feature tracks users’ location history and can include photos, creating a visual travel log. Users noticed missing data over the weekend, and Google confirmed the issue in emails. Those with encrypted backups can restore their data manually, but users without backups have lost it for good. Google hasn’t detailed the cause or scope of the incident, raising broader concerns about data resilience.

Chinese hackers spent four years inside an Asian telecom firm. 

Chinese state-linked hackers, dubbed “Weaver Ant,” infiltrated an unnamed Asian telecom firm and remained undetected for over four years, according to incident response firm Sygnia. The hackers initially breached the network using compromised Zyxel home routers and maintained persistence through a network of web shells, including the China Chopper tool. Weaver Ant used an “ORB network” of hijacked routers and IoT devices to mask their activity and move laterally across systems. Their objective: long-term espionage and data theft. Sygnia discovered the intrusion during a separate investigation and linked it to Chinese actors based on tools, working hours, and targeted infrastructure. The attackers demonstrated high-level sophistication, using multiple custom tools and evasion techniques to stay hidden. 

SnakeKeylogger is a stealthy, multi-stage credential-stealing malware. 

SnakeKeylogger is a stealthy, multi-stage credential-stealing malware that uses malicious spam emails with deceptive disk image (.img) files to trick victims. The attached file mimics a business document, increasing the chance of user interaction. Once opened, it deploys an executable that initiates an infection chain, downloading and decrypting a hidden payload disguised as an MP3. The malware executes in memory via process hollowing, targeting InstallUtil.exe to evade detection. It harvests credentials from web browsers, email clients, FTP apps, and WiFi settings, exfiltrating data to attacker-controlled servers.

A cybercrime crackdown results in over 300 arrests across seven African countries. 

Interpol coordinated a major international crackdown on cybercrime, resulting in over 300 arrests across seven African countries between November and February. Authorities in Nigeria, South Africa, Zambia, and others dismantled cross-border cybercriminal networks behind mobile banking, investment, and messaging app scams, which defrauded over 5,000 victims. Nigeria arrested 130 suspects, including 113 foreign nationals, some allegedly coerced into scams via human trafficking. South Africa disrupted a SIM box fraud operation used in SMS phishing attacks, while Zambia arrested hackers targeting banking data through malicious links. Seized assets included vehicles and properties. Private cybersecurity firms like Kaspersky and Group-IB supported the effort by analyzing malware and sharing data. Interpol cited Africa’s growing cybercrime risks, with the region leading in average weekly cyberattacks per organization in 2023. 

Pew Research Center figures out how its online polling got slightly forked. 

Imagine taking a serious survey only to be asked: “Forks or no?” That’s exactly what happened in a Pew Research Center online poll thanks to a wonderfully weird bug. Turns out, a glitch triggered Google Chrome’s auto-translate, mistaking the English-language survey for Spanish. Chrome then “helpfully” translated “yes” to… “forks.” This culinary chaos stemmed from a bizarre Google Translate quirk, where “yes” in Spanish oddly became “forks” in English. Pew traced the issue, squashed the bug with some HTML wizardry, and double-checked that their data remained deliciously intact. Only 0.2% of users reported seeing the error, and no measurable impact was found on the results. Bonus weirdness: Chrome also thought “lean” meant “read.” Pew’s now got safeguards in place so future surveys don’t serve up accidental utensils. So yes, it was a strange ride—but no data (or forks) were harmed in the making of this research.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
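The IngressNightmare mitigation summarized in the first story (patch ingress-nginx to 1.12.1 or 1.11.5, and disable or restrict the admission controller until then) turned into a defender's triage script. This is an added example, not code from the transcript or from Wiz: it reads constructed samples of `kubectl ... -o json` output, the admission-service name is the one the upstream ingress-nginx manifests use, and the assumption that branches newer than 1.12 carry the fix is mine.

```python
import json
import re

# Fixed releases named in the advisory summary: 1.12.1 and 1.11.5 (branch -> minimum patch level).
FIXED = {(1, 12): 1, (1, 11): 5}
IMAGE_RE = re.compile(r"ingress-nginx/controller:v(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `kubectl get pods -A -o json`, trimmed to the fields used here.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-a"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-b"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
]})
# Constructed sample of `kubectl get validatingwebhookconfigurations -o json`; the service
# name matches the one the upstream ingress-nginx manifests use for the admission webhook.
SAMPLE_WEBHOOKS = json.dumps({"items": [{"webhooks": [{"clientConfig": {"service": {
    "namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"}}}]}]})


def is_patched(version):
    """True when (major, minor, patch) is at or above the fixed release for its branch."""
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches newer than 1.12 carry the fix; branches older than 1.11 do not.
    return (major, minor) > (1, 12)


def find_controllers(pods_json):
    """Return [(namespace, pod, version_tuple, patched)] for each ingress-nginx controller pod."""
    found = []
    for item in json.loads(pods_json)["items"]:
        for container in item["spec"]["containers"]:
            m = IMAGE_RE.search(container["image"])
            if m:
                version = tuple(int(x) for x in m.groups())
                meta = item["metadata"]
                found.append((meta["namespace"], meta["name"], version, is_patched(version)))
    return found


def admission_webhook_enabled(webhooks_json):
    """True while a ValidatingWebhookConfiguration still routes to the ingress-nginx admission service."""
    return any("ingress-nginx" in hook.get("clientConfig", {}).get("service", {}).get("name", "")
               for item in json.loads(webhooks_json)["items"]
               for hook in item.get("webhooks", []))
```

Any controller reported as unpatched while `admission_webhook_enabled` is still true is the case the story describes: an unauthenticated webhook reachable before the fix is applied, so disable it or fence it with a NetworkPolicy until the upgrade lands.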