The CyberWire Daily Podcast 4.8.25
Ep 2282 | 4.8.25

Using AI to sniff out opposition.

Transcript

Is DOGE using AI to monitor federal employees? Google’s latest Android update addresses two zero-days. Scattered Spider continues its phishing and malware campaigns. Ransomware’s grip is slipping. ToddyCat exploits a critical flaw in ESET products. Oracle privately confirms a legacy system breach. Over 5,000 Ivanti Connect Secure appliances remain exposed online to a critical remote code execution vulnerability. CISA confirms active exploitation of a critical vulnerability in CrushFTP. In our Industry Voices segment, we are joined by Matt Radolec, VP of Incident Response at Varonis, on turning to gamers to build resilient cyber teams. AI outphishes human red teams.

Today is Tuesday April 8th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Is DOGE using AI to monitor federal employees?

The Trump administration’s use of Elon Musk’s DOGE team continues to raise serious cybersecurity and transparency concerns. According to a Reuters exclusive, DOGE is reportedly using AI to monitor federal employee communications for perceived disloyalty to Trump or Musk, including scanning platforms like Microsoft Teams. Sources say the team communicates using Signal, a disappearing-messages app that may violate federal records laws. Ethics experts warn this could be an abuse of power and a breach of federal data retention rules. DOGE has also restricted access to key government systems, such as the Office of Personnel Management’s cloud, locking out over 100 staffers. Only two people now control sensitive personnel data for millions of federal workers. Critics say this level of secrecy and control over federal IT infrastructure could enable political targeting and undermines democratic accountability. Lawsuits and a federal court order are now pushing DOGE to release documents, but watchdogs say transparency remains dangerously low.

Meanwhile, President Trump’s declared national emergency and sweeping tariffs have launched a global trade war that itself poses major cybersecurity risks. Starting April 9, a 10% baseline tariff will hit all imports, with harsher rates for China, the EU, and India. Enterprise tech and cybersecurity leaders face soaring hardware costs, delays, and increased reliance on outdated systems—raising the risk of cyberattacks. Compliance challenges, end-of-life vulnerabilities, and shrinking budgets will force leaders to rethink strategies, lean into cloud options, and prioritize core security investments.

Google’s latest Android update addresses two zero-days.

Google’s April 2025 Android Security Bulletin addresses multiple critical vulnerabilities, including two zero-days—CVE-2024-53150 and CVE-2024-53197—actively exploited in targeted attacks. Both impact the Linux kernel’s ALSA USB-audio driver and pose serious risks to Android devices running versions 12 through 15. CVE-2024-53150 allows information disclosure via an out-of-bounds read, while CVE-2024-53197 enables privilege escalation through memory corruption triggered by malicious USB devices. These flaws may bypass standard device locks and resemble methods used by surveillance firms. Google and Samsung have released urgent patches, with fixes included in the 2025-04-05 security level. The continued targeting of Android underscores the ecosystem’s security challenges, with Google reporting a significant rise in zero-day attacks. Users are urged to update devices immediately to avoid exploitation.

Scattered Spider continues its phishing and malware campaigns. 

Despite multiple arrests, Scattered Spider continues its phishing and malware campaigns in 2025, targeting major firms like T-Mobile, Pure Storage, and Louis Vuitton. The cybercrime group has ditched its Rickrolling antics, focusing instead on advanced tools like an updated Spectre RAT, which now features new obfuscation and command capabilities. Silent Push researchers detailed five phishing kits used by the group, noting the latest integrates multiple brands and is hosted on Cloudflare. The criminals exploit SMS phishing to steal credentials, bypass MFA, and deploy malware for persistent access and data theft. Notably, Scattered Spider is now using publicly rentable subdomains—making their operations harder to track. Silent Push has released a Spectre RAT decoder and command-and-control emulator to help defenders. Despite a law enforcement crackdown, the group’s evolving tactics remain a serious threat to organizations worldwide.

Ransomware’s grip is slipping. 

Ransomware attacks surged in early 2025, hitting a record 2,040 victims in three months, with schools and healthcare providers especially affected. Yet despite the chaos, ransomware’s grip is slipping. As Allan Liska, a threat intelligence analyst at Recorded Future outlined in a blog post, profits dropped from $1.25 billion in 2023 to $818 million in 2024, as fewer victims pay ransoms—and when they do, they pay less. Cybercriminals now favor data theft over encryption, hoping to extort payment for deletion. Still, organizations are resisting, and law enforcement crackdowns are fracturing major ransomware groups. Newer, lesser-known gangs like Arkana and Babuk 2.0 are stepping in, often recycling old code and tactics under fresh branding. Meanwhile, global crises—from cyberespionage to trade wars—are pulling attention away from ransomware threats. Russia’s tighter control over hackers may also be curbing major attacks. While ransomware isn’t disappearing, its dominance and profitability are clearly being tested.

ToddyCat exploits a critical flaw in ESET products. 

A critical flaw (CVE-2024-11859) in multiple ESET products has been exploited by the Chinese-linked APT group ToddyCat to deploy stealthy malware, Kaspersky reports. The vulnerability, a DLL search order hijack, requires administrative access and enables arbitrary code execution. ToddyCat used this flaw to load TCESB, a sophisticated C++ tool that bypasses security monitoring and manipulates kernel structures. ESET patched the issue in January and urges users to update. The group has targeted military and government entities across Europe and Asia since 2020.

Oracle privately confirms a legacy system breach. 

Oracle has privately confirmed a breach in a legacy system, contradicting earlier public denials. Hackers accessed old client login credentials, including encrypted passwords, and exfiltrated data, some of which dates to 2024. The threat actor, ‘rose87168’, demanded $20 million and deployed malware targeting Oracle’s Identity Manager. Oracle insists Oracle Cloud wasn’t affected, calling the breached system “Oracle Classic.” However, experts criticize this as misleading rebranding. This is Oracle’s second breach disclosure in months, prompting an FBI investigation and a class action lawsuit.

Over 5,000 Ivanti Connect Secure appliances remain exposed online to a critical remote code execution vulnerability. 

Over 5,000 Ivanti Connect Secure appliances remain exposed online to CVE-2025-22457, a critical vulnerability (CVSS 9.0) allowing remote code execution. The flaw, a stack-based buffer overflow, is being actively exploited by Chinese threat group UNC5221, which deploys backdoors via Ivanti VPNs. Ivanti issued a fix in February but initially misdiagnosed the issue, enabling ongoing attacks. Most vulnerable devices are outdated Pulse Connect Secure 9.x versions, no longer supported since December 2024. Ivanti urges users to patch or upgrade to supported versions immediately.

CISA confirms active exploitation of a critical vulnerability in CrushFTP. 

CISA has confirmed that a critical vulnerability in CrushFTP (CVE-2025-31161) is being actively exploited. This authentication bypass flaw (CVSS 9.8) allows unauthenticated attackers to fully compromise unpatched CrushFTP v10 and v11 systems. CISA added it to its Known Exploited Vulnerabilities catalog on April 7 and urges all organizations to patch immediately. The flaw was initially discovered by Outpost24 and disclosed under a 90-day embargo. However, another group, VulnCheck, released a separate CVE (CVE-2025-2825) without coordination, leading to public exposure and exploitation. MITRE later rejected VulnCheck’s CVE, sparking debate over vulnerability disclosure ethics. Shadowserver observed over 1,500 unpatched instances and noted in-the-wild exploitation using proof-of-concept code. While the flaw has been fixed in CrushFTP versions 10.8.4 and 11.3.1, the disclosure conflict highlights challenges in coordinated vulnerability reporting.

Coming up on our Industry Voices segment, I speak with Varonis’ VP of Incident Response, Cloud Operations & SE EU Matt Radolec. Matt shares his thoughts on “From Gamer to Leader: How to Build Resilient Cyber Teams.”

That was Matt Radolec from Varonis on Industry Voices. You can find a link in our show notes to Matt’s upcoming keynote on the topic at RSAC 2025.

AI outphishes human red teams. 

Move over chess grandmasters—AI has now leveled up to out-hustle human red teams in the world of phishing. According to cybersecurity firm Hoxhunt, their AI phishing agent, code-named JKR (yes, like “Joker”), beat human-crafted phishing attempts by 24% in March. That’s a glow-up from last year, when JKR lagged 31% behind.

Think of it as a Skynet-meets-email moment. JKR adapts like a social engineering ninja, customizing bait with user-specific context like job roles and locations. It’s not just phishing—it’s precision phishing, in bulk. Hoxhunt says this could make mass phishing campaigns as effective as today’s spear-phishing attempts. Great.

The Anti-Phishing Working Group also reported a global spike in phishing sites and smishing scams, including hilariously off-target toll collection texts. So, while humans still bring creativity, AI brings scale, 24/7 hustle, and zero need for coffee. Experts say defending against AI-driven threats will still require one vital element: human judgment.

We’d have more good judgment if it weren’t constantly busy cleaning up after bad judgment.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.