The CyberWire Daily Podcast 4.14.25
Ep 2286 | 4.14.25

AI ambitions clash with cyber caution.

Transcript

The Department of the Interior removes top cybersecurity and tech officials. The DOJ looks to block foreign adversaries from acquiring sensitive personal data of U.S. citizens. Microsoft issues emergency updates to fix an Active Directory bug. Hackers are installing stealth backdoors on FortiGate devices. Researchers warn of a rise in “Dangling DNS” attacks. A pair of class action lawsuits allege a major adtech firm secretly tracks users online without consent. Google is fixing a 20-year-old Chrome privacy flaw. The Tycoon2FA phishing-as-a-service platform continues to evolve. My guest is Tim Starks from CyberScoop, discussing the latest from CISA and Chris Krebs. Slopsquatting AI totally harshes the supply chain vibe.

Today is Monday, April 14th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Department of the Interior removes top cybersecurity and tech officials. 

The U.S. Department of the Interior has removed top cybersecurity and tech officials, including CIO Darren Ash and CISO Stan Lowe, following a dispute with the Department of Government Efficiency (DOGE). The conflict centers on DOGE’s push—backed by President Trump and Elon Musk—to use AI to cut federal spending, which critics say bypasses key security protocols. DOGE’s unvetted access attempts triggered legal backlash and judicial restraining orders. The personnel shake-up, first reported by Nextgov, also includes Associate Solicitor Tony Irish, who disputes claims of being fired and is pursuing administrative recourse. The Interior Department has not commented. This follows a broader trend of cybersecurity leadership removals across federal agencies, including the recent dismissal of NSA and U.S. Cyber Command head Gen. Timothy Haugh.

The DOJ looks to block foreign adversaries from acquiring sensitive personal data of U.S. citizens. 

The U.S. Department of Justice has launched a Data Security Program aimed at blocking foreign adversaries from acquiring sensitive personal data of U.S. citizens. This follows a February 2024 executive order and targets countries like China, Russia, and Iran that allegedly use commercial means or national laws to access such data. The program prohibits unauthorized data transfers—covering health, biometric, financial, and other personal information—via brokerage, vendor, employment, or investment agreements. The DOJ warns that adversaries exploit bulk data using AI for espionage, manipulation, and strategic advantage. Violators face civil and criminal penalties, including up to 20 years in prison. The program took effect April 8, 2025, with a 90-day grace period for those making good-faith compliance efforts.

Microsoft issues emergency updates to fix an Active Directory bug. 

Microsoft has issued emergency updates to fix a bug affecting audit logon policies in Active Directory Group Policy. The issue causes local policies to incorrectly show “No auditing” for logon/logoff events, even if auditing is active. This can confuse admins but doesn’t affect actual event logging. The out-of-band (OOB) updates apply to various Windows versions and are intended for enterprise environments only. Microsoft also warned of related issues, including potential Windows Server 2025 restarts and Office 2016 crashes tied to recent updates.

Hackers are installing stealth backdoors on FortiGate devices. 

Hackers are exploiting known Fortinet vulnerabilities to install stealth backdoors on FortiGate devices, allowing them to maintain access even after patches are applied. The attackers use symbolic links to quietly read configuration files through the SSL-VPN interface, avoiding detection. Devices without SSL-VPN enabled are not affected. Fortinet has responded with updates across multiple FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16), tools to detect and remove the backdoor, and changes to the SSL-VPN interface to prevent future abuse. watchTowr CEO Benjamin Harris warned that this reflects a broader trend: attackers now design backdoors to survive patches and resets. Fortinet urges all users to update immediately to block these persistent threats and protect their systems from ongoing exploitation.

Researchers warn of a rise in “Dangling DNS” attacks. 

Cybersecurity researchers are warning of a rise in “Dangling DNS” attacks, where attackers exploit outdated or misconfigured DNS records to hijack organizational subdomains. These vulnerabilities often occur when companies discontinue cloud services or SaaS tools but leave behind DNS entries—like CNAME records—pointing to decommissioned resources. Attackers can then register the abandoned destination (e.g., a Zendesk subdomain) and serve malicious content through the legitimate domain, creating a serious supply chain risk.

SentinelOne found over 1,250 vulnerable subdomains in the past year, with one case showing 150 deleted AWS S3 buckets receiving over 8 million requests. These requests included software updates and VPN configurations, which could have been weaponized by attackers. The real danger lies in the trust users and systems place in subdomains, unknowingly connecting to attacker-controlled infrastructure.

To mitigate the threat, experts recommend regular DNS audits, immediate removal of stale records, and runtime security monitoring for anomalous activity.
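As an added example (not code from the episode or from SentinelOne), here is the kind of audit script the recommendation above calls for: it walks a zone export and flags CNAME records whose targets no longer resolve, rating them higher when the target sits on a provider where anyone can claim the abandoned name. The zone rows, the provider list and the stub resolver are constructed so it runs offline.

```python
# Added example, not from the episode or SentinelOne's tooling: scan a zone
# export for CNAME records whose targets no longer resolve. The zone rows and
# the stub resolver are constructed so the script runs offline; in practice
# `resolve` would wrap a real DNS lookup.
from typing import Callable, Optional

Record = tuple[str, str, str]                     # (name, type, rdata)
Resolver = Callable[[str], Optional[list[str]]]   # host -> A records, None = NXDOMAIN

# Constructed list of provider suffixes where an abandoned name can be claimed
# by whoever signs up next; extend it with the SaaS and cloud services you use.
CLAIMABLE = (".zendesk.com", ".github.io", ".herokuapp.com", ".s3.amazonaws.com")

def classify_cname(target: str, resolve: Resolver) -> Optional[str]:
    """Severity for a dangling target, or None when it still resolves.

    NXDOMAIN on a claimable provider name is the takeover case the episode
    describes; NXDOMAIN elsewhere is still a stale record to delete. Caveat: a
    target can resolve and still be unclaimed (a deleted S3 bucket's hostname
    keeps resolving to AWS), so resolving targets on claimable providers need
    an application-layer probe that this example does not perform.
    """
    if resolve(target) is not None:
        return None
    return "high" if target.endswith(CLAIMABLE) else "medium"

def find_dangling(records: list[Record], resolve: Resolver) -> list[dict]:
    findings = []
    for name, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        severity = classify_cname(rdata.rstrip(".").lower(), resolve)
        if severity:
            findings.append({"name": name, "target": rdata, "severity": severity})
    return findings

# Constructed sample zone and resolver answers.
SAMPLE_ZONE: list[Record] = [
    ("support.example.com.", "CNAME", "oldco.zendesk.com."),
    ("updates.example.com.", "CNAME", "updates-bucket.s3.amazonaws.com."),
    ("www.example.com.",     "CNAME", "web.example.com."),
    ("mail.example.com.",    "MX",    "10 mx.example.com."),
    ("legacy.example.com.",  "CNAME", "app.retiredvendor.invalid."),
]
STUB_DNS = {
    "updates-bucket.s3.amazonaws.com": ["192.0.2.1"],  # resolves; see caveat
    "web.example.com": ["203.0.113.10"],
}

def stub_resolve(host: str) -> Optional[list[str]]:
    return STUB_DNS.get(host)

if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, stub_resolve):
        print(f"{f['severity']:6} {f['name']} -> {f['target']}")
```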

A pair of class action lawsuits allege a major adtech firm secretly tracks users online without consent. 

Two class action lawsuits filed in California allege that adtech firm The Trade Desk secretly tracks users online without consent, violating privacy laws. The suits target the company’s Unified ID 2.0 (UID2) and Adsrvr tracking tools, accusing them of collecting personal data—like email addresses, IPs, and even health info—for profiling and real-time ad bidding. Plaintiffs argue the firm acts like a data broker, monetizing user data without disclosure. One case claims UID2 circumvents privacy protections and may breach California wiretapping laws. Legal experts say UID2’s unique methods could draw closer court scrutiny. While proving harm in such privacy cases is tough, the suits are seen as strategic and timely amid growing privacy advocacy. The Trade Desk, a $25 billion firm, has not responded to the allegations.

Google is fixing a 20-year-old Chrome privacy flaw. 

Google is fixing a 20-year-old Chrome privacy flaw that allowed websites to detect users’ browsing history by checking if links had been previously visited. The issue stems from the :visited CSS selector, which changes a link’s color if a user has clicked it before. Malicious sites could exploit this to infer which sites users visited, enabling tracking and profiling.

Chrome version 136 will introduce triple-key partitioning for visited links, using the link URL, top-level site, and frame origin. This change ensures a link appears as visited only in the same site and context where it was first clicked, preventing cross-site history leaks. Google chose not to eliminate :visited entirely to preserve user experience and rejected a permissions-based model as too vulnerable to abuse. The feature is experimental in Chrome 132–135 and will be enabled by default in version 136. Other browsers offer partial protections but lack full partitioning.

The Tycoon2FA phishing-as-a-service platform continues to evolve. 

The Tycoon2FA phishing-as-a-service platform has received major updates, enhancing its ability to bypass multi-factor authentication and evade detection. Originally discovered in October 2023, the phishing kit now hides malicious JavaScript using invisible Unicode characters, evading manual and static analysis. It has also replaced Cloudflare Turnstile with a self-hosted CAPTCHA using randomized HTML5 canvas elements to avoid reputation checks and enable better customization. Additionally, new anti-debugging scripts detect and block browser automation tools like PhantomJS and Burp Suite, redirecting suspicious users to legitimate sites.

Trustwave also reports a surge in phishing attacks using malicious SVG files—a tactic favored by Tycoon2FA and similar platforms. These SVGs, disguised as voicemails or logos, contain obfuscated JavaScript that redirects victims to fake Microsoft 365 login pages. Phishing-resistant MFA and blocking SVG attachments at the email gateway level are recommended defenses. SVG-based phishing jumped 800% from April 2024 to March 2025.
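As an added example (not code from Trustwave or from the Tycoon2FA kit), here is a gateway-side check that covers both techniques described above: it flags an SVG attachment that carries a script element, an on* event handler or a javascript: URL, and it scans script text for runs of invisible Unicode characters. The SVG sample and the list of invisible code points are constructed for this example.

```python
# Added example, not from Trustwave's research or the Tycoon2FA kit: flag SVG
# attachments that carry script, and detect script text padded with invisible
# Unicode code points. The sample SVG below is constructed.
import unicodedata
import xml.etree.ElementTree as ET

# Constructed list of code points that render as nothing and are abused to
# hide payloads: zero-width space/joiners, word joiner, BOM, Hangul fillers.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x115F, 0x1160, 0x3164, 0xFFA0}

def invisible_runs(text: str, min_run: int = 8) -> list[tuple[int, int]]:
    """(offset, length) of runs of invisible characters at least min_run long.
    Any other format character (category Cf) counts too, since ordinary script
    source almost never contains one."""
    runs, start = [], None
    for i, ch in enumerate(text + " "):            # trailing space closes a final run
        hidden = ord(ch) in INVISIBLE or unicodedata.category(ch) == "Cf"
        if hidden and start is None:
            start = i
        elif not hidden and start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs

SVG_NS = "{http://www.w3.org/2000/svg}"

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Reasons to hold an SVG at the gateway; an empty list means nothing found."""
    reasons = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            reasons.append("script element")
            if invisible_runs(el.text or ""):
                reasons.append("invisible unicode in script")
        for attr, val in el.attrib.items():
            if attr.lower().startswith("on"):
                reasons.append(f"event handler {attr} on <{tag}>")
            if "javascript:" in val.lower():
                reasons.append(f"javascript: URL on <{tag}>")
    return reasons

# Constructed "voicemail" SVG: a script whose body starts with 16 zero-width chars.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="60">'
    '<text x="10" y="30">Voicemail (0:42)</text>'
    '<script><![CDATA[' + "\u200b\u200c" * 8
    + 'location.href="https://PLACEHOLDER.invalid/";]]></script></svg>'
).encode()

if __name__ == "__main__":
    print(svg_findings(SAMPLE_SVG))
```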

Slopsquatting AI totally harshes the supply chain vibe. 

If AI coding assistants were chefs, they’d be whipping up recipes on the fly—sometimes tossing in a mystery spice that no one remembers buying. Welcome to the world of slopsquatting, where attackers scoop up the “hallucinated” ingredients (a.k.a. fake packages) your friendly LLM invented and serve them back as malware.

Coined by developer Seth Larson and popularized by Andrew Nesbitt, slopsquatting targets the packages AIs like Copilot and ChatGPT dream up but that don’t actually exist—yet. Attackers register these ghost packages, waiting for some unwitting dev to copy-paste them into their project.

A recent study found that nearly 20% of packages recommended by 16 code-generating LLMs are pure fiction. Worse, these hallucinations are often weirdly consistent and suspiciously plausible. With “vibe coding” on the rise (thanks, Karpathy), devs are more likely to install first, question later. Moral of the story? Don’t trust that suspiciously convenient import—your AI might be freelancing for the bad guys.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.