The CyberWire Daily Podcast 4.15.25
Ep 2287 | 4.15.25

OCC breach jolts financial sector.

Transcript

Some U.S. banks pause electronic communications with the OCC following a major breach of the agency’s email system. Uncertainty spreads at CISA. China accuses three alleged U.S. operatives of conducting cyberattacks during February’s Asian Games. Microsoft Teams suffers filesharing issues. Fraudsters use ChatGPT to create fake passports. Car rental giant Hertz confirms data stolen in last year’s Cleo breach. Researchers describe a novel process injection method called Waiting Thread Hijacking. A new macOS malware-as-a-service threat is being sold on underground forums. A UK man is sentenced to over eight years for masterminding the LabHost phishing platform. Kim Jones joins us with a preview of the newly relaunched CISO Perspective podcast. David Moulton from Unit 42 sits down with Rob Wright, Security News Director at Informa TechTarget, for the latest Threat Vector. Fighting the flood of AI-generated experts.

Today is Tuesday April 15th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Several U.S. banks pause electronic communications with the OCC following a major breach of the agency’s email system.

Several major U.S. banks, including JPMorgan Chase and BNY Mellon, have paused electronic communications with the Office of the Comptroller of the Currency (OCC) following a major breach of the agency’s email system, Bloomberg reports. Hackers accessed over 100 accounts for more than a year, prompting fears that sensitive data—such as banks’ cybersecurity reports and even National Security Letters—may have been exposed. The OCC is working with Microsoft, CrowdStrike, and Mandiant to investigate. Though on-site examiners still have access, banks worry the compromised data could aid future cyberattacks. The incident, now deemed a “major” breach, has triggered congressional scrutiny and raised serious concerns about the OCC’s cybersecurity safeguards, with experts warning that trust between banks and regulators has been fundamentally shaken.

Uncertainty spreads at CISA. 

Uncertainty is spreading at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as staff face a deadline to accept resignation or payout offers from the Department of Homeland Security. Reports suggest CISA could lose up to 1,300 employees—about a third of its workforce—amid broader federal cyber staffing cuts. The move has alarmed officials and experts who warn it could weaken the nation’s defenses against cyber threats to critical infrastructure like water, energy, and transportation. Staff describe the atmosphere as chaotic, with many eyeing exits to the private sector. CISA says it’s committed to supporting employees while continuing its mission. However, the scope of the reductions far exceeds previous cuts and threatens to cripple key divisions within the federal cyber defense agency.

China accuses three alleged U.S. operatives of conducting cyberattacks during February’s Asian Games. 

China has accused three alleged U.S. operatives of conducting cyberattacks during February’s Asian Games in Harbin. According to Chinese authorities, the individuals, reportedly linked to the NSA, targeted event management systems holding sensitive personal data. The cyberattacks allegedly disrupted Games operations and extended to critical infrastructure in Heilongjiang province, including energy, telecom, and defense institutions, as well as tech giant Huawei. China claims the attacks caused serious national harm and has urged the U.S. to stop its alleged cyber operations. While offering no concrete evidence, China says it will take further steps to protect its cybersecurity. The U.S. has not responded to the accusations. Both countries routinely blame each other for cyber espionage, fueling ongoing tensions in cyberspace.

Microsoft Teams suffers filesharing issues. 

Earlier today, Microsoft Teams users experienced a major issue affecting file sharing, prompting an ongoing investigation by Microsoft. The company acknowledged the disruption via its Microsoft 365 Status account and is tracking the issue. Although the Microsoft 365 Service Health page initially showed no problems, users reported widespread difficulties accessing files, particularly via SharePoint. Microsoft has not provided a fix timeline but recommends using alternatives like OneDrive for sharing. 

Fraudsters use ChatGPT to create fake passports. 

OpenAI’s ChatGPT image generator has been exploited to create realistic fake passports in minutes, according to the 2025 Cato CTRL Threat Report. This marks a major shift in cybercrime, where generative AI allows non-experts—termed “zero-knowledge threat actors”—to forge documents without coding skills or access to illicit tools. By tweaking prompts, users can bypass ChatGPT’s safeguards, producing convincing passports for fraud. This ease enables scams like new account fraud, insurance fraud, and identity theft. Traditional ID verification methods, such as photo uploads, are now vulnerable. Experts urge stronger defenses like NFC-based document checks, liveness detection, and device-anchored identity verification. 

Car rental giant Hertz confirms data stolen in last year’s Cleo breach. 

Car rental giant Hertz has confirmed that customer data was stolen in last year’s Cl0p ransomware attacks exploiting Cleo file transfer software. The breach affected Hertz, Dollar, and Thrifty customers, exposing personal details like names, contact info, birthdates, credit card and driver’s license data, and in some cases, Social Security numbers and medical claim information. The stolen files came from a Cleo product used by Hertz. While there’s no evidence of misuse, Hertz is offering two years of identity and dark web monitoring.

Researchers describe a novel process injection method called Waiting Thread Hijacking. 

Check Point Research describes a novel process injection method called Waiting Thread Hijacking (WTH), offering a stealthier alternative to traditional thread hijacking techniques. Unlike conventional methods that rely on suspending and modifying active threads—actions often detected by Endpoint Detection and Response (EDR) systems—WTH targets dormant threads within Windows thread pools. By identifying threads in a waiting state, WTH manipulates their return addresses to redirect execution to malicious code without triggering common security alerts. This approach avoids the use of high-risk APIs like SetThreadContext and SuspendThread, instead utilizing standard operations such as VirtualAllocEx, WriteProcessMemory, and GetThreadContext. To further evade detection, the technique can distribute its steps across multiple processes, obfuscating behavioral signatures typically monitored by security tools. WTH exemplifies the evolving tactics in cyber threats, emphasizing the need for advanced behavioral analysis in cybersecurity defenses.

A new macOS malware-as-a-service threat is being sold on underground forums. 

A new macOS malware-as-a-service threat, iNARi Loader, is being sold on underground forums, marking a serious escalation in Apple-targeted cyberattacks. Unlike previous macOS stealers, iNARi offers a premium toolkit with remote desktop access, advanced data exfiltration, and password bypass capabilities—allowing attackers to harvest credentials without fake prompts. The malware is modular and can be deployed through multiple vectors like .dmg files or malicious apps. It also reportedly evades detection without added obfuscation. Offered at $5,000–$10,000 per month, it’s priced well above competitors like Atomic and Banshee, likely reflecting its powerful features. The loader adds to a growing wave of macOS threats seen in 2023–2024, such as MacStealer and MetaStealer. Researchers warn this development could lead to broader exploitation of macOS systems. Users should stay alert, avoid unverified downloads, enable 2FA, and keep their devices updated with the latest security patches.

A UK man is sentenced to over eight years for masterminding the LabHost phishing platform. 

Zak Coyne, 23, from Huddersfield in the UK, has been sentenced to eight and a half years in prison for creating LabHost, one of the world’s largest phishing-as-a-service platforms. Operating from 2021 to 2024, LabHost was used by over 2,000 fraudsters to build fake websites imitating banks, healthcare providers, and postal services to steal personal and financial data. The platform enabled global fraud, causing losses exceeding £100 million, far more than initially estimated. Coyne profited by charging membership fees for access to pre-made phishing templates or custom-built sites. LabHost was dismantled in April 2024 following a major international takedown involving the Met Police, NCA, Microsoft, and Europol. Authorities also arrested 24 suspects and searched 70+ locations. This case underscores law enforcement’s growing focus on dismantling cybercrime infrastructure and prosecuting those who enable mass fraud, with the Met vowing to pursue anyone who facilitates such schemes.


Fighting the flood of AI-generated experts.

Here at the CyberWire, we rely on credible experts to provide context and clarity on breaking cyber and tech news. So imagine our concern over reports that a growing number of seemingly authoritative sources—from “senior analysts” to “psychologists”—have started sounding a little too slick, replying to quote requests faster than you can say “generative AI.”

According to Press Gazette, some of these “experts” flooding journalist inboxes aren’t real people at all. They’re the product of PR platforms and clever prompts, offering ready-made commentary attributed to fabricated identities like “Rebecca”—a supposed science educator who’s also a budgeting guru and music industry analyst. Or “Barbara,” who’s been quoted by nearly every outlet imaginable but whose main online presence is tied to an adult toy shop.

The problem is these fake personas are often indistinguishable from the real thing—until you scratch beneath the surface. In a landscape where trust is everything, this AI-enabled fakery is more than a curiosity—it’s a credibility crisis.

Stay vigilant, friends. Stay vigilant. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.