
Lessons from the latest breach reports.
Verizon and Mandiant call for layered defenses against evolving threats. Cisco Talos describes ToyMaker and Cactus threat actors. Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods. Ransomware groups are experimenting with new business models. Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon. Global censorship takes a coffee break.
Today is Thursday April 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Verizon and Mandiant call for layered defenses against evolving threats.
Two of the cybersecurity industry’s most anticipated annual reports—the Verizon 2025 Data Breach Investigations Report (DBIR) and Mandiant’s M-Trends 2025—offer a revealing look at the evolving threat landscape. Drawing on tens of thousands of real-world incidents, both reports provide critical insights into how threat actors operate, what vulnerabilities they exploit, and which sectors are most at risk. Together, they highlight rising trends in credential theft, ransomware, supply chain attacks, and the persistent human element in security breaches.
The 2025 Verizon Data Breach Investigations Report (DBIR) reveals critical shifts in the cybersecurity landscape, drawing insights from over 22,000 incidents and 12,195 confirmed breaches. Credential abuse and vulnerability exploitation remain the top attack vectors, with the latter jumping 34%—driven by a surge in zero-day exploits targeting VPNs and edge devices. Ransomware continues its relentless rise, now appearing in 44% of breaches despite a dip in ransom payouts. Alarmingly, breaches involving third-party vendors have doubled to 30%, underscoring growing supply chain vulnerabilities. Human error and manipulation, especially through social engineering, remain a major factor in successful attacks. Espionage-driven breaches are also on the rise, particularly in Manufacturing and Healthcare, suggesting a shift in threat actor priorities. To counter these evolving threats, Verizon recommends a layered security strategy: enforcing strong password policies, timely vulnerability patching, robust employee training, and tighter controls over third-party access. The report makes it clear—cyber risks are expanding, and proactive defense is no longer optional.
The Mandiant M-Trends 2025 report paints a clear picture of an evolving cyber threat landscape, marked by a rise in financially motivated attacks—now making up 55% of all observed threat activity. Exploits remain the leading entry point for attackers, but the use of stolen credentials has reached an all-time high at 16%, highlighting a growing vulnerability. The financial sector emerged as the most targeted industry, involved in over 17% of all cases studied. Meanwhile, attackers are lingering longer within networks, with the median dwell time increasing to 11 days, a sign that detection capabilities may be lagging behind the sophistication of modern threats. New and evolving risks include the growing presence of infostealer malware, insecure cloud data repositories, insider threats from foreign IT operatives, and a surge in attacks on cryptocurrency and Web3 platforms. In response, Mandiant stresses the need for a multi-layered defense strategy—emphasizing better logging, proactive threat hunting, strong identity and access controls, and adoption of FIDO2-compliant multi-factor authentication to help organizations stay a step ahead.
Cisco Talos describes ToyMaker and Cactus threat actors.
In 2023, Cisco Talos uncovered a sophisticated attack on critical infrastructure involving two threat actors: ToyMaker and Cactus. ToyMaker, a financially motivated initial access broker (IAB), breached the organization by exploiting internet-facing vulnerabilities and deployed a custom backdoor, LAGTOY. This tool enabled remote command execution and credential theft. After initial reconnaissance and credential harvesting, ToyMaker handed off access to Cactus, a ransomware group known for double extortion. Cactus launched a full-scale attack, using various remote tools, creating malicious accounts, and eventually deploying ransomware. Their tactics included extensive data exfiltration and defense evasion, such as Safe Mode reboots and credential hiding. The incident highlights the operational handoff between access brokers and ransomware actors, and underscores the need for organizations to recognize and model interconnected threats for better defense.
Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods.
ARMO researchers described a major Linux security blind spot involving the io_uring interface: operations submitted through io_uring’s shared-memory rings (file opens, reads and writes, network connections) never pass through the individual system calls that many detection tools hook, so a rootkit can act without producing the syscall events those tools watch for. To demonstrate this, they built a proof-of-concept rootkit called “Curing” that uses io_uring to execute commands without triggering alerts. Most security tools tested, including Falco and Tetragon in their default configurations, failed to detect it. ARMO recommends Kernel Runtime Security Instrumentation (KRSI), which attaches eBPF programs to LSM hooks rather than to syscall entry points, for monitoring such activity, and “Curing” is now publicly available for testing on GitHub.
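To make the blind spot concrete, here is an added example written for this briefing page, not code from ARMO’s Curing or from the original story: a small C program that opens, reads and closes a file using only io_uring operations, so a syscall tracer sees io_uring_setup and io_uring_enter but no openat(2) or read(2) against the target. It drives the raw syscalls with the kernel’s linux/io_uring.h instead of liburing, assumes a Linux 5.6 or newer kernel, and the -2 return code meaning “io_uring unavailable” is this example’s own convention.

```c
/* Added example (not from the briefing or ARMO's Curing): read a file via
 * io_uring so no openat(2)/read(2) ever reaches the syscall table; a syscall
 * tracer sees only io_uring_setup/io_uring_enter. Assumes Linux >= 5.6. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/io_uring.h>

struct ring {                      /* user-space view of one SQ/CQ ring pair */
    int fd;
    struct io_uring_params p;
    unsigned char *sq, *cq;        /* mmap'd ring metadata (head/tail/mask/array) */
    struct io_uring_sqe *sqes;     /* mmap'd submission queue entries */
    size_t sq_sz, cq_sz;
};
#define RING_MMAP(fd, len, off) \
    mmap(NULL, (len), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, (fd), (off))
#define U32_AT(base, off) (*(unsigned *)((base) + (off)))

static int ring_init(struct ring *r) {
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(__NR_io_uring_setup, 4, &r->p);   /* 4-entry ring */
    if (r->fd < 0) return -errno;
    r->sq_sz = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    r->cq_sz = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    r->sq = RING_MMAP(r->fd, r->sq_sz, IORING_OFF_SQ_RING);
    r->cq = RING_MMAP(r->fd, r->cq_sz, IORING_OFF_CQ_RING);
    r->sqes = RING_MMAP(r->fd, r->p.sq_entries * sizeof(struct io_uring_sqe), IORING_OFF_SQES);
    return (r->sq == MAP_FAILED || r->cq == MAP_FAILED || r->sqes == MAP_FAILED) ? -errno : 0;
}
static void ring_free(struct ring *r) {
    if (r->sqes && r->sqes != MAP_FAILED) munmap(r->sqes, r->p.sq_entries * sizeof(struct io_uring_sqe));
    if (r->cq && r->cq != MAP_FAILED) munmap(r->cq, r->cq_sz);
    if (r->sq && r->sq != MAP_FAILED) munmap(r->sq, r->sq_sz);
    if (r->fd >= 0) close(r->fd);
}

/* Push one SQE, submit it, block until its CQE arrives; returns cqe->res. */
static int ring_do(struct ring *r, const struct io_uring_sqe *req) {
    unsigned *sq_tail = &U32_AT(r->sq, r->p.sq_off.tail);
    unsigned *cq_head = &U32_AT(r->cq, r->p.cq_off.head);
    struct io_uring_cqe *cqes = (struct io_uring_cqe *)(r->cq + r->p.cq_off.cqes);
    unsigned tail = *sq_tail, idx = tail & U32_AT(r->sq, r->p.sq_off.ring_mask);
    r->sqes[idx] = *req;
    U32_AT(r->sq, r->p.sq_off.array + idx * sizeof(unsigned)) = idx;
    __atomic_store_n(sq_tail, tail + 1, __ATOMIC_RELEASE);        /* publish to kernel */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        return -errno;
    unsigned head = __atomic_load_n(cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(&U32_AT(r->cq, r->p.cq_off.tail), __ATOMIC_ACQUIRE))
        return -EAGAIN;                                           /* nothing completed */
    int res = cqes[head & U32_AT(r->cq, r->p.cq_off.ring_mask)].res;
    __atomic_store_n(cq_head, head + 1, __ATOMIC_RELEASE);        /* hand the CQE slot back */
    return res;
}

/* Read up to cap-1 bytes of path into buf (NUL-terminated) using only
 * IORING_OP_OPENAT, IORING_OP_READ and IORING_OP_CLOSE. Returns the byte
 * count, -2 if io_uring (or these opcodes) is unavailable, else -errno. */
int uring_read_file(const char *path, char *buf, size_t cap) {
    struct ring r;
    struct io_uring_sqe sqe;
    int rc = ring_init(&r);
    if (rc == 0) {
        memset(&sqe, 0, sizeof sqe);
        sqe.opcode = IORING_OP_OPENAT;        /* open without openat(2) */
        sqe.fd = AT_FDCWD;
        sqe.addr = (uint64_t)(uintptr_t)path;
        sqe.open_flags = O_RDONLY;
        int fd = ring_do(&r, &sqe);
        if (fd < 0) rc = fd;
        else {
            memset(&sqe, 0, sizeof sqe);
            sqe.opcode = IORING_OP_READ;      /* read without read(2) */
            sqe.fd = fd;
            sqe.addr = (uint64_t)(uintptr_t)buf;
            sqe.len = (uint32_t)(cap - 1);
            rc = ring_do(&r, &sqe);
            if (rc >= 0) buf[rc] = '\0';
            memset(&sqe, 0, sizeof sqe);
            sqe.opcode = IORING_OP_CLOSE;     /* close without close(2) on it */
            sqe.fd = fd;
            ring_do(&r, &sqe);
        }
    }
    ring_free(&r);
    /* ENOSYS: no io_uring; EPERM: seccomp or io_uring_disabled sysctl; EINVAL: opcode unknown */
    return (rc == -ENOSYS || rc == -EPERM || rc == -EINVAL) ? -2 : rc;
}

int main(int argc, char **argv) {
    char buf[4096];
    int n = uring_read_file(argc > 1 ? argv[1] : "/proc/self/status", buf, sizeof buf);
    if (n < 0) { fprintf(stderr, "io_uring read failed: %d\n", n); return 1; }
    fwrite(buf, 1, (size_t)n, stdout);   /* compare: strace -f shows no read()/openat() */
    return 0;
}
```

Run it under `strace -f` and then do the same with `cat` on the same file: the openat, read and close on the target never appear in the io_uring trace, which is exactly what a syscall-hook rule misses and what an eBPF LSM (KRSI) probe on the VFS path, such as the file_open hook, would still see. The same mechanism is why turning io_uring off where it is not needed is a cheap mitigation: the io_uring_disabled sysctl on 6.6 and newer kernels, or a seccomp profile that blocks io_uring_setup as Docker’s default profile now does, makes the program above return -2 instead of reading anything.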
Ransomware groups are experimenting with new business models.
Ransomware groups like DragonForce and Anubis are experimenting with new business models to attract affiliates and boost profits, according to Secureworks. DragonForce, which began as a traditional ransomware-as-a-service (RaaS) operation, has rebranded as a “cartel,” offering hackers shared infrastructure and management tools while allowing them to use their own malware. This flexible model may broaden its affiliate base, though shared resources introduce operational risks. Meanwhile, Anubis offers multiple monetization options—ransom, extortion, and access sales—sharing 50-80% of profits with affiliates. It also increases pressure on victims through public shaming and threats to report breaches to regulators. These evolving strategies reflect a shift toward decentralization in the ransomware ecosystem, especially following disruptions to major players like LockBit. While ransomware attacks continue, experts note early signs that profit-cutting efforts may be impacting the threat landscape.
Global censorship takes a coffee break.
2025 opened with a noteworthy global phenomenon: governments pressing pause on internet shutdowns. According to Cloudflare’s Q1 report, not a single new government-mandated internet blackout was recorded. These digital blackouts, often tied to elections, protests, or even school exams, have long been a tool for control. But this sudden lull has analysts scratching their heads. Cloudflare suggests fewer protests and national exams may be a factor, while NetBlocks’ Alp Toker points to deeper shifts—like the shuttering of USAID programs and increased compliance from social media platforms with government censorship requests. With fewer “objectionable” voices online, regimes have less reason to pull the plug. Still, mother nature didn’t get the memo. Fires, storms, and earthquakes knocked out networks from New Jersey to Myanmar. While the pause in shutdowns is welcome, experts warn it may be short-lived.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.