
AI on the offensive.
Updates from RSAC 2025. Former NSA cyber chief Rob Joyce warns that AI is rapidly approaching the ability to develop high-level software exploits. An FBI official warns that China is the top threat to U.S. critical infrastructure. Mandiant and Google raise alarms over widespread infiltration of global companies by North Korean IT workers. France accuses Russia’s Fancy Bear of targeting at least a dozen French government and institutional entities. SonicWall has issued an urgent alert about active exploitation of a high-severity vulnerability in its Secure Mobile Access appliances. A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature. Gremlin Stealer emerges as a serious threat. A 23-year-old Scottish man linked to the Scattered Spider hacking group has been extradited from Spain to the U.S. Senators urge FTC action on consumer neural data. New WordPress malware masquerades as an anti-malware plugin. Our guest is Andy Cao from ProjectDiscovery, the Winner of the 20th Annual RSAC™ Innovation Sandbox Contest. Our intern Kevin returns with some Kevin on the Street interviews from the RSAC floor. Research reveals the risk of juice jacking isn’t entirely imaginary.
Today is Thursday May 1st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Updates from RSAC 2025.
Day three of the RSAC 2025 conference concluded, having delivered a packed agenda of insights, warnings, and inspiration.
The day opened with Dmitri Alperovitch’s keynote, World on the Brink, offering a sobering look at rising Indo-Pacific tensions and how cyber warfare is now central to geopolitical instability.
Kevin Mandia followed with his annual state-of-cyber address, highlighting the evolving CISO role, AI’s growing influence, and resilience strategies. He was joined by journalist Nicole Perlroth for a sharp analysis of the year’s major threats and what lies ahead.
In a shift from technical talk, NBA legend Magic Johnson took the stage, drawing parallels between sports leadership and cybersecurity teamwork in The Art of the Assist.
A fireside chat between GCHQ Director Anne Keast-Butler and Chris Inglis emphasized the need for cross-sector collaboration. The day closed with SANS Institute’s breakdown of the five most dangerous new attack techniques — and how to prepare for them.
We’ll continue our coverage of RSAC 2025 over the next few days.
Former NSA cyber chief Rob Joyce warns that AI is rapidly approaching the ability to develop high-level software exploits.
At RSAC, former NSA cyber chief Rob Joyce warned that AI is rapidly approaching the ability to develop high-level software exploits. Joyce, now an advisor to Sandfly Security, predicted AI could become a reliable exploit developer as soon as this year or next. He pointed to AI’s strong performance in coding contests and the recent Hack The Box challenge, where an AI team nearly matched top human competitors. While he’s not worried about AI creating “script kiddie” attackers, he cautions that AI will enable skilled hackers to work faster and at scale.
AI also enhances phishing attacks by generating convincing, personalized emails—even with fake email threads and PDFs. On defense, AI offers speed advantages: reversing complex code in seconds instead of hours. Joyce also shared a clever ransomware attack that pivoted to a Linux video camera to encrypt data—highlighting how attackers exploit weak spots in unexpected places.
An FBI official warns that China is the top threat to U.S. critical infrastructure.
Elsewhere at the RSA Conference, FBI Deputy Assistant Director Cynthia Kaiser called China the top threat to U.S. critical infrastructure. She said Chinese state-backed hackers are increasingly using AI to boost their cyber capabilities. This includes crafting fake business profiles, launching more convincing spear-phishing campaigns, and improving early-stage network scans. While AI isn’t yet creating shapeshifting malware, it’s enhancing targeting efforts. Kaiser stressed the importance of multi-factor authentication as a defense against these evolving, AI-powered threats.
Mandiant and Google raise alarms over widespread infiltration of global companies by North Korean IT workers.
Mandiant and Google are raising alarms over widespread infiltration of global companies by North Korean IT workers, a threat more pervasive than previously believed. At RSA 2025, Mandiant CTO Charles Carmakal revealed that most Fortune 500 firms have unknowingly received job applications—and often hired—North Korean nationals. These operatives earn high salaries, often holding multiple jobs, funneling millions back to Pyongyang. While initially seen as a revenue strategy, the risk has escalated, with some ex-employees resorting to extortion after termination. Mandiant and Google warn these insiders could leak data or disrupt critical systems, especially under pressure. Evidence links some operatives to IP addresses used by North Korea’s intelligence bureau, suggesting potential handovers of access to state-sponsored threat actors. Though companies are catching and removing infiltrators more quickly, the embedded nature of these actors poses a significant long-term cybersecurity risk to corporate and national infrastructure.
France accuses Russia’s Fancy Bear of targeting at least a dozen French government and institutional entities.
France has publicly accused Russian state-backed hacking group APT28—also known as Fancy Bear and linked to the GRU—of targeting or compromising at least a dozen French government and institutional entities. Active since 2004, APT28 has increasingly focused on espionage, using phishing, vulnerability exploitation, and brute-force attacks, often with low-cost, disposable infrastructure. The French cybersecurity agency ANSSI and Cyber Crisis Coordination Centre identified attacks on local governments, ministries, research institutions, and think tanks, including efforts targeting the 2024 Olympics. APT28 has used tools like the HeadLace backdoor and OceanMap stealer, hiding infrastructure behind compromised routers and free services. France condemned these cyberattacks as a violation of UN norms and vowed to respond, highlighting past incidents including interference in the 2017 French elections and attacks on TV5Monde. The government pledged continued vigilance and coordinated defense with international partners.
SonicWall has issued an urgent alert about active exploitation of a high-severity vulnerability in its Secure Mobile Access (SMA) appliances.
SonicWall has issued an urgent alert about active exploitation of a high-severity vulnerability in its Secure Mobile Access (SMA) appliances. The flaw allows authenticated attackers with admin access to execute arbitrary commands, risking full system compromise. Initially disclosed in December 2023, it’s now being weaponized in real attacks. SonicWall urges customers to upgrade firmware, audit devices for unauthorized access, and strengthen authentication practices immediately.
A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature.
A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature to conduct adversary-in-the-middle (AitM) attacks and hijack software updates on Windows systems, according to ESET. Active since at least 2022, the group targets entities in Asia and the Middle East, including individuals and gambling firms. Their tool, “Spellbinder,” exploits IPv6’s Stateless Address Autoconfiguration (SLAAC) by sending spoofed Router Advertisement messages, tricking nearby systems into routing traffic through attacker-controlled gateways. Spellbinder is deployed via a fake AVG archive and uses DLL sideloading to load malicious code into memory. It captures traffic to Chinese software update domains, redirects requests, and installs the “WizardNet” backdoor for persistent access. ESET warns that organizations should monitor IPv6 traffic or disable IPv6 if not required. This tactic mirrors similar supply chain hijacking seen in January by another APT group, “Blackwood.”
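As an added example (not ESET's or the group's code), here is a small detector in the spirit of ESET's advice to monitor IPv6 traffic: it flags Router Advertisements whose sender is not on an allowlist of the segment's known routers, which is the footprint a SLAAC gateway hijack leaves. The RA records, the allowlist, the prefixes and the field names are constructed assumptions.

```python
# Rogue IPv6 Router Advertisement detector: an added example, not ESET's code.
# Spellbinder (above) sends spoofed RAs so SLAAC hosts adopt an attacker host as
# their gateway; a passive monitor that records every RA on a segment can flag
# senders that are not known routers. Records, allowlist and fields are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class RouterAdvert:
    src_mac: str          # link-layer source of the RA
    src_ip: str           # fe80:: link-local sender address
    prefix: str           # advertised on-link prefix (Prefix Information option)
    router_lifetime: int  # seconds; > 0 advertises the sender as a default router
    preference: str       # "low", "medium" or "high" (RFC 4191 Prf bits)

# Constructed allowlist of the segment's legitimate routers and prefixes.
KNOWN_ROUTERS = {"00:11:22:33:44:01": {"fe80::1", "fe80::2"}}
EXPECTED_PREFIXES = {"2001:db8:10::/64"}

def classify_ra(ra: RouterAdvert) -> list[str]:
    """Return the reasons an RA looks rogue; an empty list means it matches policy."""
    reasons = []
    if ra.src_mac not in KNOWN_ROUTERS:
        reasons.append("unknown source MAC")
    elif ra.src_ip not in KNOWN_ROUTERS[ra.src_mac]:
        reasons.append("known MAC but unexpected link-local address")
    if ra.prefix not in EXPECTED_PREFIXES:
        reasons.append(f"unexpected prefix {ra.prefix}")
    # An RA from an unexpected sender that also claims to be a high-preference
    # default router is exactly the shape of a SLAAC gateway hijack.
    if reasons and ra.router_lifetime > 0 and ra.preference == "high":
        reasons.append("claims high-preference default router")
    return reasons

def scan(ras: list[RouterAdvert]) -> list[tuple[str, list[str]]]:
    """Return (source MAC, reasons) for every RA that fails policy."""
    return [(ra.src_mac, r) for ra in ras if (r := classify_ra(ra))]

# Constructed sample capture: one legitimate RA followed by one spoofed RA.
SAMPLE = [
    RouterAdvert("00:11:22:33:44:01", "fe80::1", "2001:db8:10::/64", 1800, "medium"),
    RouterAdvert("aa:bb:cc:dd:ee:ff", "fe80::beef", "2001:db8:10::/64", 9000, "high"),
]

if __name__ == "__main__":
    for mac, reasons in scan(SAMPLE):
        print(mac, "->", "; ".join(reasons))
```

In a real deployment the RA records would come from a packet capture or an IPv6 monitoring tool on the segment rather than the inline sample.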
Gremlin Stealer emerges as a serious threat.
A new malware dubbed Gremlin Stealer has emerged as a serious threat, targeting sensitive data like credit cards, browser cookies, and credentials. Discovered by Palo Alto Networks’ Unit 42, the malware—written in C#—is aggressively promoted on Telegram and uses advanced techniques to bypass browser protections. It harvests data from browsers, cryptocurrency wallets, apps like Telegram and Discord, and exfiltrates it via a Telegram bot or a dedicated server. With ongoing development and a polished user interface, Gremlin Stealer signals a growing, professionalized cybercrime threat.
A 23-year-old Scottish man linked to the Scattered Spider hacking group has been extradited from Spain to the U.S.
Krebs on Security reports that Tyler Robert Buchanan, a 23-year-old Scottish man linked to the Scattered Spider hacking group, has been extradited from Spain to the U.S. to face charges of wire fraud, conspiracy, and identity theft. Prosecutors allege Buchanan and co-conspirators hacked dozens of companies, stealing over $26 million, primarily through SMS phishing and SIM-swapping attacks in 2022. Victims included Twilio, DoorDash, and Mailchimp. The FBI tied Buchanan to the phishing campaign using domain registration data and IP addresses linked to his U.K. residence. Buchanan fled the U.K. after being targeted by a rival gang and was arrested in Mallorca in 2024. U.S. authorities seized 20 digital devices, revealing stolen credentials and crypto wallet transactions involving 391 bitcoin. Buchanan is one of five indicted in November 2024, as investigators continue probing Scattered Spider’s broader cybercrime operations, including links to ransomware attacks on MGM and Caesars.
Senators urge FTC action on consumer neural data.
On April 28, 2025, U.S. Senators Chuck Schumer, Maria Cantwell, and Ed Markey urged the Federal Trade Commission (FTC) to scrutinize consumer neurotechnology companies over the handling of neural data. They highlighted concerns that brain-computer interface (BCI) devices—ranging from medical implants to consumer-grade wearables—collect sensitive neural information capable of revealing mental health conditions and emotional states, often without adequate user consent or transparency. The senators called for the FTC to investigate potential unfair or deceptive practices under Section 5 of the FTC Act, to assess data transfers to foreign entities under Section 6(b), to clarify how existing privacy standards apply to neural data, and to enforce the Children’s Online Privacy Protection Act (COPPA) to safeguard minors' neural information. They also recommended initiating rulemaking to establish clear safeguards for neural data, ensuring protections extend beyond existing biometric and health data rules, and setting appropriate limits on secondary uses such as AI training or behavioral profiling.
New WordPress malware masquerades as an anti-malware plugin.
A sophisticated malware strain is targeting WordPress sites by masquerading as a legitimate anti-malware plugin. Discovered by Wordfence on January 22, 2025, this malware grants attackers persistent access through remote code execution, admin privilege escalation, and JavaScript injection for adware. It employs stealth tactics, such as hiding from the plugin dashboard and modifying wp-cron.php to reinstall itself upon deletion. The malware communicates with a C&C server in Cyprus every minute, reporting site details. Wordfence released detection signatures to premium users in January, with free users receiving updates by May 23, 2025.
Stick around after the break—Dave Bittner sits down with Andy Cao from ProjectDiscovery, winner of the 20th Annual RSAC™ Innovation Sandbox Contest. Plus, juice jacking: not just a myth.
Andy Cao of ProjectDiscovery was recently named the winner of the 20th Annual RSAC™ Innovation Sandbox Contest at RSAC 2025. While at the conference, Dave Bittner caught up with him to discuss the event. Here’s their conversation.
That was Andy Cao from ProjectDiscovery, winner of the 20th Annual RSAC™ Innovation Sandbox Contest, speaking with Dave Bittner. If you’d like to learn more about the Innovation Sandbox Contest, check out the link in our show notes.
Research reveals the risk of juice jacking isn’t entirely imaginary.
And finally, despite years of skepticism and scaremongering about “juice jacking,” new research reveals the risk isn’t entirely imaginary. Security researchers have uncovered a method called ChoiceJacking that defeats both Apple and Google’s decade-old mitigations designed to stop malicious chargers from accessing your phone’s data. The attack abuses weaknesses in the USB protocol and OS-level trust models, allowing chargers to spoof user input and hijack file access permissions. It works on 10 of 11 tested devices and can steal files in under 30 seconds—if the attacker controls the charger and the device is vulnerable. Still, it’s worth noting there are no known real-world attacks of this kind. The biggest risk remains for Android phones with USB Debugging enabled. Apple and Google have issued fixes, but many Android devices haven’t adopted them. So while juice jacking still sounds like a hacker horror story, some caution around public chargers might be justified—barely.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.