The CyberWire Daily Podcast 5.5.25
Ep 2301 | 5.5.25

Hardcoded credentials and hard lessons.

Transcript

Researchers uncover serious vulnerabilities in the Signal fork reportedly used by top government officials. CISA adds a second Commvault flaw to its Known Exploited Vulnerabilities catalog. xAI exposed a private API key on GitHub for nearly two months. FortiGuard uncovers a cyber-espionage campaign targeting critical national infrastructure in the Middle East. Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums. The StealC info-stealer and malware loader gets an update. Passkeys blaze the trail to a passwordless future. On our Afternoon Cyber Tea segment with Ann Johnson, Ann speaks with Christina Morillo, Head of Information Security at the New York Giants. Cubism meets computing: the Z80 goes full Picasso. 

Today is Monday May 5th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Hey everyone, and welcome back! It’s really good to be home—back in the Baltimore area after an exciting, energizing trip to San Francisco for this year’s RSA Conference. The conference was a hit—great sessions, lively conversations, and plenty of time spent with friends, both familiar faces and some fantastic new ones. And yes, I spotted my new favorite t-shirt: “My Agentic AI has purchase authority.” Because nothing says cutting-edge like giving your AI a company credit card. Let’s get into it.

Researchers uncover serious vulnerabilities in the Signal fork reportedly used by top government officials. 

It’s hard not to groan a little at this one. Researchers have uncovered a serious vulnerability in TM SGNL, an obscure, non-public messaging app reportedly used by former National Security Advisor Mike Waltz—yes, that Waltz, of “accidentally added a journalist to a classified chat” fame. TM SGNL turns out to be a lightly tweaked version of Signal, modified to archive messages, which may explain its appeal to officials needing to comply with record-keeping laws. But here’s the kicker: the app uses hardcoded credentials, a rookie-level security blunder. Oh, and the company behind the app, TeleMessage? According to hackers, it was breached too—exposing messages, user data, and even backend credentials. The breach reportedly took “15-20 minutes.” It raises uncomfortable questions about why officials are turning to fringe apps instead of secure government systems. Whatever the rationale, it’s clear that security hygiene took a backseat—and that needs to change, fast.

What happened here appears to be a textbook case of bypassing the rules that exist for a reason. Instead of going through proper U.S. government channels to vet and approve software, officials reportedly sidestepped protocol and deployed a messaging app tied to some shadowy Israeli intel-adjacent developers—through what amounts to shadow IT. It’s the kind of move that makes the whole “cutting red tape” mantra look reckless rather than efficient. Bureaucracy may be frustrating, but it’s built on hard-learned lessons about risk and control. Ignoring it in favor of quick fixes isn’t innovation—it’s negligence. And if this is what’s being done in the open, you have to wonder what else is being quietly waved through under the banner of “efficiency.” It’s not just sloppy—it’s dangerous.

CISA adds a second Commvault flaw to its Known Exploited Vulnerabilities catalog. 

CISA has added a second Commvault flaw (CVE-2025-34028) to its Known Exploited Vulnerabilities catalog in less than a week, highlighting rising threat activity. The critical vulnerability (CVSS 10.0) affects Commvault Command Center versions 11.38.0 to 11.38.19 and allows unauthenticated remote code execution via malicious ZIP files. Though not yet confirmed exploited in the wild, proof-of-concept code is public. Federal agencies must patch by May 23 under BOD 22-01. CISA also added a related Yii framework flaw used in Craft CMS attacks.

xAI exposed a private API key on GitHub for nearly two months. 

A serious security misstep at Elon Musk’s AI company, xAI, exposed a private API key on GitHub for nearly two months. The key granted unauthorized access to internal, fine-tuned LLMs used by SpaceX, Tesla, and Twitter/X, including unreleased Grok models. Discovered by security expert Philippe Caturegli and later investigated by GitGuardian, the leak stemmed from a mistakenly committed environment file. Despite early alerts, the key remained active until April 30. The exposed credentials had access to at least 60 sensitive datasets, underscoring lapses in xAI’s credential management and internal monitoring. GitGuardian flagged that this kind of mistake—committing secrets to public repos—is unfortunately common. xAI has not commented publicly. The incident highlights how even top-tier tech firms can fall short on basic operational security when secret management protocols are weak or overlooked.
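The failure mode behind both the TM SGNL hardcoded credentials and the xAI committed environment file is a credential reaching a repository at all. Below is an added example of a pre-commit style check for that, not code from the page or from any company it names; the file paths, variable names and key values are constructed for the example, and the entropy threshold is an assumption.

```python
import math
import re
from collections import Counter

# Variable names that usually carry credentials in .env files and source.
SENSITIVE_NAME = re.compile(r"(api[_-]?key|secret|token|passw(or)?d|private[_-]?key)", re.I)
# Matches dotenv lines (KEY=value) and simple source assignments (key = "value").
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*['"]?(?P<value>[^'"\s#]+)""")
PLACEHOLDERS = {"", "changeme", "none", "null", "true", "false", "example"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking API keys score well above plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_placeholder(value: str) -> bool:
    # Template values such as ${VAR}, <your-key-here> or CHANGEME are not leaks.
    return value.lower() in PLACEHOLDERS or value.startswith(("${", "<"))

def scan_text(path: str, text: str, min_len: int = 16, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per line that assigns a credential-looking value (threshold is an assumption)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m or not SENSITIVE_NAME.search(m["name"]) or is_placeholder(m["value"]):
            continue
        entropy = shannon_entropy(m["value"])
        # Short or low-entropy values (e.g. "hunter2") are a known blind spot of this check.
        if len(m["value"]) >= min_len and entropy >= min_entropy:
            findings.append({"path": path, "line": lineno, "name": m["name"],
                             "entropy": round(entropy, 2)})
    return findings

def scan_staged(files: dict[str, str]) -> list[dict]:
    """Scan a {path: contents} map of files about to be committed."""
    findings = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        # A real dotenv file is flagged outright: it belongs in .gitignore, never in a commit.
        if base == ".env" or (base.startswith(".env.") and not base.endswith((".example", ".sample"))):
            findings.append({"path": path, "line": 0, "name": "dotenv file", "entropy": 0.0})
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample of "staged files"; every key value here is made up for this example.
SAMPLE_FILES = {
    ".env": "DB_HOST=localhost\nLLM_API_KEY=Qw7zP3kLm9Rt2vXb8YnJ4HcS\n",
    "app/config.py": 'TIMEOUT = 30\npassword = "CHANGEME"\nAPI_TOKEN = "a9F3kQ2mZ8xL1pW5rT7yU4vB6nC0dE"\n',
    ".env.example": "LLM_API_KEY=<your-key-here>\n",
}

if __name__ == "__main__":
    for f in scan_staged(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['name']} (entropy {f['entropy']})")
```

Wire `scan_staged` to the output of `git diff --cached --name-only` in a pre-commit hook and fail the commit on any finding; treating the committed `.env` file itself as a finding is what would have caught the case described above.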

FortiGuard uncovers a cyber-espionage campaign targeting critical national infrastructure in the Middle East. 

FortiGuard’s Incident Response Team has uncovered a prolonged cyber-espionage campaign targeting critical national infrastructure in the Middle East, attributed to an Iranian state-sponsored group. The intrusion spanned from May 2023 to early 2025, with activity possibly dating back to 2021. Attackers used stolen VPN credentials to access the network, deploying custom malware like HanifNet, HXLibrary, and NeoExpressRAT, and evaded segmentation using proxy tools. They also attempted to regain access post-containment via web app vulnerabilities and phishing attacks. The campaign showed a high level of sophistication, with an emphasis on persistence and stealth. No operational disruptions were confirmed, but the attackers demonstrated strong interest in OT systems. The report urges better credential hygiene, stronger segmentation, and proactive monitoring to defend against such advanced threats.

Threat brokers advertise a new SS7 zero-day exploit on cybercrime forums. 

A newly advertised SS7 zero-day exploit on cybercrime forums is raising alarms about global mobile network security. Priced at $5,000, the kit allows attackers to intercept SMS messages, track phones in real time, and potentially eavesdrop on calls or bypass two-factor authentication. The exploit targets vulnerabilities in the Mobile Application Part (MAP) of the SS7 protocol, spoofing legitimate network nodes to manipulate routing and location data. Despite SS7’s outdated design, it still underpins many 2G and 3G telecom systems worldwide—used by around 30% of mobile connections. While newer networks offer stronger security, legacy systems remain vulnerable. Experts urge telecom providers to adopt SS7 firewalls and stricter controls, and recommend users move away from SMS-based authentication. This incident highlights the ongoing risks from legacy telecom infrastructure, even decades after SS7’s known flaws were first exposed.

The StealC info-stealer and malware loader gets an update.

StealC, a popular info-stealer and malware loader, has released its second major version, now at v2.2.4. First spotted in March 2025 by Zscaler, the update includes improved payload delivery, Chrome cookie theft bypasses, RC4 encryption, and real-time alerts via Telegram. It also adds a new admin panel and support for 64-bit systems. Notably, anti-VM checks were removed, possibly due to a major code overhaul. StealC remains actively used in attacks, often delivered via malware loaders like Amadey.

Passkeys blaze the trail to a passwordless future. 

Microsoft is advancing its commitment to a passwordless future by making passkeys the default sign-in method for all new Microsoft accounts. This shift aligns with the industry’s move towards more secure and user-friendly authentication methods. Passkeys utilize device-based biometric or PIN authentication, eliminating the need for traditional passwords and reducing the risk of phishing attacks. Microsoft reports a 98% success rate for passkey sign-ins, significantly higher than the 32% for password-based logins.

Security expert Troy Hunt emphasizes the vulnerabilities associated with traditional two-factor authentication methods, such as one-time passwords (OTPs), which can be susceptible to phishing. In a post titled “Passkeys for normal people,” he advocates for the adoption of passkeys, highlighting their resistance to such attacks. Hunt’s insights underscore the importance of transitioning to more secure authentication methods.

As major tech companies like Microsoft, Apple, and Google adopt passkeys, users are encouraged to embrace this change for enhanced security and a more streamlined login experience.

Cubism meets computing: the Z80 goes full Picasso. 

What happens when you mash up a 19th-century art icon and a retro CPU from the golden age of microcomputing? Apparently, you get the RC2014 Mini II Picasso. This limited-edition Z80-based single-board computer runs old-school BASIC, Forth, and CP/M—but does so with a flair even your art teacher would admire. Think standard RC2014 guts, but laid out like Picasso himself dropped by with a soldering iron and no regard for straight lines. Resistors pirouette over each other, components are skewed like cubist portraits, and no two boards look exactly the same—thanks to a wild mix of silkscreen colors and socket styles. It’s a PCB that says, “I contain multitudes… and 8-bit computing nostalgia.” Available via Z80Kits, this delightful mashup of silicon and surrealism is a refreshing reminder that PCBs don’t have to be neat—they can be expressive, eccentric, and maybe just a bit 1990s rave-chic too.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.