The CyberWire Daily Podcast 5.6.25
Ep 2302 | 5.6.25

No hocus pocus—MagicINFO flaw is the real threat.

Transcript

A critical flaw in Samsung's MagicINFO CMS is being actively exploited. President Trump's proposed 2026 budget aims to slash funding for CISA. "ClickFix" malware targets both Windows and Linux systems through advanced social engineering. CISA warns of a critical Langflow vulnerability actively exploited in the wild. A new supply-chain attack targets Linux servers using malicious Go modules found on GitHub. The Venom Spider threat group targets HR professionals with fake resume submissions. The Luna Moth group escalates phishing attacks on U.S. legal and financial institutions. The U.S. Treasury aims to cut off a Cambodia-based money laundering operation. Our guest is Monzy Merza, Co-Founder and CEO of Crogl, discussing the CISO's conundrum in the face of AI. Malware, mouse ears, and mayhem: Disney hacker pleads guilty.

Today is Tuesday May 6th 2025. I'm Dave Bittner. And this is your CyberWire Intel Briefing.

A critical flaw in Samsung’s MagicINFO 9 Server CMS is being actively exploited. 

A critical flaw in Samsung's MagicINFO 9 Server CMS is being actively exploited just days after proof-of-concept code went public, Arctic Wolf warns. Tracked as CVE-2024-7399 with a CVSS score of 8.8, the vulnerability allows unauthenticated attackers to upload and execute malicious files with system-level privileges. The flaw stems from improper input validation in the server's file upload handling, which lets an attacker write an arbitrary file, such as a crafted JavaServer Pages (JSP) file, to a location the server will execute, giving remote code execution. Though Samsung patched the bug in version 21.1050, released in August 2024, Arctic Wolf detected exploitation starting April 30, 2025, following public disclosure. With an easy path to exploitation and public PoC code available, experts expect continued targeting. Organizations using MagicINFO are urged to update immediately; until they do, the server's web interface should not be reachable from the internet.

President Trump’s proposed 2026 budget aims to slash funding for CISA. 

President Trump’s proposed 2026 budget aims to slash funding for the Cybersecurity and Infrastructure Security Agency (CISA) by $491 million—about 17%. The cuts, currently symbolic and requiring congressional approval, are framed as an effort to dismantle what the administration calls the “censorship industrial complex.” The White House accuses CISA of prioritizing misinformation policing over its core mission of protecting critical infrastructure and election security. The budget would eliminate programs related to misinformation, international outreach, and public engagement, accusing them of violating free speech and mismanaging resources.

The move follows Trump’s longstanding, unfounded claims that the 2020 election was stolen. CISA’s minimal presence at this year’s RSA Conference and a surprise keynote by Homeland Security Secretary Kristi Noem signaled the agency’s shifting status. While CISA faces cuts, the Department of Homeland Security would see a $43 billion increase for border security and deportations. TSA and FEMA are also targeted for reductions, sparking early resistance from lawmakers.

“ClickFix” malware targets both Windows and Linux systems through advanced social engineering. 

A new malware campaign, dubbed "ClickFix," is targeting both Windows and Linux systems through advanced social engineering. Hackers have created convincing Ministry of Defense website clones in multiple countries, tricking defense workers into downloading fake security updates. The malware, first seen in April 2025, spreads via spear-phishing emails and uses spoofed domains with slight misspellings to appear legitimate. Once installed, it relies on platform-specific persistence rather than any software vulnerability, using a hidden PowerShell task on Windows and a fake service on Linux to maintain access and steal data. ClickFix's realism and cross-platform design make it hard to detect. Researchers at Hunt.io uncovered the campaign after spotting suspicious traffic from defense contractor networks. Security agencies have since confirmed breaches at several mid-level contractors and two government agencies. Attribution is still unknown, but the operation shows hallmarks of a well-funded threat actor. Experts recommend stricter verification of official communications and improved endpoint defenses.

CISA warns of a critical Langflow vulnerability actively exploited in the wild. 

CISA has issued an alert about CVE-2025-3248, a critical Langflow vulnerability actively exploited in the wild. Langflow, an AI development framework, is affected by a code injection flaw in its validation endpoint, allowing remote code execution without authentication. The bug, present in versions before 1.3.0, was detailed by Horizon3.ai, which released PoC exploit code. While version 1.3.0 adds authentication, full mitigation may require restricting network access. Agencies must patch by May 26, per federal directives.

A new supply-chain attack targets Linux servers using malicious Go modules found on GitHub. 

A recent supply-chain attack targets Linux servers using malicious Go modules found on GitHub, which deliver a disk-wiping Bash script named done.sh. The attack uses three obfuscated Go modules, prototransform, go-mcp, and tlsproxy, to fetch and execute a payload that verifies it's on a Linux system before running a destructive dd command. This command overwrites the entire primary storage volume (/dev/sda) with zeroes, rendering the system unbootable and all data unrecoverable. Researchers at Socket discovered the campaign in April 2025. The malicious modules impersonated legitimate developer tools to trick users. Because Go's decentralized module system lets anyone publish under a path that closely resembles a legitimate one, attackers can sneak destructive code into unsuspecting projects. Once the script is downloaded, it runs immediately, leaving no time to respond. All three malicious modules have since been removed from GitHub, but developers are urged to vet dependencies carefully to avoid catastrophic damage.
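As an added illustration of the dependency vetting the story recommends (this is example code written for this page, not code from Socket's research or from the podcast), here is a small Go checker that parses a go.mod file, verifies every required module comes from an allowlisted host, and flags paths that sit within a couple of edits of a known-good module path, which is how a look-alike module slips past a quick glance. The sample go.mod, the known-good list, the host allowlist, and the edit-distance threshold are all constructed for the demonstration; the look-alike path and the unfamiliar host in the sample are invented and not the modules named in the story.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one "path version" entry from a go.mod require directive.
type Requirement struct {
	Path    string
	Version string
}

// Finding is a vetting result for one required module.
type Finding struct {
	Path   string
	Reason string
}

// parseRequires extracts module paths and versions from go.mod text. It
// handles both the block form "require ( ... )" and single-line
// "require path version" directives, and ignores trailing comments
// such as "// indirect".
func parseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				reqs = append(reqs, Requirement{f[0], f[1]})
			}
		case strings.HasPrefix(line, "require") && strings.HasSuffix(line, "("):
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				reqs = append(reqs, Requirement{f[1], f[2]})
			}
		}
	}
	return reqs
}

func minInt(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance (insertions, deletions and
// substitutions) between a and b; a small distance to a trusted module
// path is the signature of a typosquat.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// vetRequirements applies three checks, one finding at most per module:
// the host must be on the allowlist; a path that is not on the known-good
// list but within maxDist edits of one is reported as a possible typosquat;
// any other unknown path is reported for manual review.
func vetRequirements(reqs []Requirement, known, allowedHosts []string, maxDist int) []Finding {
	knownSet := map[string]bool{}
	for _, k := range known {
		knownSet[k] = true
	}
	hostOK := map[string]bool{}
	for _, h := range allowedHosts {
		hostOK[h] = true
	}
	var findings []Finding
	for _, r := range reqs {
		host := strings.SplitN(r.Path, "/", 2)[0]
		if !hostOK[host] {
			findings = append(findings, Finding{r.Path, "host " + host + " is not on the allowlist"})
			continue
		}
		if knownSet[r.Path] {
			continue
		}
		best, bestDist := "", maxDist+1
		for _, k := range known {
			if d := levenshtein(r.Path, k); d < bestDist {
				best, bestDist = k, d
			}
		}
		if best != "" {
			findings = append(findings, Finding{r.Path, fmt.Sprintf("possible typosquat of %s (edit distance %d)", best, bestDist)})
			continue
		}
		findings = append(findings, Finding{r.Path, "not on the known-good list; review before building"})
	}
	return findings
}

// Constructed sample input for a hypothetical project; the look-alike
// path and the unfamiliar host are invented for this demonstration.
const sampleGoMod = `module example.com/internal/app

go 1.22

require (
	github.com/stretchr/testify v1.9.0
	github.com/strechr/testify v1.9.0 // indirect
	golang.org/x/crypto v0.23.0
	github.com/gorilla/mux v1.8.1
)

require gitlab.example-evil.net/tools/tlsproxy v0.1.0
`

// Hypothetical organisation policy: modules already reviewed, and hosts
// builds may fetch from.
var knownGood = []string{
	"github.com/stretchr/testify",
	"golang.org/x/crypto",
	"github.com/gorilla/mux",
}

var allowedHosts = []string{"github.com", "golang.org", "google.golang.org", "gopkg.in"}

// vetSample runs the checker over the constructed go.mod.
func vetSample() []Finding {
	return vetRequirements(parseRequires(sampleGoMod), knownGood, allowedHosts, 2)
}

func main() {
	for _, f := range vetSample() {
		fmt.Printf("%-45s %s\n", f.Path, f.Reason)
	}
}
```

Run as a pre-build step in CI and fail the build on any finding; a module like the look-alike in the sample would otherwise be fetched and compiled, and in the campaign above the destructive payload ran as soon as the code was pulled in.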

The Venom Spider threat group targets HR professionals with fake resume submissions. 

The Venom Spider threat group is targeting HR professionals with malware disguised as fake resume submissions. According to Arctic Wolf, attackers are sending phony job applications and links to fake personal websites. These sites display a CAPTCHA to appear legitimate, then prompt the user to download a resume, which is actually a malicious ZIP file. This file contains the More_eggs malware—a JavaScript-based remote access tool that steals credentials and gives attackers backdoor access. Historically focused on e-commerce and payment platforms, Venom Spider has now shifted to targeting HR portals and job boards like LinkedIn, putting nearly every industry at risk. The group uses cloud infrastructure, anonymous domains, and evasive communication methods to avoid detection. The campaign is especially dangerous because HR staff are expected to open emails and files from unknown sources, making them ideal targets under high-volume hiring pressures.

The Luna Moth group escalates phishing attacks on U.S. legal and financial institutions. 

The Luna Moth group, also known as Silent Ransom Group, is escalating its callback phishing attacks on U.S. legal and financial institutions. These campaigns impersonate IT support staff via email and phone, tricking victims into calling fake helpdesk numbers. Victims are then persuaded to install remote monitoring and management tools like AnyDesk or Zoho Assist, granting attackers direct access to their systems. Luna Moth avoids malware, relying entirely on social engineering. Once inside, they search for sensitive data and exfiltrate it using tools like WinSCP or Rclone. The attackers then extort victims, threatening to leak stolen data unless ransoms ranging from $1 million to $8 million are paid. The group has registered dozens of typosquatted domains to support this scheme and remains difficult to detect because every tool it uses is legitimate software. Organizations are advised to restrict RMM tools that are not in approved use and block known Luna Moth infrastructure.

The U.S. Treasury aims to cut off a Cambodia-based money laundering operation. 

The U.S. Treasury has begun the process of cutting off Cambodia-based Huione [hwee-own] Group from the dollar financial system, citing its role in laundering billions for North Korean and Southeast Asian cybercriminal groups. Huione facilitated scams and laundered over $4 billion from 2021 to early 2025, including $37 million tied to North Korean cyber activities. The company operates Huione Guarantee, a massive illicit online marketplace that, according to Chainalysis and Elliptic, has processed up to $49 billion in crypto transactions—far surpassing past darknet markets like Hydra. Huione’s network includes crypto and payment services that support scams and money laundering. The U.S. aims to disrupt Huione’s financial operations, with Treasury officials labeling it a central hub for global cybercrime. The move follows a broader crackdown on cyber scams in East and Southeast Asia, where organized crime thrives amid weak enforcement and systemic corruption.

Malware, mouse ears, and mayhem: Disney hacker pleads guilty. 

And finally, in a tale worthy of a Disney villain, 25-year-old Californian Ryan Kramer—alias “NullBulge”—pled guilty to hacking into Disney’s Slack and stealing 1.1 terabytes of internal data. How? With a malware-laced “AI image generator” disguised as a legit program on GitHub. One unsuspecting Disney employee, Matthew Van Andel, downloaded the malware, unknowingly handing over his digital keys—including those stored in 1Password. Kramer used them to sneak into Disney’s Slack like a tech-savvy Ursula, grabbing data from nearly 10,000 channels. Then, with the flair of a B-movie hacker, Kramer posed as a Russian hacktivist group, threatening Van Andel to stay quiet or face the public dump of Disney’s secrets. When Van Andel didn’t bite, Kramer made good on the threat and posted the massive haul on BreachForums. Kramer now faces up to 10 years in prison, proving once again that trying to blackmail a mouse never ends well.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.