The CyberWire Daily Podcast 5.9.25
Ep 2305 | 5.9.25

Scrutinizing the security of messaging apps continues.

Transcript

The messaging app used by CBP and the White House faces continued security scrutiny. Hacktivists breach the airline used for U.S. deportation flights. The FBI warns that threat actors are exploiting outdated, unsupported routers. Education giant Pearson confirms a cyberattack. Researchers report exploitation of Windows Remote Management (WinRM) for stealthy lateral movement in Active Directory (AD) environments. A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT. A zero-day vulnerability in SAP NetWeaver enables remote code execution. An Indiana health system reports a data breach affecting nearly 263,000 individuals. Our guest is Alex Cox, Director of Information Security at LastPass, discussing tax-related lures targeting refunds. AI empowers a murder victim to speak from beyond the grave.

Today is Friday, May 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The messaging app used by CBP and the White House faces continued security scrutiny.

The U.S. Customs and Border Protection (CBP) confirmed it uses at least one app from TeleMessage, a service that clones popular messaging apps like Signal and WhatsApp but adds archiving features for compliance. Following a detected cyber incident, CBP disabled the app. TeleMessage, now owned by U.S.-based Smarsh, paused all services amid investigations into multiple security breaches and flaws in its Android app’s source code. A recent photo showed former national security adviser Mike Waltz using the app, appearing to chat with officials including Vice President JD Vance. Senator Ron Wyden has urged the DOJ to investigate, calling the software a national security risk. Despite being a federal contractor, TeleMessage’s consumer apps aren’t approved under FedRAMP. The full scope of government use remains unclear.

Hacktivists breach the airline used for U.S. deportation flights. 

Hacktivists claiming ties to Anonymous breached GlobalX Airlines, a U.S. government contractor used for deportation flights, stealing flight records, passenger lists, and months of itinerary data. They defaced the airline’s website with a political message and a Guy Fawkes mask image, criticizing the company’s role in deportations. The hackers contacted journalists and leaked data showing details of flights deporting hundreds of Venezuelan migrants, some mid-flight while legal challenges were still pending. According to 404 Media, the hackers accessed GlobalX’s AWS cloud by exploiting a developer token and retrieving access keys. They also reportedly sent messages to pilots using a flight operations tool and accessed the company’s GitHub. The breach highlights severe security lapses. As of now, neither GlobalX nor U.S. immigration officials have commented.

The FBI warns that threat actors are exploiting outdated, unsupported routers. 

The FBI has warned that threat actors are exploiting outdated, unsupported routers—likely from brands like Cisco’s Linksys and Ericsson’s Cradlepoint—using unpatched vulnerabilities and remote management software. Hackers bypassed authentication to gain shell access, installed malware, and turned the devices into part of a botnet. These compromised routers were then used as proxies via the Anyproxy and 5Socks networks, helping criminals hide their activities. Malware communications included a two-way handshake with a command-and-control server. While no specific group was named, the FBI noted that Chinese cyber actors have exploited similar vulnerabilities in the past. Users are urged to replace old routers or disable remote access. This alert follows the release of OpenEoX, a proposed standard to better manage end-of-life disclosures for tech products.

Education giant Pearson confirms a cyberattack. 

UK-based education giant Pearson confirmed a cyberattack in which threat actors stole corporate and customer data, mostly described as “legacy data.” The breach reportedly stemmed from an exposed GitLab Personal Access Token in a public .git/config file, allowing attackers to access source code and embedded cloud credentials. Over months, they allegedly exfiltrated terabytes of data from AWS, Google Cloud, and services like Salesforce and Snowflake. Pearson says no employee data was stolen and is continuing its investigation while enhancing security.
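The check behind this story, as an added example (editor's illustration, not Pearson's code or any researcher's tooling): a web server that serves its deployment checkout will answer `GET /.git/config`, and a remote URL in that file often carries `user:token@`. The script below fetches and recognises such a file, parses git's INI-style config, and reports credentials in remote URLs plus fixed-prefix tokens (GitLab's `glpat-`, GitHub's `ghp_`, AWS `AKIA` key IDs) with the secret masked. The config text, host names and token values are constructed; the network helper is included for completeness but is not exercised offline.

```python
"""Find credentials in a .git/config that a web server should never have served."""
import re
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")
# Fixed-format secrets that tend to end up in remote URLs or helper settings.
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed sample: a checkout whose remotes embed a fake GitLab PAT and a deploy password.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLE0000000000000@gitlab.example.com/acme/platform.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://deploy:d3ployPassw0rd@git.example.net/acme/platform-mirror.git
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""


def parse_git_config(text):
    """Yield (section, key, value) triples from git's INI-style config text."""
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEYVAL.match(line)
        if m and section is not None:
            yield section, m.group(1), m.group(2)


def mask(secret):
    """Keep enough of a secret to recognise it in a report without reproducing it."""
    return secret[:6] + "..." + secret[-2:] if len(secret) > 10 else "***"


def find_embedded_credentials(text):
    """Return one finding per distinct secret in the config, with the secret masked."""
    findings, seen = [], set()
    for section, key, value in parse_git_config(text):
        secrets = {}
        if "://" in value:  # remote URL: look at the user:password@ userinfo
            parts = urlsplit(value)
            if parts.password:
                secrets[parts.password] = "url_userinfo"
            elif parts.username:
                secrets[parts.username] = "url_userinfo"  # bare token used as the user name
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(value):
                secrets[m.group(0)] = kind  # a recognised prefix beats the generic label
        for secret, kind in secrets.items():
            if secret not in seen:
                seen.add(secret)
                findings.append({"section": section, "key": key, "kind": kind,
                                 "secret_masked": mask(secret)})
    return findings


def looks_like_git_config(body):
    """True if an HTTP response body is a real git config rather than a soft-404 page."""
    keys = {(s, k) for s, k, _ in parse_git_config(body)}
    return ("core", "repositoryformatversion") in keys


def probe_git_config(base_url, timeout=5):
    """Fetch <base_url>/.git/config and scan it (network call; not run offline)."""
    req = Request(base_url.rstrip("/") + "/.git/config",
                  headers={"User-Agent": "git-config-exposure-check"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return find_embedded_credentials(body) if looks_like_git_config(body) else None


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"[{f['kind']}] {f['section']} / {f['key']}: {f['secret_masked']}")
```

The `looks_like_git_config` gate matters in practice: many sites answer every path with a 200 and an HTML page, so a bare status-code check produces false positives. Any token found this way should be treated as burned and revoked, not merely removed from the file.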

Researchers report exploitation of Windows Remote Management (WinRM) for stealthy lateral movement in Active Directory (AD) environments. 

Researchers at Practical Security Analytics report that threat actors are increasingly exploiting Windows Remote Management (WinRM) for stealthy lateral movement in Active Directory (AD) environments. WinRM, used for legitimate remote administration via PowerShell, becomes a powerful tool for attackers once they obtain valid credentials through phishing, brute-force, or credential dumping. Using WinRM commands like Invoke-Command, attackers scan for accessible systems on ports 5985/5986, authenticate remotely, and execute malicious payloads under normal-looking processes like wsmprovhost.exe. Advanced techniques, including PowerShell cradles and reflective .NET loaders, allow payloads to run entirely in memory, bypassing AMSI and logging. The researchers outline a typical attack chain: initial access, reconnaissance, credential abuse, payload deployment, and privilege escalation. They recommend restricting WinRM access, monitoring anomalies, and enhancing endpoint detection to catch misuse of this native Windows tool.

A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT. 

Fortinet researchers have uncovered a sophisticated email attack campaign using malicious PDF invoices to deliver a cross-platform Remote Access Trojan (RAT) called RATty. While primarily targeting Windows, the malware also affects Linux and macOS systems running Java. The attack starts with deceptive emails that pass SPF validation using the serviciodecorreo.es service, luring victims into clicking buttons in the PDF that launch a multi-stage infection. The process uses Dropbox and MediaFire to host files, Ngrok tunneling, and geofencing to evade detection. Victims in Italy receive a Java-based JAR file, while others see harmless documents, fooling email scanners. Once active, RATty enables attackers to execute commands, log keystrokes, and access webcams and files. This campaign highlights how attackers combine social engineering and advanced evasion to bypass security and maintain persistent access.

A zero-day vulnerability in SAP NetWeaver enables remote code execution. 

A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver has been exploited by threat actors to compromise hundreds of systems worldwide, enabling remote code execution (RCE). Onapsis and Mandiant began tracking attacks as early as January, with active exploitation confirmed before SAP issued patches on April 24. Attackers deployed webshells and executed commands to maintain access, targeting industries from energy to government. Onapsis warns that attackers possess deep SAP knowledge and urges immediate patching, compromise assessment, and updated detection measures.

An Indiana health system reports a data breach affecting nearly 263,000 individuals. 

Union Health System in Indiana has reported a data breach affecting nearly 263,000 individuals, linked to a January cyberattack on legacy Cerner servers during a migration to Oracle’s cloud. The compromised data includes sensitive patient information such as Social Security numbers, medical records, and insurance details. The breach, confirmed by Oracle Health/Cerner in March, did not impact Union Health’s live systems. Lawsuits allege negligence by both Union Health and Oracle, and claim a threat actor named “Andrew” is extorting affected hospitals. Oracle denies a breach of its Cloud Infrastructure but acknowledged unauthorized access to outdated servers. While Oracle will cover credit monitoring costs, it won’t notify individuals directly. Union Health is offering free credit protection and is facing mounting legal pressure over its handling of the incident.


Up next, I speak with Alex Cox of LastPass. We’ll be right back.

Welcome back.

AI empowers a murder victim to speak from beyond the grave. 

And finally, our “speaking from beyond the grave” desk tells us the story of an Arizona courtroom that just heard from a murder victim. But not in the usual way. Christopher Pelkey was shot and killed in a 2021 road rage incident. At the sentencing, an AI-generated version of him took the stand.

That’s right. His sister built an avatar using AI and voice cloning tools. It looked and sounded like Chris. And it spoke directly to the man who killed him.

The avatar forgave the shooter. It said they could’ve been friends.

The judge was moved. The defense even quoted the avatar. The family said their goal was to bring Chris back—to humanize him.

And it worked.

No one objected. It was all labeled as AI. Still, it raises big questions. Tech gave a voice to the dead. And that voice helped decide a sentence.

As powerful as this moment was, we should tread carefully before letting digital ghosts shape real-world justice.


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.