The CyberWire Daily Podcast 5.13.25
Ep 2307 | 5.13.25

Jamming in a ban on state AI regulation.

Transcript

House Republicans look to limit state regulation of AI. Spain investigates potential cybersecurity weak links in the April 28 power grid collapse. A major security flaw has been found in ASUS mainboards’ automatic update system. A new macOS info-stealing malware uses PyInstaller to evade detection. The U.S. charges 14 North Korean nationals in a remote IT job scheme. Europe’s cybersecurity agency launches the European Vulnerability Database. CISA pares back website security alerts. Moldovan authorities arrest a suspect in DoppelPaymer ransomware attacks. On today’s Threat Vector, host David Moulton speaks with Noelle Russell, CEO of the AI Leadership Institute, about how to scale responsible AI in the enterprise. Dave & Buster’s invites vanish into the void.

Today is Tuesday May 13th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

House Republicans look to limit state regulation of AI. 

House Republicans have added controversial language to the new Budget Reconciliation bill that could severely limit state regulation of artificial intelligence. The bill, introduced by Rep. Brett Guthrie, includes a clause barring states from enforcing any AI-related laws for ten years. This sweeping language could nullify existing laws in states like California and New York that require transparency and bias audits for AI tools in healthcare and hiring. Critics argue this is a major gift to the AI industry, which has close ties to Trump-era officials and has resisted oversight. If passed, the bill would block states from protecting citizens from unchecked AI use, marking a dramatic shift in tech policy.

Spain investigates potential cybersecurity weak links in the April 28 power grid collapse. 

Spain is investigating whether small renewable energy generators were a cybersecurity weak link in the April 28 power grid collapse that cut 60% of the country’s electricity, the Financial Times reports. The National Cybersecurity Institute (Incibe) is questioning solar and wind operators about their cyber defenses, remote access, and system anomalies. While no cyberattack has been confirmed, authorities haven’t ruled one out, and a judge is now probing that possibility. Spain’s shift from centralized fossil fuel plants to thousands of smaller renewable sites has increased potential cyberattack targets. Devices managing energy flow and communication links may offer entry points. Red Eléctrica, the grid operator, said no attack hit its systems but flagged risks tied to data gaps from small producers. Despite skepticism from energy experts about the likelihood of a coordinated cyberattack, officials stress that all scenarios remain under review. Spain is investing €1.1 billion to boost national cybersecurity across sectors.

A major security flaw has been found in ASUS mainboards’ automatic update system. 

A major security flaw has been found in ASUS mainboards’ automatic update system, affecting Armoury Crate and DriverHub tools on AMD and Intel platforms. Two vulnerabilities (CVE-2025-3463 and CVE-2025-3462) allow remote attackers to alter system behavior or access features via crafted HTTP requests. The root issue lies in software auto-installed from the UEFI BIOS using Windows Platform Binary Table. ASUS has released updates to fix these issues. Users should update immediately and scan BIOS files for threats using VirusTotal.

A new macOS info-stealing malware uses PyInstaller to evade detection. 

A new info-stealing malware targeting macOS systems has been uncovered, using PyInstaller to evade detection. First spotted in January 2025 and analyzed by Jamf Threat Labs, the malware is bundled in Mach-O binaries and remains undetected by most antivirus tools. PyInstaller allows the malware to run without a native Python installation—especially effective since macOS 12.3 removed built-in Python. The malware harvests user credentials via fake AppleScript dialogs, extracts data from the Keychain, and targets crypto wallets. It uses multiple obfuscation layers, including base85 encoding, XOR encryption, and zlib compression. The malware’s behavior is stealthy, leaving little trace on disk, and operates across Mac architectures. Researchers warn users to be wary of unsigned executables and unexpected password prompts. They recommend monitoring for PyInstaller activity and suspicious environment variables as this method grows more popular among attackers.
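The closing recommendation above, to monitor for PyInstaller activity and suspicious environment variables, can be turned into a small triage check. The following is an added example written for this transcript; it is not code from Jamf Threat Labs or from the malware analysis. It assumes two facts about PyInstaller that the episode does not state: that every PyInstaller bundle carries a cookie beginning with the magic bytes `MEI\014\013\012\013\016` (laid out as magic, package length, TOC offset, TOC length, Python version and embedded libpython name), and that PyInstaller's one-file bootloader sets the `_MEIPASS2` environment variable for its child process. The sample bytes are constructed stand-ins, not a real Mach-O.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cookie magic that PyInstaller's bootloader places in every bundle
# (an assumption drawn from PyInstaller's archive format, not from the page).
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout used by PyInstaller 2.1 and later (big-endian):
# magic, package length, TOC offset, TOC length, Python version, libpython name.
COOKIE_FORMAT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes

# Little-endian encoding of MH_MAGIC_64, the 64-bit Mach-O header magic.
MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"

# Environment variable the PyInstaller one-file bootloader hands to its child
# process (assumption based on PyInstaller's bootloader, not stated on the page).
PYINSTALLER_ENV_VARS = {"_MEIPASS2"}


@dataclass
class PyInstallerCookie:
    offset: int          # where the cookie was found in the image
    package_len: int     # length of the embedded archive
    toc_offset: int      # offset of the table of contents inside the archive
    toc_len: int         # length of the table of contents
    pyvers: int          # packed Python version (encoding varies by release)
    pylib_name: str      # name of the bundled libpython


def find_pyinstaller_cookie(data: bytes) -> Optional[PyInstallerCookie]:
    """Locate and parse a PyInstaller cookie anywhere in a binary image.

    The cookie is searched for from the end because PyInstaller appends the
    archive to the executable; placement differs between releases, so the
    whole image is scanned rather than only the last 88 bytes.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    return PyInstallerCookie(pos, pkg_len, toc_off, toc_len, pyvers,
                             pylib.rstrip(b"\0").decode("ascii", "replace"))


def is_macho64(data: bytes) -> bool:
    """True when the image starts with the 64-bit Mach-O magic."""
    return data[:4] == MACHO_MAGIC_64


def suspicious_env_vars(env: Dict[str, str]) -> List[str]:
    """Return environment variable names that indicate a PyInstaller runtime."""
    return sorted(k for k in env if k in PYINSTALLER_ENV_VARS)


def build_sample(bundle: bool) -> bytes:
    """Constructed stand-in for a Mach-O file (not a real executable)."""
    body = MACHO_MAGIC_64 + b"\0" * 64
    if bundle:
        cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                             4096, 1024, 256, 312, b"Python")
        body += b"\0" * 16 + cookie
    return body


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)),
                        ("bundled", build_sample(True))):
        cookie = find_pyinstaller_cookie(blob)
        print(label, "macho64" if is_macho64(blob) else "other",
              "no PyInstaller cookie" if cookie is None else cookie)
    print(suspicious_env_vars({"PATH": "/usr/bin", "_MEIPASS2": "/tmp/_MEIabc"}))
```

A hit on the cookie only says that the binary was built with PyInstaller, which is also how plenty of legitimate software ships; the point of the check is to surface such binaries for a closer look, especially when they are unsigned or arrive alongside an unexpected password prompt.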

Meanwhile, Apple has issued a critical security update for macOS Sequoia (version 15.5) to patch eight major vulnerabilities that could allow malicious apps to access sensitive user data. The flaws affect key components like Apple Intelligence Reports, Core Bluetooth, Finder, and the TCC privacy framework. Notable issues include permission bypasses and improper state management that could expose personal data. Though no active exploitation has been reported, security experts warn these flaws underscore growing challenges in maintaining privacy across complex operating systems.

The U.S. charges 14 North Korean nationals in a remote IT job scheme. 

The U.S. has charged 14 North Korean nationals in a scheme that used stolen identities to secure remote IT jobs at U.S. companies, sending at least $88 million to the DPRK over six years. Flashpoint’s investigation, based on a DOJ indictment, revealed that the group used fake companies, malware, and remote access tools to infiltrate corporate networks. Domains linked to fake firms like Baby Box Info and Cubix Tech US were used to build fake resumes and references. Infected devices in places like Pakistan, Nigeria, and Dubai were found with saved credentials, job board activity, and evidence of coordination with North Korean handlers. Signs included Korean language settings, VPNs masking DPRK connections, and tactics to avoid detection, like faking voice calls and smuggling laptops. The findings point to a global operation aimed at stealing money, data, and access, reinforcing the need for stronger cybersecurity and hiring verification across industries.

Europe’s cybersecurity agency launches the European Vulnerability Database. 

Europe’s cybersecurity agency, ENISA, has officially launched the European Vulnerability Database (EUVD), a centralized platform for tracking cybersecurity flaws. Developed under the NIS2 directive, the EUVD mirrors the U.S. National Vulnerability Database and aims to enhance risk management and transparency across the EU. It gathers data from sources like CSIRTs, vendors, and databases such as MITRE’s CVE and CISA’s KEV Catalog. Users can access three dashboards highlighting critical, exploited, and EU-coordinated vulnerabilities. Each entry includes details like affected products, severity, and mitigation steps. Concerns over the future of the U.S.-based CVE program have increased interest in the EUVD as a stable, independent resource. ENISA says the tool is vital for public users, companies, and authorities to better manage threats and respond effectively to known vulnerabilities.

CISA pares back website security alerts. 

CISA announced a major change in how it shares cybersecurity updates: only urgent alerts about emerging threats or major cyber activity will now appear on its website. Routine guidance, vulnerability notices, and product warnings will be distributed via email, RSS, and X (formerly Twitter). This shift, possibly tied to budget cuts and staff reductions under a Trump-aligned cost-cutting initiative, has raised concerns among experts. Critics, including former CISA director Jen Easterly, warn that reducing visibility for routine security updates undermines national cybersecurity. The policy reflects a broader trend of federal agencies moving communications to X, despite its limitations. Agencies like the NTSB and Social Security Administration have also begun phasing out traditional press releases and email updates. Observers worry this change favors Elon Musk’s platform and limits accessibility to critical public information. CISA urges users to subscribe to its email notifications to stay informed.

Moldovan authorities arrest a suspect in DoppelPaymer ransomware attacks. 

Moldovan authorities have arrested a 45-year-old foreign national suspected of involvement in DoppelPaymer ransomware attacks, including a 2021 attack on the Dutch Research Council (NWO) that caused €4.5 million in damages. The suspect, whose identity remains undisclosed, is accused of ransomware deployment, extortion, and money laundering. Seized items included laptops, phones, and €84,800 in cash. The arrest follows international efforts to dismantle DoppelPaymer, a ransomware strain linked to the TA505 group, which has targeted critical infrastructure and multiple sectors since 2019.


Threat Vector segment. 

Coming up, we've got David Moulton from Palo Alto Networks sharing a segment of his discussion about how to scale responsible AI in the enterprise with Noelle Russell, CEO of the AI Leadership Institute. We’ll be right back.

Welcome back. You can find a link in our show notes for David and Noelle's full conversation. Be sure to find Threat Vector in your favorite podcast app and catch new episodes each Thursday. 

Dave & Buster’s invites vanish into the void. 

A recent episode of the Search Engine podcast tackled an absurd but very real iOS bug: say the phrase “Dave and Buster’s” in an audio message, and poof—the message vanishes into the void. It never reaches the recipient, leaving only a ghostly “dot dot dot” typing animation behind. Why? It’s all thanks to iOS’s hyper-vigilant BlastDoor service. Turns out, the transcription engine hears “Dave and Buster’s,” transcribes it with an ampersand (“&”), and forgets to properly escape it in XHTML. The poor parser sees the rogue ampersand, panics, and nopes out, crashing the message. Basically, Apple’s message security is so strict it breaks over the mention of a popular sports bar. The bug isn’t dangerous—it’s actually a sign that BlastDoor is doing its job. But still, maybe don’t invite anyone to Dave & Buster’s via voice message… unless you want your plans to mysteriously disappear.
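The failure described above, an unescaped ampersand inside an XHTML fragment that a strict parser then refuses, is easy to reproduce with Python's standard library. This is an added example for this transcript, not Apple's code; the `<p>` wrapper is a constructed stand-in for whatever markup the transcription actually produces, and `render_unsafe` simply mimics the missing escaping step.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def render_unsafe(transcript: str) -> str:
    """Place transcribed text into XHTML without escaping (the bug's shape)."""
    return f"<p>{transcript}</p>"


def render_safe(transcript: str) -> str:
    """Escape &, < and > before placing text inside XHTML."""
    return f"<p>{escape(transcript)}</p>"


def parse_fragment(fragment: str):
    """Return the text a strict XML parser recovers, or None if it rejects
    the fragment (the equivalent of the message never being delivered)."""
    try:
        return ET.fromstring(fragment).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    spoken = "Dave & Buster's"  # constructed transcription output
    for label, fragment in (("unsafe", render_unsafe(spoken)),
                            ("safe", render_safe(spoken))):
        print(label, repr(fragment), "->", repr(parse_fragment(fragment)))
```

The unsafe fragment fails with an "invalid token" error because `&` begins an entity reference in XML; the escaped fragment parses and hands back the original text unchanged, which is why the fix belongs at the point where text is serialized into markup rather than in the parser.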

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.