The CyberWire Daily Podcast 5.15.25
Ep 2309 | 5.15.25

Bypassing BitLocker encryption.

Transcript

Google issues an emergency patch for a high-severity Chrome browser flaw. Researchers bypass BitLocker encryption in minutes. A massive Chinese-language black market has shut down. The CFPB cancels plans to curb the sale of personal information by data brokers. A cyberespionage campaign called Operation RoundPress targets vulnerable webmail servers. Google warns that Scattered Spider is now targeting U.S. retail companies. The largest steelmaker in the U.S. shut down operations following a cybersecurity incident. Our guest is Devin Ertel, Chief Information Security Officer at Menlo Security, discussing redefining enterprise security. The long and the short of layoffs.

Today is Thursday May 15th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google issues an emergency patch for a high-severity Chrome browser flaw. 

Google has issued an emergency patch for a high-severity Chrome browser flaw (CVE-2025-4664) that could allow full account takeovers. Discovered by Solidlab researcher Vsevolod Kokorin, the bug stems from weak policy enforcement in Chrome’s Loader component, letting attackers leak sensitive cross-origin data via malicious HTML. This can expose OAuth tokens through manipulated referrer policies—especially dangerous in authentication flows. Google confirmed a public exploit exists, implying possible active use. The fix is rolling out in Chrome version 136.0.7103.113/114 across platforms. Users should update manually or let Chrome auto-update on restart. This follows a March patch for another critical Chrome zero-day (CVE-2025-2783) used in espionage attacks targeting Russian entities, which exploited Chrome sandbox bypasses to deliver malware.

Researchers bypass BitLocker encryption in minutes. 

A newly revealed flaw in Microsoft BitLocker (CVE-2023-21563) allows attackers to bypass encryption in under five minutes using a software-only method called “Bitpixie.” The exploit targets systems without pre-boot authentication and has a public proof-of-concept available. Unlike hardware-based hacks, Bitpixie extracts BitLocker’s Volume Master Key (VMK) entirely through software by exploiting a flaw in the Windows bootloader during PXE soft reboots. Two attack versions—Linux and Windows PE—allow access using signed components, with no need for physical tampering or a full disk image. The attack is stealthy and effective on unattended or stolen devices. Experts strongly advise enabling pre-boot authentication (PIN, USB key, etc.) to block access to the VMK and prevent such breaches.
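The mitigation the segment ends on (pre-boot authentication) is something a defender can audit across a fleet. The following PowerShell is an added example, not part of the CyberWire transcript or any code from the researchers mentioned; it assumes a Windows host with the built-in BitLocker module (Get-BitLockerVolume) available and an elevated prompt, and it flags any protected operating-system volume whose key protectors are TPM-only, i.e. unlocked with no PIN, startup key or password before the OS boots.

```powershell
# Added example (not from the transcript): audit BitLocker volumes for
# pre-boot authentication. Assumes the built-in BitLocker PowerShell module
# (Get-BitLockerVolume) is present and the session is elevated.

function Test-BitLockerPreBootAuth {
    [CmdletBinding()]
    param(
        # Volumes to inspect; defaults to every BitLocker-capable volume on the host.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    process {
        foreach ($v in $Volume) {
            # Collect the protector types attached to this volume.
            $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

            # Protector types that require something beyond the TPM at boot time.
            # A bare 'Tpm' protector (or only a RecoveryPassword) means the VMK is
            # released with no user interaction, which is the configuration the
            # segment says to move away from.
            $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')
            $hasPreBoot   = [bool]($types | Where-Object { $_ -in $preBootTypes })

            if ($v.ProtectionStatus -ne 'On') {
                $finding = 'Protection off'
            } elseif ($v.VolumeType -eq 'OperatingSystem' -and -not $hasPreBoot) {
                $finding = 'OS volume relies on TPM-only unlock; add a TPM+PIN or startup key protector'
            } else {
                $finding = 'OK'
            }

            [pscustomobject]@{
                MountPoint       = $v.MountPoint
                VolumeType       = $v.VolumeType
                ProtectionStatus = $v.ProtectionStatus
                Protectors       = ($types -join ', ')
                PreBootAuth      = $hasPreBoot
                Finding          = $finding
            }
        }
    }
}

# Usage: run on a host, or collect the objects centrally for fleet-wide reporting.
Test-BitLockerPreBootAuth | Format-Table -AutoSize
```

The check is deliberately conservative: a data volume is not flagged, because data volumes are normally auto-unlocked by the OS volume and the relevant control is the OS volume's own protector set. Remediation is a policy change (for example, enabling the "Require additional authentication at startup" policy and adding a TpmPin protector) rather than anything this script does on its own.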

A massive Chinese-language black market has shut down. 

A massive Chinese-language black market for crypto scams and money laundering, known as Haowang Guarantee (formerly Huione Guarantee), has shut down after Telegram banned thousands of related accounts. This underground marketplace operated openly on Telegram, facilitating over $27 billion in illicit transactions, mainly using Tether. Vendors offered services like money laundering, victim data, and even tools used in forced labor at scam compounds across Southeast Asia. The takedown followed an investigation by crypto-tracing firm Elliptic and media inquiries by WIRED. Another market, Xinbi Guarantee, was also banned but may attempt to relaunch. Telegram’s crackdown is seen as a major victory against online fraud, though experts warn these groups may shift to other platforms. The operation’s ties to powerful Cambodian elites underscore the challenge of dismantling such networks.

Elsewhere, German police have seized the crypto platform eXch and over $30 million in digital assets linked to money laundering in the $1.46 billion Bybit hack. Authorities acted swiftly after eXch announced plans to shut down amid pressure from law enforcement. The platform had rejected Bybit’s request to freeze stolen funds, later traced by Elliptic to North Korea’s Lazarus Group. Launched in 2014, eXch processed around $1.9 billion in crypto and operated on both the clearnet and darknet.

The CFPB cancels plans to curb the sale of personal information by data brokers. 

The Consumer Financial Protection Bureau (CFPB) has withdrawn a proposed rule aimed at curbing data brokers from selling sensitive personal information without consent. Initially introduced to combat commercial surveillance and protect national security, the rule would have required brokers to obtain consent before sharing data like Social Security numbers and financial histories. Acting CFPB Director Russell Vought said the move aligns with revised policies and interpretations of the Fair Credit Reporting Act. Critics, including privacy advocates and veterans’ groups, argue the rollback protects corporate interests at the expense of public safety and national security. They warn that data brokers continue to endanger Americans—particularly military personnel—by enabling scams, surveillance, and blackmail. The rule’s cancellation follows a broader downsizing of the CFPB under Trump’s administration and pressure from fintech industry lobbyists.

Across the pond, a Belgian Court of Appeal has ruled the “Transparency & Consent Framework” (TCF)—used by Google, Amazon, Microsoft, and others to justify online tracking—as illegal under the GDPR. The court upheld a 2022 decision by the Belgian Data Protection Authority, confirming multiple violations, including failures to secure data, properly obtain consent, and ensure transparency. TCF underpins the tracking-heavy Real-Time Bidding (RTB) advertising system active on 80% of the web. Critics, led by Dr. Johnny Ryan of the Irish Council for Civil Liberties, say tech firms used deceptive consent popups to mask widespread data misuse. The ruling applies across Europe and pressures the ad industry to move away from surveillance-based models. The court also found IAB Europe, which created the TCF, violated GDPR, although not for actions within the RTB protocol itself.

A cyberespionage campaign called Operation RoundPress targets vulnerable webmail servers. 

A cyberespionage campaign called Operation RoundPress, likely run by the Sednit group (aka APT28/Fancy Bear), is targeting vulnerable webmail servers—Roundcube, Horde, MDaemon, and Zimbra—to steal sensitive email data. Research from We Live Security reveals attackers use spearphishing emails to exploit XSS flaws, including a zero-day in MDaemon (CVE-2024-11182). The payloads, dubbed SpyPress, steal credentials, emails, and contact lists, and can bypass two-factor authentication. Some even set up malicious mail forwarding rules for persistent access. Targets are primarily defense and government entities in Ukraine, Eastern Europe, and globally. SpyPress variants are obfuscated and communicate with hardcoded C&C servers. The campaign underscores the continued targeting of outdated or unpatched webmail systems in cyberespionage, particularly during times of geopolitical tension like the war in Ukraine. Security experts urge regular patching and phishing awareness to mitigate such risks.

Google warns that Scattered Spider is now targeting U.S. retail companies. 

Google warns that hackers tied to the Scattered Spider group, known for crippling UK retailers like M&S, are now targeting U.S. retail companies. These attackers are skilled at bypassing strong cybersecurity defenses and tend to focus on one industry at a time. Scattered Spider has also been linked to past breaches of MGM Resorts and Caesars Entertainment. U.S. retail security groups are actively monitoring the threat, with Google helping coordinate briefings to prepare major companies like Costco, McDonald’s, and Lowe’s.

The largest steelmaker in the U.S. shut down operations following a cybersecurity incident. 

Nucor, the largest U.S. steelmaker, temporarily shut down some operations following a cybersecurity incident involving unauthorized access to its IT systems. The company activated its incident response plan, took affected systems offline, and is working to restore operations. While Nucor didn’t specify which facilities were impacted, it emphasized the shutdown was precautionary. With 300 sites and 25,000 employees, Nucor is a major global player.

Up next on our Industry Voices segment and direct from RSAC 2025, our guest is Devin Ertel, Chief Information Security Officer at Menlo Security, discussing redefining enterprise security. We’ll be right back.

Welcome back.

The long and the short of layoffs. 

Layoffs are hitting the cybersecurity sector hard this summer, with major players like Microsoft and CrowdStrike slimming down despite healthy profits. Microsoft recently let go of 6,000 employees—many in tech roles—as it shifts more investment into AI. CrowdStrike trimmed 500 positions while announcing record earnings. The message seems clear: automation is in, and human jobs are, well, negotiable.

But behind the financials are real people—skilled professionals who’ve spent years building defenses now finding themselves out of work. And the ripple effects aren’t just personal. Experts warn that sudden layoffs, especially in cyber teams, can carry serious security risks. Departing employees may (intentionally or not) walk out with sensitive data, and stretched-thin security teams may miss emerging threats.

As SANS Institute’s Rob T. Lee puts it, “You’re not just losing people—you’re losing the people who know how to stop attacks.” Companies might see cost savings now, but the long-term bill could come in the form of a breach headline.

And nobody wants that.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.