The CyberWire Daily Podcast 5.16.25
Ep 2310 | 5.16.25

Preparing for the cyber battlespace.

Transcript

NATO hosts the world’s largest cyber defense exercise. The DOJ charges a dozen people in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. Japan has enacted a new Active Cyberdefense Law. Lawmakers push to reauthorize the Cybersecurity Information Sharing Act. Two critical Ivanti Endpoint Manager Mobile vulnerabilities are under active exploitation. Hackers use a new fileless technique to deploy Remcos RAT. The NSA’s Director of Cybersecurity hangs up their hat. Our guest is Chris Cleary, VP of ManTech's Global Cyber Practice, discussing the cyber battlespace of the future. Coinbase flips the script on an extortion attempt.

Today is Friday May 16th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

NATO hosts the world’s largest cyber defense exercise. 

Earlier this week, the NATO Cooperative Cyber Defence Centre of Excellence hosted Locked Shields 2025, the world’s largest cyber defense exercise, in Tallinn, Estonia. Around 4,000 experts from 41 countries participated remotely, simulating the defense of over 8,000 systems against thousands of cyberattacks. The event, which began in 2010 with just four nations, now features advanced challenges, including AI-driven narratives and quantum computing scenarios. Teams also tackled legal, strategic, and disinformation challenges. While Germany-Singapore, Poland-France, and Italy-Slovenia-U.S. teams scored highest, organizers stressed scores don’t reflect overall national readiness. The exercise, planned by 450 experts and 25 industry partners, highlights growing global focus on cyber resilience. Looking ahead, 2026 will expand cloud infrastructure and introduce Critical Special Systems to further bolster national defense capabilities.

The DOJ charges a dozen people in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. 

Twelve people have been charged by the DOJ in a racketeering conspiracy involving the theft of over $230 million in cryptocurrency. They allegedly used spoofed phone calls and social engineering to breach victim accounts, reset 2FA, and access private keys. A major theft involved 4,100 Bitcoin stolen from a D.C. victim in August 2024. The group used crypto mixers, exchanges, VPNs, and “peel chains” to launder funds into currencies like Monero. The money funded extravagant lifestyles—private jets, exotic cars, $500K nightclub tabs, and luxury goods. Two suspects, Malone Lam and Jeandiel Serrano, were arrested earlier. The scheme involved roles ranging from hackers to money launderers. Despite laundering efforts, investigators linked the stolen funds back to the group with help from crypto sleuth ZachXBT and the FBI.

Japan has enacted a new Active Cyberdefense Law. 

Japan has enacted a new Active Cyberdefense Law, allowing preemptive cyber operations to disrupt threats before they cause harm. This marks a shift from Japan’s traditionally defensive stance and aligns its cyber policy more closely with Western powers. The law authorizes law enforcement to neutralize hostile servers and grants the Self-Defence Forces authority over complex attacks. It also permits monitoring of foreign internet traffic entering or transiting Japan, with oversight measures in place. The move follows a surge in state-sponsored and financially driven cyberattacks.

Lawmakers push to reauthorize the Cybersecurity Information Sharing Act. 

Lawmakers from both parties are pushing to reauthorize the Cybersecurity Information Sharing Act (CISA 2015) before it expires on September 30. The law is seen as vital for enabling threat intelligence sharing between the government and private sector, bolstered by liability and privacy protections. Despite strong support from DHS Secretary Kristi Noem, reauthorization faces a tight deadline and unclear leadership support. Privacy concerns remain the biggest hurdle, though a recent DHS report found no violations under the law. Lawmakers are calling for a “clean reauthorization,” with possible updates later. Subcommittee members also pushed to expand security clearance access to more technical professionals, arguing that current restrictions limit response effectiveness. The law has enabled the sharing of critical cyber threat data and is considered key to national cyber defense.

Meanwhile, seventeen Republican lawmakers, led by Sen. Tom Cotton, urged the Trump administration to ban U.S. sales of TP-Link routers, citing national security concerns. They allege the Chinese company has ties to the CCP, uses predatory pricing, and poses a surveillance risk. TP-Link denies these claims, calling them baseless and politically motivated. Lawmakers referenced Executive Order 13873 to justify the ban, signed by President Donald Trump in May 2019. It grants the U.S. Secretary of Commerce the authority to block transactions involving information and communications technology or services (ICTS) linked to foreign adversaries if they pose an “unacceptable risk” to national security. TP-Link, which has a U.S. office in California, insists it isn’t state-sponsored and has not been contacted by U.S. regulators.

Two critical Ivanti Endpoint Manager Mobile vulnerabilities are under active exploitation. 

Two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2025-4427 and CVE-2025-4428 — are actively being exploited, putting organizations at risk of unauthenticated remote code execution. The flaws affect all on-premises versions up to 12.5.0.0 and stem from open-source library issues, not Ivanti’s core code. When chained, they let attackers bypass authentication and inject malicious Java code via improperly validated API input. The vulnerabilities allow attackers to install malware, access data, or disable device management. Ivanti and global cybersecurity agencies urge immediate patching to fixed versions. If updating isn’t possible, temporary mitigations and close monitoring are essential. Unpatched systems are at high risk as proof-of-concept code circulates publicly.

Hackers use a new fileless technique to deploy Remcos RAT. 

Hackers are using a new fileless technique to deploy Remcos RAT malware through a PowerShell-based loader, bypassing Windows Defender. The attack begins with a malicious ZIP file containing a spoofed LNK shortcut. When opened, it triggers an obfuscated script that alters registry settings for persistence and injects multiple payloads, including Remcos V6.0.0 Pro. This updated version adds idle-time tracking and infected host management. Researchers stress monitoring for LNK files, PowerShell misuse, and registry changes to detect and prevent such threats.
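The detection advice above (watch LNK files, PowerShell misuse and registry changes together) can be expressed as a simple correlation rule. The following Python is an added example, not code from the podcast or the researchers it cites; the Sysmon-style event fields, file paths and the encoded-command blob are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry: a ZIP-delivered LNK spawning obfuscated PowerShell from
# explorer.exe and writing a Run key on ws01; benign admin PowerShell and an
# installer's Run key write on ws02 (assumed field names, not a real schema).
EVENTS = [
    {"ts": "2025-05-16T09:00:01", "type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"ts": "2025-05-16T09:00:03", "type": "file", "host": "ws01",
     "path": r"C:\Users\u\AppData\Local\Temp\Temp1_invoice.zip\invoice.pdf.lnk"},
    {"ts": "2025-05-16T09:00:09", "type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2025-05-16T10:15:00", "type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2025-05-16T10:16:00", "type": "registry", "host": "ws02",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

PS_FLAGS = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass)\b", re.I)
ZIP_TEMP_LNK = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip\\.*\.lnk$", re.I)  # Explorer's zip-preview path
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
WINDOW = timedelta(minutes=2)

def indicator(ev):
    """Map one event to the stage of the chain it evidences, or None."""
    if ev["type"] == "file" and ZIP_TEMP_LNK.search(ev["path"]):
        return "lnk_opened_from_zip"
    if (ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe")
            and ev["parent_image"].lower().endswith("explorer.exe")
            and len(PS_FLAGS.findall(ev["cmdline"])) >= 2):  # two or more evasion flags
        return "obfuscated_powershell_from_explorer"
    if ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        return "run_key_persistence"
    return None

def correlate(events, min_stages=2):
    """Alert per host when >= min_stages distinct stages fall inside one WINDOW."""
    hits = {}
    for ev in events:
        stage = indicator(ev)
        if stage:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for end_ts, _ in seq:  # slide the window back from each hit
            stages = {s for t, s in seq if timedelta(0) <= end_ts - t <= WINDOW}
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, ())):
                alerts[host] = sorted(stages)
    return alerts
```

A single indicator (an installer writing a Run key, an admin running a script) does not fire on its own; the alert requires the stages of the chain to co-occur on one host.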

The NSA’s Director of Cybersecurity hangs up their hat. 

Dave Luber, the National Security Agency’s Director of Cybersecurity, will retire on May 30 after 38 years of distinguished service. Luber’s career, which began as a high school work-study participant, reflects deep commitment and steady leadership across decades of change. Rising through roles including Executive Director of U.S. Cyber Command and Director of NSA Colorado, Luber brought a calm, collaborative approach to cybersecurity at a time of global digital unrest. Colleagues praise his efforts to improve intelligence-sharing and strengthen public-private partnerships amid escalating threats like China’s Volt Typhoon campaign. Former NSA Deputy Director George Barnes called him “competent, caring, communicative, and an all-around great leader,” adding that Luber’s presence will be sorely missed. His legacy, rooted in service and strategy, will continue shaping national cybersecurity for years to come.

Next up, we've got our Industry Voices segment. Joining us is Christopher Cleary, VP of ManTech's Global Cyber Practice, talking about the battlespace of the future. We’ll be right back.

Welcome back. You can find a link to the full-length conversation between Chris and me in our show notes.

Coinbase flips the script on an extortion attempt. 

Coinbase is offering a $20 million bounty — but not for lost treasure. The crypto giant is hunting the modern-day pirate who tried to extort the company using stolen customer data. The would-be blackmailer emailed Coinbase demanding $20 million or else they’d leak user info. Coinbase’s response? A firm “No,” followed by a blog post worthy of a cyber-thriller.

According to Coinbase, the breach stemmed from a small group of overseas customer support agents — reportedly in India — who were persuaded by cash offers to leak data affecting fewer than 100,000 users. The company fired the insiders and is now prepping for remediation costs between $180 million and $400 million — because apparently, loose lips really do sink crypto ships.

While no funds or login credentials were stolen, customer info like emails, masked SSNs, and transaction histories were. Coinbase urges users to beware of imposters and phishing scams, promising reimbursement to any victims duped by the fallout.

Moral of the story? If you plan to extort a crypto giant, don’t forget that karma is also decentralized.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.