The CyberWire Daily Podcast 5.20.25
Ep 2312 | 5.20.25

The Take It Down Act walks a fine line.

Transcript

President Trump signs the Take It Down Act into law. A UK grocer logistics firm gets hit by ransomware. Researchers discover trojanized versions of the KeePass password manager. Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws. A new campaign uses SEO poisoning to deliver Bumblebee malware. A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials. CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. A bipartisan bill aims to strengthen the shrinking federal cybersecurity workforce. Our guest is Chris Novak, Vice President of Global Cybersecurity Solutions at Verizon, sharing insights on their 2025 DBIR. DOGE downsizes, and the UAE recruits.

Today is Tuesday, May 20th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

President Trump signs the Take It Down Act into law. 

President Trump has signed the Take It Down Act into law, criminalizing the distribution of nonconsensual intimate images (NCII), including AI-generated deepfakes. The law mandates that social media platforms remove such content within 48 hours of notification and gives the FTC enforcement power. Violators face up to three years in prison and fines. While tech companies and some advocacy groups supported the law, others, like the Cyber Civil Rights Initiative and the Electronic Frontier Foundation, warn it could harm victims and chill free expression. Critics fear the takedown process is vague and could be abused, especially under a politically charged FTC. Trump even hinted at using the law to protect himself from online criticism, adding to concerns about selective enforcement and legal overreach.

A UK grocer logistics firm gets hit by ransomware. 

Peter Green Chilled, a UK logistics firm supplying major grocers like Tesco and Aldi, was hit by a ransomware attack last week, halting order processing but not affecting transport. The firm is working around the disruption and updating clients regularly. This attack adds to a growing pattern targeting the UK’s food sector—recent victims include Marks & Spencer, Co-op, and Harrods, all of which faced system outages from ransomware. Cybersecurity experts warn that the cold chain’s tight delivery schedules and complexity make it a prime target. These attacks risk not just operations but also food waste and financial fraud through compromised communications. The Cold Chain Federation notes a surge in unreported incidents, while security firms say threat activity is only accelerating, putting the entire food supply chain at ongoing risk.

Researchers discover trojanized versions of the KeePass password manager. 

Threat actors have been using trojanized versions of the KeePass password manager to infiltrate networks and launch ransomware attacks. The campaign, active for at least eight months, was uncovered by WithSecure during a ransomware investigation. Attackers altered KeePass’s open-source code to create “KeeLoader,” a version that functions normally but secretly installs a Cobalt Strike beacon and exports users’ password databases in cleartext. Distribution occurred through malicious Bing ads and fake software sites, with domains mimicking KeePass’s name. The beacons used carry watermarks tied to a known initial access broker linked to Black Basta ransomware operations. Some variants of KeeLoader were even signed with legitimate certificates. One such domain, keeppaswrd[.]com, remains active, still pushing the trojanized installer, raising concerns about continued exposure.

Researchers from CISA and NIST promote a new metric to better predict actively exploited software flaws. 

Researchers from CISA and NIST have introduced a new metric called Likely Exploited Vulnerabilities (LEV) to better predict which software flaws are being actively exploited. Developed by Peter Mell (NIST) and Jonathan Spring (CISA), LEV uses equations that combine data from the Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV) lists, and key dates tied to each vulnerability. The goal is to improve patch prioritization by estimating the probability that a flaw has been exploited. Unlike KEV or EPSS alone—which can be incomplete or inaccurate—LEV helps fill gaps by identifying high-risk vulnerabilities that might be overlooked. It can also gauge how comprehensive KEV lists really are. NIST is now seeking industry partners to test and refine LEV with real-world data.

A new campaign uses SEO poisoning to deliver Bumblebee malware. 

A new malware campaign using SEO poisoning on Microsoft Bing is delivering Bumblebee malware by luring users searching for technical software. Discovered in May 2025 by Cyjax researchers, the campaign targets IT professionals and developers by spoofing download sites for tools like WinMTR and Milestone XProtect. Threat actors registered typosquatted domains like “winmtr.org” and “milestonesys.org,” hosting them on the same server in Nairobi. When users download from these sites, a malicious installer delivers both the legitimate app and the Bumblebee malware, using stealthy techniques to evade detection. Bumblebee, linked to ransomware groups like Conti, connects to multiple command-and-control servers via the “.life” domain. This shift from targeting common software to niche technical tools signals a strategic focus on high-value targets with elevated system access.

A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials. 

A sophisticated phishing campaign is impersonating Zoom meeting invites to steal user credentials, exploiting workplace urgency and trust. Victims receive emails mimicking real Zoom notifications, complete with company branding and a fake video of “participants,” prompting users to enter login details on a spoofed meeting page. These fake sites use subtly altered domain names to appear legitimate. Researchers note the use of personalized URLs suggests attackers may be leveraging leaked data to tailor emails, increasing believability. Stolen credentials are likely exfiltrated via compromised APIs or messaging services, potentially granting access to broader corporate systems. Experts warn this targeted approach is more dangerous than generic phishing and recommend verifying unexpected invites, enabling multi-factor authentication, and using email security tools and user awareness training to defend against such threats.
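The KeePass, Bumblebee and Zoom stories all turn on domains that look like a legitimate one (a typosquat such as keeppaswrd[.]com, a TLD swap such as milestonesys.org, or a "subtly altered" meeting-page host). Below is an added defender-side example, not code from the transcript or from any of the vendors it mentions, that triages domains observed in mail links or DNS logs against a short allowlist. The allowlist, the sample observations, the confusable map and the edit-distance thresholds are all constructed assumptions for this example, and the registrable label is taken naively as the second-to-last dot-separated part (production code would consult the Public Suffix List).

```python
"""Lookalike-domain triage against a constructed allowlist (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of legitimate domains; a real deployment would
# load the organisation's own vendor/brand list.
ALLOWED = {"zoom.us", "keepass.info", "milestonesys.com"}

# Character sequences that render like another character in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(label: str) -> str:
    """Fold visually confusable sequences so 'zoorn' compares as 'zoom'."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def clean_domain(domain: str) -> str:
    """Lower-case, undo defanging like 'example[.]com', drop a trailing dot."""
    return domain.lower().strip().replace("[.]", ".").rstrip(".")


def split_domain(domain: str) -> Tuple[str, str]:
    """Naive (label, tld) split; assumption: no Public Suffix List handling."""
    parts = clean_domain(domain).split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(domain: str) -> Optional[str]:
    """Return a 'reason:allowed-domain' string for a lookalike, else None."""
    clean = clean_domain(domain)
    if clean in ALLOWED:
        return None
    label, _tld = split_domain(clean)
    for good in sorted(ALLOWED):  # sorted for deterministic output
        good_label, _ = split_domain(good)
        if label == good_label:
            return f"tld-swap:{good}"  # same brand label, different TLD
        budget = 1 if len(good_label) < 8 else 2  # illustrative thresholds
        if osa_distance(normalize(label), normalize(good_label)) <= budget:
            return f"confusable:{good}"  # one or two edits after confusable folding
        if len(good_label) >= 4 and good_label in label:
            return f"brand-embedded:{good}"  # e.g. brand-download.example
    return None


def triage(domains: List[str]) -> Dict[str, str]:
    """Map each flagged observed domain to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for d in domains:
        reason = classify(d)
        if reason:
            flagged[d] = reason
    return flagged


# Constructed observations: two legitimate hosts, three lookalikes, and the
# keeppaswrd[.]com domain named in the story.
OBSERVED = [
    "zoom.us", "zoorn.us", "milestonesys[.]org",
    "keepass-download.example", "tesco.com", "keeppaswrd[.]com",
]

if __name__ == "__main__":
    for domain, reason in triage(OBSERVED).items():
        print(f"{domain:30} {reason}")
```

Note what the rules do not catch: keeppaswrd[.]com is four edits from "keepass" and does not embed the whole brand string, so it passes this check. Fuzzy matching buys some coverage against TLD swaps and homoglyph-style substitutions, but it is no substitute for installing software only from pinned, known-good sources and for the verification and MFA advice the story gives.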

CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA has added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These include flaws in Ivanti EPMM (CVE-2025-4427, CVE-2025-4428), MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration Suite, and ZKTeco BioTime. Federal agencies must remediate these issues by the set deadlines. CISA urges all organizations to prioritize patching KEV-listed vulnerabilities to reduce exposure to cyber threats.
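The LEV story above describes a metric that combines a vulnerability's EPSS history with key dates to estimate the probability it has already been exploited, then uses that estimate to find high-risk flaws missing from KEV and to size how complete a KEV list is; the KEV story gives the list itself. The following is an added example, not code from the transcript or from the NIST/CISA paper, showing one way to carry out that calculation over constructed data. It assumes, as labelled in the code, that an EPSS score is the probability of exploitation within the next 30 days, that consecutive samples describe independent windows (a trailing partial window weighted by days/30), and that LEV is one minus the product of the per-window survival probabilities; the published equations may differ in detail, and every CVE id and score here is a constructed placeholder.

```python
"""LEV-style scoring and KEV comparison over constructed EPSS data (added example)."""
from datetime import date
from typing import Dict, List, Set, Tuple

WINDOW_DAYS = 30  # assumption: EPSS is a 30-day exploitation probability


def lev(epss_history: List[Tuple[date, float]], as_of: date) -> float:
    """Probability that the vulnerability was exploited at some point up to as_of.

    Each EPSS sample p_i taken on day d_i is read as the exploitation
    probability for the window from d_i to the next sample, capped at 30
    days and scaled by days/30 when shorter. Windows are assumed independent:
        LEV = 1 - prod_i (1 - p_i * days_i / 30)
    """
    samples = sorted((d, p) for d, p in epss_history if d <= as_of)
    survive = 1.0  # probability that no window saw exploitation
    for i, (d_i, p_i) in enumerate(samples):
        window_end = samples[i + 1][0] if i + 1 < len(samples) else as_of
        days = min(WINDOW_DAYS, (window_end - d_i).days)
        if days <= 0:
            continue  # duplicate sample date, or a sample taken on as_of itself
        survive *= 1.0 - p_i * days / WINDOW_DAYS
    return 1.0 - survive


def score_all(histories: Dict[str, List[Tuple[date, float]]],
              as_of: date) -> Dict[str, float]:
    """LEV for every CVE in the history table."""
    return {cve: lev(h, as_of) for cve, h in histories.items()}


def overlooked(scores: Dict[str, float], kev_ids: Set[str],
               threshold: float = 0.5) -> List[str]:
    """High-LEV CVEs that KEV does not list: candidates KEV alone would miss."""
    return sorted(c for c, s in scores.items() if s >= threshold and c not in kev_ids)


def expected_exploited(scores: Dict[str, float]) -> float:
    """Sum of per-CVE probabilities = expected count of exploited CVEs."""
    return sum(scores.values())


def kev_coverage(scores: Dict[str, float], kev_ids: Set[str]) -> float:
    """Rough lower bound on the share of exploited CVEs that KEV captures (assumed form)."""
    expected = expected_exploited(scores)
    if expected == 0.0:
        return 0.0
    return min(1.0, len(kev_ids & set(scores)) / expected)


# Constructed sample data: placeholder CVE ids and invented EPSS values.
AS_OF = date(2025, 3, 17)
EPSS_HISTORY: Dict[str, List[Tuple[date, float]]] = {
    "CVE-0000-0001": [(date(2025, 1, 1), 0.10), (date(2025, 1, 31), 0.20),
                      (date(2025, 3, 2), 0.50)],
    "CVE-0000-0002": [(date(2025, 1, 1), 0.90), (date(2025, 1, 31), 0.95)],
    "CVE-0000-0003": [(date(2025, 2, 15), 0.01)],
}
KEV_IDS: Set[str] = {"CVE-0000-0001"}  # constructed stand-in for a KEV listing

if __name__ == "__main__":
    scores = score_all(EPSS_HISTORY, AS_OF)
    for cve, s in scores.items():
        print(f"{cve}: LEV={s:.3f}{' (in KEV)' if cve in KEV_IDS else ''}")
    print("high-LEV but not in KEV:", overlooked(scores, KEV_IDS))
    print(f"expected exploited: {expected_exploited(scores):.2f}, "
          f"KEV coverage >= {kev_coverage(scores, KEV_IDS):.2f}")
```

In the constructed data the CVE with the highest LEV is the one KEV does not list, which is exactly the gap the researchers say LEV is meant to expose; summing the probabilities gives an expected number of exploited flaws that the KEV count can then be compared against.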

A bipartisan bill aims to strengthen the shrinking federal cybersecurity workforce.

A new bipartisan bill—the Federal Cyber Workforce Training Act—aims to strengthen the shrinking federal cybersecurity workforce. Introduced by Reps. Pat Fallon (R-TX) and Marcy Kaptur (D-OH), the bill tasks the National Cyber Director with creating a centralized training center focused on hands-on, role-specific onboarding. The initiative would target entry-level and transitioning workers while also developing modules for HR staff to improve recruitment and hiring. The curriculum would be crafted in coordination with DHS and DOD. Lawmakers say the effort is a response to ongoing challenges in federal cyber hiring, worsened under the Trump administration by workforce cuts, hiring freezes, and program disruptions. Critics like Rep. Eric Swalwell warn these actions have had long-term effects on recruitment, especially following layoffs at CISA. The bill seeks to reverse these trends by creating sustainable cyber career paths and raising training standards across federal agencies.


DOGE downsizes, and the UAE recruits. 

Kim Zetter’s Zero Day reveals a potentially troubling new development, as the UAE seeks to recruit former members of the Pentagon’s Defense Digital Service (DDS), who recently resigned in protest over interference from the Department of Government Efficiency (DOGE). Brig. Gen. Musallam Al Rashidi, representing the UAE’s military, offered the entire DDS team jobs in Abu Dhabi to help build an AI unit for the UAE’s Ministry of Defense. While the outreach came through official U.S. defense channels, the general’s involvement with Analog AI—a firm linked to the controversial Emirati company G42—raises serious red flags.

G42 has been under U.S. scrutiny for its ties to the Chinese government and military. Intelligence officials warn that hiring U.S. cyber talent could inadvertently transfer sensitive expertise or dual-use technologies to foreign powers like China. These risks are compounded by past instances where U.S. cyber operatives, recruited by Emirati firms, unknowingly engaged in surveillance and offensive hacking operations against U.S. allies and dissidents.

Though none of the DDS workers have so far accepted the UAE’s offer, they say this effort reflects a larger threat: the U.S. is shedding top-tier cyber talent, and foreign governments are eager to scoop them up. As one former DDS staffer warned, losing these experts not only weakens America’s cyber posture—it opens the door to our adversaries.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.