The CyberWire Daily Podcast 6.6.25
Ep 2324 | 6.6.25

Beware of BADBOX.

Transcript

The DOJ files to seize over $7 million linked to illegal North Korean IT workers. The FBI warns of BADBOX 2.0 malware targeting IoT devices. Researchers uncover a major security flaw in Chrome extensions. ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials. Hitachi Energy, Acronis and Cisco patch critical vulnerabilities. 20 suspects are arrested in a major international CSAM takedown. Hackers exploit a critical flaw in Roundcube webmail. Today’s guest is Ian Bramson, Global Head of Industrial Cybersecurity at Black & Veatch, exploring how organizations can close the cyberattack readiness gap. ChatGPT logs are caught in a legal tug-of-war.

Today is Friday June 6th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The DOJ files to seize over $7 million linked to illegal North Korean IT workers. 

The U.S. Department of Justice has filed a civil forfeiture complaint to seize over $7.74 million in cryptocurrency linked to North Korean IT workers who used stolen identities to gain illegal remote employment. These workers, often based in China and Russia, secretly funneled earnings to fund North Korea’s weapons program, skirting U.S. sanctions. The scheme was allegedly orchestrated with Sim Hyon Sop, a Foreign Trade Bank rep, and Kim Sang Man, head of Chinyong, a Ministry of Defense-linked firm. The IT workers laundered funds through tactics like chain-hopping, token swapping, and buying NFTs. The action is part of a broader crackdown—DPRK RevGen: Domestic Enabler Initiative—targeting North Korea’s global revenue networks and their U.S. enablers. The FBI and DOJ are leading the investigations.

The FBI warns of BADBOX 2.0 malware targeting IoT devices. 

The FBI is warning about BADBOX 2.0, a malware campaign that has infected over 1 million consumer IoT devices worldwide. Found mostly on low-cost Android-based TVs, tablets, and projectors—often made in China—BADBOX 2.0 turns these gadgets into residential proxies for cybercriminals. The malware comes preloaded or is installed during setup via malicious apps or firmware updates. Once infected, devices can be used for ad fraud, credential stuffing, and masking criminal traffic. Despite earlier disruptions, the botnet continues to grow. Most infections are in Brazil, the U.S., Mexico, and Argentina. The FBI urges consumers to avoid unofficial app stores, monitor home network traffic, keep devices updated, and disconnect any suspected compromised devices to halt the malware’s activity.

Researchers uncover a major security flaw in Chrome extensions. 

Researchers have uncovered a major security flaw in Chrome extensions affecting over 15 million users. The issue centers around developers hardcoding sensitive credentials directly into their JavaScript code — things like API keys, authentication tokens, and cloud access secrets. Since Chrome extension code is public, these credentials are easily accessible to attackers. Exposed secrets include Google Analytics, Azure speech APIs, and even AWS keys. The risks range from corrupting analytics data to incurring massive cloud costs or exposing broader infrastructure. Symantec found the problem across multiple high-profile extensions, including those from Avast and Equatio. This points to a widespread issue in extension development: convenience often overrides secure coding practices. Attackers could exploit these keys to spam services, hijack cloud resources, or even pivot into connected systems with elevated permissions.
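The check a reviewer would want for the problem described above is a secrets scan over an extension's shipped JavaScript, since anyone can unpack a published extension and do the same. What follows is an added example, not code from the original page, from Symantec, or from any extension vendor: it walks an unpacked extension directory, matches the documented shapes of the credential families the story names (AWS access key IDs and secret keys, Google API keys, the GA4 Measurement Protocol api_secret that lets anyone inject fake analytics events, and 32-hex vendor keys such as Azure Speech), skips the AWS documentation placeholders and low-entropy dummy values, and reports the rest with line numbers. The sample JavaScript is constructed for the demo, and the entropy threshold and the set of key families are assumptions.

```python
"""Scan unpacked Chrome-extension sources for hardcoded credentials.

Added example: the key formats are the publicly documented shapes of each
credential type, the sample source below is constructed and belongs to no
real extension, and the entropy cut-off is an assumption, not a standard.
"""
import math
import os
import re
from dataclasses import dataclass

# Documented credential shapes. Capture group 1 (where present) is the secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b'),
    "aws_secret_access_key": re.compile(
        r'(?i)secret(?:_?access)?_?key\s*[:=]\s*["\']([A-Za-z0-9/+]{40})["\']'),
    "google_api_key": re.compile(r'\bAIza[0-9A-Za-z_\-]{35}\b'),
    # GA4 Measurement Protocol secret embedded in a collect URL
    "ga4_api_secret": re.compile(r'api_secret=([A-Za-z0-9_\-]{16,})'),
    # 32 hex chars assigned to a key/secret/token-named variable (Azure-style keys)
    "hex32_assigned_key": re.compile(
        r'(?i)(?:key|secret|token)\w*\s*[:=]\s*["\']([0-9a-f]{32})["\']'),
}
# Free-form values get an entropy check; fixed-prefix formats do not need one.
ENTROPY_CHECKED = {"aws_secret_access_key", "ga4_api_secret", "hex32_assigned_key"}
# AWS documentation placeholders that appear in tutorials and copied snippets.
KNOWN_PLACEHOLDERS = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line: int


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 'deadbeef' * 4 scores about 2.16."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return every credential-looking value in `text`, with its 1-based line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in KNOWN_PLACEHOLDERS:
                    continue  # documentation placeholder, not a real credential
                if kind in ENTROPY_CHECKED and shannon_entropy(value) < min_entropy:
                    continue  # repetitive dummy such as "deadbeef" * 4
                findings.append(Finding(kind, value, lineno))
    return findings


def scan_extension_dir(root: str, exts=(".js", ".json", ".html")) -> dict:
    """Scan an unpacked extension (the directory you would 'Load unpacked')."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed background.js of a hypothetical extension (not a real one).
SAMPLE_JS = r'''
// constructed sample: cloud credentials shipped to every user of the extension
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIATESTTESTTESTTEST",
  secretAccessKey: "abcdefghijklmnopqrstuvwxyz0123456789ABCD",
};
// Documentation placeholder, should be ignored: AKIAIOSFODNN7EXAMPLE
const mapsKey = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
const speechKey = "deadbeefdeadbeefdeadbeefdeadbeef";   // low entropy, skipped
const azureSpeechKey = "3f7a9c1e5b2d8e4f6a0c9b7d1e3f5a2c";
const GA = "https://www.google-analytics.com/mp/collect?measurement_id=G-ABC123&api_secret=Qx9vT2mKp8LwZr4NcY7s";
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line}: {f.kind} = {f.value}")
```

Run it against the directory of an unpacked extension (a CRX is a zip file with a short header in front of it; strip the header or load the extension unpacked and point the scanner at that folder). A hit is not automatically a vulnerability, but every value the scan returns is readable by anyone who installs the extension, so the only real fix is to move the call behind a backend the extension authenticates to, and to rotate the exposed key.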

ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials. 

Iran-linked hackers, identified as BladedFeline, have been conducting a years-long cyberespionage campaign targeting Kurdish and Iraqi government officials, according to ESET. Believed to be a subgroup of Iran’s OilRig (APT34), BladedFeline has operated since at least 2017, initially breaching the Kurdistan Regional Government (KRG) and later expanding to Iraq’s central government and even a telecom provider in Uzbekistan. The group uses custom malware like Shahmaran, Whisper, and PrimeCache to spy on systems, exfiltrate data, and maintain remote access. Entry points likely include exploited server vulnerabilities and webshells. Researchers say the campaign likely supports Iran’s geopolitical goals by monitoring the KRG’s Western ties and countering U.S. influence in Iraq. OilRig has a history of targeting critical sectors and using compromised networks for supply chain attacks.

Hitachi Energy, Acronis and Cisco patch critical vulnerabilities. 

Hitachi Energy has patched two critical vulnerabilities (CVE-2020-35198 and CVE-2020-28895) in its Relion 670, 650 series, and SAM600-IO devices, which are widely used in power grid protection and control. The flaws could allow remote attackers to trigger memory corruption, risking grid stability. Hitachi Energy has released targeted updates and recommends users upgrade to secure revisions. No public exploitation has been reported, but mitigation steps are advised for older systems.

Acronis Cyber Protect users are urged to update immediately due to multiple critical vulnerabilities, including three with the highest CVSS score of 10.0. These flaws allow attackers to bypass authentication, access sensitive data, and escalate privileges. Updates have been available for a month. If updating isn’t possible right away, restrict network access and monitor systems for suspicious activity.

Cisco has patched 12 vulnerabilities across its products, including a critical flaw (CVE-2025-20286, CVSS 9.9) in cloud deployments of Identity Services Engine (ISE). This bug affects AWS, Azure, and Oracle Cloud ISE instances where shared credentials are improperly generated, allowing attackers to access sensitive data or modify configurations. No workarounds exist, and proof-of-concept (PoC) code is public. Cisco also addressed two high-severity SSH flaws in its IMC and Nexus Dashboard Fabric Controller (CVE-2025-20261 and CVE-2025-20163), which could allow unauthorized access or man-in-the-middle attacks. Additionally, nine medium-severity bugs were patched across various Cisco communication and management tools. Two have public PoC code, though no active exploitation is reported. Cisco strongly urges users to apply updates immediately.

20 suspects are arrested in a major international CSAM takedown. 

An international law enforcement operation has led to the arrest of 20 suspects involved in producing and distributing child sexual abuse material (CSAM). Launched after Spanish police uncovered messaging groups sharing CSAM in late 2024, Operation Vibora identified 88 suspects globally. INTERPOL and Europol coordinated efforts across the Americas, Europe, Asia, and Oceania. Spain arrested seven individuals, including a teacher and healthcare worker. Ten more were arrested in Latin America, including three in El Salvador and a teacher in Panama. Additional arrests occurred in Europe and the U.S. This operation follows earlier global actions against CSAM platforms, including Operation Stream, which dismantled the dark web site Kidflix, and another that targeted AI-generated CSAM. These efforts have collectively identified hundreds of suspects and seized thousands of devices.

Hackers exploit a critical flaw in Roundcube webmail. 

Cybersecurity company FearsOff reports that hackers are now exploiting CVE-2025-49113, a critical post-authentication remote code execution flaw in Roundcube webmail, which impacts versions 1.1.0 to 1.6.10. The bug, present for over a decade, was patched on June 1, but attackers quickly reverse-engineered the fix and began selling a working exploit online. Dubbed “email armageddon,” the flaw stems from unsanitized session variables leading to PHP object injection. Despite requiring login access, attackers claim credentials can be extracted from logs, brute-forced, or obtained via CSRF. Roundcube is widely used by hosting providers and organizations across government, education, and tech sectors. With over 1.2 million instances online, the attack surface is significant. Security researchers urge immediate patching, given the vulnerability’s severity (CVSS 9.9) and the active exploitation in the wild.

 

We’ll be right back. Today’s guest is Ian Bramson, Global Head of Industrial Cybersecurity at Black & Veatch. Ian joins us to explore how organizations can close the cyberattack readiness gap in industrial environments—especially as cyber threats grow more sophisticated and aggressive.

Welcome back.

ChatGPT logs are caught in a legal tug-of-war. 

OpenAI is squaring off with a federal judge over a sweeping court order that, in essence, forces it to save everything—every deleted ChatGPT message, every “temporary” chat, even the API-based confessions of businesses panicking about quarterly earnings. Why? Because The New York Times and others suing OpenAI over copyright concerns suspect that users are deleting chats to cover their digital tracks.

The judge agreed and ordered OpenAI to preserve all logs. OpenAI, now somewhere between “concerned” and “hair-on-fire,” argues this defies logic, privacy policy, and possibly several international laws. Their message: We didn’t destroy data, we just honored users’ decisions. And now? They’re being told to keep everything—yes, even your wedding vow drafts and that ill-fated budget spreadsheet.

Caught between litigation and privacy commitments, OpenAI wants the order tossed. Until then, users everywhere are side-eyeing their chat history—and perhaps even considering a fling with Gemini.

 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.