Can’t DOGE the inquiry.
A House oversight committee requests DOGE documents from Microsoft. Predatory Sparrow claims a cyberattack on an Iranian bank. Microsoft says data that happens in Europe will stay in Europe. A complex malware campaign is using heavily obfuscated Visual Basic files to deploy RATs. A widely used CMS platform suffers potential RCE bugs. North Korea’s Kimsuky targets academic institutions using password-protected research documents. Asus patches a high-severity vulnerability in its Armoury Crate software. CISA’s new leader remains in confirmation limbo. Our guest is Brian Downey, VP of Product Management from Barracuda, talking about how security sprawl increases risk. Operation Fluffy Narwhal thinks it’s time to rethink adversary naming.
Today is Tuesday, June 17th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A House oversight committee requests DOGE documents from Microsoft.
Rep. Stephen F. Lynch, Democrat from Massachusetts and Acting Ranking Member of the Committee on Oversight and Government Reform, has requested documents from Microsoft CEO Satya Nadella regarding reports that individuals linked to Elon Musk’s Department of Government Efficiency (DOGE) tried to remove sensitive data from the National Labor Relations Board (NLRB). According to NPR and whistleblower reports, DOGE staff allegedly used high-level access to exfiltrate data, possibly including union activities, and hid their actions by deleting logs and installing backdoors. A DOGE engineer reportedly wrote code titled “NxGenBdoorExtract” and uploaded it to GitHub, which is owned by Microsoft. Lynch raised concerns over potential misconduct, privacy violations, and conflicts of interest given Musk’s history with the NLRB. In April and May 2025, congressional Democrats launched investigations into Musk and DOGE’s alleged interference and data breaches at the NLRB.
Predatory Sparrow claims a cyberattack on an Iranian bank.
A hacking group known as Predatory Sparrow, believed to be tied to Israeli intelligence, claimed a cyberattack on an Iranian bank. The group says the strike was in retaliation for the bank’s alleged role in funding Iran’s military and nuclear programs. The attack disrupted banking services and reportedly affected gas stations, delayed salaries, and closed some branches. The group claimed support from “brave Iranians” and vowed to target institutions backing “the dictator’s terrorist fantasies.” The hack follows rising tensions, including Israeli strikes on Iranian facilities and cyber retaliation by pro-Iranian groups. Predatory Sparrow has previously hit Iran’s steel and fuel sectors. While Iran has not commented, experts see escalating cyber conflict between Iran and Israel, with hacktivists warning regional allies of Israel they could be targeted too.
Microsoft says data that happens in Europe will stay in Europe.
Microsoft announced that data from its European cloud customers will remain in Europe, comply with EU laws, and be managed by local staff. This move addresses growing concerns about foreign access to sensitive data. Microsoft also confirmed that any remote access by its engineers will be approved and monitored by European personnel. The company is expanding its cloud and AI operations in the region and plans to launch a sovereign private cloud—now in preview—by the end of the year.
A complex malware campaign is using heavily obfuscated Visual Basic files to deploy RATs.
Researchers at Censys have uncovered a complex malware campaign using heavily obfuscated Visual Basic Script (VBS) files named “sostener.vbs” to deploy remote access trojans (RATs). Discovered in June 2025, the attack unfolds in three stages, beginning with bloated VBS droppers that decode base64 payloads and launch PowerShell scripts. These scripts fetch additional malware from platforms like archive.org, where payloads are hidden in JPEG images. The campaign delivers RATs such as Remcos, AsyncRAT, DCRat, and LimeRAT. It uses resilient infrastructure via duckdns.org to avoid takedowns. Though similar to attacks by the Blind Eagle group, attribution is unconfirmed. Researchers advise disabling macros, filtering emails, and monitoring PowerShell use to reduce risk. The campaign’s advanced obfuscation and use of legitimate hosting services make detection and response especially challenging.
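As an added example that is not from the briefing or from Censys's write-up: a Python triage check for the traits this item describes (a comment-bloated VBS dropper, a long base64 literal, a decoded PowerShell stage that pulls a JPEG from archive.org or names a duckdns.org host), run over a constructed sample. The regexes and the bloat threshold are assumptions, not published detection logic.

```python
"""Heuristic triage for a 'sostener.vbs'-style dropper (added example, not the
campaign's code). Flags a VBS file that is padded with junk comments, carries
a long base64 literal, and decodes to a PowerShell stage that references
archive.org image payloads or duckdns.org infrastructure."""
import base64
import binascii
import re

# Indicators taken from the campaign description; patterns and thresholds are assumed.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{120,}={0,2})"')
STAGE_PATTERNS = {
    "powershell_launch": re.compile(r"powershell(\.exe)?\b", re.I),
    "archive_org_payload": re.compile(r"archive\.org/[^\s\"']+\.jpe?g", re.I),
    "duckdns_infra": re.compile(r"[\w.-]+\.duckdns\.org", re.I),
}
BLOAT_RATIO = 0.5  # assumed: more than half the lines being comments is suspicious


def decode_b64_literals(script: str) -> list[str]:
    """Return the decoded text of every long base64 string literal in the script."""
    decoded = []
    for blob in B64_LITERAL.findall(script):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; ignore it
    return decoded


def triage_vbs(script: str) -> dict:
    """Score a VBS file against the described dropper traits (0 = nothing seen)."""
    lines = script.splitlines()
    comments = sum(1 for ln in lines if ln.lstrip().startswith(("'", "Rem ")))
    findings = {"bloated": bool(lines) and comments / len(lines) > BLOAT_RATIO}
    payloads = decode_b64_literals(script)
    findings["b64_literals"] = len(payloads)
    for name, pat in STAGE_PATTERNS.items():
        findings[name] = any(pat.search(p) for p in payloads)
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings


# Constructed sample mimicking the described chain; the inner stage only fetches an image.
_STAGE2 = ('powershell.exe -Command "Invoke-WebRequest '
           'https://archive.org/download/example-item/photo.jpg; '
           "$c = 'example-c2.duckdns.org'\"")
_B64 = base64.b64encode(_STAGE2.encode()).decode()
SAMPLE_VBS = "\n".join(["' junk padding line"] * 40
                       + [f'payload = "{_B64}"', "' decoded stage would be launched here"])
```

Run `triage_vbs(SAMPLE_VBS)` to see all four traits flagged; a plain `MsgBox "hi"` script scores 0.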
A widely used CMS platform suffers potential RCE bugs.
WatchTowr has revealed seven serious vulnerabilities in Sitecore, a widely used CMS platform powering major companies like HSBC, United Airlines, and L’Oréal. Three of the flaws, disclosed in a June 17 report, enable unauthenticated remote code execution (RCE) on Sitecore Experience Platform 10.4.1. A key issue is a hardcoded default password—“b”—which, when combined with two post-auth RCE bugs, creates a full pre-auth RCE chain. WatchTowr found over 22,000 exposed instances and warns the actual number is likely much higher. The vulnerabilities—identified as WT-2025-0024, WT-2025-0032, and WT-2025-0025—were patched in May after Sitecore was notified in February. No CVEs have been assigned yet. WatchTowr urges immediate patching and credential rotation, warning of the high risk to enterprise environments. Four more flaws will be detailed in a future report.
North Korea’s Kimsuky targets academic institutions using password-protected research documents.
A new malware campaign by North Korea-linked Kimsuky is targeting academic institutions using password-protected research documents to deliver multi-stage malware. Disguised as review requests from professors, phishing emails contain Hangul Word Processor (HWP) files with malicious OLE objects. These bypass security tools and trick recipients into opening them, launching a sophisticated infection chain. Upon activation, the malware installs six files, performs system reconnaissance, and establishes remote access using AnyDesk. The campaign exploits academic trust and collaboration, making detection harder and expanding risks to connected government and private networks. The malware uses obfuscation techniques and disguises malicious actions under the appearance of legitimate documents. Analysts warn this campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urge institutions to remain vigilant.
Asus patches a high-severity vulnerability in its Armoury Crate software.
Asus has patched a high-severity vulnerability (CVE-2025-3464, CVSS 8.8) in its Armoury Crate software, which could allow attackers to gain full system access. The flaw, an authorization bypass caused by a Time-of-check Time-of-use (TOCTOU) issue, was discovered by Cisco Talos. Attackers can exploit it by creating a hard link to bypass restrictions on a driver used by Armoury Crate. The bug affects versions 5.9.9.0 to 6.1.18.0. Users are urged to update immediately to avoid privilege escalation risks.
CISA’s new leader remains in confirmation limbo.
Sean Plankey, President Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), remains in confirmation limbo due to procedural delays and a Senate hold. Plankey, a former DOE and NSC cybersecurity official, missed his June hearing over an incomplete FBI clearance, causing confusion and postponements. Despite bipartisan support for his qualifications, his nomination is blocked by Sen. Ron Wyden, who demands CISA release a 2022 report on telecom vulnerabilities linked to the Salt Typhoon hack. Wyden accuses CISA of covering up critical cybersecurity failures and says public release of the report is vital. The delay hampers a major overhaul at CISA, including proposed budget cuts and staff reductions. With former Acting Director Bridget Bean gone, staff are concerned about leadership gaps and the agency’s uncertain future under incoming Trump appointees.
Next up, I speak with Brian Downey, VP of Product Marketing and Product Management from Barracuda, talking about how security sprawl increases risk. We’ll be right back.
Welcome back. You can find more information about what Brian discussed in our show notes.
Operation Fluffy Narwhal thinks it’s time to rethink adversary naming.
And finally, when a Russian military unit hacks an election, but we call them “Fancy Bear,” it’s no wonder folks think cybersecurity is some elaborate comic book. In a sharply wry op-ed for Just Security, Jen Easterly and Ciaran Martin argue it’s time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation-states and criminals. Microsoft and CrowdStrike’s recent alliance to align threat actor names is a welcome baby step. But Easterly and Martin say it’s not enough. Until the cybersecurity world adopts a single, clear, vendor-neutral naming system, we’ll keep confusing defenders and glamorizing adversaries. The idea that naming can’t be standardized is, they argue, nonsense—we do it in medicine, defense, and even for missiles. So why not malware? It’s time to ditch the marketing mascots. Let’s trade “Charming Kitten” for “Iranian espionage” and call the cyber criminals what they are—without the flair.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
We’d love to hear from you. We’re conducting our annual audience survey to learn more about our listeners. We’re collecting your insights until August 31, 2025. There’s a link in the show notes.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.