Podcasts
CyberWire Daily
Ep 2348
The CyberWire Daily Podcast 7.14.25
Ep 2348 | 7.14.25

Taxing times for cyber fraudsters.

Show Notes
Transcript

British and Romanian authorities make arrests in a major tax fraud scheme. The Interlock ransomware gang has a new RAT. A new vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails. Suspected Chinese hackers breach a major DC law firm. Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology. Nvidia warns against Rowhammer attacks across its product line. Louis Vuitton joins the list of breached UK retailers. Indian authorities dismantle a cyber fraud gang. CISA pumps the brakes on a critical vulnerability in American train systems. Our guest is Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, with insights on Scattered Spider. Hackers ransack Elmo’s World. 

Today is Monday July 14th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

British and Romanian authorities make arrests in a major tax fraud scheme. 

British and Romanian authorities have arrested 14 people linked to a major tax fraud scheme that used stolen personal data to falsely claim millions in U.K. tax refunds. HM Revenue and Customs (HMRC) said the gang used phishing attacks to harvest taxpayer info, then filed fake PAYE, VAT, and child benefit claims. Raids across Romania led to 13 arrests, while one suspect was arrested in England. Authorities seized luxury goods and cash during the bust. HMRC previously reported £47 million was stolen in 2023 through similar fraud, though £1.9 billion in attempted fraud was stopped. HMRC emphasized it wasn’t hacked; the data came from phishing or third-party breaches. Around 100,000 individuals were notified of suspicious activity, but no personal financial losses were reported.

The Interlock ransomware gang has a new RAT. 

The Interlock ransomware gang is deploying a new remote access trojan (RAT) written in PHP as part of a broad campaign active since May 2025, researchers from The DFIR Report and Proofpoint revealed. This marks a shift from Interlock’s earlier JavaScript-based “NodeSnake” RAT. The PHP version enables automated system reconnaissance via PowerShell, exfiltrates data as JSON, checks user privileges, and establishes command-and-control through Cloudflare Tunnel, with backup IPs for resilience. It supports file execution, persistence, shell access, RDP movement, and self-termination. Initial access is gained using a social engineering trick called “FileFix,” where users are duped into running PowerShell commands by pasting malicious paths into File Explorer. Interlock, known for double-extortion, has previously targeted U.S. and U.K. government agencies.

A new vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails. 

A new prompt-injection vulnerability in Google Gemini for Workspace allows attackers to hide malicious instructions inside emails, tricking the AI into generating phishing-style summaries. Discovered by Mozilla researcher Marco Figueroa, the attack hides commands in white, zero-sized text using HTML/CSS. These are invisible to users but read by Gemini when generating a summary. The result might include fake security alerts or phone numbers that appear trustworthy. Because there are no links or attachments, these emails bypass many filters. Despite prior reports and Google’s security updates, this method remains effective. Google says it’s implementing new defenses and has seen no real-world abuse yet. Security experts recommend filters to detect hidden content and flag Gemini summaries with urgent messages or contact info as suspicious.

Suspected Chinese hackers breach a major DC law firm.  

Suspected Chinese hackers breached email accounts at major DC law firm Wiley in an intelligence-gathering operation, the firm told clients. The attackers, possibly linked to the Chinese government, accessed Microsoft 365 accounts belonging to attorneys and advisers, likely targeting sensitive trade, tariff, and foreign investment information. Wiley, known for advising Fortune 500 clients and the U.S. government on trade with China, is investigating what data was accessed and is working with law enforcement and Mandiant. The hack comes amid escalating U.S.-China trade tensions and follows other suspected Chinese intrusions into U.S. agencies. The FBI, already probing multiple Beijing-linked cyber operations, warns China’s hacking capabilities surpass all other foreign powers. Chinese officials deny involvement, calling accusations baseless without solid evidence.

Multiple firmware vulnerabilities affect products from Taiwanese manufacturer Gigabyte Technology. 

Multiple firmware vulnerabilities in products from Taiwanese manufacturer Gigabyte Technology could let attackers bypass UEFI security and gain deep control over affected systems, researchers warn. Found in System Management Mode (SMM), a privileged CPU mode used for hardware-level tasks, the flaws stem from improper buffer validation in SMI handlers. This allows arbitrary code execution before the OS loads. Tracked as CVE-2025-7026 through CVE-2025-7029, the bugs enable writing to protected memory, modifying System Management RAM, and tampering with flash operations. Attackers with admin access, local or remote, could exploit these to disable Secure Boot, install persistent firmware backdoors, and bypass OS-level protections. The issues, first seen in AMI firmware, have now been identified in Gigabyte products. Gigabyte has acknowledged the flaws and issued firmware updates. Users are advised to update promptly.

Nvidia warns against Rowhammer attacks across its product line. 

Nvidia has warned users to enable mitigations against Rowhammer attacks after researchers at the University of Toronto successfully exploited the issue on an A6000 GPU with GDDR6 memory and ECC disabled. Rowhammer manipulates memory by repeatedly accessing memory rows, potentially causing data corruption. In a July 9 advisory, Nvidia emphasized that ECC is enabled by default on its Hopper and Blackwell Data Center products and recommended enabling ECC on various models across its product lines, including Blackwell, Ada, Hopper, Ampere, Jetson, Turing, and Volta.

Louis Vuitton joins the list of breached UK retailers. 

Louis Vuitton UK has suffered a data breach, notifying customers on July 2 that personal information may have been exposed, including names, contact details, birthdates, and shopping preferences. While there’s no evidence of misuse, the company warned customers to watch for phishing or fraud attempts. The breach follows similar incidents at LVMH’s Korean operations and other brands like Dior and Tiffany. Security experts suggest the breaches may stem from shared vulnerabilities across LVMH’s systems. The ICO has been notified, and investigations are ongoing.

Indian authorities dismantle a cyber fraud gang. 

Indian authorities have dismantled a cyber fraud gang accused of scamming victims in the UK, US, and Australia through fake tech support calls. The Central Bureau of Investigation (CBI) raided the gang’s call center after an 18-month probe dubbed Operation Chakra-V, coordinated with the UK’s National Crime Agency (NCA), the FBI, and Microsoft. Victims were tricked by scareware popups claiming their computers were hacked, then coerced into paying for bogus repairs. Over 100 UK victims lost at least £390,000. The scammers used spoofed numbers and VoIP calls to mask their identity. The case highlights international collaboration, sparked by Microsoft’s tip to the NCA in early 2024. Two suspects, including the ringleader, were arrested. The call center reportedly operated under the name “FirstIdea.”

CISA pumps the brakes on a critical vulnerability in American train systems. 

A critical vulnerability in American train systems, first discovered in 2012, has only recently gained official attention after CISA issued a public advisory. Researcher Neils found that the wireless End-of-Train (EoT) system, used since the 1980s, lacks strong authentication, allowing attackers with low-cost software-defined radios to send false brake commands. Despite repeated warnings, the American Association of Railways (AAR) dismissed the issue as theoretical. The vulnerability remained unresolved due to AAR’s refusal to permit testing and the Federal Railroad Administration’s lack of test facilities. AAR finally acknowledged the problem after CISA’s involvement, but remediation is slow, with full implementation not expected until 2027. Experts say the situation highlights long-standing industry resistance to cybersecurity warnings, even when public safety is at risk.

 

Hackers ransack Elmo’s World. 

And finally, it’s hard to imagine something more jarring than seeing Elmo, the cheerful, red Muppet who teaches kids about kindness, suddenly spewing racist and antisemitic hate. But that’s exactly what happened when his verified X account was hacked over the weekend. For a brief but painful moment, the lovable “Sesame Street” icon became an unwitting mouthpiece for vile, hateful rhetoric. The posts were quickly taken down, and Sesame Workshop issued a statement expressing outrage and confirming the breach. Sadly, this incident is just another symptom of a broader crisis. Since Elon Musk took over X, the platform has become a breeding ground for hate speech. Even Grok, X’s own chatbot, was caught parroting antisemitic nonsense. All of this is unfolding against a disturbing backdrop: antisemitic incidents in the U.S. hit record highs in 2024. The digital and real-world threats are converging—and not even Elmo is safe. One can’t help wonder why Elmo and the rest of the Sesame Street gang still maintain their verified accounts on X-Twitter. 

At any rate, today’s Cyberwire was brought to you by the number 404, but not by the letter X. 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

 

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

CyberWire Daily
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Monday-Friday
Creator: CyberWire, Inc.