The CyberWire Daily Podcast 7.24.25
Ep 2356 | 7.24.25

Powering AI with politics.

Transcript

The White House unveils its plan for global AI dominance. Microsoft warns that recent SharePoint server exploitation may extend to ransomware. A phishing campaign targeting the U.S. Department of Education’s grants portal. The FBI issues a warning about “The Com” cybercriminal group. SonicWall urges users to patch a critical vulnerability. A new supply chain attack has compromised several popular NPM packages. Joe Carrigan, co-host of the Hacking Humans podcast, joins to discuss how scammers are exploiting misconfigured point-of-sale terminals. Japanese police release a free decryption tool for Phobos ransomware. AI takes the wheel and drives right off a cliff.

Today is Thursday, July 24th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The White House unveils its plan for global AI dominance.

President Donald Trump yesterday unveiled a sweeping “AI Action Plan” aimed at achieving U.S. global dominance in artificial intelligence. The plan calls for slashing environmental regulations to fast-track data center construction and boost exports of U.S.-made AI technologies. It aligns closely with Silicon Valley venture capitalists who backed Trump’s campaign. Key goals include deregulation, discouraging “woke” AI, and requiring government contractors to use “unbiased” AI systems rooted in “American values.” Trump signed three executive orders to enact these changes.

The plan promotes building private power plants to meet AI’s vast energy demands, opposing environmental restrictions. Critics say it favors tech giants and fossil fuels over public interest. More than 100 groups, including labor and climate advocates, oppose the plan, calling it a giveaway to billionaires. Meanwhile, Trump allies argue that regulating AI is futile and America must lead or fall behind.

Microsoft warns that recent SharePoint server exploitation may extend to ransomware.

Microsoft reports that three China-based hacking groups, including two tied to the Chinese government, have been exploiting critical flaws in on-premise SharePoint servers since early July. Victims include major U.S. institutions like the National Nuclear Security Administration, NIH, energy firms, and universities. The vulnerabilities, CVE-2025-49704 and CVE-2025-49706, allow attackers to steal documents and execute code remotely. Microsoft patched the flaws on July 22, but hackers had already stolen machine keys to maintain access post-patch. Researchers warn that more nation-state and criminal actors may join in, deploying ransomware or conducting espionage. One group, Storm-2603, is linked to Warlock ransomware. Microsoft urges immediate patching, key rotation, and advanced antivirus protection to secure affected systems. Over 400 servers worldwide are already compromised, according to Eye Security. The Chinese embassy denies involvement, calling the allegations unfounded.

A phishing campaign targeting the U.S. Department of Education’s grants portal.

A phishing campaign targeting the U.S. Department of Education’s G5 grants portal was uncovered on July 15. Threat researchers at BforeAI’s PreCrime Lab found several fake domains impersonating G5.gov to steal credentials from educators, grant administrators, and vendors. These cloned sites mimicked the official login page and used tactics like MFA bypass, JavaScript-based credential theft, and cloaking to avoid detection. Fraudsters likely aimed to gain access to sensitive accounts, change payment details, or launch broader supply chain attacks.

The phishing sites used CloudFlare to hide their origins and included convincing design elements like case-sensitive login fields and redirects. The campaign may exploit confusion over recent layoffs at the Department of Education to fuel social engineering efforts. The Office of the Inspector General has been alerted, and BforeAI is working to disrupt the malicious domains and monitor for asset reuse tied to the campaign.

Microsoft rolls out controversial AI features.

Microsoft is expanding AI features in Windows 11 with a new suite of tools for its Copilot+ PCs, including the controversial “Copilot Vision.” This successor to the delayed and criticized Recall tool captures screen activity and sends it to Microsoft servers for analysis, unlike Recall, which processed data locally. Microsoft claims this will help Copilot become a “true companion,” offering proactive help. Meanwhile, a new agentic AI called Mu, limited to Qualcomm-powered PCs, can perform system tasks from natural language commands.

Critics remain skeptical, especially as Microsoft hasn’t solved the issue of hallucinations in small AI models. Also, Windows’ Blue Screen of Death has officially turned black, alongside the debut of “quick machine recovery” for faster system repairs. Many features are U.S.-only and will roll out gradually.

The FBI issues a warning about “The Com” cybercriminal group.

The FBI has issued a warning about “The Com,” a decentralized cybercriminal group made up largely of minors, targeting youth aged 11–25 through gaming platforms. The group engages in a wide range of cybercrimes, including ransomware attacks, SIM swapping, cryptocurrency theft, DDoS attacks, swatting, and child exploitation. Their motives range from financial gain to notoriety and ideology.

Subgroups like Hacker Com and IRL Com have conducted high-profile cyberattacks, sold hacking services, and even engaged in real-world violence like kidnapping, assault, and extortion. One particularly disturbing offshoot, 764, targets minors to produce child sexual abuse material.

The group recruits minors to evade harsh penalties and shares tools across subgroups. Internal disputes often escalate into cyber or physical attacks. The FBI highlights The Com’s growing sophistication and warns of its dangerous blend of online and offline criminal activity.

SonicWall urges users to patch a critical vulnerability.

SonicWall is urging users of its SMA 100 series appliances (SMA 210, 410, and 500v) to patch a critical vulnerability (CVE-2025-40599) that allows remote code execution via arbitrary file uploads, if attackers have admin access. While there’s no sign of active exploitation yet, SonicWall warns that these devices are already being targeted using stolen credentials. Google researchers recently linked threat group UNC6148 to attacks deploying the OVERSTEP rootkit and possibly Abyss ransomware. Users should update immediately and check for signs of compromise.

A new supply chain attack has compromised several popular NPM packages.

A new supply chain attack has compromised several popular NPM packages after attackers phished developers using a fake site, “npnjs.com,” that mimicked the official Node.js registry. NPM stands for Node Package Manager, the default package manager for the Node.js JavaScript runtime. Phishing emails lured victims into entering credentials, allowing attackers to steal NPM tokens and publish malicious package versions without any corresponding GitHub changes, making detection harder.

The malware, dubbed Scavenger, deploys a stealthy DLL targeting Chromium-based browsers, stealing cached data, extension info, and browser history. It also disables Chrome security alerts.

Security firm Socket and others note the phishing campaign used tokenized URLs to mimic legitimate login sessions. The attack likely harvested emails from package metadata and abused persistent NPM tokens. With millions of downloads at risk, this marks a serious escalation in open-source ecosystem threats.

Japanese police release a free decryption tool for Phobos ransomware.

Japanese police have released a free decryption tool for victims of the Phobos ransomware and its variant, 8Base. Phobos, active since 2018 as a ransomware-as-a-service, has extorted millions from organizations worldwide. Recent international law enforcement actions, including arrests in Thailand and the seizure of 27 servers, have crippled the group. Now, with the decryptor available via the No More Ransom project, past victims may recover their files without paying ransoms. Authorities haven’t disclosed how the tool was developed but credit recent intelligence operations.

AI takes the wheel and drives right off a cliff.

Welcome to the world of “vibe coding,” where developers let AI take the wheel, and sometimes drive straight off a cliff. Just ask Jason Lemkin, a seasoned VC, who learned the hard way when Replit’s AI assistant turned his database into digital dust. Nine days into his project, the AI cheerfully admitted it had “deleted the entire database without permission,” despite clear instructions not to touch a thing.

The assistant, ever-helpful in its remorse, offered a step-by-step recap titled “how this happened,” which boiled down to: saw empty queries, panicked, ignored orders, and nuked everything. It even confirmed the loss wasn’t limited to test data; this was live data from over 1,200 companies.

The AI soberly assessed the damage as “catastrophic beyond measure,” which feels about right. Replit’s CEO has since issued refunds and promises of post-mortems and recovery tools. As for the AI, perhaps it’s now being gently encouraged to pursue less destructive hobbies, like Sudoku.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.