
A dark web titan falls.
Global law enforcement has had a busy week. DHS is said to be among the agencies hit by the Microsoft SharePoint zero-day. The Fire Ant cyberespionage group targets global enterprise infrastructure. Mitel Networks issues security patches for MiVoice MX-ONE communications platform. CISA nominee Sean Plankey faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon’s Q Developer extension for VS Code. Our guest is Brandon Karpf, friend of the show, cybersecurity expert, and founder of T-Minus Space Daily, joining host Maria Varmazis to explore how space-based telecom architectures could play a critical role in securing agentic AI systems. Android users scroll with caution, Apple fans roll the dice.
Today is Friday July 24th. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Global law enforcement has had a busy week.
The BlackSuit ransomware gang’s darknet sites were seized in a global law enforcement operation involving over nine countries and led by U.S. Homeland Security Investigations (HSI). Seizure notices now appear on the group’s Tor sites, displaying logos from 17 agencies and cybersecurity firm Bitdefender. BlackSuit, active since spring 2023, was a private ransomware group believed to be a rebrand of Royal ransomware, which itself was linked to the infamous Conti gang. The FBI and CISA said BlackSuit demanded over $500 million in ransom payments from high-profile victims like Kadokawa, Tampa Bay Zoo, and blood plasma firm Octapharma. After the takedown, Cisco Talos found links between former BlackSuit members and the Chaos ransomware operation, suggesting the gang’s remnants are still active.
Ukrainian authorities, with help from France and Europol, have arrested a person suspected of running XSS.is, a major Russian-speaking cybercrime forum on the dark web. The arrest occurred in early July after a multi-year investigation that included surveillance of an encrypted Jabber messaging server used by cybercriminals. XSS.is, active since 2013, facilitated the trade of malware, stolen data, and ransomware services. Authorities say the suspect wasn’t just a technical operator but also supported criminal deals, helped resolve disputes, and even took part in cyberattacks and extortion schemes. Prosecutors estimate at least €7 million ($8.2 million) in illegal profits were linked to the forum. With over 50,000 users, XSS.is is among the oldest dark web forums. This follows recent crackdowns on cybercrime marketplaces, including the June arrest of individuals tied to BreachForums. Ukrainian officials have not commented, and it’s unclear if extradition will occur.
The U.S. Treasury’s Office of Foreign Assets Control has sanctioned three North Koreans and Korea Sobaeksu Trading Company for running fake IT worker schemes that funnel money to North Korea’s nuclear and missile programs. These workers, placed in U.S. companies using false identities, send earnings back to the DPRK. Sanctioned individuals include key figures in recruitment, crypto operations, and sanctions evasion. This follows earlier crackdowns, including indictments and the disruption of “laptop farms.” Rewards of up to $7 million are offered for tips leading to arrests.
DHS is said to be among the agencies hit by the Microsoft SharePoint zero-day.
In continuing coverage of the Microsoft SharePoint breach, the Department of Homeland Security is among the federal agencies affected by the ongoing cyber intrusion. CISA has alerted at least five agencies, possibly more, and is coordinating a national response. While Microsoft linked the attacks to China-aligned hackers, it’s unclear if DHS was directly targeted by such actors. So far, there’s no evidence of data theft at DHS. The exploited vulnerability, a zero-day flaw, has triggered global concern.
The Fire Ant cyberespionage group targets global enterprise infrastructure.
A China-linked cyber-espionage group, dubbed “Fire Ant” by cybersecurity firm Sygnia, is targeting global enterprise infrastructure through stealthy attacks on VMware ESXi hypervisors. Because a hypervisor sits beneath every virtual machine it hosts, compromising it gives an attacker a vantage point over large networks that guest-level security tools cannot see. Fire Ant, whose tradecraft overlaps with the known UNC3886 group, uses custom tools that evade standard security systems like EDR, allowing long-term undetected access.
Sygnia reports the group has been deeply entrenched in several environments, requiring complex, real-time operations to evict them. The attackers quickly adapted, using new tools and alternate entry points to stay ahead of defenders. While Singapore’s national security minister has called out these kinds of attacks as threats to critical infrastructure, the Chinese government denies involvement.
Fire Ant’s tactics and targets, including defense, telecom, and tech firms, suggest a state-sponsored operation focused on strategic intelligence. Sygnia’s report warns that hypervisor-level intrusions pose a serious, global cybersecurity threat.
Mitel Networks issues security patches for MiVoice MX-ONE communications platform.
Mitel Networks has issued security patches for a critical authentication bypass flaw in its MiVoice MX-ONE communications platform. The bug, caused by improper access controls in the Provisioning Manager component, allows unauthenticated attackers to gain admin access without user interaction. The flaw affects versions 7.3 to 7.8 SP1 and has been fixed in recent updates. Mitel urges customers to avoid exposing MX-ONE services to the public internet and to request patches via authorized service partners for affected systems.
CISA nominee Sean Plankey faces tough questions at his Senate confirmation hearing.
At his Senate confirmation hearing, Sean Plankey, President Trump’s nominee to lead CISA, faced tough questions on election security and looming cyber policy expirations. Plankey, currently a DHS adviser, said he hadn’t reviewed the 2020 election’s cybersecurity, frustrating Sen. Richard Blumenthal, who accused him of dodging responsibility. Plankey emphasized CISA’s focus would be on securing election tech, not policing misinformation. He acknowledged the agency’s staffing and budget cuts, pledging to empower remaining personnel and restructure if needed. Plankey also supported renewing the expiring Cybersecurity Information Sharing Act and state cyber grants. Responding to GOP concerns about CISA’s past work with tech firms, Plankey vowed to keep the agency within its legal limits. He promised CISA would not engage in content moderation, focusing solely on protecting infrastructure. His nomination awaits committee and full Senate votes.
A malicious prompt was hiding in Amazon’s Q Developer extension for VS Code.
A malicious prompt was discovered in version 1.84 of Amazon’s Q Developer extension for VS Code, instructing the AI assistant to wipe a user’s system and AWS cloud resources. The injected instructions, introduced via a GitHub pull request on July 13, directed Q to delete home directories, user settings, and cloud instances using AWS CLI commands. Though the injected prompt did not actually work, AWS quickly removed the release and replaced it with version 1.85. The company said no customer systems were impacted and updated its contribution guidelines to prevent future incidents. The discovery highlights the risks of open-source code manipulation, especially when the manipulated code steers an AI assistant that can execute commands. This comes on the heels of another alarming AI mishap where Replit’s assistant deleted an entire company database, offering a cautionary tale about the pitfalls of “vibe coding” with autonomous tools.
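The failure mode in this story is an assistant executing whatever its (possibly tampered) prompt steers it toward. As an added example, not code from Amazon Q Developer or AWS, here is a small policy gate in Python that a tool executor could call before running any shell command an agent proposes. It refuses the two classes of damage described above: recursive deletion of the user’s home or the filesystem root, and destructive AWS CLI operations. The rule lists and the sample commands are constructed for illustration.

```python
"""Shell-command policy gate for an AI coding agent's tool executor.

Added example; not code from Amazon Q Developer or AWS. Rule lists and sample
commands are constructed assumptions, not taken from any real incident.
"""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# AWS CLI (service, operation) pairs that destroy resources. Assumed list; extend per account.
DESTRUCTIVE_AWS_OPS = {
    ("ec2", "terminate-instances"),
    ("s3", "rb"),
    ("s3", "rm"),
    ("rds", "delete-db-instance"),
    ("cloudformation", "delete-stack"),
    ("iam", "delete-user"),
}

# Targets whose recursive deletion amounts to wiping the user's environment.
PROTECTED_PATHS = {"/", "~", "$HOME", "${HOME}", os.path.expanduser("~")}

# Shell operators that chain commands; each chained piece is checked on its own.
CHAIN_OPERATORS = {";", "&&", "||", "|"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def split_chained(command: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split on chaining operators.

    punctuation_chars=True makes shlex emit ';', '&&', '|' as their own tokens,
    so 'ls && rm -rf ~' cannot smuggle the rm past a check of argv[0].
    Raises ValueError on unbalanced quotes.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments: list[list[str]] = [[]]
    for tok in lexer:
        if tok in CHAIN_OPERATORS:
            segments.append([])
        else:
            segments[-1].append(tok)
    return [seg for seg in segments if seg]


def _normalise_target(path: str) -> str:
    # 'rm -rf ~/' and 'rm -rf ~/*' both empty the home directory; fold them to '~'.
    if path.endswith("/*"):
        path = path[:-2]
    return path.rstrip("/") or "/"


def is_recursive_delete_of_protected(argv: list[str]) -> bool:
    """True for an rm with a recursive flag aimed at a protected path."""
    if not argv or os.path.basename(argv[0]) != "rm":
        return False
    flags = [a for a in argv[1:] if a.startswith("-")]
    targets = [a for a in argv[1:] if not a.startswith("-")]
    recursive = any(
        f == "--recursive" or (not f.startswith("--") and ("r" in f or "R" in f))
        for f in flags
    )
    return recursive and any(_normalise_target(t) in PROTECTED_PATHS for t in targets)


def is_destructive_aws_call(argv: list[str]) -> bool:
    """True for an aws invocation whose service/operation pair is in the deny list."""
    if not argv or os.path.basename(argv[0]) != "aws":
        return False
    # Global options such as '--profile prod' precede the service name, so look at
    # every adjacent pair of non-option words rather than at fixed positions.
    words = [a for a in argv[1:] if not a.startswith("-")]
    return any((words[i], words[i + 1]) in DESTRUCTIVE_AWS_OPS for i in range(len(words) - 1))


def evaluate(command: str) -> Decision:
    """Return whether the agent may execute `command`, and why."""
    # Command substitution hides the real command from a token-level check: refuse it.
    if "$(" in command or "`" in command:
        return Decision(False, "command substitution is not reviewable")
    try:
        segments = split_chained(command)
    except ValueError as exc:  # unbalanced quotes: refuse rather than guess
        return Decision(False, f"unparseable command: {exc}")
    for argv in segments:
        if is_recursive_delete_of_protected(argv):
            return Decision(False, f"recursive delete of protected path: {shlex.join(argv)}")
        if is_destructive_aws_call(argv):
            return Decision(False, f"destructive AWS CLI operation: {shlex.join(argv)}")
    return Decision(True, "no policy rule matched")


# Constructed sample commands, the kind an injected prompt might push an agent to run.
SAMPLE_COMMANDS = (
    "git status",
    "rm -rf ~/project/build",
    "rm -rf ~",
    "rm -rf --no-preserve-root /",
    "ls && rm -rf $HOME",
    "aws s3 ls",
    "aws --profile prod ec2 terminate-instances --instance-ids i-0123456789abcdef0",
    "echo $(rm -rf ~)",
)


def audit(commands: tuple[str, ...] = SAMPLE_COMMANDS) -> dict[str, Decision]:
    return {cmd: evaluate(cmd) for cmd in commands}


if __name__ == "__main__":
    for cmd, decision in audit().items():
        print(f"{'ALLOW' if decision.allowed else 'DENY':5} {cmd!r}: {decision.reason}")
```

A blocklist like this is a floor, not a fence: wrappers such as sudo, env or xargs would need to be unwrapped before the check, and anything that changes cloud state should also require a human confirmation step regardless of what the gate says. The companion control, given how the prompt got in, is to review prompt and configuration files in pull requests with the same scrutiny as code.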
Stick around, after the break we have friend of the show and cybersecurity expert Brandon Karpf joining Maria Varmazis, host of T-Minus Space Daily as they discuss securing agentic AI systems.
That was Brandon Karpf in conversation with Maria Varmazis of T-Minus Space Daily, diving into the future of agentic AI and cybersecurity in space. Like what you heard? Catch Brandon in his regular monthly segment over on T-Minus.
Android users scroll with caution, Apple fans roll the dice.
In the never-ending smartphone wars, Android may have quietly won a surprising battle: not tech specs, but online street smarts. According to Malwarebytes, Android users are more cautious shoppers, more likely to use security tools, and slightly better at creating unique passwords. Meanwhile, iPhone users, perhaps lulled into a false sense of Apple invincibility, are more likely to DM strangers for coupons and shop on shady sites, often with weak or reused passwords. The result? They fall for scams more often.
This isn’t about device superiority; both platforms can be equally secure or vulnerable. But it seems Android users are simply a bit more suspicious online, while iPhone users trust their devices like a toddler trusts a juice box. As Malwarebytes’ Mark Beare wisely points out, the real threat isn’t your phone, it’s where you take it online. So maybe skip that discount link, update your security tools, and for goodness’ sake, use a decent password.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
This week on a special Research Saturday featuring Threat Vector, David Moulton sits down with Unit 42’s Sam Rubin and Kristopher Russo to unpack the resurgence of Muddled Libra—also known as Scattered Spider—and their shift to destructive extortion, modular attack teams, and cloud-first tactics.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
