May 23, 2025 11 mins

 

In this episode of Cybersecurity Today, host Jim Love reports on several critical cyber threats and data breaches. A newly discovered flaw in Windows Server 2025 lets attackers seize full domain control; researchers have named the technique BadSuccessor. The government messaging app TeleMessage, a customized version of Signal, was hacked, exposing sensitive communications of over 60 officials and leading to its shutdown. Microsoft disrupted the global Lumma Stealer malware operation, which had infected nearly 400,000 computers. Coinbase suffered a major data breach affecting over 69,000 customers after support staff were bribed by the attacker. Additionally, hackers distributed a malicious version of the KeePass password manager, embedding it with malware that steals credentials and deploys ransomware. Jim Love encourages listeners to stay vigilant and download software only from official sources. He teases an upcoming interview with a knowledgeable guest working on open-source solutions to cybersecurity problems.

00:00 Introduction to Cybersecurity News
00:36 Windows Server 2025 Vulnerability
03:09 TeleMessage Hack Scandal
05:37 Microsoft Disrupts Lumma Malware
07:29 Coinbase Breach Details
08:54 Malicious Password Manager Alert
10:55 Conclusion and Upcoming Interview


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
An unpatched Windows Server 2025 flaw lets attackers seize full domain control.
The TeleMessage hack affects a wider range of government departments.
Microsoft disrupts Lumma malware operations behind 394,000 infections.
The Coinbase breach is revealed, with over 69,000 customers affected,

(00:26):
and hackers distribute a malicious version of a popular password manager.
This is Cybersecurity Today.
I'm your host, Jim Love.
A newly discovered vulnerability in Windows Server 2025 can allow attackers to
take control of any user account in Active Directory, including domain admins, without

(00:47):
triggering traditional security alerts.
Akamai researchers have dubbed the exploit BadSuccessor.
It abuses the Delegated Managed Service Account, or dMSA, feature, which was
introduced in Windows Server 2025 to replace older service accounts
with more secure alternatives.
The problem lies in how these dMSAs inherit permissions.

(01:11):
Researchers found that it takes manipulating just two attributes: one that links
a dMSA to a legacy account, and another that marks the migration as complete.
Using these, attackers can cause a dMSA to inherit full access privileges
from any user or computer account.
Crucially, the ability to create new dMSAs isn't restricted to admins.

(01:37):
In over 90% of environments surveyed, Akamai found non-AD-admin users with the
necessary permissions to create these accounts, making the attack trivial
to execute in real-world environments.
"This issue likely affects most organizations that rely on Active
Directory," said Yuval Gordon, the Akamai researcher who led the discovery.

(01:59):
"We didn't change any group memberships or elevate existing accounts,
just two attribute changes and a new object was crowned successor."
The attack bypasses traditional privilege escalation detection and doesn't require
any pre-existing high-level access.
Once a dMSA is linked and flagged as migrated, it can request service

(02:22):
tickets from the Key Distribution Center, or KDC, effectively
gaining access to any resource in the domain.
The researchers have informed Microsoft and they're working
on a fix, but no patch is yet available.
In the meantime, Akamai recommends restricting dMSA creation permissions
to trusted administrators only, logging and auditing all dMSA creation

(02:46):
and modification events, monitoring authentication activity linked to dMSAs,
and using Akamai's provided script to identify risky permissions in your domain.
Even domains not actively using dMSAs are exposed if they have at least one
Windows Server 2025 domain controller.

(03:09):
By now most people are aware of the name Mike Waltz, the former National Security
Advisor and one of the central figures in Signalgate, where a number of the most
senior officials in the US Department of Defense were supposedly using Signal,
a commercial messaging application, and sharing classified government information.
This became a huge scandal, but it wasn't the whole story.

(03:32):
It turns out that Waltz and others were not using Signal, which would've been bad
enough, but were actually using a system called TeleMessage, a Signal clone,
and that clone had an added feature of archiving the discussions, and that kept
up with the federal government rules.
The problem is this application, unlike Signal, does not have

(03:53):
full end-to-end encryption.
Shortly after this revelation, a hacker demonstrated they could breach TeleMessage
in less than 20 minutes and gain access to messages and metadata.
They subsequently did this and posted a file with the data on the internet,
quoting an abundance of caution.
TeleMessage shut their service down after this was revealed.

(04:18):
Now it turns out that TeleMessage, a customized version of Signal built to
meet federal archiving rules, was being used by over 60 officials across FEMA, the
Secret Service and other federal agencies.
A researcher who has previously investigated flaws in messaging apps used by
lawmakers confirmed that there was a file containing chat logs, contact lists,

(04:41):
and even travel plans for senior officials.
The file was reportedly posted online, but was subsequently taken down.
This breach adds to the mounting concerns over government use of third-party
apps for secure communications, and with content and metadata
now possibly in the hands of foreign adversaries, the fallout could range
from diplomatic consequences to operational risks. TeleMessage's

(05:06):
failure has also reopened
questions about how government agencies vet the security of modified communication
tools, especially those designed for compliance rather than protection.
It will not be Mike Waltz who heads this investigation, though; he
was moved from his National Security Advisor position to be nominated as
Ambassador to the United Nations,

(05:28):
although that appointment has to be ratified by the US Senate,
and given the current situation,
that might not be an easy thing to do.
Microsoft said it has dismantled the global infrastructure of the Lumma Stealer
malware, which had infected nearly 400,000 Windows computers and was widely used

(05:48):
by cyber criminals to steal passwords, credit card data, and crypto wallets.
Between March 16th and May 16th, Microsoft's Digital Crimes Unit
tracked over 394,000 Windows machines compromised by Lumma.
Working with law enforcement and industry partners, including Europol, Cloudflare,

(06:08):
and Bitsight, Microsoft took control of over 1,300 domains tied to the malware
and redirected them to sinkholes to stop further communication between the
infected systems and the attackers.
The US Department of Justice secured a court order to seize Lumma's
command-and-control infrastructure and shut down the underground

(06:29):
marketplaces that sold the malware.
Authorities in Japan also helped disable local servers linked to the operation.
Lumma Stealer has been sold on underground forums since 2022.
Its ease of use, ability to bypass some security tools and steady feature updates
make it a go-to tool for hackers. Criminals have used it in phishing

(06:49):
campaigns, including one impersonating Booking.com, and in others
targeting schools, gaming communities, logistics firms,
and even healthcare systems.
The takedown shows growing cooperation between tech firms and law enforcement
to dismantle cybercrime infrastructure.
But with malware like Lumma easily copied and adapted, experts warn that

(07:10):
similar tools may quickly resurface.
Well, it might be some time, if ever, before we know how much damage was done
before Microsoft was able to shut this group down, and although these guys
seem to resurface very rapidly, at least for now, score one for the good guys.
We are getting a better picture of the impact of the recent Coinbase breach.

(07:33):
The company is the largest US-based cryptocurrency exchange, and it confirmed
that at least 69,461 customers had personal and financial data stolen in a
breach that had lasted several months,
the result of support staff being bribed by a hacker who later
demanded a $20 million ransom.

(07:54):
In a regulatory filing with Maine's Attorney General, Coinbase said
the breach began on December 26th, 2024, and wasn't discovered until
earlier this month, when the company received a credible ransom note.
The attacker claimed to have exfiltrated sensitive customer data
and demanded $20 million to delete it.
Coinbase refused to pay.
The company said in a blog post that the attacker gained access by

(08:17):
bribing customer support employees.
The stolen information includes names, contact details, government-issued ID
documents, account balances, and even transaction histories, raising concerns
that high-value users could be targeted for further fraud or phishing attacks.
As we heard earlier, the attack was a long-term insider compromise

(08:39):
and not a traditional system hack.
Coinbase has not disclosed how many employees were involved or
how access controls failed to detect the activity for months.
The breach has not yet impacted customer funds, at least according to the company.
And here's everyone's nightmare:
all of your passwords, supposedly in that safe password manager,

(09:02):
are revealed, and it's happening.
Hackers are distributing a malicious version of a popular password manager,
KeePass, embedding it with malware that steals data and deploys ransomware.
This tainted software is being spread through typosquatted websites that
closely mimic the legitimate KeePass site.

(09:23):
Once installed, the fake KeePass exports saved passwords in
cleartext and transmits them to attackers via a Cobalt Strike beacon.
The attackers then use these credentials to infiltrate
networks and deploy ransomware.
Security researchers from WithSecure have identified this campaign, which
appears to be orchestrated by an initial access broker group linked

(09:45):
to the Black Basta ransomware gang.
The group, tracked as UNC4696, has previously been associated
with Nitrogen Loader campaigns.
The malicious KeePass variant
maintains all functionalities of the legitimate tool, but includes
additional malicious components.
The typosquatted website hosting this version remains active, posing

(10:08):
ongoing risks to unsuspecting users.
This is an opportunity for us to have an educational moment here with
our users, and it underscores the importance of downloading software
only from official sources and being vigilant against lookalike websites.
No one should download software via a link sent to them or

(10:29):
on any webpage; they have to
always access the legitimate site and, if necessary, work their way
from there. It's just too easy to have a lookalike page, and even to disguise the
URL so effectively that even a trained eye might miss it, and that goes double
for highly secure apps like, for instance, a password manager.

(10:55):
And that's our show. This weekend
we have an interview I think, well, I hope, you'll find as interesting as I did.
My guest is not only hugely knowledgeable, but he's working on some of the issues
that we're all struggling with and making solutions available as open source.
Check it out Saturday morning or any other time you listen to long-form podcasts.

(11:15):
I'm your host, Jim Love.
Thanks for listening.
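The BadSuccessor segment of the episode passes on Akamai's advice: restrict who can create dMSAs, audit dMSA creation and modification, and find risky permissions in the domain. The script below is an added example written for this page; it is not code from the episode and not Akamai's own tool. It is a read-only PowerShell audit that lists principals outside the usual admin groups who can create child objects in organizational units and containers (the foothold the attack needs), and then lists any dMSA already carrying both of the attributes the episode describes. The object class and attribute names in the comments are the editor's assumptions about what the episode only describes in words; the script also assumes a workstation with the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example, not from the episode and not Akamai's script: a read-only audit
# of who can create dMSAs and whether any dMSA already looks like a "successor".
# Assumptions not stated in the episode: the dMSA object class is
# msDS-DelegatedManagedServiceAccount, the link attribute is
# msDS-ManagedAccountPrecededByLink, and msDS-DelegatedMSAState = 2 marks a
# completed migration. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNc = $rootDse.defaultNamingContext

# Resolve the dMSA class GUID from the schema at runtime instead of hard-coding it.
# If the class is absent, the forest has no Windows Server 2025 schema extensions.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
    -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Warning 'dMSA class not present in the schema; nothing to audit yet.'
    return
}
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID
$anyGuid  = [guid]::Empty   # ObjectType of an ACE that applies to every child class

# Principals whose create rights are expected; everything else is reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins')
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ou in Get-ADObject -SearchBase $domainNc `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))') {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        # CreateChild scoped to the dMSA class, or to all classes, grants creation directly.
        $createsDmsa = $r.HasFlag($AdRights::CreateChild) -and
                       ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyGuid)
        # GenericAll, WriteDacl and WriteOwner let the holder grant it to themselves.
        $canEscalate = $r.HasFlag($AdRights::GenericAll) -or
                       $r.HasFlag($AdRights::WriteDacl) -or
                       $r.HasFlag($AdRights::WriteOwner)
        if (-not ($createsDmsa -or $canEscalate)) { continue }
        $id = $ace.IdentityReference.Value
        if ($expected | Where-Object { $id -like $_ }) { continue }
        [pscustomobject]@{
            Container = $ou.DistinguishedName
            Principal = $id
            Rights    = $r
            Inherited = $ace.IsInherited
        }
    }
}

'Principals outside the expected admin groups who can create dMSAs:'
$findings | Sort-Object Principal, Container | Format-Table -AutoSize

# dMSAs already flagged as a completed migration with a predecessor link. Each one
# inherits the predecessor's privileges, so every hit needs a change ticket or an incident.
'dMSAs already flagged as migrated with a predecessor link:'
Get-ADObject -SearchBase $domainNc `
    -LDAPFilter '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-DelegatedMSAState=2)(msDS-ManagedAccountPrecededByLink=*))' `
    -Properties msDS-ManagedAccountPrecededByLink, whenCreated, whenChanged |
    Select-Object Name, DistinguishedName, msDS-ManagedAccountPrecededByLink, whenCreated, whenChanged |
    Format-List
```

Run it from a domain-joined machine as an ordinary domain user; it only reads ACLs and attributes. The first table is the list to trim back to trusted administrators, as the episode recommends, and the second list is what to feed into whatever auditing you set up for dMSA creation and modification: a dMSA that appears there without a known migration behind it is exactly the "crowned successor" the researchers describe. Remember the episode's caveat that a domain is exposed as soon as it has one Windows Server 2025 domain controller, even if it never intended to use dMSAs, so an empty second list is not a reason to skip the first.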
© 2025 iHeartMedia, Inc.