Intune Wipers, Veeam RCEs, and DPRK's $800M IT Empire
This week on Dragon News Bytes, Eli Woodward and Will Thomas hold down the fort while Will Baxter is in Japan. The team breaks down a highly active week in the cyber world, covering critical unauthenticated vulnerabilities, the weaponization of foundational IT tools, and the staggering financial scale of nation-state operations. From Handala's devastating Intune wiper attacks to ShinyHunters' 60-second data exfiltration capabilities, we explore the tactical shifts security teams need to prioritize right now.
Topics & References
Part 1: Critical RCEs & AI Bug Hunting
- Veeam Backup RCE: A critical, unauthenticated remote code execution vulnerability was identified in Veeam Backup & Replication. Threat groups such as FIN7, BlackCat, Akira, and Fog ransomware have historically targeted these backup systems, making immediate patching and network isolation essential.
- telnetd Exposure: Another unauthenticated, pre-auth RCE was discovered in telnetd (port 23), reinforcing the dangers of leaving legacy remote access services exposed.
- AI Supercharging Discovery: Anthropic partnered with Mozilla and used AI to find 22 vulnerabilities in Firefox in just two weeks, almost double the normal output in half the time.
Part 2: Cybercrime Speed & Vishing
- Gone in 60 Seconds: Unit 42 research on ShinyHunters (part of the Scattered LAPSUS$ Hunters alliance) revealed the group moving from initial access to data exfiltration in under 60 seconds.
- Salesforce Targeting: Attackers are using custom Data Loader apps and routing traffic through Tor nodes and Mullvad VPNs to siphon cloud data.
- Automated Vishing (P1 Bot): Security researcher Ross Lazerwitz uncovered "P1 Bot", an AI-enabled voice phishing campaign that automates account takeovers using compromised ElevenLabs accounts.
Part 3: Nation-State Disruptions
- The Intune Wiper Nightmare: The pro-Iranian hacktivist group Handala successfully compromised Microsoft Intune administrator accounts at Stryker, a multinational medical device company. Attackers used the mobile device management (MDM) platform to remotely wipe thousands of employee devices, including the personal phones of the C-suite.
- Middle East Espionage: Proofpoint and Check Point observed China-linked APTs using spear-phishing and PlugX malware to target Middle Eastern governments, including Qatar's.
- DPRK's $800M IT Hustle: The US Treasury sanctioned individuals tied to North Korean IT worker operations, revealing they generated a massive $800 million in 2024 alone.
- APT28 Open Directory: Researchers found a Roundcube toolkit belonging to the GRU-affiliated APT28 exposed in an open directory; it was being used to target Ukrainian government entities.
Events & Community
- RSA Conference: March 23 in San Francisco, US
- 🔗 to register: https://www.rsaconference.com/usa
- NCAA March Madness Watch Party: March 27th in Atlanta, US
- 🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026
- RISEx Sydney: May 6 in Sydney, Australia
- 🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026
- RISEx Frankfurt: May 28 in Frankfurt, Germany
- 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026
- RISEx New York: June 16 in New York City, US
- 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026
Connect with Us
- Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
- Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.