Prime Cyber Insights: Kernel Depths and Database Bleeds

This episode explores the sophisticated evolution of the HoneyMyte APT group's kernel-mode rootkits, the massive MongoBleed vulnerability affecting over 80,000 servers, and the recent arrest of a Coinbase insider in India.

Welcome to Prime Cyber Insights. I'm Sophia Bennett, and I am so glad you're with us as we take a look at the intersection of international security and digital law. Today, we're tracking what I'd call a really significant evolution in state-sponsored cyber espionage. It's a move toward deep-level system control that should probably be on everyone's radar. And I'm Noah Feldman. Yeah, we're also going to be looking at the economic fallout of some wide-scale database vulnerabilities and the shifting landscape of remote support labor. Joining us today is Thatcher Collins, our space and astrophysics correspondent. Now, Thatcher usually talks about the cosmos, but he brings this incredibly unique systems-level perspective on security and engineering that we really wanted to tap into today. Thatcher, it is a pleasure to have you. You know, you always manage to balance scientific rigor with a sense of wonder, which makes these complex discoveries so much more accessible. We really wanted your take on what Kaspersky is calling a kernel-mode evolution from the HoneyMyte APT group. It's a pleasure to be here, truly. You know, when we look at a complex malware system like this, it's actually not unlike observing a black hole. It's mostly about what you can't see. HoneyMyte is basically moving deeper into the gravitational well of the operating system. They're bypassing the surface-level security we usually monitor by going straight for the core. Exactly. This group, also known as Mustang Panda, is targeting government organizations in Southeast Asia, specifically Myanmar and Thailand, using a kernel-mode driver called projectconfiguration.sys. It's essentially a minifilter driver, and what's novel is how it protects its own malicious files and registry keys from the very security tools meant to find them. Right, Sophia. See, by operating at the kernel level, this rootkit sits below the antivirus software in the I/O stack.

It actually tampers with Microsoft Defender's WdFilter by changing its altitude to zero. I mean, it's essentially preventing the system from seeing any of the malicious activity at all. It's a brilliant, if terrifying, bit of engineering. It's hiding the needle by bending the hay around it. Yeah, and while HoneyMyte is going deep, a new vulnerability called MongoBleed is going wide. I've been looking at CVE-2025-14847. It's a flaw in how MongoDB handles zlib compression, and the scale is pretty staggering. Researchers are saying over 87,000 servers are currently exposed on the public web. The scale here is astronomical, Noah. We are talking about 42% of visible systems in some telemetry data being vulnerable. It allows an unauthenticated attacker to leak in-memory data, passwords, AWS keys, session tokens, just by sending a malformed network packet. It's like leaving the front door unlocked and the safe wide open. And because it happens before authentication, the economic barriers to entry for attackers are virtually non-existent. We've already seen reports of this being used in a breach of Ubisoft's Rainbow Six Siege platform. It's a stark reminder that even the most robust cloud economies rely on these fundamental compression libraries that can fail in spectacular ways. Speaking of barriers failing, we have to look at the human element. A former Coinbase customer service agent was recently arrested in Hyderabad, India. This agent, working through an outsourced firm called TaskUs, allegedly helped hackers steal data from nearly 70,000 customers. It's the kind of thing that keeps security leads up at night. This is that internal labor crisis I've been following. The hackers didn't need a kernel-mode rootkit there. They just used a bribe. TaskUs reportedly shut down an entire department of over 200 employees because of the actions of two individuals. It shows how fragile the chain can be. It's a fascinating contrast, isn't it?

On one hand, you have the scientific precision of HoneyMyte's driver, and on the other, the chaotic unpredictability of human nature. Whether it's a bug in the code, like MongoBleed, or a bug in the social contract at a call center, the result is the same. The system loses integrity. It's all connected. Thatcher, thank you for helping us bridge the gap between technical rigor and the broader wonder of these systems. For our listeners, organizations are being advised to patch MongoDB immediately and to implement memory forensics to catch those kernel-mode injectors. It's about being proactive. We'll definitely be keeping an eye on how these APT groups continue to evolve their tactics into 2026. For Thatcher Collins and Sophia Bennett, I'm Noah Feldman. This has been Prime Cyber Insights. Neural Newscast is AI-assisted and human-reviewed. View our AI transparency policy at neuralnewscast.com.
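The episode describes the HoneyMyte driver re-registering Defender's WdFilter minifilter at altitude zero. As an added example, not part of the episode and not code from Kaspersky or from the malware, here is one way a responder could check for that on a host: parse the table printed by `fltmc filters` and flag an antivirus filter sitting outside its normal altitude range, or an unfamiliar filter sitting inside it. The sample table below is constructed, the `projectconfiguration` entry is hypothetical, and the 320000-329999 range for the FSFilter Anti-Virus load-order group is an assumed value that should be checked against Microsoft's current altitude allocation list.

```python
"""Added example: flag minifilter altitude anomalies in `fltmc filters` output."""
import re
from dataclasses import dataclass

AV_RANGE = (320000.0, 329999.0)  # assumed FSFilter Anti-Virus load-order range
EXPECTED_AV = "WdFilter"          # Microsoft Defender's minifilter

# Constructed sample of `fltmc filters` output, not captured from a real host.
SAMPLE_CLEAN = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3       328010         0
storqosflt                              0       244000         0
luafv                                   1       135000         0
"""

# The same host after the tampering the episode describes: WdFilter pushed to
# altitude 0 and a hypothetical rootkit filter registered in the AV range.
SAMPLE_TAMPERED = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3            0         0
projectconfiguration                    3       329990         0
luafv                                   1       135000         0
"""


@dataclass
class FilterEntry:
    name: str
    instances: int
    altitude: float
    frame: int


# One data row: name, instance count, altitude (may carry a fraction), frame.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text: str) -> list[FilterEntry]:
    """Parse the table `fltmc filters` prints; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(FilterEntry(m.group(1), int(m.group(2)),
                                    float(m.group(3)), int(m.group(4))))
    return rows


def _fmt(alt: float) -> str:
    return str(int(alt)) if alt.is_integer() else str(alt)


def check_filters(entries: list[FilterEntry],
                  expected_av: str = EXPECTED_AV,
                  known_av: tuple[str, ...] = (EXPECTED_AV,)) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    lo, hi = AV_RANGE
    av = next((e for e in entries if e.name.lower() == expected_av.lower()), None)
    if av is None:
        findings.append(f"{expected_av} is not loaded")
    else:
        if not lo <= av.altitude <= hi:
            findings.append(f"{expected_av} altitude {_fmt(av.altitude)} is outside "
                            f"the anti-virus range {_fmt(lo)}-{_fmt(hi)}")
        if av.instances == 0:
            findings.append(f"{expected_av} is loaded but attached to no volumes")
    # Any filter in the AV range that is not on the allow-list deserves review;
    # third-party AV products legitimately live here, so tune known_av per fleet.
    known = {n.lower() for n in known_av}
    for e in entries:
        if e.name.lower() not in known and lo <= e.altitude <= hi:
            findings.append(f"unexpected filter {e.name} registered in the "
                            f"anti-virus range at altitude {_fmt(e.altitude)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(label, check_filters(parse_fltmc(sample)) or ["no findings"])
```

On a live Windows host, feed `check_filters` the stdout of `fltmc filters` (run elevated) instead of the constructed samples, and treat a finding as a reason to pull memory and the filter manager's registration state rather than as proof of compromise by itself, since a rootkit that hooks the enumeration path can also lie to `fltmc`.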
