CyberWire Daily - A leadership shift.
Episode Date: April 4, 2025

President Trump fires the head of NSA and Cyber Command. The Health Sector Coordinating Council asks the White House to abandon Biden-era security updates. Senators introduce bipartisan legislation to help fight money laundering. A critical vulnerability has been discovered in the Apache Parquet Java library. The State Bar of Texas reports a ransomware-related data breach. New Android spyware uses a password-protected uninstallation method. A Chinese state-backed threat group exploits a critical Ivanti vulnerability for remote code execution. Today's guest is Dave DeWalt, Founder and CEO of NightDragon, with the latest trends and outlook from cyber leaders. Malware masquerades as the tax man.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's guest is Dave DeWalt, Founder and CEO of NightDragon, sharing 2024 trends and a 2025 outlook.

Selected Reading
Haugh fired from leadership of NSA, Cyber Command (The Record)
Defense Sec Hegseth in Signalgate Pentagon watchdog probe (The Register)
HSCC Urges White House to Shift Gears on Health Cyber Regs (BankInfo Security)
Lawmakers seek to close loophole limiting Secret Service investigations into cyber laundering (The Record)
Critical Apache Parquet RCE Vulnerability Lets Attackers Run Malicious Code (Cyber Security News)
State Bar of Texas Says Personal Information Stolen in Ransomware Attack (SecurityWeek)
New Android Spyware That Asks Password From Users to Uninstall (TechCrunch)
Chinese State Hackers Exploiting Newly Disclosed Ivanti Flaw (Infosecurity Magazine)
Hackers Leveraging URL Shorteners & QR Codes for Tax-Related Phishing Attacks (Microsoft)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas
drive change. With career growth opportunities and a focus on work-life balance, you'll have
the flexibility to thrive both professionally and personally. Explore open cybersecurity
and technology roles today at VanguardJobs.com.
President Trump fires the head of NSA and Cyber Command.
The Health Sector Coordinating Council asks the White House to abandon Biden-era security
updates.
Senators introduce bipartisan legislation to help fight money laundering.
A critical vulnerability has been discovered in the Apache Parquet Java Library.
The State Bar of Texas reports a ransomware-related data breach.
New Android spyware uses a password-protected uninstallation method.
A Chinese state-backed threat group exploits a critical Ivanti vulnerability for remote
code execution.
Our guest today is Dave DeWalt, founder and CEO of NightDragon, with the latest trends
and outlook from cyber leaders.
And malware masquerades as the tax man.
It's Friday, April 4th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us and happy Friday.
It's great to have you with us.
Late yesterday, President Donald Trump dismissed Air Force General Timothy Haugh from his role as
Director of the National Security Agency and commander of US Cyber Command.
Haugh's civilian deputy, Wendy Noble, was reassigned within the Pentagon.
Army Lieutenant General William Hartman has assumed leadership of both organizations in an acting
capacity.
The specific reasons for these changes remain unclear.
However, far-right activist Laura Loomer, who recently met with President Trump, claimed
credit for the dismissals, alleging disloyalty among officials.
Senator Mark Warner criticized the move, questioning its impact on national security amid escalating cyber threats, such as the recent Salt Typhoon cyber attack attributed to China.
This development follows other significant shifts within the national security apparatus, including the February firing of Air Force General CQ Brown Jr. as Chairman of the Joint Chiefs of Staff.
Meanwhile, the Pentagon's Acting Inspector General has launched an investigation into
Defense Secretary Pete Hegseth for using the encrypted app Signal to discuss sensitive
government matters. The probe follows a report that journalist Jeffrey Goldberg was accidentally
added to a Signal group where top officials, including Hegseth, discussed an upcoming airstrike in Yemen.
Senators Jack Reed and Roger Wicker raised concerns about possible
mishandling of classified information. The IG aims to assess compliance with
communication, classification, and records policies. President Trump has dismissed concerns.
The Health Sector Coordinating Council is urging the Trump administration to abandon
proposed HIPAA security rule updates introduced in the final days of the Biden administration.
Instead, HSCC advocates for a one-year collaborative effort between the government and healthcare
sector leaders to develop more practical, cost-effective cybersecurity standards.
Greg Garcia, HSCC's cybersecurity executive director, emphasized that the sector supports
stronger cybersecurity but criticized the proposed rules as overly vague or stringent,
making compliance difficult.
Garcia pointed to successful past collaborations, like the 2014 NIST cybersecurity framework,
as a model. The proposal aims to improve cybersecurity outcomes and patient safety through clear
consensus-based standards. HSCC submitted its alternative plan to the White House and HHS, suggesting
regulators avoid creating burdensome rules in isolation and instead work with industry
experts to design flexible, impactful cybersecurity controls that can be widely adopted across
the healthcare sector.
Senators Catherine Cortez Masto and Chuck Grassley have reintroduced the Combating Money
Laundering in Cybercrime Act, aiming to expand the U.S. Secret Service's authority to investigate
digital asset crimes.
Current laws limit the agency's reach, especially regarding unlicensed money transmitting businesses, entities often used
in laundering cybercrime profits.
The bill would update these laws to help the Secret Service pursue modern cybercriminal
tactics, including structuring transactions to evade detection.
The legislation comes amid growing concern over North Korean hackers laundering over
$1 billion in stolen crypto.
While earlier versions of the bill stalled in Congress, lawmakers argue this update is
critical as digital financial crimes outpace enforcement.
Cortez Masto emphasized the need for law enforcement to evolve with criminal tactics, while Grassley
highlighted the importance of proactive measures to disrupt
laundering schemes tied to ransomware, terrorism, and rogue nations.
A critical remote code execution vulnerability has been discovered in the Apache Parquet
Java library, affecting all versions through 1.15.0.
With a maximum CVSS score of 10.0, the flaw stems from insecure deserialization
in the Parquet Avro module and allows attackers to execute arbitrary code via malicious Parquet
files, no user interaction or authentication needed. The issue impacts data platforms like
Hadoop, Spark, and Flink, as well as cloud environments
used by companies like Netflix, Uber, and LinkedIn.
If exploited, it could lead to system control, data theft, or service disruption.
Discovered by Amazon's Keyi Li, the vulnerability has not yet been exploited publicly.
The Apache Software Foundation urges immediate upgrades
and enhanced validation and monitoring.
Given its severity, organizations must act swiftly
to protect their big data infrastructure.
The State Bar of Texas is notifying over 2,700 individuals
about a ransomware-related data breach
that occurred between January
28 and February 9 of this year.
Discovered on February 12, the attack led to the theft of sensitive files containing
Social Security numbers, financial data, medical records, and government-issued ID details.
While no fraudulent use has been reported, affected individuals are being offered up to two years of free identity and credit monitoring.
The Inc. ransomware gang has claimed responsibility for the attack.
A new Android spyware app has emerged that uses a password-protected uninstallation method, making it harder for victims to remove. Once installed, typically by someone with
physical access, the app hides its icon, gains device admin privileges, and uses Android's
overlay feature to display a password prompt if removal is attempted. The spyware monitors
text, photos, location, and more. Researchers at TechCrunch found it can be bypassed by booting the phone into safe mode, which disables third-party apps, allowing
users to revoke admin access and uninstall it. Security experts warn this
is part of a growing market for stalkerware, often disguised as parental
or employee monitoring tools. Users are advised to enable Google Play Protect, check for unauthorized
admin apps, and use trusted antivirus tools. Unusual phone behavior may signal infection.
Chinese state-backed threat actor UNC5221 is actively exploiting a critical Ivanti vulnerability, which allows remote code execution via buffer overflow.
Initially seen as a low-risk issue, the flaw has since been weaponized in attacks,
targeting multiple versions of Ivanti Connect Secure.
Mandiant researchers observed the group deploying two new malware families,
TRAILBLAZE and BRUSHFIRE, both memory-resident and designed for stealth.
UNC5221 also deployed advanced SPAWN malware variants to disable logging, extract encrypted
kernel images, and maintain persistence. Active exploitation has been ongoing since mid-March
2025. Mandiant and Ivanti urge immediate patching.
The group's targeting of edge devices is part of a broader Chinese espionage strategy, with
operations extending across global government and critical infrastructure sectors.
Experts warn of growing sophistication and intensity in China-linked cyber campaigns.
Coming up after the break, my conversation with Dave DeWalt, founder and CEO of NightDragon,
discussing the latest trends and outlook from cyber leaders, and malware
masquerades as the tax man.
Stick around.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers. I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports
so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan
when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get
20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Are you frustrated with cyber risk scores backed by mysterious data, zero context, and cloudy
reasoning? Typical cyber ratings are
ineffective and the true risk story is begging to be told.
It's time to cut the BS.
Black Kite believes in seeing the full picture with more than a score, one where companies
have complete clarity in their third-party cyber risk using reliable quantitative data.
Make better decisions.
Reduce your uncertainty.
Trust Black Kite.
Dave DeWalt is founder and CEO of NightDragon.
I recently caught up with him for insights on their latest report on trends and outlooks
from cyber leaders.
NightDragon as you probably know is an investment advisory firm.
We focus in on what I call the security tech space, growth stage primarily.
And we look at all aspects of spending and trends and
threats that are happening in that space and as a result we have a very large
access and influence to chief security officers around the world and this
report each year is pretty instrumental to you know obviously not just what's
happening from a budget point of view
with this particular report, but also trends and outlooks that really shape the industry.
So this is our third annual one.
And this one's probably the most comprehensive of all,
because it really gives you a sense of 2024 and the outlook for 2025.
I think it's noteworthy, as I was reading through the report, the level of access that you had here.
I mean, these are high-level folks that you got to contribute to this anonymous survey.
Yeah, it really is. It's a hundred-plus member advisory council, even more.
It's got representation from nearly every critical infrastructure vertical and nearly every major geography.
So we're able to see not just trends from a particular segment of the market, but,
you know, a pretty comprehensive view across many markets. So very, very depth oriented, but also breadth oriented as well.
Well, let's dig into the report here.
I mean, looking at budget trends, the report indicates that over 50% of CISOs expect their
cybersecurity budgets to increase in 2025.
What factors are driving this anticipated rise in spending?
Yeah, it's a combination of events and confluences, Dave.
I've talked about this for nearly 20 years, so I apologize if it's a similar kind of analogy,
but I call it the perfect cyber storm, right?
We've continued to see the threat environment reach dramatically, and that comes from a
variety of things that are going on in the industry.
Probably most notable is the technology inertia that we continue to benefit from.
New devices, new phones, new ways to access the internet, IoT, industrial situations, which is incredible to watch the AI kind of tailwinds and things
happening there as well, but that creates vulnerabilities and it creates an
expanded attack surface and that attack surface gets exploited.
We do not have in this community that we live in of technology what I call security by design,
which is really hardening of platforms before the release to the consumers and corporations
and governments, which creates a plethora of vulnerabilities, and that enables a plethora of attackers to exploit those vulnerabilities.
And we continue to see that cyber storm grow.
The number of threat actors, the number of attacks, the number of breaches,
the number of really payments for ransomware, almost every category of threat increased year over year.
You add to that the geopolitical tensions that we all are living with.
And we've created this environment that really has chief security officers, chief information
security officers guarded as it does the boardroom, as it does the leadership of nearly every
company.
And so here we have budgets that are pretty consistent
with that threat environment and this kind of unsafe
environment that we live in.
So that's what's driving it.
What specific areas or types of technologies
do you see CISOs planning to prioritize with these budgets?
Yeah, there's a number of things that are kind of new areas of exploits that we
really have seen and we've seen a number of new areas of technology inertia that
are essentially areas that they need to protect and create better visibility to.
You know, the obvious big trend there is AI, AI, AI.
It's hard not to say it three times.
It's almost worthy of saying it three times, but it's a game changer.
And our report really showed that.
It's a game changer from the attacker's perspective, because we're seeing AI as now a tool that can be used to automate malware and exploitation.
Access to vulnerabilities has never been easier for the attackers, and to
assemble exploit kits against those vulnerabilities has never been easier
for them to do. You know, you're a ChatGPT question away from learning about
just about anything you want to know in the security space. But also on the
defensive side, now we're starting to see autonomy driven from agentic AI
that's providing ways to scale the SOC,
the security operations center.
That's very positive.
I mean, if there was ever an era in my career
where you have a game-changing defensive opportunity,
where if you might have five, 10, 20,
or a hundred people in your SOC,
you can multiply them by millions, literally millions, using agentic
capabilities, automation capabilities that really enable the defender to
also be as cutting edge as the offense can be.
So this asymmetric environment we've always lived in where the offense was
always a little ahead of the defense. AI is an
interesting promise for the future. The other areas that
you know are really concerning that we're seeing short up,
where budget increases have clearly happened is supply
chains. You know, it's, you know, you say supply chains, but
you really mean not just third party risk management, TPRM,
but really fourth and fifth chains of suppliers as well. Because what we've learned in the last
couple of years, supply chain attacks have a massive ripple effect. You know, we all saw this
with CrowdStrike's outage on July 18, 2024, where 30,000 or so customers were affected directly, but 674,000 companies were
affected indirectly and causing billions of dollars of damage.
Even though CrowdStrike spend might not have been high on many Fortune 500s list of suppliers,
it became a critical juncture.
So you start to, how do you manage third-party risk better? How do you monitor
it? How do you detect anomalies in it? It could be a physical event, a cyber event. It could
be just about anything affecting it. So a lot of chief security officer types are now
learning that they got to monitor that much like they monitor their endpoint or their
network or their cloud. Because if you don't monitor it, there could be a breach in that,
which could affect the breach for you.
So AI and third-party risk management, and then an area that continues to be really an
environment that we've always had to watch, cloud and identity security.
Now, this area continues to be a problem because we see the emanation of spear phishing and credential harvesting and
usage of the dark net to gain access to these credentials as something that continues to
exist.
So how do we better manage multifactor authentications, the ability to look for anomalous behaviors,
east-west traffic movement by the attackers, privileged
access controls.
This is an area that's got to evolve better.
And CSOs are looking at this because they know identity detection and response and a
life cycle around protecting identities is important and made even bigger because at
one point it was the identity of humans in your network,
then it was the identity of humans and devices in your network, and now it's the identity
of humans, devices, and RPAs or robotic processes made possible to agents and agentic AI, multiplying
it into a much bigger problem of not just access to systems, but authorization
of these types of devices to these systems and types of agents as well.
So those are a couple of the really big ones, just to summarize.
The report mentions that the role of the CISO is becoming more strategic.
Can we touch on that?
How have we seen a shift in things
like organizational priorities relative to CISOs out there?
Yeah, we're seeing some really, I think,
overdue evolution of the CISOs role.
And the reason for it is I've always called it
future fusion, you know, for many years,
the fusion of these tangential markets in the cyber looked obvious to me as somebody been around
for a couple decades watching this. The fusion of cyber and physical, the fusion of cyber and
supply chain, the fusion of cyber and AI, the fusion of cyber and industrial networks, the fusion of cyber and other domains
like space and communications.
And now the CISO's role is beginning to become bigger
and bigger and more and more important
because you're not just trying
to protect your digital architecture,
you got to protect the external environment
that you might have,
the internal environment that you might have.
You got to protect that physical environment, which is now digitized, that supply chain that
we've talked about. And more and more, this role in the company has almost evolved to a chief risk
officer that's highly technical. We still call it a chief security officer type, but the business acumen, the Google acumen, the capabilities of understanding
threats and risks from all aspects of the business is really the role it's becoming.
And like I said at the beginning, it's long overdue because this role is incredibly important to
the shareholder value of companies because we've seen the ramifications
when there is a breach or when there is a threat,
that it really creates shareholder risk.
And shareholder risk is something that every board member
and management and CEO have to pay attention to,
because their number one thing is
to take care of shareholder value.
And now the chief security officer
is becoming a part of that.
What are the take homes for you?
What are the things that you hope people
reading the report come away with?
Yeah, I think there's a couple things.
Number one, we have to keep our guard up, so to speak.
Obviously, this is an incredibly difficult
threat environment that obviously hasn't changed
and is growing and continues to be large in terms of risk.
But I'd also say it takes a village.
We walk away with this where public-private partnerships, private-private partnerships,
public-public partnerships.
It takes a village, as we say, as a team sport in cyber
and a team sport to solve.
And we need the communities to come together more and more.
And with some of the changes the administration's
going into 2025 and beyond, it's going to become even more
important for the community to work together
to solve threats, respond to threats,
and really solve some of these problems.
But the last thing I'd leave you with on that is optimism.
Because for the first time, as I mentioned earlier
in the podcast, I see a great equalizer coming.
And I would really encourage our chief information security
officer community to look at AI enablement, autonomy.
I know they are.
But wow, watching the use cases that we're
starting to see, watching the young companies that are emerging in this world is fascinating.
And the multiplicity of scale that they're creating is something we haven't seen in a long,
long time. And this is something that we look forward to. And hopefully in the next one year, we start to see real
rollout and productions of these systems that creates a much
better defense architecture than we've ever seen before.
That's Dave DeWalt from NightDragon.
We'll have a link to the report in the show notes.
Is your AppSec program actually reducing risk?
Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why?
Traditional tools use generic prioritization and lack the ability to
filter real threats from noise. High-impact threats slip through and
surface in production, costing 10 times more to fix.
OX Security helps you focus on the 5% of issues that truly matter before they reach the cloud.
Find out what risks deserve your attention in 2025.
Download the Application Security Benchmark from OX Security.
And finally, ah, tax season.
The most wonderful time of the year for cybercriminals.
As April 15th looms, Microsoft reports a swarm of phishing campaigns dressed up in IRS garb,
all hoping to trick you out of your data and
into downloading malware.
These scammers are going full Hollywood with QR codes, fake DocuSign pages, and PDF files
claiming unusual IRS activity.
Once clicked, you might get a bonus gift like Latrodectus, Remcos, or Brute Ratel C4. Malware that's anything but deductible.
One charming crew, Storm-0249, sent thousands of fake IRS notices designed to land malware
on victims' devices. Another campaign handed out malicious QR codes like candy. And for
the truly social, some attackers even made small
talk before zipping over GuLoader or AHKBot. The message is clear: if it's
tax themed and digital, treat it with suspicion, because this year the only
thing scarier than doing your taxes might be the phishing emails about them.
Plus, the way things are going in Washington, there may not be anyone left working at the
IRS by the time tax day comes around.
Interesting times, my friends.
Interesting times.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Zach Edwards
from Silent Push.
The research is titled, New Lazarus Group Infrastructure Acquires Sensitive Intel Related
to $1.4 Billion Bybit Hack and Past Attacks.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.
Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today to see how a default deny approach
can keep your company safe and compliant.