CyberWire Daily - A wolf in DOGE’s clothing?
Episode Date: February 4, 2025DOGE’s unchecked access to federal networks sparks major cybersecurity fears. Senator Hawley’s AI ban targets China and raises free speech concerns. Apple service ticket portal vulnerability expos...ed millions of users’ data. North Korean ‘FlexibleFerret’ malware targets macos via job scams and fake zoom apps. February 2025 android security update fixes 48 vulnerabilities, including exploited zero-day. Grubhub data breach exposes customer and driver information. Abandoned cloud infrastructure creates major security risks. Texas to launch its own Cyber Command amid rising cyber threats. Dell PowerProtect vulnerabilities pose critical security risks. On our Threat Vector segment, David Moulton and his guests look at the potential dangers of DeepSeek. U.S. Government is quietly altering the Head Start database. And a moment of inspiration from a spacefaring poet. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Threat Vector Segment Artificial intelligence is advancing fast, but with innovation comes risk. In this segment of Threat Vector, host David Moulton sits down with Sam Rubin, SVP of Consulting and Threat Intelligence at Unit 42, and Kyle Wilhoit, Director of Threat Research, to explore the vulnerabilities of DeepSeek, a new large language model. To listen to the full discussion, please check out the episode here or on your favorite podcast app, and tune in to new episodes of Threat Vector by Palo Alto Networks every Thursday. Selected Reading Musk’s DOGE effort could spread malware, expose US systems to threat actors (CSO Online) As DOGE teams plug into federal networks, cybersecurity risks could be huge, experts say (The Record) Senator Hawley Proposes Jail Time for People Who Download DeepSeek (404 Media) Apple Service Ticket portal Vulnerability Exposes Millions of Users Data (Cyber Security News) N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams (Hackread) Google fixes Android kernel zero-day exploited in attacks (Bleeping Computer) GrubHub Data Breach - Customers Phone Numbers Exposed (Cyber Security News) Here’s all the ways an abandoned cloud instance can cause security issues (CyberScoop) Texas to Establish Cyber Command Amid “Dramatic” Rise in Attacks (Infosecurity Magazine) Multiple Dell PowerProtect Vulnerabilities Let Attackers Compromise System (Cyber Security News) ‘Forbidden Words’: Github Reveals How Software Engineers Are Purging Federal Databases (404 Media) T-Minus Deep Space: Inspiration4 with Dr. Sian “Leo” Proctor. (T-Minus Deep Space podcast) Dr. Sian Proctor got her ticket to space after being selected for her poetry (Instagram) 2025 SpaceCom: Interview with Dr. Sian Proctor (YouTube) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com delete me dot com slash n2k and use promo code n2k at checkout.
The only way to get 20 percent off is to go to join delete me dot com slash n2k and enter
code n2k at checkout.
That's join delete me dot com slash n2k code n2k. Doge's unchecked access to federal networks sparks major cybersecurity fears.
Senator Hawley's AI ban targets China and raises free speech concerns.
Apple's service ticket portal vulnerabilities expose
millions of users' data. North Korea's flexible ferret malware targets macOS via job scams and
fake Zoom apps. A February 2025 Android security update fixes 48 vulnerabilities, including an
exploited zero-day. A Grubhub data breach exposes customer and driver information.
Abandoned cloud infrastructure creates major security risks.
Texas is going to launch its own cyber command.
Dell PowerProtect vulnerabilities pose critical security risks.
On our Threat Vector segment, David Moulton and his guests look at the potential dangers
of DeepSeek.
The U.S. government is quietly altering the Head Start database and a moment of inspiration
from a spacefaring poet.
It's Tuesday, February 4, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It is great to have you with us.
Elon Musk's Department of Government Efficiency, DOGE,
has been given unprecedented access
to sensitive federal networks,
raising severe cybersecurity concerns.
Experts warn that allowing DOGE workers,
many young and inexperienced,
to plug personal computers into systems
like the Office of Personnel Management
and Treasury Department
creates massive security risks, including potential breaches by foreign adversaries.
Experts like Jason Kitka, former U.S. Cyber Command official, say this could be the largest
government security breach in history.
DOJ has unchecked access to OPM's background check and clearance records, treasuries, trillions
in payments, and systems at USAID.
The New York Times also reports, MuskAIDs requested access to Medicare and Medicaid
financial systems.
Security professionals highlight the lack of oversight.
DOGE workers may be bypassing cybersecurity controls, using unauthorized devices, and storing sensitive
data improperly.
China and other foreign adversaries are likely watching for vulnerabilities.
Experts emphasize that random individuals should not be granted access to federal networks,
warning that Musk's actions may have long-term security consequences.
Senator Josh Hawley, Republican from Missouri, has introduced the Decoupling America's Artificial
Intelligence Capabilities from China Act, which would criminalize importing, exporting, or
collaborating on AI with China.
The bill would impose up to 20 years in prison and a $1 million fine for knowingly downloading
Chinese-developed AI models such as DeepSeek, which recently surged in popularity.
Critics argue the bill stifles scientific collaboration and threatens free speech.
Kevin Bankston from the Center for Democracy and Technology warns it could penalize AI
researchers who publish openly, while the
Electronic Frontier Foundation says it favors big tech monopolies over open AI research.
The bill also bans US companies from investing in Chinese AI and criminalizes research partnerships
with Chinese entities, potentially disrupting AI development in the U.S. Though seen as political posturing, bipartisan support for China-related bans suggests legislation
like this could gain traction despite its far-reaching implications.
A critical security flaw in Apple's service ticket portal exposed millions of users'
sensitive data due to a combination of insecure
direct object reference and privilege escalation vulnerabilities.
Researcher Virtueville discovered the issue when submitting a repair ticket and found
he could access other users' service tickets, MAC serial numbers, IMEI numbers, and personal
details.
By modifying a URL parameter, he bypassed authentication and gained admin access, potentially
allowing attackers to alter repair appointments or access customer databases.
The lack of rate limiting worsened the risk, enabling automated data harvesting.
Apple patched the flaw after disclosure through its bug bounty program, reinforcing authorization checks and implementing rate limiting.
A new North Korean macOS malware, FlexibleFerret, is spreading through fake Zoom apps,
job scams, and GitHub bug reports. Linked to the Contagious Interview campaign,
it tricks job seekers and developers into installing it
by disguising itself as legitimate software updates. Discovered by Sentinel Labs, the
malware uses a dropper to install itself unnoticed, creates fake Zoom apps, and establishes persistence
after system reboots. Initially signed with a valid Apple Developer Certificate, it bypassed security checks before Apple revoked it.
FlexibleFerret shares code similarities with Chrome Update Malware,
but has evolved to evade Apple's XProtect security tool.
The February 2025 Android Security Update
patches 48 vulnerabilities, including a zero-day privilege escalation
flaw in the Android kernel's USB Video Class driver, actively exploited in the wild.
This flaw allows local attackers to elevate privileges through low-complexity attacks,
potentially leading to arbitrary code execution or system crashes.
Another critical flaw affects Qualcomm's WLAN component, enabling
remote code execution due to improper validation of array indexes. Attackers could modify memory,
execute commands, or crash devices without user interaction. Google has released two
security patch levels, with Pixel devices receiving immediate updates while other manufacturers
may take longer to deploy fixes.
Grubhub has disclosed a data breach caused by a compromised third-party contractor account
exposing customer, merchant, and driver data.
The breach, linked to unauthorized access within a customer support provider's systems,
prompted GrubhHub to revoke
access and launch an investigation. Exposed data includes names, emails, phone numbers,
hashed passwords, and partial payment details for some users. However, full payment card
numbers, social security numbers, and bank details were not accessed. The incident highlights
supply chain security risks as attackers increasingly target third-party
vendors to bypass direct security controls.
Grubhub says they've strengthened defenses, their rotating credentials and enhancing anomaly
detection and improving vendor risk management to prevent future breaches. An investigation by Watchtower revealed that abandoned Amazon S3 buckets, once used by
governments, Fortune 500 companies, and cybersecurity firms, still receive sensitive data requests,
posing serious security risks.
Over four months, researchers took control of 150 neglected AWS assets, which were still
being pinged by organizations worldwide for software updates, system configurations, and
critical infrastructure files.
Attackers could hijack these assets to launch supply chain attacks, distribute malware,
or steal credentials.
Examples include an abandoned CISA advisory S3 bucket, which
could have been misused to distribute malicious patches and outdated SSL VPN
configurations allowing attackers to impersonate users. The research
underscores systemic weaknesses in cloud security emphasizing that abandoned
cloud resources without proper decommissioning leaves organizations
vulnerable.
AWS has since sink-holed the compromised infrastructure, but Watchtower warns that these issues persist
across the industry, making neglected cloud assets a growing cybersecurity threat.
Texas Governor Greg Abbott announced plans to establish the Texas Cyber Command to combat
the growing wave of cyber attacks targeting the state.
Highlighting recent attacks on a city, hospital, and business, Abbott warned of threats from
China, Russia, and Iran.
Headquartered in San Antonio, the command will anticipate threats, coordinate incident
response, and support post-attack investigations.
It will also focus on cybersecurity training and awareness. Texas, a major economic and military hub,
remains a lucrative target for cybercriminals and nation-state actors. No official launch date has
been set. Dell Technologies has disclosed multiple critical vulnerabilities affecting its PowerProtect
product line, including data domain appliances and PowerProtect management center.
These flaws, with CVSS scores up to 9.8, could enable privilege escalation, arbitrary code
execution, and system compromise.
Key vulnerabilities include an arbitrary code execution flaw and another which impacts Docker's
Mobi project.
Exploits could allow remote attacks with minimal privileges.
Dell urges organizations to update, implement network segmentation, and monitor systems
for suspicious activity. A story from 404 Media examines a quiet but deliberate shift where software engineers
managing a government database for the Department of Health and Human Services' Head Start
program have been tasked with systematically removing references to diversity, equity,
and inclusion, DEI.
The effort, part of a project called Remove DEI, aligns with Trump's executive orders
restricting any mention of race or gender in federal agencies.
The updates, visible in GitHub commits, reveal discussions among engineers on how best to
eliminate forbidden words from the system.
This includes removing the ability to search
for or filter programs that support families affected by systemic
discrimination. Though thousands of government data sets are disappearing
from the Internet, even those that remain are being subtly altered, undermining
their original purpose without public awareness. Head Start, which spends 12
billion dollars annually to help disadvantaged children prepare for without public awareness. Head Start, which spends $12 billion annually
to help disadvantaged children prepare for school,
has already faced uncertainty under Trump's spending freezes.
Now, its tracking systems are being stripped of key tools
used to evaluate program effectiveness
for marginalized communities.
The coding changes were executed by Ad Hoc LLC,
a government contractor paid $7.2 million
to manage the database.
Internal messages show engineers asking colleagues to scan for other forbidden words to delete.
HHS declined to comment, citing a pause on public communications under the new administration.
These database alterations are part of a larger trend,
with over 2,000 datasets disappearing from data.gov
and federal scripts actively removing gender pronouns
from employee emails.
The erasure of DEI language is happening quietly,
but at a sweeping scale. Coming up after the break on our Threat Vector segment, David Moulton and his guests look
at the potential dangers of Deep Seek and a moment of inspiration from a spacefaring
poet.
Stay with us.
Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by
businesses worldwide. ThreatLocker is a full suite of solutions designed to give
you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a
default deny approach can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also
centralize key workflows like policies, access reviews, and reporting, and helps
you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off
Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a
thousand dollars off.
In this segment from the Threat Vector podcast, host David Moulton sits down with Sam Rubin, Senior Vice President of Consulting and Threat Intelligence at Unit 42, and Kyle Wilhoyt,
Director of Threat Research, to explore the vulnerabilities of DeepSeq, the new
large-language model from China.
Welcome to this week's preview of Threat Vector. Make sure you're subscribed so
you never miss a moment of the action.
If you've been following the tech news lately, you've probably heard of DeepSeek.
This new large language model, or LLM, has been making waves, touted as a potential game
changer in the world of AI.
It's fast, or cheaper, and even open source, which has everyone from tech enthusiasts to
major companies buzzing about the possibilities.
But as with any powerful technology, there are security implications to consider.
And that's what we're diving into today.
Our Unit 42 threat researchers have been putting DeepSeq to the test,
specifically looking at how vulnerable it is to a technique called jailbreaking.
To help us unpack this critical topic, I'm joined by two experts
from Palo Alto Networks, Unit 42. Sam Rubin, SVP of Unit 42 Consulting. Great to
be here, David. And Kyle Wilhoy, Director of Threat Research. Great to be here,
David. Kyle, let's start with you. You led the research on DeepSeek. What raised the
red flags for you and your team, and what made you want to dig deeper into its security,
especially when it comes to jailbreaking?
Anytime that a new model or kind of a new entrant into the field of LLMs kind of goes,
and it becomes notable and kind of public,
it's kind of one of those things that, you know, 42 researchers will oftentimes go out
and look at that particular LLM to see does it present
any type of vulnerabilities on the surface? Is there anything of interest about that particular
model itself around safety concerns, etc. And from our perspective, you know, that's
one of those things that we're just going out and we want to explore that technology
a little bit and really understand what's going on there. Kyle, for organizations that are using or considering LLMs,
what are the most important takeaways from your research?
The biggest is do not have inherent trust in LLMs
that you have not trained or you do not control the data
itself, meaning the training data, et cetera.
Do not put inherent trust into these LLMs.
Yes, they are useful.
Yes, they are fast.
And yes, they function well.
But there's definite security concerns that need to be taken
into account.
Those security concerns should be top of mind,
especially if you're planning on implementing this into any
type of production system or tying to tie this into any
type of production data.
And that is my primary and chief concern,
is basically trying to make sure that everyone understands
that there are still inherent risks with these openly
developed LLMs.
And put trust where applicable, meaning don't inherently trust
out of the box when these new LLMs are released.
Put it through the ringer.
Make sure you understand the caveats
behind using the system and the data itself is my biggest message about this research.
Sam, let me take it over to you.
Is DeepSeq's model strong enough to entice companies to rethink their AI investment strategies?
Well, first of all, there's no doubt that DeepSeq does add some pretty strong capability.
But I think before companies jump into the latest and greatest, they need to really be
considering security in addition to just the effectiveness of the model, right?
They need to look at the data integrity and the reliability of the model itself. Where is the information going? Can you trust
the systems and the security of where your data might be residing? And can you trust the output,
the integrity of what's coming back? Or is it susceptible to manipulation
or otherwise changing the output in a way you can't trust.
I'm going to ask you a personal question.
Would you ever consider using an AI platform
like DeepSeek that's new or unproven
but incredibly cost effective?
I think I wouldn't be candid with you if I said I wouldn't consider it.
There's no doubt cost is a huge consideration.
Am I getting something valuable for what I'm paying?
And is there something that costs less that gives me equal or comparable value back.
No doubt about it.
But before you ultimately make a decision, you have to think about it.
Is my information going to be safe?
And that is a big concern.
So for me, being in security, doing incident response, a lot of times where we're responding to nation-state
adversaries coming after organizations, and China being one of the most prolific actors
that we see.
I would be very careful about using and putting my sensitive information into a model
that resides there.
Thanks for listening to this segment
of the Threat Vector podcast.
If you want to hear the whole conversation,
you can find the show in your podcast player.
Just search for Threat Vector by Palo Alto Networks.
Each week I interview leaders from across our industry and from Palo Alto Networks to
get their insights on cybersecurity, the threat landscape, and the constant changes we face.
See you there.
Be sure to check out the Threat Vector Podcast wherever you get your favorite podcasts.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors more easily than ever with AI
tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users
only to specific apps, not the entire network, continuously verifying every request based
on identity and context, simplifying security management with AI-powered automation, and
detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Hit pause on whatever you're listening to
and hit play on your next adventure.
Stay two nights and get a $50 Best Western gift card.
Life's the trip.
Make the most of it at Best Western.
Visit bestwestern.com for complete terms and conditions.
And finally, we close with a moment of inspiration. Dr. Cyan Leo Proctor is an artist, futurist, and explorer whose work bridges the worlds
of science, space exploration, humanity, and creative expression.
Our T-minus Daily Podcast team caught up with the Inspiration4 astronaut to find out about
her journey into space and how it inspires her art here on Earth.
As we close today, we offer her poem
that earned her a ticket to space.
If you're looking for space to inspire, look no further.
You've got space.
I've got space.
We all have space to inspire.
That's why we dream of going higher and higher.
But what is space if you can't breathe?
Let's stop sucking out the air of our humanity.
We have a moment to seize the light.
Earth from space, both day and night.
We have J for justice, to ignite the bold.
We have E for equity, to cut past the old.
We have D for diversity, to end the fight.
We have I for inclusion, to try to make it right.
A Jedi space to rally behind.
A universal force so big it binds. Inspiration to change the world.
A new beginning for us to hold. It's not about you. It's not about me. It's about space to
inspire for all of humanity. Science, technology, engineering math, sending us out on the explorer's path.
But don't forget the arts, the heartbeat of time.
Consider sending a poet who knows how to rhyme.
So let us drop the mic and close the capsule door,
but please make sure Dr. Proctor is on board.
My space to inspire is what we need inspiration for, for all of humanity. And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iven.
Peter Kilpe is our publisher and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. you