CyberWire Daily - AI ambitions clash with cyber caution.
Episode Date: April 14, 2025

The Department of the Interior removes top cybersecurity and tech officials. The DOJ looks to block foreign adversaries from acquiring sensitive personal data of U.S. citizens. Microsoft issues emergency updates to fix an Active Directory bug. Hackers are installing stealth backdoors on FortiGate devices. Researchers warn of a rise in “Dangling DNS” attacks. A pair of class action lawsuits allege a major adtech firm secretly tracks users online without consent. Google is fixing a 20-year-old Chrome privacy flaw. The Tycoon2FA phishing-as-a-service platform continues to evolve. My guest is Tim Starks from CyberScoop, discussing the latest from CISA and Chris Krebs. Slopsquatting AI totally harshes the supply chain vibe.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Tim Starks from CyberScoop, and he is discussing the latest with CISA and Chris Krebs.

Selected Reading
Interior Department Ousts Key Cyber Leaders Amid DOGE Spat (Data Breach Today)
US Blocks Foreign Governments from Acquiring Citizen Data (Infosecurity Magazine)
Microsoft: New emergency Windows updates fix AD policy issues (Bleeping Origin)
Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access (Hackread)
Dangling DNS Attack Let Hackers Gain Control Over Organization’s Subdomain (Cyber Security News)
Two Lawsuits Allege The Trade Desk Secretly Violates Consumer Privacy Laws (AdTech)
Chrome 136 fixes 20-year browser history privacy risk (Bleeping Computer)
Tycoon2FA phishing kit targets Microsoft 365 with new tricks (Bleeping Computer)
AI Hallucinations Create a New Software Supply Chain Threat (SecurityWeek)

Share your feedback. We want to ensure that you are getting the most out of the podcast.
Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
The Department of the Interior removes top cybersecurity and tech officials.
The DOJ looks to block foreign adversaries from acquiring sensitive personal data of
U.S. citizens.
Microsoft issues emergency updates to fix an active directory bug.
Hackers are installing stealth backdoors on FortiGate devices.
Researchers warn of a rise in dangling DNS attacks.
A pair of class-action lawsuits allege a major ad tech firm
secretly tracks users online without consent.
Google is fixing a 20-year-old Chrome privacy flaw.
The tycoon 2FA phishing as a service platform
continues to evolve.
My guest is Tim Starks from Cyberscoop discussing the
latest from CISA and Chris Krebs.
And slop-squatting AI totally harshes the supply chain vibe.
It's Monday, April 14th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Happy Monday and thanks for being with us here today. It's great to have you here.
The U.S. Department of the Interior has removed top cybersecurity and tech officials, including
CIO Darren Ash and CISO Stan Lowe, following a dispute with the Department of Government
Efficiency, DOGE.
The conflict centers on DOGE's push, backed by President Trump and Elon Musk, to use AI
to cut federal spending, which critics say bypasses key security protocols.
DOGE's unvetted access attempts triggered legal backlash and judicial restraining orders.
The personnel shakeup, first reported by NextGov, also includes associate solicitor Tony Irish, who disputes claims
of being fired and is pursuing administrative recourse.
The Interior Department has not commented.
This follows a broader trend of cybersecurity leadership removals across federal agencies,
including the recent dismissal of NSA and U.S. Cyber Command head, General Timothy Haugh.
The U.S. Department of Justice has launched a data security program aimed at blocking
foreign adversaries from acquiring sensitive personal data of U.S. citizens.
This follows a February 2024 executive order and targets countries like China, Russia,
and Iran that allegedly use commercial means or national laws to access such data.
The program prohibits unauthorized data transfers,
covering health, biometric, financial, and other personal information,
via brokerage, vendor, employment, or investment agreements.
The DOJ warns that adversaries exploit bulk data using AI for espionage, manipulation,
and strategic advantage.
Violators face civil and criminal penalties, including up to 20 years in prison.
The program took effect April 8 with a 90-day grace period for those making good-faith compliance
efforts.
Microsoft has issued emergency updates to fix a bug affecting audit login policies in
Active Directory Group Policy.
The issue causes local policies to incorrectly show no auditing for logon and logoff events,
even if auditing is active.
This can confuse admins, but doesn't affect actual event logging.
The out-of-band updates apply to various Windows versions and are intended for enterprise environments
only.
Microsoft also warned of related issues, including potential Windows Server 2025 restarts and
Office 2016 crashes tied to recent updates.
Hackers are exploiting known Fortinet vulnerabilities to install stealth backdoors on FortiGate
devices, allowing them to maintain access even after patches are applied.
The attackers use symbolic links to quietly read configuration files through the SSL VPN interface, avoiding
detection. Devices without SSL VPN enabled are not affected. Fortinet has responded with
updates across multiple FortiOS versions, along with tools to detect and remove the
backdoor and changes to the SSL VPN interface to prevent future abuse.
watchTowr CEO Benjamin Harris warned this reflects a broader trend.
Attackers now design backdoors to survive patches and resets.
Fortinet urges all users to update immediately to block these persistent threats and protect
their systems from ongoing exploitation.
Cybersecurity researchers are warning of a rise in dangling DNS attacks, where attackers
exploit outdated or misconfigured DNS records to hijack organizational subdomains.
These vulnerabilities often occur when companies discontinue cloud services or SaaS tools but leave behind DNS
entries, like CNAME records, pointing to decommissioned resources.
Attackers can then register the abandoned destination and serve malicious content through
the legitimate domain, creating a serious supply chain risk.
SentinelOne found over 1,250 vulnerable subdomains in the past year, with one case showing 150
deleted AWS S3 buckets receiving over 8 million requests.
These requests included software updates and VPN configurations, which could have been
weaponized by attackers.
The real danger lies in the trust users and systems place in subdomains
unknowingly connecting to attacker controlled infrastructure. To mitigate the threat, experts
recommend regular DNS audits, immediate removal of stale records, and runtime security monitoring
for anomalous activity.
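The DNS audit the researchers recommend can be scripted. The following is an added example written for this page, not code from SentinelOne or from the episode: it walks a zone export, and for every CNAME decides whether the target is dead (dangling), and whether the target sits on a platform whose hostnames anyone can re-register (the claimable suffix list, the sample zone, and the stub resolver are all constructed assumptions).

```python
"""Audit a zone for dangling CNAMEs (added example, not from the episode).

A CNAME whose target no longer resolves is a takeover candidate. If that
target is on a cloud/SaaS platform where the name can be re-claimed by
anyone, the organization's subdomain becomes attacker-controlled.
"""
import socket
from dataclasses import dataclass

# Platforms whose hostnames a third party can (re)claim. Illustrative, not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".cloudfront.net",
    ".azurewebsites.net",
    ".github.io",
    ".herokuapp.com",
)


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    # "high": dead target on a claimable platform; "medium": dead target elsewhere;
    # "verify": live target on a claimable platform (needs an HTTP probe, see note)
    severity: str


def _norm(host: str) -> str:
    return host.rstrip(".").lower()


def resolves(host: str) -> bool:
    """Real resolver: True if the host has any A/AAAA answer (NXDOMAIN and SERVFAIL both give False)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(records, resolver=resolves):
    """records: iterable of (name, rtype, target). Returns Findings for suspicious CNAMEs."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        t = _norm(target)
        claimable = t.endswith(TAKEOVER_PRONE_SUFFIXES)
        alive = resolver(t)
        if alive and not claimable:
            continue  # live target on infrastructure you presumably control
        if not alive:
            sev = "high" if claimable else "medium"
        else:
            # Provider front doors (S3, GitHub Pages, ...) keep answering DNS after the
            # bucket/site behind them is deleted, so DNS alone cannot clear these.
            sev = "verify"
        findings.append(Finding(_norm(name), t, sev))
    return findings


# Constructed zone export and constructed resolver answers so the audit runs offline.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("updates.example.com.", "CNAME", "old-updates-bucket.s3.amazonaws.com."),
    ("blog.example.com.", "CNAME", "example.github.io."),
    ("vpn.example.com.", "CNAME", "vpn-gw.corp-hosting.example.net."),
]
LIVE_HOSTS = {"example.github.io"}  # constructed: the only target that still resolves


def sample_resolver(host: str) -> bool:
    return host in LIVE_HOSTS


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"{f.severity:6} {f.name} -> {f.target}")
```

The "verify" tier matters for exactly the S3 case in the story: a deleted bucket's hostname still resolves to the S3 endpoint, so the takeover only shows up at the HTTP layer (the provider's "no such bucket" or "no such site" response). Run the DNS pass on every export, then probe the "verify" hits over HTTP before closing them.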
Two class-action lawsuits filed in California allege that ad tech firm The Trade Desk secretly
tracks users online without consent, violating privacy laws.
The suits target the company's Unified ID 2.0 and ad-serve tracking tools, accusing
them of collecting personal data, like email addresses, IPs,
and even health info, for profiling and real-time ad bidding. Plaintiffs argue the firm acts
like a data broker, monetizing user data without disclosure. One case claims UID2 circumvents
privacy protections and may breach California's wiretapping laws. Legal experts say UID2's
unique methods could draw closer court scrutiny. While proving harm in such privacy cases is
tough, the suits are seen as strategic and timely amid growing privacy advocacy. The
Trade Desk, a $25 billion firm, has not responded to the allegations.
Google is fixing a 20-year-old Chrome privacy flaw that allowed websites to detect users'
browsing history by checking if links had been previously visited.
The issue stems from the :visited CSS selector, which changes a link's color if a user has
clicked it before.
Malicious sites could exploit this to infer which sites users visited, enabling tracking
and profiling.
Chrome version 136 will introduce triple-key partitioning for visited links using the link
URL, top-level site, and frame origin.
This change ensures a link appears as visited only in the
same site and context where it was first clicked, preventing
cross-site history leaks.
Google chose not to eliminate the visited functionality
entirely to preserve user experience and rejected a
permissions-based model as too vulnerable to abuse.
The feature is experimental in Chrome 132 through 135 and will be enabled by default
in version 136.
Other browsers offer partial protections but lack full partitioning.
The Tycoon 2FA phishing-as-a-service platform has received major updates, enhancing its
ability to bypass multi-factor
authentication and evade detection.
Originally discovered in October 2023, the phishing kit now hides malicious JavaScript
using invisible Unicode characters, evading manual and static analysis.
It has also replaced Cloudflare Turnstile with a self-hosted CAPTCHA using randomized HTML5
canvas elements to avoid reputation checks and enable better customization.
Additionally, new anti-debugging scripts detect and block browser automation tools like PhantomJS
and Burp Suite, redirecting suspicious users to legitimate sites. Trustwave also reports a surge in phishing attacks using malicious
SVG files, a tactic favored by Tycoon 2FA and similar platforms.
These SVGs, disguised as voicemails or logos,
contain obfuscated JavaScript that redirects victims to fake Microsoft 365
login pages.
Phishing-resistant MFA and blocking SVG attachments
at the email gateway level are recommended defenses.
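Two of the tricks above can be caught with static checks at the gateway: JavaScript whose text is mostly invisible or filler Unicode code points, and SVG attachments that carry script. The following is an added example written for this page, not code from Trustwave or the Tycoon2FA kit; the invisible-character list, the 20% threshold, and all sample payloads are constructed assumptions to tune for your environment.

```python
"""Gateway checks for invisible-Unicode JS and active SVG (added example, not from the episode)."""
import re
import unicodedata

# Invisible or filler code points used to hide script. Illustrative, not exhaustive.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width family
    "\u3164", "\uffa0",                                # Hangul filler / halfwidth filler
    "\u115f", "\u1160",                                # Hangul choseong / jungseong filler
}


def invisible_ratio(text: str) -> float:
    """Fraction of characters that are invisible/filler (Unicode 'Cf' format chars count too)."""
    if not text:
        return 0.0
    hidden = sum(1 for ch in text if ch in INVISIBLE or unicodedata.category(ch) == "Cf")
    return hidden / len(text)


def looks_like_hidden_js(text: str, threshold: float = 0.2) -> bool:
    """Real code is overwhelmingly printable; a high invisible ratio means an encoded payload."""
    return invisible_ratio(text) >= threshold


# Anything that makes an SVG execute code or navigate when rendered.
SVG_ACTIVE_PATTERNS = (
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"(?<=\s)on[a-z]+\s*=", re.I),                       # onload=, onclick=, ...
    re.compile(r"(?:href|xlink:href)\s*=\s*[\"']\s*javascript:", re.I),
    re.compile(r"<\s*foreignObject\b", re.I),                        # can embed HTML/script
)


def svg_is_active(svg_text: str) -> bool:
    return any(p.search(svg_text) for p in SVG_ACTIVE_PATTERNS)


def classify(filename: str, content: str) -> str:
    """Verdict for one attachment or fetched script body."""
    if filename.lower().endswith(".svg") and svg_is_active(content):
        return "block: active SVG"
    if looks_like_hidden_js(content):
        return "block: invisible-unicode payload"
    return "allow"


# --- constructed samples ---------------------------------------------------

def encode_as_filler(js: str) -> str:
    """Constructed stand-in for the kit's trick: every bit of the payload becomes a filler char."""
    bits = "".join(f"{ord(c):08b}" for c in js)
    return "".join("\u3164" if b == "1" else "\uffa0" for b in bits)


HIDDEN_JS_SAMPLE = "var p=" + encode_as_filler("location.href='https://login.example.net/'") + ";"
PLAIN_JS_SAMPLE = "function f(a){return a+1;}"
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="#0a0"/></svg>'
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="location=\'https://login.example.net/\'">'
    "<text>voicemail.svg</text></svg>"
)

if __name__ == "__main__":
    for name, body in [("voicemail.svg", MALICIOUS_SVG), ("logo.svg", BENIGN_SVG),
                       ("page.js", HIDDEN_JS_SAMPLE), ("app.js", PLAIN_JS_SAMPLE)]:
        print(f"{name:14} ratio={invisible_ratio(body):.2f} -> {classify(name, body)}")
```

The ratio check is deliberately crude: it does not decode the payload, it only refuses to treat a blob of filler characters as legitimate script, which is enough to quarantine the page for a human or sandbox. The SVG rule follows the story's recommendation of blocking SVG at the gateway; if your business needs inline SVG logos, the active-content patterns let you block only the ones that can execute.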
SVG-based phishing jumped 800% from April 2024 to March 2025.
Coming up after the break, my conversation with Tim Starks from CyberScoop with the latest
from CISA and Chris Krebs.
And slop-squatting AI totally harshes the supply chain vibe.
Stay with us.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy
targets for threat actors to exploit but hard for defenders to detect. This poses risk
in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing
such risks with Attack Path Management. You can learn how Attack Path Management is
connecting identity and security teams while reducing risk with BloodHound Enterprise,
powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps, see your
attack paths the way adversaries do.
It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter
at CyberScoop. Tim, welcome back.
Great to be back, Tim.
Your beat is Washington, D.C., and the policy issues that are going on in this great city of ours.
Yes. Is that a fair description? Yeah, that's very accurate.
alright, so
How you keeping track of all of it these days?
What's going on? I feel like you know, like you must be in a bit of a whirlwind.
Yeah, you sit down to say, oh, I'm going to really dive into this subject, right?
As a reporter, you're like, I'm really going to dive into this.
And then the next moment, something comes along that's, if not as important, more important.
So it's been tough, honestly.
Well, let's talk about some of the things that I think have been top of mind,
certainly to folks tuned into DC. I mean, we have the whole situation with former
CISA director Chris Krebs, and what in my opinion can only be, or perhaps is
most easily labeled as retaliation from the Trump White House
for Krebs's statement that the 2020 election was fair and that President Trump did indeed
lose that election.
But the White House coming after not just Chris and his security clearance, but also
the company that he works for.
Yeah, there was somebody talking on one of the social media sites, saying "not surprised,
but still shocked" is a kind of constant state of mind.
It feels like in the Trump administration, the idea that you can just know somebody that
the president doesn't like and suddenly find your business being threatened is the kind
of thing that you think just can't happen in America until it does.
I would say that one of the things that's interesting about this administration versus
the previous administration is I think for the most part, I say this for better or worse because I was covering cybersecurity in the
first Trump administration and I was like, there's so much wild stuff happening in all
these other agencies and all these other parts of the government.
But cybersecurity was pretty tame in the Trump administration until the very end, of course,
with Krebs.
When Krebs, the election results were pretty much already known, but when Krebs got, you know,
not pretty much, but they were, you know, they were known essentially when Krebs was
fired. He was already on his way out when he was saying, you know, doing things like
the rumor control, you know, there were some discussions, he was doing the rumor control
thing when the election was still happening, but when he got fired, it was entirely predictable and well known that
he wasn't going to be around much longer because of the Trump administration was going to be
ending.
So that was about the most dramatic thing that happened in the cyber world in the first
Trump administration was corruption related.
Now there's so much dramatic stuff happening in every area of the government, including
cyber security.
They fired the cyber command director.
They fired a bunch of people at CISA.
They've done so much.
The Krebs shoe is just the latest to drop.
The domino is the latest to fall.
And it is entirely disturbing that he essentially
said something that the president didn't like four,
how many years ago?
Five years ago?
Yeah.
And now he has the president saying,
we're going to bring the weight of the government
to bear on you and your company and the people you work with.
It's really, really, really, really upsetting that this is happening in our country.
Well, let's dig into some of the goings on at CISA itself.
I saw a recent report that I think the number I saw was 1,300 people probably going to be eliminated from CISA, both full-time employees and contractors as well.
It's about half of their workforce, I believe,
and can't imagine that's not gonna put a dent
in our defensive posture.
Yeah, I mean, I think, you know, there was an early sign
that they were going to be,
so, or it can be because of CISA, but I think they only cut about 130 people.
Now, I'm not saying that's not a significant number. It is. But, you know, looking at some
of the things that are happening, like, you know, HHS were cutting 10,000 people, that seemed mild
by comparison. At the time, you know, there were still concerns that there were going to be
more cuts at CISA when the 130 people were fired. But I don't think anybody thought that half.
I mean, that's a huge number. I was just talking to Andrew Garbarino, the congressman
who is the chair of the cybersecurity subcommittee of the House Homeland Security Committee.
and he thought, you know, people now, Republicans now get that this is important.
But cutting half of the workforce is going to have a huge impact. I mean, there are people who thought the agency was not near as big as it should have been.
You know, people in the cyber world have thought that it needs to be a five billion dollar agency
or something like that. And that's Republicans too.
I mean, it was John Katko, I think, who first said,
we need this agency to have a $5 billion budget.
So if we're going to cut half of the people,
it's definitely going to affect the cyber work it does.
It is an agency that is largely about,
and this is another thing that's interesting about it.
If you're a Republican, you're thinking,
oh, we're concerned about the size of government.
We don't want overregulation.
CISA doesn't really have regulatory power.
It's just an agency that just sort of helps.
That's a weird way to boil it down, but it just sort of helps the businesses.
It helps the government.
It gives them advice.
It creates guidelines.
It doesn't do anything regulatory.
And here it is being cut just because it seems like.
I mean, there's not one of these things where people have said, oh, we're going to cut it
this much because we think it's doing too much or it's not doing what it should be doing
and therefore it needs to be cut back because it's not useful.
There's nobody saying that.
So the idea of it being cut in half essentially
is it just baffles the mind really.
You're looking for, if you're a reporter,
you're looking for a reason, why?
Why is this happening?
Right, why half?
Yeah.
Is it arbitrary?
Just because.
Yeah.
Well, you mentioned, you know,
speaking with Republican Congress members.
This notion, the sort of original sin of CISA
as described by the Trump White House
is that they were censoring Republican voices.
How much does that argument still carrying water?
When you're talking to Republicans, are they leading with
that? Are they acknowledging that? How seriously are they taking that either publicly or behind
the scenes?
I think they certainly at least were taking it seriously. I think in 2023, there was a
vote from House Republicans, the majority of whom said, we're going to cut CISA's budget by 25% because of this kind of thing. But that's a very small percentage of
the work it did. And I'm not saying the work equals censoring Republican voices. I mean,
work on disinformation was a very small percentage of what it did. I think Brandon
Wales testified before Congress, Brandon Wales being a former top CISA official,
that it was less than 1% of CISA's budget.
So yes, I think for some Republicans, and among them, Senator Rand Paul, who was the
chair of the Homeland Security Committee on the Senate side, that is a reason that CISA
is a bad agency, that singling out that part of the things. But it did feel like this would be a moment if you were concerned about CISA as a Republican
to say, well, now we're in charge of it.
And if there's some amount of that, we can get rid of it.
And there's a nominee to lead CISA that is someone who could hope to say, hey, we need
you to change these things. It seems like this would be a moment where you could stop
and say, let's reevaluate.
Instead, it seems like from the top,
it's just chop it, just cut it.
And I do think that yes,
there are things that Republicans can point to
and say, we don't like this about the agency.
And Trump obviously didn't like that Chris Krebs had said that these
things that he was saying about the election were misinformation. But I don't think that
quite gets to the point where you say, Oh, yeah, we're not going to cut this agency in
half. It just doesn't quite get there.
Well, speaking of the nominee to lead CISA, Senator Wyden has pledged to put a hold on the confirmation there. What was going
on with that story? Yeah, this is a little similar to what he did with Chris Krebs,
believe it or not. Everything kind of comes and goes. A big full circle.
Just related to concerns about telecom vulnerabilities and you know
surveillance is what Senator Wyden is concerned about. He got what he wanted in order to lift
the hold from last time. This time it seems like he wants more. So we'll see how much
that holds things up. I think it's one of those kinds of things where I'm not saying
it's not meaningful, but it is somewhat symbolic. It's nothing to do with concern about the
nominee himself. It's very little to do with the agency itself. It's an
opportunity for Senator Wyden to bring up a concern he's had and execute
that concern using a nominee that is only vaguely related to what he's
concerned about. Right. It's a point of leverage that he has, so
he's taking advantage of it. Exactly.
Yeah, yeah.
All right, well, Tim Starks is senior reporter
at CyberScoop.
Tim, thank you so much for sharing your knowledge,
expertise and experience with us.
And I look forward to catching up with you soon.
I don't, Dave, I don't look forward, I'm kidding.
It's a wild world.
I do appreciate talking to you.
Thanks again. All right.
See you.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And finally, if AI coding assistants were chefs, they'd be whipping up recipes on the fly, sometimes tossing in a mystery spice that no one remembers buying. Welcome to the world of
slop squatting, where attackers scoop up the hallucinated ingredients, fake
packages, that your friendly LLM invented and serve them back as malware.
Coined by developer Seth Larson and popularized by Andrew Nesbitt, slop
squatting targets the packages AIs like Copilot and
ChatGPT dream up, but that don't actually exist.
Yet.
Attackers register these ghost packages, waiting for some unwitting dev to copy-paste them
into their project.
A recent study found that nearly 20% of packages recommended by 16 code-generating LLMs are
pure fiction.
Worse, these hallucinations are often weirdly consistent and suspiciously plausible.
With vibe coding on the rise, devs are more likely to install first and question later.
The moral of the story? Don't trust that suspiciously
convenient import. Your AI might be freelancing for the bad guys.
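The practical defense against slopsquatting is to stop treating an import in generated code as permission to install it. The following is an added example written for this page, not code from the study or from any registry: it parses a snippet, extracts the top-level modules it imports, and reports anything that is neither standard library nor already pinned in the project's lockfile, so a human checks the registry before `pip install` ever runs. The lockfile contents, the snippet, and the package names `fastjsonsigner` and `cloudauth_helper` are constructed; nothing here asserts that any real package is hallucinated or malicious.

```python
"""Gate AI-suggested imports against an approved-package set (added example, not from the episode)."""
import ast
import sys

# Constructed: import names of the distributions pinned in the project's lockfile.
# Note that import name and distribution name differ (yaml -> PyYAML), so key by import name.
LOCKED_IMPORTS = {"requests", "cryptography", "yaml"}


def stdlib_names():
    """Python 3.10+ exposes the standard-library module list; older versions get a small fallback."""
    return getattr(sys, "stdlib_module_names", frozenset({"os", "sys", "json", "re", "ast"}))


def top_level_imports(source: str):
    """Return the top-level module names a snippet imports (absolute imports only)."""
    tree = ast.parse(source)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def unknown_imports(source: str, locked=LOCKED_IMPORTS):
    """Imports that are neither stdlib nor pinned: verify against the registry before installing."""
    return sorted(top_level_imports(source) - set(locked) - set(stdlib_names()))


# Constructed snippet of the kind an assistant might emit. The two unpinned names are
# placeholders for hallucinated packages, not claims about real projects.
AI_SNIPPET = '''
import os
import requests
from yaml import safe_load
from fastjsonsigner import sign_payload
import cloudauth_helper.session
'''

if __name__ == "__main__":
    for mod in unknown_imports(AI_SNIPPET):
        print(f"unverified import {mod!r}: not in lockfile, check the registry before installing")
```

Wire `unknown_imports` into a pre-commit hook or the CI step that runs before dependency resolution, and fail the build when it returns anything. Plausible-sounding names that keep recurring across prompts are exactly the ones the story warns are being registered, so "it imports cleanly in the assistant's example" is never evidence the package is real.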
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey in
the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth,
our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music
and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is
our publisher, and I'm Dave Bittner. Thanks for listening, and we'll see you back here
tomorrow.

Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard
offers a dynamic and collaborative environment where your ideas drive change. With career
growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive
both professionally and personally. Explore open cybersecurity and technology roles today
at Vanguardjobs.com