CyberWire Daily - All systems not go.
Episode Date: May 30, 2025SentinelOne suffers a global service outage. A major DDoS attack hits a Russian internet provider. U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules. Australia mandates reportin...g of ransomware payments. Researchers uncover a new Browser-in-the-Middle (BitM) attack targeting Safari users. A Florida health system pays over $800,000 to settle insider breach concerns. CISA issues five urgent ICS advisories. Our guest is Matt Covington, VP of Product at BlackCloak, discussing the emergence of advanced impersonation techniques like deepfakes and the importance of digital executive protection. The feds are putting all our digital data in one basket. CyberWire Guest On our Industry Voices segment, at the 2025 RSA Conference, we were joined by Matt Covington, VP of Product at BlackCloak, discussing the emergence of advanced impersonation techniques like deepfakes and digital executive protection. Listen to Matt’s conversation here. Selected Reading Cybersecurity Firm SentinelOne Suffers Major Outage (Bank Infosecurity) DDoS incident disrupts internet for thousands in Moscow (The Record) Banks Want SEC to Rescind Cyberattack Disclosure Requirements (PYMNTS.com) Australian ransomware victims now must tell the government if they pay up (The Record) New BitM Attack Exploits Safari Vulnerability to Steal Login Credentials (Cyber Security News) Florida Health System Pays $800K for Insider Record Snooping (Bank Infosecurity) UTG-Q-015 Hackers Launched Large Scale Brute-Force Attacks Against Govt Web Servers (Cyber Security News) CISA Releases Five ICS Advisories Targeting Vulnerabilities and Exploits (Cyber Security News) Trump Taps Palantir to Compile Data on Americans (The New York Times) Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it
peace of mind.
And it's not just for individuals. Delete Me also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your Delete Me plan.
Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout.
That's joindeleteeme.com slash n2k, code n2k. Sentinel-1 suffers a global service outage.
A major DDoS attack hits a Russian Internet provider.
U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules.
Australia mandates reporting of ransomware payments.
Researchers uncover a new browser in the middle attack targeting safari users.
A Florida health system pays over $800,000 to settle insider breach concerns.
CISA issues five urgent ICS advisories.
Our guest is Matt Covington, VP of Product at Black Cloak,
discussing the emergence of advanced impersonation techniques like deepfakes
and the importance of digital executive protection. And the feds are putting all
our digital data in one basket. It's Friday, May 30, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us here today.
Cybersecurity firm SentinelOne experienced a global service outage on Thursday that disrupted
its extended detection and response platform, affecting security monitoring and
updates for nearly 13,000 customers.
The issue lasted about six hours with administrators reporting problems accessing the cloud-based
console.
Although customer endpoints remained protected, managed detection and response services were
offline and threat data reporting was delayed.
Sentinel-1 attributed the outage to an internal automation error, not a cyber attack.
Most of the company's services, including endpoint and cloud security, were listed as
unavailable.
Some admins speculated AWS or DNS issues, but evidence didn't support this. The outage interrupted star rule-based custom detections and impacted clients dependent
on real-time updates.
Sentinel-1 classified the incidents as SEV-0, the highest severity level, and later restored
service.
Experts viewed the response as effective, despite temporary loss of visibility and MDR functions.
A major DDoS attack hit Russian internet provider ASVT this week, knocking tens of thousands
offline in Moscow and nearby areas for several days.
The disruption began Tuesday and lasted into Friday, affecting ASVT's website, mobile app, and customer services.
Many residents couldn't work remotely, use card payments, or access buildings due to downed intercoms.
ASVT blamed the Ukrainian IT Army, though the group hasn't claimed responsibility. The incident follows a similar March attack on Lovit, another provider accused of monopolistic
practices and now under investigation.
Russia's Federal Anti-Monopoly Service is also probing ASVT.
The broader trend reflects rising cyberattacks on Russian telecoms, often politically motivated.
In 2023, over 30% of DDoS attacks in Russia targeted telecoms.
Previous attacks have included data theft and infrastructure damage
by groups like the Ukrainian Cyber Alliance and Silent Crow.
It's unclear if ASVT's enterprise or government clients were affected.
US banking groups are urging the Securities and Exchange
Commission to scrap its cybersecurity incident
disclosure rules, arguing they clash with confidential
protocols meant to protect critical infrastructure.
Led by the American Bankers Association, five major
industry groups say the SEC's cybersecurity risk management
rule, requiring rapid disclosure
of breaches, hinders law enforcement, creates confusion, and disrupts incident response.
They argue the rule, in effect since July 2023, has been flawed and difficult to implement.
A recent breach at Coinbase underscores the danger, with attackers impersonating support
staff to steal user assets.
This incident amplifies fears across the financial sector about centralized data risks as crypto
adoption expands.
Banking and crypto sectors alike now stress the need for better cybersecurity guardrails
without compromising critical operations.
Australia has become the first country to mandate reporting of ransomware payments.
Starting Friday, organizations earning over $3 million Australian annually or in critical
infrastructure must report any payments made to cybercriminals within 72 hours to the Australian Signals Directorate.
Non-compliance could lead to civil penalties.
The law aims to improve visibility into ransomware attacks,
which are largely under-reported, with only one in five victims currently coming forward.
Initially, enforcement will focus on severe violations,
but stricter oversight is planned
for 2025.
This move follows a wave of major cyber attacks in Australia and echoes similar proposals
in the UK.
Critics argue that while the law may help profile attackers, it won't stop ransomware.
Researchers from Square X have uncovered a new browser-in-the-middle attack targeting
Safari users by exploiting flaws in the browser's Fullscreen API.
This technique, revealed through the Year of Browser Bugs project, enables stealthy
phishing by tricking users into entering Fullscreen mode without warning.
Unlike Chrome or Firefox, Safari lacks clear visual indicators
when full screen mode is triggered,
making it easier for attackers to disguise malicious sites
as legitimate login pages.
Using noVNC, attackers can embed a remote session
inside the victim's browser, stealing credentials undetected.
Traditional endpoint detection and response tools can't see browser activity, making
this attack hard to detect.
Apple has acknowledged the issue, but considers Safari's behavior intentional, not a bug.
Experts urge enterprises to use browser-native security tools, as network-based defenses
can be bypassed.
BayCare Health System in Florida has agreed to pay $800,000 and implement a corrective action plan
to settle a federal HIPAA investigation over a 2018 insider breach.
The incident, reported by a patient at St. Joseph's Hospital in Tampa,
involved unauthorized access to her printed and electronic medical records.
The patient said she was later contacted by someone with photos and video of her records.
Federal investigators traced the access to credentials belonging to a former non-clinical staffer at a medical practice connected to BayCare.
The U.S. Department of Health and Human Services found multiple HIPAA violations, including
inadequate access controls and failure to monitor system activity.
Although BayCare admitted no wrongdoing, the case highlights the risk of insider threats
and the need for continuous monitoring and auditing of access to patient
data. Experts emphasize that software alone isn't enough. Effective compliance requires ongoing oversight.
A new malware campaign, UTGQ015, is targeting government web servers across multiple regions,
posing a threat to national infrastructure.
First detected earlier this month, it uses brute force, credential stuffing, and SQL
injection to breach defense and municipal systems.
The malware employs polymorphic code to evade detection and embeds itself via process hollowing,
replacing legitimate software with malicious code.
It maintains persistence through registry tweaks and scheduled tasks, enabling long-term
access and data theft.
Agencies report backdoors and service disruptions.
CISA issued five urgent advisories addressing severe vulnerabilities in critical industrial control systems used
across sectors like healthcare, construction, maritime safety, and infrastructure.
Affected systems include Siemens SciPass access control platforms, Concillium CS5000 fire
panels, Instantel Micromete environmental monitorsitors and SantaSoft Medical Imaging Software.
The flaws, ranging from firmware tampering and hard-coded passwords to missing authentication
and memory corruption, pose high risks of remote exploitation and system compromise.
CVSS scores for these vulnerabilities range from 8.2 to 9.3, highlighting their severity.
While Siemens and Santasoft have issued patches, Concilium urges hardware upgrades.
CISA advises organizations to immediately apply vendor mitigations, implement network
segmentation, use VPNs for remote access, and maintain up-to-date asset inventories.
Coming up after the break, my conversation with Matt Covington from Black Cloak.
We're discussing the emergence of advanced impersonation techniques like deepfakes.
And the feds are putting all our digital data in one basket.
Stay with us.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based
threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.
Compliance regulations, third-party risk, and customer security demands are all
growing and changing fast. Is your manual GRC program actually slowing you down? If
you've ever found yourself drowning in spreadsheets, chasing down screenshots, or fast. Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone. But
let's be clear, there is a better way.
Banta's Trust Management Platform takes the headache out of governance, risk, and
compliance. It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact. teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So, if you're ready to trade in chaos for clarity,
check out Vanta and bring some serious efficiency to your GRC game.
Vanta. GRC. How much easier trust can be.
Get started at vanta.com slash cyber.
Matt Covington is VP of product at Black Cloak. I recently caught up with him at the RSAC
conference. In today's sponsored industry voices segment, we discuss the emergence of
advanced impersonation techniques
like deepfakes and the importance
of digital executive protection.
So Matt, here we are at RSAC 2025.
Before we dig into some of the specific topics,
what's your take on this year's show
and any sense for the general buzz around the show floor?
Yeah, absolutely.
So for me, it's felt like a high school reunion,
bumping into so many old colleagues,
getting to see what everyone's up to.
And so it's always an incredible pleasure to be here for that reason,
just build your networks, reconnect with people.
Everyone's talking about AI, obviously.
Agentsic AI, more specifically.
And so the buzz here is the buzz everywhere.
But it seems like there are a lot of folks about,
everyone's really interested,
the exhibit floor seemed like it was heaving
anytime you went down there.
We have had some excellent meetings here
with partners, with prospects, and with customers.
So no, overall it's been a great week.
Well, I mean, let's touch on the hot topic,
which as you mentioned is AI, and more specifically,
agentic AI.
Does that cross paths at all with the work you and your colleagues at Black Cloak do?
Yeah, it's really interesting.
So I think one of the things that we do ourselves, I'll sort of get into a little bit of one
of our core use cases.
And so fundamentally, our value proposition for our members is we will help you to reduce
your digital footprint to be as small as possible.
Given it will never be zero, there will always be some trace.
We can remove data from data broker sites, you know, images of your house from the street
view on Google Maps.
And so we do a lot of work around this.
And obviously, in doing that work, we're interacting with
web content all the time.
And so having an AI agent that's able to understand the context of the kind of page it's looking
at and to reason around the page to say, yes, I understand that this is an input field for
first name, last name, location, and this is an opt-out button, which can be the same
thing as a removal button.
And so I think for us, there's a lot of promise in the idea that we can be much more efficient
in how we are collecting data from these pages, how we're submitting opt-out requests on a
member's behalf.
And so, yes, in short, I think there's definitely an application here for the work that we're
engaged in.
And it's quite exciting to see how far and how fast things are traveling.
Well, I mean, speaking to the types of services and products that you all provide, you know,
in conversations with folks coming to the conference from all over the world, I have
spoken to multiple international travelers who've said that there is increased scrutiny at the borders.
And we're kind of in this place right now where I think people are figuring out how
far things are going to go and how much is this a new reality or a transitional thing.
But that plays into the types of things that you are all are helping with as well.
Yeah, I think so.
I mean, one of the services we provide, again,
you know, there are lots of things
you can do with automation.
There are many things you can't.
And so one of the concierge services we provide
is just advice on how to safely configure social media.
And a lot of times we'll give briefings
to families about safe use of social media,
what's appropriate to do, and what it isn't appropriate to do.
And so again, that sense of how I should be using social media in a safe way would inherently,
I think, make it much less of a risk if you were in one of those scenarios where suddenly
you have somebody looking over your device.
In other cases, as I said, when we have folks traveling overseas, a lot of times the best
recommendation is take a burner phone, right?
Take a phone, do what you need to do,
install the apps you need when you come back,
you can wipe it.
That's a really interesting insight, I think,
about the family, right?
Because I imagine, you know, a teenage child,
you know, mom is a high powered executive somewhere, the kids didn't sign up for this, you know, a teenage child, you know, mom is a high powered executive somewhere.
The kids didn't sign up for this, you know, maybe the spouse knew what
they were getting into, but, um, so there's kind of a nurturing aspect to it as well.
As part of that bubble, you try to put around the whole family.
100%.
And I think that is the hardest thing.
I think for a lot of executives is to have to acknowledge
that you are part of the brand, right?
If you're a top executive at financial services organization, particularly if you're public,
particularly if you are a figure of noteworthy figure who is in the news, you know, that
that does make you part of the corporate attack surface.
And so a lot of times when we're talking to grizzled, you know,
CISOs will talk in those terms and say, you know,
you can't just think about attack surface in terms of IP ranges, right?
You have to think about the people and their families as well.
And so I think really the founding principle of BlackLog was to be able to
almost have your cake and eat it too, right?
Because we are able to extend security protections to the home. We have a range of privacy and
security features for the executive, for their spouse, for adult children, teenagers living
in the home. But by the same token, it is not automatic that that information gets shared
back. And so let's say, for example, that an executive's information gets breached for a site they're a member of,
and they don't necessarily want their CISO to know
all of their social activities, all of their hobbies.
And so through Black Cloak, they're
able to come directly to us as that sort of trusted intermediary
to work on those issues without having to necessarily have
all of the details of their home life,
their children's home life, their spouse's home life, common knowledge for the IT team in the office.
And so we, in some respects, our SOC team act as an extension of the CISO.
So when there's an issue with a family device, they can call us rather than calling the CISO,
and we'll take care of that in a discreet way without necessarily
again having to pass all of that data back up the chain to the company.
Yeah, that's really interesting.
I never really thought about reputational protection flowing to the company itself.
Yes, it's really interesting.
Again, there's that two-way street.
Obviously, for, as I said, the individual is part of the brand, but also
actions the individual can, in some cases, reflect negatively on the brand as well.
So there's a really, the dynamic between the personal and the business, it is not a clean
line as much as we would like to believe that it is.
It's a gray area.
And the reality is that we may write a policy that says, we will respect privacy, we will separate these things.
An attacker doesn't care, right?
And in fact, if I'm looking at targeting an individual, right,
am I going to try and target a corporate resource
that is probably going to be very well defended
with enterprise-grade security,
or am I going to try and sneak in the back door, right?
I'm going to find, I can go to a data broker site
and I'm going to find an email address
or a phone number or a social media account and I can target my attack that way.
And so again, that's sort of the role the black cloak plays is expanding that secure
perimeter outside the four walls of the organization.
The other thing that strikes me is it's in a similar way, perhaps at a different scale to how we think of the cyber realm crosses
into the physical world with things like critical infrastructure, you know, keeping the lights
on and the trains running and the airplanes flying and that sort of thing.
But the work that you all do also crosses over into the physical world, protection of
people beyond just their zeros and ones. also crosses over into the physical world, protection of
people beyond just their zeros and ones.
Yeah, that's absolutely the case.
And, you know, so for example, one of the things we'll
typically do, every member gets like an individual one-on-one
Zoom onboarding call, and we cover things like, you know,
property addresses being online, right?
And again, that information from a data broker
could end up being very dangerous, right?
If you have, you know, the street address
and then potentially there's a Zillow home listing
from a couple years ago that has the property,
pictures of all the rooms, it's very important
that, you know, we take action to get those things removed
because there definitely is that sense
that the cyber always is a leading indicator in some respects of what's going to happen in the physical world.
I mean, in past lives, I've worked with security companies who are very about the policy of a given organization.
And the next thing you know, they're picketing outside the CEO's house or outside their
kid's school for the school run to try and generate embarrassment.
And so again, I think what it comes down to is that what we're able to do, again, no such
thing as perfection in this world, but you want to take every effort you can just to
remove as much information as you can.
And so, again, there's always that don't be the fish, right?
You don't want to be the easy person to target or attack and you hope that attacker gets
frustrated and moves on to an easier target.
How do you dial in an appropriate amount of respect for the risks without unnecessarily injecting paranoia or fear
into the people that you're working with?
That's a great question, and it's definitely a journey,
right, and I think we like to say
that we're perfectly happy to do a call walk run
with our members, and so the initial call,
we'll get some of the basic protections in place,
but maybe we won't go to the PC or the Mac and install software there.
And so it's definitely that sort of very kind of gentle approach.
And so we do, when we first have the onboarding call, we will give the member an indication
of what's out there, but it's always in the context of what the good news is, we're busy taking care of this for you. And so, for example, we'll have representative
data to say, look, you know, these email addresses have been in data breaches. We know those
data breaches have social security numbers. So we might consider as a next thing, you
can schedule a concierge call and we'll walk you through credit freeze and locks, for example.
And so it's always trying to frame the risk in the context of the action.
And so it's always that pivot to action, right?
We want all of the information we're putting in front of our members to feel like the solution
or the remediation is wrapped into the messaging.
It's not the scare tactic of a wall of red alerts with no indication
of what I'm supposed to do about
them.
And in fact, in a lot of cases, one of the things we'll do is we actually, so on a home
PC, we have an enterprise grade EDR solution running on those.
And if we detect malware, it actually signals back to the SOC.
And so they will then proactively reach out and say, hey, just so you know, we've seen
this, this is what we're going to do about it, rather than again, having a siren go off
and red lights flashing on the PC, which again can be legitimately terrifying for somebody
who isn't well versed in security.
That's one of the, for me, joining Black Club, joined about a year ago, it is that's the
nuance, right?
We sell to a CISO, but our responsibility is ultimately to the member themselves,
and it's not a technical audience.
You can't use technical language when you talk to them.
And Chris Pearson has a great philosophy,
which is, you know, anytime you put a new feature
or a new screen, would mom be able to understand it, right?
Could you show it to your mom?
Could she understand what we're saying
and what we're recommending to do?
And that's never a bad philosophy to have in what we're trying to do.
Yeah.
And coming back to the fact that here we are at RSAC and really a one-stop shopped for
a big high-level picture of everything going on in cybersecurity.
How do you define your place in the community, in the ecosystem?
What is the spot that you all fill?
Yeah, that's a really great question.
And so I think what we're doing is we're putting together maybe a little sub-slot, right?
And so in talking about digital executive protection, which is how we describe ourselves,
obviously one element of that is just simply sales and marketing motion for our products. We also recently put together a document called the Digital Executive Protection Framework,
which is really trying to kind of break out all of the different categories and all of the different
elements under those categories in almost a NIST-like framework, just so again you can hand
it over. And again, not all of these things are necessarily things that Black Cloak protects about,
but it's trying to take a holistic, you know, community center view of what we believe this space should be.
We think it's very important, we're very passionate about digital executive protection as a space and as a category.
And so it's sort of an opportunity to go out and talk about this.
And that's our little segment. of an opportunity to go out and talk about this,
and that's our little segment.
We sell to the enterprise, but again, it's really about that relationship with a member, the end user,
that is so incredibly important for what we do. And finally, the federal government's quiet expansion of data sharing efforts enabled
by President Trump's March executive order
has sparked growing concerns among privacy advocates, technologists, and
civil liberties groups. Central to the initiative is Palantir, a data analytics
firm now working across multiple federal agencies including DHS, HHS, and the IRS
to integrate vast stores of personal data.
While the stated goal is to improve efficiency and break down information silos, the move
raises serious questions about oversight, transparency, and the potential risks of centralizing
sensitive information.
Palantir's Foundry Platform can consolidate and analyze complex datasets, making it possible
to create detailed profiles of individuals using data originally collected for other
purposes.
Critics worry this level of integration, if not carefully governed, could erode public
trust and expose citizens to unintended consequences.
Even some Palantir employees have voiced discomfort with the direction of the company's government
work, highlighting the need for ongoing scrutiny and clear limits on how personal data is used.
Maybe the real efficiency was the friends' personal information we consolidated along
the way.
Just a thought.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with John Hammond, Principal Security Researcher at Huntress.
We're discussing their research, critical gladinette center stack and Trio Fox vulnerability exploited in the wild.
That's Research Saturday, check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Peter Kelpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week. And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment.
If it's not approved, it doesn't run. Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day.
See how ThreatLocker can help you lock down your environment at www.threatlocker.com