CyberWire Daily - All systems not go.

Episode Date: May 30, 2025

SentinelOne suffers a global service outage. A major DDoS attack hits a Russian internet provider. U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules. Australia mandates reporting of ransomware payments. Researchers uncover a new Browser-in-the-Middle (BitM) attack targeting Safari users. A Florida health system pays over $800,000 to settle insider breach concerns. CISA issues five urgent ICS advisories. Our guest is Matt Covington, VP of Product at BlackCloak, discussing the emergence of advanced impersonation techniques like deepfakes and the importance of digital executive protection. The feds are putting all our digital data in one basket.

CyberWire Guest

On our Industry Voices segment, at the 2025 RSA Conference, we were joined by Matt Covington, VP of Product at BlackCloak, discussing the emergence of advanced impersonation techniques like deepfakes and digital executive protection.

Selected Reading

- Cybersecurity Firm SentinelOne Suffers Major Outage (Bank Infosecurity)
- DDoS incident disrupts internet for thousands in Moscow (The Record)
- Banks Want SEC to Rescind Cyberattack Disclosure Requirements (PYMNTS.com)
- Australian ransomware victims now must tell the government if they pay up (The Record)
- New BitM Attack Exploits Safari Vulnerability to Steal Login Credentials (Cyber Security News)
- Florida Health System Pays $800K for Insider Record Snooping (Bank Infosecurity)
- UTG-Q-015 Hackers Launched Large Scale Brute-Force Attacks Against Govt Web Servers (Cyber Security News)
- CISA Releases Five ICS Advisories Targeting Vulnerabilities and Exploits (Cyber Security News)
- Trump Taps Palantir to Compile Data on Americans (The New York Times)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteme.com/n2k and use promo code n2k at checkout. That's joindeleteme.com/n2k, code n2k. SentinelOne suffers a global service outage. A major DDoS attack hits a Russian Internet provider. U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules. Australia mandates reporting of ransomware payments. Researchers uncover a new browser-in-the-middle attack targeting Safari users. A Florida health system pays over $800,000 to settle insider breach concerns. CISA issues five urgent ICS advisories.
Starting point is 00:02:02 Our guest is Matt Covington, VP of Product at Black Cloak, discussing the emergence of advanced impersonation techniques like deepfakes and the importance of digital executive protection. And the feds are putting all our digital data in one basket. It's Friday, May 30, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Friday and thanks for joining us here today. Cybersecurity firm SentinelOne experienced a global service outage on Thursday that disrupted its extended detection and response platform, affecting security monitoring and updates for nearly 13,000 customers.
Starting point is 00:03:09 The issue lasted about six hours, with administrators reporting problems accessing the cloud-based console. Although customer endpoints remained protected, managed detection and response services were offline and threat data reporting was delayed. SentinelOne attributed the outage to an internal automation error, not a cyber attack. Most of the company's services, including endpoint and cloud security, were listed as unavailable. Some admins speculated AWS or DNS issues, but evidence didn't support this. The outage interrupted STAR rule-based custom detections and impacted clients dependent
Starting point is 00:03:50 on real-time updates. SentinelOne classified the incident as SEV-0, the highest severity level, and later restored service. Experts viewed the response as effective, despite temporary loss of visibility and MDR functions. A major DDoS attack hit Russian internet provider ASVT this week, knocking tens of thousands offline in Moscow and nearby areas for several days. The disruption began Tuesday and lasted into Friday, affecting ASVT's website, mobile app, and customer services. Many residents couldn't work remotely, use card payments, or access buildings due to downed intercoms.
Starting point is 00:04:35 ASVT blamed the Ukrainian IT Army, though the group hasn't claimed responsibility. The incident follows a similar March attack on Lovit, another provider accused of monopolistic practices and now under investigation. Russia's Federal Anti-Monopoly Service is also probing ASVT. The broader trend reflects rising cyberattacks on Russian telecoms, often politically motivated. In 2023, over 30% of DDoS attacks in Russia targeted telecoms. Previous attacks have included data theft and infrastructure damage by groups like the Ukrainian Cyber Alliance and Silent Crow. It's unclear if ASVT's enterprise or government clients were affected.
Starting point is 00:05:21 US banking groups are urging the Securities and Exchange Commission to scrap its cybersecurity incident disclosure rules, arguing they clash with confidential protocols meant to protect critical infrastructure. Led by the American Bankers Association, five major industry groups say the SEC's cybersecurity risk management rule, requiring rapid disclosure of breaches, hinders law enforcement, creates confusion, and disrupts incident response.
Starting point is 00:05:53 They argue the rule, in effect since July 2023, has been flawed and difficult to implement. A recent breach at Coinbase underscores the danger, with attackers impersonating support staff to steal user assets. This incident amplifies fears across the financial sector about centralized data risks as crypto adoption expands. Banking and crypto sectors alike now stress the need for better cybersecurity guardrails without compromising critical operations. Australia has become the first country to mandate reporting of ransomware payments.
Starting point is 00:06:32 Starting Friday, organizations earning over $3 million Australian annually or in critical infrastructure must report any payments made to cybercriminals within 72 hours to the Australian Signals Directorate. Non-compliance could lead to civil penalties. The law aims to improve visibility into ransomware attacks, which are largely under-reported, with only one in five victims currently coming forward. Initially, enforcement will focus on severe violations, but stricter oversight is planned for 2025.
Starting point is 00:07:08 This move follows a wave of major cyber attacks in Australia and echoes similar proposals in the UK. Critics argue that while the law may help profile attackers, it won't stop ransomware. Researchers from SquareX have uncovered a new browser-in-the-middle attack targeting Safari users by exploiting flaws in the browser's Fullscreen API. This technique, revealed through the Year of Browser Bugs project, enables stealthy phishing by tricking users into entering fullscreen mode without warning. Unlike Chrome or Firefox, Safari lacks clear visual indicators
Starting point is 00:07:48 when full screen mode is triggered, making it easier for attackers to disguise malicious sites as legitimate login pages. Using noVNC, attackers can embed a remote session inside the victim's browser, stealing credentials undetected. Traditional endpoint detection and response tools can't see browser activity, making this attack hard to detect. Apple has acknowledged the issue, but considers Safari's behavior intentional, not a bug.
Starting point is 00:08:18 Experts urge enterprises to use browser-native security tools, as network-based defenses can be bypassed. BayCare Health System in Florida has agreed to pay $800,000 and implement a corrective action plan to settle a federal HIPAA investigation over a 2018 insider breach. The incident, reported by a patient at St. Joseph's Hospital in Tampa, involved unauthorized access to her printed and electronic medical records. The patient said she was later contacted by someone with photos and video of her records. Federal investigators traced the access to credentials belonging to a former non-clinical staffer at a medical practice connected to BayCare.
Starting point is 00:09:06 The U.S. Department of Health and Human Services found multiple HIPAA violations, including inadequate access controls and failure to monitor system activity. Although BayCare admitted no wrongdoing, the case highlights the risk of insider threats and the need for continuous monitoring and auditing of access to patient data. Experts emphasize that software alone isn't enough. Effective compliance requires ongoing oversight. A new malware campaign, UTG-Q-015, is targeting government web servers across multiple regions, posing a threat to national infrastructure. First detected earlier this month, it uses brute force, credential stuffing, and SQL
Starting point is 00:09:52 injection to breach defense and municipal systems. The malware employs polymorphic code to evade detection and embeds itself via process hollowing, replacing legitimate software with malicious code. It maintains persistence through registry tweaks and scheduled tasks, enabling long-term access and data theft. Agencies report backdoors and service disruptions. CISA issued five urgent advisories addressing severe vulnerabilities in critical industrial control systems used across sectors like healthcare, construction, maritime safety, and infrastructure.
Starting point is 00:10:32 Affected systems include Siemens SiPass access control platforms, Consilium CS5000 fire panels, Instantel Micromate environmental monitors, and Santesoft medical imaging software. The flaws, ranging from firmware tampering and hard-coded passwords to missing authentication and memory corruption, pose high risks of remote exploitation and system compromise. CVSS scores for these vulnerabilities range from 8.2 to 9.3, highlighting their severity. While Siemens and Santesoft have issued patches, Consilium urges hardware upgrades. CISA advises organizations to immediately apply vendor mitigations, implement network segmentation, use VPNs for remote access, and maintain up-to-date asset inventories.
Starting point is 00:11:34 Coming up after the break, my conversation with Matt Covington from Black Cloak. We're discussing the emergence of advanced impersonation techniques like deepfakes. And the feds are putting all our digital data in one basket. Stay with us. And now a word from our sponsor, Spy Cloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up.
Starting point is 00:12:13 Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. Compliance regulations, third-party risk, and customer security demands are all
Starting point is 00:12:58 growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Banta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue.
Starting point is 00:13:35 And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So, if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at vanta.com slash cyber.
Starting point is 00:14:07 Matt Covington is VP of product at Black Cloak. I recently caught up with him at the RSAC conference. In today's sponsored industry voices segment, we discuss the emergence of advanced impersonation techniques like deepfakes and the importance of digital executive protection. So Matt, here we are at RSAC 2025. Before we dig into some of the specific topics, what's your take on this year's show
Starting point is 00:14:39 and any sense for the general buzz around the show floor? Yeah, absolutely. So for me, it's felt like a high school reunion, bumping into so many old colleagues, getting to see what everyone's up to. And so it's always an incredible pleasure to be here for that reason, just build your networks, reconnect with people. Everyone's talking about AI, obviously.
Starting point is 00:14:59 Agentic AI, more specifically. And so the buzz here is the buzz everywhere. But it seems like there are a lot of folks about, everyone's really interested, the exhibit floor seemed like it was heaving anytime you went down there. We have had some excellent meetings here with partners, with prospects, and with customers.
Starting point is 00:15:19 So no, overall it's been a great week. Well, I mean, let's touch on the hot topic, which as you mentioned is AI, and more specifically, agentic AI. Does that cross paths at all with the work you and your colleagues at Black Cloak do? Yeah, it's really interesting. So I think one of the things that we do ourselves, I'll sort of get into a little bit of one of our core use cases.
Starting point is 00:15:39 And so fundamentally, our value proposition for our members is we will help you to reduce your digital footprint to be as small as possible. Given it will never be zero, there will always be some trace. We can remove data from data broker sites, you know, images of your house from the street view on Google Maps. And so we do a lot of work around this. And obviously, in doing that work, we're interacting with web content all the time.
Starting point is 00:16:06 And so having an AI agent that's able to understand the context of the kind of page it's looking at and to reason around the page to say, yes, I understand that this is an input field for first name, last name, location, and this is an opt-out button, which can be the same thing as a removal button. And so I think for us, there's a lot of promise in the idea that we can be much more efficient in how we are collecting data from these pages, how we're submitting opt-out requests on a member's behalf. And so, yes, in short, I think there's definitely an application here for the work that we're
Starting point is 00:16:41 engaged in. And it's quite exciting to see how far and how fast things are traveling. Well, I mean, speaking to the types of services and products that you all provide, you know, in conversations with folks coming to the conference from all over the world, I have spoken to multiple international travelers who've said that there is increased scrutiny at the borders. And we're kind of in this place right now where I think people are figuring out how far things are going to go and how much is this a new reality or a transitional thing. But that plays into the types of things that you are all are helping with as well.
Starting point is 00:17:22 Yeah, I think so. I mean, one of the services we provide, again, you know, there are lots of things you can do with automation. There are many things you can't. And so one of the concierge services we provide is just advice on how to safely configure social media. And a lot of times we'll give briefings
Starting point is 00:17:39 to families about safe use of social media, what's appropriate to do, and what it isn't appropriate to do. And so again, that sense of how I should be using social media in a safe way would inherently, I think, make it much less of a risk if you were in one of those scenarios where suddenly you have somebody looking over your device. In other cases, as I said, when we have folks traveling overseas, a lot of times the best recommendation is take a burner phone, right? Take a phone, do what you need to do,
Starting point is 00:18:07 install the apps you need when you come back, you can wipe it. That's a really interesting insight, I think, about the family, right? Because I imagine, you know, a teenage child, you know, mom is a high powered executive somewhere. The kids didn't sign up for this, you know, maybe the spouse knew what they were getting into, but, um, so there's kind of a nurturing aspect to it as well.
Starting point is 00:18:34 As part of that bubble, you try to put around the whole family. 100%. And I think that is the hardest thing. I think for a lot of executives is to have to acknowledge that you are part of the brand, right? If you're a top executive at a financial services organization, particularly if you're public, particularly if you are a figure of noteworthy figure who is in the news, you know, that that does make you part of the corporate attack surface.
Starting point is 00:19:03 And so a lot of times when we're talking to grizzled, you know, CISOs will talk in those terms and say, you know, you can't just think about attack surface in terms of IP ranges, right? You have to think about the people and their families as well. And so I think really the founding principle of BlackCloak was to be able to almost have your cake and eat it too, right? Because we are able to extend security protections to the home. We have a range of privacy and security features for the executive, for their spouse, for adult children, teenagers living
Starting point is 00:19:36 in the home. But by the same token, it is not automatic that that information gets shared back. And so let's say, for example, that an executive's information gets breached for a site they're a member of, and they don't necessarily want their CISO to know all of their social activities, all of their hobbies. And so through Black Cloak, they're able to come directly to us as that sort of trusted intermediary to work on those issues without having to necessarily have all of the details of their home life,
Starting point is 00:20:06 their children's home life, their spouse's home life, common knowledge for the IT team in the office. And so we, in some respects, our SOC team act as an extension of the CISO. So when there's an issue with a family device, they can call us rather than calling the CISO, and we'll take care of that in a discreet way without necessarily again having to pass all of that data back up the chain to the company. Yeah, that's really interesting. I never really thought about reputational protection flowing to the company itself. Yes, it's really interesting.
Starting point is 00:20:40 Again, there's that two-way street. Obviously, for, as I said, the individual is part of the brand, but also actions the individual can, in some cases, reflect negatively on the brand as well. So there's a really, the dynamic between the personal and the business, it is not a clean line as much as we would like to believe that it is. It's a gray area. And the reality is that we may write a policy that says, we will respect privacy, we will separate these things. An attacker doesn't care, right?
Starting point is 00:21:09 And in fact, if I'm looking at targeting an individual, right, am I going to try and target a corporate resource that is probably going to be very well defended with enterprise-grade security, or am I going to try and sneak in the back door, right? I'm going to find, I can go to a data broker site and I'm going to find an email address or a phone number or a social media account and I can target my attack that way.
Starting point is 00:21:30 And so again, that's sort of the role that BlackCloak plays is expanding that secure perimeter outside the four walls of the organization. The other thing that strikes me is it's in a similar way, perhaps at a different scale to how we think of the cyber realm crosses into the physical world with things like critical infrastructure, you know, keeping the lights on and the trains running and the airplanes flying and that sort of thing. But the work that you all do also crosses over into the physical world, protection of people beyond just their zeros and ones.
Starting point is 00:22:09 Yeah, that's absolutely the case. And, you know, so for example, one of the things we'll typically do, every member gets like an individual one-on-one Zoom onboarding call, and we cover things like, you know, property addresses being online, right? And again, that information from a data broker could end up being very dangerous, right? If you have, you know, the street address
Starting point is 00:22:31 and then potentially there's a Zillow home listing from a couple years ago that has the property, pictures of all the rooms, it's very important that, you know, we take action to get those things removed because there definitely is that sense that the cyber always is a leading indicator in some respects of what's going to happen in the physical world. I mean, in past lives, I've worked with security companies who are very about the policy of a given organization. And the next thing you know, they're picketing outside the CEO's house or outside their
Starting point is 00:23:08 kid's school for the school run to try and generate embarrassment. And so again, I think what it comes down to is that what we're able to do, again, no such thing as perfection in this world, but you want to take every effort you can just to remove as much information as you can. And so, again, there's always that don't be the fish, right? You don't want to be the easy person to target or attack and you hope that attacker gets frustrated and moves on to an easier target. How do you dial in an appropriate amount of respect for the risks without unnecessarily injecting paranoia or fear
Starting point is 00:23:50 into the people that you're working with? That's a great question, and it's definitely a journey, right, and I think we like to say that we're perfectly happy to do a call walk run with our members, and so the initial call, we'll get some of the basic protections in place, but maybe we won't go to the PC or the Mac and install software there. And so it's definitely that sort of very kind of gentle approach.
Starting point is 00:24:16 And so we do, when we first have the onboarding call, we will give the member an indication of what's out there, but it's always in the context of what the good news is, we're busy taking care of this for you. And so, for example, we'll have representative data to say, look, you know, these email addresses have been in data breaches. We know those data breaches have social security numbers. So we might consider as a next thing, you can schedule a concierge call and we'll walk you through credit freeze and locks, for example. And so it's always trying to frame the risk in the context of the action. And so it's always that pivot to action, right? We want all of the information we're putting in front of our members to feel like the solution
Starting point is 00:24:56 or the remediation is wrapped into the messaging. It's not the scare tactic of a wall of red alerts with no indication of what I'm supposed to do about them. And in fact, in a lot of cases, one of the things we'll do is we actually, so on a home PC, we have an enterprise grade EDR solution running on those. And if we detect malware, it actually signals back to the SOC. And so they will then proactively reach out and say, hey, just so you know, we've seen
Starting point is 00:25:24 this, this is what we're going to do about it, rather than again, having a siren go off and red lights flashing on the PC, which again can be legitimately terrifying for somebody who isn't well versed in security. That's one of the, for me, joining BlackCloak, joined about a year ago, it is that's the nuance, right? We sell to a CISO, but our responsibility is ultimately to the member themselves, and it's not a technical audience. You can't use technical language when you talk to them.
Starting point is 00:25:51 And Chris Pierson has a great philosophy, which is, you know, anytime you put a new feature or a new screen, would mom be able to understand it, right? Could you show it to your mom? Could she understand what we're saying and what we're recommending to do? And that's never a bad philosophy to have in what we're trying to do. Yeah.
Starting point is 00:26:09 And coming back to the fact that here we are at RSAC and really a one-stop shop for a big high-level picture of everything going on in cybersecurity. How do you define your place in the community, in the ecosystem? What is the spot that you all fill? Yeah, that's a really great question. And so I think what we're doing is we're putting together maybe a little sub-slot, right? And so in talking about digital executive protection, which is how we describe ourselves, obviously one element of that is just simply sales and marketing motion for our products. We also recently put together a document called the Digital Executive Protection Framework,
Starting point is 00:26:50 which is really trying to kind of break out all of the different categories and all of the different elements under those categories in almost a NIST-like framework, just so again you can hand it over. And again, not all of these things are necessarily things that BlackCloak protects about, but it's trying to take a holistic, you know, community center view of what we believe this space should be. We think it's very important, we're very passionate about digital executive protection as a space and as a category. And so it's sort of an opportunity to go out and talk about this, and that's our little segment.
Starting point is 00:27:30 We sell to the enterprise, but again, it's really about that relationship with a member, the end user, that is so incredibly important for what we do. And finally, the federal government's quiet expansion of data sharing efforts enabled by President Trump's March executive order has sparked growing concerns among privacy advocates, technologists, and civil liberties groups. Central to the initiative is Palantir, a data analytics firm now working across multiple federal agencies including DHS, HHS, and the IRS to integrate vast stores of personal data. While the stated goal is to improve efficiency and break down information silos, the move
Starting point is 00:28:32 raises serious questions about oversight, transparency, and the potential risks of centralizing sensitive information. Palantir's Foundry Platform can consolidate and analyze complex datasets, making it possible to create detailed profiles of individuals using data originally collected for other purposes. Critics worry this level of integration, if not carefully governed, could erode public trust and expose citizens to unintended consequences. Even some Palantir employees have voiced discomfort with the direction of the company's government
Starting point is 00:29:08 work, highlighting the need for ongoing scrutiny and clear limits on how personal data is used. Maybe the real efficiency was the friends' personal information we consolidated along the way. Just a thought. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with John Hammond, Principal Security Researcher at Huntress. We're discussing their research, Critical Gladinet CentreStack and Triofox Vulnerability Exploited in the Wild.
Starting point is 00:30:02 That's Research Saturday, check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening.
Starting point is 00:30:22 We'll see you back here next week. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com
