CyberWire Daily - Apple’s race to secure your iPhone.
Episode Date: February 11, 2025

Apple releases emergency security updates to patch a zero-day vulnerability. CISA places election security workers on leave. Elon Musk leads a group of investors making an unsolicited bid to acquire OpenAI. The man accused of hacking the SEC's X/Twitter account pleads guilty. Law enforcement seizes the leak site of the 8Base ransomware gang. Researchers track a massive increase in brute-force attacks targeting edge devices. Experts question the U.K. government's demand for an encryption backdoor in Apple devices. Today's guest is John Fokker, Head of Threat Intelligence at Trellix, joining us to discuss their work on "Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike." And it's International Day for Women and Girls in Science.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Selected Reading
Apple fixes zero-day exploited in 'extremely sophisticated' attacks (BleepingComputer)
US cyber agency puts election security staffers who worked with the states on leave (AP News)
Elon Musk-led group makes $97.4 billion bid for OpenAI, CEO refuses and offers to "buy Twitter for $9.74 billion" (TechSpot)
OpenAI Finds No Evidence of Breach After Hacker Offers to Sell 20 Million Credentials (SecurityWeek)
Hacker who hijacked SEC's X account pleads guilty, faces maximum five-year sentence (The Record)
8Base ransomware site taken down as Thai authorities arrest 4 connected to operation (The Record)
Edge Devices Face Surge in Mass Brute-Force Password Attacks (Data Breach Today)
U.K. Kicks Apple's Door Open for China (Wall Street Journal)
International Day of Women and Girls in Science - United Nations (United Nations)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code n2k at checkout.
The only way to get 20 percent off is to go to JoinDeleteMe.com/n2k and enter code n2k at checkout.
That's JoinDeleteMe.com/n2k, code n2k.

Apple releases emergency security updates to patch a zero-day vulnerability.
CISA places election security workers on leave.
Elon Musk leads a group of investors making an unsolicited bid to acquire OpenAI.
The man accused of hacking the SEC's X (Twitter) account pleads guilty.
Law enforcement seizes the leak site of the 8Base ransomware gang.
Researchers track a massive increase in brute-force attacks targeting edge devices.
Experts question the UK government's demand for an encryption backdoor on Apple's devices.
Today's guest is John Fokker, head of threat intelligence at Trellix, joining us to discuss
their work "Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike."
And it's International Day for Women and Girls in Science. It's Tuesday, February 11, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great to have you with us.
Apple has released emergency security updates to patch a zero-day vulnerability that was
exploited in highly sophisticated targeted attacks. The flaw, reported by Citizen Lab's Bill Marczak, affects USB Restricted Mode, a security feature
designed to block unauthorized data extraction from locked iPhones and iPads.
Attackers could bypass this protection through a physical exploit, potentially using forensic
tools like GrayKey or Cellebrite.
Apple addressed the issue with improved state management.
The vulnerability affects various iPhone and iPad models,
including iPhone XS and later.
Though the attack was limited to specific targets,
users are urged to update immediately.
The U.S. Cybersecurity and Infrastructure Security Agency has placed 17 staffers on
administrative leave, raising concerns about election security support.
These employees, including 10 regional election security specialists, provided cybersecurity
and physical security training to state and local election officials. The internal review reportedly examines efforts to counter foreign interference and misinformation.
Both Republican and Democratic election officials have defended CISA's work, highlighting its
crucial role in securing elections.
The move comes amid political pressure, with Trump administration figures criticizing CISA's
past efforts to
counter misinformation.
The agency remains without a permanent director, and its leadership was absent from recent
election security meetings.
Despite the suspensions, CISA has assured states that cybersecurity and physical security
services will continue to be available. Elon Musk and a group of investors have made a $97.4 billion unsolicited bid to acquire
OpenAI, escalating Musk's ongoing feud with CEO Sam Altman.
Altman dismissed the offer on X (Twitter), jokingly offering to buy Twitter for $9.74 billion, to which Musk
responded, "Swindler."
Musk's consortium, which includes Baron Capital and Valor Management, seeks to restore OpenAI's
original open source mission.
Musk argues that OpenAI has strayed from its founding principles, while his own xAI follows the values he was promised.
The bid complicates Altman's efforts to take OpenAI private, as the for-profit arm must fairly value the nonprofit's assets.
Musk also urged California's Attorney General to open competitive bidding. Musk co-founded OpenAI in 2015 but left in 2018.
His ongoing legal battles against OpenAI focus on its shift toward profit-driven AI.
In other OpenAI news, a hacker named emirking claimed on BreachForums
to be selling 20 million OpenAI credentials, but experts
believe the data originates from infostealer malware, not an OpenAI breach.
OpenAI says they investigated and found no evidence of a compromise.
Threat intelligence firm KELA analyzed the data and confirmed it matches infostealer
logs likely collected from malware like RedLine, RisePro, and Vidar.
The hacker's post was later deleted, reinforcing suspicions that the claim was exaggerated.
BreachForums is known for hosting misleading data breach claims.
Eric Council Jr., age 25, pleaded guilty to conspiracy to commit identity theft and fraud after hacking
the U.S. Securities and Exchange Commission's X (Twitter) account in January of last year.
His actions caused wild swings in Bitcoin's price by falsely announcing SEC approval of
crypto-based ETFs.
He faces a maximum sentence of five years with sentencing set for May 16th.
Mr. Council used SIM swapping techniques to take over the SEC account, posing as an FBI employee
to obtain a victim's phone number. He then used it to reset security codes and hijack the @SECGov
account. Prosecutors say he was paid in Bitcoin for the hack,
which aimed to manipulate the crypto market.
Law enforcement agencies seized the leak site of the 8Base ransomware gang,
replacing it with a takedown notice.
The action coincided with the arrest
of four suspects in Thailand,
accused of stealing $16 million from over
1,000 victims worldwide.
Authorities from Switzerland and the US had issued warrants for the suspects, two men
and two women, who now face wire fraud and conspiracy charges.
Europol, the FBI, and other agencies supported the operation, named Phobos Aetor.
8Base emerged in 2023, targeting manufacturing firms and entities like the United Nations
Development Programme.
It has ties to RansomHouse and Phobos ransomware.
The takedown follows similar law enforcement crackdowns on ransomware groups like LockBit and BlackCat, contributing to a 35% drop
in ransom payments in 2024.
Security researchers have observed a massive increase in brute-force attacks targeting
edge devices, often launched from malware-infected routers and firewalls.
The Shadowserver Foundation reports that 2.8 million unique IP addresses daily have been used in these attacks,
with the highest concentrations coming from Brazil, Turkey, Russia, and Argentina.
The attacks primarily target devices from Palo Alto Networks, Ivanti, and SonicWall,
with over 100,000 MikroTik devices implicated. The cause of these infections remains unclear,
though some speculate malware may be bundled with popular software in Brazil.
Hackers, including state-sponsored groups like China's Salt Typhoon,
often exploit unpatched vulnerabilities in edge devices.
The surge highlights ongoing cybersecurity risks for firewalls, VPN gateways,
and email security appliances, which remain prime targets for cyberattacks.
A Wall Street Journal editorial from Johns Hopkins cryptographer Matthew Green and SentinelOne CISO Alex Stamos
warns that the UK government's demand for an encryption backdoor in Apple's
devices poses a grave risk to global security.
The order would allow British authorities to access any iPhone users' private data
worldwide, setting a dangerous precedent that could weaken security for billions.
The editorial argues that Congress must act immediately to prohibit U.S. tech companies
from complying with such demands, creating a legal conflict that Apple could fight in
U.K. courts.
The authors highlight the growing cyber threats from Russia and China, pointing to recent
hacks targeting U.S. telecoms, the Treasury, and political figures.
Even the FBI now supports encryption to protect Americans from cyber threats.
If Britain succeeds, China and other nations will surely follow, undermining security for
all.
The editorial urges lawmakers to ensure strong encryption remains unbreakable by any foreign
government, safeguarding American privacy and national security.
Coming up after the break, my conversation with John Fokker from Trellix.
We're discussing their work "Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike," and celebrating International Day for Women and Girls in Science.
Stay with us.

Cyber threats are evolving every second and staying ahead is more than just a
challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a
full suite of solutions designed to give you total control, stopping unauthorized
applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today
to see how a default deny approach
can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for a thousand dollars off.

John Fokker is head of threat intelligence at Trellix. I recently sat down with him to discuss their work "Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike."
For years now, we've seen a convergence.
And if you look at our customer base from governments, financial institutions, all across
the board, there used to be a lot of like, oh, but we're not at risk of an APT, like a nation state,
or we're more inclined to cyber criminal and all these things.
And what we've been seeing in the course of several years now is that it's becoming such
a gray area.
Even for our customers, you cannot say like, well, we're more at risk of an APT versus
a cyber criminal because, yeah, they're working together, working as proxies.
So our researcher, Tomer, in the team was very, very talented.
He took it upon himself to lay this down and explain that the attribution that
you could very easily do in the past is becoming harder and harder, and
it might actually be that you're attacked by a cyber criminal,
but the ulterior motive is that it's state-directed, or
it actually is a state actor going after your financials.
So it's not as easy or as clear as it used to look.
Can we dig into some of the details here?
I mean, what are some of the ways that we're seeing
a lot of this crossover?
Can you share some specifics?
Oh, totally, totally.
Things that we've seen very much being adopted
on both sides is living off the land.
We noticed that, and that makes attribution harder, right?
You're using the tools that are either non-malicious
or they're actually present on the victim system
or in the network, so you kind of go under the radar,
but it also makes it harder for a lot of
your security tools to distinguish,
because it's not necessarily you're using a malicious binary,
you're just using something which was designed for good,
but with bad intent.
And we see that being used by cyber criminals as well as APT actors.
So on the cyber criminal side, a lot of the ransomware gangs
using a lot of the living off the land
just because they don't want to be detected.
And it's very useful.
You don't have to smuggle anything in.
And you can exfiltrate data out, or you can just elevate, or you can work your way through the network.
At the same time, if we look at a group, let's say Volt Typhoon, it is very, very competent
in using living off the land as well to get to their objective. They often attack, like,
edge routers, but then they move through the network laterally and they use a lot of living off
the land. And this is just the tools.
Obviously, I have a background in law enforcement before I joined the private sector.
It's funny, I'm from the Netherlands and we have a very, I would like to say, competent
cybercrime teams that work a lot with the FBI.
The Netherlands is known for bad hosting.
I can recall many times I had to go to a hosting provider which
was considered a bulletproof hoster and they would comply eventually. But
it could have been at the request of an intelligence agency that there is
actually a system being used by a state-sponsored actor, or it was a
cybercriminal system, or was a C2 server for a cyber criminal team. So for me that says like,
hey, they're using the same infrastructure
because it was the same hosting provider.
It was, so we're coming to the same area,
the same registration,
but it was just a different group.
So they're using infrastructure as well.
Well, despite this convergence here,
are there still differences that are apparent
or are there different skill
levels? What are some of the things that when you're looking at the techniques here that
differentiate between the two to this day?
Yeah, that's a good question. If I say skill level, if we take the LOLBin stuff, I think
if you compare, let's say, a ransomware group with
an APT group, and the APT group is not aimed to disrupt, but they're doing classic espionage,
we would see that they stay low and slow, and they take their time, whereas the ransomware
teams are up against the clock.
So they are allowing themselves to make a little bit more noise
in order to get to their objective because their goal is essentially different. What
we also see is a lot of the more refined exploit discovery and development, the vulnerability
discovery and then exploit development, is usually done by the nation state groups, the state-sponsored groups.
They're far more skilled at that.
And like the Midnight Blizzard,
how they've been using these cloud-based attacks,
that's something that we have yet to see at that scale
and sophistication by cyber criminal actors.
And yeah, we almost cannot talk any podcast
without mentioning AI.
So we see on both sides of the spectrum,
they're adopting AI,
whereas I can see that cyber criminals are adopting it
for code base and solving problems they have
and speeding up their operation.
However, you know just as well as I do that cyber criminal activity is not operating in
a vacuum.
They're always dependent on key services that are in the kill chain left or right of them.
Whereas APT actors have a lot of that stuff in-house.
So you would see more refined usage of AI in their attacks
by state actors versus cyber criminals.
You know, John, I've seen folks
when they're looking at this blurring of lines
say that attribution doesn't really matter anymore.
Do you go along with that statement
or is there still value there?
Well, depends on who you talk to.
Like I would yet have to see a CEO that is not interested in like, okay, who stole my
wallet type of analogy.
But at the same time, the people that we interact with and they use like our software and they use our solutions
and the actual people in the trenches, very often, yeah, attribution can help speed things
up but it is the outcome of the process you go through.
That's the way I see it.
So it's an important factor but when you get breached or you're dealing with an incident, it's not always the most
pressing at hand.
Because yeah, you have to kick off threat hunting.
You have to find patient zero.
You're going in a full IR cycle.
And by doing so, and you're using threat intelligence, and you might have hypotheses forming.
And I think that's a very healthy thing to do for every security
practitioner, to say like, okay, what kind of
adversary are we dealing with and what can we expect from such an adversary, other tools that they might use or their
intent? And then you could base your hunting off of that. I think that's very helpful.
But while you're doing this, you kind of fill in the blanks and eventually the outcome of
your full investigation would probably lead to an attribution of an actor of such kind.
And yeah, with ransomware, it's very obvious when you, if you wait long enough, they'll
make themselves known and you get an, as our friends
at Google say, a third party notification from the threat actor in their state of the
union talk.
I love that statement by the way.
And yeah, they make themselves known and you know who you're dealing with.
Well, given this reality of this blending, this blurring,
as you all describe it, what are your recommendations then
for folks who are tasked with defending their organizations
given that this is the reality?
Yeah, that's some good advice I would give is like,
and you can use this, you can do this in multiple ways,
but it is to do a threat modeling exercise.
Yes, you need to study the threat actors that
are prevalent in your sector.
That's healthy.
You need to do that.
But don't have that blind bias that you only think like, OK,
we're only dealing with APT and no ransomware.
Because let's be honest, if you have a vulnerability somewhere
and somebody can get in, yeah, you
don't know who's in until they're in.
And then they can wreak havoc.
And that could be a cyber criminal actor,
it could be even a hacker.
But looking at the threat landscape,
looking at all the different threats that might attack you
and then overlaying those TTPs,
looking at, okay, what are the commonalities?
What are some of the overlap points
that they all have to do? They all have to
escalate privileges. They all have to maybe use certain credentials. They all have to do X, Y,
or Z. And when you identify those points, you can actually look at your security controls and see,
okay, are we protected against this? Or are there controls missing, or can we adjust our current controls to have coverage, or if we're blind, is there anything we can do with
threat hunting so can we kick off some proactive hunting in our environment
just to get better eyes on to study to see and maybe there's evidence of a
breach so there's all these things we would say like okay study all and
nowadays, luckily, that's a lot easier to do than it was a couple of years
back.
So even with some AI, you can create some pretty elaborate stuff and you can drill down
and see how your security posture is scaling up towards a multitude of actors.
But every actor, initial actors or whatever,
they move on your network.
So I always say or often say,
like your chance to detect them is really on that period
when they first enter to their final objective.
And that doesn't matter if it's a ransomware actor
or an APT actor, they have to move through your network.
So knowing your network and knowing what the anomalies are,
that's key.
That's John Fokker, head of threat intelligence at Trellix.
We'll have a link to their publication in our show notes.

And now, a message from our sponsor Zscaler, a leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in
2024, these traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation, and detecting threats using AI to analyze
over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
This episode is brought to you by Samsung Galaxy.
Ever captured a great night video only for it to be ruined by that one noisy talker?
With audio erase on the new Samsung Galaxy S25 Ultra, you can reduce or remove unwanted
noise and relive your favorite moments without the distractions.
And that's not all.
New Galaxy AI features like NowBrief will give you personalized insights
based on your day schedule
so that you're prepared no matter what.
Buy the Samsung Galaxy S25 Ultra now at Samsung.com.
And finally, it is the United Nations International Day
for Women and Girls in Science.
It's a day worth celebrating.
Here's N2K's Maria Varmazis with more.
Today, February 11th, is the International Day of Women and Girls in Science.
This one's personal.
I grew up in a house where science and engineering were revered and encouraged at every turn.
My peer group in high school were other science-minded girls like me.
There's a photo in my high school yearbook of our computer club that always makes me chuckle,
because there I am off to the side, the only girl.
It's a dynamic that you get used to.
Even at engineering school and college, not unlike high school,
it wasn't unusual to be the only young woman in a lab,
or maybe one of a handful in a large seminar.
It was easy for us to remember each other.
Us engineering school women would often become friends,
toiling away at problem sets and study rooms for hours every day,
sharing notes, helping each other prep for exams, rotating who would go to office hours.
And it's funny, outside of engineering, many of us probably wouldn't have been friends.
We really didn't have all that much in common interest-wise, but we knew what we were all up against,
so we banded together for survival.
I'll skip to the chase.
We were the class of 2005, so it's been 20 years.
Many of the women I knew from those days went into their chosen fields after graduating.
But now these decades on, of the dozens of women that I knew starting their careers in
science and engineering, maybe four are still working in them.
Now career changes happen for all sorts of reasons, like in my case where it simply is
just not the right field for you.
It happens.
But sometimes it's the result of a slow fade, where over the years you have to keep fighting
an invisible war and sometimes you simply get tired of it.
Whatever you want to call it, a retention problem, a cultural problem, it goes way beyond
any federal mandate or national border.
And there are conversations happening, said and unsaid, especially right now, about whose
stories are celebrated, whose competence and credibility is celebrated, who rises in the ranks with like-minded peers, whose accomplishments are worth a
damn, who is a merited hire. In other words, in science and engineering, who
belongs? Well, women do. This is only the tenth anniversary of International Girls
and Women in Science Day, so all you trailblazers toiling long hours over problem sets, labs, trials, reams and reams of data,
connecting with that spark of joy that ignited that love of science, ladies, I see you.
Our world needs your perspective and your expertise more than ever.
Keep fighting out of spite for the haters if nothing else.
And please remember, even if you are the only one in the room, you belong.
That's N2K's Maria Varmazis, host of the N2K T-Minus Daily Space podcast.
We'll have a link with more information about the International Day of Women and Girls in
Science celebration. You can find that in our show notes.
And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed
by Trey Hester with original music and sound design by Elliot Peltsman. Our executive producer
is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey everyone, grab your favorite mug and put the kettle back on the stove, because Afternoon
Cyber Tea is coming back.
This season I am joined by an all-star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity.
We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world around us.
And as always, we will be bringing you thought-provoking discussions and fresh perspectives of what is driving the future of cybersecurity and what leaders can do now to protect their teams tomorrow.
New episodes will be coming in February, every other Tuesday, so subscribe now wherever you get your favorite podcasts.
