CyberWire Daily - Bear in the network.

Episode Date: May 21, 2025

A joint advisory warns of Fancy Bear targeting Western logistics and technology firms. A nonprofit hospital network in Ohio suffers a disruptive ransomware attack. The Consumer Financial Protection Bureau (CFPB) drops plans to subject data brokers to tighter regulations. KrebsOnSecurity and Google block a record-breaking DDoS attack. A phishing campaign rerouted employee paychecks. Atlassian patches multiple high-severity vulnerabilities. A Wisconsin telecom provider confirms a cyberattack caused a week-long outage. VMware issues a Security Advisory addressing multiple high-risk vulnerabilities. Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing the deliberate simplicity of fundamental controls around zero trust. Oversharing your call location data.

CyberWire Guest

On our Industry Voices segment, today we are joined by Rob Allen, Chief Product Officer at ThreatLocker, from RSAC 2025. Rob discusses the deliberate simplicity of fundamental controls around zero trust. Token theft and phishing attacks bypass traditional MFA protections, letting attackers impersonate users and access critical SaaS platforms without needing passwords.

Selected Reading

- Russian GRU Targeting Western Logistics Entities and Technology Companies (CISA)
- Ransomware attack disrupts Kettering Health Network in Ohio (Beyond Machines)
- America's CFPB bins proposed data broker crackdown (The Register)
- Krebs on Security hit by 'test run' DDoS attack that peaked at 6.3 terabits of data per second (Metacurity)
- SEO poisoning campaign swipes direct deposits from employees (SC Media)
- Atlassian Warns of Multiple High-Severity Vulnerabilities Hits Data Center Server (Cybersecurity News)
- Cellcom Service Disruption Caused by Cyberattack (SecurityWeek)
- VMware releases patches for security flaws in multiple virtualization products (Beyond Machines)
- Massachusetts man will plead guilty in PowerSchool hack case (CyberScoop)
- O2 VoLTE: locating any customer with a phone call (Mast Database)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Starting point is 00:00:40 Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire. A joint advisory warns of Fancy Bear targeting Western logistics and technology firms. A nonprofit hospital network in Ohio suffers a disruptive ransomware attack. The Consumer Financial Protection Bureau drops plans to subject data brokers to tighter regulations. KrebsOnSecurity and Google block a record-breaking DDoS attack. A phishing campaign rerouted employee paychecks.
Starting point is 00:01:33 Atlassian patches multiple high-severity vulnerabilities. A Wisconsin telecom provider confirms a cyberattack caused a week-long outage. VMware issues a security advisory addressing multiple high-risk vulnerabilities. Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing deliberate simplicity
Starting point is 00:01:58 of fundamental controls around zero trust and oversharing your call location data. It's Wednesday, May 21st, 2025. I'm Dave Bittner and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. A joint cybersecurity advisory from the US and allied agencies warns of ongoing cyberespionage by Russia's GRU Unit 26165, also known as APT28 or Fancy Bear, targeting Western logistics
Starting point is 00:02:57 and technology firms, especially those supporting Ukraine. Active since 2022, the campaign employs tactics like password spraying, spear phishing, and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Targets include transportation hubs, defense contractors, IT services, and air traffic systems across NATO countries. The GRU has also compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are urged to enhance monitoring, threat hunting, and network defenses against these persistent threats. Kettering Health, a nonprofit hospital network in Ohio, suffered a ransomware attack attributed
Starting point is 00:03:43 to the Interlock group. The incident caused a system-wide technology outage, disrupting access to electronic health records and patient care systems across its 14 hospitals and over 120 outpatient facilities. All elective procedures were canceled, and the call center was rendered inaccessible. Emergency services remained operational, but ambulances were diverted to other facilities, prompting neighboring Premier Health to declare a code yellow due to increased patient volumes. The attackers threaten to leak stolen data unless a ransom is paid. Kettering Health is collaborating with cybersecurity experts to investigate and restore systems. Additionally, reports emerged of scammers impersonating Kettering staff to solicit payments.
Starting point is 00:04:33 The organization has suspended all payment-related calls and advises patients to report suspicious contacts to law enforcement. The Consumer Financial Protection Bureau has dropped plans to classify certain data brokers as credit bureaus, a move that would have subjected them to tighter regulations. Proposed in December of 2023, the rules aimed to curb the sale of Americans' sensitive data by requiring accuracy, transparency, and limiting data sales to legitimate uses, like credit or employment checks. But the CFPB has now deemed further rulemaking not necessary or appropriate. Critics warn this leaves Americans vulnerable, as brokers often collect data from apps or
Starting point is 00:05:21 telcos, sometimes exposing users at protests or clinics. Several data breaches have highlighted the risks, with billions of records stolen from poorly secured brokers. While the U.S. backs off regulation, the UK is still evaluating stricter oversight. CFPB's future remains uncertain amid political pressure. KrebsOnSecurity was targeted on May 12 by a record-breaking DDoS attack peaking at 6.3 terabits per second, ten times larger than the infamous 2016 Mirai botnet assault. The attack, mitigated by Google's Project Shield, lasted less than a minute but marked
Starting point is 00:06:06 the biggest attack Google has ever handled. Security experts link the attack to the Aisuru botnet, a network of hijacked IoT devices like routers and DVRs. Aisuru's operators exploit weak passwords and software flaws, selling attack services on Telegram under the handle Forky for up to $600 per week. This botnet has been rented out since at least August 2024. Law enforcement has seized some of its related domains, but the threat remains active, with major web services still struggling to counter such powerful assaults. A phishing campaign rerouted employee paychecks by tricking users into entering credentials on fake mobile-specific payroll sites, according to ReliaQuest. Attackers used Google Ads and SEO
Starting point is 00:06:59 poisoning to lure victims searching for HR portals on mobile devices. Clicking these ads led to fake Microsoft login pages designed to harvest credentials. Once compromised, attackers accessed SAP SuccessFactors accounts and changed direct deposit details, diverting paychecks to their own accounts. The attack used a proxy network of hijacked home routers to mask the attackers' locations and evade detection. Real-time monitoring tools helped attackers act before credentials could be reset. ReliaQuest recommends using multi-factor authentication, alerts for deposit changes, employee education,
Starting point is 00:07:42 and proactive threat intelligence to combat these mobile-targeted phishing campaigns that bypass corporate network defenses. Atlassian's May 2025 Security Bulletin reveals eight high-severity vulnerabilities impacting several Data Center and Server products. The flaws, found through bug bounties, testing, and library scans, could lead to denial-of-service attacks and privilege escalation if left unpatched. Notably, Bamboo and Confluence Data Center are exposed to a Tomcat Coyote bug causing memory leaks and crashes from malformed HTTP/2 headers. Confluence also faces a stack overflow risk via the
Starting point is 00:08:27 XStream library. Fisheye/Crucible is vulnerable to a denial-of-service flaw in json-smart, while Jira Software and Service Management are at risk from Netty's SSL handler bug. Additionally, a privilege escalation issue threatens Jira products, enabling attackers to gain unauthorized access. Users are urged to patch immediately to secure enterprise environments. Wisconsin telecom provider Cellcom confirmed a cyberattack caused a week-long outage affecting voice and text services in Wisconsin and upper Michigan.
Starting point is 00:09:07 While some services have been restored, full recovery is expected by week's end. The company's CEO assured customers they had protocols in place and they're working with cybersecurity experts and authorities to resolve the issue. Cellcom stated no sensitive customer data appears compromised as the breach impacted a network segment without personal information. Though the company has not disclosed the attack type, the scope suggests ransomware may be involved, though no group has claimed responsibility.
Starting point is 00:09:40 Cellcom emphasized its cautious, deliberate approach to recovery and pledged to provide updates on restoration efforts and the ongoing investigation. VMware has issued a security advisory urging immediate action on multiple high-risk vulnerabilities across its virtualization products. Top priority is a critical vCenter Server flaw that allows unauthenticated attackers to execute arbitrary commands and take control of the host. Admin interfaces should be restricted to trusted networks. Other notable flaws affect VMware Cloud Foundation, including a directory
Starting point is 00:10:19 traversal issue and information disclosure risks, both exploitable via simple network access to port 443. Additional vulnerabilities impact ESXi, Workstation, and Fusion, including denial-of-service bugs and a cross-site scripting flaw. VMware has released patches for all affected systems and recommends organizations review and apply updates promptly to minimize risk of exploitation. Federal authorities say Matthew Lane, a 19-year-old student from Massachusetts, will plead guilty to hacking PowerSchool, a major education software firm serving over 60 million students. Lane used stolen credentials from a contractor to access PowerSchool systems, stealing sensitive
Starting point is 00:11:11 data on students and teachers. He then issued a ransom demand in December, threatening to leak the data unless paid nearly $2.9 million in Bitcoin. PowerSchool confirmed it paid, though the amount remains undisclosed. Lane, linked to the ShinyHunters hacking group, is also accused of trying to extort a telecom company. He will plead guilty to charges including unauthorized access to protected computers and aggravated identity theft.
Starting point is 00:11:43 Federal prosecutors call it a significant win in what may be the largest breach of U.S. schoolchildren's data to date. Coming up after the break, my conversation with Rob Allen from ThreatLocker, we're discussing deliberate simplicity of fundamental controls around zero trust and oversharing your call location data. Stick around. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Starting point is 00:12:35 Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue.
Starting point is 00:13:10 And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta. GRC. How much easier trust can be. Get started at Vanta.com slash cyber. Worried about cyber attacks? Cyber care from Storm Guidance is a comprehensive cyber incident
Starting point is 00:13:52 response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts. So if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at cyber.care slash cyberwire. Rob Allen is Chief Product Officer at ThreatLocker. I recently caught up with him at the RSAC conference for a sponsored Industry Voices segment discussing deliberate simplicity of fundamental controls around zero trust.
Starting point is 00:14:58 We are continuing with our conversations here at RSAC 2025 and I am pleased to be joined by Rob Allen. He is Chief Product Officer at ThreatLocker. Rob, welcome. Thank you. It's good to be here. For folks who may not be familiar with the company, give us the brief description of what ThreatLocker is. ThreatLocker is awesome. Is that brief enough? Thanks for joining us here today. Thank you. Thank you. No, so ThreatLocker is a, it's an endpoint protection platform. Zero trust focus, so deny by default, basically. So it's a slightly different approach
Starting point is 00:15:30 to most cybersecurity, which is typically reactive. So it's waiting for something bad to happen, basically, or some indication of bad things happening. We are more proactive, so we're more about stopping it happening than responding to it happening. A lot of different ways we do that. So we start with allow listing,
Starting point is 00:15:46 so just allowing what needs to run to run, and we've got ring fencing, and lots of really cool stuff. But it's all based around that principle of deny by default, permit by exception. So rather than letting everything happen, except what we know to be bad, we only allow what's required. Can we talk about the challenge with endpoint protection
Starting point is 00:16:06 of lateral movement and protecting against that? Sure, well I mean there's a couple of different types of lateral movement. There's lateral movement between programs on an endpoint because very often a lot of these breaches start with for example something like Outlook calling something like PowerShell. Now in reality in most environments,
Starting point is 00:16:24 there's no reason for Outlook to call PowerShell, but someone in their infinite knowledge and wisdom in Microsoft decided one day, hey, it'd be really cool if we'd make this possible. Now it's being exploited, so we can control that lateral movement between applications, but we can also control lateral movement across the network, because that's another huge problem.
Starting point is 00:16:42 So once one machine gets compromised, typically it doesn't take them very long to move to another machine or to another machine or to another machine, and eventually they get to something that's really important. So controlling network access, same principles, deny by default, permit by exception, but only allowing trusted devices
Starting point is 00:17:00 connect to other trusted devices, and basically just limiting access to the network will stop, as I said, that lateral movement as well. Help me understand, how much of this is, say, signature-based, how much of it is behavioral? Is there a blend? None and none. Okay.
Starting point is 00:17:18 Generally speaking. So what we're talking about, I actually have a really interesting example to give you about this, but basically what we're talking about is fundamentally controls. So it's about applying controls to your environment. So the control over what can run and what can't run,
Starting point is 00:17:31 the control over what things can do, controls around the network. So it's not about detecting or recognizing bad behavior per se, it's about saying, well look, we're going to control the environment in such a way that that bad behavior can take place. I'll give you an example, if you don't mind.
Starting point is 00:17:46 So we did a podcast some time ago with a guy called Jacoby, David Bombal, and Jacoby. And Jacoby is an absolute genius. He was Hak5's Hacker of the Year a number of years. He came up with something that is unbelievably cool, which is basically an API-based polymorphic PowerShell reverse shell. So basically, he reaches out to an API using PowerShell. It gives him code, PowerShell code, basically.
Starting point is 00:18:15 But it's polymorphic, so it changes every time. So signature-based detections just don't find it. So he tested that against every major EDR, every tool that he could find, he tested that against, and none of them recognized it as what it was. He tried it against ThreatLocker, and ThreatLocker immediately blocked it. Now, he was convinced that we were doing
Starting point is 00:18:36 some behavioral-based recognition of what he was up to, and what we were actually doing was just blocking PowerShell from accessing the internet. So it was a really simple basic control that solved a very advanced complex, quite frankly brilliant exploit. So that might explain somewhat better. So we're not about behavior. We don't care what the behavior is. We care about applying controls to the environment in such a way that it can't be.
Starting point is 00:19:07 So is it fair to say that a deliberate simplicity to the approach? Absolutely. The beauty about that simple approach is that you don't need to know everything that's bad, because if you block everything, then you're going to block all the bad stuff. You're also going to block good stuff that could be misused,
Starting point is 00:19:27 and that's something else that people need to consider, is things like WinRAR, for example. I mean, WinRAR has all of the characteristics of ransomware. You can encrypt data, you can transfer data, and you can delete data, all with one convenient program that is not in itself malicious. Things like PuTTY, we've seen PuTTY being used for data exfiltration.
Starting point is 00:19:46 Now again, PuTTY is not a bad program, it's not a bad application, but can it be used for bad purposes? Absolutely it can. So the beauty about the Deny by Default approach is you don't need to know all of the bad things, you don't need to know all of the exploitable things, you just need to allow what's required
Starting point is 00:20:02 and block everything else. It's so simple. But once you actually get your head around it, it's like, why isn't everybody doing this? Well, so how do you do the things you need to do and at the same time not introduce undue friction? Because in reality, the vast majority of users do the same things in the same way with the same software
Starting point is 00:20:24 every single day. And fundamentally, all we're doing is setting guardrails around that. I'm saying, look, you operate within these guardrails, you're not going to even know we're here. Now, if you step outside of those guardrails and try and download that coupon clipper from China or run a remote access tool,
Starting point is 00:20:39 absolutely we're going to step in and stop that. But that's what organizations need. That's what they need to keep them safe. What about things like token theft? You know, that sort of thing. How do you come at that? So token theft is an interesting one. So we've recently started expanding.
Starting point is 00:20:55 We were typically endpoint based, or exclusively endpoint based for many years. Now the reason for that was basically most of the action was taking place in the endpoints. Most breaches started at the end point. But we realized that customers also have challenges with the cloud, specifically controlling access to cloud resources.
Starting point is 00:21:15 So what we did for that is we have, and it comes back to this idea of deny by default, permit by exception. So Microsoft actually have some quite advanced conditional access functionality in Office 365, for example. So you can have what are called named locations, you can have a bunch of IP addresses in a named location
Starting point is 00:21:31 and say look, allow these IP addresses to connect to my Office 365 and block everything else. That's fine until somebody has an event like this. My IP address has probably changed five times today. So it's not, it's fine static, but dynamic presented a challenge. So what we did is we've got obviously the ThreatLocker agent installed on people's machines,
Starting point is 00:21:52 it's checking in reporting its IP address. We have an app on our phone, which basically is checking in reporting my phone's IP address. We take all those IP addresses, we upload them to a named location in Office 365, and those IP addresses are allowed to connect while the entire rest of the internet is not.
Starting point is 00:22:08 So the way a lot of people have approached this is, fundamentally, a lot of people will do countries. So they're going to say, look, allow the United States and block the rest of the world, which is fine until your CEO goes on holidays to the Bahamas and all of a sudden he can't access his resources. So this is why the dynamic nature of what we do is so effective, because it doesn't matter
Starting point is 00:22:26 if I go to the Bahamas or Timbuktu, quite frankly. I'll have an IP address, it's going to check in, register, upload, and be added to the named location. So it doesn't matter if somebody steals my credentials. It doesn't matter if somebody's got, even gets my token. The fact is they won't be allowed to connect because of those conditional access policies. When someone decides that they want to take this approach,
Starting point is 00:22:49 that they're all in on going at the problem this way, what does the onboarding look like? Surprisingly smooth is the answer to that question because basically when we deploy ThreatLocker, when a customer deploys ThreatLocker, it's not blocking anything. It's not stopping anything. It's not getting in their way.
Starting point is 00:23:05 Fundamentally all it's doing is it's logging data. It's basically building a set of policies based on what's present in the environment. So it takes a lot of the heavy lift out of this process. So there's an analysis... Correct. A learning sequence. Okay.
Starting point is 00:23:19 Absolutely. So the learning period basically, what it's doing is it's logging all of the software that's on your machine and saying, look, all of the software is required we're going to fundamentally allow this this or create a lot of our policies to allow this to run after which point you know a couple of weeks in the future we can say okay well you've got policies for all you need all the things you need and we're going to lock it down and then all of those things are going to be allowed and
Starting point is 00:23:39 then nothing new is going to be allowed to run on your machine. Are there company-wide policies, but then individual policies as well? You can do it at various different levels. You can do it company-wide, you can do it global. Teams, you know. Exactly, in particular, again. My salespeople travel, they need. Correct, exactly, and your IT team
Starting point is 00:24:00 probably need a little bit more leeway in terms of the tools they're going to run. So they might need to run a tool like PuTTY. Whereas your finance department probably aren't, your marketing people definitely aren't, your marketing people might need Creative Cloud, but your IT team don't. So it's not a question of applying the same rules
Starting point is 00:24:16 to everybody. You can pick and choose, you can adjust and tweak as necessary. Again, the idea being to allow people to do what they need to do, but no more. As a provider of the type of tool that you provide, as you're looking toward the horizon and you're seeing the evolution of the threats, how do you stay nimble?
Starting point is 00:24:41 How do you anticipate and know that your own roadmap is going to be able to respond to those things? Well, to some extent, I mean, obviously, we're constantly striving to improve what we do. We're trying to make it as seamless as possible, both for the administrators and also for the users. That's something that's really important to us. I mean, one of the beauties of the approach that we take,
Starting point is 00:25:03 because it's denied by default, we're not constantly responding to new threats, to new techniques, to new tactics. I mean, obviously we tweak and adjust our policies from time to time, we make them more secure, we can absolutely always improve things, but generally speaking, the denied by default approach means that it doesn't matter if a new piece of malware
Starting point is 00:25:23 appears tomorrow, a zero day appears tomorrow, or even a particular piece of software is vulnerable. You know what I mean? There's, application vulnerabilities are a major, major issue. But you have to consider with the likes of application vulnerabilities is, well, what's the next thing that will typically happen if a vulnerable application is exploited?
Starting point is 00:25:41 Well, generally speaking, something's going to run, or something's going to reach out to the internet. You know, somebody's going to call PowerShell to try and download a payload. Well, if you can stop all of those interactions, then you basically stop that vulnerability from being exploitable. So as I said, it's the beauty of deny by default is you don't, you're not constantly trying to play catch-up. And again, that's one of the problems with cybersecurity as a whole is the industry is constantly playing catch-up. The bad guys are nimble, the bad guys are really,
Starting point is 00:26:10 really clever and they're constantly one step ahead. And if your approach requires you to keep up with them, then you're never going to win. I mean, the sad reality, the sad fact is nobody knows all of the bad things. I mean, if somebody knew all of the bad things, there would be no need for solutions like ours. There would be no need for any other solution.
Starting point is 00:26:32 But the fact is, nobody does. I mean, there's 160,000 new pieces of malware come out every single day. I mean, how do you possibly keep up with that? I mean, the sad reality is you can't. So that's why a different approach, one like the default denial one that we expose is so important.
Starting point is 00:26:48 There's been a lot of talk, I think, particularly this year about consolidation. And we hear from CISOs all the time that how do I keep track of all these different tools? What I really want is to bring me a platform, one platform that'll do everything. From your point of view as a provider, how do you approach playing well with others?
Starting point is 00:27:13 Well, one of the ways that we try and solve that problem for people is we try and solve as many of the problems as we can within one portal, one agent, one product, one thing to understand, one bill to pay fundamentally. So as well as the allow listing, ring fencing, network control stuff I mentioned, we do have detection capabilities, this is another product we do. We've also got, and we've recently introduced web control.
Starting point is 00:27:37 So basically web filtering. We've introduced patch management, a very unique take, a unique approach to patch management. So these are all boxes that we can tick for organizations without them having to go out and buy third party tools or have another portal to manage or another agent to install in the machine. Because it is one thing that we hear loud and clear,
Starting point is 00:27:57 is I've got too many agents on my machine. I've got my antivirus, I've got my EDR, I've got my this thing, I've got my patch management, I've got that thing, I've got web control, I've got eight different agents running on my computer. The fan is almost spitting. to manage all of these other tools. So that is something we're acutely aware of and trying to solve in that fashion
Starting point is 00:28:26 by building solutions ourselves. Yeah. As you're walking around here at RSAC 2025, what are some of the things that have caught your eye? Are there things that lift your spirits, that give you hope, you know, what clever people we are, you know, those sorts of things? A lot of very impressive booths.
Starting point is 00:28:47 That's for sure. There are some very, very shiny booths, and very big and fancy. There are puppies and baby goats. There's puppies? There are puppies. I saw a picture of the baby goats. I did not, where are the puppies?
Starting point is 00:29:00 There is, they're over there. There's a booth full of puppies. Okay, I'm going to have to go and find the puppies. I actually chastised our marketing department yesterday because when we saw there was goats, I was like, how come we haven't thought about bringing farm animals to these things? Yeah, missed opportunity.
Starting point is 00:29:13 So yeah, I didn't realize somebody brought puppies. That's kind of one-upping. But no, I mean, the beauty of events like this from our perspective is twofold. I mean, first of all, it's an opportunity to meet existing customers. The great thing that I've seen even over the last couple of years of coming here is that, you know, a few years ago we would have had, not going to
Starting point is 00:29:30 say a handful of customers, so it wouldn't be a huge amount of customers. Every year there's more and more and more. They come up, they say hello, you know, tell us about their experience, and it's phenomenal feedback. I mean, face to face like that, it's just, it's a brilliant opportunity to connect with existing customers. But obviously it's also an opportunity to tell people about what we do. Tell people about why we do it, explain.
Starting point is 00:29:54 I mean, I had somebody come up to me yesterday and they were talking about, talking about allow listing. And they're saying, we're looking at this other allow listing solution, tell me why you're better. And we have, and I actually don't have it here, I'd love to show you, but we've got rubber duckies that do data exfiltration, we've got rubber duckies that do screen captures and upload them to a C2 server.
Starting point is 00:30:12 We've got a whole pile of different stuff. So I was able to show them in person, three different attacks, all perpetrated using PowerShell, none of which were detected as being bad, all of which were extremely scary. And that's a fantastic opportunity. I mean, you just don't get that talking to somebody over Zoom.
Starting point is 00:30:28 For example, you can explain it to somebody, but you can't show them. And there's a huge amount of value in that for us. Yeah. All right. Well, Rob Allen is Chief Product Officer with ThreatLocker. Rob, thanks so much for joining us. No worries. Pleasure. Thank you very much. That's Rob Allen, Chief Product Officer at ThreatLocker.
Starting point is 00:31:04 And finally, security researcher and O2 customer Daniel Williams uncovered a glaring privacy leak in O2 UK's 4G calling system. For context, O2 is one of the UK's largest mobile carriers, part of the Virgin Media O2 group serving millions of customers across the country. And apparently it's been serving up more than just phone service. While poking around voice over LTE call data using a rooted Pixel 8 and some digital elbow grease, Williams found that O2's IP multimedia subsystem implementation was a little too chatty.
Starting point is 00:31:46 Calls were accompanied by SIP messages containing not just debug logs, but also both parties' IMSIs, IMEIs, and cell tower IDs. In short, every call was a potential geolocation treasure map. Williams concluded that O2's IMS implementation poses a significant privacy risk as it exposes sensitive metadata during every 4G or Wi-Fi call. This data can be exploited to geolocate call recipients with surprising accuracy even when they're abroad or not currently connected to the network. The researcher emphasized that this vulnerability affects all O2 customers using IMS-based calling and cannot be mitigated by users themselves, as disabling 4G calling does not stop the
Starting point is 00:32:36 data from being shared. He called on O2 to remove these unnecessary SIP headers and debug messages from call signaling and criticized the company for lacking a clear path to responsibly disclose such findings. Since then, O2 says they have resolved the issue. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at theCyberWire.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Starting point is 00:33:29 Our executive producer is Jennifer Iben. Peter Kilpey is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up.
Starting point is 00:34:22 DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses helping
Starting point is 00:34:49 companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal: 20% off your DeleteMe plan. Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout. That's joindeleteeme.com slash n2k, code n2k.
