CyberWire Daily - Bear in the network.
Episode Date: May 21, 2025. A joint advisory warns of Fancy Bear targeting Western logistics and technology firms. A nonprofit hospital network in Ohio suffers a disruptive ransomware attack. The Consumer Financial Protection Bureau (CFPB) drops plans to subject data brokers to tighter regulations. KrebsOnSecurity and Google block a record breaking DDoS attack. A phishing campaign rerouted employee paychecks. Atlassian patches multiple high-severity vulnerabilities. A Wisconsin telecom provider confirms a cyberattack caused a week-long outage. VMware issues a Security Advisory addressing multiple high-risk vulnerabilities. Prosecutors say a 19-year-old student from Massachusetts will plead guilty to hacking PowerSchool. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, discussing deliberate simplicity of fundamental controls around zero trust. Oversharing your call location data. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, today we are joined by Rob Allen, Chief Product Officer at ThreatLocker from RSAC 2025. Rob is discussing the deliberate simplicity of fundamental controls around zero trust. Token theft and phishing attacks bypass traditional MFA protections, letting attackers impersonate users and access critical SaaS platforms, without needing passwords. Listen to Rob's interview here. Learn more from the ThreatLocker team here.
Selected Reading Russian GRU Targeting Western Logistics Entities and Technology Companies ( CISA) Ransomware attack disrupts Kettering Health Network in Ohio (Beyond Machines) America’s CFPB bins proposed data broker crackdown (The Register) Krebs on Security hit by 'test run' DDoS attack that peaked at 6.3 terabits of data per second (Metacurity) SEO poisoning campaign swipes direct deposits from employees (SC Media) Atlassian Warns of Multiple High-Severity Vulnerabilities Hits Data Center Server (Cybersecurity News) Cellcom Service Disruption Caused by Cyberattack (SecurityWeek) VMware releases patches for security flaws in multiple virtualization products (Beyond Machines) Massachusetts man will plead guilty in PowerSchool hack case (CyberScoop) O2 VoLTE: locating any customer with a phone call (Mast Database) Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
A joint advisory warns of Fancy Bear targeting Western logistics and technology firms.
A nonprofit hospital network in Ohio suffers a disruptive ransomware attack.
The Consumer Financial Protection Bureau drops plans to subject data brokers to tighter regulations.
KrebsOnSecurity and Google block a record-breaking DDoS attack.
A phishing campaign rerouted employee paychecks.
Atlassian patches multiple high-severity vulnerabilities.
A Wisconsin telecom provider confirms a cyber attack caused a week-long outage.
VMware issues a security advisory addressing multiple high-risk vulnerabilities.
Prosecutors say a 19-year-old student from Massachusetts
will plead guilty to hacking PowerSchool.
Our guest is Rob Allen,
Chief Product Officer at ThreatLocker,
discussing deliberate simplicity
of fundamental controls around zero trust
and oversharing your call location data.
It's Wednesday, May 21st, 2025. I'm Dave Bittner, and this is your CyberWire
Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
A joint cybersecurity advisory from the US and allied agencies warns of ongoing cyberespionage
by Russia's GRU Unit 26165, also known as APT28 or Fancy Bear, targeting Western logistics
and technology firms, especially those supporting Ukraine.
Active since 2022, the campaign employs tactics like password spraying, spearphishing,
and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Targets include transportation
hubs, defense contractors, IT services, and air traffic systems across NATO countries.
The GRU has also compromised IP cameras near Ukrainian borders to monitor
aid deliveries. Organizations are urged to enhance monitoring, threat hunting, and network
defenses against these persistent threats.
Kettering Health, a nonprofit hospital network in Ohio, suffered a ransomware attack attributed
to the Interlock Group.
The incident caused a system-wide technology outage, disrupting access to electronic health
records and patient care systems across its 14 hospitals and over 120 outpatient facilities.
All elective procedures were canceled, and the call center was rendered inaccessible.
Emergency services remained operational, but ambulances were diverted to other facilities,
prompting neighboring Premier Health to declare a code yellow due to increased patient volumes.
The attackers threaten to leak stolen data unless a ransom is paid.
Kettering Health is collaborating with cybersecurity experts to investigate and restore
systems. Additionally, reports emerged of scammers impersonating Kettering staff to solicit payments.
The organization has suspended all payment-related calls and advises patients to report suspicious
contacts to law enforcement.
The Consumer Financial Protection Bureau has dropped plans to classify certain data brokers
as credit bureaus, a move that would have subjected them to tighter regulations.
Proposed in December of 2023, the rules aimed to curb the sale of Americans' sensitive data
by requiring accuracy, transparency, and limiting data sales to legitimate uses,
like credit or employment checks.
But the CFPB has now deemed further rulemaking not necessary or appropriate.
Critics warn this leaves Americans vulnerable, as brokers often collect data from apps or
telcos, sometimes exposing users at protests or clinics.
Several data breaches have highlighted the risks, with billions of records stolen from
poorly secured brokers.
While the U.S. backs off regulation, the UK is still evaluating stricter oversight.
CFPB's future remains uncertain amid political pressure.
KrebsOnSecurity was targeted on May 12 by a record-breaking DDoS attack peaking at 6.3
terabits per second, ten times larger than the infamous 2016 Mirai botnet assault. The
attack, mitigated by Google's Project Shield, lasted less than a minute but marked
the biggest attack Google has ever handled.
Security experts link the attack to the Aisuru botnet, a network of hijacked IoT devices
like routers and DVRs.
Aisuru's operators exploit weak passwords and software flaws, selling attack services on Telegram under the handle
Forky for up to $600 per week. This botnet has been rented out since at least August
2024. Law enforcement has seized some of its related domains, but the threat remains active,
with major web services still struggling to counter such powerful assaults.
A phishing campaign rerouted employee paychecks by tricking users into entering credentials on fake mobile-specific payroll sites, according to ReliaQuest.
Attackers used Google Ads and SEO
poisoning to lure victims searching for HR portals on mobile devices.
Clicking these ads led to fake Microsoft login pages designed to harvest credentials.
Once compromised, attackers accessed SAP SuccessFactors accounts and changed direct deposit details,
diverting paychecks to their own accounts.
The attack used a proxy network of hijacked home routers to mask the attacker's locations
and evade detection.
Real-time monitoring tools helped attackers act before credentials could be reset.
ReliaQuest recommends using multi-factor authentication, alerts for deposit changes, employee education,
and proactive threat intelligence to combat these mobile-targeted
phishing campaigns that bypass corporate network defenses.
Atlassian's May 2025 Security Bulletin reveals eight high-severity vulnerabilities impacting
several data center and server products.
The flaws, found through bug bounties, testing, and library scans could
lead to denial of service attacks and privilege escalation if left unpatched. Notably, Bamboo
and Confluence Data Center are exposed to a Tomcat Coyote bug causing memory leaks and
crashes from malformed HTTP/2 headers. Confluence also faces a stack overflow risk via the
XStream library. Fisheye/Crucible is vulnerable to a denial-of-service flaw
in json-smart, while Jira Software and Jira Service Management are at risk from
a Netty SSL handler bug. Additionally, a privilege escalation issue threatens Jira products,
enabling attackers to gain unauthorized access. Users are urged to patch immediately to secure
enterprise environments.
Wisconsin telecom provider Cellcom confirmed a cyberattack caused a week-long outage affecting
voice and text services in Wisconsin and upper
Michigan.
While some services have been restored, full recovery is expected by week's end.
The company's CEO assured customers they had protocols in place and they're working
with cybersecurity experts and authorities to resolve the issue.
Cellcom stated no sensitive customer data appears compromised as the breach impacted a network
segment without personal information.
Though the company has not disclosed the attack type,
the scope suggests ransomware may be involved,
though no group has claimed responsibility.
Cellcom emphasized its cautious, deliberate approach to recovery
and pledged to provide
updates on restoration efforts and the ongoing investigation.
VMware has issued a security advisory urging immediate action on multiple high-risk vulnerabilities
across its virtualization products.
Top priority is a critical vCenter Server flaw that allows unauthenticated attackers
to execute arbitrary commands and take control of the host. Admin interfaces should be restricted
to trusted networks. Other notable flaws affect VMware Cloud Foundation, including a directory
traversal issue and information disclosure risks, both exploitable via simple network
access to port 443. Additional vulnerabilities impact ESXi, Workstation, and Fusion, including
denial of service bugs and a cross-site scripting flaw.
VMware has released patches for all affected systems and recommends organizations review
and apply updates promptly to minimize risk of exploitation.
Federal authorities say Matthew Lane, a 19-year-old student from Massachusetts, will plead guilty
to hacking PowerSchool, a major education software firm serving over 60 million students.
Lane used stolen credentials from a contractor to access PowerSchool systems, stealing sensitive
data on students and teachers.
He then issued a ransom demand in December, threatening to leak the data unless paid nearly
$2.9 million in Bitcoin.
PowerSchool confirmed it paid, though the amount remains undisclosed.
Lane, linked to the ShinyHunters hacking group, is also accused of trying to extort
a telecom company.
He will plead guilty to charges including unauthorized access to protected computers
and aggravated identity theft.
Federal prosecutors call it a significant win
in what may be the largest breach
of U.S. schoolchildren's data to date.
Coming up after the break,
my conversation with Rob Allen from ThreatLocker,
we're discussing deliberate simplicity of fundamental controls around zero trust
and over sharing your call location data. Stick around.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual
processes just to keep your GRC program on track?
You're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making your security
posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have. According to a recent analysis from IDC, teams using
Vanta saw a 129% boost in productivity. That's not a typo, that's real impact.
So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
efficiency to your GRC game.
Vanta. GRC. How much easier trust can be.
Get started at Vanta.com slash cyber.
Worried about cyber attacks? Cyber care from Storm Guidance is a comprehensive cyber incident
response and resilience service that helps you stay prepared and protected. A unique
onboarding process integrates your team with industry leading experts. So if an incident occurs, your response is optimal.
Get priority access to deeply experienced responders, digital investigators, legal and
crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100%
of unused response time can be repurposed for a range of proactive resilience activities.
Find out more at cyber.care slash cyberwire.
Rob Allen is Chief Product Officer at ThreatLocker.
I recently caught up with him at the RSAC conference for a sponsored Industry Voices
segment discussing deliberate simplicity of fundamental controls around zero trust.
We are continuing with our conversations here at RSAC 2025 and I am pleased to be joined
by Rob Allen. He is Chief Product
Officer at ThreatLocker. Rob, welcome. Thank you. It's good to be here. For folks who may not be
familiar with the company, give us the brief description of what ThreatLocker
is. ThreatLocker is awesome. Is that brief enough? Thanks for joining us here today.
Thank you. Thank you. No, so ThreatLocker is a, it's an endpoint protection platform.
Zero trust focus, so deny by default, basically.
So it's a slightly different approach
to most cybersecurity, which is typically reactive.
So it's waiting for something bad to happen, basically,
or some indication of bad things happening.
We are more proactive,
so we're more about stopping it happening
than responding to it happening.
A lot of different ways we do that.
So we start with allow listing,
so just allowing what needs to run to run,
and we've got ring fencing, and lots of really cool stuff.
But it's all based around that principle
of deny by default, permit by exception.
So rather than letting everything happen,
except what we know to be bad,
we only allow what's required.
Can we talk about the challenge with endpoint protection
of lateral movement and protecting against that?
Sure, well I mean there's a couple of different types
of lateral movement.
There's lateral movement between programs on an endpoint
because very often a lot of these breaches start
with for example something like Outlook
calling something like PowerShell.
Now in reality in most environments,
there's no reason for Outlook to call PowerShell,
but someone in their infinite knowledge and wisdom
in Microsoft decided one day,
hey, it'd be really cool if we'd make this possible.
Now it's being exploited, so we can control
that lateral movement between applications,
but we can also control lateral movement
across the network, because that's another huge problem.
So once one machine gets compromised,
typically it doesn't take them very long
to move to another machine or to another machine
or to another machine, and eventually they get
to something that's really important.
So controlling network access,
same principles, deny by default, permit by exception,
but only allowing trusted devices
connect to other trusted devices,
and basically just limiting access to the network
will stop, as I said, that lateral movement as well.
Help me understand, how much of this is, say, signature-based,
how much of it is behavioral?
Is there a blend?
None and none.
Okay.
Generally speaking.
So what we're talking about,
I actually have a really interesting example
to give you about this,
but basically what we're talking about
is fundamentally controls.
So it's about applying controls to your environment.
So the control over what can run and what can't run,
the control over what things can do,
controls around the network.
So it's not about detecting or recognizing
bad behavior per se, it's about saying,
well look, we're going to control the environment
in such a way that that bad behavior can take place.
I'll give you an example, if you don't mind.
So we did a podcast some time ago
with a guy called Jacoby, David Bombal, and Jacoby.
And Jacoby is an absolute genius.
He was Hack 5's Hacker of the Year number of years.
He came up with something that is unbelievably cool,
which is basically API-based polymorphic PowerShell reverse shell.
So basically, he reaches out to an API using PowerShell.
It gives him code, PowerShell code, basically.
But it's polymorphic, so it changes every time.
So signature-based detections just don't find it.
So he tested that against every major EDR,
every tool that he could find, he tested that against,
and none of them recognized it as what it was.
He tried it against ThreatLocker,
and ThreatLocker immediately blocked it.
Now, he was convinced that we were doing
some behavioral-based recognition of what he was up to,
and what we were actually doing was just blocking
PowerShell from accessing the internet.
So it was a really simple basic control that solved
a very advanced, complex, quite frankly brilliant exploit. So that might explain
somewhat better. So we're not about behavior. We don't care what the
behavior is. We care about applying controls to the environment
in such a way that it can't be.
So is it fair to say that there's a deliberate simplicity
to the approach?
Absolutely.
The beauty about that simple approach
is that you don't need to know everything that's bad,
because if you block everything,
then you're going to block all the bad stuff.
You're also going to block good stuff that could be misused,
and that's something else that people need to consider,
is things like WinRAR, for example.
I mean, WinRAR has all of the characteristics of ransomware.
You can encrypt data, you can transfer data,
and you can delete data, all with one convenient program
that is not in itself malicious.
Things like PuTTY, we've seen PuTTY being used
for data exfiltration.
Now again, PuTTY is not a bad program,
it's not a bad application,
but can it be used for bad purposes?
Absolutely it can.
So the beauty about the Deny by Default approach
is you don't need to know all of the bad things,
you don't need to know all of the exploitable things,
you just need to allow what's required
and block everything else.
It's so simple.
But once you actually get your head around it,
it's like, why isn't everybody doing this?
Well, so how do you do the things you need to do
and at the same time not introduce undue friction?
Because in reality, the vast majority of users
do the same things in the same way with the same software
every single day.
And fundamentally, all we're doing
is setting guardrails around that.
I'm saying, look, you operate within these guardrails,
you're not going to even know we're here.
Now, if you step outside of those guardrails
and try and download that coupon clipper from China
or run a remote access tool,
absolutely we're going to step in and stop that.
But that's what organizations need.
That's what they need to keep them safe.
What about things like token theft?
You know, that sort of thing.
How do you come at that?
So token theft is an interesting one.
So we've recently started expanding.
We were typically endpoint based,
or exclusively endpoint based for many years.
Now the reason for that was basically most of the action
was taking place in the endpoints.
Most breaches started at the end point.
But we realized that customers also have challenges
with the cloud,
specifically controlling access to cloud resources.
So what we did for that is we have,
and it comes back to this idea of deny by default,
permit by exception.
So Microsoft actually have some quite advanced
conditional access functionality in Office 365, for example.
So you can have what are called named locations,
you can have a bunch of IP addresses in a named location
and say look, allow these IP addresses
to connect to my Office 365 and block everything else.
That's fine until somebody has an event like this.
My IP address has probably changed five times today.
So it's not, it's fine static,
but dynamic presented a challenge.
So what we did is we've got obviously ThreatLocker agent
installed on people's machines,
it's checking in reporting its IP address.
We have an app on our phone,
which basically is checking in
reporting my phone's IP address.
We take all those IP addresses,
we upload them to a named location in Office 365,
and those IP addresses are allowed to connect
while the entire rest of the internet is not.
So the way a lot of people have approached this is,
fundamentally, a lot of people will do countries.
So they're going to say, look, allow the United States
and block the rest of the world,
which is fine until your CEO goes on holidays to the Bahamas
and all of a sudden he can't access his resources.
So this is why the dynamic nature of what we do
is so effective, because it doesn't matter
if I go to the Bahamas or Timbuktu, quite frankly.
I'll have an IP address, it's going to check in,
register, upload, and be added to the named location.
So it doesn't matter if somebody steals my credentials.
It doesn't matter if somebody's got, even gets my token.
The fact is they won't be allowed to connect
because of those conditional access policies.
When someone decides that they want to take this approach,
that they're all in on going at the problem this way,
what does the onboarding look like?
Surprisingly smooth is the answer to that question
because basically when we deploy ThreatLocker,
when a customer deploys ThreatLocker,
it's not blocking anything.
It's not stopping anything.
It's not getting in their way.
Fundamentally all it's doing is it's logging data.
It's basically building a set of policies based on what's
present in the environment.
So it takes a lot of the heavy lift out of this process.
So there's an analysis...
Correct.
A learning sequence.
Okay.
Absolutely.
So the learning period basically, what it's doing is it's
logging all of the software that's on your machine and
saying, look, all of the software is required we're going to
fundamentally allow this this or create a lot of our policies to allow this to
run after which point you know a couple of weeks in the future we can say okay
well you've got policies for all you need all the things you need and we're
going to lock it down and then all of those things are going to be allowed and
then nothing new is going to be allowed to run on your machine.
Are there company-wide policies,
but then individual policies as well?
You can do it at various different levels.
You can do it company-wide, you can do it global.
Teams, you know.
Exactly, in particular, again.
My salespeople travel, they need.
Correct, exactly, and your IT team
probably need a little bit more leeway
in terms of the tools they're going to run.
So they might need to run a tool like PuTTY.
Whereas your finance department probably aren't,
your marketing people definitely aren't,
your marketing people might need Creative Cloud,
but your IT team don't.
So it's not a question of applying the same rules
to everybody.
You can pick and choose, you can adjust
and tweak as necessary.
Again, the idea being to allow people
to do what they need to do, but no more.
As a provider of the type of tool that you provide,
as you're looking toward the horizon and you're seeing the evolution of the threats,
how do you stay nimble?
How do you anticipate and know that your own roadmap
is going to be able to respond to those things?
Well, to some extent, I mean, obviously,
we're constantly striving to improve what we do.
We're trying to make it as seamless as possible,
both for the administrators and also for the users.
That's something that's really important to us.
I mean, one of the beauties of the approach that we take,
because it's deny by default,
we're not constantly responding to new threats,
to new techniques, to new tactics.
I mean, obviously we tweak and adjust our policies
from time to time, we make them more secure,
we can absolutely always improve things,
but generally speaking, the deny by default approach
means that it doesn't matter if a new piece of malware
appears tomorrow, a zero day appears tomorrow,
or even a particular piece of software is vulnerable.
You know what I mean?
There's, application vulnerabilities are a major, major issue.
But you have to consider
with the likes of application vulnerabilities is,
well, what's the next thing that will typically happen
if a vulnerable application is exploited?
Well, generally speaking, something's going to run,
or something's going to reach out to the internet. You know, somebody's going to
call PowerShell to try and download a payload. Well, if you can stop all of
those interactions, then you basically stop that vulnerability from being
exploitable. So as I said, the beauty of deny by default is you don't,
you're not constantly trying to play catch-up. And again, that's one of the
problems with cybersecurity as a whole is the industry is constantly playing catch up.
The bad guys are nimble, the bad guys are really,
really clever and they're constantly one step ahead.
And if your approach requires you to keep up with them,
then you're never going to win.
I mean, the sad reality, the sad fact is nobody knows
all of the bad things.
I mean, if somebody knew all of the bad things,
there would be no need for solutions like ours.
There would be no need for any other solution.
But the fact is, nobody does.
I mean, there's 160,000 new pieces of malware
come out every single day.
I mean, how do you possibly keep up with that?
I mean, the sad reality is you can't.
So that's why a different approach,
one like the deny by default one that we espouse
is so important.
There's been a lot of talk, I think,
particularly this year about consolidation.
And we hear from CISOs all the time
that how do I keep track of all these different tools?
What I really want is to bring me a platform,
one platform that'll do everything.
From your point of view as a provider,
how do you approach playing well with others?
Well, one of the ways that we try and solve that problem for people
is we try and solve as many of the problems as we can
within one portal, one agent, one product, one thing to understand, one bill to pay fundamentally.
So as well as the allow listing, ring fencing,
network control stuff I mentioned,
we do have detection capabilities,
this is another product we do.
We've also got, and we've recently introduced web control.
So basically web filtering.
We've introduced patch management,
a very unique take, a unique approach to patch management.
So these are all boxes that we can tick for organizations
without them having to go out and buy third party tools
or have another portal to manage
or another agent to install in the machine.
Because it is one thing that we hear loud and clear,
is I've got too many agents on my machine.
I've got my antivirus, I've got my EDR,
I've got my this thing, I've got my patch management,
I've got that thing, I've got web control,
I've got eight different agents running on my computer.
The fan is almost spitting.
to manage all of these other tools.
So that is something we're acutely aware of and trying to solve in that fashion
by building solutions ourselves.
Yeah.
As you're walking around here at RSAC 2025,
what are some of the things that have caught your eye?
Are there things that lift your spirits,
that give you hope, you know,
what clever people we are, you know, those sorts of things?
A lot of very impressive booths.
That's for sure.
There are some very, very shiny booths,
and very big and fancy.
There are puppies and baby goats.
There's puppies?
There are puppies.
I saw a picture of the baby goats.
I did not, where are the puppies?
There is, they're over there.
There's a booth full of puppies.
Okay, I'm going to have to go and find the puppies.
I actually chastised our marketing department
yesterday because when we saw there was goats,
I was like, how come we haven't thought about
bringing farm animals to these things?
Yeah, missed opportunity.
So yeah, I didn't realize somebody brought puppies.
That's kind of one-upping.
But no, I mean, the beauty of events like this
from our perspective is twofold.
I mean, first of all, it's an opportunity
to meet existing customers.
The great thing that I've seen, even over the last couple of years
of coming here, is that, you know, a few years ago we would have had, not going to
say a handful of customers, but it wouldn't be a huge amount of customers. Every year
there's more and more and more. They come up, they say hello, you know, tell us about
their experience, and it's phenomenal feedback. I mean, face to face like that,
it's just it's a brilliant opportunity
to connect with existing customers.
But obviously it's also an opportunity
to tell people about what we do.
Tell people about why we do it, explain.
I mean, I had somebody come up to me yesterday
and they were talking about, talking about allow listing.
And they're saying, we're looking at this other
allow listing solution, tell me why you're better.
And we have, and I actually don't have it here,
I'd love to show you, but we've got rubber duckies
that do data exfiltration, we've got rubber duckies
that do screen captures and upload them to a C2 server.
We've got a whole pile of different stuff.
So I was able to show them in person,
three different attacks, all perpetrated using PowerShell,
none of which were detected as being bad,
all of which were extremely scary.
And that's a fantastic opportunity.
I mean, you just don't get that
talking to somebody over Zoom.
For example, you can explain it to somebody,
but you can't show them.
And there's a huge amount of value in that for us.
Yeah. All right.
Well, Rob Allen is Chief Product Officer with ThreatLocker.
Rob, thanks so much for joining us.
No worries. Pleasure. Thank you very much.
That's Rob Allen, Chief Product Officer at ThreatLocker.
And finally, security researcher and O2 customer Daniel Williams uncovered a glaring privacy
leak in O2 UK's 4G calling system.
For context, O2 is one of the UK's largest mobile carriers, part of the Virgin Media
O2 group serving millions of customers across the country.
And apparently it's been serving up more than just phone service.
While poking around voice over LTE call data using a rooted Pixel 8 and some digital elbow
grease, Williams found that O2's IP multimedia subsystem implementation was a little too
chatty.
Calls were accompanied by SIP messages containing not just debug logs, but also both parties'
IMSIs, IMEIs, and cell tower IDs.
In short, every call was a potential geolocation treasure map.
Williams concluded that O2's IMS implementation poses
a significant privacy risk as it exposes sensitive metadata during every 4G or Wi-Fi call. This
data can be exploited to geolocate call recipients with surprising accuracy even when they're
abroad or not currently connected to the network. The researcher emphasized that this vulnerability affects all O2 customers using IMS-based calling
and cannot be mitigated by users themselves, as disabling 4G calling does not stop the
data from being shared.
He called on O2 to remove these unnecessary SIP headers and debug messages from call signaling and criticized the company
for lacking a clear path to responsibly disclose such findings.
Since then, O2 says they have resolved the issue.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at theCyberWire.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set it and forget it peace of mind.
And it's not just for
individuals. DeleteMe also offers solutions for businesses helping
companies protect their employees personal information and reduce
exposure to social engineering and phishing threats. And right now our
listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.