CyberWire Daily - Brute force and broken trust.
Episode Date: March 21, 2025

Over 150 government database servers are dangerously exposed to the internet. Threat actors are exploiting a vulnerability in CheckPoint's ZoneAlarm antivirus software. Albabat ransomware goes cross-platform. ESET reports on the Chinese Operation FishMedley campaign. VanHelsing ransomware targets Windows systems in the U.S. and France. CISA issues five ICS advisories warning of high-severity vulnerabilities across critical infrastructure systems. A former NFL coach is indicted for allegedly hacking into the accounts of thousands of college athletes. Brandon Karpf joins us with a look at cyberspace in space. A fraud detection firm gets shut down for fraud.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Brandon Karpf, friend of N2K CyberWire, joins T-Minus Space Daily host Maria Varmazis for the Space and Cyber March segment.

Selected Reading
Over 150 US Government Database Servers Vulnerable to Internet Exposure (GB Hackers)
White House Shifting Cyber Risk to State and Local Agencies (Data Breach Today)
Cybercriminals Exploit CheckPoint Driver Flaws in Malicious Campaign (Infosecurity Magazine)
Albabat Ransomware Attacking Windows, Linux & macOS by Leveraging GitHub (Cyber Security News)
Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley (SecurityWeek)
VanHelsing Ransomware Attacking Windows Systems With New Evasion Technique & File Extension (Cyber Security News)
CISA Releases Five Industrial Control Systems Advisories Covering Vulnerabilities & Exploits (Cyber Security News)
Former NFL, Michigan Assistant Coach Matt Weiss Charged With Hacking for Athletes' Intimate Photos (SecurityWeek)
AdTech CEO whose products detected ad fraud jailed for fraud (The Register)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cyber threats are more sophisticated than ever.
Passwords?
They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless.
YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises.
They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com slash N2K to unlock this deal. That's Y-U-B-I-C-O.
Say no to modern cyber threats. Upgrade your security today.
Over 150 government database servers are dangerously exposed to the internet.
Threat actors are exploiting a vulnerability in Check Point's ZoneAlarm antivirus software.
Albabat ransomware goes cross-platform. ESET reports on the Chinese
Operation FishMedley campaign. VanHelsing ransomware targets Windows systems in the
US and France. CISA issues five ICS advisories warning of high-severity vulnerabilities across
critical infrastructure systems. A former NFL coach is indicted for allegedly hacking into the accounts of thousands of
college athletes.
Brandon Karpf joins us with a look at cyberspace in space, and a fraud detection firm gets
shut down for fraud. It's Friday, March 21, 2025. Thanks for joining us and happy Friday.
It is great to have you with us.
A recent investigation has revealed a major cybersecurity threat to U.S. government data.
Over 150 government database servers used by agencies like the Departments
of Agriculture, Education, and Energy are exposed to the Internet, violating basic security
protocols. These databases, hosted on Microsoft's Azure GovCloud, have open ports vulnerable
to brute force attacks and known exploits. The report highlights over 655 unauthorized access attempts and more than 200 real-time
data replications, suggesting serious flaws in authentication and data protection.
Analysts believe the exposure stems from a rushed federal data centralization effort.
Experts are calling for urgent action, including congressional hearings and audits, to address
what has the potential to become a catastrophic breach.
The White House is shifting cybersecurity responsibilities from federal agencies to
states and local governments.
A new executive order from President Trump introduces a national resilience strategy
aiming to give local entities more control over defending infrastructure and elections
from cyber threats.
This move follows cuts to federal cybersecurity teams and programs, leaving states without
vital support like vulnerability alerts and free-risk assessments.
Experts warn this decentralization could lead to
fragmented defenses, especially as many states lack the
resources and intelligence centers to fill the gap.
Cybersecurity professionals say the burden will hit
underfunded sectors like schools and small
municipalities hardest.
Critics argue the shift, combined with federal workforce
reductions, undermines national security and leaves states to manage growing
cyber risks largely on their own. A new report reveals that threat actors are
exploiting a vulnerability in Check Point's ZoneAlarm antivirus software
to bypass Windows security.
Security researcher Nima Bagheri detailed a bring-your-own-vulnerable-driver attack using
an old, signed driver with kernel-level privileges.
This allows attackers to evade antivirus detection, bypass Windows memory integrity protections,
and gain full system access.
Once in, they steal
credentials and establish remote access. Users are urged to update to the latest
non-vulnerable version.
Albabat ransomware has evolved into a cross-platform threat, now targeting
Windows, Linux, and macOS systems. Trend Micro researchers found multiple versions
using GitHub for configuration management, allowing remote updates without redeploying
malware.
The ransomware retrieves settings via the GitHub REST API and avoids encrypting key
system files while targeting user data.
It terminates processes to ensure encryption success and collects
detailed system info. Payment details in its config suggest preparation for expanded attacks
using Bitcoin, Ethereum, Solana, and BNB.
ESET reports that i-Soon, a Chinese cybersecurity contractor linked to Beijing's Ministry of Public Security,
ran a 2022 cyber-espionage campaign called Operation FishMedley.
Its operational unit, FishMonger, targeted seven organizations across Taiwan, Hungary,
Turkey, Thailand, the U.S., and France.
Using tools like ShadowPad, Spyder, and the newly identified RPipeCommander, attackers
gained deep network access, extracted credentials, and exfiltrated data.
The campaign followed a document leak and US indictments of i-Soon staff for hacking US
agencies, activists, and dissidents.
A new ransomware called VanHelsing is targeting Windows systems in the US and France, focusing
on government, manufacturing, and pharmaceutical sectors.
First spotted in March 2025, it uses advanced encryption and evasion tactics, appending
.vanhelsing to files and demanding ransom via a Tor-based
chat site.
VanHelsing employs double extortion by encrypting and exfiltrating sensitive data.
It uses rootkits, registry changes, and bootkits for persistence, making detection difficult.
Security experts urge strong backups, system patching, MFA, and zero-trust strategies for defense.
CISA issued five ICS advisories warning of high-severity vulnerabilities across critical infrastructure systems.
These include flaws in Schneider Electric's EcoStruxure software and Enerlin'X IFE components with multiple input validation issues.
Siemens' Simcenter Femap also contains a memory buffer overflow vulnerability,
while SMA's Sunny Portal has a file upload flaw.
Finally, Santesoft's DICOM Viewer Pro suffers from an out-of-bounds write issue.
CISA urges immediate updates to reduce exploitation risks, especially as these systems often support
vital infrastructure.
Former NFL and University of Michigan assistant coach Matt Weiss has been indicted on 14 counts
of unauthorized computer access and 10 counts of identity theft for hacking into the accounts
of thousands of college athletes.
From 2015 through 2023, Weiss allegedly breached databases managed by Keffer Development Services
targeting over 150,000 athletes across more than 100 schools.
The indictment says he focused on female athletes, seeking private photos and
videos by accessing their social media, cloud, and email accounts. Weiss allegedly cracked
encryption using online research and kept detailed notes on stolen content. Fired by Michigan in
2023 after refusing to cooperate with an internal investigation, Weiss had
previously worked for the Baltimore Ravens. Federal prosecutors say they will aggressively
pursue the case to defend victims' privacy.
Coming up after the break, my conversation with Brandon Karpf with a look at cyberspace,
in space, and a fraud detection firm gets shut down for fraud.
Stick around. We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need. Stop struggling
to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and
hire fast. Your post jumps to the top of search results so the right candidates
see it first. And it works. Sponsored jobs on Indeed get 45% more applications
than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your job's more
visibility at Indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard
about indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply. Hiring? Indeed is all you need.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic
and collaborative environment where your ideas drive change.
With career growth opportunities
and a focus on work-life balance,
you'll have the flexibility to thrive
both professionally and personally.
Explore open cybersecurity and technology roles today at
vanguardjobs.com.
My former N2K colleague and current friend of the show Brandon Karpf
recently sat down with Maria Varmazis over on the T-Minus podcast to talk about cyberspace in space.
DoD released a memo and policies around modern software acquisition reform, where they identified
this pathway called the software acquisition pathways,
which is really meant to implement agile processes
in how the DoD acquires, implements, fields software.
Okay.
Traditionally, software has been seen,
just like every other DoD program,
regardless if it's an aircraft or a ship
or a ground system for a satellite communications network
has all been approached exactly the same.
Obviously that doesn't work well for software.
Software you have to test, you have to iterate,
you have to move quickly.
And so this memo that just came out last week
is directing the acquisitions community
to come up with an implementation plan
for this much more rapid, iterative,
agile approach to software acquisitions.
So when we say rapid, how rapid were we talking?
Right, well, so similarly, and actually the same day
that this memo came out,
Space Systems Command released a case study
around satellite communications.
And I think this was intentionally timed.
It was literally the same day.
And this case study is fantastic.
It's about the Evolved Strategic
Satellite Communications program.
And specifically their implementation
of a new agile software acquisitions technique
for this program and specifically for the ground segment,
the ground segment software for this program. Now before this program they admitted,
and I cannot believe they publicly admitted this, they admitted that it
historically takes them 12 years to field new software. To field, not even to
get it up and running, just to approve, just to sign the contract.
Right, 12 years, which is insane.
Under this program that they implemented,
their new time horizon is six years.
Doesn't sound a lot better, but I mean,
they literally cut it in half.
I think that's proof of concept as they move forward.
It's what they're calling
the Griffon program, G-R-I-F-F-O-N.
It seems like they'll get faster and faster.
And basically the précis here is they implemented the agile process.
They started with customer discovery, they product in a bake-off.
The Air Force, their Space Systems Command,
selected the winner from that bake-off,
and that allowed the winner to implement
their own software development process
and iterate on that and get it to the point
where they could start deploying and testing
this new ground resilient system for
the satellite communications network.
Sounds great.
I'm asking a question I know the answer to admittedly, but the cyber angle to this.
Let's walk that in because there's a big one here.
Right.
And so, you know, as we're kind of moving into this brave new world of software-defined warfare,
and my claim has always been the government, especially DoD, is the primary buyer for pretty
much the entire space economy, has been mostly on telecoms, you know, certainly Earth observation
as well.
But to me, those are the two legitimate viable markets for this industry.
They are all vulnerable to cyber attack and all those systems are
cyber enabled, software enabled.
So we're moving to a point of software defined warfare.
Software defined warfare being where that's where the threats are, that's where the opportunities
are.
We've certainly in this industry heard about the Viasat attack in early Ukraine. What most people haven't talked about is since then there's been 124 more validated cyber
attacks against space systems in Eastern Europe since Viasat.
So obviously a huge threat vector and a huge target.
What we haven't talked about so much is the opportunities of how the space segment can
actually, especially software-defined space segment, could improve security.
And especially when we're talking about telecommunication.
So what I kind of want to pitch to this community and talk about is how this more rapid software
development lifecycle, software acquisitions reform,
could help the space industry implement
highly effective secure telecommunications infrastructure
leveraging the space segment.
Yeah, I was gonna say, yes, let's get into that.
So, I mean, admittedly, if you're not in the umbrella
that may be directly affected by this, you
might be going, well, how does this apply?
But I think there are a lot of lessons here.
So okay, so that is the pitch that it'll that's the opportunity.
What does that look like on the ground?
Right.
So, you know, on the ground, step number one, what the DOD is doing is saying that they're
going to do is they're going to accept more risk upfront. By rapidly implementing new software,
by trying to implement this agile process
with software acquisitions, they're basically saying,
we are going to accept early risk,
understanding that that allows software
to be iterated upon, to be improved,
and to be developed in a way that ultimately
will decrease risk and cost in the long run.
And so certainly there are initial risks implemented
there by accepting minimum viable software products.
So that's kind of an interesting framing of them saying,
we're gonna accept,
historically they've said we're gonna accept zero risk,
which is why it takes 12 years to test and field anything.
But what that ends up doing is it ends up locking them in
to these old systems.
So now how does this industry implement this?
I'm going to specifically talk about telecom
because that's where I think the biggest opportunities are
for improving the cyber posture
and cyber defense of the West.
Certainly it's the largest perimeter too, right?
And if you want to think of it that way.
Exactly, largest perimeter.
It's also globally targetable.
So let's think about the space segment of the telecom infrastructure as providing backbone
services.
Now we have, you know, LEO constellations, we have GEO constellations that can provide
backbone connectivity for packetized networks, for data networks, for internet, etc.
Those systems are globally targeted.
You can reach those from anywhere in the globe.
So any adversary, whether it's Volt Typhoon, who proved that they're interested
in the telecom infrastructure in the US and Canada,
and has found their way into those systems, they're going to be targeting those systems.
However, when you think about the space architecture, it actually can be a little harder to target.
So when you think about the kill chain, the first step of the kill chain is reconnaissance.
First step of reconnaissance is figuring out where your target's infrastructure is, where their target points are,
where their selectors like IP addresses, servers, et cetera, are located,
and maneuvering through a network to find them,
and finding your way onto hot points.
If we are leveraging intelligently,
I'm not saying that you can necessarily do this
off the bat, but think about how we can implement
this rapid software implementation for the network layer,
for the network and transport layer of the internet,
and use the space segment
to obfuscate our points of presence.
So what does it mean by that?
Think about each satellite as a point of presence,
an adversary, I don't even as a user know which satellite
my data's directly going to, because they're moving.
They're rapidly moving, it's a moving target defense.
So if we can obfuscate your point of presence to get into networks as a user of telecoms
infrastructure and leverage the space segment to create moving target defense, essentially maneuver
warfare in the telecommunications network layer, that immediately makes it more difficult for the
adversaries to target because they can't do reconnaissance as well.
So it's like the okay, so I'm thinking in the classic
on the defender side, you wanted to know what all your assets are so you can defend them because there's always
assets that get forgotten or lost. In this case, we're saying security through obscurity. We want the moving target.
That's a fascinating opportunity that really only space provides.
Exactly.
Yeah, pretty much space or high altitude balloons
or drones potentially for creating these relays
for communications.
But if you think about how you can leverage
and my call is to the DOD and any users
of globalized telecom infrastructure.
Think about how you can use the space segment
to obfuscate your communications,
relay your points of presence in a rapid fashion to essentially make them ephemeral. So when
Volt Typhoon's going after your telecom infrastructure, they have a hard time finding where you even
are and where your network even is.
That's Brandon Karpf speaking with Maria Varmazis from the T-Minus podcast. Be sure
to check out T-minus
wherever you get your favorite podcasts.
Tired of investigation tools that only do one thing at a time?
Spending more time juggling contracts with data vendors than actually investigating?
Maltego changes that for good.
Get one investigation platform, one bill to pay, and all the data you need in one place.
It comes with curated data and a full suite of tools to handle any digital investigation.
Connect the dots so fast, cybercriminals won't even have time to Google what Maltego is.
See the platform in action at maltego.com.
And finally, in a plot twist worthy of a Silicon Valley satire, former CEO of an ad tech company has been sentenced to a year and a day in prison for faking pretty much everything.
Paul Roberts, whose ad tech company claimed to detect fraudulent ads with its cloud software
KAI, decided to fraud his way to the top.
In a bold bid of corporate make-believe, he orchestrated a $1.3 million phony service
swap with another company, complete with fake reports generated from non-existent
data. Both firms recorded the made-up transaction as real revenue, like a business version of
kids trading monopoly money and calling it profit. It worked. For a while. The company
even went public, raising $33 million, but the SEC noticed the imaginary math and Roberts pled guilty.
By late 2024, the much-hyped KAI power merger vanished.
The company delisted itself and quietly folded.
You have to admire the commitment.
It takes real effort to fake that much effort.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing
at the cyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation
with Tom Hegel from SentinelLabs. The research we're discussing is titled "Ghostwriter: New
Campaign Targets Ukrainian Government and Belarusian Opposition." That's Research Saturday. Check
it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say DeleteMe is a game changer. Within days of signing up,
they started removing my personal information from hundreds of data brokers. I finally have
peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when
you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code n2k.