CyberWire Daily - Can the U.S. keep up in cyberspace?
Episode Date: February 24, 2025

Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace. Australia orders government entities to remove and ban Kaspersky products. FatalRAT targets industrial organizations in the APAC region. A major cryptocurrency exchange reports the theft of $1.5 billion in digital assets. Apple removes end-to-end encryption (E2EE) for iCloud in the UK. Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility. A PayPal email scam is tricking users into calling scammers. Republican leaders in the House request public input on national data privacy standards. A Michigan man faces charges for his use of the Genesis cybercrime marketplace. Our guest is Karl Sigler, Senior Security Research Manager from Trustwave SpiderLabs, explaining the domino effect of a cyberattack on the power grid. Meta sues an Insta extortionist.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, Dave speaks with Karl Sigler, Senior Security Research Manager from Trustwave SpiderLabs, about the domino effect of a cyberattack on the power grid. You can dig into the details in their report.

Selected Reading
Former NSA, Cyber Command chief Paul Nakasone says U.S. falling behind its enemies in cyberspace (CyberScoop)
Kaspersky Banned on Australian Government Systems (SecurityWeek)
Chinese Hackers Attacking Industrial Organizations With Sophisticated FatalRAT (Cyber Security News)
Bybit Hack Drains $1.5 Billion From Cryptocurrency Exchange (SecurityWeek)
Experts Slam Government After "Disastrous" Apple Encryption Move (Infosecurity Magazine)
Confluence Exploit Leads to LockBit Ransomware (The DFIR Report)
Fluent Bit 0-day Vulnerabilities Exposes Billions of Production Environments to Cyber Attacks (Cyber Security News)
Beware: PayPal "New Address" feature abused to send phishing emails (Bleeping Computer)
Top House E&C Republicans query public for ideas on data privacy law (CyberScoop)
US Charges Genesis Market User (SecurityWeek)
Meta Sues Alleged Instagram Extortionist (404 Media)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Retired General Paul Nakasone warns the US is falling behind in cyberspace. Australia
orders government entities to remove and ban Kaspersky products. FatalRAT targets industrial
organizations in the APAC region. A major cryptocurrency exchange reports the theft
of $1.5 billion in digital assets. Apple removes end-to-end encryption for iCloud in the UK.
Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. Researchers
uncover zero-day vulnerabilities in a widely used cloud logging utility. A
PayPal email scam is tricking users into calling scammers. Republican leaders in
the House request public input on national data privacy standards. A
Michigan man faces charges for his use of the Genesis cybercrime marketplace.
Our guest is Karl Sigler, senior security research manager from Trustwave
SpiderLabs, explaining the domino effect of a cyberattack on the power grid.
And Meta sues an Insta extortionist.
It's Monday, February 24th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Monday and thanks for joining us.
It is great to have you here with us.
Retired General Paul Nakasone warned that the U.S. is falling behind in cyberspace,
with adversaries expanding their capabilities.
Speaking over the weekend at DistrictCon in Washington, D.C., he cited Chinese-backed
breaches and ransomware attacks as evidence of weak cybersecurity.
He also expressed concern about cyber operations causing physical damage, predicting future
attacks could disable platforms through digital means.
Nakasone, now at Vanderbilt University, highlighted AI's role in cyber offense, including autonomous
targeting by AI-powered drones.
He questioned the limits of AI-driven cyber weapons and their ability to bypass defenses.
He endorses a more aggressive U.S. cyber strategy, citing past cyber command operations
against Russian and Iranian hackers.
He emphasized persistent engagement to keep cyber enemies in check.
Nakasone stressed the need for top cyber talent, warning of recruitment challenges
due to past government actions.
He acknowledged ongoing cyber command reforms, but avoided direct
criticism of political leadership changes, stating that presidents choose their own advisers.
Australia has ordered government entities to remove and ban Kaspersky products, citing
security risks. The order issued by the Department of Home Affairs requires all federal systems to eliminate Kaspersky software by April 1st.
Though no specifics were provided, the move aligns with concerns over Russian government influence on the company.
The decision follows a similar U.S. ban, which began in 2017 and expanded in 2024, leading Kaspersky to exit the U.S. market.
The company sold its U.S. customer base to UltraAV, though the transition faced issues.
While Australia previously monitored U.S. actions without immediate restrictions, it
has now joined other countries in barring Kaspersky from government networks.
Several European nations have already blocked the company's product for years.
Kaspersky has yet to comment on Australia's decision.
Meanwhile, according to researchers with Kaspersky ICS-CERT, Chinese-speaking hackers are targeting
industrial organizations across the Asia-Pacific region with the FatalRAT remote access trojan.
The cyberespionage campaign exploits legitimate Chinese cloud services, including Youdao cloud
nodes and Tencent cloud, to evade detection.
The attack focuses on manufacturing, energy, IT, and logistics sectors in Taiwan, China,
Japan, Thailand, and Singapore.
Hackers distribute phishing emails and WeChat or Telegram messages disguised as tax documents
to deliver malware.
The infection process involves multiple evasion techniques, including DLL sideloading and
anti-virtual machine checks.
FatalRAT logs keystrokes, exfiltrates data, and allows remote execution of destructive commands like MBR corruption.
Kaspersky warns of risks to operational technology systems and advises network segmentation, DLL side-loading monitoring, and blocking known indicators of compromise.
Bybit, a major cryptocurrency exchange, reported a cyberattack that led to the theft of $1.5
billion in digital assets.
Hackers exploited a vulnerability in the smart contract logic, gaining control of an ETH
cold wallet and transferring over 400,000 ETH and stETH.
The attack may have involved a flaw in the Safe.Global Platform's user interface.
Despite a surge in withdrawal requests, Bybit assured users their funds remain secure.
CEO Ben Zhao stated the exchange is solvent and can cover the loss with its $20 billion in assets
if needed.
The attack comes amid rising crypto-related cybercrime, with Chainalysis reporting $2.2
billion stolen in 2024, a 20% increase from the previous year.
Apple has removed end-to-end encryption for iCloud in the UK, following secret data access
demands from the government under the Investigatory Powers Act, sometimes referred to as the Snoopers'
Charter.
Security and consumer rights experts are calling for lawmakers to hold the government accountable.
Apple argues that creating an E2E backdoor for the government would compromise all users' security.
Instead, it removed the advanced data protection feature for UK customers, disappointing privacy advocates.
Experts warn this decision could weaken the UK's data security reputation and impact data flows with the EU.
Critics say the move sets a dangerous precedent, emboldening other
governments to demand similar access. Some warn it could lead to compliance issues for businesses
operating in Europe and even threaten the UK's data sharing agreement with the US.
Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited
a Windows Confluence server.
The attackers gained initial access through a remote code execution vulnerability, quickly
deploying Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally
across the network via RDP.
They used RClone to exfiltrate data to Mega.io before executing the ransomware.
PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring
widespread encryption. The entire attack, from initial compromise to ransomware deployment,
was completed in just two hours. The researchers emphasized the importance of patching Confluence vulnerabilities, monitoring
network activity, and restricting remote access to prevent similar intrusions.
This case underscores the growing sophistication and speed of ransomware operations targeting
unpatched enterprise applications.
Security researchers at Tenable
uncovered zero-day vulnerabilities in Fluent Bit,
a widely used logging utility embedded in cloud platforms
like AWS, Google Cloud, and Microsoft Azure.
The flaws stem from null-pointer dereference weaknesses
in the Prometheus remote write and OpenTelemetry plugins,
exposing billions of production environments to cyber threats.
Attackers can crash Fluent Bit servers or leak sensitive data
using simple HTTP requests.
These vulnerabilities affect Kubernetes deployments,
enterprise logging systems, and compliance workflows
with major users including Cisco, Splunk, and VMware.
Patches are available, but unpatched systems remain at high risk.
Experts urge immediate updates, API access restrictions, and security audits
to prevent widespread service disruptions and data leaks.
A PayPal email scam is tricking users into calling scammers by sending fake purchase
confirmations from PayPal's legitimate email address, service@paypal.com.
The scam exploits PayPal's address settings, allowing attackers to insert fraudulent messages
into the Address 2 field.
Victims receive an email stating that their shipping address has changed for a MacBook purchase
and are urged to call a fake PayPal support number.
Once on the call, scammers convince victims to install remote access software,
enabling theft of funds, data, or malware deployment.
The emails bypass security filters because they originate directly from
PayPal's servers. Users are advised to ignore the email, verify their account directly via
PayPal, and not call the provided number. Experts recommend PayPal limit character input in address
fields to prevent abuse.
Republican leaders on the House Energy and Commerce Committee, Brett Guthrie from Kentucky
and John Joyce from Pennsylvania, are requesting public input on how to develop national data
privacy and security standards.
They issued a Request for Information to guide legislation that would protect Americans'
digital data across various services.
The lawmakers acknowledge the challenges posed by rapid technological advancements and conflicting
state and federal laws.
Their request seeks insights on data collection transparency, user consent, and lessons from
international privacy laws.
They also want input on how a federal privacy law would interact with existing regulations
like HIPAA, FCRA, and COPPA. Congress has long debated digital privacy legislation,
but past efforts have failed due to political disagreements. The public can submit responses
by April 7. Lawmakers hope to finally establish baseline privacy protections similar to those
in other Western nations.
The U.S. Justice Department has charged Andrew Shenkovsky, age 29, for purchasing 2,500 stolen
login credentials from the Genesis Market cybercrime marketplace in 2020.
Authorities say he used stolen credentials to steal money from a bank account and attempted
to sell data on RaidForums, a now-dismantled cybercrime site.
Shenkovsky faces charges including wire fraud and identity theft.
His arraignment hearing is this week.
The Genesis market, seized by the FBI in April 2023, had provided cyber criminals access
to stolen credentials.
While 120 people were arrested, the site's administrators remained at large and its dark
web presence later disappeared.
The Justice Department previously charged a Buffalo police detective for buying stolen
credentials from the site.
Coming up after the break, my conversation with Karl Sigler from Trustwave
SpiderLabs.
He's explaining the domino effect of a cyber attack on the power grid.
And Meta sues an Insta extortionist.
Stay with us.
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent
billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year
increase in ransomware attacks and a $75 million record payout in 2024. These traditional security
tools expand your attack surface with public-facing IPs that are exploited by bad actors more
easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously
verifying every request based on identity and context, simplifying security management
with AI-powered automation, and detecting threats using AI to analyze over 500 billion
daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Cyber threats are more sophisticated than ever.
Passwords? They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless.
YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises.
They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers a limited buy one get one offer.
Visit yubico.com slash n2k to unlock this deal.
That's Y-U-B-I-C-O.
Say no to modern cyber threats.
Upgrade your security today.
Karl Sigler is Senior Security Research Manager at Trustwave SpiderLabs.
I recently sat down with him to discuss the domino effect of a cyber attack on the power
grid.
We've been focusing on the security issues, the risks taken on, the threats that are affecting
specific industry sectors.
So we do healthcare, we do hospitality, retail, and right now we're currently focused on energy
and utilities.
Well, let's dig into some of the details here.
You all were tracking ransomware incidents and some of the changes that you've seen in
the past couple years there?
Yeah, and it's actually a little bit surprising just how much ransomware has increased over
the years.
Just this past year, it was up 80% over 2023.
So yeah, these threat actors are not giving up on ransomware at all.
They're doubling, tripling, quadrupling down on the use of ransomware.
One of the things that the research points out is the potential domino effect, as you
put it, of a cyber attack on the power grid.
Can you describe to us what that could entail?
Sure. I mean, we have direct examples of how that cascade, how that domino effect works.
We saw it with the Colonial Pipeline breakdown, if you will.
Ransomware, the threat actors from DarkSide, encrypted the Colonial Pipeline system,
and that basically prevented gas from getting
to the East Coast of the United States.
That outage, which lasted, I think,
a little bit over 18 days, that affected airports,
for instance.
I'm in the land of Georgia, and the Hartsfield Airport
had fueling problems.
Some flights had to be redirected to refuel in new cities.
Some flights were canceled.
That has a direct cascading effect to business meetings, right?
If I can't fly to get to that conference in time, I might lose a business deal.
Same thing for just driving.
This affected the South to a large extent.
And there are a lot of people
that their business is driving around.
It could be delivery, it could be long haul trucking,
things like that.
But if you don't have gas, that business shuts down.
This had a huge economic impact.
Prices of gasoline went up to the highest
it had been in over six years, and that economic impact is absolutely going to
cascade through the entire nation. So yeah, one single little attack can have
real widespread repercussions.
One of the things your research tracks here is
that there's been a real rise in cyber attacks targeting the utilities sector.
Can you add some insight to that?
I mean, what makes them an attractive target?
A lot of things make the utility sector
a very juicy target for these hackers
and criminals out there.
One, it's interdependence with everything, right?
We just talked about the domino effect, the cascade effect.
When you attack gas, water, electricity, you are affecting all kinds of industries and
businesses.
You're basically taking over the supply chain for those critical utilities that we need
to go through our day-to-day activities, whether it's gasoline, whether it's electricity.
And you think of how that might affect a hospital,
for instance.
There was a ransomware attack on a hospital
that required redirecting critically ill,
emergency room-type patients to other hospitals.
There is at least one death associated with that.
So these threat actors, these criminals
know that if they can take a hold of a utility
company, the pressure on that utility company to resolve that issue is massive because of
that cascade effect, because sometimes human lives are on the line.
Colonial Pipeline, they ended up paying the $4 million ransom in that case, which is something
we don't want to get to.
We don't want to have a situation where we're actually funding the criminal underground.
So, yeah, these are really important organizations.
By leveraging attacks against them, you can really twist their arm and get that payout.
And we also see this in just a destructive way.
We see this with the Russia-Ukraine conflict right now where Russia and Ukraine are targeting each other's infrastructures, utility, energy,
gas, you name it. And they don't care about trying to get any sort of economic result
out of that. They're just looking to crash those systems, to cause chaos and to eliminate
resources for the other country.
So there's all kinds of reasons why the energy and utility sector is directly targeted, but
it's just a often vulnerable and very juicy target for a lot of reasons for these criminals.
And what are the techniques and the tactics that you're seeing them use here?
Oh, primarily phishing.
I know every single security talk always talks about phishing, and there's a good reason why
we do it because phishing, especially in this case, was the initial first compromise, that
initial first breach of 84% of the compromises in the energy and utility
sector based on our own research.
And phishing has gotten a lot more difficult to identify.
The days of being able to identify red flags like poor grammar, poor punctuation, not really
knowing the industry that well, especially when it comes to business email compromise.
Those red flags are going away.
A lot of these threat actors are using artificial intelligence to craft their phishing emails
and make them more alluring to their potential victims.
So phishing is absolutely the number one thing that gets them in there and it's probably
should be the number one concern for protection controls that you put
in place.
Where does the utility sector stand in terms of their capabilities for defending themselves?
Are they well resourced to do this or is that an ongoing struggle?
It's absolutely an ongoing struggle. We saw that, let me see that statistic,
yeah, 40% of the US power grid is over 50 years old.
That infrastructure is aging quickly.
And when it comes to technology, things age quicker
than, say, the just old pipelines that used to have.
So that's definitely a huge issue.
And a lot of times it's because they're change-averse.
They're being held to specific regulations,
specific auditing, and they need to make sure
that they are going to pass those audits
every single year or every single month.
So they're not gonna change anything unless it's broken.
You'll find operating systems that have been abandoned,
no longer getting security patches.
All these things make the utility sector a lot more,
they take on a lot more risks than they probably should.
I'll put it that way.
Well, based on the information
that you all have gathered here, what are your recommendations
then? I mean, how should these folks go about best protecting themselves?
You know, a lot of the advice that we've been giving for decades sometimes is still the best
advice. I will say from a mitigation standpoint, just knowing where your assets are,
just doing an inventory, not relying on a network diagram
that somebody put together three years ago,
but know exactly what you have on your networks,
then you can start to get a feel for what risk
those assets may be at.
But if you don't know what you have,
you don't know what risk you're undertaking.
So asset identification is going to help you quite a bit.
Proactive threat hunting, sometimes you
can't wait for these alerts to just pop up on your console.
You have to go searching for this activity.
So ingesting current IOCs for current campaigns
that apply to your business sector,
apply to your organization, and actively looking
for those indicators like malware hashes,
registry keys, things like that,
can help you identify things,
limit the dwell time of those threat actors.
I'd also say that something that's often missing,
I've seen a lot of organizations is
the incident response process.
I see a lot of organizations that are so focused on
proactive prevention of attacks, that once they actually do get attacked, once they've
been compromised in some fashion, they're not sure what to do at that point. They
don't have a good formalized incident response plan in place.
That's Karl Sigler from Trustwave SpiderLabs. We will have a link to their report in our
show notes.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation
to evidence collection across
30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times
faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
And finally, imagine paying rent on your own Instagram account.
That's basically what Idris Kiba was making people do until Meta decided enough was enough.
The company is suing Kiba, accusing him of running an extortion ring called Unlocked
for Life, where he banned and unbanned Instagram accounts for profit.
And he wasn't shy about it.
He bragged on the No Jumper podcast that he had over 200 subscribers and raked in $600,000
a month.
But Kiba wasn't just scamming influencers. He allegedly sent death threats, racial slurs, and even pictures of bloodied victims to those
who didn't comply.
He even demanded $20,000 from one victim to stop harassing them.
Kiba's Unlocked for Life scheme worked by gaming Instagram's reporting system to ban
and unban accounts at will.
Here's how he allegedly did it.
Kiba would submit false reports claiming that a target's Instagram account violated the
platform's rules.
Things like impersonation, hate speech, nudity, or other violations.
Instagram's automated moderation system often acted swiftly, disabling accounts the same
day based
on these reports.
After getting an account banned, Kiba would offer to help restore it for a price.
Victims who paid his fee would see their accounts reinstated, while those who refused faced
threats, harassment, and continued account takedowns. Meta hit back in February 2024 with a cease
and desist, banning his accounts, but Kiba, ever the entrepreneur, just made new ones.
Essentially, Kiba weaponized Instagram's own enforcement system against its users,
turning a security feature into an extortion racket. Now, Meta is suing him.
Let's hope Meta's legal team proves harder to evade than their AI moderators.
And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
N2K's senior producer is Alice Carruth, our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Ivan, Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.