CyberWire Daily - Can’t DOGE the inquiry.
Episode Date: June 17, 2025

A House oversight committee requests DOGE documents from Microsoft. Predatory Sparrow claims a cyberattack on an Iranian bank. Microsoft says data that happens in Europe will stay in Europe. A complex... malware campaign is using heavily obfuscated Visual Basic files to deploy RATs. A widely used CMS platform suffers potential RCE bugs. North Korea's Kimsuky targets academic institutions using password-protected research documents. Asus patches a high-severity vulnerability in its Armoury Crate software. CISA's new leader remains in confirmation limbo. Our guest is Brian Downey, VP of Product Management from Barracuda, talking about how security sprawl increases risk. Operation Fluffy Narwhal thinks it's time to rethink adversary naming.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Brian Downey, VP of Product Marketing and Product Management from Barracuda, talking about how security sprawl increases risk. You can find more information about what Brian discussed here.

Selected Reading
Following Whistleblower Reports, Acting Ranking Member Lynch Demands Microsoft Hand Over Information on DOGE's Misconduct at NLRB | The Committee on Oversight and Accountability Democrats (House Committee on Oversight and Government Reform)
Pro-Israel hackers claim breach of Iranian bank amid military escalation (The Record)
Microsoft lays out data protection plans for European cloud customers (Reuters)
New Sophisticated Multi-Stage Malware Campaign Weaponizes VBS Files to Execute PowerShell Script (Cyber Security News)
Chained Flaws in Enterprise CMS Provider Sitecore Could Allow RCE (Infosecurity Magazine)
Beware of Weaponized Research Papers That Delivers Malware Via Password-Protected Documents (Cyber Security News)
Organizations Warned of Vulnerability Exploited Against Discontinued TP-Link Routers (SecurityWeek)
Asus Armoury Crate Vulnerability Leads to Full System Compromise (SecurityWeek)
Trump's Pick to Lead CISA is Stuck in Confirmation Limbo (Gov Infosecurity)
Call Them What They Are: Time to Fix Cyber Threat Actor Naming (Just Security)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report at spycloud.com/cyberwire and see what attackers already know.
That's spycloud.com/cyberwire.

A House Oversight Committee requests DOGE documents from Microsoft.
Predatory Sparrow claims a cyber attack on an Iranian bank.
Microsoft says data that happens in Europe will stay in Europe.
A complex malware campaign is using heavily obfuscated Visual Basic files to deploy RATs.
A widely used CMS platform suffers potential RCE bugs.
North Korea's Kimsuky targets academic institutions using password-protected research documents.
Asus patches a high-severity vulnerability in its Armoury Crate software.
CISA's new leader remains in confirmation limbo.
Our guest is Brian Downey, VP of Product Management from Barracuda, talking about how security sprawl increases risk.
And Operation Fluffy Narwhal thinks it's time to rethink adversary naming.
It's Tuesday, June 17, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great as always to have you with us.
Representative Stephen F. Lynch, Democrat from Massachusetts and acting ranking member of the Committee on Oversight and Government Reform, has requested documents from Microsoft CEO Satya Nadella regarding reports that individuals linked to Elon Musk's Department of Government Efficiency, DOGE, tried to remove sensitive data from the National Labor Relations Board.
According to NPR and whistleblower reports, DOGE staff allegedly used high-level access to exfiltrate data, possibly including union activities, and hid their actions by deleting logs and installing backdoors.
A DOGE engineer reportedly wrote code titled NXGenBDoorExtract and uploaded it to GitHub, which is owned by Microsoft.
Lynch raised concerns over potential misconduct, privacy violations, and conflicts of interest given Musk's history with the NLRB.
In April and May of this year, congressional Democrats launched investigations into Musk and DOGE's alleged interference and data breaches at the NLRB.
A hacking group known as Predatory Sparrow, believed to be tied to Israeli intelligence, claimed a cyberattack on an Iranian bank.
The group says the strike was in retaliation for the bank's alleged role in funding Iran's military and nuclear programs.
The attack disrupted banking services and reportedly affected gas stations, delayed salaries, and closed some branches.
The group claims support from "brave Iranians" and vowed to target institutions backing "the dictator's terrorist fantasies."
The hack follows rising tensions, including Israeli strikes on Iranian facilities and cyber retaliation by pro-Iranian groups.
Predatory Sparrow has previously hit Iran's steel and fuel sectors.
While Iran has not commented, experts see escalating cyber conflict between Iran and Israel, with hacktivists warning regional allies of Israel that they could be targeted too.
Microsoft announced that data from its European cloud customers will remain in Europe, comply with EU laws, and be managed by local staff.
This move addresses growing concerns about foreign access to sensitive data.
Microsoft also confirmed that any remote access by its engineers will be approved and monitored by European personnel.
The company is expanding its cloud and AI operations in the region and plans to launch a sovereign private cloud, now in preview, by the end of the year.
Researchers at Census have uncovered a complex malware campaign using heavily obfuscated Visual Basic Script (VBS) files to deploy remote access trojans.
Recently discovered, the attack unfolds in three stages, beginning with bloated VBS droppers that decode Base64 payloads and launch PowerShell scripts.
These scripts fetch additional malware from platforms like Archive.org, where payloads are hidden in JPEG images.
The campaign delivers RATs such as Remcos, AsyncRAT, DCRat, and LimeRAT.
It uses resilient infrastructure via DuckDNS.org to avoid takedowns.
Though similar to attacks by the Blind Eagle group, attribution is unconfirmed.
Researchers advise disabling macros, filtering emails, and monitoring PowerShell use to reduce risk.
The campaign's advanced obfuscation and use of legitimate hosting services make detection and response especially challenging.

watchTowr has revealed seven serious vulnerabilities in Sitecore,
a widely used CMS platform powering major companies like HSBC, United Airlines, and L'Oréal.
Three of the flaws, disclosed in a June 17th report, enable unauthenticated remote code execution on Sitecore Experience Platform 10.4.1.
A key issue is a hard-coded default password which, when combined with two post-auth RCE bugs, creates a full pre-auth RCE chain.
watchTowr found over 22,000 exposed instances and warned the actual number is likely much higher.
The vulnerabilities were patched in May after Sitecore was notified in February. No CVEs have been assigned yet.
watchTowr urges immediate patching and credential rotation, warning of the high risk to enterprise environments.
Four more flaws will be detailed in a future report.
A new malware campaign by North Korea-linked Kimsuky is targeting academic institutions using password-protected research documents to deliver multi-stage malware.
Disguised as review requests from professors, phishing emails contain Hangul Word Processor files with malicious OLE objects.
These bypass security tools and trick recipients into opening them, launching a sophisticated infection chain.
Upon activation, the malware installs six files, performs system reconnaissance, and establishes remote access using AnyDesk.
The campaign exploits academic trust and collaboration, making detection harder and expanding risks to connected government and private networks.
The malware uses obfuscation techniques and disguises malicious actions under the appearance of legitimate documents.
Analysts warn this campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urge institutions to remain vigilant.
Asus has patched a high-severity vulnerability in its Armoury Crate software, which could allow attackers to gain full system access.
The flaw, an authorization bypass caused by a time-of-check time-of-use issue, was discovered by Cisco Talos.
Attackers can exploit it by creating a hard link to bypass restrictions on a driver used by Armoury Crate.
The bug affects multiple versions, and users are urged to update immediately to avoid privilege escalation risks.
Sean Plankey, President Trump's nominee to lead CISA, remains in confirmation limbo due to procedural delays and a Senate hold.
Plankey, a former DOE and NSC cybersecurity official, missed his June hearing over an incomplete FBI clearance, causing some confusion and postponements.
Despite bipartisan support for his qualifications, his nomination is blocked by Senator Ron Wyden, who demands CISA release a 2022 report on telecom vulnerabilities linked to the Salt Typhoon hack.
Wyden accuses CISA of covering up critical cybersecurity failures and says public release of the report is vital.
The delay hampers a major overhaul at CISA, including proposed budget cuts and staff reductions.
With former acting director Bridget Bean gone, staff are concerned about leadership gaps and the agency's uncertain future under incoming Trump appointees.

Coming up after the break, my conversation with Brian Downey from Barracuda.
We're talking about how security sprawl increases risk.
And Operation Fluffy Narwhal thinks it's time to rethink adversary naming. Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game.
Vanta. GRC. How much easier trust can be.
Get started at vanta.com/cyber.

And now a word from our sponsor, Cloud Range.
Cybersecurity isn't just a technology issue, it's a people challenge.
While tools can detect threats, it's the humans who decide how to respond.
That's why Cloud Range uses immersive simulation-based training to build real-world instincts and confidence.
This approach helps transform good security teams into great ones, ready to face today's evolving threats.
Discover how Cloud Range is empowering defenders at www.cloudrange.com.
Brian Downey is VP of Product Management at Barracuda.
I recently sat down and talked with him about how security sprawl increases risk.
We started talking to our customers and we started to hear the concerns they were having around the management of multiple security tools and how that was impacting them, really focusing on the operational inefficiencies.
But as we dove in, we started to see both the operational inefficiencies, but it started to also highlight there were some security concerns with running multiple tools as well.
Well, let's dig into some of the numbers here.
There's some really interesting stats in the report.
What are some of the things that rose to the top for you that really caught your attention?
Yeah, I'd say there was kind of three different angles
that really I thought were interesting.
First of all, it just seems like a ubiquitous problem.
You know, I've been telling a lot of people I entered
as I started getting into working with a lot
of managed service providers a couple years back.
I remember our goal was trying to figure out
how we could get them to start using security tools
and have those conversations with their clients.
There was almost a hesitancy to it.
And now when we looked at this report,
we saw almost two thirds, 65% of people that responded said,
our challenge is now pivoted.
They feel like we're juggling too many security tools.
So you're kind of seeing the tide change
where at first it was trying to get them
to start leveraging the tools they needed. Now they're saying, hey, wait a second, I need to
tap out. I'm having too many. I also thought it was interesting when we were looking at, we expected,
as you saw more security tools, you'd expect to see some impacts and cost and efficiency.
And that was confirmed, about 80% saying that this resulted in more time and cost they were
spending.
But the really surprising one for me was almost the same number, 77% said the number of tools
was hindering their ability to detect and mitigate threats.
And I thought that that was really surprising to see that number so high.
Hmm.
Well, what leads to this?
Why do organizations end up over provisioned when it comes to their security tools?
I think it's a necessary evil right now in security where the reality is, as you're seeing that kind of expanding attack surface, we are seeing more and more customers requiring a lot of different tools to be able to support the security needs that they have and their clients have.
So I think that there is a necessity to run it, but I think that what we're seeing now is that the vendor landscape really hasn't provided enough assistance in helping people run that kind of plethora of security tools that they're required to effectively secure them.
And, you know, that's starting to lead to all sorts of new challenges, like I said, both time and cost, but also, you know, really simple things, you know, when you start looking at it, you know, configuration issues, so having tools that are out there and having misconfigurations in them.
Even when we saw that in the most recent Verizon data breach report, they talked about about a third of issues that are discovered in breaches that occur, occur from a poorly configured configuration or poorly configured tool.
And you can see how that connects directly to this.
As you see more and more tools, how are you making sure as things change, as you add new
users that they're configured correctly?
That's where there's a real, we're starting to see some real challenges associated with
that.
And I think that's where the vendor community has to step up and help customers with that.
When I think about this problem, I can't help wondering if part of this is a hesitation
to get rid of something, to get rid of a tool because I think there's
a natural fear that if I get rid of a tool and then a breach occurs and that may have
been the tool that could have stopped the breach, boy am I in trouble now, right?
There's an emotional component there.
Do you think there's anything to that line of thinking or am I off base there?
No, I think there is.
I think we're definitely seeing more and more people that are holding on to maybe security
tools that aren't needed or they have duplicate of tools.
So I definitely think that that's a portion of it.
I think even as you get past that side of it, I think it's still the concepts of layered
security and what attackers can now do with AI.
I think that it does require a pretty solid stack of tools
right now to effectively secure even a small company,
let alone larger and mid-sized companies.
And I think that that's something
that is going to become a necessity as we move forward.
The companies really adjust their operations
to be able to support multiple tools in their environments.
Well, you mentioned AI.
What part, if any, does that play in people's ability
to dial down the number of tools that they have running?
I think it might help in some ways
because I think tools can get more powerful. I think that
you will see tools be able to expand to maybe areas that would have required two or three in the past,
but I really think where AI can help even more, and this is where we're focusing a little, is
trying to help with the management overhead of those tools. I think AI is really good at doing
things like identifying when you have a misconfiguration, for example.
You know, it can understand those anomalies and be able to help you react to them. And that's something that we've done with our Barracuda One platform.
It's, if we look at it and stipulate to the reality that you're going to need multiple tools, that might be able to be a little more controlled than today, but it's probably going to be a reality we're going to live with that you're going to have a lot of tools out there and you're going to have a lot of change in your environment.
I think what we need to do is say, how do we simplify the management?
How do we make sure that those tools can learn off one another and provide more value as
you add tools rather than see that diminished value that the customers were saying in the
survey.
So what are your recommendations then for people to get on top of this?
I think it's really kind of,
I think you're right, I think the first one
is kind of the inventory of what do you really need?
What are you trying to protect against?
Security is at the end of the day, security's a how.
It's everything we're doing is a means to an end.
The end that we're trying to do is reduce risk.
So I do think you need to look at that lens and say,
how do all of these fit into my strategy
around reducing risk?
What value are they providing?
And are they really kind of additive to my environment?
Because I think that you don't want
to be the hoarder of security tools.
You want to have a lean relationship.
But then I think you want to then step back and say, OK,
now based on that, how do I want to manage these? How do I do this in a way that's going to be effective for my
environment? And I think that that's where there's a lot of platform oriented tools that can help you.
You know, Barracuda, you know, our platform focuses on that, but there's a lot of others
in the industry as well, where you can start to look at, you know, how can you actually take and
leverage technology
to be able to not only secure yourself,
but to be able to apply that security
in the right way that's effective for you.
Have you seen examples of folks
who are having success here,
who have put a system in place
where they're able to really dial it in effectively?
I mean, are there common elements for those organizations who seem to be doing well here? Yeah, I think I've seen a lot of customers that
we've worked with that have done that, and I'm sure there's others as well. I think the big thing is
being able to understand how they're answering certain questions, when I think about it, if you really make it very basic, it's,
what security do I have deployed where?
How do I need that configured and what's within those parameters and what's drifting?
You need to be able to answer those questions somehow.
I think there's a lot of tooling out there that can help you, but if you can't answer those,
you should realize that's a big risk for your environment.
And I think this problem's exacerbated when you look
at people like managed service providers,
where you have a single IT shop that's managing dozens
or even hundreds of customers, you can see how the problem
gets bigger and bigger and bigger at that level of scale
and differentiation between those accounts.
Can we touch on integration a bit here?
I mean, I think people want their tools to be able to talk to each other and, you know, get a result where the whole is greater than the sum of the parts.
How important is integration in selecting these tools?
Yeah, I think integration has to be kind of one of the foundational parameters you select
when you're selecting a tool or look at when you're selecting a tool.
And that's something that, you know, we saw even in this survey, we saw the majority of
people surveyed said their tools can't be integrated.
I think integration comes in multiple forms.
I think there's operational integration around being able to talk about some of the things
that we talked about, be able to manage them,
ensure that they're configured,
and all of those types of things in an effective way.
But then there's also the second side of it,
which is the alerts these tools are providing
back to the customer.
Security's always been something where the power is in correlation of information, being able to understand: I see something that looks suspicious on the network, I see something that looks suspicious in user behavior, I see something that looks suspicious on the endpoint itself.
All three of those might just be seemingly a little bit suspicious, but all three combined might be a massive risk.
So I think customers need to look at both sides
of integration, they need to look at how am I integrating
the operational management of these tools,
as well as then how am I taking the data
that pours out of these tools and being able to correlate
that and integrate it together to be able to find
more advanced threats more easily.
When you look at this report as a whole,
what are the take-homes for
you? What do you hope security folks get out of it?
I think security folks have to start understanding kind of what is the hub in their hub-and-spoke model of security.
I think that as you look at the vendor landscape and as
you look at the tools that you're using, you need to start creating that consolidation point.
Again, that's both from an operational standpoint as well
as from a threat and threat analysis standpoint.
But you need to build off a core and then you need to
start continuing to add tools and they might be part of
that vendor's portfolio or third parties,
but they need to be able to integrate back to
that core and provide that consistency.
So that's the biggest thing I would encourage vendors, I mean customers, to really understand: kind of what is the core of their security? What is that hub and spoke?
Where do they go to as a source of truth when it comes to the risks that are in their environment?
That's Brian Downey from Barracuda.
And finally, when a Russian military unit hacks an election, but we call them Fancy Bear, it's no wonder folks think cybersecurity is some elaborate comic book.
In a sharply wry op-ed for Just Security, Jen Easterly and Ciaran Martin argue it's time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation states and criminals.
Microsoft and CrowdStrike's recent alliance to align threat actor names is a welcome baby step, but Easterly and Martin say it's not enough.
Until the cybersecurity world adopts a single, clear, vendor-neutral naming system, we'll keep confusing defenders and glamorizing adversaries.
The idea that naming can't be standardized is, they argue, nonsense.
We do it in medicine, defense, and even for missiles.
So why not malware?
It's time to ditch the marketing mascots.
Let's trade "Charming Kitten" for "Iranian espionage" and call the cyber criminals what they are, without the flair. Hallelujah.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There's a link in the show notes and we do hope you'll check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.