CyberWire Daily - Chalk one up for defenders.

Episode Date: September 9, 2025

The open source community heads off a major npm supply chain attack. The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia. Scammers abuse iCloud Calendar invites to send callback phishing emails. Researchers discover a new malware variant exploiting exposed Docker APIs. Phishing attacks abuse the Axios user agent and Microsoft’s Direct Send feature. Plex warns users of a data breach. Researchers flag a surge in scans targeting Cisco ASA devices. CISA delays finalizing its incident reporting rule. The GAO says federal cyber workforce figures are incomplete and unreliable. Our guest is Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education going back to school. AI earns its own Darwin awards.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education going back to school.

Selected Reading

- Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack (Bleeping Computer)
- Open Source Community Thwarts Massive npm Supply Chain Attack (Infosecurity Magazine)
- US sanctions companies behind cyber scam centers in Cambodia, Myanmar (The Record)
- New Apple Warning, This iCloud Calendar Invite Is Actually An Attack (Forbes)
- New Docker Malware Strain Spotted Blocking Rivals on Exposed APIs (HackRead)
- Axios User Agent Helps Automate Phishing on “Unprecedented Scale” (Infosecurity Magazine)
- Plex Urges Password Resets Following Data Breach (SecurityWeek)
- Surge in networks scans targeting Cisco ASA devices raise concerns (Bleeping Computer)
- CISA pushes final cyber incident reporting rule to May 2026 (CyberScoop)
- US government lacks clarity into its infosec workforce (The Register)
- AI Darwin Awards launch to celebrate spectacularly bad deployments (The Register)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. At Thales, they know cybersecurity can be tough, and you can't protect everything.
Starting point is 00:01:00 But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. The open source community heads off a major npm supply chain attack. The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia.
Starting point is 00:01:57 Scammers abuse iCloud calendar invites to send callback phishing emails. Researchers discover a new malware variant exploiting exposed Docker APIs. Phishing attacks abuse the Axios user agent and Microsoft's Direct Send feature. Plex warns users of a data breach. Researchers flag a surge in scans
Starting point is 00:02:16 targeting Cisco ASA devices. CISA delays finalizing its incident reporting rule. The GAO says federal cyber workforce figures are incomplete and unreliable. Our guest is Kevin Magee, Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education and going back to school. And AI earns its own Darwin Awards. It's Tuesday, September 9, 2025.
Starting point is 00:02:57 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here. It is great to have you with us. A major supply chain attack targeting the npm ecosystem was stopped thanks to the rapid response of the open source community. Attackers compromised the npm account of well-known developer Josh Junon, also known as Qix, publishing malicious versions of widely used packages
Starting point is 00:03:37 such as chalk and strip-ansi. The malware acted as a crypto-clipper, swapping wallet addresses or hijacking transactions to steal cryptocurrency. The malicious packages were live for only a few hours before npm and maintainers removed them. Researchers noted that the attack chain was sophisticated, but losses were minimal, estimated at just $20 to $66, thanks to fast community detection. Reports showed developers flagged the threat within 15 minutes, with some packages taken down in under an hour. Experts stressed that while any compromise is serious, this was not the biggest supply chain
Starting point is 00:04:20 attack ever. Instead, it highlighted the strength of open-source collaboration in preventing widespread damage. The U.S. Treasury Department has sanctioned individuals and companies tied to cyber scam centers in Myanmar and Cambodia that have defrauded Americans of over $10 billion. The measures target Burmese, Cambodian, and Chinese nationals running forced labor compounds where victims are trafficked, abused, and forced to carry out scams. In Myanmar, sanctions focus on Shwe Kokko, a hub run by military leaders of the Karen National Army, who profit by trafficking workers and supporting scam operations.
Starting point is 00:05:04 In Cambodia, the crackdown hit casino-linked scam centers tied to Chinese gangs and billionaire Try Pheap. Officials said these sanctions aim to disrupt industrial-scale fraud while combating human trafficking and modern slavery in the region. Apple has issued a warning after scammers were found abusing iCloud calendar invites to send callback phishing emails disguised as purchase notifications. The scheme embeds fake payment alerts, such as a $599 PayPal charge, into the invite's notes field. Since these messages come from Apple's legitimate servers, they bypass spam filters and appear authentic. Victims are urged to call fraudulent numbers, where attackers attempt to trick them into downloading malicious software.
Starting point is 00:05:53 Experts advise treating calendar invites with the same caution as suspicious emails. Researchers at Akamai have discovered a new malware variant exploiting exposed Docker APIs, evolving from a campaign first seen in June. Unlike the earlier strain that deployed a crypto miner, the updated version now blocks external API access, gains host-level control, and installs persistence tools, indicating preparation for larger operations. The malware uses a Go-based binary dropper, scans for other vulnerable servers, and spreads itself, suggesting early botnet development. It also removes competing crypto-miner containers to dominate infected systems. Notably, the code includes inactive routines for Telnet and Chrome's remote debugging, hinting at future
Starting point is 00:06:48 expansion. Akamai's honeypot analysis revealed indicators of compromise tied to Tor domains and webhook addresses. Security experts warn that attackers are shifting from quick profits toward infrastructure building, urging Docker users to secure APIs and monitor activity closely. ReliaQuest has reported a sharp surge in phishing attacks using the Axios user agent and Microsoft's Direct Send feature. Between June and August of this year, Axios-driven phishing activity jumped 241%, accounting for nearly 24% of all malicious user agent traffic, 10 times higher than any
Starting point is 00:07:31 other agent. Axios-enabled campaigns had a 58% success rate compared to just 9% for other incidents, with success climbing to 70% when paired with Direct Send. Initially aimed at executives in finance, health care, and manufacturing, the attacks now target regular users. Axios, a lightweight HTTP client, allows attackers to easily intercept, replay, and manipulate HTTP requests, bypassing MFA and hijacking session tokens. Its legitimacy helps it evade filters, unlike more suspicious tools. ReliaQuest urged organizations to disable Direct Send, if possible, tighten email security, and train users to recognize phishing red flags.
Starting point is 00:08:20 Popular streaming platform Plex has warned users of a data breach in which attackers accessed emails, usernames, hashed passwords, and authentication data from one of its databases. The company stressed that the breach was contained and the risk of cracked passwords is low, but urged users to reset their passwords immediately and sign out of all connected devices. Plex has blocked the attacker's access, launched a security review, and advised customers to watch for phishing attempts. The number of affected users remains undisclosed. Cybersecurity researchers have flagged a surge in scans
Starting point is 00:09:01 targeting Cisco ASA devices, raising concerns of a possible upcoming vulnerability. GreyNoise observed two major spikes in August, with up to 25,000 IPs probing ASA login portals and Cisco IOS Telnet/SSH. One wave, largely driven by a Brazilian botnet, used Chrome-like user agents and focused on U.S. systems. Similar spikes often precede new flaw disclosures. Admins are urged to apply patches, enforce MFA, and restrict direct access.
Starting point is 00:09:39 CISA has delayed finalizing its rule requiring critical infrastructure operators to report major cyber incidents until May 2026, seven months past the original deadline. The rule, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requires reporting cyber attacks within 72 hours and ransomware payments within 24. Officials say the delay allows more time to streamline requirements, reduce industry burden, and harmonize with other federal regulations. Lawmakers and industry groups welcomed the extension, if it ensures stakeholder input is incorporated,
Starting point is 00:10:21 though some criticized CISA's lack of progress. The law, inspired by attacks like the Colonial Pipeline hack, will have wide impact across sectors once implemented. The GAO says federal cyber workforce figures are incomplete and unreliable. Across 23 civilian agencies, DOD excluded, it counted at least 63,934 full-time cybersecurity employees, costing $9.3 billion annually, plus just over 4,000 contractors costing $5.2 billion, but most agencies lack quality data. 22 reported only partial or no contractor data.
Starting point is 00:11:07 19 had no data quality checks. 17 lacked standard criteria for who qualifies as a cyber employee. GAO faulted the ONCD and OMB for lacking plans to improve data, noting a key working group paused in February, and it's unclear if it resumed after Sean Cairncross's August confirmation. GAO recommended closing data gaps, standardizing roles, improving reporting quality, and assessing workforce effectiveness. While Biden-era initiatives began in 2023, their current priority is uncertain, hindering sound staffing and security decisions.
Starting point is 00:11:56 Coming up after the break, Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security, discusses cybersecurity education as we head back to school. And AI earns its own Darwin Awards. Stay with us. Compliance regulations, third-party risks, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:12:39 If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical.
Starting point is 00:13:22 A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, G-R-C, just imagine how much easier trust can be. Visit Vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A.com slash cyber.
Starting point is 00:14:03 With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside. So being a fan for life turns into the future trip of a lifetime. That's the powerful backing of Amex. Pre-sale tickets for future events subject to availability and varied by race. Terms and conditions apply. Learn more at amex.ca slash Yanex.
Starting point is 00:14:27 It is always my pleasure to welcome back to the show Kevin Magee. He is the Director of Cybersecurity for Microsoft for Startups. Kevin, welcome back. Hi, Dave. Glad to be back. So it is that time of year, the most wonderful time of the year, when the kids go back to school. And so we thought today we would do a little Dave and Kevin back to school edition.
Starting point is 00:14:49 What do you got for us today, Kev? Well, we both have our kids off to school. It's the happiest day of the year for parents, which is great. But one of the things that we've explored over the years is just the skills gap. But from a different perspective of how do we really address the skills gap in a positive manner? And that's making sure that we're providing educational opportunities to bring in folks from outside the industry and to provide opportunities for those within the industry to grow different skills. Because if you're super technical and you just go for another certification and
Starting point is 00:15:21 technical aspects of the industry, it's not preparing you for a leadership role. It's not preparing you to be a manager to recruit and motivate and mentor your staff. So I've always seen this leadership gap challenge within our industry that I thought was really something we needed to address. And I've had an opportunity to work with a couple of universities to develop some programs over the last little while. And doing a survey of what's available in the U.S., and I'm Canadian, of course, in Canada, I'm very pleased to see sort of where we're headed with some of the educational opportunities available. Well, before we dig into some of the specifics, can we stay at a high level for a second? And let me just put on my skeptical hat
Starting point is 00:16:02 for a minute and ask, are you convinced that the notion of a skills gap is a real thing? Because not everybody is. I'm on record, I think, extensively on this podcast saying, no, I don't think there's a skills gap. I meet with students every day in my role and through my connections with universities and colleges that are desperately trying to get in the industry but can't find a job. And then I meet with employers who are trying to hire, they just can't hire. It's not a skills gap. It's a skills mismatch gap. We want someone with five years experience. We want someone with leadership experience.
Starting point is 00:16:39 And again, what are their options? A lot of the young people come to me and say, well, I've got five certifications, should I do another? It's hard to differentiate yourself. It's hard to demonstrate real world experience. It's hard to match up those two sides. And I think that's because we're just not a mature industry like plumbers. There's a very clear way to become a plumber. There's a very clear way to become an accountant.
Starting point is 00:17:01 There's a very clear way to become a doctor or a lawyer with an apprenticeship or an internship or an articling process or whatnot. We're just not there yet, but we're headed in that direction. Well, let's talk about some of the specifics then. I mean, in terms of maturation, where does the industry stand? Well, I've had some first-hand experience with the University of Guelph, where I did my master's degree. We created a threat intel program, which was a combination of practical skills, but then also theoretical knowledge, which involved a capstone project, working with companies and cyber leaders to build something out in the real world. The university recruited a board of prominent cybersecurity professionals.
Starting point is 00:17:45 They could come in and provide guest lectures and really provide that real-world experience. What was great for the students is they got to interact with people actually doing the jobs. And what was great for the employers is they got a firsthand look at some of those folks that are actually the brightest and up-and-coming, and we could give feedback then at the university for what could be changed to make the program better. A number of colleges in Canada, I'm not sure if it's the same in the U.S., have these advisory boards where they bring in the industry folks to help with curriculum. I'm on a number of them. So I really encourage anyone who wants to look at joining the board of directors or whatnot.
Starting point is 00:18:20 This is a good gateway to learn the skills to work with an educational facility in a board advisory manner. But to just go through the curriculum, provide feedback, real-world experience into those programs is really making a difference. Now, Guelph is actually launching a leadership program in combination with the business program to combine, you know, what are the leadership qualities and what are the management qualities that you need to learn to be a successful leader, but within the cyber range, which is completely different from managing in any other business context. What does that provide for the person new to the
Starting point is 00:19:00 industry to walk in with classroom experience in leadership, classroom training in leadership, but still lacking that time with an organization, that five years of experience that everybody seems to want these days? I think it's going to be difficult to walk into maybe a SOC and manage a SOC without any sort of experience. But there's so many other roles that are popping up in our industry now that just didn't even exist maybe a year ago or whatnot that are going to require different skills. So managing risk from a compliance management or automating compliance. We have
Starting point is 00:19:36 teams now that are involved in creating basically SOAR for compliance solutions, completely different skill set than managing a SOC. But the fundamentals of leadership and management are universal. So there's an opportunity for experienced managers to come from other fields into our industry and maybe bring interesting things from what happens in those industries to ours. The great example I've always used: I sat on a hospital board for a number of years, and we started every board meeting with the chief nursing officer doing a near-miss analysis, where we went over a potential bad thing that could have happened, and what the organization learned from that. Now, that's something I've brought to my current cyber role to say, let's not wait until something bad happens. Let's discuss
Starting point is 00:20:17 near-misses and how can we improve and get better. So I think it's a chance to bring other folks from other industries maybe into the fold and expand our talent pool, but then also give those technical people that maybe have a computer science degree with no management experience or skills that opportunity to move up into leadership positions and be successful. What's your advice for the folks who are actually heading back to school as we're recording this? I mean, to increase their odds of being the one who's selected when they graduate or when they decide they want to enter the market, what are your recommendations for the breadth of things they should have under their belt?
Starting point is 00:20:59 I think when we started out in our generation, you were the computer guy and you had to know everything about the computer, and that was fine. And our industry is really evolving to sort of niche specializations. So exploring different aspects of what is available in terms of career: is it forensics you're interested in? And you're seeing a lot of cyber law programs that are evolving now, where you're not really training to be a lawyer,
Starting point is 00:21:26 but you're training to understand how to administer compliance and whatnot. I think thinking beyond the careers available in cybersecurity are just penetration testing and configuring firewalls to the greater depth and breadth of the careers that are available and explore those because there's fascinating opportunities in sort of privacy and consent management. The explosion of AI is going to create
Starting point is 00:21:50 all sorts of new challenges and problems that we're going to have to address as security professionals as well. So interdisciplinary skills are fantastic, bringing like law or some other aspect to the cybersecurity space, but then also finding a niche that really resonates with you as well.
Starting point is 00:22:09 So you stand out, not a generalist now, a specialist. I think that's where we're headed. And the market for the educational offering seems to be headed in that direction as well. Let me flip it for you then. I mean, what about for the employers? What part can they play in addressing this skills mismatch as you describe it?
Starting point is 00:22:30 Yeah, I think the Guelph example where we brought in 40 or 50 different companies to advise, great opportunity to engage directly with the students, provide feedback on the training. But also, the more you're engaged and involved in these programs, the first look at the best talent is yours. So you get to pick out that talent and maybe make that offer before anyone else as well. So you can't just really wait around for someone to pop up on the radar that has all the skills that you're looking for and all the aspects. I think really, you know, we need to start looking at developing talent and taking responsibility for that. And I find that the organizations that are hiring the best talent and moving those talent through a process of promotion and whatnot
Starting point is 00:23:14 and getting them really engaged quicker are the ones that are very invested right from the very beginning of the pipeline. Kevin Magee is Director of Cybersecurity for Microsoft for Startups. Kevin, thanks so much for taking the time for us. Great. Thanks, Dave. Did you lock the front door? Check. Close the garage door?
Starting point is 00:23:46 Yep. Installed window sensors, smoke sensors, and HD cameras with night vision? No. And you set up credit card transaction alerts, a secure VPN for a private connection, and continuous monitoring for our personal info on the dark web? I'm looking into it. Stress less about security.
Starting point is 00:24:02 Choose security solutions from TELUS for peace of mind at home and online. Visit telus.com slash total security to learn more. Conditions apply. Wait, I didn't get charged for my donut. It was free with Tim's rewards points. I think I just
Starting point is 00:24:17 stole it. I'm a donut stealer. Ooh. Earn points so fast, it'll seem too good to be true. Plus, join Tim's rewards today and get enough points for a free donut, drink, or timbits. With 800 points after registration, activation, and first purchase of a dollar or more. See the Tim's app for details at participating restaurants in Canada for a limited time. And finally, it was perhaps only a matter of
Starting point is 00:24:49 time before the Darwin Awards, a long monument to human misadventure, spawned an AI edition. The 2025 AI Darwin Awards honor not tragic self-removal from the gene pool, but the hubris of deploying machine intelligence where wisdom plainly did not follow. Consider Taco Bell's drive-through AI, whose grasp of natural language proved as tenuous as its tortillas. Or Replit's vibe-coding episode, in which an over-eager model dutifully ignored instructions and annihilated a production database, proof that "do not touch" is irresistible to algorithms and toddlers alike. McDonald's, meanwhile, entrusted 64 million job applicants' data to a chatbot felled by the mighty password 123456.
Starting point is 00:25:42 The awards remind us AI is merely a tool, although one with global reach, zero patience, and alarming enthusiasm. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:26:29 Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
