CyberWire Daily - CISA keeps watch on Russia.
Episode Date: March 4, 2025

CISA says it will continue monitoring Russian cyber threats. Broadcom patches zero-days that can lead to VM escape. Google patches 43 bugs, including two sneaky zero-days. CISA flags vulnerabilities exploited in the wild. Palau's health ministry recovers from ransomware attack. Lost and found or lost and leaked? On this week's Threat Vector segment, David Moulton previews an episode with Hollie Hennessy on IoT cybersecurity risk mitigation and next week's special International Women's Day episode featuring trailblazing women from Palo Alto Networks sharing their cybersecurity journeys and leadership insights. And is that really you?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
On our Threat Vector segment, host David Moulton shares previews of two upcoming episodes. On this Thursday's episode, he speaks with Hollie Hennessy, Principal Analyst for IoT Cybersecurity at Omdia, to discuss how attackers exploit vulnerabilities in connected environments and the best approaches for risk mitigation. The next week, on Thursday, March 13th, David shares four conversations with some of the trailblazing women at Palo Alto Networks in honor of International Women's Day and Women's History Month. They share their journeys into cybersecurity, discuss the challenges they faced and offer insights on leadership, innovation, and mentorship. Be sure to tune in for some inspiring stories. Don't miss the full episodes every Threat Vector Thursday; subscribe now to stay ahead. If you're in Austin, Texas for SXSW and want to meet up, email David at threatvector@Paloaltonetworks.com.

Selected Reading
DHS says CISA won't stop looking at Russian cyber threats (CyberScoop)
Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? (Zero Day)
Broadcom Patches 3 VMware Zero-Days Exploited in the Wild (SecurityWeek)
Google fixes Android zero-day exploited by Serbian authorities (Bleeping Computer)
Several flaws added to CISA known exploited vulnerabilities catalog (SC Media)
Palau health ministry on the mend after Qilin ransomware attack (The Record)
Lost luggage data leak exposes nearly a million records (Cybernews)
Lee Enterprises ransomware attack halts freelance and contractor payments (TechCrunch)
TikTok Blasts Australia for YouTube Carveout in Social Media Ban (Bloomberg)
Deepfake cyberattacks proliferated in 2024, iProov claims (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get
your jobs more visibility at indeed.com slash cyber wire. Just go to indeed.com slash cyber
wire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com
slash cyber wire. Terms and conditions apply. Hiring? Indeed is all you need.
CISA says it'll continue monitoring Russian cyber threats. Broadcom patches zero-days
that can lead to VM escape. Google patches 43 bugs, including two sneaky zero-days. CISA
flags vulnerabilities exploited in the wild. Palau's health ministry recovers from a ransomware
attack. Lost and found or lost and leaked? On this week's Threat Vector segment,
David Moulton previews an episode with Hollie Hennessy
on IoT cybersecurity risk mitigation
and next week's special International Women's Day episode
featuring the trailblazing women from Palo Alto Networks
sharing their cybersecurity journeys and leadership insights.
And is that really you?
Today is Tuesday, March 4th, 2025.
I'm Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner.
And this is your CyberWire Intel Briefing. Thanks for joining us on this lovely Tuesday.
Let's get into our Daily Intel Briefing.
The U.S. Department of Homeland Security says the Cybersecurity and Infrastructure Security
Agency, also known as CISA, will continue monitoring cyber threats from Russia, asserting
that media reports to the contrary are false.
The Guardian reported over the weekend that CISA staff received a memo directing them
to prioritize threats from China with no mention of Russia.
Tricia McLaughlin, Assistant Secretary for Public Affairs at DHS, told CyberScoop that
such a memo was never sent, adding,
CISA remains committed to addressing all cyber threats to U.S. critical infrastructure, including
from Russia.
There has been no change in our posture or priority on this front.
The Guardian's story is separate from reports that Defense Secretary Pete Hegseth ordered
Cyber Command to halt offensive operations against Russia during negotiations over the
war in Ukraine.
The Pentagon hasn't officially commented on these reports.
But Bloomberg cites an anonymous senior defense official as saying that Hegseth has neither
canceled nor delayed any cyber operations directed against
malicious Russian targets,
and there has been no stand-down order
whatsoever from that priority.
Kim Zetter at Zero Day has written up a useful summary
that clarifies reporting on these two stories,
and we have a link to that piece in our show notes for you.
Broadcom has issued patches for three
actively exploited zero-days affecting VMware ESX and
any products that contain ESX, including vSphere, Cloud Foundation, and Telco Cloud Platform,
according to a report from SecurityWeek.
Broadcom warns that the vulnerabilities can lead to a virtual machine escaping, stating
that this is a situation where an attacker who has already compromised a virtual machine's guest OS
and gained privileged access, administrator or root, could move into the hypervisor itself.
In March 2025, Google released security updates addressing 43 vulnerabilities in Android,
notably two zero-days actively exploited in targeted attacks.
One of them, identified as CVE-2024-50302, is a high severity information disclosure
flaw in the Linux kernel's human interface device driver.
This vulnerability was reportedly leveraged by Serbian authorities using an exploit chain
developed by Israeli firm Cellebrite to unlock confiscated devices.
The exploit chain also included a USB Video Class zero-day
and an ALSA USB sound driver zero-day,
both discovered by Amnesty International Security Lab in mid-2024.
Google had previously provided fixes for these vulnerabilities to OEM partners in January.
The Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog to include several critical security flaws,
underscoring the importance of timely remediation to protect organizational networks.
The newly added vulnerabilities are a critical path traversal vulnerability in Progress WhatsUp Gold, which could allow
unauthenticated remote code execution; a medium-severity command injection vulnerability
in Cisco Small Business RV Series routers, enabling arbitrary command execution
or authentication bypass. Notably, Cisco has stated it will not release a fix
for this issue. A pair of vulnerabilities,
both affecting Hitachi Vantara Pentaho BA Server,
which could involve special element injection and authorization
bypass, and an improper resource shutdown or release flaw in Microsoft Windows Win32k,
which could be exploited to execute arbitrary code.
Federal agencies are mandated to address these vulnerabilities by March 24, 2025.
CISA strongly recommends that all organizations, regardless of sector, prioritize the remediation
of these vulnerabilities to mitigate potential exploitation risks. And we do have the CVEs
for all these vulnerabilities in our selected reading for you, should you need them.
The island nation of Palau's Ministry of Health and Human Services, or MHHS, is recovering
from a ransomware attack that it sustained on February 17th, according
to a report from The Record.
The ministry attributed the attack to the Qilin ransomware gang, adding that the crooks
were able to exfiltrate data during the incident.
The MHHS stated that, based on the kind of information that's been stolen, MHHS and its
cyber advisors do not perceive any significant impact to the security of
individual Palauans.
However, MHHS recommends that all Palauans remain vigilant against potential fraud and
or phishing emails that may attempt to use this incident as a means of getting you to
release personal information.
The ministry added that the attack was a heinous crime by greedy cybercriminals that has put our ability to provide critical medical care and life-saving emergency services at risk.
A Defend Forward team from U.S. Cyber Command is on site assisting with the investigation.
A recent security lapse exposed 14 unprotected databases containing approximately 820,750, but who's counting, sensitive records totaling
122 gigs from Lost and Found Software, which is utilized by airports across the United
States, Canada, and Europe.
Discovered by cybersecurity researcher Jeremiah Fowler, the breach included detailed information
on lost items, such as medical devices, electronics, wallets, and bags,
and personally identifiable information of their owners. Notably, high-resolution
images of passports, driver's licenses, and other identification documents were
accessible, heightening risks of identity theft and fraud. Additionally, screenshots
of payment confirmations, shipping labels, and original receipts were exposed.
Upon notification, the company promptly secured the databases, and this incident underscores
the critical need for robust data protection measures in handling sensitive customer information.
U.S. newspaper publisher Lee Enterprises is still grappling with a ransomware attack that
occurred on February 3, according to a report from TechCrunch. Freelancers and contractors who work for the company told TechCrunch that
they haven't been paid for their work since the attack took place. One contractor is owed
thousands of dollars and has no timeline for when Lee's payment system will be up and
running again. The enterprise itself has avoided using the term ransomware, but it mentioned
in an SEC filing
that the attackers encrypted critical applications and exfiltrated certain files.
The Qilin ransomware gang last week claimed responsibility for the attack, and the filing
also noted that the incident disrupted distribution of products, billing, collections, and vendor
payments.
In response to Australia's recent legislation that bans social media access for children
under 16, TikTok has criticized the government's decision to exempt YouTube from this ban,
labeling it a sweetheart deal that is illogical, anti-competitive, and short-sighted.
This sentiment is echoed by other tech giants, including Meta Platforms and Snapchat, who
argue that YouTube offers similar features
to those that led to the ban, such as algorithmic content recommendations, and exposure to potentially
harmful material.
Mental health experts have also raised concerns about YouTube's potential to expose children
to addictive and dangerous content, questioning the consistency and fairness of the exemption.
Coming up after our break, we've got our Threat Vector segment with host David Moulton from Palo Alto Networks.
And even your Zoom calls might be catfishing you.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting
your executives and their families at home.
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7-365 with Black Cloak. Learn more at blackcloak.io.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers. I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly
what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when
you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K at checkout.
Our Threat Vector segment has host David Moulton sharing previews of two upcoming episodes.
On this Thursday's episode, he speaks with Hollie Hennessy, who is the principal analyst for IoT cybersecurity at Omdia,
to discuss how attackers exploit vulnerabilities in connected environments
and the best approaches for risk mitigation. The next week, on Thursday,
March 13th, David shares four conversations with some of the trailblazing
women at Palo Alto Networks in honor of International Women's Day
and Women's History Month.
On Thursday, March 6th, I'm chatting with Hollie Hennessy,
principal analyst for IoT cybersecurity at Omdia,
to talk about OT security.
We'll discuss how attackers exploit vulnerabilities
in connected environments
and the best approaches for risk mitigation.
Holly also shares her insights on the evolving risk
posed by IoT devices, from industrial control systems
to consumer technology.
Plus she has a great security joke.
Where did the threat actor go?
I don't know.
You're not gonna wanna miss this episode.
Hollie Hennessy, welcome to Threat Vector. I'm really excited to have you here today.
Hi, thank you so much for having me.
I was recently talking to a journalist about the underrated and the overrated,
the underreported and the overreported in our industry.
Do you look at OT as one of these areas that is
under-reported, under-represented, over-represented,
over-reported? How would you position it
on that kind of quadrant?
Yeah, I think that's an interesting question.
I think if you're looking at cybersecurity,
IT security obviously gets all the kind of
glamour and the glory.
I would say OT security is way smaller a space, so it's a lot more niche.
I don't think everyone is as interested in it.
I don't think everyone understands it as much.
So in that sense, it's kind of under-focused on, I would say.
I obviously find it incredibly interesting.
I think it is super interesting for people
who are kind of perhaps wanting to learn more
about the space.
There's a lot that is different to IT,
but there's also a lot in the cyber security space
on the IT side in general that can kind of transfer over.
If you think of any of the large events,
you're way more likely to see IT security-focused talks.
Technology, there's way less on OT. So, yeah,
I would say it's perhaps underrepresented, but I think
those that are in the space do a good job at showing how
interesting it is and showing why it's so important to kind
of focus on.
Hollie, your research highlights secure remote access, or SRA, as
this key feature in many OT security
platforms. Why has SRA become such a critical capability and how does it impact risk management
and operational resilience? Yeah, so secure access has a lot of promise,
I think. It's one of the fastest growing areas of the market.
So a lot of organizations are looking for this technology, but there's still relatively
decent sizeable gap in the market for vendors to be filling. So in the most recent report,
there's quite a few vendors that are offering this natively. It's much more so than a couple
of years ago. It was kind of a few and far between.
And now there's also a lot partnering
with specialists in this space,
because there are also more point products
that are kind of offering this
to meet that demand from customers.
And I think it really stands out in OT security,
given that these environments and how they're working,
how users are kind of connecting.
There's been a lot of discussion around zero trust in OT,
what that means, and how that translates or looks different to an IT sense.
I think crucially part of that is including users
and everything else that you shouldn't trust,
but secure access is really standing out in terms of that access. Also, the R in that, the remote, I think has kind of now kind of
expanded to access in general. So it's not necessarily remote users, but could be users
who are regularly accessing equipment as well. So being able to monitor that activity, I
think is really useful. Obviously, it enhances visibility, again, within the organization.
But it can be a really useful way to mitigate risk
and reduce that likelihood of a threat in the environment.
Adding that technology into the platform can be useful
because you've already got technology there,
it's already going to kind of factor into your monitoring
and your threat detection activities.
But there's, as I said,
there are a lot more integrations as well
with more of the point products in the space
for secure access.
So let's shift to look into the future a little bit.
The report discusses ongoing convergence
between IT and OT security.
Are we moving toward a fully unified security operation center or SOC?
Or do you see IT and OT security remaining separate for the foreseeable future?
Yeah, so based on my research, it's a bit of a mix at this point in time.
So I would say there are more who have a converged SOC covering both IT and OT rather than a
separate IT and OT SOC.
But it's not the majority.
So there's around 40% that have it converged.
I would say 20% have OT only, and then you've got the rest that are doing it managed,
and then have a third party provider,
or they just have an IT SOC.
So I think something we do know
is that the vast amount of organizations,
whether you have got a separate SOC or not,
you're using OT or IIoT specific tooling rather than IT.
So, you know, they much prefer
to purchase specialist technology rather than IT and kind
of utilizing that in the space.
So I think integrations are really important, whether or not you're doing it separate or
converged.
What really stands out to me is that OT and an industrial internet of things have to be
included from an IT point of view.
I don't think you can be an industrial organization
or a critical infrastructure organization
and be looking at it from just IT.
If you're looking at kind of your risk management,
you need to be factoring in these devices.
So integrating with specialist tech,
regardless of who the kind of provider is,
is going to be really important for a SOC.
On the other hand, you know,
we know that many incidents originate in IT, and then they impact
OT in some roundabout way. So you also can't really silo OT and industrial Internet of
Things. So converging the SOC can alleviate some of those issues and some of the reasons
why more organizations are going down that route.
The next week, on Thursday, March 13th, I'm sharing four conversations with some of the trailblazing women here at Palo Alto Networks.
They'll share their journeys into cybersecurity,
discuss the challenges they faced and offer insights on leadership, innovation, and mentorship.
I cannot express how inspired I was by my peers,
and I am so eager to share those stories.
Kristy Friedrichs, Chief Partnerships Officer
at Palo Alto Networks.
Can we say I've pursued a career in cybersecurity
when it's been about 14 months out of my career?
I was inspired by a couple things.
I have always been drawn to mission-driven organizations.
When I was early in my career, I thought that meant nonprofits, and I spent a little bit
of time both in public education as well as in nonprofits, and I realized that I believed that I could have a better impact in the for-profit sector.
I started my career in consulting, having an impact on my clients and making sure their
businesses were operating effectively so that they could have strong careers and add value
to their customers.
I moved into technology.
My first operating role was in the observability space.
And the mission of that company was to help software run
and perform well.
And when you think about how much of our day-to-day life
is dependent on software,
that felt like an important mission.
But there's nothing that really beats
keeping the digital way of life safe.
So as I was working in observability
and making sure software runs properly,
you could see how much of an opportunity there was
for bad actors to attack software
and really impact people's livelihoods,
people's experiences,
and it just felt like a really important industry.
And what better company to pursue than Palo Alto Networks?
Tanya Shastri, Senior Vice President of Product Management at Palo Alto Networks.
I lead our network security platform and product operation.
In my early part of my career, I did a bunch of networking because I had studied telecommunications
and networking and so on.
I had also done some information theory in my masters and that course had always been
something I wanted to go back to.
So I was very intentional at one point in my career to move to more of a data analytics
insights, machine learning, AI, all those kinds of things.
And through that process, securing data became very important to understand.
And I started working on what we called malicious fault-tolerance systems, Byzantine fault-tolerance,
and so on.
And that kind of segued my interest into security and that's what actually brought me to Palo
Alto through that interest in security.
And it's been so interesting because when it all comes together, actually security is
a, there's a lot of analytics and AI, you know, as part of security.
My name is Salma Manjanda.
I'm a consultant at Unit 42. I think my main inspiration when I came to cybersecurity
was the very first professor I actually had in cyber.
I took a two unit elective in cyber
and I just kind of didn't really know what to expect.
Lo and behold, a semester later, I was totally hooked.
I credit it all to that professor of mine, Joe, from USC.
He changed my outlook on so many different
ways. He challenged me to think a different way and opened me up to a whole new world
of possibilities. And when I decided that I wanted to pursue cybersecurity also, again,
he was my mentor also during college. He really just was very, very encouraging in terms of like helping
guide me through what classes to take, what kind of, you know, career
opportunities there were, and so that whole program just totally changed my
life in many different ways.
My name is Stephanie Regan, principal consultant on the IR team with Unit 42.
Generally, I have always had a mission-driven desire
to help others.
So everything that we do, day in, day out,
whether it's working a ransomware recovery case
or building a better way to respond during crises
or improving protections to prevent crises
from happening in the future, the work that we do, day in and day out, is impactful to the other people that are on
the other side of our services.
I was really attracted to cybersecurity and even just the tech field in general based
on the growth and opportunity that is presented in a rapidly evolving environment.
So tech is changing every single day.
We've seen the advent of AI.
We've seen, gosh, so many different implementations
of new technologies over the years
that the hunger and desire to just keep learning
and growing as the field evolves and change
and pivot to the next technology or the next big thing
is something that's really exciting.
And I just hate stagnation.
So I'm a person that gets very bored or upset
if I'm sitting still and not moving forward
in my career, in my life.
So I was really attracted to cyber and tech,
which in its nature is constantly evolving.
And I get to be a lifelong learner
and continue to grow as the field develops.
If you're in Austin, Texas for SXSW and want to meet up, email me at threatvector at paloaltonetworks.com. I'm always looking for industry leaders
and fascinating guests for the show.
Don't miss the full episodes of Threat Vector every Thursday.
You can find the link to subscribe in our show notes.
Deepfake technology is no longer a futuristic threat.
It's very much here, and it's already wreaking havoc.
Last year, deepfake attacks in video calls surged by a staggering 300%.
Cybercriminals are using AI to impersonate people in real time, bypassing facial recognition
systems and tricking even the savviest professionals.
Even more troubling, these powerful tools are no longer just in the hands of elite hackers.
They're now available in crime-as-a-service markets, making it easier than ever for anyone
to spoof an identity and launch a scam.
The old tricks like asking someone to look left to catch a distortion just aren't cutting it anymore.
This is a serious wake-up call for businesses. Traditional identity verification methods are
quickly becoming outdated. To keep up with these evolving threats, companies need to implement
multi-layer defenses, deploy advanced deepfake detection tools, and, most importantly, train employees to spot these
sophisticated scams.
As deepfake technology continues to evolve at lightning speed, it is essential to rethink
how we verify identities and stay one step ahead of cybercriminals.
So stay vigilant, because those video calls might not be as
real as they seem.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback
ensures we deliver the insights that keep you a step ahead in the rapidly changing world
of cybersecurity. If you like the show, please share a rating and review in your podcast
app. Please also fill out the survey in the show notes or send an email to cyberwire at
n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
N2K's senior producer is
Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester
with original music and sound design by Elliott Peltzman. Our executive producer
is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Maria Varmazis in for
Dave Bittner. Thanks for listening. We'll see you tomorrow.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding
your attack surface, making apps and IPs invisible, eliminating lateral
movement, connecting users only to specific apps, not the entire network, continuously
verifying every request based on identity and context, simplifying security management
with AI-powered automation, and detecting threats using AI to analyze over 500 billion
daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.