CyberWire Daily - CVE program gets last-minute lifeline.
Episode Date: April 16, 2025

The CVE program gets a last-minute reprieve. A federal whistleblower alleges a security breach at the NLRB. Texas votes to spin up their very own Cyber Command. BreachForums suffers another takedown. ... A watchdog group sues the federal government over SignalGate allegations. The SEC Chair reveals a 2016 hack. ResolverRAT targets the healthcare and pharmaceutical sectors worldwide. Microsoft warns of blue screen crashes following recent updates. On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the EC-Council® Certified Ethical Hacker (CEH) exam. 4chan gets Soyjacked.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment

Welcome to CertByte, a bi-weekly segment hosted by Chris Hare, a content developer and project management specialist at N2K. In each segment, Chris is joined by an N2K Content Developer to help illustrate the learning. This week, Chris is joined by Troy McMillan to break down a question targeting the EC-Council® Certified Ethical Hacker (CEH) exam. Today's question comes from N2K's EC-Council Certified Ethical Hacker CEH (312-50) Practice Test. Have a question that you'd like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K's full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. To get the full news to knowledge experience, learn more about our N2K Pro subscription at https://thecyberwire.com/pro.

Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.
Selected Reading

Funding Expires for Key Cyber Vulnerability Database (Krebs on Security)
CISA extends funding to ensure 'no lapse in critical CVE services' (Bleeping Computer)
CVE Foundation (CVE Foundation)
NoVa govcon firm Mitre to lay off 442 employees after DOGE cuts contracts (Virginia Business)
Federal employee alleges DOGE activity resulted in data breach at labor board (NBC News)
Whistleblower claims DOGE took sensitive data - now he's being hounded by threatening notes (CNN via YouTube)
New state agency to deal with cyber threats advances in Texas House (Texarkana Gazette)
BreachForums taken down by the FBI? Dark Storm hackers say they did it "for fun" (Cybernews)
Here's What Happened to Those SignalGate Messages (WIRED)
After breach, SEC says hackers used stolen data to buy stocks (CNET)
New ResolverRAT malware targets pharma and healthcare orgs worldwide (Bleeping Computer)
Microsoft warns of blue screen crashes caused by April updates (Bleeping Computer)
Infamous message board 4chan taken down following major hack (Bleeping Computer)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
The CVE program gets a last-minute reprieve. A federal whistleblower alleges a security breach at the NLRB.
Texas votes to spin up their very own cyber command.
BreachForums suffers another takedown.
A watchdog group sues the federal government over SignalGate allegations.
The SEC chair reveals a 2016 hack.
ResolverRAT targets the healthcare and pharmaceutical sectors worldwide.
Microsoft warns of blue screen crashes following recent updates.
On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question
targeting the EC-Council Certified Ethical Hacker exam.
And 4chan gets Soyjacked.
It's Wednesday, April 16, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today on what is a busy news day.
We're glad to have you with us.
The CVE program, short for Common Vulnerabilities and Exposures, is a publicly available list
of known cybersecurity vulnerabilities.
Each vulnerability gets a unique ID that helps security professionals, software vendors,
and researchers talk about the same issue using the same name, kind of like a universal
language for bugs.
Managed by MITRE Corporation and funded by the U.S. government, the program plays a critical
role in threat intelligence, patch management, and security automation.
It's the backbone for many tools and databases, including the National Vulnerability Database,
and it helps defenders prioritize which issues to fix first.
Think of it as a Dewey Decimal system of cybersecurity flaws.
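The "same name for the same issue" point above is what makes CVE IDs useful as a key across tools. As an added illustration, not part of the episode and not the CVE program's own tooling, the Python below canonicalizes CVE IDs the way different scanners tend to emit them, rejects strings that are not CVE IDs, pulls IDs out of free text, and groups findings by canonical ID. The syntax it checks (CVE, a four-digit year, a sequence of four or more digits, no zero padding beyond four) is the published CVE ID format; the scanner records, hostnames and the IDs in them are constructed for illustration only and refer to no real finding.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence of four or more digits.
# Sequences longer than four digits are not zero-padded (padding is only used to
# reach the four-digit minimum, e.g. CVE-2023-0001).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def normalize_cve_id(raw: str) -> Optional[str]:
    """Return the canonical form of a CVE ID, or None if the string is not one.

    Tools emit 'cve-2024-12345', 'CVE 2024 12345' or 'CVE2024-12345' for the same
    issue; canonicalizing is what lets findings be compared by name.
    """
    s = raw.strip().upper()
    s = re.sub(r"[\s_]+", "-", s)         # spaces/underscores -> hyphen
    s = re.sub(r"^CVE(?!-)", "CVE-", s)   # 'CVE2024-...' -> 'CVE-2024-...'
    m = CVE_ID_RE.match(s)
    if not m:
        return None
    year, seq = m.groups()
    if len(seq) > 4 and seq[0] == "0":    # e.g. CVE-2024-012345 is not a valid ID
        return None
    return f"CVE-{year}-{seq}"


def find_cve_ids(text: str) -> List[str]:
    """Extract canonical CVE IDs from free text (advisory, ticket, log line), in order, deduplicated."""
    seen, found = set(), []
    for m in CVE_IN_TEXT_RE.finditer(text):
        cve = normalize_cve_id(m.group(0))
        if cve and cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found


# Constructed sample (illustrative IDs, not real findings): the same issue reported
# by two tools in different spellings, plus one record that is not a CVE ID at all.
SAMPLE_FINDINGS: List[Tuple[str, str, str]] = [
    ("scanner-a", "cve-2024-12345", "web-01"),
    ("scanner-b", "CVE 2024 12345", "web-01"),
    ("scanner-b", "CVE-2023-0001", "build-01"),
    ("scanner-a", "CVE2023-0001", "build-01"),
    ("scanner-b", "GHSA-xxxx-yyyy", "web-01"),
]


def merge_findings(findings):
    """Group (tool, raw_id, asset) records by canonical CVE ID.

    Returns (by_cve, rejected): by_cve maps each canonical ID to a sorted list of
    (tool, asset) pairs that reported it; rejected lists (tool, raw_id) records
    whose identifier was not a CVE ID.
    """
    by_cve: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    rejected: List[Tuple[str, str]] = []
    for tool, raw_id, asset in findings:
        cve = normalize_cve_id(raw_id)
        if cve is None:
            rejected.append((tool, raw_id))
        elif (tool, asset) not in by_cve[cve]:
            by_cve[cve].append((tool, asset))
    return {cve: sorted(pairs) for cve, pairs in by_cve.items()}, rejected


if __name__ == "__main__":
    grouped, bad = merge_findings(SAMPLE_FINDINGS)
    for cve, pairs in sorted(grouped.items()):
        print(cve, pairs)
    print("rejected:", bad)
```

The rejected list is worth keeping rather than silently dropping: a vendor-specific identifier such as a GHSA ID is not wrong, it just is not the shared name, and it needs a separate mapping step before it can be merged with CVE-keyed data.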
In a critical development for global cybersecurity, the U.S. Cybersecurity and Infrastructure Security Agency
has extended funding for the Common Vulnerabilities and Exposures Program, reportedly for 11 months, preventing an
imminent lapse in this essential service. The funding extension comes just hours
before the program's contract was set to expire. MITRE had warned that a break in
service could lead to significant disruptions, including the deterioration
of national vulnerability databases, challenges for tool vendors, and impediments
to incident response operations.
Amid these developments, a group of CVE board members announced the formation of the CVE
Foundation, a non-profit organization aimed at ensuring the long-term stability and independence
of the CVE program.
The Foundation seeks to mitigate the risks associated with reliance on a single government
sponsor by establishing a dedicated entity focused on maintaining the integrity and availability
of CVE data for defenders worldwide.
Concurrently, MITRE Corporation is facing significant organizational changes, announcing plans to lay off 442 employees
at its McLean, Virginia location by June 3.
These layoffs are attributed to the cancellation of contracts by the Department of Energy,
reflecting broader challenges to the federal contracting landscape.
The swift action by CISA to extend funding underscores the critical importance of the
CVE program in maintaining national and global cybersecurity infrastructure.
The establishment of the CVE Foundation represents a proactive step toward ensuring the program's
resilience and independence in the face of funding uncertainties. A federal cybersecurity specialist, Daniel Berulis, has filed a whistleblower complaint
alleging that the Department of Government Efficiency, DOGE, under President Trump, caused
a security breach at the National Labor Relations Board and may have illegally extracted sensitive
data.
In a sworn statement sent to Congress and a
federal whistleblower office, Berulis claimed DOGE staff disabled security
protocols like multi-factor authentication and internal alerts
shortly after arriving at NLRB in March. He reported detecting a data transfer of
over 10 gigabytes, including personal and confidential business information.
He also cited login attempts from foreign locations, including a Russian IP using DOGE-created
credentials.
Berulis, who holds a top-secret clearance, provided screenshots as evidence.
The White House stated DOGE was transparent in its activities.
Daniel Berulis appeared on CNN yesterday where he had this to say.
So I spent a lot of time in the private sector and you start to see these indicators of compromise sometimes
and they kind of raise red flags. And so when you start seeing those, you put together the puzzle
and more likely than not that's how you flush out a breach.
And I saw those same indicators in my agency and started raising the flag.
So in your complaint that you shared with Congress, you include this screenshot we're
going to show.
It shows a large spike in data leaving the National Labor Relations Board.
You say that's extremely unusual because data almost never directly leaves the databases.
How do you know what was being removed
and is it possible you saw something
that has a plausible explanation behind it?
I definitely would prefer that actually.
I've tried to prove the negatives multiple times.
It correlates directly with data
that was exiting the database at the same time.
There's a lot of corroborating evidence that points to it.
That was the first thing I tried to do, is just rule out every other solution before I went this route.
Again, that clip is courtesy of CNN. We'll have a link in the show notes.
The Trump administration has voiced its intentions to shift responsibilities from the federal government to the states. The Texas House has passed legislation to create a new state cybersecurity agency, the
Texas Cyber Command, aimed at defending against growing cyber threats.
Backed by $135 million over two years, the command would operate through the University
of Texas system based at UT San Antonio.
It will focus on cyber threat response, forensics,
and training while centralizing efforts previously handled by the Department of Information Resources.
Governor Abbott has called the bill an emergency priority amid rising cyber attacks on Texas
infrastructure.
BreachForums, the well-known hacker marketplace, was reportedly taken down, again, this time
by pro-Palestinian hacktivist group Dark Storm Team, which claimed responsibility for a DDoS
attack.
The takedown comes amid unverified rumors of the arrest of IntelBroker, a prominent
figure linked to past major cyber attacks. Though some speculate
an FBI seizure, no official signs support that claim. Dark Storm, known for targeting
NATO nations and Musk's ex-Twitter platform, promotes itself as a cybercrime-as-a-service
group with both political and commercial motives. Attorneys for watchdog group American Oversight
allege the US government deliberately
used encrypted disappearing Signal messages
to evade transparency laws during military operations
in Yemen, Wired reports.
They claim newly filed court documents
reveal inconsistent and inadequate efforts
by agencies like the
CIA to preserve these communications violating the Federal Records Act. The
controversy, dubbed SignalGate, involves high-level Trump-era officials including
Secretary of Defense Pete Hegseth and Vice President JD Vance. Although some
messages were partially recovered, most were likely deleted before preservation
efforts began.
The Justice Department argues there's no enforceable public right to challenge the
deletion of records.
American Oversight plans to expand its lawsuit, citing the broader systemic use of Signal
by national security officials as a threat to democratic accountability and record-keeping laws.
SEC Chairman John Clayton released a lengthy cybersecurity statement yesterday,
revealing that the agency was hacked in 2016.
Buried deep in the statement was the disclosure that attackers exploited a vulnerability
in the SEC's EDGAR system, which stores financial
records of public companies.
The breach may have enabled illicit stock trading and involved fake filings meant to
sway markets.
Clayton said no personal data was compromised, but noted other lapses, like unsecured emails
and missing laptops.
He pledged to boost cybersecurity efforts.
A new remote access Trojan called ResolverRAT
is targeting organizations worldwide,
especially in the healthcare and pharmaceutical sectors.
Discovered by Morphisec,
ResolverRAT is spreading through phishing emails
posing as legal or copyright violations
with language tailored
to the target's region.
The malware runs entirely in memory using .NET tricks to avoid detection.
It secures persistence via the registry and system folders and exfiltrates large files
in small chunks to blend in with normal traffic.
Resolver RAT has been seen in multiple languages, signaling global reach.
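Exfiltrating a large file in small pieces, as described above, is aimed at detectors that judge each flow on its own size. As an added example, not part of the episode and not tied to ResolverRAT's actual code or to any vendor's detection logic, the Python below runs a naive per-flow size check and a per-(source, destination) sliding-window aggregation over a constructed flow log, to show that only the aggregate view catches the chunked transfer. The record format, addresses, sizes and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

Flow = Tuple[datetime, str, str, int]  # (timestamp, src, dst, bytes_out)

# Thresholds are assumptions chosen for this example, not vendor guidance.
PER_FLOW_THRESHOLD = 1_000_000          # a single flow of 1 MB or more is flagged
WINDOW = timedelta(minutes=30)
MIN_FLOWS = 20                          # many small flows to one destination ...
MIN_TOTAL = 1_000_000                   # ... adding up to a large volume


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<iso-timestamp> <src> <dst> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def build_sample_flows() -> List[Flow]:
    """Constructed flow log (not real traffic): ordinary browsing, one transfer of
    ~1.9 MB split into 40 chunks, and one single large upload from another host."""
    base = datetime(2025, 4, 16, 10, 0, 0)
    lines = []
    for i in range(5):                  # ordinary traffic from 10.0.0.5 to a web host
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 198.51.100.7 {200_000 + i}")
    for i in range(40):                 # 40 chunks of ~48 KB, one every 30 s, same destination
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 {48_000 + i}")
    t = base + timedelta(minutes=7)     # one big upload from another host
    lines.append(f"{t.isoformat()} 10.0.0.9 198.51.100.7 2500000")
    return [parse_flow(line) for line in lines]


def per_flow_alerts(flows, threshold=PER_FLOW_THRESHOLD):
    """Naive detector: flag any single flow at or above the size threshold."""
    return [(src, dst, n) for _, src, dst, n in flows if n >= threshold]


def aggregate_alerts(flows, window=WINDOW, min_flows=MIN_FLOWS, min_total=MIN_TOTAL):
    """Sliding-window detector: for each (src, dst) pair, flag the first window in
    which at least min_flows flows carry at least min_total bytes in total."""
    by_pair = defaultdict(list)
    for ts, src, dst, n in flows:
        by_pair[(src, dst)].append((ts, n))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start, total = 0, 0
        for end, (ts, n) in enumerate(events):
            total += n
            while ts - events[start][0] > window:   # slide the window forward
                total -= events[start][1]
                start += 1
            count = end - start + 1
            if count >= min_flows and total >= min_total:
                alerts.append((src, dst, count, total))
                break                               # one alert per pair is enough here
    return sorted(alerts)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-flow:", per_flow_alerts(flows))       # only the single big upload
    print("aggregate:", aggregate_alerts(flows))     # the chunked transfer
```

The per-flow check sees only the 2.5 MB upload; the chunked transfer never exceeds 49 KB in any one flow and is invisible to it. The aggregate check fires on the 21st chunk, once the window holds about 1 MB to one destination. In practice the same aggregation would be keyed on whatever identity the environment has (process, user, destination domain) and tuned against a baseline, since routine sync and backup traffic can look similar.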
Microsoft has warned that recent Windows 11 updates may trigger a secure kernel error
blue screen crash on devices running version 24H2.
The issue stems from March and April updates.
Microsoft is addressing the bug using Known Issue Rollback,
which automatically reverts problematic updates on home and unmanaged business
PCs within 24 hours.
For enterprise systems, IT admins must manually deploy a group policy fix.
Microsoft also issued emergency updates this week for other Windows issues, including domain controller outages.
Coming up after the break on our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the EC-Council Certified
Ethical Hacker Exam, and 4chan gets Soyjacked.
Stick around.
your data at scale. Across IaaS, SaaS, and hybrid cloud environments, join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at Varonis.com.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit, but hard for defenders
to detect.
This poses risk in Active Directory, Entra ID and hybrid configurations.
Identity leaders are reducing such risks with attack path management.
You can learn how attack path management is connecting identity and security teams while
reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to SpecterOps.io today to learn more.
SpecterOps – see your attack paths the way adversaries do.
On today's CertByte segment, host Chris Hare is joined by Troy McMillan to break down
a question targeting the EC-Council Certified Ethical Hacker exam.
Today's question comes from N2K's EC-Council Certified Ethical Hacker Practice Test.
Hi, everyone.
It's Chris.
I'm a content developer and project management specialist here at N2K Networks.
Today's question targets the EC-Council Certified Ethical Hacker (CEH) Version 5 exam, which is
ID 312-50, which was updated on September 23rd of 2024.
This exam is targeted to cybersecurity professionals,
government and military professionals, and educators.
I've enlisted Troy as our new guest host today.
He's a specialist in all things Cisco, ISACA,
and EC-Council.
Welcome, Troy.
How are you today?
I'm doing great, Chris.
Thank you for having me.
Absolutely.
And before we get into it,
be sure to stick around after our question for
our special study bit for this test, as well as for the latest news on upcoming N2K practice
tests.
Okay, we're going to be turning the tables and Troy, you're going to be asking me today's
question.
Hit me.
Okay, Chris, here's your question.
It's multiple choice, but only one answer is correct. What kind of computer-based social engineering technique
attempts to redirect web traffic
to malicious versions of websites through DNS poisoning?
Your choices are A, pharming,
B, spear phishing,
C, whaling,
or D, spimming.
All right.
So before I answer, Troy, I understand this is under the network and perimeter hacking
objective and the sniffing sub-objective, correct?
That is correct.
Okay.
And as I have sparse familiarity with these terms, and I'm going to assume DNS poisoning
is something really bad, I'm going to go through them one by one.
So let's start with the terms I'm familiar with first.
So I know spear phishing means targeting a specific person within an organization,
so what you're describing does not sound like the correct scenario,
so I'm going to first rule that answer choice out.
The other term I'm familiar with is whaling, as this is akin to spear phishing,
but instead it targets higher-ups in an organization, as far as I'm aware. And again,
this does not reflect the question you're posing, so I'm going to strike that one out next.
As for pharming and spimming, I'm not familiar with these terms, so I'm going to leverage a tool used
in many industries, including cybersecurity,
called morphological analysis, which basically means I'm going to break down the terms to see
if I can root out their meaning and guess the correct answer. So first, pharming. This could be
a combination of phishing and farming. I mentioned spear phishing earlier, so I know phishing is a
broader level social engineering attack, and the farming part I
would think is data farming, so that could be the answer.
So let's put a pin in that one.
Spimming is a term I've not heard of either, and if we break it down, it could be a combination
of spamming and maybe messaging or text messaging.
So given that, I'm going to say that this is not the likely choice either.
So I'm ruling out spimming.
And by process of elimination, I declare the correct answer to be A, pharming.
Am I right?
Yes, Chris, you're correct.
So your technique worked there.
Pharming is the act of redirecting web traffic to malicious versions of websites.
And it can be done by modifying the host file
on an individual computer or attacking the DNS server
and poisoning its cache through some DNS poisoning techniques.
After that, when a user enters a valid domain name,
the DNS server will lead them to a different website than what they're
expecting, which will be a fraudulent version of that website. Then when the user logs into the
website, the attacker gains his credentials and now can perform any operation that requires those credentials.
Spear phishing is a form of phishing that is directed at specific targets in an organization.
So rather than a standard mass email phishing campaign,
spear phishing directly targets an organization
and usually specific individuals in that organization.
So they might get emails, phone calls, et cetera,
from someone claiming to be a trusted entity
that they're familiar with.
And due to the sense of familiarity,
they might fall victim to these attacks.
Whaling, as you mentioned, is a form of spear phishing
that targets important or powerful people in the organization,
what we might call the big fish, the whales, the CEO, the CFO, some high-ranking official.
You got close with sussing out the word origin of spimming, as it's a combination of spamming and
instant messaging, and is a kind of phishing that relies
on text messages or instant message applications as their main vector for attack. These might
also fall into other categories such as spear phishing or whaling campaigns that are directed
at individuals. So the attack may claim to be from your bank, the insurance company you
do business with, or it could
be the Microsoft support desk claiming you have a virus on your computer.
This will likely result in a request for you to call them, and now you've fallen into their
trap.
Hmm.
Now, this was a really good foundational question, and it makes me wonder what question types
are included in the CEH that candidates should prepare for.
Well, on the CEH exam, the good news is that all of the items are multiple choice.
Well, that is good news, and that's good to know. So Troy, apparently, according to the EC Council,
the certification is a career game changer for whoever takes it, as they state that 92% of employers prefer
CEH graduates for ethical hacking jobs, and one in every two professionals received promotions
after earning their CEH certification.
What impact have you seen from people having this cert?
Well, getting this cert can be somewhat of a game changer because it typically leads
to either a new job or promotion.
But I've seen a lot of folks get this certification and go into business for themselves
as a certified ethical hacker and hire themselves out to companies to perform
ethical hacking, which is sometimes also called a pen test as well.
So it does lead to better and new jobs.
It also leads to the potential for entrepreneurship.
Wow, that's really great insight.
All right, so now it's time to discuss the study bit for this test.
What do you have for us, Troy?
Well one of the tools that certified ethical hackers use
to learn information about a network before they attack it
is a command-based tool called NMAP.
It stands for Network Mapper.
You need to know all of those NMAP commands
and the switches.
You will see a number of items on which NMAP command
would do X.
So make sure that you're familiar with those.
Awesome tip.
Thanks so much for being here with me today, Troy.
Thank you for having me, Chris.
Of course.
And as we wrap up today's episode,
are there any upcoming practice tests
you'd like to promote here?
Yes, we just released the CompTIA Tech+ exam,
the AWS Certified AI Practitioner exam,
and the Azure AI Engineer Associate Practice Test. And we will also have more coming up for CompTIA,
Microsoft, and Oracle in the next month.
Awesome. Thanks so much, Troy. And thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have any questions about study tips or
even future certification questions you'd like to see, please feel free to email me
at certbyte at n2k.com.
That's C-E-R-T-B-Y-T-E at n number 2k.com.
If you'd like to learn more about N2K's practice tests, visit our website at n2k.com
forward slash certify.
For sources and citations for this question, please check out our show notes.
Happy certifying.
And of course, we'll have a link to N2K's EC Council Certified Ethical Hacker practice
test in our show notes.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into
their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And finally, 4chan, the online forum which
security researcher Kevin Beaumont smartly described as the
Internet's litter box, was
knocked offline after what appears to be a major breach.
The culprits are allegedly users from Soyjak.party, proudly taking credit for Operation Soyclipse,
a long-brewing plan allegedly executed by a hacker who claims to have lurked inside
4channel systems for over a year. Using the handle Chud, because of course, the group leaked screenshots of
admin panels, staff emails, and hinted at full access to the site's backend, including
IP tracking and board controls. Their weapon of choice was apparently 4chan's outdated PHP setup from 2016, which
might as well have been a digital welcome mat. To contain the fallout, 4chan's admins
pulled the plug, but not before pieces of the site's code showed up on Kiwi Farms.
As of now, the site's flickering online presence suggests damage control is still in progress.
4chan's been a digital cockroach for 20 years, but apparently even cockroaches can get stomped
if their firewall is made of chewing gum and nostalgia. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity,
or cloud computing, Vanguard offers a dynamic and collaborative environment
where your ideas drive change. With career growth opportunities and a focus
on work-life balance, you'll have the flexibility to thrive both professionally
and personally. Explore open cybersecurity and technology roles today at VanguardJobs.com
