CyberWire Daily - Deadlines in the cloud.

Episode Date: August 11, 2025

CISA issues an Emergency Directive to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. SoupDealer malware proves highly evasive. Google patches a Gemini calendar flaw. A North Korean espionage group pivots to financial crime. Russia's RomCom exploits a WinRAR zero-day. Researchers turn Linux-based webcams into persistent threats. The Franklin Project enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities. DoD announces the winner of DARPA's two-year AI Cyber Challenge. The U.S. extradites Ghanaian nationals for their roles in a massive fraud ring. Our guest is Steve Deitz, President of MANTECH's Federal Civilian Sector, with a look at cell-based Security Operations Centers (SOC). AI advice turns dinner into a medical mystery.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices, we are joined by Steve Deitz, President of MANTECH's Federal Civilian Sector, discussing the cell-based Security Operations Center (SOC) approach. Check out the full conversation from Steve here.

Selected Reading
- Understanding and Mitigating CVE-2025-53786: A Critical Microsoft Exchange Vulnerability (The DefendOps Diaries)
- CISA Issues Urgent Advisory to Address Microsoft Exchange Flaw (GB Hackers)
- SoupDealer Malware Evades Sandboxes, AVs, and EDR/XDR in Real-World Attacks (GB Hackers)
- Google Calendar invites let researchers hijack Gemini to leak user data (Bleeping Computer)
- North Korean Group ScarCruft Expands From Spying to Ransomware Attacks (Hackread)
- Russian Hackers Exploited WinRAR Zero-Day in Attacks on Europe, Canada (SecurityWeek)
- BadCam: New BadUSB Attack Turns Linux Webcams Into Persistent Threats (SecurityWeek)
- DEF CON hackers plug security holes in US water systems (The Register)
- DARPA announces $4 million winner of AI code review competition at DEF CON (The Record)
- 'Chairmen' of $100 million scam operation extradited to US (Bleeping Computer)
- Guy Gives Himself 19th Century Psychiatric Illness After Consulting With ChatGPT (404 Media)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Get to Toronto's main venues like Budweiser Stage and the new Rogers Stadium with GO Transit. Thanks to GO Transit's special online e-ticket fares, a $10 one-day weekend pass offers unlimited travel on any weekend day or holiday anywhere along the GO Network. And the weekday group passes offer the same weekday travel flexibility across the network, starting at $30 for two people and up to $60 for a group of five. Buy your online GO pass ahead of the show at go-transit.com slash tickets. CISA issues an emergency directive to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. SoupDealer malware proves highly evasive.
Starting point is 00:00:58 Google patches a Gemini calendar flaw. A North Korean espionage group pivots to financial crime. Russia's RomCom exploits a WinRAR zero-day. Researchers turn Linux-based webcams into persistent threats. The Franklin Project enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities. The DOD announces the winners of DARPA's two-year AI Cyber Challenge. The U.S. extradites Ghanaian nationals for their roles in a massive fraud ring. Our guest is Steve Deitz, president of ManTech's federal civilian sector, with a look at cell-based security operations centers. And AI advice turns dinner into a medical mystery. It's Monday, August 11, 2025. I'm Dave Bittner, and this is your
Starting point is 00:01:54 CyberWire Intel briefing. Thanks for joining us here today. It's great to have you with us. On August 7th, CISA issued an emergency directive requiring federal agencies to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. The flaw allows attackers with existing admin access to on-premises Exchange servers to escalate into Microsoft 365 cloud environments. Agencies must act by August 11th, that's today, including assessing servers with Microsoft's
Starting point is 00:02:43 HealthChecker script, disconnecting unsupported systems, and updating Exchange 2019 or Exchange 2016. They must apply the April 2025 hotfix, transition from legacy shared service principals to dedicated hybrid applications in Entra ID, and clean credentials. Agencies must also prepare for Microsoft Graph API adoption as EWS deprecation begins in October. Compliance reports are due to CISA today, and the directive remains active until all security measures are verified. SoupDealer is a highly evasive malware that bypasses most public sandboxes, antivirus tools, and EDR or XDR systems, while targeting Windows systems in Turkey via a geo-specific phishing
Starting point is 00:03:35 campaign. Distributed through malicious JAR files, it uses a three-stage loader with heavy obfuscation, AES and RC4 encryption, and Tor-based command and control to hide its activity. The malware checks language and location settings to ensure it only runs in Turkey, then exfiltrates data, grants remote access, and spreads via victims' email accounts. Capable of privilege escalation, antivirus evasion, file management, screenshot capture, DDoS attacks, and worm-like propagation, SoupDealer underscores the weakness of cloud sandboxes.
Starting point is 00:04:14 Researchers stress the need for on-premises, local dynamic analysis to protect critical infrastructure against such advanced, region-targeted threats. Google has patched a flaw in Gemini, its AI assistant integrated into Android, Workspace, and Google web services, that allowed malicious Google Calendar invites to trigger remote takeover and data theft. The attack used prompt injection hidden in event titles, which Gemini read when summarizing a user's schedule. This gave attackers access to Gmail, Calendar, Google Home, and device controls, enabling actions like wiping events, extracting emails, tracking location, controlling smart devices, and even joining Zoom calls. The exploit required no special model access, bypassed prompt filtering, and could be staged
Starting point is 00:05:07 with up to six invites to stay hidden. Discovered by SafeBreach researchers, the bug was fixed before exploitation. Google credited responsible disclosure for accelerating new defenses against such adversarial AI attacks. North Korean hacking group ScarCruft, known for espionage, is now deploying VCD ransomware in attacks targeting South Korea, marking a shift toward financial motives. In July, its ChinopuNK subgroup used phishing emails disguised as postal code updates to deliver over nine types of malware,
Starting point is 00:05:46 including Chillychino variants, data stealers, and the NubSpy backdoor, which hides traffic via PubNub. The campaign combined spying tools with ransomware, reflecting a growing trend of nation-state actors blending espionage and cybercrime to generate revenue under economic sanctions. Russian threat group RomCom, also known as Storm-0978, exploited a WinRAR zero-day in cyber espionage attacks
Starting point is 00:06:17 on organizations in Europe and Canada. The path traversal flaw, involving alternate data streams, let attackers craft archives that extract files to attacker-defined locations. Discovered by ESET, the bug was patched on July 30th, with a beta fix released July 25th. First seen July 18th, the campaign used spear-phishing emails with malicious archives
Starting point is 00:06:42 posing as resumes, targeting financial, defense, manufacturing, and logistics firms. No compromises occurred, but intended payloads included SnipBot, RustyClaw, and Mythic agent backdoors. Researchers at Eclypsium have demonstrated how Linux-based webcams can be turned into persistent threats using a technique dubbed BadCam, a variant of the well-known BadUSB attack. Tested on Lenovo 510 FHD and Lenovo Performance FHD web cameras, the method exploits a missing firmware signature validation flaw to reflash the webcam's firmware. Unlike traditional BadUSB, BadCam doesn't require physical access. Attackers with remote code execution on a host can weaponize an attached webcam to
Starting point is 00:07:35 reinfect the system even after a full OS reinstall. The flaw can be paired with a Linux kernel vulnerability for host compromise. Lenovo patched the issue in a recent firmware update. Eclypsium warns other Linux-based cameras and USB peripherals may also be at risk. The Franklin Project, launched at DEF CON 2023, enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities, especially small, resource-strapped ones. Founded by Jake Braun, the initiative drew overwhelming interest, with 350 volunteers aiding five utilities in Indiana, Oregon, Utah, and Vermont at no cost.
Starting point is 00:08:20 Tasks included changing default passwords, enabling MFA, asset inventories, OT assessments, and network mapping. Volunteers also educate utilities on nation-state threats, noting incidents like China's Volt Typhoon breaching small systems tied to critical infrastructure. With 50,000 U.S. water utilities and rising attacks from China and Iran, the project is rapidly scaling with partners like Dragos and funding from Craig Newmark Philanthropies to deploy free cybersecurity tools nationwide. In many cases, it's the only protection these utilities have.
Starting point is 00:09:00 Last week at DEF CON, the U.S. Defense Department announced Team Atlanta, a collaboration between Georgia Tech, Samsung Research, KAIST, and POSTECH, as the winners of DARPA's two-year AI Cyber Challenge. The competition tasked dozens of teams with building AI systems to automatically detect and patch vulnerabilities in massive codebases, with finalists working on 54 million lines of synthetic code. Team Atlanta earned $4 million for excelling at finding and fixing bugs, blending traditional threat hunting tools with AI.
Starting point is 00:09:37 Trail of Bits and Theori placed second and third. Overall, competitors patched 77% of synthetic vulnerabilities, a significant improvement from last year's 37%. DARPA will release most winning tools publicly, with HHS aiming to use them to protect health care systems from ransomware. Officials believe these AI-powered methods could transform vulnerability management across critical infrastructure. Three Ghanaian nationals have been extradited to the U.S. and charged for their role in a massive fraud ring that stole over $100 million through romance scams and business email compromise attacks from 2016 through May of 2023. Operating as high-ranking members of a Ghana-based network, they targeted vulnerable older Americans and U.S. businesses, laundering stolen funds through stateside middlemen.
Starting point is 00:10:37 Romance scams involved posing as romantic partners to solicit money, while BEC schemes spoofed company emails to authorize fraudulent wire transfers. Two of the men allegedly acted as chairmen overseeing operations. Charges include conspiracy to commit wire fraud, money laundering, and receiving stolen money, with potential sentences of up to 20 years per major count. Coming up after the break, in my conversation with Steve Deitz, president of ManTech's federal civilian sector, we're taking a look at cell-based security operations centers. And AI advice turns dinner into a medical mystery.
Starting point is 00:11:27 Stay with us. co-host of the Caveat podcast. Each Thursday, we sit down and talk about the biggest legal and policy developments affecting technology that are shaping our world. Whether it be sitting down with experts or government officials or breaking down the latest political developments,
Starting point is 00:11:52 we talk about the stories that will have tangible impacts on businesses and people around the world. If you are looking to stay informed on what is happening and how it can impact you, make sure to listen to the Caveat podcast. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:12:25 If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta
Starting point is 00:13:13 are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber. Hey, so what did you want to talk about? Well, I want to tell you about Wegovy.
Starting point is 00:13:55 Wegovy? Yeah, Wegovy. What about it? On second thought, I might not be the right person to tell you. Oh, you're not? No, just ask your doctor about Wegovy. Yeah.
Starting point is 00:14:06 Ask for it by name. Okay. So why did you bring me to the circus? Oh, I'm really into lion tamers. You know, with the chair and everything? Ask your doctor for Wegovy by name. Visit wegovy.ca for savings. Exclusions may apply.
Starting point is 00:14:27 Steve Deitz is president of ManTech's federal civilian sector, and in today's sponsored industry insight section, we take a look at cell-based security operations centers. The cyber landscape is rapidly evolving these days. And most federal government agencies are requiring more scalable, resilient, and secure digital environments that can support mission delivery and withstand persistent cyber threats. You know, SOCs are one of those things that are necessary in the government.
Starting point is 00:15:02 They are the front line to defending against cyber threats and a really key part of national security. And so in ManTech, we're always looking to advance and innovate and invest in new approaches in cybersecurity because at our core as a company, and the people, the patriots that support us within ManTech, we are committed to securing our nation and securing the future. alluded to it, we're going to be talking about our security operations center and how we operate in this model. And the expertise in cybersecurity that we have is fundamentally driving some really good outcomes for our federal clients and their missions. Well, before we get to the details of
Starting point is 00:15:53 this notion of cell-based SOCs, can you explain for us, what are some of the challenges for the folks who are running the SOCs, who are working in the SOCs? What are the day-to-day pain points for them? Basically, a SOC is an operation center, so they are monitoring the network activity, and the data is enormous. The data that they have to analyze real-time, decide what is a threat, what is not a threat, what is a false positive, it's managing that vast amount of data that these SOC folks, that we'll get into a little bit later,
Starting point is 00:16:34 these SOC folks have to deal with every day. And missing one could mean, you know, the impact of finding a threat, finding somebody in a network, giving them, you know, a day in the network versus giving them an hour in the network. It's very key that these SOC analysts are on their toes in identifying these threats as quickly as possible so that they can isolate them, sometimes study them to find out how they got in
Starting point is 00:17:07 and what we can do to better prevent those types of activities. Is it fair to say it's a combination of a high-pressure situation, potentially, but also a lot of signal-to-noise issues with, as you say, that kind of fire hose of data that constantly comes in? It absolutely is. And a lot of that kind of turning down the fire hose is really figuring out those tools to identify the data. Every environment's different. Every situation is different.
Starting point is 00:17:38 And finding those right tools to make sure that that information is being called out appropriately. So you and your colleagues at ManTech have taken a look at this and come up with some ways that you believe you can improve the operations of a Security Operations Center. What can you share with us? So the traditional SOC is set up, as you might expect; it comprises a tiered system. So Tier 1, Tier 2, Tier 3. Tier 1 is typically made up of junior employees, those front lines that are taking the tickets, monitoring the activity, escalating issues to Tier 2. That second tier typically would have a few more years of experience and are mainly focused on incident response. And then Tier 3 is made up of mostly those very experienced and advanced cyber professionals. There are a few issues with this setup that we have identified,
Starting point is 00:18:41 specifically the significant delays in handoff between tiers. So wait for Tier 2 to pick it up. Next, the least experienced people are making critical decisions. So that front line Tier 1 analyst is making some very critical decisions. Also, because of that handoff delay, there are typically case backlogs, so not processing things as quickly. And then obviously, in most high-stress, high-tempo jobs, there's high turnover. ManTech's approach to this is what we call cell-based SOCs. And what it does is it functionally aligns Tier 1, 2, and 3
Starting point is 00:19:26 into what we call a cell together so that they can work cohesively and more efficiently and effectively on those issues. Each cell is responsible for delivering an outcome of measurable value rather than simply a piece of that outcome. What this looks like practically is a single detection cell responsible for real-time responses. This team is responsible for seeing the tickets through the entire life cycle to resolution, instead of handing it off as is typically done, as we talked about in the tiered system. This cell-based model creates a more efficient workflow, increases situational awareness, enhances learning and career development for those SOC analysts, and ultimately minimizes resolution times, which is critical in a SOC,
Starting point is 00:20:24 ultimately helping agencies become more secure. Well, help me understand here. So let's say that I have experience in a traditional SOC and our group decides that we're going to adopt this cell-based approach here. What's going to change for me and my team? So operationally, first of all, we have a whole process that we go through because this is almost a cultural change within a SOC. It is not an overnight flip-the-switch, ah, you're magically in a cell-based SOC. We have a
Starting point is 00:21:00 process of retraining people, of setting expectations, of organizing, finding the talent, and also evaluating the tools within the SOC and making sure that we have the tools aligned appropriately with the various cells that we set up. And this really creates a more value-add job for the employees in the SOC because they aren't just surrounded by Tier 1 people. They're now surrounded by Tier 2 and Tier 3 people, and actually training and learning becomes even quicker to get to those next levels. So is it a situation where, for example, if I'm a Tier 1 person and I think that something requires the attention of the Tier 2 and Tier 3 people, in a normal SOC, I would flag that,
Starting point is 00:21:52 it would go on its way, and I might never see it again. That's correct. And in this case, you're saying that I would have more of a view of that through its entire life cycle? That's right. That's right. The whole cell would have a view through its entire life cycle. I see.
Starting point is 00:22:05 Is there any particular scaling of the cells themselves that you all have so far found to be effective, like how many people in a group seems to work, or does that vary with every organization? It varies with the types of cells we set up in every organization. Yeah, depending on the environments. What are the outcomes here? You've experimented with this and you've decided that you're getting good results. What do those good results look like? So first and foremost, the model is designed to unlock, as we've talked about, the full potential of our human capital
Starting point is 00:22:39 and empower and align our people to the outcomes that we want them to see and enable them to unleash their ingenuity. The cell-based model itself is much... more radically, was radically more efficient than the traditional tiered model. We've proven this over and over again. I mean, we've been running cell-based SOCs for eight to ten years now in various customer agencies. So we have hard data to show that this is the right way to run a SOC. This is the next generation of SOC operations. We've driven costs down for our customers for running a SOC, and we've improved the actual
Starting point is 00:23:24 security outcomes, minimizing false positives. And, you know, in the age of serious budget pressures, it's simply not sustainable to continue to throw more and more people at the Tier 1, Tier 2, at the problem. You know, instead, we're helping our employees move up the value chain by providing focus, empowerment, and accountability. The cell-based SOC is transformational for federal agencies. We've seen this over and over. In an example of how ManTech is always advancing our clients' mission by increasing our nation's security posture with models like this cell-based SOC,
Starting point is 00:24:14 ManTech's providing more efficient, reliable federal cybersecurity and enabling federal employees to focus on their core mission, maximizing the business value, and lowering long-term operational costs. Can you explain for us what the transition looks like if we're running a traditional SOC and we decide this is what we want to adopt? What are we in for to make this switch over? Again, it varies. I'm going to say that again. Sure, fair enough. Depending on the environment.
Starting point is 00:24:48 Right. But it would typically begin with us taking over the SOC as is. And then it would be an assessment period where we would send our cell-based SOC SMEs into the environment, working with the government folks and working with our team to understand how the SOC works and what types of things they are looking for in that environment. Then we would provide some recommendations, a ton of training to the staff, likely a reorganization of how the SOC is structured, and then we'd implement.
Starting point is 00:25:36 And, you know, that process could take, you know, a month, could take six months, depending on how complex the environment is. Steve, we know how much everybody loves change. What about the employees themselves? I mean, how do you shepherd them through the process so that they're not afraid, you know, because ultimately we want them to see that it's going to be a good outcome, but those transitional periods can be hard. Exactly. So we have stories to tell them. And also, once we tell them these stories of how we've
Starting point is 00:26:12 implemented this and done this very effectively, and actually we can bring in people that have done this to talk to the employees. And once we get through that initial, oh, my gosh, we've got a big change coming, they start to see the real value. And not only the real value to the mission that they're supporting, but the real value to them, because we do focus on, as I mentioned, developing that whole employee and getting them up the value chain so that they become more valuable. That's Steve Deitz, president of ManTech's federal civilian sector. And finally, in a medical misadventure, equal parts tragic and absurd,
Starting point is 00:27:15 a 60-year-old man landed in the ER with hallucinations, convinced his neighbor was poisoning him. The culprit was himself, courtesy of dietary advice he'd half understood from ChatGPT. Determined to eliminate chloride from his diet, he swapped table salt for sodium bromide, a fine choice if you're an epileptic dog or a swimming pool, but less so for humans. Three months later, he had full-blown bromism, a disorder so vintage it peaked in the 1800s. The AI had technically suggested bromide as a replacement, but failed to say, don't eat this. The man recovered after three hospital-bound weeks, and OpenAI now promises safe completions to prevent such culinary chemistry experiences from ending in 19th century diseases.
Starting point is 00:28:29 And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Starting point is 00:28:47 We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
Starting point is 00:29:03 We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
