CyberWire Daily - DOGE-eat-DOGE world.
Episode Date: February 7, 2025

Security concerns grow over DOGE’s use of AI. The British government demands access to encrypted iCloud accounts. Researchers identify critical vulnerabilities in the DeepSeek iOS app. Microsoft Edge uses AI to block scareware. A phishing campaign targets Facebook users with fake copyright infringement notices. Researchers discover malicious machine learning models on Hugging Face. A major data broker faces yet-another data breach lawsuit. CISA warns of a critical Microsoft Outlook vulnerability under active exploitation. Guest John Anthony Smith, Founder and Chief Security Officer at Fenix24, shares insights into why backups are the most important security control. The UK’s cyber weather report says expect light phishing with a chance of ransomware.

CyberWire Guest
Today on our Industry Voices segment, guest John Anthony Smith, Founder and Chief Security Officer at Fenix24, shares insights into why backups are the most important security control. For additional details, please visit this resource: The Reality of Resilience, Recovery, and Repeat Cyberattacks (Infographic)

Selected Reading
Elon Musk’s DOGE feeds AI sensitive federal data to target cuts (The Washington Post)
Will DOGE Access to CMS Data Lead to HIPAA Breaches? (GovInfo Security)
Federal judge tightens DOGE leash over critical Treasury payment system access (The Register)
UK reportedly demands secret ‘back door’ to Apple users’ iCloud accounts (The Record)
NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App (NowSecure)
Microsoft Edge update adds AI-powered Scareware Blocker (Bleeping Computer)
New Facebook Fake Copyright Notices Phishing Steals Your FB Credentials (Cyber Security News)
Developers Beware! Malicious ML Models Detected on Hugging Face Platform (Cyber Security News)
Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker (The Register)
Critical Microsoft Outlook Vulnerability (CVE-2024-21413) Actively Exploited in Attacks - CISA Warns (CISA)
UK cyberattack severity to be scored by world-first group (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to
get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Security concerns grow over DOGE's use of AI.
The British government demands access to encrypted iCloud accounts.
Researchers identify critical vulnerabilities in the DeepSeek iOS app.
Microsoft Edge uses AI to block scareware,
a phishing campaign targets Facebook users with fake copyright infringement notices,
researchers discover malicious machine learning models on Hugging Face,
a major data broker faces yet another data breach lawsuit,
CISA warns of a critical Microsoft Outlook vulnerability under active exploitation.
Our guest is John Anthony Smith, founder and chief security officer at Fenix24, sharing
his insights into why backups could be your most important security control.
And the UK's Cyber Weather Report says expect light phishing with a chance of ransomware.
It's Friday, February 7th, 2025. I'm Dave Bittner and this is your
CyberWire Intel Briefing. Happy Friday and thanks for joining us here today.
It is great to have you with us.
Elon Musk's Department of Government Efficiency, DOGE, has been using AI software to analyze
financial data at the U.S. Education Department, including
personally identifiable information related to grants and internal financial records.
The team, which includes former Musk employees, is leveraging Microsoft's Azure cloud services
to scrutinize every dollar spent by the government with the goal of significantly cutting costs
and potentially eliminating
the department altogether, the Washington Post reports.
DOGE's actions align with the Trump administration's broader agenda to shrink federal agencies.
The group plans to extend its AI-driven auditing across multiple government departments, including
the Department of Health and Human Services, the Treasury, and the Centers for Disease Control and Prevention, seeking to
optimize government spending. Their access to Medicare and Medicaid payment
systems has raised concerns about potential privacy violations and data
breaches. Critics warn that DOGE's approach lacks oversight and could lead
to security risks,
particularly as AI systems are prone to errors and may expose sensitive data.
The rapid implementation of DOGE's strategies has already led to significant workforce reductions,
including placing 100 Education Department employees on administrative leave
based on their participation in diversity training.
In response to growing concerns, a federal judge temporarily restricted DOGE's access to Treasury
payment systems after advocacy groups filed a lawsuit. While Musk's team claims they're
rooting out inefficiencies and fraud, privacy experts worry about the unchecked power DOGE has gained, the potential
for misuse of personal data, and the broader implications of AI-driven government restructuring.
The British government has reportedly issued a secret legal demand to Apple requiring access
to encrypted iCloud accounts under the Investigatory Powers Act technical
capability notice, according to the Washington Post.
While reporting on the existence of a TCN is legal, disclosing its details is prohibited.
The demand could create a backdoor for authorities to access global iCloud data, though officials
claim it only ensures compliance
with legal warrants.
Apple introduced optional end-to-end encryption for iCloud in 2022, despite law enforcement
concerns about crime prevention.
Similar encryption debates continue, with UK officials criticizing Meta's end-to-end
encrypted messaging. Tech companies argue alternative security measures suffice,
while law enforcement insists metadata alone is insufficient
for serious investigations.
Neither Apple nor the UK government has commented on the report.
Research from security firm NowSecure has identified
critical vulnerabilities in the DeepSeek iOS
app, urging enterprises and governments to ban its use due to severe privacy and security
risks.
Since its rise to the top of the App Store on January 25, DeepSeek has been downloaded
on millions of devices, including those used by government employees, prompting swift bans
from multiple agencies and the U.S. military.
Key risks include unencrypted data transmission, weak encryption,
insecure data storage, extensive data collection,
and data transmission to China under PRC laws.
These issues pose significant threats, including surveillance,
data breaches, and compliance
violations. NowSecure recommends organizations immediately remove DeepSeek, seek secure AI
alternatives, and continuously monitor mobile applications for emerging risks.
The latest version of Microsoft Edge is rolling out globally with key improvements, including
an AI-powered Scareware blocker and a revamped Downloads UI.
The Scareware blocker, now available in Edge's settings, detects tech support scams in real
time using computer vision without sending data to the cloud.
Unlike Defender SmartScreen, it analyzes web page content to block scams more effectively.
A phishing campaign is targeting Facebook users with fake copyright infringement notices
aiming to steal login credentials. The scam, sent to over 12,000 email addresses, primarily
affects enterprises in the EU, US, and Australia.
Attackers use Salesforce's email service to make phishing emails appear legitimate.
The emails, claiming violations under the DMCA, reference major companies like Universal
Music Group and create urgency by threatening account restrictions.
Victims clicking the Appeal link are directed to a fake Facebook support page designed to capture their credentials.
Attackers can then hijack accounts, alter content, and manipulate messaging, posing risks for businesses relying on Facebook.
Researchers at ReversingLabs have discovered malicious machine learning models on Hugging Face,
exploiting vulnerabilities
in Python's pickle serialization format.
These models contain embedded payloads
capable of executing arbitrary code,
posing serious security risks.
Pickle is widely used in ML,
but allows attackers to embed harmful commands
within seemingly legitimate models.
The researchers identified two PyTorch-based malicious models, dubbed NullifAI, that bypassed
Hugging Face's security tools by executing payloads early in the pickle stream.
The incident highlights the risks of collaborative AI platforms, where productivity often outweighs
security. Hugging Face is enhancing its protections, but developers should remain cautious, avoid
unverified models, and consider safer serialization alternatives.
Security experts recommend monitoring for suspicious activity linked to pickle vulnerabilities
to prevent potential cyber threats.
Gravy Analytics is facing yet another lawsuit over a massive data breach that allegedly
exposed 17 terabytes of personal data, including the precise locations of millions of smartphones.
This is the fourth lawsuit since January, following claims that hackers stole sensitive
data from the company's AWS S3 storage buckets
and posted evidence on a cybercrime forum.
The stolen data reportedly includes geo-coordinates collected from popular apps like Tinder, Grindr, Candy Crush,
MyFitnessPal, and VPN services affecting users in the US, Europe, and Russia. Gravy, now part of Unacast, has already been banned by the FTC from selling sensitive location data.
The lawsuit alleges negligence, breach of contract, and unfair competition.
While Gravy denies direct collection of location data,
critics argue the company failed to secure its licensed datasets, leading to serious privacy risks.
CISA has issued an urgent warning about active exploitation of a critical Microsoft Outlook vulnerability.
Dubbed MonikerLink, this remote code execution flaw allows attackers to bypass Office Protected View,
making malicious Office files open in editing mode instead
of read-only. The vulnerability affects multiple Microsoft Office products and can be exploited
via zero-click attacks, leading to NTLM credential theft, remote code execution, and full system
compromise. CISA has added this flaw to its known exploited vulnerabilities catalog
requiring federal agencies to patch by February 27th.
Coming up after the break, John Anthony Smith from Fenix24 shares insights into why backups
could be your most important
security control, and the UK's Cyber Weather Report says expect light phishing with a chance
of ransomware.
Stay with us.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit threatlocker.com today to see how a default deny approach can keep your company
safe and compliant.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off.
John Anthony Smith is founder and chief security officer at Fenix24.
In today's sponsored industry voices segment,
we discuss why backups are your most important security control.
Well, what's top of mind for me is I believe that what we've seen in the past will actually
continue into this current year and it will only get worse. What we see threat actors commonly doing is having an increasing willingness to not
only target backups, but also target production systems, both for mass encryption and mass
deletion. And so I believe that what's going to dominate 2025 is frankly more of the same, but in
an amplified fashion. What we also see is threat actors are now commonly willing
to even target what I would say more sensitive industries
like nonprofits and healthcare organizations,
organizations providing very critical
life saving infrastructure.
I believe that we will continue to see
a heightened willingness of threat actor groups
to even target these industries with destructive acts.
Can we do a little level setting together here?
I mean, when it comes to cyber resiliency
and recovery strategies,
what is the current state of things?
What is considered sort of the baseline standard
that people should achieve?
Yeah, that's an interesting question actually.
In working breaches, which is what Fenix24 does,
we help organizations recover
from their worst day in their career.
What we see is that most companies,
while they commonly do believe
that their backup and recovery mechanisms
will hold in the event of threat actor destructive acts, they commonly do not.
Matter of fact, depending on when we look at our recovery sample of clients, 80 to 92
percent of the time, the recovery capabilities that organizations believe will allow them
to timely recover simply do not survive.
And so what I believe will continue to dominate,
what we'll continue to see bluntly is that organizations
simply aren't orchestrating their backups in a
survivable fashion, despite what they believe to be true.
Not only that, not only are backups not commonly survivable, they're also, when they do survive,
they commonly cannot provide a timely recovery.
This is for a variety of reasons.
Obviously, recovery from a mass destruction or mass encryption event is complex, but things
like DR mechanisms, business continuity, disaster recovery
systems, things that organizations depend on for our act of God type recoveries, commonly
or believe that these things will work in the event of a mass destruction event.
But this simply isn't true.
Most of these systems, these secondary environments, these replicated systems, they too get destroyed
by threat actor behaviors. And so
survival and timely recoverability, I believe, are essential and what we see is most orgs simply aren't prepared.
That gap that you described really fascinates me. Can you help me understand that? I mean, to me, it's not like people are trying
to fool themselves when it comes to their backup strategies.
I mean, they believe that the things that they've done
are going to be effective,
and yet the data doesn't reflect that.
That's correct.
And the reason why it really boils down
to what we call breach context.
The fact of the matter is most of the technical details of breach
largely get locked up. They do not get publicly disclosed. And so defenders, in essence,
are making guesses about how to orchestrate bluntly their most important security control, which
is their backups in our opinion.
Therefore they don't commonly orchestrate these things aligned to the realities of breach.
Breach context to us are what are threat actors able and willing to do?
And unfortunately this data is not commonly made public, and therefore, most defenders, most organizations,
are not orchestrating their backups in a survivable manner,
because bluntly, they don't have the data to do so.
Nor do the manufacturers that actually
make the underlying backup tooling
that the organizations have come to depend on.
Actually, you can follow some of the most prominent backup
tooling providers' direct
guidance on how to orchestrate immutable backups, and it will be wrong from a breach context
perspective.
Threat actors will still commonly be able to delete organizations' ability to recover,
even when aligned to the best practices of the vendor.
Are there any high-profile incidents that folks would know about where there's some
take home lessons that you can share from them, things that folks in your line of work
had some good takeaways from?
Yeah.
I mean, so there are many high profile breaches, some of which have had some of their technical
details disclosed.
I would say key takeaways are, and obviously is what we started the conversation on, is
that most orgs simply are not orchestrating their recovery capabilities well.
And so what I would say is number one key takeaway is, is that you should be absolutely confident, assured, if you will,
that your recovery capabilities will hold in the event of modern threat actor behaviors.
And so you cannot and should not be depending upon your backup tooling manufacturer's guidance
solely in this regard because they will steer you incorrectly.
You need experts in recovery to advise on the survivability
of your backup and recovery facility, period.
So that's learning number one.
Learning number two is that the organization
should be ready for mass recovery and they
should be rigorously testing it.
So not only should you have a survivable capability facility that you're confident in, you should
also have confidence in your rehydration time.
Essentially, you should know how long it's going to take your org to get your tier zero and tier one
data rehydrated and you should have absolute confidence in that technical rehydration time
through rigorous and regular testing.
And I will say in practice, literally no one is doing this.
At least that's what we see in our assessments.
That was going to be my next question.
It seems to me like that is the easiest can in the world to kick down the road.
Yes.
And essentially, it's funny actually, Dave, many orgs are very focused on their act of
God protection, right?
Fire, flood, earthquake.
But in many cases, you know, again, it probably depends on where you are on the planet, but in many cases that's your lowest risk, right? It is highly more likely
that a threat group will gain initial access into some point of entry into your org, attempt lateral movement,
and therefore then attempt some form of destruction. That is a much more likely risk, yet largely no one is prepared for it.
What's your advice in terms of kind of steering folks toward particular technologies or solutions
when we're talking about best bang for their buck, you know, being most effective in achieving
these optimal outcomes?
Yeah, that's a great question.
And so this is not product decisioning.
I commonly say that it's a three-part orchestration problem and a one-part product decision problem.
Orchestration, in other words, how you orchestrate your tools, how you configure your tools, the processes you wrapped around them,
the testing you do with rigor,
those things are what is leading to destruction.
And here's the fundamental problem,
which is why our company has been so successful.
If you're going to do this with absolute assurance
that your backup facility, your recovery facility will hold.
You need breach context.
You need someone who can technically guide you on the orchestration of those controls
such that they can and will survive and provide a timely recovery with confidence.
So you need a partner. Most orgs simply do not have the data, have no path to the data,
and therefore cannot ever achieve success in this regard without a partner.
And that's really where our organization comes in for many, many companies in the world is,
and which is why we've had so much success,
is because we work breach.
We have breach context,
therefore we know how to orchestrate recovery
in a survivable and timely recoverable fashion.
You mentioned earlier that the bad guys
are broadening their scope of the folks that they go after here.
I'm curious what you're tracking in terms of the threat landscape, cyber resiliency, when it comes to different industries.
To what degree are there haves and have-nots out there?
Generally speaking, from what we see both from recovery and from assessment, because
we do assess organizations against breach context, it seems to be consistently true
across all industries that they are not prepared for mass recovery.
I don't know that there's any delineation, if you will, between industries that are less
prepared versus more prepared. It seems to be all industries, all scales, all revenue
sizes. Largely, every industry is getting this wrong. I wish I could name one that's going to have positive outcomes from the recovery capability.
I believe in my career I have only assessed one organization to date out of hundreds that
I would argue will have a survivable backup or does have a survivable backup facility and therefore will likely have
a survivable recovery, only one. Most organizations who have some form of a survivable backup,
it's got some significant risks imposed upon it because the orchestration that surrounds the immutability algorithm being
employed is in some way significantly flawed.
Is there a risk though of the perfect being the enemy of the good?
I mean, people have to dial in their appetite for risk, right?
They do.
But here's what I would say.
Actually a breach counselor recently said this quote to us.
He said, essentially every organization within the United States has leadership responsibility
or fiduciary responsibility of cyber resiliency.
He said to us, cyber resiliency essentially can be summed up with two pillars, resistance
to a breach or prevention, as many
call it, and recovery.
He said essentially all organizations are over investing in resistance and largely ignoring
recovery.
So to your point, your question, is perfect the enemy of the good?
What I would say to you is this is one security control
you can't get wrong.
We need to be investing more in recovery
and less in resistance.
Essentially, Dave, you've probably heard
many security professionals say
you can't prevent all breaches.
It's essentially a matter of when, not if. All organizations will have
a breach. If we truly believe this statement, then we would be doubling down on our investments
in recovery and spending maybe a little less time on resistance. I'm not saying all those
things aren't important. I'm just saying we need to be investing in an assured recovery.
And yes, I do believe it is possible to have confidence in your ability to recover.
I do fervently believe it.
Matter of fact, we have a model for this that works.
We call it Securitas Summa, where recovery can be assured.
It absolutely can be assured.
That's John Anthony Smith, Founder and Chief Security Officer at Fenix24.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI
tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral
movement, connecting users only to specific apps, not the entire network, continuously
verifying every request based on identity and context, simplifying security management
with AI-powered automation, and detecting threats using AI to analyze over 500 billion
daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And finally, our London Fog Desk reports the UK just launched the Cyber Monitoring Centre
(CMC), a first-of-its-kind system that ranks cyber incidents like hurricanes, from category
1, annoying drizzle, to category 5, cyber-apocalypse.
Led by former NCSC chief Ciaran Martin, the CMC's job is to determine whether a cyber
attack is a systemic event, one so massive it ripples across industries like NotPetya
or CrowdStrike's recent meltdown.
The scale is based on financial losses and the number of affected organizations.
Test runs? Well, MOVEit barely registered.
Synnovis's NHS fiasco hit category 2 and CrowdStrike's self-inflicted chaos landed at category 3.
While initially designed for cyber insurers, the CMC hoped to inform policymakers, businesses, and even the UK government.
Skeptics question its long-term impact, but as Martin put it, if this was easy, somebody
would have done it already.
And that's the CyberWire.
Be sure to check out this weekend's Research Saturday and my conversation with Mark Manglicmot
from Arctic Wolf.
The research is titled Cleopatra's Shadow, a mass exploitation campaign deploying a Java
backdoor through zero-day exploitation of Cleo MFT software.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.