CyberWire Daily - Federal agencies in power struggle crossfire.
Episode Date: February 3, 2025

Federal agencies become battlegrounds in an unprecedented power struggle. XE Group evolves from credit-card skimming to exploiting zero-day vulnerabilities. WhatsApp uncovers a zero-click spyware attack linked to an Israeli firm. Texas expands its ban on Chinese-backed AI and social media apps. Data breaches expose the personal and medical information of over a million people. NVIDIA patches multiple critical vulnerabilities. Arm discloses critical vulnerabilities affecting its Mali GPU Kernel Drivers and firmware. The UK government aims to set the global standard for securing AI. Tim Starks from CyberScoop has the latest from Senate confirmation hearings. The National Cryptologic Museum rights a wrong.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Joining us today is Tim Starks, Senior Reporter from CyberScoop, to discuss two of his recent articles:
- FBI nominee Kash Patel getting questions on cybercrime investigations, Silk Road founder, surveillance powers
- Even the US government can fall victim to cryptojacking

Selected Reading
- Top Security Officials at Aid Agency Put on Leave After Denying Access to Musk Team (New York Times)
- Exclusive: Musk aides lock workers out of OPM computer system (Reuters)
- Federal Workers Block Doors of Admin Building Over Elon Musk Data Breach (DC Media Group)
- Trump Broke the Federal Email System and Government Employees Got Blasted With Astonishingly Vulgar Messages (Futurism)
- CISA employees told they are exempt from federal worker resignation program (The Record)
- From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts (CyberScoop)
- Israeli Firm Paragon Attack WhatsApp With New Zero-Click Spyware (Cyber Security News)
- Texas Gov. Greg Abbott bans DeepSeek, RedNote and other Chinese-backed AI platforms (Statesman)
- Hundreds of Thousands Hit by Data Breaches at Healthcare Firms in Colorado, North Carolina (SecurityWeek)
- Insurance Company Globe Life Notifying 850,000 People of Data Breach (SecurityWeek)
- NVIDIA GPU Display Driver Vulnerability Lets Attackers Steal Files Remotely - Update Now (Cyber Security News)
- Arm Mali GPU Kernel Driver 0-Day Vulnerability Actively Exploited in the Wild (Cyber Security News)
- UK Announces "World-First" AI Security Standard (Infosecurity Magazine)
- Larry Pfeiffer on Bluesky (Bluesky)
- Possibly related to the Bluesky post: Trailblazers in U.S. Cryptologic History

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code N2K at checkout. The only way to
get 20% off is to go to JoinDeleteMe.com/n2k and enter code N2K at checkout. That's JoinDeleteMe.com/n2k, code N2K.
Federal agencies become battlegrounds in an unprecedented power struggle.
XE Group evolves from credit card skimming to exploiting zero days.
WhatsApp uncovers a zero-click spyware attack linked to an Israeli firm.
Texas expands its ban on Chinese-backed AI and social media apps.
Data breaches expose the personal and medical information of over a million people.
NVIDIA patches multiple critical vulnerabilities.
ARM discloses critical vulnerabilities affecting its Mali GPU kernel drivers and firmware.
The UK government aims to set the global standard for securing AI,
Tim Starks from CyberScoop has the latest from Senate confirmation hearings,
and the National Cryptologic Museum rights a wrong.
It's Monday, February 3rd, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you all for joining us here today.
Great to have you with us as always.
This past weekend, chaos erupted within federal agencies as Elon Musk's task force moved swiftly
to seize control of critical government operations.
The U.S. Agency for International Development, USAID, is facing deep uncertainty as President
Trump continues his push to slash foreign aid and restructure federal agencies.
The agency's independence is at risk and sweeping layoffs are expected.
Two top security officials, John Voorhees and Brian McGill, were placed on administrative
leave after denying access to representatives from Elon Musk's team, who sought entry into
classified systems.
USAID's chief of staff, Matt Hobson, has also resigned.
Musk, appointed to lead a controversial government restructuring initiative, has publicly criticized
USAID calling it a criminal organization and pushing for its shutdown.
His influence extends to the Office of Personnel Management, where his appointees have locked
out career civil servants from critical personnel databases containing sensitive government
employee data.
Federal workers have raised cybersecurity concerns,
noting that Musk's team now controls systems without oversight.
The situation has sparked protests outside OPM,
where government employees accuse Musk's team of orchestrating a hostile takeover.
Meanwhile, an unsecured email system at OPM led to a massive spam attack targeting federal
employees, highlighting the vulnerabilities of the rushed transition.
Amid the turmoil, Musk's self-named Department of Government Efficiency, DOGE, is overseeing
a dramatic downsizing of the federal workforce, offering employees buyouts to resign.
Agencies like CISA have been excluded from these offers,
raising further concerns about the restructuring's
national security implications.
The events reflect a broader shift
in Trump's second term governance,
with Musk playing a central role
in reshaping federal institutions.
XE Group, a cyber-criminal organization active for over a decade,
has evolved from credit card skimming to exploiting zero-day vulnerabilities,
posing significant threats to global supply chains.
Originally known for targeting e-commerce platforms, the group has shifted to infiltrating manufacturing
and distribution sectors. By 2024, XE Group exploited two vulnerabilities in VeraCore,
a supply chain management software, using an upload validation flaw and an SQL injection
vulnerability to exfiltrate data and maintain persistent access. The group demonstrated patience, reactivating a web shell planted in 2020.
Using customized web shells and PowerShell-based payloads, XE Group has automated its attacks,
focusing on long-term infiltration.
Researchers believe the group operates from Vietnam but is likely not state-sponsored
due to minimal operational security measures.
WhatsApp has uncovered a zero-click spyware attack linked to Israeli firm Paragon, targeting
nearly 100 journalists, activists, and civil society members worldwide.
The spyware required no user interaction, making it especially dangerous.
WhatsApp disrupted the attack, alerted affected users, and collaborated with Citizen Lab, which helped analyze the breach.
Victims, including Italian journalist Francesco Cancellato, are investigating the extent of data exposure.
The spyware could access messages, activate microphones, and
steal passwords, raising major privacy concerns.
Paragon, which markets itself as an ethical alternative to NSO Group, had been seeking
entry into the U.S. market.
However, recent scrutiny and national security concerns have paused key contracts.
This incident underscores the urgent need for stronger regulations
on commercial spyware and government surveillance tools.
Texas Governor Greg Abbott has expanded
the state's ban on Chinese-backed AI and social media apps,
prohibiting six additional platforms, including DeepSeek,
Lemon8, and RedNote,
on government-issued devices.
The order aims to prevent data harvesting and potential espionage by the Chinese Communist
Party.
This follows Abbott's 2022 ban on TikTok and a 2023 law granting him authority to block
apps posing security risks. The move comes amid heightened concerns over Chinese technology influence, especially as
platforms like RedNote gain popularity among US users.
Three separate data breaches have exposed the personal and medical information of over
a million people.
Asheville Eye Associates in North Carolina
confirmed a cyberattack affecting over 193,000 patients.
Stolen data includes medical treatment details
and insurance information,
but not social security or financial data.
The DragonForce ransomware group
claimed responsibility last December.
Delta County Memorial Hospital reported a May 2024 breach
affecting over 148,000 individuals.
Hackers accessed social security numbers,
medical data, and financial records.
Victims will receive free identity theft protection.
Globe Life Insurance is notifying 850,000 individuals
of a data theft incident linked to an extortion attempt.
The compromised data includes insurance policy details and personal identifiers,
though the company states no business operations were disrupted.
Globe Life is working with regulators and offering credit monitoring services to affected customers.
NVIDIA has released critical security updates to patch multiple vulnerabilities
in its GPU display driver and virtual GPU software.
These flaws, affecting both Windows and Linux platforms,
could lead to information disclosure, denial of service, data tampering, or code execution. Key issues include a buffer
overflow and a memory corruption flaw in vGPU. Affected products include GeForce, NVIDIA RTX,
Quadro, NVS, and Tesla GPUs. NVIDIA urges users to update immediately via the driver downloads page to mitigate security risks.
ARM has disclosed critical security vulnerabilities affecting its Mali GPU kernel drivers and
firmware, impacting Bifrost, Valhall, and 5th Gen GPU architectures. One flaw has been actively
exploited, allowing local attackers to access freed memory, potentially leading to further system compromise.
Nine additional vulnerabilities could cause system crashes, privilege escalation, or data leaks.
Affected users, especially those on smartphones and tablets, are urged to immediately update drivers and firmware to mitigate risks.
The UK government has introduced a new AI Code of Practice aiming to set a global standard
for securing AI through the European Telecommunications Standards Institute.
Developed with the National Cyber Security Centre and industry stakeholders, the voluntary code outlines 13 principles
covering secure AI design, deployment, and maintenance.
The code applies to AI vendors and organizations using AI, but excludes vendors selling AI
models without deploying them.
These will be governed by separate cybersecurity regulations.
Key principles include threat modeling, secure infrastructure, software supply chain security,
and regular updates.
NCSC CTO Ollie Whitehouse emphasized its role in fortifying U.K. AI security while promoting
innovation.
The U.K. aims to lead globally in AI safety following recent efforts to criminalize deepfake creation.
The government hopes this framework will enhance AI resilience and protect digital ecosystems
from security threats.
Coming up after the break, Tim Starks from CyberScoop has the latest from the Senate
confirmation hearings and the National Cryptologic Museum rights a wrong.
Stay with us.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to
give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
Look at this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a
thousand dollars off.
Joining me once again is Tim Starks. He is a senior reporter at CyberScoop.
Tim, great to have you back.
Wonderful.
As always, it's like it's a real high of my week.
Well, I appreciate that.
A couple of stories that you did for CyberScoop that I want to touch on today.
Let's start off with your story about Kash Patel, a nominee for the FBI, of course, and
the degree to which he was questioned about cybersecurity.
Yeah, it was a minor amount, but it was not insignificant, or else we wouldn't have written
a story, of course.
He's a nominee who has a lot of things that lawmakers were concerned about.
Democrats, of course, not Republicans.
But there was an interesting thing that happened.
We wrote the story and then CNN published some details
that were related to it.
Not because of my story, but it was interesting
the way that happened timing-wise.
Senator Klobuchar said, hey, look,
you're talking about closing down the FBI headquarters.
This is the place where people
that run our cyber crime investigations work.
There was a little bit of jousting over that and she didn't get a real answer to the question
about his previous remarks about having said this, that turning it into a museum of the
deep state on day one.
There was a couple other things that came up.
One was Ross Ulbricht, the pardon of the man who operated the Silk Road marketplace, sold drugs and
was charged with computer hacking. He was pardoned. They asked Kash Patel, what do you
think of that? He's like, not my place to weigh in on the pardons.
I think probably the, maybe the most significant policy thing they discussed that was cyber
related was his view on section 702, which of course is the law that is warrantless
vacuuming up of communications targeting foreigners.
But if you just so happen to have been a U.S. citizen
talking to that person, there is a way for the FBI
to seek that data about you.
And there was a big debate in the last couple of years,
you'll recall, and it's actually a pretty long-running one at this point.
But before they reauthorized that, there was a big debate about whether there should be a warrant requirement.
Do you need to get a warrant to go in and get information about US citizens?
Right.
And Kash Patel's view was that that's not something that's good, that would actually harm investigations.
It was a pretty traditional view of the hawkish side of that debate,
as opposed to the side of the
debate that was really focused on privacy and Fourth Amendment and those kinds of concerns.
Yeah.
Tulsi Gabbard also made an appearance in front of the senators here.
What came of that?
Yeah.
She got asked about a similar thing.
She got asked about, my colleague Derek Johnson wrote about the hearing.
She got asked about whether Edward Snowden was a traitor, which was something that she
didn't seem eager to answer all that directly.
She's had some changes on her position on Section 702.
That was something that the committee hearing delved into.
Obviously, if she's going to be the director of national intelligence, that's going to
be something where her agency is going to have a lot of oversight about that kind of
activity.
She had once upon a time called this Section 702 an overreach, but she has turned around and said actually it's, and this is a direct quote, a "vital national security tool." And that's something that, depending on where you were
at on the debate when it was happening, you were either happy that she said
that or unhappy that she said that.
I want to switch gears and touch on another article that
I believe you co-wrote here, and this was about the government falling victim to some cryptojacking.
Very rare when that happens.
We did find several instances beforehand of it happening.
But the cyber pros we talked to just were like, no, this isn't something I've really
heard of.
So it's exceedingly rare that the government is crypto jacked.
And it just so happens that USAID was in the fall.
And me and my colleague, Rebecca Heilweil of FedScoop, broke this story and explained, you know,
it cost the company, it cost the agency half a million dollars to deal with this.
Basically, the crypto jackers just come in,
they use up your electricity to mine crypto,
and then they leave.
And that seems to be what has happened here.
I think I was looking at the numbers to get a sense of like,
what is a half a million dollars to USAID?
It may not sound like that much money
if you're talking about a multi-billion dollar agency, but that is the amount equivalent to how much they spent
in 2023 on notifying children of tuberculosis.
So we're talking about real money that could make a difference and that essentially was
lost as a result of this hacking.
And it could have been worse because these cryptojackers, cryptojacking is a real threat,
but it's a lower level threat than, say, ransomware.
Right.
There's not just monetary damage,
there could be other damage as well.
So these hackers could have used this access
to do something much worse than they actually did.
And what they did was pretty bad already.
Yeah, I have to say,
I was sort of scratching my head over this one.
as to whether or not,
you know, cryptojacking the federal government is poking the bear.
Yeah, I mean, you know, one of the things, I can't remember if we've included this in the
story, but certainly one of the things that I talked about with people is like, why would you do this?
Like, why would you cryptojack the federal government? What do you,
you know, there's so many people you could target, and they
do target lots, they target the private sector,
the private sector loses tens of millions of dollars
to this every year according to the people we've talked to.
So there's a chance that they just didn't know
who they were targeting, that they just were, you know,
searching the web for vulnerable targets and found this,
found USAID.
The other thing though was that,
and this is the part that I started
to say, this is a relatively low amount of money, such that this isn't going to be
like Colonial Pipeline, where the federal government is suddenly going to be coming
for you because you shut down, you know, the Eastern seaboard, you didn't really shut it down,
but it caused a panic.
Right.
And suddenly people can't, are having trouble buying gasoline.
So it's a relatively low enough amount of money that it probably wasn't going to, it's
low risk and it's low reward.
But it did strike us as very odd, because why would you want to, why a federal
agency?
And we didn't entirely get to the bottom of it, but it's entirely possible that they just
didn't know who they were going at.
They actually figured it out.
They would have had to have known something about who they were crypto-jacking after they
started doing it.
But when they found them, this may have just been very much a target of opportunity.
Did you get any response from any of the agencies involved here as to either how this happened or what they planned
to do in the future to prevent it?
No, we did not get that response.
I would have loved at least,
we were hit by a sophisticated attack.
You always want that one.
Right, at this point it's a given.
The good news is that we didn't need them
to say that much about it
because of the internal documents we had
where they said, we've seen this, we've responded, we're implementing
these additional defenses, multi-factor authentication is key for this kind of thing.
So we know how they responded or were going to respond.
What we don't know is how much of what they said they were going to do, they actually
ended up doing.
I mean, we're talking about something that happened in November.
It's possible that they haven't finished implementing all the defenses that they talked about doing.
So that's the one thing that would have been nice there from them on.
All joking aside about the sophisticated campaign,
It would have been nice to know if they have fixed these things instead of
just here's what we say we're going to fix.
That would have been something that would have been nice to know for the story,
frankly, and CISA,
which it would certainly have been involved in some way and shape or form in
evaluating what happened here, did not comment.
They referred us back to USAID, and USAID didn't want to say anything more.
So that's where we were left.
Yeah.
All right.
Well, Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for taking the time for us.
Yeah, thanks for having me.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based on identity
and context. Simplifying security management with AI-powered automation. And detecting
threats using AI to analyze over 500 billion daily transactions. Hackers can't attack
what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Hit pause on whatever you're listening to
and hit play on your next adventure.
Stay two nights and get a $50 Best Western gift card.
Life's the trip.
Make the most of it at Best Western.
Visit bestwestern.com for complete terms and conditions.
And finally, in a recent Bluesky post, Larry Pfeiffer, former CIA Chief of Staff
and current director of the Hayden Center, highlighted a concerning action taken in response to President Trump's
anti-diversity directive. He noted that at the National Cryptologic Museum at NSA,
images of notable figures such as Elizebeth Friedman and Ann Caracristi from the Women
in American Cryptology Hall of Honor, as well as Wash Wong and Ralph Adams
from the People of Color in Cryptologic History honorees,
were covered over with brown paper.
This act has sparked discussions about the implications
of the administration's stance on diversity
and its impact on recognizing the contributions
of marginalized groups in national security history.
The museum responded to an inquiry from Mr. Pfeiffer stating,
We are dedicated to presenting the public with historically accurate exhibits, and we
have corrected a mistake that covered an exhibit.
We look forward to visitors exploring the museum and its rich history.
The decision to obscure the images of trailblazing cryptologists at the museum, whether intentional
or out of misplaced caution, reflects the deep fear and uncertainty gripping government
employees under the Trump administration's crackdown on diversity initiatives.
This act, seemingly preemptive, underscores how agencies are scrambling to avoid political
backlash, even at the cost of erasing historical contributions.
It's a troubling sign of how policies rooted in ideology rather than merit can lead to
self-censorship and a chilling effect on truthful storytelling in public institutions.
And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth, our CyberWire producer is Liz Stokes.
We're mixed by Elliot Peltsman and Trey Hester. Our executive producer is Jennifer Eiben,
Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening,
we'll see you back here tomorrow.