CyberWire Daily - Get to patching: Patch Tuesday updates.

Episode Date: May 14, 2025

A busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack. A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. On our Industry Voices segment, Neil Hare-Brown, CEO at STORM Guidance, discusses Cyber Incident Response (CIR) retainer service provision. Shoring up the future of the CVE program.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices segment, we are joined by Neil Hare-Brown, CEO at STORM Guidance, discussing Cyber Incident Response (CIR) retainer service provision. You can learn more here.

Selected Reading
Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days (Security Affairs)
SAP patches second zero-day flaw exploited in recent attacks (Bleeping Computer)
Ivanti fixes EPMM zero-days chained in code execution attacks (Bleeping Computer)
Fortinet fixes critical zero-day exploited in FortiVoice attacks (Bleeping Computer)
Vulnerabilities Patched by Juniper, VMware and Zoom (SecurityWeek)
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact (SecurityWeek)
Adobe Patches Big Batch of Critical-Severity Software Flaws (SecurityWeek)
Ghost in the machine? Rogue communication devices found in Chinese inverters (Reuters)
New Intel CPU flaws leak sensitive data from privileged memory (Bleeping Computer)
M&S cyber insurance payout to be worth up to £100mn (Financial Times)
US extradites Kosovo national charged in operating illegal online marketplace (The Record)
CISA Planned to Kill .Gov Alerts. Then It Reversed Course. (Data BreachToday)
CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program (CyberScoop)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:00:40 day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:01:05 Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout. That's joindeleteeme.com slash n2k, code n2k. It was a busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered branch privilege injection flaw affects Intel CPUs. A UK retailer may claim up to 100 million pounds from its cyber insurers after a major cyber attack. A Kosovo national has been extradited to the US
Starting point is 00:01:56 for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. Our guest is Neil Hare-Brown, CEO at STORM Guidance, discussing cyber incident response retainer service provision and shoring up the future of the CVE program. It's Wednesday, May 14, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us. Yesterday marked May's Patch Tuesday and Microsoft took center stage by addressing 78 vulnerabilities,
Starting point is 00:03:03 including five zero days actively exploited in the wild. These critical flaws span across Windows, Office, Azure, and Microsoft Defender. Notably, one of the zero days carries a perfect CVSS score of 10, impacting Azure DevOps server. Additionally, six vulnerabilities are rated as critical, with five being remote code execution flaws and one an information disclosure bug. SAP has released patches for a second zero-day vulnerability in its NetWeaver servers. This flaw was discovered during investigations into previous zero-day attacks involving another
Starting point is 00:03:41 vulnerability fixed back in April. Both vulnerabilities have been exploited in the wild, emphasizing the need for immediate patching. Ivanti has patched two vulnerabilities in its Endpoint Manager Mobile software that attackers have chained together to achieve unauthenticated remote code execution. The first is an authentication bypass,
Starting point is 00:04:02 and the second allows arbitrary code execution via crafted API requests. Ivanti urges customers to update to the latest versions to mitigate these threats. Fortinet has addressed a critical remote code execution vulnerability in its FortiVoice Enterprise phone system. This stack-based overflow flaw has been actively exploited, allowing unauthenticated attackers to execute arbitrary code through malicious HTTP requests. The vulnerability also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Starting point is 00:04:39 Juniper Networks, VMware, and Zoom have released patches for numerous vulnerabilities across their products. Juniper addressed nearly 90 bugs in its Secure Analytics platform, some dating back several years. VMware fixed a high-severity cross-site scripting flaw in its Aria Automation appliance and a medium-severity issue in VMware Tools. Zoom resolved nine security defects in its Workplace apps, including a high-severity privilege escalation vulnerability. Industrial control system giants Siemens,
Starting point is 00:05:15 Schneider Electric and Phoenix Contact have issued security advisories addressing vulnerabilities in their products. While most flaws have been patched, some only have mitigations or workarounds available. These advisories are crucial for organizations relying on ICS infrastructure. Adobe's Patch Tuesday rollout includes fixes for at least 39 vulnerabilities across various
Starting point is 00:05:39 products. A significant update addresses seven critical flaws in Adobe ColdFusion, which could lead to arbitrary file system reads, code execution, and privilege escalation. These vulnerabilities carry a CVSS score of 9.1 out of 10, highlighting their severity. Overall, this month's Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats. U.S. energy officials are investigating Chinese-made inverters and batteries after discovering
Starting point is 00:06:20 undocumented communication devices inside them, Reuters reports. These components, used widely in solar panels, batteries, and EV chargers, could bypass firewalls and pose risks to the power grid. Experts warn they could enable remote disruptions or even destruction of infrastructure. While such devices are built for remote maintenance, some found had hidden capabilities not listed in manuals. The U.S. Department of Energy is working to tighten transparency and supply chain security. As tensions with China grow, utilities and lawmakers are pushing to limit reliance on Chinese technology in critical infrastructure. Some nations, like Lithuania and Estonia, are already taking steps to ban or restrict Chinese inverters to protect energy systems from foreign control.
Starting point is 00:07:15 A newly discovered branch privilege injection flaw affects all Intel CPUs from the ninth generation onward. Researchers at ETH Zurich found that speculative execution on Intel's branch predictors can leak sensitive kernel data to user-level attackers by exploiting race conditions during privilege switches. Their exploit bypasses Spectre version 2 mitigations and successfully reads protected data like hashed passwords. Non-Intel CPUs tested, including AMD and ARM, are not vulnerable. Intel CPUs before 9th gen may still be at risk from older Spectre variants.
Starting point is 00:07:59 UK retailer Marks & Spencer may claim up to £100 million from its cyber insurers after a major cyber attack compromised some customer data and disrupted operations for nearly three weeks, the Financial Times reports. Allianz is expected to cover at least the first £10 million, with Beazley also potentially liable. While M&S confirmed that no payment details or passwords were exposed, personal data like contact info and order history may have been. The attack halted online sales and caused supply issues in food stores,
Starting point is 00:08:37 with estimated losses exceeding £60 million. Since disclosing the breach on April 27th, M&S shares have dropped 16 percent, wiping £1.3 billion off its market value. The company's insurance policies, arranged by WTW, are expected to cover both direct and third-party losses. Experts warn premiums could rise if M&S fails to show stronger risk management in future renewals.
Starting point is 00:09:09 Liridon Masurica, a 33-year-old Kosovo national, has been extradited to the U.S. for allegedly running BlackDB.cc, an illegal online marketplace selling stolen account data and personal information. Known online as BlackDB, Masurica is accused of enabling fraud schemes including tax fraud and identity theft. Arrested in December, he appeared in a Tampa court and remains in custody. Kosovo authorities seized digital devices and cryptocurrency during the arrest. If convicted, Masurica faces up to 55 years in prison. CISA reversed its decision to scale back cybersecurity alerts on its website, following backlash and confusion from the cyber community.
Starting point is 00:09:59 Initially, CISA announced it would prioritize social media, particularly X, formerly Twitter, for updates, claiming it would enhance user experience. Critics argued this shift could limit access to critical information, including threat alerts and vulnerability disclosures. CISA's website has long been a trusted source for urgent cyber threat guidance, especially as the agency faces budget cuts and staffing shortages. The move raised concerns about transparency and reliance on private platforms for public
Starting point is 00:10:32 safety information. Under scrutiny from Congress and amid potential $500 million in budget reductions, CISA has paused changes to reassess how to best communicate with stakeholders, while maintaining its commitment to .gov platforms for verified alerts. Coming up after the break, my conversation with Neil Hare-Brown, CEO at STORM Guidance. We're discussing cyber incident response retainer service provision and shoring up the future of the CVE program. Stay with us. And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software
Starting point is 00:11:43 can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right.
Starting point is 00:12:22 That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture
Starting point is 00:12:44 without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber. That's vanta.com slash cyber. Neil Hare-Brown is CEO at STORM Guidance, and in today's sponsored Industry Voices discussion,
Starting point is 00:13:39 we're talking about cyber incident response retainer service provision. Many organizations are approaching incident response, well, many organizations are not approaching incident response planning, unfortunately. But those that are approaching incident response planning are tending to look to the standards. There have been some pretty good standards in cyber incident response for a number of years now. I've been in cyber for 40 years now,
Starting point is 00:14:14 and I started cyber incident investigations in 96. And even back then, the first computer emergency response team out of Carnegie Mellon had published their initial thoughts on what makes good cyber incident response. And so that's been developed over the years. One of the areas which I think is largely missing from the standards is the appreciation that cyber incidents or cyber incident response is actually a lot more
Starting point is 00:14:53 than just the technical aspects. So, and this is something which for the last 12 years now we've been managing or responding to incidents on behalf of cyber insurers, over a thousand incidents in the last decade. And there really is a large amount of work that has to be done with those organizations that are suffering from incidents in the non-technical areas, such as the legal side of things, the crisis PR side of things, trauma counseling, ransom negotiation. These are all things which
Starting point is 00:15:31 are, if you like, outside of the scope of technical. When it comes to planning, that's something which many organizations need to embrace as part of their cyber incident response plans. Those organizations that are a little bit more mature, I would say, certainly those that have got well-developed business continuity plans, they are very well-advised to, if you like, adapt those business continuity plans to incorporate cyber incidents as well.
Starting point is 00:16:04 Inherent in the name, incident response, I think, is that folks come at this in a reactive way. I guess that's understandable, but how does that approach affect the outcomes here? When it comes to actually dealing with incidents on the fly. So when incidents actually occur, we tend to find that many organizations are, they have not prepared, certainly they've not prepared adequately enough for cyber incidents. And so oftentimes that will be the point at which they will call in the specialists
Starting point is 00:16:40 or certainly seek to call in the specialists. Those specialists may be provided if they have cyber insurance, or they might be seeking to acquire that expertise just commercially from cyber incident response teams such as ourselves. And so that, if you like, I think, as you've already alluded to, is not the ideal situation. Certainly, we deal with many incidents where the senior management is the first time that they've ever met the IT or operational folks in their own organization. And so that really underlines the
Starting point is 00:17:20 need to prepare for cyber incidents and to prepare for the reactive state. Certainly if you want to have a good outcome, organizations that are not prepared, even if they are using highly experienced professional cyber incident responders, they're still not going to have anywhere near the effectiveness of, you know, the good outcomes
Starting point is 00:17:48 that they would have if they had actually been much more prepared. What does that preparation look like and how should the security team make the case to the executives that that preparation is a worthwhile investment? So when it comes to the preparation side of things, again it really is important to think outside the box. So having a written plan is a great thing, but making sure that it's going to survive first contact is the second thing. So ensuring that you've actually had an exercise of your plan is very important. Also ensuring that the plan caters for both the strategic senior management aspects
Starting point is 00:18:36 of managing a cyber incident and the operational sort of technical aspects as well. And we find that most organizations work more effectively if they actually separate those two groups of folks when they have an incident or when they're actually having an exercise. Because that's actually the most efficient way of managing things. You tend to find that you might have senior management that
Starting point is 00:19:02 want to get involved or understand some of the technicalities, and generally, when you're in the middle of a cyber incident, that isn't the right time to do that. And similarly, sometimes you get some of the technical folks wanting to become legal experts, and that equally is not the right time. So it's always best to actually keep those two groups apart, but have a coordinator that is working with those two groups to make sure that the requirements of the strategic group are properly conveyed to the operational group,
Starting point is 00:19:34 and the results are passed back so they can make some informed decisions. This is all part of the actual preparedness. And then you can also have some specific preparedness workshops. So for instance, forensic preparedness. So having a good idea of the various technologies that you're using, what the tech stack looks like, and what the ability for those technologies
Starting point is 00:20:02 is to actually record evidential items and to make sure that that evidence, whether it's in the format, whether it's in logs or whether it's in other forensic artifacts that could be produced during an incident, and to make sure those are preserved. So this is something which is very important to actually talk through ahead of times so that you can make sure that you have a really effective response when an incident occurs. You mentioned that many organizations come at this
Starting point is 00:20:34 as a technical challenge and that certainly makes sense, but you also mentioned that there are a lot of other things at play here and one thing that caught my ear was this notion of helping people deal with the trauma of an event like this. Explain the importance of that. That's one of the major losses that we see organizations suffering from, and it's a loss which is not immediately felt by the organization or indeed the individuals that are tasked
Starting point is 00:21:06 with the response. Bearing in mind the response isn't just purely technical so we're not just talking about just the IT folks here, we can be talking about management as well and even senior executives. But the post-traumatic stress that those participants feel, those responders feel, once the incident has been dealt with, can sometimes be quite significant. We've dealt with a number of incidents, for instance, where members of staff have been deceived into giving up credentials or into actually making payments, that kind of thing. And that kind of, you know, that sits very heavily with them.
Starting point is 00:21:49 And it's generally the case that unless an organization does something to recognize that and to offer them the support that they will need, that they could be looking at those staff leaving, you know, within a relatively short period of time after the incident has taken place. In this world where so many organizations have moved their operations to the cloud or they're relying on managed service providers, I can imagine that they are looking to rely on those organizations if there is an incident to help with the recovery. Is that a sensible plan? Does that make sense? How reliable are they as a support network?
Starting point is 00:22:36 Very good question. I think it does need, and this again kind of underlines the need for preparation, because it really needs some thought as to what roles an organization would want their service providers to play in the event of an incident. There's no doubt that if systems or data have to be recovered then it may well be that the expertise that their MSPs are offering and the familiarity that they have with the client systems and data is such that they will be the ideal person to help with that recovery. When it comes to the investigation aspects though, some very careful thought has to be
Starting point is 00:23:17 given there as to whether or not their providers would be conflicted if they were to help with the investigation. Consider, for instance, if a managed security services provider or a straight MSP that's providing some kind of security services as part of their overall package would actually, if they were then tasked to actually perform an investigation, and it happened that the very controls that those organizations should have been putting in place had failed in some way. Perhaps an MSSP that should have been monitoring systems failed in their ability to do that
Starting point is 00:24:03 properly. Are they going to actually reveal that? Are they truly independent when it comes to that investigation? Are they going to give the organization that kind of clarity on the initial point of compromise, et cetera? So it's very important to give that some consideration. And certainly we've come across many cases now where MSPs who are appointed to do the investigation part of the incident response are indeed conflicted, and they are rather opaque in helping the organization to understand what went wrong and how it went wrong.
Starting point is 00:24:42 You know, there's kind of this old joke in cybersecurity about the security professionals standing in front of the board of directors and saying, okay, we spent all this money and congratulations, nothing happened. And the board scratches their head and said, well, why are we spending all this money?
Starting point is 00:25:03 If people are investing in a retainer with an organization like yours, how do they leverage that investment proactively? So certainly, I would say all good retainer services should provide a range of onboarding services. So this is separate from the actual incident response time that is set aside in case an incident does occur. Those onboarding activities should include,
Starting point is 00:25:37 as we've already discussed, some preparatory support. We perform something called assimilation where we sort of take a lot of time to understand a client's tech stack, what their points of contact are, which regulations apply, what their legal obligations are, etc. etc. Lots and lots of points. And so I would say a good retainer service should have some onboarding activities, maybe a risk assessment, maybe some attack surface scanning, that kind of stuff. Then there is the investment itself into the time that may be required should an incident occur.
Starting point is 00:26:16 And that time would be used at different rates, depending on the skills that would be needed should an incident occur. So you may have a different rate for a senior legal advisor, for instance, than you would for a forensic investigator. So having a way to actually make sure that that is all dealt with as part of the process. And then thirdly, and very importantly, as you've already said, if an incident does not occur, then how is a client going to maximize their investment?
Starting point is 00:26:47 And so the best process is that they should be able to see 100% of their investment, and that should be converted into the ability to undertake proactive activities. So for instance, staff awareness training, penetration testing, maybe cyber incident exercise, all of these things can actually be a way for clients to get a maximum out of their investment.
Starting point is 00:27:16 That's Neil Hare-Brown, CEO at STORM Guidance. For more information about Cyber Incident Response Retainer Service Provision, you can find a link in our show notes. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID, and hybrid configurations.
Starting point is 00:28:10 Identity leaders are reducing such risks with Attack Path Management. You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps – see your attack paths the way adversaries do. And finally, in late March, MITRE marked the 25th anniversary of the CVE program, the cornerstone of global vulnerability tracking and every security pro's favorite database to grumble about while secretly relying on it daily. For a brief jittery moment in April, it looked like this quarter-century run might come to
Starting point is 00:29:06 an abrupt awkward end. A leaked memo revealed that the Cybersecurity and Infrastructure Security Agency had not renewed MITRE's funding contract. The memo gave everyone a very specific countdown, about 36 hours until the lights went out. Analysts, vendors, and researchers, all highly trained to manage risk, suddenly found themselves in a digital doomsday scenario. One expert said it was the eleventh hour, 59th minute, it gave a doomsday feel. Then, just 17 hours later, CISA reversed course and issued an 11-month contract extension. Crisis averted.
Starting point is 00:29:48 Mostly. The near miss did more than rattle nerves. It kicked off a rapid rethink of who should control, fund, and future-proof one of the Internet's most essential public services. Enter a cast of new players. In Europe, ENISA launched its own EU vulnerability database. Luxembourg's CIRCL debuted the Global CVE Allocation System, and several CVE board members introduced plans for a new CVE Foundation, a privately funded alternative aimed at global
Starting point is 00:30:20 resilience and governance beyond a single U.S. agency. That last move stirred controversy. Former CISA Director Jen Easterly publicly criticized CVE Foundation board members for secretly building a rival while still overseeing the current program, calling it a conflict of interest. Meanwhile, supporters argue that relying on a single funder, especially one with a volatile budget and shifting political winds, is just bad business. You want resilience, said one expert, not a cliffhanger every fiscal year. As for MITRE, they're staying the course, grateful for the overwhelming support and
Starting point is 00:31:00 committed to keeping CVE running smoothly, contract drama notwithstanding. Still, the takeaway was clear. The CVE program may be a public good, but it's not immune to bureaucratic entropy. Whether it evolves into a broader, more distributed model, or continues under its current stewardship, one thing is certain. No one wants to live in a world without it. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures
Starting point is 00:31:53 we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening.
Starting point is 00:32:27 We'll see you back here tomorrow. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing
Starting point is 00:33:22 to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.
