CyberWire Daily - Get to patching: Patch Tuesday updates.
Episode Date: May 14, 2025

A busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack. A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. On our Industry Voices segment, Neil Hare-Brown, CEO at STORM Guidance, discusses Cyber Incident Response (CIR) retainer service provision. Shoring up the future of the CVE program.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices segment, we are joined by Neil Hare-Brown, CEO at STORM Guidance, discussing Cyber Incident Response (CIR) retainer service provision. You can learn more here.

Selected Reading
Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days (Security Affairs)
SAP patches second zero-day flaw exploited in recent attacks (Bleeping Computer)
Ivanti fixes EPMM zero-days chained in code execution attacks (Bleeping Computer)
Fortinet fixes critical zero-day exploited in FortiVoice attacks (Bleeping Computer)
Vulnerabilities Patched by Juniper, VMware and Zoom (SecurityWeek)
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact (SecurityWeek)
Adobe Patches Big Batch of Critical-Severity Software Flaws (SecurityWeek)
Ghost in the machine? Rogue communication devices found in Chinese inverters (Reuters)
New Intel CPU flaws leak sensitive data from privileged memory (Bleeping Computer)
M&S cyber insurance payout to be worth up to £100mn (Financial Times)
US extradites Kosovo national charged in operating illegal online marketplace (The Record)
CISA Planned to Kill .Gov Alerts. Then It Reversed Course. (DataBreachToday)
CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program (CyberScoop)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind.

And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com/n2k and use promo code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.

It was a busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100 million from its cyber insurers after a major cyberattack. A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. Our guest is Neil Hare-Brown, CEO at STORM Guidance, discussing cyber incident response retainer service provision. And shoring up the future of the CVE program.

It's Wednesday, May 14, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It is great as always to have you with us.
Yesterday marked May's Patch Tuesday, and Microsoft took center stage by addressing 78 vulnerabilities, including five zero-days actively exploited in the wild. These critical flaws span across Windows, Office, Azure, and Microsoft Defender. Notably, one of the zero-days carries a perfect CVSS score of 10, impacting Azure DevOps Server. Additionally, six vulnerabilities are rated as critical, with five being remote code execution flaws and one an information disclosure bug.
SAP has released patches for a second zero-day vulnerability in its NetWeaver servers. This flaw was discovered during investigations into previous zero-day attacks involving another vulnerability fixed back in April. Both vulnerabilities have been exploited in the wild, emphasizing the need for immediate patching.
Ivanti has patched two vulnerabilities in its Endpoint Manager Mobile software that attackers have chained together to achieve unauthenticated remote code execution. The first is an authentication bypass, and the second allows arbitrary code execution via crafted API requests. Ivanti urges customers to update to the latest versions to mitigate these threats.
Fortinet has addressed a critical remote code execution vulnerability in its FortiVoice enterprise phone system. This stack-based overflow flaw has been actively exploited, allowing unauthenticated attackers to execute arbitrary code through malicious HTTP requests. The vulnerability also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Juniper Networks, VMware, and Zoom have released patches for numerous vulnerabilities across their products. Juniper addressed nearly 90 bugs in its Secure Analytics platform, some dating back several years. VMware fixed a high-severity cross-site scripting flaw in its Aria Automation appliance and a medium-severity issue in VMware Tools. Zoom resolved nine security defects in its Workplace apps, including a high-severity privilege escalation vulnerability.
Industrial control system giants Siemens, Schneider Electric, and Phoenix Contact have issued security advisories addressing vulnerabilities in their products. While most flaws have been patched, some only have mitigations or workarounds available. These advisories are crucial for organizations relying on ICS infrastructure.
Adobe's Patch Tuesday rollout includes fixes for at least 39 vulnerabilities across various products. A significant update addresses seven critical flaws in Adobe ColdFusion, which could lead to arbitrary file system reads, code execution, and privilege escalation. These vulnerabilities carry a CVSS score of 9.1 out of 10, highlighting their severity.

Overall, this month's Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats.
U.S. energy officials are investigating Chinese-made inverters and batteries after discovering undocumented communication devices inside them, Reuters reports. These components, used widely in solar panels, batteries, and EV chargers, could bypass firewalls and pose risks to the power grid. Experts warn they could enable remote disruptions or even destruction of infrastructure. While such devices are built for remote maintenance, some found had hidden capabilities not listed in manuals. The U.S. Department of Energy is working to tighten transparency and supply chain security. As tensions with China grow, utilities and lawmakers are pushing to limit reliance on Chinese technology in critical infrastructure. Some nations, like Lithuania and Estonia, are already taking steps to ban or restrict Chinese inverters to protect energy systems from foreign control.
A newly discovered Branch Privilege Injection flaw affects all Intel CPUs from the ninth generation onward. Researchers at ETH Zurich found that speculative execution on Intel's branch predictors can leak sensitive kernel data to user-level attackers by exploiting race conditions during privilege switches. Their exploit bypasses Spectre version 2 mitigations and successfully reads protected data like hashed passwords. Non-Intel CPUs tested, including AMD and Arm, are not vulnerable. Intel CPUs before the ninth generation may still be at risk from older Spectre variants.
UK retailer Marks & Spencer may claim up to £100 million from its cyber insurers after a major cyberattack compromised some customer data and disrupted operations for nearly three weeks, the Financial Times reports. Allianz is expected to cover at least the first £10 million, with Beazley also potentially liable. While M&S confirmed that no payment details or passwords were exposed, personal data like contact info and order history may have been. The attack halted online sales and caused supply issues in food stores, with estimated losses exceeding £60 million. Since disclosing the breach on April 27th, M&S shares have dropped 16 percent, wiping £1.3 billion off its market value. The company's insurance policies, arranged by WTW, are expected to cover both direct and third-party losses. Experts warn premiums could rise if M&S fails to show stronger risk management in future renewals.
Liridon Masurica, a 33-year-old Kosovo national, has been extradited to the U.S. for allegedly running BlackDB.cc, an illegal online marketplace selling stolen account data and personal information. Known online as BlackDB, Masurica is accused of enabling fraud schemes including tax fraud and identity theft. Arrested in December, he appeared in a Tampa court and remains in custody. Kosovo authorities seized digital devices and cryptocurrency during the arrest. If convicted, Masurica faces up to 55 years in prison.
CISA reversed its decision to scale back cybersecurity alerts on its website, following backlash and confusion from the cyber community. Initially, CISA announced it would prioritize social media, particularly X (formerly Twitter), for updates, claiming it would enhance user experience. Critics argued this shift could limit access to critical information, including threat alerts and vulnerability disclosures. CISA's website has long been a trusted source for urgent cyber threat guidance, especially as the agency faces budget cuts and staffing shortages. The move raised concerns about transparency and reliance on private platforms for public safety information. Under scrutiny from Congress and amid a potential $500 million in budget reductions, CISA has paused changes to reassess how to best communicate with stakeholders, while maintaining its commitment to .gov platforms for verified alerts.
Coming up after the break, my conversation with Neil Hare-Brown, CEO at STORM Guidance. We're discussing cyber incident response retainer service provision and shoring up the future of the CVE program. Stay with us.

And now, a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.

Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever, and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's vanta.com/cyber.

Neil Hare-Brown is CEO at STORM Guidance, and in today's sponsored Industry Voices discussion, we're talking about cyber incident response retainer service provision.
Many organizations are approaching incident response, well, many organizations are not approaching incident response planning, unfortunately. But those that are approaching incident response planning are tending to look to the standards. There have been some pretty good standards in cyber incident response for a number of years now. I've been in cyber for 40 years now, and I started cyber incident investigations in '96. And even back then, the first computer emergency response team out of Carnegie Mellon had published their initial thoughts on what makes good cyber incident response. And so that's been developed over the years.

One of the areas which I think is largely missing from the standards is the appreciation that cyber incidents, or cyber incident response, is actually a lot more than just the technical aspects. And this is something which, for the last 12 years now, we've been managing or responding to incidents on behalf of cyber insurers, over a thousand incidents in the last decade. And there really is a large amount of work that has to be done with those organizations that are suffering from incidents in the non-technical areas, such as the legal side of things, the crisis PR side of things, trauma counseling, ransom negotiation. These are all things which are, if you like, outside of the scope of technical.

When it comes to planning, that's something which many organizations need to embrace as part of their cyber incident response plans. Those organizations that are a little bit more mature, I would say, certainly those that have got well-developed business continuity plans, they are very well advised to, if you like, adapt those business continuity plans to incorporate cyber incidents as well.
Inherent in the name, incident response, I think, is that folks come at this in a reactive way. I guess that's understandable, but how does that approach affect the outcomes here?
When it comes to actually dealing with incidents on the fly, so when incidents actually occur, we tend to find that many organizations have not prepared, certainly they've not prepared adequately enough for cyber incidents. And so oftentimes that will be the point at which they will call in the specialists, or certainly seek to call in the specialists. Those specialists may be provided if they have cyber insurance, or they might be seeking to acquire that expertise just commercially from cyber incident response teams such as ourselves. And so that, if you like, I think, as you've already alluded to, is not the ideal situation.

Certainly, we deal with many incidents where it's the first time that the senior management have ever met the IT or operational folks in their own organization. And so that really underlines the need to prepare for cyber incidents and to prepare for the reactive state. Certainly if you want to have a good outcome, organizations that are not prepared, even if they are using highly experienced professional cyber incident responders, they're still not going to have anywhere near the effectiveness of, you know, the good outcomes that they would have if they had actually been much more prepared.
What does that preparation look like, and how should the security team make the case to the executives that that preparation is a worthwhile investment?
So when it comes to the preparation side of things, again, it really is important to think outside the box. So having a written plan is a great thing, but making sure that it's going to survive first contact is the second thing. So ensuring that you've actually had an exercise of your plan is very important. Also ensuring that the plan caters for both the strategic senior management aspects of managing a cyber incident and the operational, sort of technical, aspects as well. And we find that most organizations work more effectively if they actually separate those two groups of folks when they have an incident or when they're actually having an exercise, because that's actually the most efficient way of managing things.

You tend to find that you might have senior management that want to get involved or understand some of the technicalities, and generally, when you're in the middle of a cyber incident, that isn't the right time to do that. And similarly, sometimes you get some of the technical folks wanting to become legal experts, and that equally is not the right time. So it's always best to actually keep those two groups apart, but have a coordinator that is working with those two groups to make sure that the requirements of the strategic group are properly conveyed to the operational group, and the results are passed back so they can make some informed decisions. This is all part of the actual preparedness.

And then you can also have some specific preparedness workshops. So for instance, forensic preparedness. So having a good idea of the various technologies that you're using, what the tech stack looks like, and what the ability for those technologies is to actually record evidential items, and to make sure that that evidence, whether it's in logs or whether it's in other forensic artifacts that could be produced during an incident, to make sure those are preserved. So this is something which is very important to actually talk through ahead of time so that you can make sure that you have a really effective response when an incident occurs.
You mentioned that many organizations come at this as a technical challenge, and that certainly makes sense, but you also mentioned that there are a lot of other things at play here, and one thing that caught my ear was this notion of helping people deal with the trauma of an event like this. Explain the importance of that.
That's one of the major losses that we see organizations suffering from, and it's a loss which is not immediately felt by the organization or indeed the individuals that are tasked with the response. Bearing in mind the response isn't just purely technical, so we're not just talking about just the IT folks here; we can be talking about management as well and even senior executives. But the post-traumatic stress that those participants feel, those responders feel, once the incident has been dealt with, can sometimes be quite significant.

We've dealt with a number of incidents, for instance, where members of staff have been deceived into giving up credentials or into actually making payments, that kind of thing. And that kind of, you know, that sits very heavily with them. And it's generally the case that unless an organization does something to recognize that and to offer them the support that they will need, they could be looking at those staff leaving, you know, within a relatively short period of time after the incident has taken place.
In this world where so many organizations have moved their operations to the cloud or they're relying on managed service providers, I can imagine that they are looking to rely on those organizations if there is an incident to help with the recovery. Is that a sensible plan? Does that make sense? How reliable are they as a support network?
Very good question. I think it does need, and this again kind of underlines the need for preparation, because it really needs some thought as to what roles an organization would want their service providers to play in the event of an incident. There's no doubt that if systems or data have to be recovered, then it may well be that the expertise that their MSPs are offering and the familiarity that they have with the client systems and data is such that they will be the ideal person to help with that recovery.

When it comes to the investigation aspects, though, some very careful thought has to be given there as to whether or not their providers would be conflicted if they were to help with the investigation. Consider, for instance, if a managed security services provider, or a straight MSP that's providing some kind of security services as part of their overall package, were then tasked to actually perform an investigation, and it happened that the very controls that those organizations should have been putting in place had failed in some way. Perhaps an MSSP that should have been monitoring systems failed in their ability to do that properly. Are they going to actually reveal that? Are they truly independent when it comes to that investigation? Are they going to give the organization that kind of clarity on the initial point of compromise, et cetera?
So it's very important to give that some consideration. And certainly we've come across many cases now where MSPs who are appointed to do the investigation part of the incident response are indeed conflicted, and they are rather opaque in helping the organization to understand what went wrong and how it went wrong.
You know, there's kind of this old joke in cybersecurity about the security professionals standing in front of the board of directors and saying, okay, we spent all this money and, congratulations, nothing happened. And the board scratches their head and says, well, why are we spending all this money? If people are investing in a retainer with an organization like yours, how do they leverage that investment proactively?
So certainly, I would say all good retainer services should provide a range of onboarding services. So this is separate from the actual incident response time that is set aside in case an incident does occur. Those onboarding activities should include, as we've already discussed, some preparatory support. We perform something called assimilation, where we sort of take a lot of time to understand a client's tech stack, what their points of contact are, which regulations apply, what their legal obligations are, etc., etc. Lots and lots of points. And so I would say a good retainer service should have some onboarding activities, maybe a risk assessment, maybe some attack surface scanning, that kind of stuff.

Then there is the investment itself into the time that may be required should an incident occur. And that time would be used at different rates, depending on the skills that would be needed should an incident occur. So you may have a different rate for a senior legal advisor, for instance, than you would for a forensic investigator. So having a way to actually make sure that that is all dealt with as part of the process.

And then thirdly, and very importantly, as you've already said, if an incident does not occur, then how is a client going to maximize their investment? And so the best process is that they should be able to see 100% of their investment, and that should be converted into the ability to undertake proactive activities. So for instance, staff awareness training, penetration testing, maybe cyber incident exercise, all of these things can actually be a way for clients to get the maximum out of their investment.
That's Neil Hare-Brown, CEO at STORM Guidance. For more information about cyber incident response retainer service provision, you can find a link in our show notes.
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit but hard for defenders to detect. This poses risk in Active Directory, Entra ID, and hybrid configurations. Identity leaders are reducing such risks with Attack Path Management. You can learn how Attack Path Management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to SpecterOps.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

And finally, in late March, MITRE marked the 25th anniversary of the CVE program, the cornerstone of global vulnerability tracking and every security pro's favorite database to grumble about while secretly relying on it daily.
For a brief, jittery moment in April, it looked like this quarter-century run might come to an abrupt, awkward end. A leaked memo revealed that the Cybersecurity and Infrastructure Security Agency had not renewed MITRE's funding contract. The memo gave everyone a very specific countdown: about 36 hours until the lights went out. Analysts, vendors, and researchers, all highly trained to manage risk, suddenly found themselves in a digital doomsday scenario. One expert said it was the 11th hour, 59th minute; it gave a doomsday feel. Then, just 17 hours later, CISA reversed course and issued an 11-month contract extension. Crisis averted. Mostly.

The near miss did more than rattle nerves. It kicked off a rapid rethink of who should control, fund, and future-proof one of the Internet's most essential public services. Enter a cast of new players. Europe's ENISA launched its own EU vulnerability database. Luxembourg's CIRCL debuted the Global CVE Allocation System, and several CVE board members introduced plans for a new CVE Foundation, a privately funded alternative aimed at global resilience and governance beyond a single U.S. agency.

That last move stirred controversy. Former CISA Director Jen Easterly publicly criticized CVE Foundation board members for secretly building a rival while still overseeing the current program, calling it a conflict of interest. Meanwhile, supporters argue that relying on a single funder, especially one with a volatile budget and shifting political winds, is just bad business. "You want resilience," said one expert, "not a cliffhanger every fiscal year."

As for MITRE, they're staying the course, grateful for the overwhelming support and committed to keeping CVE running smoothly, contract drama notwithstanding. Still, the takeaway was clear. The CVE program may be a public good, but it's not immune to bureaucratic entropy. Whether it evolves into a broader, more distributed model or continues under its current stewardship, one thing is certain: no one wants to live in a world without it.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.