CyberWire Daily - Is it cyber peace or just a buffer?
Episode Date: March 3, 2025

Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations. Ransomware actors exploit Paragon Partition Manager vulnerability. Amnesty International publishes analysis of Cellebrite exploit chain. California orders data broker to shut down for violating the Delete Act. On our Afternoon Cyber Tea segment with host Ann Johnson of Microsoft Security, Ann speaks with Igor Tsyganskiy, Microsoft's Global Chief Information Security Officer, about "The Power of Partnership in Cyber Defense." And it's the end of an era.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Afternoon Cyber Tea segment

On our monthly Afternoon Cyber Tea segment with host Ann Johnson of Microsoft Security, Ann speaks with Igor Tsyganskiy, Microsoft's Global Chief Information Security Officer, about "The Power of Partnership in Cyber Defense." Ann and Igor share an engaging conversation on the challenges and optimism driving the fight against cyber threats. To hear the full conversation on Ann's show, check out the episode here. You can catch new episodes of Afternoon Cyber Tea every other Tuesday on the N2K CyberWire network and on your favorite podcast app.

Selected Reading

Exclusive: Hegseth orders Cyber Command to stand down on Russia planning (The Record)
As Trump warms to Putin, U.S. halts offensive cyber operations against Moscow (The Washington Post)
Hegseth Orders Pentagon to Stop Offensive Cyberoperations Against Russia (The New York Times)
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (Bleeping Computer)
VU#726882 - Paragon Partition Manager contains five memory vulnerabilities within its BioNTdrv.sys driver that allow for privilege escalation and denial-of-service (DoS) attacks (Carnegie Mellon University Software Engineering Institute CERT Coordination Center)
Cellebrite zero-day exploit used to target phone of Serbian student activist (Amnesty International Security Lab)
California shuts down data broker for failing to register (The Record)
Research finds 12,000 'Live' API Keys and Passwords in DeepSeek's Training Data (Truffle Security)
Cyberattack detected at Polish space agency, minister says (Reuters)
Polish space agency confirms cyberattack (The Register)
As Skype shuts down, its legacy is end-to-end encryption for the masses (TechCrunch)

Share your feedback

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products Platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations. Ransomware actors exploit Paragon Partition Manager vulnerability. Amnesty International publishes analysis of Cellebrite exploit chain. California orders data broker to shut down for violating the Delete Act. On our Afternoon Cyber Tea segment with host Ann Johnson of Microsoft Security, Ann speaks with Igor Tsyganskiy, Microsoft's global chief information security officer, about the power of partnership in cyber defense.

Today is Monday, March 3rd, 2025. I'm Maria Varmazis, host of the T-Minus Space Daily, in for Dave Bittner. And this is your CyberWire intel briefing.

Thanks for joining us on this first Monday in March. On to today's stories.
The Record reports that U.S. Defense Secretary Pete Hegseth has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it doesn't include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current U.S. official familiar with the order as saying that the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says that the operations being halted could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations, or disrupting a site promoting anti-U.S. propaganda.

The New York Times observes that former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyber operations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the shadow war underway against the United States and its traditional allies in Europe.

The Pentagon, on its part, declined to comment on the report. A senior defense official told The Record, "...due to operational security concerns, we do not comment nor discuss cyber intelligence plans or operations. There is no greater priority to Secretary Hegseth than the safety of the warfighter in all operations, to include the cyber domain."
Researchers at Microsoft discovered five vulnerabilities affecting a driver used by Paragon Partition Manager, one of which is being exploited by ransomware actors, reports Bleeping Computer. Microsoft has observed ransomware attackers using the flaw to achieve system-level privilege escalation before executing additional malware. An advisory from the CERT Coordination Center explains, "an attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial of service scenario on the victim's machines." Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage a bring-your-own-vulnerable-driver technique to exploit systems even if Paragon Partition Manager is not installed. Paragon Software has issued patches for the flaws, and users of Partition Manager should upgrade to the latest version.
And now a follow-up story to something that we covered last week. Amnesty International has published a follow-up to its December 2024 report on the Serbian government's alleged misuse of Cellebrite's cell phone data extraction tool. Amnesty's latest report, published on Friday, outlines a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia. The report shares technical details on a sophisticated zero-day exploit chain targeting Android USB drivers developed by Cellebrite. Amnesty explains that the exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices.
The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices. Last week, Cellebrite announced that it would suspend its services in Serbia, citing Amnesty's December report.

The state of California's Privacy Protection Agency, or CPPA, last Thursday ordered a data broker to cease operations for three years for failing to register with the state, according to a report from The Record. The California Delete Act, which took effect in January 2024, requires data brokers to register with the CPPA in order to provide a mechanism through which consumers can request to have their data deleted. The broker in this case, called Background Alert, has agreed to the settlement terms. The Record notes that such a ruling against a data broker is unprecedented.
Researchers at Truffle Security found just under 12,000 valid API keys and passwords in the Common Crawl database, which is an enormous open-source repository of web data used for training AI models. The secrets included an AWS root key, live Slack webhooks, and nearly 1,500 unique MailChimp API keys. The researchers stressed that Common Crawl isn't to blame. The keys were publicly exposed because web developers hard-coded them into front-end HTML and JavaScript, and the web pages were then archived by Common Crawl.
Poland's Minister for Digitalization said yesterday that the Polish space agency's IT infrastructure sustained an unauthorized intrusion, and the agency has disconnected its network from the internet while it investigates the incident. We should note that the nature of the attack is unclear. The Register cites a source inside the agency as saying that the incident was related to an internal email compromise, and staff have been told to rely on phones instead. Stay tuned for further developments here and on our T-Minus Space Daily podcast.

Coming up after our break, Ann Johnson from Microsoft Security joins us for her monthly Afternoon Cyber Tea segment, and we click and call with an old friend.
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cyber criminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy-one-get-one offer. Visit yubico.com/N2K to unlock this deal. That's Y-U-B-I-C-O. Say no to modern cyber threats. Upgrade your security today.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Next up is our monthly Afternoon Cyber Tea podcast segment with host Ann Johnson of Microsoft Security. Today, Ann speaks with Igor Tsyganskiy, Microsoft's global chief information security officer, about the power of partnership in cyber defense. Ann and Igor discuss the challenges and optimism driving the fight against cyber threats.

Today, we are excited to welcome Igor Tsyganskiy, Microsoft Chief Information Security Officer, with a remarkable career in technology, cybersecurity, and enterprise defense. Welcome to Afternoon Cyber Tea, Igor.

Glad to be here.

You know, I talk frequently that cybersecurity is a big data problem. You talk about complex signal processing. I've also heard you say many times that attackers think in graphs and we think in lists. Can you just talk about how all that comes together to build a better defense for not just Microsoft, but for the community?
Yeah. Well, first of all, I think it takes a village, right? So at the end of the day, when one attacks, and you have to think about it as an attacker, they don't think about managerial boundaries, organizational boundaries, corporate boundaries. All they want to do is get to the target, whatever the target is, to achieve success. And it's very hard when you are on the defense side to think about defense as just my department or my company and not some other company; you kind of have to think holistically to defend. Holistic attacks require holistic defense.

But when you're thinking about what we prioritize next, can you talk a little bit about risk? How do you think about it in terms of a risk framework?
The way I think about a risk framework is we want to elevate the cost of an attack for any attackers at Microsoft, right? So at the end of the day, there's a very big difference if the attack costs a dollar, $10, a million dollars, $100 million, or a billion dollars. One of the ways to increase the cost is to do joint defense, because then you can defend on behalf of everyone and therefore you have more opportunities to increase the cost.

I work with all the leaders across the company. I would say that for every leader in the company, the notion that their product needs to be trustworthy and secure is the number one priority because it's just common sense. And so basically, from that standpoint of view, I would say it's more of a partnership and collaboration versus I need to check on someone. Not only one securely, but evolve securely.
There are industries where a product that they sell does not change for decades. You know, a bottle of water, a plastic bottle of water that about 10 years ago, maybe the same plastic bottle of water that I have today. This is not our industry. Our industry is ever evolving. Our industry is rapidly changing. Our industry is constantly growing, both on the good side, meaning the side where we add value to the world, but also on the adverse side. And so nothing is static. So you have to evolve cybersecurity practices as you evolve operational practices.

How do you think about your community and how you tap into CSOs, and what's important to you?
Well, first thing is empathy. I have a huge development job, right? Have lots of developers working for me. They just don't do cybersecurity, they do security software, parts to secure Microsoft. We have an R&D arm. We have a research arm. Many of the folks that I work with don't have that benefit. And yet, they have to protect their estates. And so having empathy, what their circumstances are, understanding what their circumstances are, and helping them is extremely important.

Now, the Internet itself and adversaries are a great equalizer. So they won't care that one company or one division is in, let's say, Europe with one set of regulatory requirements, another one is in the United States, and the third one is somewhere in Asia. And that company deals with a bunch of other companies who have a different set of regulatory requirements. What they'll do is they'll just take advantage of that. But at the end of the day, everyone is partnering to do one thing, which is protect ourselves from the bad guys. And just understanding that landscape, having empathy for all the players involved, including our attackers, is paramount.
Well, thank you, Igor, and many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.

You can catch new episodes of Afternoon Cyber Tea every other Tuesday on the N2K CyberWire Network and on your favorite podcast app.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

Oh, that is such a nostalgic sound, isn't it?
Last week, Microsoft announced that it's officially pulling the plug on Skype, with the service shutting down on May 5th officially. At this point, Skype has become more of a niche app. Back in 2023, Microsoft said it still had 36 million users, which is a huge drop from its peak of 300 million, including me and our own Dave Bittner, who, by the way, conducted all of his CyberWire interviews for this podcast via Skype back in the day. Fun fact there.

Even though Skype is fading out, its impact is still everywhere. The technology behind it helped shape the security and privacy features that protect today's most popular messaging apps. In many ways, the world is just a little bit more safe and more free because Skype's original developers pioneered ideas that set the foundation for modern encrypted communication.

Ending call.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I am your host, Maria Varmazis. Thanks for listening. We'll see you tomorrow.

And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.