CyberWire Daily - Major breach at the US Treasury’s OCC.
Episode Date: April 9, 2025

Treasury’s OCC reports a major email breach. Patch Tuesday updates. A critical vulnerability in AWS Systems Manager (SSM) Agent allowed attackers to execute arbitrary code with root privileges. Experts urge Congress to keep strict export controls to help slow China’s progress in AI. A critical bug in WhatsApp for Windows allows malicious code execution. CISA adds multiple advisories on actively exploited vulnerabilities. Insider threat allegations rock a major Maryland medical center. Microsoft’s Ann Johnson from Afternoon Cyber Tea is joined by Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. Feds Aim to Rewrite Social Security Code in Record Time.

CyberWire Guest

In this episode of Afternoon Cyber Tea, Ann Johnson is joined by Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. You can hear the full conversation here. Be sure to catch new episodes of Afternoon Cyber Tea every other Tuesday on N2K CyberWire and your favorite podcast app.
Selected Reading

Treasury's OCC Says Hackers Had Access to 150,000 Emails (SecurityWeek)
Microsoft Fixes Over 130 CVEs in April Patch Tuesday (Infosecurity Magazine)
Vulnerabilities Patched by Ivanti, VMware, Zoom (SecurityWeek)
Fortinet Patches Critical FortiSwitch Vulnerability (SecurityWeek)
ICS Patch Tuesday: Vulnerabilities Addressed by Rockwell, ABB, Siemens, Schneider (SecurityWeek)
AWS Systems Manager Plugin Vulnerability Let Attackers Execute Arbitrary Code (Cyber Security News)
Tech experts recommend full steam ahead on US export controls for AI (CyberScoop)
Don't open that file in WhatsApp for Windows just yet (The Register)
CISA Warns of Microsoft Windows CLFS Vulnerability Exploited in Wild (Cyber Security News)
CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days (SecurityWeek)
Pharmacist accused of spying on women using work, home cams (The Register)
DOGE Plans to Rebuild SSA Code Base in Months, Risking Benefits and System Collapse (WIRED)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Secure access is crucial for U.S. public sector missions.
Ensuring that only authorized users can access certain systems, networks, or data.
Are your defenses ready?
Cisco's Security Service Edge delivers comprehensive protection for your network and users.
Experience the power of Zero Trust and secure your workforce wherever they are.
Elevate your security strategy by visiting Cisco.com slash Go.SSE.
That's C-I-S-C-O dot com slash GO slash SSE.
Treasury's OCC reports a major email breach.
We got some patch Tuesday updates.
A critical vulnerability in AWS Systems Manager Agent allowed attackers to execute arbitrary
code with root privileges.
Experts urge Congress to keep strict export controls to help slow China's progress in
AI.
A critical bug in WhatsApp for Windows allows malicious code execution.
CISA adds multiple advisories
on actively exploited vulnerabilities.
Insider threat allegations rock
a major Maryland medical center.
Microsoft's Ann Johnson from Afternoon Cyber Tea
is joined by Jack Rhysider,
the creator and host of the acclaimed podcast,
Darknet Diaries.
And Feds aim to rewrite Social Security code in record time.
It's Wednesday, April 9, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here.
It's great to have you with us as always.
The U.S. Treasury's Office of the Comptroller of the Currency, the OCC, reported a major
email breach discovered on February 12.
The incident involved unauthorized access to 103 email accounts, including those of
OCC executives and staff.
Hackers accessed around 150,000 emails dating back to May of 2023.
Some messages contained sensitive information on federally regulated banks used for oversight
and examinations.
The breach was initially flagged by Microsoft, which alerted the OCC.
While the OCC says there's no sign the wider financial sector was affected, the compromised
data is considered highly sensitive.
The attacker's identity remains unknown, but previous targeting of Treasury entities has
been linked to China-based group Silk Typhoon.
The OCC has since ended the unauthorized access and is continuing its investigation.
This month's Patch Tuesday was a heavyweight with Microsoft releasing fixes for 147 vulnerabilities,
five of them rated critical and one already being exploited in the wild.
That zero day involved a malicious proxy driver being used in targeted attacks.
Most of the bugs hit core components like Windows kernel,
Office, and Azure services.
If your org runs Microsoft infrastructure, this one's a must-do.
But the patch party didn't stop there.
Fortinet issued a fix for a critical bug in FortiSwitch.
It allows remote unauthenticated attackers
to reset admin passwords with a specially crafted request.
It's a serious threat to network integrity
and needs urgent patching.
Ivanti patched six vulnerabilities
in its endpoint manager.
One of them could let an unauthenticated user
execute a cross-site scripting attack
and gain administrative
access.
VMware also delivered updates for 47 issues in Tanzu, with 10 marked critical, and Zoom
resolved six bugs across its workplace suite.
In the industrial sector, Rockwell, Siemens, Schneider Electric, and ABB all patched ICS
vulnerabilities.
Siemens even recommended replacing a power monitoring device entirely due to security
flaws that couldn't be safely mitigated with software alone.
So don't delay and patch them if you got them.
A critical vulnerability in AWS's Systems Manager Agent allowed attackers to execute arbitrary
code with root privileges by exploiting improper input validation in the validatePluginId function.
This flaw let attackers craft malicious plugin IDs using path traversal to create and execute
unauthorized scripts in system directories.
Since the SSM Agent is widely used to manage EC2 and on-prem servers,
the risk was significant.
AWS patched the issue on March 5th after responsible disclosure in February.
Security experts advise updating immediately, validating plugin IDs,
and using safe path resolution methods like BuildSafePath.
This incident underscores that even mature cloud tools are vulnerable and highlights
the need for strict input validation and ongoing system monitoring in cloud environments.
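To make the two defensive measures in this story concrete, here is an added example (not code from the SSM Agent or from AWS) showing what "validate the plugin ID" and "resolve the path safely" look like side by side. The function names validatePluginID, buildSafePath and scriptPathForPlugin, the allow-list pattern and the orchestration directory are all hypothetical; the sample IDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Added illustration, not the SSM Agent's own code. validatePluginID,
// buildSafePath and scriptPathForPlugin are hypothetical names.

// pluginIDPattern is an allow-list: a short set of safe characters and no
// path separators, so "../" style sequences cannot get through at all.
var pluginIDPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

var (
	ErrInvalidPluginID = errors.New("plugin id contains disallowed characters")
	ErrPathEscape      = errors.New("resolved path escapes its base directory")
)

// validatePluginID rejects IDs that are empty, are "." or "..", or contain
// anything outside the allow-list.
func validatePluginID(id string) error {
	if id == "." || id == ".." || !pluginIDPattern.MatchString(id) {
		return ErrInvalidPluginID
	}
	return nil
}

// buildSafePath joins the parts under base, normalises the result, and then
// proves via filepath.Rel that it still lies inside base. This second,
// independent check is what protects callers that forgot to validate.
func buildSafePath(base string, parts ...string) (string, error) {
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(append([]string{cleanBase}, parts...)...)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return joined, nil
}

// scriptPathForPlugin is where both checks meet: validate the untrusted ID
// first, then resolve the script location with a containment check.
func scriptPathForPlugin(orchestrationDir, pluginID string) (string, error) {
	if err := validatePluginID(pluginID); err != nil {
		return "", err
	}
	return buildSafePath(orchestrationDir, pluginID, "script.sh")
}

func main() {
	// Constructed inputs: a benign ID and a traversal attempt.
	base := "/opt/example-agent/orchestration" // hypothetical directory
	for _, id := range []string{"runShellScript", "../../../etc/cron.d/x"} {
		p, err := scriptPathForPlugin(base, id)
		fmt.Printf("%-25q -> path=%q err=%v\n", id, p, err)
	}
}
```

The point of keeping both layers is that the allow-list stops bad input at the boundary, while the containment check in buildSafePath holds even if some other code path hands it an unvalidated component.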
Technology experts urged Congress to keep strict export controls on semiconductor chips
and other tech, arguing these restrictions are crucial for slowing China's progress
in AI and preserving U.S. leadership, Cyberscoop reports.
Although the U.S. has long limited China's access to advanced chips, the rise of generative
AI models from firms like DeepSeek and Alibaba
has raised doubts about the strategy's effectiveness.
Still, experts like Gregory Allen of the Center for Strategic and International Studies said
these restrictions have already limited China's AI advancement and should continue.
DeepSeek, despite its progress, still struggles with a lack of high-performance computing power,
something only US-made chips currently provide.
Experts argue that American technology
is still foundational to China's AI development,
giving the US vital leverage.
They also criticized the Biden administration's
export control rollout, saying advanced notice
allowed Chinese firms to stockpile parts.
They called for tighter, faster controls guided by deeper collaboration with tech and intelligence
sectors.
A critical bug in WhatsApp for Windows allows attackers to execute malicious code by tricking
users into opening rigged attachments. The flaw, fixed in a recent version, involves a mismatch
between MIME type and file extension. For example, an .exe file disguised as an
image could run if clicked. Though the exploit requires user interaction,
experts warn it's easy to deceive users.
Meta urges everyone to update WhatsApp and be cautious with attachments, even from familiar
contacts.
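The mismatch described in this story is the kind of thing a client can check before deciding how to open an attachment. The following is an added example (not WhatsApp's or Meta's code) that cross-checks three observable properties of a file: its extension, the MIME type the sender declared, and what the leading bytes actually look like. The extension table, the checkAttachment function and the sample file headers are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Added illustration; not WhatsApp's code. The names and table are hypothetical.

// imageExtToMIME maps the image extensions a client is willing to preview
// to the MIME type each implies.
var imageExtToMIME = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

// Verdict is what a handler would act on before choosing how to open a file.
type Verdict struct {
	Extension    string
	DeclaredMIME string
	SniffedMIME  string
	Consistent   bool
	Reason       string
}

// checkAttachment compares the name's extension, the sender-declared MIME
// type, and the content as classified by net/http's sniffer (which returns
// "application/octet-stream" for anything it cannot recognise).
func checkAttachment(filename, declaredMIME string, head []byte) Verdict {
	v := Verdict{
		Extension:    strings.ToLower(filepath.Ext(filename)),
		DeclaredMIME: strings.ToLower(declaredMIME),
		SniffedMIME:  http.DetectContentType(head),
	}
	// The sniffer may append parameters such as "; charset=utf-8"; keep the media type only.
	if i := strings.Index(v.SniffedMIME, ";"); i >= 0 {
		v.SniffedMIME = strings.TrimSpace(v.SniffedMIME[:i])
	}
	expected, knownImage := imageExtToMIME[v.Extension]
	switch {
	case !knownImage:
		v.Reason = "extension is not a previewable image type"
	case v.DeclaredMIME != expected:
		v.Reason = fmt.Sprintf("declared %s but extension implies %s", v.DeclaredMIME, expected)
	case v.SniffedMIME != expected:
		v.Reason = fmt.Sprintf("content sniffs as %s, not %s", v.SniffedMIME, expected)
	default:
		v.Consistent = true
		v.Reason = "extension, declared type and content agree"
	}
	return v
}

// Constructed sample headers: a PNG signature and a Windows PE ("MZ") header.
var (
	pngHead = []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R'}
	peHead  = []byte{'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00}
)

func main() {
	samples := []struct {
		name, mime string
		head       []byte
	}{
		{"holiday.png", "image/png", pngHead}, // genuine image
		{"holiday.exe", "image/png", peHead},  // executable declared as an image
		{"holiday.png", "image/png", peHead},  // executable renamed to look like an image
	}
	for _, s := range samples {
		v := checkAttachment(s.name, s.mime, s.head)
		fmt.Printf("%-12s consistent=%-5v %s\n", s.name, v.Consistent, v.Reason)
	}
}
```

A client that only trusts an attachment when all three properties agree would refuse to hand the second and third samples to the operating system's default handler, which is the step that turns a disguised file into code execution.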
CISA has issued an urgent call for organizations to patch two actively exploited zero-day vulnerabilities.
The first is a critical flaw in Gladinet's CentreStack cloud
server which allows remote code execution via improper handling of
cryptographic keys. Exploited since March, it was recently patched.
The second is a Windows CLFS vulnerability, a use-after-free issue in Microsoft's Common
Log File System driver that enables local privilege
escalation.
It's actively exploited by the PipeMagic malware in ransomware attacks and it was addressed
on Patch Tuesday.
CISA mandates federal agencies apply these patches by April 29.
A chilling insider threat case has rocked the University of Maryland Medical Center,
where a now former pharmacist allegedly used his access to IT systems to spy on female
clinicians for nearly a decade.
Matthew Batchelor is accused of installing spyware on over 400 hospital and home devices,
enabling him to secretly watch coworkers
breastfeeding, in intimate moments, and interacting with their families.
He reportedly used keyloggers to steal passwords, gaining access to personal
accounts and cloud storage.
Despite alerts from IT staff and suspicions of hacking, UMMC allegedly
failed to identify or stop the breach.
Victims only learned of the voyeurism through FBI investigations.
A civil lawsuit claims UMMC was negligent, violating health care security laws.
The hospital has since fired Batchelor and pledged to improve its cybersecurity, but
the damage, both emotional and
reputational, is severe. This case is a stark reminder of how dangerous insider threats
can be when detection and oversight fail.
Coming up after the break, Microsoft's Ann Johnson from the Afternoon Cyber Tea podcast
is joined by Jack Rhysider, creator and host of Darknet Diaries.
And the feds aim to rewrite social security code in record time.
Stay with us.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks
like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to Vanta.com slash cyber. That's Vanta.com slash cyber for a
thousand dollars off.
Are you frustrated with cyber risk scores backed by mysterious data, zero context and
cloudy reasoning?
Typical cyber ratings are ineffective and the true risk story is begging to be told.
It's time to cut the BS.
BlackKite believes in seeing the full picture with more than a score, one where companies
have complete clarity in their third party cyber risk using reliable, quantitative data.
Make better decisions. Reduce your uncertainty. Trust BlackKite.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the N2K CyberWire network.
In a recent episode, she was joined by Jack Rhysider, the creator and host of the acclaimed
podcast, Darknet Diaries.
Today I'm excited to welcome Jack Rhysider, the creator and host of fellow cybersecurity
podcast, Darknet Diaries.
Welcome to Afternoon Cyber Tea, Jack.
Thanks for having me.
I know you started on your own.
You had no background in podcasting.
What drove you to tell these stories and what drove you to a podcast for the medium to tell
the stories?
I wanted the show to exist and nobody really understood because I pitched it to a few podcasters.
They're like, I don't really understand
what you're talking about.
Why would anybody want old news?
We only do new news here.
And so I said, well, I guess this might be something
I have to make myself if I want to hear it
and it's not out there, I've got to make it myself.
It is maybe one of those, what is it, like overnight success
but took 10 years to make, right?
Of all the things that I tried to do,
this one is maybe one of the hardest
because with a podcast, you don't just like,
you're done and that's it, you can walk away and let it ride.
It's like every week, every day,
you've gotta go and make another one.
It's ridiculous how much work it is to just keep it going.
And I almost wish I just had like a basic SaaS app
that just generates money every month
without me having to do anything.
This is quite a lot of fun, the ride that this has taken me on.
It's a lot of work.
You know, and you're doing it on your own.
90 million downloads in less than eight years
is extraordinary.
And your humility that you're showing
is probably a lot of the reason why you're that successful,
right?
I mean, I take a lot of inspiration from people who have been successful before me.
I want to do that too.
Teach me how you got there.
And I want to join you.
I want to follow in your footsteps, right?
So that's kind of how I look at people who are more successful than me.
It's very inspiring and I want to get there as well.
So how do you go about your storytelling?
How do you make the stories relatable?
How do you decide which stories you're going to tell?
A lot of tricks that I think are interesting are
we start the story in a specific direction,
knowing that we're not going to end in that direction.
We're going to end somewhere else.
And so we have this strong, you know,
right turn or this left turn or something.
And these turns that are in the story are the critical parts.
And so there's a lot of people that just tell me a story of like, oh yeah, one day I hacked
into a company and I stole the assets that they wanted me to steal.
And I'm like, okay, great.
Where's the twist and turn?
Like, did you go to the wrong company first?
Did you hack the wrong thing first?
Did you fail the first 20 times?
That way, you know, I can pull those out in the story.
That's what I'm looking for in stories, stuff that has all these twists and turns that you
never expected us to have to switch into that or go there.
And that's what makes a good story for me.
Has a story ever challenged your perspective on the right and wrong in cybersecurity?
I think challenging my view is always interesting.
I like to pick stories that do challenge my view
because if I'm interviewing a hacker and he's like,
yeah, I hacked the police.
And I'm like, that's kind of a drug thing to do.
So I want to back up and I want to say,
okay, my first reaction is I don't like this.
My second reaction is probably similar to that.
So what's my third reaction?
Okay, my third reaction is,
I probably don't know enough about your backstory.
Tell me, what have the police done to you
as you were growing up?
Or what is your relationship with this?
Tell me about your teenage years.
And so then you start to get into this empathy situation
where you're understanding their situation
and you're like, oh, I see.
I might've done the same thing as them
if I was in this position.
And now you're practically cheering them on. Like, yeah, I feel for you, man.
Go get them.
Let's see what you got.
What happens next, right?
And so I have to kind of back up and put that context into place to give me their worldview.
Can we talk about human beings?
Human beings are a big part of cybersecurity.
They're both victims and they're also folks that perpetrate attacks.
What do you think about with the average person?
So, you know, if you can think about someone
who's not a cyber pro,
how should they be thinking about privacy
and given everything going on in the world?
I think there's this like an asymmetry here
of what we think our apps are doing
and our computers are doing versus what they are doing.
Like there's just a whole bunch of, you know, data collection,
cookie collection, monitoring, app fingerprinting, all this kind of stuff
that I don't think the average person knows.
And I think the cards are almost stacked against them to be like, you just don't.
Like we don't even want you to know that we're collecting this data.
Right.
And so we're doing extra work to keep you in the dark.
And I think that asymmetry of just how much privacy
you're losing versus knowing you're losing,
like what you think is safe isn't safe,
and what you think is private isn't private,
and all this sort of thing is growing.
And I think that's a problem.
I guess some people would become hopeless,
like, oh, my data is always gonna be in a breach or whatever.
And maybe even turn to the dark side,
like, you know what, screw it,
I'm gonna start my own ransomware company.
I think what's changed in me over time is I've realized,
wait, I do have the ability to not be impacted
by these breaches.
Obviously the breaches are gonna continue to happen,
and my data's gonna be in there, whether I like it or not,
but could I do something about that?
And I think the answer is being more private, right?
So I try to use fake names everywhere I go,
fake email address or, you know,
burner email addresses, burner phone numbers,
burner credit cards, like everything that I can possibly do
so that, okay, my data got breached, well, that's fine.
That's Sam Walters and some other phone number and address
that's not even in my state.
And so even though your data's out there,
you can still cut it off and it still has,
it gives you a bigger advantage
to what your privacy is today.
Because if somebody knows every move you're going to do
every day, that is totally different than they knew
about a couple things about you 10 years ago
because it was in a breach.
So I think that there's still some value
in cutting
it off and not giving up entirely.
You can hear more of Ann's conversation with Jack Rhysider on the Afternoon Cyber Tea podcast.
You can find that right here on the N2K Cyberwire Network and wherever you get your favorite
podcasts.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect. This poses risk in Active
Directory, Entra ID and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams
while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps. See your attack paths the way adversaries do.
And finally, what could possibly go wrong with a plan to rip out the foundation of the U.S. Social Security system in a matter
of months?
Wired looks at plans hatched by DOGE, the Department of Government Efficiency, led by
Elon Musk confidant Steve Davis.
Their mission?
Ditch COBOL, the 60-year-old programming language still powering payments to over 65 million
Americans and replace
it with something modern like Java.
Fast.
Experts are baffled.
COBOL runs the system's logic, payments, and even Social Security number assignments.
Migrating it all quickly risks unseen errors, like simply not paying people at all.
The Social Security Administration's own systems haven't been seriously updated since the
80s.
Add in a handful of young, untested engineers and a rumored AI translation plan, and you've
got a recipe for digital disaster.
Oh, and there's also a mysterious Are You Alive project rechecking beneficiaries.
So yes, massive system rewrite, AI code conversion, death audits, and benefits millions depend
on.
What could possibly go wrong?
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing,
Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities
and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at Vanguardjobs.com.