CyberWire Daily - Microsoft squashes Windows Server bug.
Episode Date: April 17, 2025
Microsoft issues emergency updates for Windows Server. Apple releases emergency security updates to patch two zero-days. CISA averts a CVE program disruption. Researchers uncover Windows versions of the BrickStorm backdoor. Atlassian and Cisco patch several high-severity vulnerabilities. An Oklahoma cybersecurity CEO is charged with hacking a local hospital. A Fortune 500 financial firm reports an insider data breach. Researchers unmask IP addresses behind the Medusa Ransomware Group. CISA issues a warning following an Oracle data breach. On our Industry Voices segment, we are joined by Rob Allen, Chief Product Officer at ThreatLocker, to discuss a layered approach to zero trust. Former CISA director Chris Krebs steps down from his role at SentinelOne.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Selected Reading
New Windows Server emergency updates fix container launch issue (Bleeping Computer)
Apple fixes two zero-days exploited in targeted iPhone attacks (Bleeping Computer)
CISA Throws Lifeline to CVE Program with Last-Minute Contract Extension (Infosecurity Magazine)
MITRE Hackers' Backdoor Has Targeted Windows for Years (SecurityWeek)
Vulnerabilities Patched in Atlassian, Cisco Products (SecurityWeek)
Edmond cybersecurity CEO accused in major hack at hospital (KOCO News)
Fortune 500 firm's ex-employee exposes thousands of clients (Cybernews)
Researchers Deanonymized Medusa Ransomware Group's Onion Site (Cyber Security News)
CISA warns of potential data breaches caused by legacy Oracle Cloud leak (The Record)
Krebs Exits SentinelOne After Security Clearance Pulled (SecurityWeek)
The top 10 ThreatLocker policies for 2025 (ThreatLocker)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Microsoft issues emergency updates for Windows Server. Apple releases emergency security updates to patch two zero-days.
CISA averts a CVE program disruption.
Researchers uncover Windows versions of the BrickStorm backdoor.
Atlassian and Cisco patch several high severity vulnerabilities.
An Oklahoma cybersecurity CEO is charged with hacking a local hospital.
A Fortune 500 financial firm reports an insider data breach. Researchers unmask IP addresses behind
the Medusa ransomware group. CISA issues a warning following an Oracle data
breach. On our industry voices segment we're joined by Rob Allen, chief product
officer at ThreatLocker, to discuss a layered approach to zero trust. And former CISA director Chris Krebs steps down
from his role at SentinelOne.
It's Thursday, April 17th, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Microsoft has issued emergency updates for Windows Server to fix a bug that prevented
Windows containers from starting when using Hyper-V isolation. The problem happened when
system file versions between the container and host didn't match. This mismatch caused startup
failures. The fix ensures containers now access
the correct files from the host, improving stability and compatibility. These updates
are not available via Windows Update and must be manually downloaded from the Microsoft
Update catalog. Microsoft also shared instructions for applying the fix using the DISM tools on live systems
or installation media.
Apple has released emergency security updates to patch two zero-day vulnerabilities actively
exploited in targeted iPhone attacks.
The bugs affect iOS, macOS, iPadOS, tvOS, and visionOS. One flaw allows remote code execution via malicious audio files, while the other bypasses
pointer authentication, a key memory protection.
Apple says the attack was extremely sophisticated but offered no further details.
A wide range of devices are impacted.
Despite being targeted attacks, all users are urged to update.
This brings Apple's 2025 zero-day count to five.
CISA has extended MITRE's contract to manage the CVE and CWE programs by 11 months, averting
a disruption to the global vulnerability tracking system.
The extension followed concerns raised after MITRE disclosed the U.S. government wouldn't
renew the contract set to expire on April 16.
MITRE has managed the program for 25 years, offering critical support to cybersecurity
operations worldwide.
The abrupt funding uncertainty stemmed from broader cuts that led MITRE to
lay off hundreds of staff. In response, CISA identified emergency funding to keep operations
running.
Meanwhile, the CVE Foundation was formed to transition CVE oversight away from sole U.S.
government control. New initiatives like the Global CVE System and the EU's Vulnerability
Database aim to diversify and decentralize global vulnerability management going forward.
Research from NVISO uncovers Windows versions of the BrickStorm backdoor linked to the Chinese APT UNC5221, which was behind the MITRE attack in early 2024.
These variants, active since at least 2022, target European organizations and offer stealthy
file manipulation and network tunneling using DNS over HTTPS.
Written in Go, they use scheduled tasks for persistence and rely on stolen credentials
to abuse RDP and SMB.
The malware hides its infrastructure using public cloud services and evades detection
through encrypted, multiplexed C&C connections.
Atlassian and Cisco released patches for high severity vulnerabilities this week, some of
which could lead to remote code execution.
Atlassian addressed long-standing flaws in Bamboo, Confluence, and Jira, including denial
of service bugs and XML external entity issues.
Cisco patched security defects in Webex App, Secure Network Analytics, and Nexus Dashboard. One Webex
flaw could allow remote code execution via a crafted meeting invite. Neither
company reported active exploitation of the vulnerabilities, but users are urged
to update promptly. Jeffrey Bowie, CEO of a cybersecurity firm in Edmond, Oklahoma,
has been charged with
hacking St. Anthony Hospital, where authorities say he installed malware to secretly take
and send screenshots every 20 minutes.
Surveillance footage showed Bowie roaming hospital halls on August 6 of last year, trying
doors before accessing a staff-only computer.
He claimed he had a family member in surgery when confronted.
Former employer Alias Cybersecurity said they let Bowie go years ago over ethics concerns.
Alias CEO Donovan Farrow expressed disappointment, calling the act a stain on the cybersecurity
field.
The hospital confirmed no patient data was compromised.
Bowie was arrested after a forensic review uncovered the malware. Attempts to reach his
company failed. Ethical hacking is common in the industry, but this case appears to have crossed
legal and ethical lines. Ameriprise Financial has notified over 4,600 customers that their personal data was improperly
shared by a former advisor who left for LPL Financial between 2018 and 2020.
The company discovered the breach in January.
The ex-employee shared more customer information than allowed during the transition, including
names, addresses, emails, and phone numbers.
Ameriprise hasn't detailed if more sensitive data was leaked,
but is offering free credit monitoring to those affected.
The firm, a Fortune 500 company founded in 1894 and formerly part of American Express,
reported $17 billion in revenue last year.
Ameriprise says it has since implemented new measures to prevent similar incidents.
While this breach wasn't the result of hacking, it underscores how internal lapses can still
jeopardize customer privacy.
Researchers have unmasked the real IP address behind the Medusa ransomware group, a notorious
operation long hidden on
the Tor network.
Kovseq security experts exploited a severe vulnerability in Medusa's blog platform, used
to post stolen data, bypassing Tor's anonymity protections.
Using a server-side request forgery attack, they ran a simple command that revealed the
server's public IP.
Hosted via Selectel in Russia, the server runs Ubuntu and exposes insecure services
including OpenSSH with password login.
Medusa Locker, active since 2019, has targeted healthcare, education, and manufacturing sectors
with double-extortion
tactics. This rare technical breakthrough into a Tor hidden ransomware group offers
unprecedented visibility into its infrastructure, demonstrating how poor server security can
undermine even the most elusive cyber-criminal operations.
Federal cybersecurity officials have issued a warning following a data breach involving
Oracle where hackers accessed credentials from legacy systems.
Oracle privately notified customers in January but didn't publicly confirm the breach.
The company claimed Oracle Cloud Infrastructure wasn't impacted, though hackers accessed
usernames from two outdated servers.
The breach became public when a hacker offered stolen data from Oracle Cloud's SSO and LDAP
systems for sale online.
Cybersecurity firms confirmed 6 million records were stolen, affecting over 140,000 tenants.
The data included encrypted passwords, keys, and other sensitive information.
The hacker allegedly solicited help to decrypt the data and extorted Oracle customers. CISA
urged organizations to reset passwords, monitor logs, review code, and report incidents. Oracle
has not commented on the federal advisory.
Coming up after the break, my conversation with Rob Allen from ThreatLocker.
We're discussing a layered approach to Zero Trust.
And former CISA director Chris Krebs steps down from his role
at SentinelOne.
Stay with us.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly 9 out of 10 data breaches, and once inside,
they're after one thing, your data.
Varonis's AI-powered data security platform secures your data at scale.
Across IaaS, SaaS, and hybrid cloud environments, join thousands of organizations who trust
Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory,
Entra ID, and Hybrid configurations.
Identity leaders are reducing such risks
with Attack Path Management.
You can learn how Attack Path Management
is connecting identity and security teams
while reducing risk with BloodHound Enterprise,
powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
Rob Allen is Chief Product Officer at ThreatLocker, and on today's sponsored industry voices
segment, we discuss a layered approach to zero trust.
It's more about a layered approach to security in general than specifically to zero trust.
And by layered approach, broadly speaking, what we mean is using different strategies
or different approaches simultaneously. So an example would be, we speak to a lot of
organizations who've got layers, but they tend to be similar layers. So they might,
for example, have AV and EDR and XDR and basically everything that ends with D and R and they
think they're
well protected but fundamentally they are dependent on detection.
They are dependent on something being recognized as being bad and the problem is that nobody
knows all of the bad things because if they did there would be no such thing as ransomware.
When we talk about layers, what we talk about is different type of layers.
So yes, detection is good, detection is important, you should have detection.
But you should ideally combine detection with controls, which is fundamentally what ThreatLocker
is about.
It's about controlling what can run and what can't run, controlling what things can do,
controlling the network.
It's a different type of approach to detection, but it works very well alongside detection
and it gives you true layered security.
Are there common misconceptions out there?
When people decide, hey, we're going to go buy ourselves some Zero Trust, are there any
myths?
That's probably the biggest misconception is to think that you can go out and buy yourself
some Zero Trust because realistically Zero trust is not a single product.
It is a way of looking at things.
It's an approach.
It's a strategy.
So you can't just go out and buy yourself some zero trust.
So that's probably the biggest misconception.
The other biggest misconception is it's going to be difficult.
It's going to be hard.
It's going to get in the way. It's going to affect our business.
It doesn't need to.
One of the things we pride ourselves on is that we make this strategy,
this approach achievable, attainable to even, you know,
everything from small and medium businesses up to massive enterprises.
What about the name itself? I mean,
does zero trust actually mean no trust at all?
That's a really loaded question.
It means constantly limiting, constantly verifying.
I mean, it means allowing people to do what they need to do, but no more.
I mean, probably my favorite way of looking at it is to assume breach. So basically assume
that they're already in. They're on your network right now. They've got full, you know, administrative
privileges on one of your DCs. What can they do? Now, in the normal run of things and without
zero trust, the answer is probably going to be quite a lot. Whereas if you take that assumption, if you assume, okay,
they're in right now, what can they do? Fundamentally, everything that we do
makes sense. So, you know, blocking unknown software from running, you know,
stopping PowerShell from reaching out to the internet, that kind of stuff, it's
going to make their lives significantly more difficult.
Why is Zero Trust important at this moment,
where we find ourselves, the kinds of threat actors
that we're facing here?
What makes it an appropriate part of the toolbox?
Well, there's a few different aspects to this.
First and foremost, one thing that not just we see,
but everybody pretty much sees, is the misuse
of otherwise good applications.
So effectively what's called living off the land.
I mean, as an example, AnyDesk is a remote access tool of choice of many ransomware gangs
today.
I mean, in a lot of cases, they'll use a thing called Rclone for exfiltrating data.
Now Rclone and AnyDesk are not bad applications in themselves.
They're not malicious.
They're not malware.
So most detection is not going to pick them
up or block them.
Another example would be WinRAR or 7-Zip.
WinRAR and 7-Zip both have all of the characteristics of ransomware.
You can encrypt data with them, you can delete data with them, you can exfiltrate, you can
copy data with them.
Again, are they bad,
inherently bad applications? No, they're not. But can they be misused if a threat actor
is in your environment and has access to them? Absolutely. So that again brings us back to
why limiting things and controlling things and blocking things that are not, strictly
speaking, necessary is so important. I think most businesses are on board with the notion of assessing risk, aligning risk,
those sorts of things.
How does Zero Trust play into that?
As organizations assess their risk, as they look at their appetite for risk, how do you
dial in Zero Trust into that?
Well, obviously it very much reduces it.
I mean, I've had conversations, I've spoken to insurance companies and had fairly in-depth
conversations about, for example, things like cyber insurance and their appetite for giving
cyber insurance to companies.
And I mean, it's getting harder and harder to get things like cyber insurance today.
And it's because, I mean, I think one example they gave me was that
in, I think it was about two years ago in France, the entire cyber security, sorry,
the entire cyber insurance premium, so the number that they made or that they got paid
for cyber insurance premiums was wiped out by one cyber insurance breach.
What they had to pay out on one breach eclipsed everything they got in that year.
So it's not difficult to understand why they consider risk to be so important.
It's not difficult to understand why they're hesitant about giving things like cyber insurance
to anyone and everyone. And I did speak to them about, well, look, what can people do to make it easier to
effectively reduce the risk? And again, they basically said zero trust is very
much something that they will take into consideration. It may be the difference
between a company getting cyber insurance and not getting cyber insurance. It might
be the difference between a $10,000 premium and a $100,000 premium. So it certainly helps, and again, that's not just my opinion,
that is from speaking to those who would know. Yeah I mean it's an interesting you
know analogy I guess it's kind of like if you own a building and having the
insurance folks walking around to make sure that you have sprinklers and fire
extinguishers, right?
It's sort of a, it's a table stake sort of thing
these days, I suppose.
Yeah, no, absolutely, absolutely.
And realistically, anything you can do to risk,
to limit your exposure,
anything you can do to reduce your risk is a good thing.
What about the regulatory regimes
that folks are under these days?
I mean, we see that CISA, for example, they have their zero trust maturity model.
It seems like the feds are really on board with this.
Yeah, I mean, the executive order from a few years ago, I think it was 2021,
actually, where they basically mandated zero trust for anything to do with the federal
government was a real eye opener and something that people looked at and went, oh, oh, but maybe this is something we should be looking at too. One really interesting
example from our own perspective as to how governments and legislations can focus people's
minds is across the entire globe, our second biggest market is Australia and has been for
some time. Now, we've never
done any marketing in Australia. We don't do events in Australia. We don't do
advertising in Australia. Well, we do now, but we never did for a long time.
But the reason our second biggest market is Australia is they've got a
set of recommendations called the Essential Eight. The Essential Eight is
they've effectively narrowed down
all of the things you should do to keep yourself secure
as an organization to eight general recommendations.
And the situation is if you get hit in Australia,
if you have a data breach in Australia,
then your fine is going to be an order of magnitude bigger
if you haven't followed or don't adhere to the Essential Eight.
Now, as I said, from our perspective, it's great because it means we've got lots of customers
who need to implement allow listing.
But again, it just shows that how government can assist and guide organizations in doing
what is best for them.
How do organizations avoid checkbox compliance, though? I mean, if you've got regulatory pressure for this,
obviously you want to check that box, but that's not all you want to do. You want to go beyond that, right?
Absolutely. No, look, there is always, always, always more that you can do.
I mean we had a we did a webinar a half an hour ago and one of the people on it basically, one of the
questions was about running ThreatLocker on servers.
One of the people said that, you know, I have ThreatLocker on my servers, it's great, it
helps me sleep at night.
Now while that very much makes me happy, and it's probably the best thing any customer
can say to me is that you help me sleep at night because it tells us that we're doing
a really good job.
But at the same time, in the back of my mind, I was wondering, are you doing everything
you could be doing to protect yourself?
Yes, you're running ThreatLocker, so you're blocking unknown software from running,
but have you, for example, locked down your network?
So are you controlling what can connect to that server?
My guess would be maybe they're not.
There are always going to be other things that you can do.
There are always going to be more steps that you can take. And again, it comes back to fundamentally
zero trust not being a destination, more being a journey. You will always be able to do more and
you should always strive to do more. You mentioned that person running ThreatLocker on their servers.
What about cloud environments?
What are some of the specific challenges that folks face there?
Well, look, things like token theft are a constant concern.
Obviously, business email compromise, that kind of stuff
has been going on for years.
It's one of the things that we've tried to deal with more
recently is we've recently released a new product which is
cloud control. Azure, but using Microsoft's conditional access
in a slightly more dynamic way.
So rather than just locking your cloud resources down
to an IP address, we basically made an agent.
It's installed on people's phones.
It checks in.
It gives the IP addresses.
And those IP addresses are uploaded to Office 365
automatically.
So that's one of the things that we've done to try and make
securing cloud infrastructure easier and, and again attainable for organizations.
Well, you know, you mentioned at the outset that one of the misconceptions that people have is that this is difficult.
What are your recommendations for organizations who are looking to get started here so they don't feel overwhelmed?
Well, I mean, I suppose the first recommendation is suggesting us to start somewhere.
I mean, probably the biggest thing that we have to battle against is people's sense of,
I suppose, being overwhelmed or we don't know where to start or what are we going to do.
I mean, probably step one is what is the problem? What does it look like within my environment?
What remote access tools am I running on my computers?
Is there anything there right now that needs to concern me?
You'd be amazed at how many organizations just
have no idea what's running on their machines.
It's one of the first things that we do,
is we do effectively a full audit.
So we'll see all of the software,
we'll see all of the remote access tools you're running,
we'll see all of the potential ways for data to be exfiltrated.
And then you can start making decisions about,
are these things needed or not?
So I can see TeamViewer is installed
on 25% of our computers.
We don't use TeamViewer.
Now, look, we all know how it happens, which is at some point in the far distant past,
some third party has said, well, look, I need TeamViewer to get into your machine.
Can you install it, please?
But the problem is it gets installed and then it gets forgotten about.
So it sits there forever as a potential way into the network.
I mean, I know this is a terrible way to describe it as favorite, but one of my, in inverted
commas, favorite cyber attacks
over the last number of years was on a water treatment
facility here in Florida.
And it was described in the media as an advanced cyber
attack, and somebody got in and basically started playing
with the levels of chemicals in this water treatment
facility.
Now, as I said, it's a terrible way to, or thing to
describe as favorite, but the fact is it
was basically done, this advanced cyber attack via somebody having TeamViewer installed on
a machine in this water treatment facility.
That's Rob Allen, Chief Product Officer at ThreatLocker.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we
rely on point in time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks
like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting and helps you get
security questionnaires done five times faster with AI. Now that's a new way to
GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And finally, Chris Krebs, a respected voice in cybersecurity and former CISA director,
has stepped down from his role as SentinelOne's chief intelligence and public policy officer.
This decision follows the revocation of his security clearance and a presidential order
to review CISA's conduct during his tenure. In a heartfelt message, Krebs made it clear the resignation was his alone, saying,
This is my fight, not the company's.
Committed to defending democracy, free speech, and the rule of law, Krebs said the challenge
ahead requires his full focus.
Recognized for his integrity, Krebs led CISA from its founding in 2018 until 2020,
when he was dismissed after publicly affirming the 2020 election's security. After leaving
government, he co-founded the Krebs-Stamos Group, which was later acquired by SentinelOne.
As he steps away from SentinelOne, we commend his continued commitment to truth and integrity, and wish him well on the road ahead.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite
podcast app. Please also fill out the survey in the show notes or send an email to cyberwire
at n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Pelsman. Our executive
producer is Jennifer Iben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services
by solving complex challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing,
Vanguard offers a dynamic and collaborative environment where your ideas drive change.
With career growth opportunities and a focus on work-life balance,
you'll have the flexibility to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at VanguardJobs.com.