CyberWire Daily - No rest for the patched.
Episode Date: February 20, 2025

The CISA and FBI warn that Ghost ransomware has breached organizations in over 70 countries. President Trump announces his pick to lead the DOJ’s National Security Division. A new ransomware strain targets European healthcare organizations. Researchers uncover four critical vulnerabilities in Ivanti Endpoint Manager. Microsoft has patched a critical improper access control vulnerability in Power Pages. The NSA updates its Ghidra reverse engineering tool. A former U.S. Army soldier admits to leaking private call records. Our guest is Stephen Hilt, senior threat researcher at Trend Micro, sharing the current state of the English cyber underground market. The pentesters’ breach was simulated — their arrest was not.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Our guest is Stephen Hilt, senior threat researcher at Trend Micro, sharing the current state of the English cyber underground market. Learn more in the report.

Selected Reading

CISA and FBI: Ghost ransomware breached orgs in 70 countries (Bleeping Computer)
Trump to nominate White House insider from first term to lead DOJ’s National Security Division (The Record)
New NailaoLocker ransomware used against EU healthcare orgs (Bleeping Computer)
PoC Exploit Published for Critical Ivanti EPM Vulnerabilities (SecurityWeek)
Microsoft Patches Exploited Power Pages Vulnerability (SecurityWeek)
NSA Added New Features to Supercharge Ghidra 11.3 (Cyber Security News)
Army soldier linked to Snowflake extortion to plead guilty (The Register)
Katie Arrington Returns to Pentagon as DoD CISO (GovInfo Security)
Penetration Testers Arrested by Police During Authorized Physical Penetration Testing (Cyber Security News)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products Platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
CISA and the FBI warn that Ghost ransomware has breached organizations in over 70 countries. President Trump announces his pick to lead the DOJ's National Security Division. A new ransomware strain targets European health care organizations. Researchers uncover four critical vulnerabilities in Ivanti Endpoint Manager. Microsoft has patched a critical improper access control vulnerability in Power Pages. The NSA updates its Ghidra reverse engineering tool. A former US Army soldier admits to leaking private call records. Our guest is Stephen Hilt, senior threat researcher at Trend Micro, sharing the current state of the English cyber underground market. And the pen testers' breach was simulated. Their arrest was not.

It's Thursday, February 20, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Our CyberWire team is at the ThreatLocker Zero Trust World 25 conference in Orlando, Florida.
CISA and the FBI warn that Ghost ransomware has breached organizations in over 70 countries, targeting critical infrastructure, healthcare, government, education, technology, and manufacturing. Active since 2021, Ghost exploits outdated software vulnerabilities, including Fortinet, ColdFusion, and Exchange flaws. Ghost ransomware operators frequently change their malware, ransom notes, and email contacts, making attribution difficult. The group, also known as Cring, Crypt3r, Phantom, and others, uses publicly available exploits to infiltrate systems. Defensive measures include regular backups, prompt patching, network segmentation, and phishing-resistant MFA. Ghost attackers have previously used Mimikatz, Cobalt Strike, and CertUtil to evade detection. The advisory provides indicators of compromise and tactics to help defenders mitigate threats. Fortinet users were repeatedly warned to patch vulnerabilities, but Ghost continues to exploit them.
Former Trump White House legal adviser John Eisenberg is set to be nominated to lead the DOJ's National Security Division, which oversees terrorism, cyber espionage, and FISA surveillance. Eisenberg was a key figure in Trump's first impeachment, handling the Ukraine phone call that sparked the inquiry. He reportedly ordered the call's recording into a classified system, though he denied it. Eisenberg's nomination is highly relevant to cybersecurity, as he would oversee cybercrime investigations and foreign cyber threats. The division plays a crucial role in combating nation-state hackers, ransomware groups, and espionage operations. He's also expected to face scrutiny over FISA's Section 702, a critical foreign surveillance tool under debate for renewal. With recent leadership shakeups in the division, Eisenberg's appointment signals Trump's intent to install loyalists in key national security roles ahead of potential cyber policy shifts.
Meanwhile, Katie Arrington, a Trump ally and former DOD cybersecurity official, has been appointed as the Department of Defense Chief Information Security Officer. Her return to the Pentagon is unexpected, given her 2021 suspension over allegations of disclosing classified information, claims she disputes, arguing that Biden appointees forced her out due to her Trump ties. Arrington, previously a champion of the Cybersecurity Maturity Model Certification program, now faces major budget cuts that could hinder cyber defense initiatives. With an 8% defense budget reduction, concerns grow that cybersecurity programs may be deprioritized. Experts warn that staff cuts could threaten the implementation of CMMC, crucial for securing defense contractors. Her role is critical in advancing zero-trust security and ensuring stronger cyber hygiene practices, but funding and personnel shortages could limit progress.
A new ransomware strain, NailaoLocker, has been used in attacks against European health care organizations between June and October of last year. The attackers exploited a Check Point Security Gateway vulnerability to gain access and deploy malware linked to Chinese state-sponsored groups. Though relatively unsophisticated, NailaoLocker encrypts files with AES-256-CTR and drops a ransom note without mentioning data theft. Analysts suggest this could be a false flag, a mix of espionage and extortion, or state-backed hackers moonlighting for profit, a shift in Chinese cyber tactics.
Horizon3.ai has disclosed four critical vulnerabilities in Ivanti Endpoint Manager. These path traversal flaws, patched in January, can be exploited by unauthenticated attackers to coerce machine account credentials, enabling relay attacks that could lead to server compromise. Attackers can use these flaws to gain domain admin privileges and compromise all connected EPM clients. Ivanti initially released a patch that caused issues, followed by a second update. Organizations should install the latest fix to mitigate the risk.
Microsoft has patched a critical improper access control vulnerability in Power Pages, its low-code software-as-a-service platform for business websites. The flaw, already exploited in attacks, allows attackers to elevate privileges and bypass user registration controls. Microsoft automatically mitigated the issue and notified affected customers, advising them to review their sites for signs of compromise. No additional patch installation is needed. The company has not disclosed details on the attacks. This follows recent research on misconfigured Power Pages sites exposing sensitive data.
The NSA has released Ghidra 11.3, a major update to its open-source software reverse engineering framework, introducing advanced debugging, faster emulation, and improved integrations for cybersecurity professionals. Key enhancements include kernel-level analysis tools, cross-platform debugging, and collaborative workflows, making Ghidra even more effective for analyzing malware and vulnerabilities. The update enhances low-level debugging with TraceRmi connectors, supports macOS kernel debugging via LLDB, and improves Windows kernel analysis using Microsoft's eXDI framework. This is crucial for reverse engineering advanced persistent threats that manipulate the kernel to evade detection. Ghidra 11.3 also replaces Eclipse-based tooling with Visual Studio Code integration, accelerates p-code emulation via JIT compilation, and improves binary visualization and processor support. Security teams can now analyze modern cryptographic algorithms, IoT firmware, and complex malware more efficiently.
U.S. Army soldier Cameron John Wagenius has admitted to leaking private call records from AT&T and Verizon. He intends to plead guilty to two counts of unlawfully transferring confidential phone records without a plea deal. Prosecutors suspect Wagenius is Kiberphantom, a hacker who allegedly compromised at least 15 telecom firms and threatened to leak U.S. government call logs. Authorities also link Wagenius to a major extortion scheme involving stolen data from 150 Snowflake cloud accounts. He was allegedly recruited by Alexander "Connor" Moucka and John Binns, who extorted $2 million from AT&T, Ticketmaster, and others. After Binns' arrest, Kiberphantom threatened further leaks unless AT&T negotiated. Wagenius faces up to 20 years in prison. Moucka and Binns, arrested in Canada and Turkey, await extradition on multiple fraud and hacking charges.
Coming up after the break, my conversation with Stephen Hilt from Trend Micro. We're discussing the current state of the English cyber underground market. And the pen testers' breach was simulated. Their arrest was not. Stay with us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
Stephen Hilt is Senior Threat Researcher at Trend Micro. I recently caught up with him to discuss the current state of the English cyber underground market.
So Trend Micro actually, since 2011, has now published 49 publications where we look into the underground marketplaces. The last one, this one, would have been the 48th publication. Since then, there's been one more on the Spanish underground. But we just like to keep tabs on where the cybercriminal underground is going and, you know, everything just around the underground, so we can help protect our customers and the internet at large, just to kind of get a gauge of where everything is and what cybercriminals are trying to do.
Well, let's dig into some of the details here. I mean, in terms of operations and offerings, what are some of the significant changes you all have tracked?
Yeah, since 2015, which was the first English underground report, there actually has been a notable decline in the sales of drugs and weapons, specifically on English-speaking forums, while access as a service is dominating; like, over 50% of the threads that we observe are about access as a service. And crimeware is pretty stable there, where people are trying to buy malware, counter-AV solutions, things like that as well.
What about the activity of law enforcement? Has that had a significant influence on what you're tracking here?
Yeah, so I think that's one of the big reasons why you see drugs and weapons decline: there has been a lot of action against forums that are selling those types of things specifically. And law enforcement action obviously has helped hinder those operations. However, with that said, every time there's a forum takedown (just this week or last week, Cracked and Nulled have been taken down or disrupted in some way), even then, something's going to come in as a replacement. But it's the trust factor that guides the criminals to where they're going and whether they use it and adopt it en masse. I mean, we constantly see this after takedowns: there's a shift, a migration, of which one's going to become the next big underground marketplace or underground forum for criminals to converse on.
Yeah. So I guess it's the age-old game of whack-a-mole.
Pretty much, yes.
Yeah.
What about technological advancements? I mean, obviously everybody's talking about AI these days. Has that, as a dynamic, had an effect on these cybercriminal communities?

Absolutely. Cybercriminals are using AI technologies to help create phishing content and to help bypass security measures, as well as other things. There's been talk about criminal AI itself, which are AI technologies that criminals are trying to train to be more on the malicious side, that get around the walls on information that the platforms are trying to prevent people from getting. Like, you can't go to major AI platforms and ask it to create you malware. However, the criminal ones would allow you to do that, you know, without any of those hand brakes or anything like that involved. So yeah, AI is definitely something we're seeing an uptake in. However, it's still kind of hyped up to where it's not what, you know, the media sometimes is saying it is, but they are using it, and you can see it specifically when they're talking about how they're using it for phishing attempts, to make better use of English in those cases. So it doesn't matter where you came from. You can do a pretty good English translation with AI.
One of the things that caught my eye in the report was this idea that some of these English-speaking forums will converge with the non-English-speaking ones. Can you explain that to us?
Yeah. So the idea is that as we do more disruptions and more takedowns, we are seeing people move into other forums that become more multilingual. And that's definitely due to the intensified law enforcement actions; they've migrated into jurisdictions with more lenient regulations. The shift has led to blending English-speaking forums with other languages. On what used to be typically a Russian forum, sometimes you'll see English threads with what appears to be a native English speaker. By doing that, they're trying to converse more broadly and creating a more diverse and interconnected cybercriminal ecosystem.

Yeah.
What are the predominant goods and services that you're seeing these days on these forums?
As we mentioned earlier, Dave, access as a service is dominating for sure. And we're seeing, you know, a little bit of ransomware here and there, but cryptocurrency money laundering services, cash-outs, services to convert illicit gains into legitimate currencies, as an example. That's a lot of what we're seeing in the English forums: everyone wants their money, and how to get it out from being stolen or acquired cryptocurrency; how can I make that into real money?
One of the things the report touches on is the use of various platforms, you know, things like Telegram. How has that changed the way that these folks communicate since the last time you tracked it, almost a decade ago?
Yeah, so Telegram is definitely a new and rising platform of communication for the underground since 2015, when we originally released this English-speaking underground research. Yeah, it's grown significantly. That's a large part of it. There was a little shift last year. People are using other services such as Tox and have migrated to Signal channels as well. But Telegram is a very important piece to track of where people are communicating. And that's one of the big reasons why cybercriminals are utilizing Telegram: it's a little harder to take down that communication, easier for them to just move it into new channels. And also, they're moving into more secure communication channels, which then reduces the exposure of sensitive information, such as if they're talking about their Bitcoin addresses or emails or anything like that. Before, if you put that in an open forum, somebody could grab that, where in these more private chats, you may go under the radar for a little bit longer.
Yeah, I guess it makes it a little more challenging for law enforcement.
Yeah, that's kind of the, as we mentioned earlier, the whack-a-mole approach. Every time you hit the mole, the mole gets a little bit better at hiding itself.
Right, right.
What about globalization? I mean, these are English-speaking forums, but it seems to me like, you know, when we see takedowns, they are international efforts. Is the globalization of these groups a growing concern?
Yeah, the globalization of groups does provide more of a concern. You'll actually see some of this in cybercrime forums where they're actually trying to find English-speaking people, and it's well known that they're out of that country. They're trying to get somebody who speaks English to do the crime for them in that jurisdiction. They actually sometimes will go after teenagers, trying to get them because they know that their crime is more leniently punished. And then once they hit 18, you know, then crimes become real, especially in the United States. Not real, but more penalized. So cybercriminals are increasingly operating in jurisdictions with more lenient regulations. And then they create a diverse, interconnected network of criminals. This tends to underscore the need for a global approach to combat cybercrime and have more standardized regulations. It's very hard for people to go after known criminals that are orchestrating these crimes who are in areas where the regulations are a lot more lenient towards cybercrime.
What are the take-homes for you from this report? What do you hope that folks get out of it from reading?
It's an evolving market. The marketplace is ever evolving. Cybercrime is changing, especially with technology changing. And what was relevant 15 years ago or 10 years ago, from 2011 to today, things have evolved, except for the one thing that hasn't really evolved, which is that cybercrime itself is something that criminals are going to do. It has evolved to the point where, you know, you have these different factions of it, and it's grown from, you know, just some people on the internet and, you know, little tiny groups here and there causing problems, to very large cybercriminal organizations that are best compared to a corporation. In ransomware groups, they'll have employee of the month and HR groups and, you know, how to handle onboarding and offboarding. And it's not just people out there trying to make a little bit of money; it's people trying to make a mass amount of money, trying to do crime and trying to harm people for their own personal gains.
That's Stephen Hilt from Trend Micro. We'll have a link to their research in our show notes.

And now, a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Wealthsimple's Big Winter Bundle is our best match offer yet. Get a 2% match when you transfer over an eligible RRSP. For a $50,000 transfer, that's a $1,000 cash bonus. Enough to buy a fancy parka, a ticket to somewhere you don't need a fancy parka, or just be responsible and top up your retirement fund. Plus, move any other eligible account and we'll give you a 1% match. Minimum $15,000 transfer. Register by March 15th. Additional terms apply. Learn more at wealthsimple.com slash match.
And finally, two penetration testers from ThreatSpike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master keycard, and retrieved sensitive data, all part of an approved security assessment. But then things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work. Despite waving their authorization documents like a backstage pass at a concert, the testers were arrested and hauled in for questioning. Later, Kurt Hems reflected on the experience, saying, "Penetration tests don't always end with a report. Sometimes they end with flashing lights and handcuffs." Lesson learned? Tell law enforcement about security tests before they happen. Ironically, the security test worked. The company's response was swift, even if it resulted in unnecessary arrests.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.