CyberWire Daily - Orange you glad you didn't fall for this?
Episode Date: February 25, 2025
A hacker claims to have stolen internal documents from a major French telecommunications company. A security breach hits Russia's financial sector. Cyberattacks targeting ICS and OT surged dramatically last year. Chinese group Silver Fox is spoofing medical software. The UK Home Office's new vulnerability reporting policy risks prosecuting ethical hackers. Ransomware actors are shifting away from encryption. A sophisticated macOS malware campaign is distributing Poseidon Stealer. The LightSpy surveillance framework evolves into a cross-platform espionage tool. A Chinese botnet is targeting Microsoft 365 accounts using password spraying attacks. Our guest today is Lauren Buitta, Founder and CEO at Girl Security, discussing mentoring and intergenerational strategies. There may be a backdoor in your front door.
Selected Reading
Orange Group confirms breach after hacker leaks company documents (Bleeping Computer)
Russia warns of breach of major IT service provider LANIT serving the financial sector (Beyond Machines)
Dragos: Surge of new hacking groups enter ICS space as states collaborate with private actors (CyberScoop)
China's Silver Fox spoofs medical imaging apps to hijack patients' computers (The Register)
UK Home Office's new vulnerability reporting mechanism leaves researchers open to prosecution (The Record)
Only a Fifth of Ransomware Attacks Now Encrypt Data (Infosecurity Magazine)
Poseidon Stealer Malware Attacking Mac Users via Fake DeepSeek Site (Cyber Security News)
Exploits for unpatched Parallels Desktop flaw give root on Macs (Bleeping Computer)
LightSpy Malware Expands with 100+ Commands to Target Users Across All Major OS Platforms (GB Hackers)
Chinese Botnet Bypasses MFA in Microsoft 365 Attacks (Infosecurity Magazine)
CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability (SecurityWeek)
A single default password exposes access to dozens of apartment buildings (TechCrunch)
The CyberWire is a production of N2K Networks.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to
get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
A hacker claims to have stolen internal documents from a major French telecommunications company.
A security breach hits Russia's financial sector. Cyber attacks targeting ICS and OT
surged dramatically last year. Chinese group
Silver Fox is spoofing medical software. The UK's Home Office's new vulnerability reporting
policy risks prosecuting ethical hackers. Ransomware actors are shifting away from encryption.
A sophisticated macOS malware campaign is distributing Poseidon Stealer. The LightSpy
surveillance framework evolves into a cross-platform espionage tool.
A Chinese botnet is targeting Microsoft 365 accounts
using password spraying attacks.
Our guest today is Lauren Buitta,
founder and CEO at Girl Security,
discussing mentoring and intergenerational strategies.
And there may be a back door in your front door.
It's Tuesday, February 25, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here once again today. It is great as always to have you with us. A hacker going by the name Ray claims to have stolen 6.5 gigabytes of internal documents
from Orange Group, a major French telecommunications company and digital services provider, primarily
affecting its Romanian branch.
The breach exposed 380,000 unique email addresses, customer and employee data, invoices, contracts, and
partial payment card details.
Ray, a member of the Hellcat Ransomware Group, says they accessed Orange's systems for
over a month using compromised credentials and vulnerabilities in Jira software.
After exfiltrating data for three hours undetected, they attempted to extort
Orange but were ignored. Orange confirmed the breach affected a non-critical
back-office application stating that customer operations were unaffected. The
company is investigating and working with authorities. Ray denies that this
was a Hellcat operation, though the group has previously targeted Schneider Electric and Telefonica.
Russia's National Coordination Center for Computer Incidents has warned the country's financial sector
about a security breach at LANIT, a major IT service provider.
LANIT, Russia's largest system integrator, serves key government agencies, including
the Ministry of Defense and military-industrial complex firms like Rostec.
The attack, which occurred on February 21, affected two subsidiaries, both specializing
in banking technology, ATMs, and payment systems.
The breach could have serious implications for Russia's banking infrastructure.
Authorities have not disclosed the attack's origin, method, or impact, but the incident
suggests a potential supply chain compromise rather than a typical DDoS attack on banks.
Cyberattacks targeting industrial control systems and operational technology surged
dramatically by 87 percent in 2024,
according to cybersecurity firm Dragos. Ransomware attacks on industrial infrastructure also
increased by 60 percent, reflecting heightened geopolitical tensions involving conflicts
like Russia-Ukraine and China-Taiwan.
Experts warn that state-sponsored groups such as China's Volt Typhoon are infiltrating critical infrastructure, preparing potential
future disruptions. Volt Typhoon has notably identified strategic US targets,
including power substations critical for military deployments. Alarmingly,
non-state cybercriminals are gaining ICS expertise through collaboration with state
actors, broadening attack capabilities and risks to critical infrastructure.
The shift threatens more frequent indiscriminate attacks, as cybercriminal groups increasingly
target industrial systems for financial or disruptive objectives.
A Chinese government-backed hacking group, Silver Fox, is spoofing medical software to
infect hospital patients' computers with backdoors, keyloggers, and crypto miners, according to
Forescout's Vedere Labs.
The malware mimics Philips DICOM image viewers and other healthcare applications, tricking
victims into installing ValleyRAT,
a remote access tool.
The attack uses PowerShell commands to evade detection
and downloads encrypted payloads from Alibaba Cloud.
While targeting individuals, the malware could spread
into hospital networks through infected patient devices,
posing a major cybersecurity risk
to healthcare organizations.
The UK Home Office's new vulnerability reporting policy risks prosecuting ethical hackers,
even if they follow its guidelines, due to the Computer Misuse Act of 1990.
Unlike the Ministry of Defence, which assures researchers they won't face prosecution,
the Home Office offers no such protections, leaving them vulnerable to legal action.
The Cyber Up campaign warns that the outdated CMA criminalizes all unauthorized access,
discouraging responsible disclosure.
While other countries have modernized laws to protect researchers,
critics worry the UK's delay is harming cybersecurity resilience.
Ransomware actors are shifting away from encryption, with 80% of attacks in 2024
focusing solely on data exfiltration, which is 34% faster,
according to ReliaQuest's annual cyber threat report.
Attackers achieve lateral movement in as little as 27 minutes, leaving defenders little time
to respond.
Service accounts were compromised in 85% of breaches, often due to poor security management.
Insufficient logging was the top cause of breaches, while legitimate remote access tools
were used in two-thirds
of critical intrusions.
ReliaQuest advises AI-driven security, better monitoring, VPN security, and rapid vulnerability
patching.
Automation is now essential, they say, as attackers move faster than ever.
A sophisticated macOS malware campaign is distributing Poseidon Stealer via a fake DeepSeek
AI website, according to cybersecurity researchers.
The malware bypasses macOS Gatekeeper and harvests sensitive data, including browser
credentials, cryptocurrency wallets, and system keychains.
Attackers use malvertising to lure victims to a
counterfeit site delivering a malicious DMG file. Poseidon employs anti-analysis
techniques and exfiltrates stolen data via cURL POST requests. Security experts
recommend restricting osascript execution, using next-generation
antivirus and educating users on terminal-based threats
to mitigate the risk.
Meanwhile, a privilege escalation vulnerability in Parallels Desktop remains unpatched,
with two exploits publicly disclosed, allowing attackers to gain root access on Macs.
Security researcher Mickey Jin bypassed Parallels' previous fix for a flaw stemming
from missing code signature verification. Despite seven months of warnings, Parallels
has not addressed the issue, leaving all known versions vulnerable. Jin urges users to take
proactive security measures as attackers could exploit this in the wild.
The LightSpy surveillance framework has evolved into a cross-platform espionage tool,
now supporting over 100 commands to infiltrate Android, iOS, Windows, macOS, Linux, and routers,
according to new research.
Originally targeting messaging apps, it now focuses on stealing Facebook and Instagram database files,
exposing private messages, contacts, and metadata.
LightSpy also uses malicious plugins for keystroke logging, screen capture, and USB monitoring.
The framework's multi-OS reach and advanced evasion tactics pose a significant cyber-espionage
threat, requiring behavior-based detection strategies for effective defense.
A Chinese botnet with over 130,000 compromised devices
is targeting Microsoft 365 accounts using password spraying attacks
that bypass multi-factor authentication, according to SecurityScorecard.
The botnet exploits non-interactive sign-ins, which often go unnoticed in security logs,
allowing attackers to access emails, documents, and collaboration tools.
The campaign, linked to Chinese infrastructure, poses a major threat to financial, healthcare,
government, and tech sectors.
Attackers also risk business disruption by triggering account lockouts.
Security teams should monitor non-interactive sign-in logs to detect this evolving attack.
CISA has added an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities catalog.
The high-severity deserialization vulnerability, patched in
January, allows low privileged attackers to execute arbitrary code. While no public reports
confirm active exploitation, experts believe attackers likely use it post-initial access.
Oracle vulnerabilities, particularly WebLogic flaws, remain frequent attack targets.
Coming up after the break, my conversation with Lauren Buitta from Girl Security.
We're discussing mentoring and intergenerational strategies.
And there may be a back door in your front door.
Stay with us.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors more easily than ever with AI
tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to
specific apps, not the entire network, continuously verifying every request based on identity
and context, simplifying security management with AI-powered automation, and detecting
threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Cyber threats are more sophisticated than ever.
Passwords? They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless.
YubiKeys offer unparalleled protection against
phishing for individuals, SMBs and enterprises. They deliver a fast
frictionless experience that users love. Yubico is offering N2K followers a
limited buy one get one offer. Visit yubico.com slash N2K to unlock this deal.
That's Y-U-B-I-C-O. Say no to modern cyber threats. Upgrade your security
today.
Lauren Buitta is founder and CEO at Girl Security. I recently caught up with her for insights
on mentoring and intergenerational strategies. Girl Security is working to
advance girls and young women in the national security sector through
skills-based learning, mentorship, and professional advancement. Central to our
mission is an emphasis on educating girls about how technology is applied within the national security context.
And in addition to that work, we also create outcomes and products for the entire security sector that can uplift the entire community as well.
Well, can you give us some examples here? So for example, through an initiative that we launched about two years ago called the All Secure
Alliance, which is a group of industry leaders,
we've honed in on a number of gaps within the security
sector, specifically around building
an intergenerational workforce, where we
see an opportunity for action.
So for example, we created the first reverse mentorship
toolkit that can be used within the security sector, but really by any
industry. And the idea is to sort of flip the traditional
mentorship model where you have junior people sort of mentoring
up senior people. And we do that as a way to capture the sort of
informal knowledge transfer that occurs among
professionals in an intergenerational workforce. It's
a really popular toolkit
that we've had a lot of really positive feedback on.
And then we're working on a second tool,
which is designed to capture knowledge,
primarily from senior security leaders
that can help shape new decision-making models
for early entry career people.
Well, help me understand the intergenerational thing
where you have mid-level folks informing folks
who may be higher up.
What are the sorts of knowledge
that they're looking to transfer there?
Yeah, it's a great question.
I mean, some of it, honestly, Dave,
is just the technical knowledge
that digital native generations bring into the workforce.
Obviously using AI within the workplace
is becoming increasingly popular.
So there is that technical exchange
of having younger people mentor up senior people on how
to use those technologies.
Also, younger people's educational experiences
are different, perhaps more robust in certain sectors,
certainly within cybersecurity, where
they have a lot more training available, a lot more
formalized training,
personalized training than other generations have had.
So there's that sort of knowledge transfer
that can occur as well between younger people
in the workplace mentoring up,
where they're actively sharing lessons around leadership,
project management, communications
that senior leaders just didn't have access to
or don't have the bandwidth to continuously
sort of upscale themselves in.
And it's an efficient way of sort of building an ecosystem
of mentorship and learning.
Well, give us a little status report here.
I mean, these are challenging times for an organization
such as yours, I would imagine.
How's it going?
I would say one of the benefits that we've really never
taken for granted at Girl Security
is that the demands for our programming
have always been high.
We have consistently held a wait list
over the last six years.
In theory, we would love to be an organization
that says like, we're going to reach X number of girls
by X year, but that's just not our model.
We're really focused on supporting targeted communities
of girls and young women and gender minority youth
and showing through impact that we're securing pathways,
opportunities for them.
And so the demand has always been high.
The capacity is, you know, we always want to be bigger.
We always want to be able to do more.
And I think given the current moment, we're just seeing a further influx in interest and
demand for the programs.
So I think from a nonprofit perspective, our challenge, which is not necessarily new, is
how do we leverage systems and the communities of people we serve to design for certain efficiencies
we may need to support as many people as we can.
And what is the on-ramp like for the young women
who are looking to take advantage of the program?
First of all, what age are you looking for?
Yeah, absolutely.
So our workforce training program
starts as early as 16, 17 years old.
We have two tracks.
We have high school-based, after-school national
security clinics, and we have a virtual access option. And that is a very robust 15-week
workforce training program led by a diverse cohort of women and men in national security
that touches on things like structured analytics, economics and budgeting and finance, with a balance of professional development skills
around communications, networking, job searching, as well as basic things like building a LinkedIn
profile and resume. So that program supports about 300 fellows every year, and that's primarily
targeted with high school. We do have a small percentage of college students as well. And then our mentoring program is sort of what I describe as an overlay. It
should catch as many people as we can because it's our flagship program and it's a low,
like low operational output, high impact. And we're supporting about a thousand mentoring
relationships every year and that's ages 14 through 26.
And those programs sort of work in concert with each other because we want to see participants come into the workforce training program and complete it,
and then they can stay in the mentoring program until they're well into their career, and then if the model works as it has, they then pay back to the organization.
So it becomes this really dynamic, diffusive network of
girls and women in security. And how do you measure success?
Oh, through all sorts of different tools and tricks that we've created. We do a lot of surveying and analysis across all of our programs. We're surveying people constantly.
We're always evaluating just the programs themselves
through, for the workforce program,
skills and core competencies, measuring levels of proficiency
before and after, getting dynamic feedback from employers
and other partners who end up supporting participants
in our program, retention and re-engagement rates,
which are very high.
We just had our annual survey, and both our satisfaction, referral, retention, re-engagement
is all above 90%, actually probably closer to 97%.
And then in terms of placement into pathways for both programs, we're at about 87%, so
that means that someone who's gone through our program has secured an opportunity in
the security space.
I mean, we'd always love to get that up into the 90s as well, but, you know,
we're happy with those numbers.
Yeah, so it's a passing grade, right?
Yes, I guess so. I don't know. My son tells me all kinds of things about grade score, you know,
scoring now and I'm, I feel like I'm in the dark on purpose.
No, I'm with you. In terms of the mentors themselves, I mean, what's an ideal
candidate for someone who wants to give back here?
Oh, I love that question because our mentors represent all ages. And in fact, we usually
try to pair the youngest mentees with a younger mentor just because their experiences in education
and culture will just be closer. You know, they'll identify more closely together.
But our mentors are across the public and private sectors,
academia, national labs, STEM, civil society.
We're really just looking for people who have an
understanding of what the security sector looks like,
believes in the power of engaging young people in the sector and the promise of their contributions,
and really someone who's a great listener,
because I feel like mentorship is oftentimes less
about talking and more about listening and trying
to give really targeted responses to questions
that young people encounter on a regular basis.
So we just have such a fantastic mentoring community
and we're very fortunate.
Well, before I let you go, forgive me for perhaps putting you on the spot here,
but is there a particular story that you'd like to share,
a success story about a young woman who came through the program
and has seen some success?
Yeah, I'd love to.
There's one young woman from one of our Chicago clinics,
a young woman by the name of Araya,
who overcame a lot of obstacles
and showed up at one of our summer fellowships,
our summer fellowships are sort of a multi-day,
sort of awareness raising
before the full-on intensive workforce fellowship program.
And Araya came one summer and then she came the next summer.
And then she ended up enrolling in our workforce training program and completed that 15-week
program.
And then she decided to specialize in cybersecurity and received a scholarship to the University
of Chicago where she is currently studying cybersecurity and is engaged in the program
still.
She helped us design and implement the first White House
global convening of girls and women in cyber.
She stays involved in the mentoring program as an alumna
and is just off doing remarkable things.
So she's a more recent, but really powerful success story.
Well, Lauren, best wishes for all of your efforts here.
My personal take is that the things that you're doing here are needed more than ever, and
I really appreciate you taking the time for us here today.
Thank you for having me and creating the space for this.
I appreciate it.
That's Lauren Buitta, founder and CEO at Girl Security.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And finally, imagine if the key to your front door was published in the installation manual,
and no one bothered to change it.
That's basically what's happening with Hirsch's Enterphone MESH door access system.
A security researcher, Eric Daigle, discovered that dozens of buildings across the US and
Canada are still using the default, unchangeable-by-design password.
And yes, it's right there in the manual for anyone to find.
Hirsch's response?
That's not a bug, it's a feature.
The company insists that customers should have read the instructions and changed the
password themselves.
Many didn't.
As a result, elevators, office doors, and even entire residential buildings are just
a log-in away from unauthorized access.
The flaw now officially has a CVE number, and it's a perfect 10 on the oh no scale,
but Hirsch says they're not going to fix it.
Instead, they emailed customers a polite reminder to read the manual.
RTFM, my friends. RTFM.
And that's the CyberWire. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24/7, 365, with Black Cloak.
Learn more at blackcloak.io.