CyberWire Daily - PAN-ic mode: The race to secure PAN-OS.
Episode Date: February 18, 2025

Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited. CISA warns of an actively exploited iOS vulnerability. Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability. The acting commissioner of the Social Security Administration (SSA) resigns after Elon Musk's team sought access to sensitive personal data of millions of Americans. The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East. Proofpoint researchers document a new macOS infostealer. A new phishing kit uses timesheet notification emails to steal credentials and two-factor authentication codes. JPMorgan Chase will begin blocking Zelle payments to social media contacts to combat online scams. Our guest is Tim Starks from CyberScoop discussing his interview with former National Cyber Director Harry Coker. Transferring your digital legacy.

CyberWire Guest
Our guest is Tim Starks from CyberScoop discussing his interview with former National Cyber Director Harry Coker. You can read more about Tim's interview "National Cyber Director Harry Coker looks back (and ahead) on the Cyber Director office" and companion piece "Trump picks Sean Cairncross for national cyber director" on CyberScoop.
Selected Reading
- Palo Alto Networks Confirms Exploitation of Firewall Vulnerability (SecurityWeek)
- CISA Warns of Apple iOS Vulnerability Exploited in Wild (Cyber Security News)
- Juniper Warns of Critical Authentication Bypass Vulnerability Affecting Multiple Products (Cyber Security News)
- Top Social Security Official Leaves After Musk Team Seeks Data Access (New York Times)
- EagerBee Malware Attacking Government Entities & ISPs To Deploy Backdoor (Cyber Security News)
- Proofpoint Uncovers FrigidStealer, A New MacOS Infostealer (Infosecurity Magazine)
- Microsoft Warns of Improved XCSSET macOS Malware (SecurityWeek)
- Fake Timesheet Report Emails Linked to Tycoon 2FA Phishing Kit (GB Hackers)
- Chase will soon block Zelle payments to sellers on social media (Bleeping Computer)
- Digital Estate Planning: How to Prepare Your Social Media Accounts (New York Times)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc
Transcript
You're listening to the CyberWire Network, powered by N2K.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products Platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Palo Alto Networks confirms a recently patched firewall vulnerability is being actively exploited. CISA warns of an actively exploited iOS vulnerability. Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability. The acting commissioner of the Social Security Administration resigns after Elon Musk's team sought access to sensitive personal data of millions of Americans. The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East. Proofpoint researchers document a new macOS infostealer. A new phishing kit uses timesheet notification emails to steal credentials and two-factor authentication codes. JPMorgan Chase will begin blocking Zelle payments to social media contacts to combat online scams. Our guest is Tim Starks from CyberScoop discussing his interview with former National Cyber Director Harry Coker, and transferring your digital legacy.

It's Tuesday, February 18th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
Palo Alto Networks has confirmed that a recently patched firewall vulnerability is being actively exploited. The flaw, disclosed on February 12, allows unauthenticated attackers to bypass authentication and execute PHP scripts via the PAN-OS management interface. Threat intelligence firm GreyNoise detected exploit attempts starting February 13, with attacks originating from nearly 30 unique IPs. The vulnerability can be chained with another vulnerability for remote code execution, posing a serious risk to unpatched systems. A proof-of-concept exploit is publicly available, and researchers warn that roughly 3,500 PAN-OS management interfaces remain exposed. Palo Alto urges immediate patching, emphasizing that securing external-facing management interfaces is critical. Assetnote, which discovered the flaw, coordinated disclosure with Palo Alto, arguing transparency helps defenders track attacks rather than leaving organizations vulnerable and in the dark.
CISA has issued an urgent warning about a zero-day vulnerability in Apple iOS and iPadOS actively exploited in targeted attacks. The flaw, an authorization bypass in Apple's USB Restricted Mode, allows attackers with physical access to disable security protections on locked devices, potentially exposing sensitive data. Apple confirmed the exploit has been used in highly sophisticated attacks against high-value individuals, possibly by state-sponsored groups. The vulnerability affects a wide range of Apple devices, including iPhone XS and later models. Emergency patches were released on February 10th, and CISA urges users to update before March 5th. While no specific surveillance vendors are named, the attack methods resemble those used by firms like NSO Group. Users should update immediately and enforce physical security measures.
Juniper Networks has issued a critical security advisory for an API authentication bypass vulnerability affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to gain full administrative control by injecting spoofed JWTs, bypassing authentication checks. Attackers can exploit this flaw to modify routing policies, intercept encrypted traffic, and move laterally across networks. The vulnerability affects multiple software versions and requires network adjacency but no user interaction. Juniper discovered the issue through internal testing, with no known exploitation as of February 18. Patches are available, and cloud-managed WAN Assurance routers received automatic fixes. Organizations should apply updates immediately, audit configurations, monitor API requests, and implement network segmentation to mitigate risks. Unpatched systems pose serious threats to SD-WAN and 5G infrastructure.
Turning to Washington, Michelle King, the acting commissioner of the Social Security Administration, resigned after Elon Musk's team sought access to sensitive personal data of millions of Americans. Musk's Department of Government Efficiency has been embedding in federal agencies, claiming to root out fraud and waste. The Social Security Administration, which manages $1.5 trillion in benefits, reported $71.8 billion in improper payments from 2015 through 2022, less than 1% of total disbursements. Musk's team sought access to an internal database containing financial, employment, and medical records, raising serious privacy concerns. Former Social Security Administration Commissioner Martin O'Malley refuted Musk's claims of mass fraudulent payments, calling them baseless. Amid the controversy, Trump's nominee for Social Security Administration leadership, Frank Bisignano, awaits Senate confirmation. The White House backs Musk's broader data access initiatives.

The EagerBee malware framework is actively targeting government agencies and ISPs across the Middle East, including Saudi Arabia, the UAE, and Qatar. Linked to the Chinese-aligned APT27, the malware employs advanced backdoor capabilities through DLL hijacking and process hollowing. The UAE Cybersecurity Council urges organizations to patch Exchange servers, monitor modified DLLs, and review service configurations. Immediate memory analysis is recommended as EagerBee leaves minimal disk traces.
A new macOS malware campaign has emerged. On February 18th, Proofpoint reported the discovery of FrigidStealer, a new macOS infostealer linked to the TA569 threat group, also known as Mustard Tempest and Purple Vallhund. TA569, previously known for fake updates and SocGholish attacks, now collaborates with two new groups, TA2726 and TA2727. TA2727 recently deployed FrigidStealer alongside Windows and Android malware, while TA2726 functions as a traffic distribution service. In early 2025, Proofpoint observed TA2726 redirecting North American users to TA569 and others to TA2727, which distributed malware like Lumma Stealer, DeerStealer, and Marcher. The FrigidStealer campaign, detected in January of this year, tricked Mac users into downloading malware through fake update pages. Security experts warned that evolving collaboration among threat actors makes these campaigns increasingly sophisticated and harder to track.

Meanwhile, a new XCSSET malware variant is targeting macOS users, Microsoft reports. Originally discovered in 2020, XCSSET spreads through Apple Xcode, infecting systems when compromised projects are executed. It steals data from chat apps, injects JavaScript, takes screenshots, and encrypts files. The latest variant employs new obfuscation techniques, enhanced persistence, and novel infection methods. It randomizes payload generation, drops payloads into shell launch files, and manipulates Launchpad's dock path to execute malware. Microsoft also observed new payload injection techniques using target, rule, and forced strategy methods in Xcode projects. The malware continues to target digital wallets, notes, app data, and system files. With these upgrades, XCSSET remains a stealthy and evolving macOS threat.
Cybersecurity researchers have uncovered a phishing campaign using the Tycoon 2FA phishing kit disguised as timesheet notification emails to steal credentials and two-factor authentication codes. Attackers abuse Pinterest's redirect service to bypass security filters before leading victims to a malicious Russian-hosted site. Tycoon 2FA is evolving, now featuring obfuscated JavaScript, geofencing, and adaptive phishing forms mimicking Microsoft 365, Salesforce, and banking portals. This multi-platform credential theft suggests collaboration with ransomware groups. Threat actors increasingly exploit trusted platforms like Pinterest to evade detection, rendering traditional perimeter defenses ineffective. Experts recommend organizations implement behavior-based detection systems and strict access controls to counter these evolving threats.
JPMorgan Chase will begin blocking Zelle payments to social media contacts starting March 23 to combat a rise in online scams. Nearly 50% of reported fraud cases involving Zelle or wire transfers between June and December of last year originated on social media. Zelle, a widely used digital payment service, offers fast bank-to-bank transfers but lacks purchase protection, making it a prime target for scammers. Chase's updated policy warns that Zelle should only be used to pay trusted individuals, not social media sellers. This change follows a Consumer Financial Protection Bureau lawsuit against Zelle's operator, Early Warning Services, and three major banks, including Chase, accusing them of rushing Zelle to market without proper consumer protections. The lawsuit claims hundreds of thousands of users lost over $870 million. Chase may delay, decline, or block payments deemed high-risk and request additional transaction details to mitigate fraud risks.
Coming up after the break, Tim Starks from CyberScoop discusses his interview with former National Cyber Director Harry Coker and transferring your digital legacy. Stay with us.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash n2k, code n2k.

It is always my pleasure to welcome back to the show Tim Starks. He is senior cybersecurity reporter at CyberScoop.
Tim, welcome back.
Hey, how are you doing, Dave?
I am doing well, thanks.
I wanted to take this opportunity to kind of key off of two recent articles that you wrote for CyberScoop,
one of them more recent than the other, but I wanted to start with an interview that you did not too long ago
with Harry Coker, who is the outgoing National Cyber Director. And I thought there were some really interesting insights
that came from that interview.
I was hoping you could kind of fill us in
on some of the things you learned.
Yeah, thanks.
I talked to him just as he was about to leave office
and we really covered a huge waterfront.
I think one of the things that if you talk to enough government officials and ask them,
does your office have enough authorities?
They will always say, yes, we have enough.
But I think, you know, the fact that he was on the way out
maybe made him say, hmm, actually, maybe we probably
do need to have a little bit more of an active role.
You know, at the, there's a, it's an organization
that is a White House organization, essentially, but there's
also the National Security Council, and they have their own prerogatives and their own
powers.
And he was making the case that, hey, we're ready to take more of a lead, is what he was
saying.
He wasn't bad mouthing the NSC.
That was just one point he made.
He's like, we can take a stronger role on certain things.
And one example that he gave of something he wishes
he could have had a stronger role in was the legislation
that would have said, listen,
office of national cyber director,
you will have a leading role
in deconflicting cybersecurity regulations
and making them harmonize a little bit more closely
from agency to agency, sector to sector.
So that was an example of like a concrete way
in which I could change.
We talked about everything under the sun,
felt like everything that his office does,
and what he still thinks are the biggest outgoing threats,
what hasn't been solved, and still has to be solved more.
We could go almost anywhere with this Dave.
Well, I mean, it's a remarkable interview,
which is why I wanted to highlight it.
It's an interesting moment in time that you captured.
As you say, it's an opportunity for him
to both look back and look forward.
We touched a little bit about on the looking back,
but I'd love to dig into that a little more.
I mean, what are some of the things
that he expressed as being achievements and were there more areas
that he felt like they just sort of ran out of time
or maybe they could have done better?
Yeah, I think he was, there was a speech he gave
that kind of coincided with this.
And I think on the side of things that he thinks
that going forward still needs to happen,
and this is not
necessarily just an ONCD thing, just using the acronym for his office, there's just not enough
money going out on funds to help state, local, tribal, territorial governments. That was an area
that just, he just doesn't think there's quite enough money. And so it's not just money, but
it's also capability and personnel, all those things, of course, relate to money.
He liked the idea of ONCD teaming up
with the Office of Management and Budget
to give not just budget guidance, but guidance
direction, something a little bit more concrete to say, hey,
this is something, if you look at what we do now, that's great, but we need to be having
a more muscular role in that.
As far as stuff that he thought that they did good or that they were doing well and
could count as an accomplishment, he was of the mind that the writing of the National
Cyber Security Strategy and then implementing it, that was, you and I have talked about
that strategy numerous times and how remarkable
it was compared to other strategies.
There's a lot of work that they've done on trying to get agencies to improve secure internet
routing, trying to get memory safe coding language out there, trying to make everything
secure by design, which is something that the office,
the CISA office has done a lot of work on as well.
So there's a number of areas where he thought
they had made some concrete difference
and essentially said, yes, this office is worth having.
Beyond that, I mean, sitting across from him,
what was your impression of his state of mind?
How he was feeling about the legacy
that he leaves behind with the agency.
Yeah, he's an interesting guy that I,
I don't know how much you had talked to him before he ever,
or anybody much really had talked to him
before he took this role.
So it was a little bit of a mystery box
about what we were gonna get out of him.
I think he had a very interesting approach to things.
And his idea was we to tackle the hard problems.
And when you tackle the hard problems,
you're not always going to win.
You're not always going to get everything you want.
And he had said that repeatedly.
I want to tackle the hard problems.
I want to tackle the hard problems.
The quote at the end of the story where he talks about what
was fun in the job, he said, it was getting beaten up
with friends and colleagues trying to do the right thing.
So it's just a fascinating approach to thinking,
oh, I'm going to go through the wringer.
It's going to be a bad thing that's going to happen to me,
but it's going to be fun
because we're going to be working on it.
It's going to matter.
And I think he, you know,
I think he had a certain amount of peace of mind,
even under those circumstances.
He says, yes, I didn't win everything,
but he knew he wasn't gonna win everything.
And I think that made it so he was a little bit at peace
with whatever he got done.
Well, I'm pivoting to an article you published recently.
This is about President Trump making his choice
for national cyber director.
Who's in line here, Tim?
This is another interesting pick.
You might recall that at the time when they picked Harry Coker, he was a little bit out
of the blue.
I mean, I'd been hearing his name for a few weeks and eventually broke the story that
he was going to be the pick.
But what was interesting is that when he got picked, a lot of people said, this guy doesn't
have very much cyber experience.
And if you look at Sean Cairncross, the pick for Trump, he has almost none.
Coker had some for sure. And he worked at the NSA. He's a lifelong national security guy.
Sean had a little bit of time in the White House where he intersected with national security.
And other than that, there's just not a lot of cyber in his background.
And even national security is not necessarily cyber security.
So we don't really know the degree
to which he has cyber experience.
He worked at a, he did sort of a foundation,
he kind of fellowship job where he talked about emerging tech
and he has been an advisor to companies
that are in the tech space.
He was the chief operating officer, I think twice, at the RNC.
I'm not making this up, Dave, but when I typed his name in to the internet,
just doing basic Google-fu, I then also typed his name in and cyber,
and I got one link, one, one link.
When does that ever happen?
No, I know.
It was him saying in 2016
that a Republican congressman saying
that the RNC had been hacked was incorrect.
That's it.
So he's an interesting pick for that reason.
And if you wanna be more generous minded
about what that could mean,
I made this comparison
to my editor recently.
My editor right now, Greg Otto, is someone who has covered cybersecurity for a long time
and gets it.
But I've had editors who don't know much about cybersecurity and don't think much about it.
And they bring a different perspective.
They bring a different way of approaching the problem and approaching the way you write
stories about it. So the fact that he is an attorney by training, you can
look at that as a positive for how people go after problems. The fact that he seems
to be someone who's trusted by the Trump administration based on the fact that when they made changes
at the RNC, this was one of the guys they brought in to make those changes. And the
fact that he's going to be maybe looking at it a little bit more fresh eyes than people
who have been looking at it for a long time and are seasoned vets like me and
you, there's a potential that that could be an interesting thing. But it is noteworthy how little
cyber experience there is. And the person who's going to have what Congress intended, I almost hate
saying this phrase, but they use it a lot. One throat to choke on cyber.
The one person to go to when something was going on on cyber.
So it's fascinating that someone has
so little experience on this.
Yeah, like you said, I mean, I suppose charitably,
you could say that he has a good amount
of leadership experience that he brings to the job.
So that, and as you say, loyalty are, I think,
are priorities for this administration.
Definitely, definitely.
I, you know, if you were looking to pick somebody
with cyber experience who had loyalty,
you could find that, but they picked this man.
And I'm not denigrating or judging
or saying anything nice about the pick for that matter.
It's just, it is a fascinating dynamic
that if you look at the number of people
who served in this administration last time,
who would like to serve in this administration this time,
that do you have cyber experience
who could have taken this job on?
That exists, but instead they chose someone who,
and by the way, who also are Trump adherents,
people who like Trump and want to work for Trump.
Right.
They nonetheless pick someone here who has less experience
and you could wonder whether this means
that they're gonna de-emphasize the office.
That's another potential way to interpret this.
There's a lot of ways to interpret it.
It's one of those kind of like, you know,
Trump, kind of classic Trump curve balls of like,
okay, where did this come from?
What's this gonna lead to?
Right. And we're far
ways off from finding out what the actual goal of this was and what the outcome will
be to say the least.
Yeah. Well, as we so often like-
He's got the nomination. He's got to be Senate confirmed. There's probably going to be months
away or a month or two at minimum. So it's going to be a long ways away for us to find
out what would really go on here, I think.
Yeah. Well, as we so often like to say, time will tell.
Yes.
All right, Tim Starks is Senior Reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.

And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.

And finally, let's be honest, most of us spend more time online than in real life. But what happens to all that digital baggage when we log off for good? Estate planning usually focuses on money, property, and who gets Grandma's antique clock. But what about your social media, emails, and cloud-stored cat photos? If you don't leave instructions, your loved ones might be stuck navigating a bureaucratic nightmare of forgotten passwords and locked accounts. A handy guide from the New York Times suggests you start by creating a digital directive, a simple document outlining who gets access to your online accounts and what should happen to them. Keep your credentials in a secure password manager or an old school notebook, just don't tape it to your monitor. And don't forget to assign a legacy contact for Apple, Google, and Facebook. Because if you don't, your profile could end up as a haunting reminder or worse, a playground for hackers. So plan ahead and save your loved ones the headache.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep us a step ahead in the rapidly changing world of cybersecurity. If you liked our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.