CyberWire Daily - Pennies for access.
Episode Date: February 19, 2025

Credential theft puts sensitive corporate and military networks at risk. A federal judge refuses to block DOGE from accessing sensitive federal data. New York-based Insight Partners confirms a cyber-attack. BlackLock ransomware group is on the rise. OpenSSH patches a pair of vulnerabilities. Russian threat actors are exploiting Signal’s “Linked Devices” feature. Over 12,000 GFI KerioControl firewalls remain exposed to a critical remote code execution (RCE) vulnerability. CISA issued two ICS security advisories. Federal contractors pay $11 million in cybersecurity noncompliance fines. In our CertByte segment, Chris Hare is joined by Steven Burnley to break down a question targeting the ISC2® SSCP - Systems Security Certified Practitioner exam. Sweeping cybercrime reforms are unveiled by…Russia?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment

Welcome to CertByte! On this bi-weekly segment hosted by Chris Hare, a content developer and project management specialist at N2K, we share practice questions from N2K’s suite of industry-leading certification resources. For the past 25 years, N2K's practice tests have helped more than half a million IT and cyber security professionals reach certification success. Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify.

Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.
Additional source: https://www.isc2.org/certifications/sscp

Selected Reading

Hundreds of US Military and Defense Credentials Compromised (Infosecurity Magazine)
DOGE Team Wins Legal Battle, Retains Access to Federal Data (GovInfo Security)
Musk Ally Demands Admin Access to System That Lets Government Text the Public (404 Media)
Cyber Investor Insight Partners Suffers Security Breach (Infosecurity Magazine)
BlackLock On Track to Be 2025’s Most Prolific Ransomware Group (Infosecurity Magazine)
Qualys reports two flaws in OpenSSH, one critical DDoS (Beyond Machines)
Russian phishing campaigns exploit Signal's device-linking feature (Bleeping Computer)
Over 12,000 KerioControl firewalls exposed to exploited RCE flaw (Bleeping Computer)
CISA Releases Two New ICS Advisories Exploits Following Vulnerabilities (Cyber Security News)
Managed healthcare defense contractor to pay $11 million over alleged cyber failings (The Record)
Russian Government Proposes Stricter Penalties to Tackle Cybercrime (GB Hackers)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products Platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Credential theft puts sensitive corporate and military networks at risk. A federal judge refuses to block DOGE from accessing sensitive federal data. New York-based Insight Partners confirms a cyber attack. BlackLock ransomware group is on the rise. OpenSSH patches a pair of vulnerabilities. Russian threat actors are exploiting Signal's Linked Devices feature. Over 12,000 GFI KerioControl firewalls remain exposed to a critical remote code execution vulnerability. CISA issues two ICS security advisories. Federal contractors pay 11 million dollars in cybersecurity non-compliance fines. In our CertByte segment, Chris Hare is joined by Steven Burnley to break down a question targeting the ISC2 SSCP System Security Certified Practitioner exam. And sweeping cybercrime reforms are unveiled by Russia? It's Wednesday, February 19th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today. Our CyberWire team is on location in Orlando this week at ThreatLocker's Zero Trust World 25 conference.
Sensitive corporate and military networks in the U.S. could be at risk due to widespread credential theft from infostealer malware. Research from Hudson Rock reveals cybercrime marketplaces are selling credentials from major defense contractors like Lockheed Martin and Boeing, as well as U.S. military and government agencies, sometimes for as little as $10 per log. These logs often include active session cookies, allowing attackers to bypass multi-factor authentication. Even organizations not directly infected could be compromised through their partners or vendors. Stolen credentials may expose classified systems, procurement details, and mission-critical intelligence. Experts warn this poses a major national security threat, urging immediate password resets and forensic investigations. Infostealer infections stem from phishing, malware-laden downloads, and fake apps, with over 30 million compromised computers identified in recent years.
A federal judge refused to block Elon Musk and his Department of Government Efficiency from accessing sensitive federal data, despite concerns over privacy and oversight. The lawsuit, filed by 14 state attorneys general, failed to prove imminent irreparable harm. The White House shifted its legal stance, arguing that Musk is merely a senior adviser to President Trump and not DOGE's leader. DOGE retains access to key agencies including Commerce, Energy, and Health and Human Services, and has reportedly fed financial data into AI software via Microsoft Azure. The task force has also been granted unchecked system access to young, unvetted employees. The controversy centers on Musk's influence over federal workforce reductions and AI-driven efficiency efforts, despite lacking Senate confirmation. The White House calls Musk a special government employee, while Judge Chutkan acknowledged DOGE's unpredictability but found no immediate legal basis for intervention. The White House declined to comment.

Meanwhile, a General Services Administration worker resigned in protest after Thomas Shedd, a Musk ally and head of Technology Transformation Services, requested admin access to the Notify.gov system. This platform sends mass government texts and contains personally identifiable information like phone numbers and Medicaid participation status. Shedd's request would grant him unilateral access to this sensitive data without oversight. The resigning worker warned that bypassing the authorization to operate process violates federal security policies. Other employees fear unchecked power over public data and the risk of government systems being misused for AI-driven workforce reductions. Shedd previously suggested using Login.gov for fraud tracking and replacing federal workers with AI coding agents. Employees say his actions are scary, and concerns grow that no one will stop him. GSA has not responded to requests for comment.
New York-based Insight Partners confirmed a cyberattack in January 2025 caused by what they say is a sophisticated social engineering attack. The breach was detected on January 16th, and the firm swiftly contained and remediated it. The attack did not impact operations or pose risks to portfolio companies, including major IT and cybersecurity firms like SentinelOne, Wiz, and Recorded Future. Insight has informed law enforcement and partners and is investigating the breach with cybersecurity experts. The firm manages 90 billion dollars in assets and has backed over 800 companies.

Security researchers warn of BlackLock, a rapidly growing ransomware-as-a-service group which saw a 1400% increase in data leak posts in late 2025. Expected to be 2025's most active ransomware-as-a-service group, BlackLock distinguishes itself with custom-built malware, making analysis difficult, and data leak site defenses that prevent victims from accessing stolen data, increasing ransom pressure. BlackLock operates heavily on the RAMP forum, collaborating with affiliates, developers, and initial access brokers to accelerate attacks. Unlike typical ransomware-as-a-service groups, it retains control over early attack stages by recruiting trappers, individuals who steer victims to malicious content, while higher-level developers are discreetly hired. ReliaQuest warns that BlackLock may exploit Microsoft Entra Connect to target on-premises environments. Organizations are urged to harden synchronization rules, enforce MFA, restrict RDP, and secure ESXi hosts to mitigate risks.
Qualys reported two OpenSSH vulnerabilities, both now patched in the latest version. The first is a denial of service flaw, allowing attackers to overload memory and CPU with small ping messages, potentially crashing systems. The second is a man-in-the-middle attack, affecting clients with VerifyHostKeyDNS enabled. FreeBSD had this setting on by default from 2013 through 2023. Admins should update immediately, disable VerifyHostKeyDNS, and monitor SSH traffic for anomalies.
Russian threat actors are exploiting Signal's Linked Devices feature in phishing campaigns to steal access to secure conversations. Google Threat Intelligence Group reports that state-aligned hackers, including Sandworm, have tricked victims into scanning malicious QR codes, linking their Signal accounts to attacker-controlled devices. Attackers disguised phishing pages as legitimate Signal group invites or device-pairing instructions. In some cases, modified JavaScript on fake invite pages redirected victims to link their accounts instead of joining a group. Ukrainian military personnel were targeted via a phishing kit impersonating artillery software, while WAVESIGN and Infamous Chisel malware helped extract Signal data from compromised devices. Google's Threat Intelligence Group warns this device-linking attack is hard to detect and can persist unnoticed. Users should update Signal, check linked devices, use strong passwords, be cautious with QR codes, and enable two-factor authentication for better security.
Over 12,000 GFI KerioControl firewalls remain exposed to a critical remote code execution vulnerability. First discovered in December 2024, the flaw allows one-click RCE attacks due to improper input sanitization, leading to HTTP response splitting and cross-site scripting exploits. Despite a December security update, over 23,800 instances were still vulnerable weeks later. Active exploitation attempts were detected early this year, targeting admin CSRF tokens. As of now, 12,229 firewalls remain exposed, mostly in Iran, the US, Italy, and Germany. With a public proof of concept available, even low-skilled hackers can exploit the flaw. Organizations should immediately update to the latest version, released on January 31st, for enhanced security.

CISA has issued two ICS security advisories addressing critical vulnerabilities in Delta Electronics CNCSoft-G2 and Rockwell Automation GuardLogix controllers, which are widely used in manufacturing, energy, and critical infrastructure. The one affecting Delta Electronics is a memory corruption flaw that could allow remote code execution via malicious DPAX files. Users should update and isolate networks. The one affecting Rockwell Automation has a denial of service vulnerability in CIP message processing, requiring firmware updates and network restrictions. CISA urges patching, segmentation, VPN use, and intrusion detection to secure OT environments.

Health Net Federal Services and Centene Corporation will pay 11 million dollars to settle allegations of cybersecurity non-compliance while supporting the US military's TRICARE healthcare program. Prosecutors claim that between 2015 and 2018, HNFS falsely certified compliance with federal cybersecurity standards, failing to patch vulnerabilities, enforce password policies, and secure outdated hardware and software. The settlement is part of the DOJ's Civil Cyber Fraud Initiative, launched in 2021 under the False Claims Act, which holds federal contractors accountable for cybersecurity failures. Similar penalties include Guidehouse paying $11.3 million, Penn State paying $1.25 million, and a currently pending lawsuit with Georgia Tech. DOJ officials stress that contractors handling sensitive government data must meet security obligations. Acting Assistant AG Brett Shumate warned that the DOJ will continue pursuing violations that protect national security and Americans' privacy.

Coming up after the break, Chris Hare and Steven Burnley have our weekly CertByte segment, and cybercrime reforms are unveiled by Russia. Stay with us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.

In our recurring CertByte segment, Chris Hare is joined by Steven Burnley to break down a question targeting the ISC2 SSCP System Security Certified Practitioner Exam.
Hi, everyone. It's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice test question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity, and project management. Today's question targets the ISC2 SSCP System Security Certified Practitioner Exam, which was updated on September 15th, 2024. This exam is targeted for IT admins, directors, managers, and network security professionals who have a hands-on role in operational security. I've enlisted Steven once again to join us, who is our resident ISC2 expert. Welcome, Steven, how are you today?

I'm doing great, Chris. Thanks for having me.
Absolutely. So, Steven, I understand this cert requires only one year of work experience. So does that make this exam easier when compared to the CISSP and CC?

Well, I would say actually a better description would be that it fits in between those two exams. The CC exam is an attempt by ISC2 to certify almost a million IT professionals in cybersecurity, and that's meant for students, industry professionals, executives, not as technical as the other two. The exam we're talking about today, the SSCP exam, will have more practical knowledge on it, and the CISSP, we all know, is a big capstone part of any one certification path.
All right, great, thank you for that. So we are going to be turning the tables again, and Steven, you are asking me today's question. But first, while I gather up some guts, I understand you have a 10-second study bit for this test. What do you have for us today?

Well, we just mentioned that this exam would have kind of a practical nature to it, which means it is going to have a lot of terminology and acronyms to remember. So one of the aspects of all of our study materials is a collection of flashcards. And flashcards are great for times where you need to take exams that have heavy terminology. You want to do memorization attempts on those. And also, we allow you to eventually filter out the flashcards that you already know and just study the ones that are still giving you trouble. So most of our exams include over 150 flashcards.

Excellent. That's a really awesome tip. So Steven, hit me with today's question.
All right. Well, get ready. This is a long one. An IT security manager is struggling to keep the organization's computers in working order. He's testing updates, configuring them to be installed onto systems, and making tweaks to configuration settings to various systems as business tasks require. However, you often discover systems which do not have the necessary updates or which are using out-of-date settings. This may be caused by systems being disconnected from the company network when taken into the field or used for special offline projects. Which technology should the IT security manager implement to help handle this complex issue? You don't have to have it memorized. There are four choices. Here you go. Here's your four choices.

Okay.

IEEE 802.1X, NAC, NTP synchronization, or OCSP.
Wow, Steven, this is a toughie. But I do know that this is part of Understand Network Attacks and Countermeasures that falls under Network and Communications Security Objective, correct?

It does. And I warned you about the acronym soup on this one. Now you wish you'd studied those flashcards.

Absolutely. Yes. This is going to be a challenge. So this is such a layered question with so many components. Is this typical of an SSCP question, Steven? Do they all have this lengthy of a setup?

Yes, you can't expect this type of scenario-based question. It actually makes them more like real-life scenarios.

All right. Well, thank goodness you are here to help us through it today. Okay. So first, it would help if I were familiar with these terms, and I only have light familiarity, which means the likelihood of me getting this wrong is almost 100%, because this seems like a scenario-based question, as you mentioned, which is simply more than just matching a term with its definition. Am I correct in assuming that, Steven?

Yes, exactly.

Alright, so right off the bat, the often qualifier is throwing me off. Is it safe to say that there is potentially more than one correct answer out of your options, but one is the slightly better answer?
Well, alright, let me give you some hints. All the options are protocols, but three of them are security protocols. The IEEE has to do with user authentication and access. NAC is a broad security framework that includes quarantine features. NTP has to do with clock synchronization for audits and logging, and OCSP has to do with validating digital signatures. Maybe that'll help.

I think so. That's really good context and also a great way for a student to isolate their answer choices. So given what you said against the question, which asks specifically about network systems being disconnected and not getting the necessary updates, I'm going to rule out IEEE, which is isolated to user authentication and access. You said NAC is a broad security framework that includes quarantine features, and I think you're trying to give me a hint there, so let's hold on to that one. NTP is regarding syncing clocks, which does not seem to be the issue here, and OCSP has to do with digital certs, which is not the situation that you're describing either. So I am going to go with B, NAC. Am I right?

That is correct. Excellent work. B, NAC, the network access control, should be implemented in this scenario.
When a system is determined by NAC to lack the specific configuration settings or missing a required update, the system will be quarantined. NAC quarantine is an isolation triggered by a system being out of compliance. It usually involves shifting IP address assignments to place the system in a quarantine subnet where that system is only able to access the remediation server. Quarantine remediation can be performed automatically, or it may require an administrator to perform manual operations. Once the system is brought into compliance, then it's returned to the production network. This technology ensures not only will systems have the current configuration, but also the updates that they need to interact with the production environment.

Now you're right about that IEEE 802.1X. That is a port-based network access control, which is used to leverage authentication already present in a network to validate clients connecting over hardware devices such as wireless access points or VPN connectors. The purpose of the IEEE 802.1X is to avoid the use of on-device static password authentication, which is a very weak form of authentication. The 802.1X standard allows existing multi-factor or otherwise robust network authentication to be ported or proxied for use on various hardware or software connection options.

Online Certification Status Protocol, OCSP, is a communication query system employed by modern certificate authorities to inform endpoints of the revocation status of digital certificates. OCSP enables endpoints to obtain real-time revocation status without significant bandwidth consumption. OCSP replaced an older concept known as the certificate revocation list. And the Network Time Protocol, NTP, synchronization is the means by which clocks on various systems are brought into alignment. It's essential that all internal systems have synchronized time. The synchronized time is typically synchronized to some sort of world time source. This helps to ensure that all logs and audit trails are in harmony in order to make investigations or historical research into a chronologic order of events practical and easier.
Well, that is an awesome question. And thank you so much for that detailed explanation. One thing's for sure, I would have never gotten that one right without your help. So appreciate your being here today, Steven. Are there any upcoming ISC2 or other practice tests you'd like to promote here?

Actually, I do. There is an update to the CISSP exam coming in early 2025, and we just updated the framework for the Cisco Certified Network Associate, or CCNA, exam just this past September. We're also creating a ton of more updates for Microsoft, CompTIA, and Amazon exams coming in the new year, so take a look at our website for those.

Great. Thank you so much, Steven.

Thanks for having me, Chris.
And thank you for joining me for this week's CertByte. If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com. That's C-E-R-T-B-Y-T-E at n number 2k dot com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com/certify. For more resources, including our new N2K Pro offerings, check out thecyberwire.com/pro. For sources and citations for this question, please check out our show notes. Happy certifying!

And don't forget to check out N2K's System Security Certified Practitioner Practice Test on our website.
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
This episode is brought to you by Samsung Galaxy. Ever captured a great night video only for it to be ruined by that one noisy talker? With Audio Eraser on the new Samsung Galaxy S25 Ultra, you can reduce or remove unwanted noise and relive your favorite moments without the distractions. And that's not all. New Galaxy AI features like Now Brief will give you personalized insights based on your day's schedule so that you're prepared no matter what. Buy the Samsung Galaxy S25 Ultra now at Samsung.com.

And finally, Russia has unveiled sweeping cybercrime reforms, aiming to crack down on hackers with harsher penalties, asset seizures, and even public trials. Under the new laws, hackers could face up to 15 years in prison, lose their crypto stashes, and be banned from IT jobs for a decade. Banks can freeze cyber criminals' accounts instantly, and government agencies gain expanded surveillance powers to protect citizens. Totally not for spying, of course. The plan includes public trials, which officials claim will deter crime, though critics worry they could expose security weaknesses. Meanwhile, Russia is demanding faster extraditions, a move that might strain diplomatic ties with countries hesitant to send hackers back home. Whether these measures actually reduce cybercrime or just increase state control remains to be seen, but the world is watching.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.