CyberWire Daily - PHP flaw sparks global attack wave.
Episode Date: March 10, 2025

PHP exploits are active in the wild. Security researchers discover undocumented commands in a popular Wi-Fi and Bluetooth-enabled microcontroller. The ONCD could gain influence in this second Trump administration. The Akira ransomware gang leverages an unsecured webcam. Mission, Texas declares a state of emergency following a cyberattack. The FBI and Secret Service confirm crypto-heists are linked to the 2022 LastPass breach. A popular home appliance manufacturer suffers a cyberattack. Switzerland updates reporting requirements for critical infrastructure operators. Our guest is Errol Weiss, Chief Security Officer at the Health-ISAC, who warns “the cavalry isn’t coming—why the private sector must take the lead in critical infrastructure cybersecurity.” A termination kill switch leads to potential jail time.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today, we have Errol Weiss, Chief Security Officer at the Health-ISAC, sharing his take “the cavalry isn’t coming—why the private sector must take the lead in critical infrastructure cybersecurity.”

Selected Reading
Mass Exploitation of Critical PHP Vulnerability Begins (SecurityWeek)
Undocumented commands found in Bluetooth chip used by a billion devices (Bleeping Computer)
White House cyber director’s office set for more power under Trump, experts say (The Record)
Ransomware gang encrypted network from a webcam to bypass EDR (Bleeping Computer)
Texas border city declares state of emergency after cyberattack on government systems (The Record)
Feds Link $150M Cyberheist to 2022 LastPass Hacks (Krebs on Security)
Home appliance company Presto says cyberattack causing delivery delays (The Record)
Switzerland Mandates Cyber-Attack Reporting for Critical Infrastructure (Infosecurity Magazine)
Developer sabotaged ex-employer IT systems with kill switch (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
PHP exploits are active in the wild. Security researchers discover undocumented commands
in a popular Wi-Fi and Bluetooth-enabled microcontroller. The ONCD could gain influence in this second
Trump administration. The Akira ransomware gang leverages an unsecured webcam. Mission,
Texas declares a state of emergency following a cyber attack. The FBI and Secret Service confirmed crypto heists
are linked to the 2022 LastPass breach.
A popular home appliance manufacturer suffers a cyber attack.
Switzerland updates reporting requirements
for critical infrastructure operators.
Our guest is Errol Weiss,
Chief Security Officer at the Health ISAC,
who warns the cavalry isn't coming
and why the private sector must
take the lead in critical infrastructure cybersecurity. And a termination kill switch leads to potential
jail time. It's Monday, March 10th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Happy Monday, everyone.
It is great to be back from a restful family vacation.
Thanks to Maria Vermazes for filling in on the mic for me and to our entire production
team for making it possible for me to be away without skipping a beat.
Threat actors are actively exploiting a critical PHP vulnerability to execute remote code on
Windows servers running Apache and PHP CGI with specific code page settings.
The flaw arises from PHP's failure to handle Unicode best-fit conversion properly, allowing
attackers to manipulate character sequences into PHP options.
The vulnerability was publicly disclosed in June of last year, with ransomware groups
launching attacks within days.
Cisco later reported targeted attacks on Japanese organizations across multiple sectors, using
Cobalt Strike-based tools for persistence and privilege escalation.
Now, GreyNoise warns that exploitation has gone global, with spikes in the US, UK, Singapore,
India and others.
In January of this year alone, over a thousand unique IPs attempted attacks.
Germany and China account for over 43% of malicious IPs.
All PHP versions on Windows are affected, but fixes have been released,
and users should update immediately to mitigate risks.
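As an added example, not code from the podcast, GreyNoise or the PHP project: the flaw described above (tracked as CVE-2024-4577, which the episode does not name) works because a query string with no literal "=" is handed to php-cgi as command-line arguments, and on the affected Windows code pages the soft hyphen byte 0xAD is best-fit mapped to "-", so "%ADd" reaches php-cgi as the "-d" option that can set allow_url_include and auto_prepend_file. The Python below turns that into a detection over a few constructed access-log lines. The log layout, the option letters, the directive list and the sample lines are all assumptions.

```python
"""Detect PHP-CGI argument-injection attempts in web-server access logs.

Constructed example for this page; not code from the podcast, GreyNoise or PHP.
Assumed inputs: combined-format access-log lines from a front end that hands
requests to php-cgi on Windows.  Two facts drive the check:
  1. RFC 3875 / mod_cgi: a query string with no literal '=' is passed to the
     CGI program as command-line arguments (the old "?-s" trick).
  2. On the affected Windows code pages the soft hyphen (byte 0xAD) is
     best-fit mapped to '-', so "%ADd" reaches php-cgi as "-d".
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Simplified combined-log request line (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# php-cgi options that should never arrive through a URL:
# -d set an ini directive, -s show source, -n skip php.ini, -c alternate php.ini
SOFT_HYPHEN_OPT = re.compile(rb"\xad([dsnc])")                # best-fit '-' + option
ASCII_OPT = re.compile(rb"(?:^|[+ ])-([dsnc])(?![A-Za-z])")  # plain '-' + option

# ini directives that turn a stray -d into code execution or disclosure.
DANGEROUS_DIRECTIVES = (
    b"allow_url_include",
    b"auto_prepend_file",
    b"auto_append_file",
    b"cgi.force_redirect",
    b"cgi.redirect_status_env",
    b"disable_functions",
)


def php_cgi_injection_findings(target: str) -> list[str]:
    """Findings for one request target (path plus query); empty list if clean."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    # Decode to bytes, not str: 0xAD is not valid UTF-8 on its own and would be
    # mangled by str decoding, and this also normalises %ad / %AD spellings.
    raw = unquote_to_bytes(query)
    findings: list[str] = []

    # Only a query with no literal '=' becomes argv for php-cgi.
    if "=" not in query:
        for m in SOFT_HYPHEN_OPT.finditer(raw):
            findings.append(f"soft-hyphen option -{m.group(1).decode()}")
        for m in ASCII_OPT.finditer(raw):
            findings.append(f"argv option -{m.group(1).decode()}")

    # A dangerous directive name in the query is suspicious however it got there.
    lowered = raw.lower()
    for directive in DANGEROUS_DIRECTIVES:
        if directive in lowered:
            findings.append(f"ini directive {directive.decode()}")

    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def scan_access_log(lines: list[str]) -> list[dict]:
    """Return one alert per log line that carries an injection attempt."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = php_cgi_injection_findings(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return alerts


# Constructed log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:08:15:02 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Mar/2025:08:16:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Mar/2025:08:17:44 +0000] "GET /test.php?%ads HTTP/1.1" 200 3301',
    # Soft hyphen inside ordinary form data: the literal '=' means it is not argv.
    '198.51.100.20 - - [10/Mar/2025:08:18:01 +0000] "GET /search?q=pre%ADdawn+run HTTP/1.1" 200 2048',
    # The older, unencoded form of the same argument injection.
    '203.0.113.21 - - [10/Mar/2025:08:19:30 +0000] "GET /index.php?-s HTTP/1.1" 200 3301',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ip"], alert["target"], ", ".join(alert["findings"]))
```

Decoding to bytes before matching matters: a string-level search for "%AD" misses "%ad" and double-encoded forms, and the "=" test is what keeps a soft hyphen inside ordinary form data from firing. This is a detection, not a fix; the remediation is the patched PHP builds the segment mentions, and any front-end rule that only rejects query strings starting with a soft hyphen covers the published payload shape rather than the bug.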
Security researchers have discovered undocumented commands in the ESP32 microchip,
a popular Wi-Fi and Bluetooth enabled microcontroller
used in over 1 billion devices.
These hidden commands, found by Tarlogic Security, could allow attackers to spoof trusted devices,
access unauthorized data, pivot to other devices, and establish long-term persistence.
The issue stems from 29 vendor-specific Bluetooth commands that enable memory manipulation,
MAC address spoofing, and packet injection.
These could be exploited for malicious firmware, supply chain attacks, or advanced Bluetooth-based
threats.
Espressif, the chip's manufacturer, has not publicly documented these commands, leaving
questions about whether they were intentional or an oversight.
While remote exploitation is possible, physical access poses a greater risk.
Researchers warn that compromised ESP32 chips could serve as a launch pad for persistent
cyber attacks on IoT devices, mobile phones, and even medical equipment.
Espressif has yet to comment.
The Office of the National Cyber Director is expected to gain significant influence in a second Trump administration,
fulfilling the leadership role Congress envisioned when it was created in 2021.
Sean Cairncross, a Trump loyalist with no cybersecurity background, is expected to lead
the office, bringing strong political ties that could enhance its authority over cyber
policy across the executive branch.
Experts say ONCD will take a central role, guiding both offensive cyber efforts and domestic
defense.
The NSC's cyber team, now focused on offensive cyber operations, will complement ONCD's
leadership in cyber-crisis management.
Analysts predict deregulation will be a key ONCD initiative.
With reduced cyber staffing at NSC and no Ann Neuberger-like figure,
ONCD may finally become the executive branch's primary cyber authority,
a role it struggled to achieve under Biden's administration.
The Akira ransomware gang leveraged an unsecured webcam to encrypt a victim's network,
bypassing endpoint detection and response, which had blocked their Windows encryptor.
Cybersecurity firm S-RM discovered this unconventional method during an incident response.
Akira initially gained access through an exposed remote access solution, likely via stolen
credentials or brute force attacks.
They installed AnyDesk, stole data for double
extortion and used remote desktop protocol to spread before deploying ransomware. When
EDR blocked their payload, they scanned for alternative attack vectors and found a vulnerable
Linux-based webcam. Since the webcam lacked EDR protection, they used it to mount Windows SMB network
shares and launch their Linux encryptor, successfully encrypting network files. This attack highlights
the security risks of IoT devices, emphasizing the need for network segmentation, regular
firmware updates, and stronger monitoring of non-traditional endpoints to prevent exploitation.
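As an added example that is not code from the podcast, S-RM or Akira: the webcam worked for the attackers because it could reach the file servers over SMB and nothing was watching it. The Python below turns that into a detection over a few constructed Windows Security event 5140 ("A network share object was accessed") records, flagging share access from sources that are not in the managed-endpoint inventory or sit in a segment that should never speak SMB, and sources that open many distinct shares within seconds, as an encryptor mounting shares would. The inventory, the segment list, the thresholds and the records are all assumptions.

```python
"""Flag SMB share access from hosts that should never be mounting file shares.

Constructed example for this page; not code from S-RM, Akira or Microsoft.
Input: Windows Security event 5140 records ("A network share object was
accessed") reduced to the fields the check needs.  Assumed context: an
inventory of EDR-covered endpoints and a list of network segments (cameras,
IoT, printers) that have no business reaching file servers.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed asset data; in practice pulled from the CMDB / EDR console.
MANAGED_ENDPOINTS = {"10.10.1.15", "10.10.1.22", "10.10.1.40"}
NO_SMB_SEGMENTS = [ip_network("10.50.0.0/24"),   # IP cameras
                   ip_network("10.60.0.0/24")]   # building IoT


def classify_source(src: str) -> list[str]:
    """Reasons a source address should not be touching shares; empty if none."""
    ip = ip_address(src)
    reasons = []
    if any(ip in net for net in NO_SMB_SEGMENTS):
        reasons.append("source is in a segment that should never reach SMB")
    if src not in MANAGED_ENDPOINTS:
        reasons.append("source has no EDR agent (not in managed inventory)")
    return reasons


def share_bursts(events: list[dict], window_s: int = 60, threshold: int = 3) -> dict[str, int]:
    """Sources that open >= threshold distinct shares inside any window_s window.

    An encryptor that mounts every share it can find produces this shape; a
    user opening one mapped drive does not.
    """
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["share"]))
    window = timedelta(seconds=window_s)
    bursts = {}
    for src, items in by_src.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            distinct = {share for t, share in items[i:] if t - t0 <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            bursts[src] = best
    return bursts


def suspicious_sources(events: list[dict], window_s: int = 60, threshold: int = 3) -> dict[str, list[str]]:
    """Map each suspicious source address to its list of reasons."""
    verdict: dict[str, list[str]] = {}
    for src in sorted({e["src"] for e in events}):
        reasons = classify_source(src)
        if reasons:
            verdict[src] = reasons
    for src, n in share_bursts(events, window_s, threshold).items():
        verdict.setdefault(src, []).append(f"opened {n} distinct shares within {window_s}s")
    return verdict


# Constructed 5140 records (private-range addresses), not real telemetry.
EVENTS = [
    {"time": "2025-03-07T02:14:03", "user": "svc_backup", "src": "10.10.1.15", "share": r"\\*\Backups"},
    {"time": "2025-03-07T02:21:11", "user": "jdoe", "src": "10.10.1.22", "share": r"\\*\Finance"},
    # Same account, now coming from the camera VLAN and sweeping shares.
    {"time": "2025-03-07T03:02:40", "user": "jdoe", "src": "10.50.0.37", "share": r"\\*\Finance"},
    {"time": "2025-03-07T03:02:41", "user": "jdoe", "src": "10.50.0.37", "share": r"\\*\HR"},
    {"time": "2025-03-07T03:02:43", "user": "jdoe", "src": "10.50.0.37", "share": r"\\*\Engineering"},
    {"time": "2025-03-07T03:02:45", "user": "jdoe", "src": "10.50.0.37", "share": r"\\*\Backups"},
    # Unmanaged workstation on the user LAN: worth a look, not a burst.
    {"time": "2025-03-07T03:10:00", "user": "contractor1", "src": "10.10.9.200", "share": r"\\*\Public"},
]

if __name__ == "__main__":
    for src, reasons in suspicious_sources(EVENTS).items():
        print(src, "->", "; ".join(reasons))
```

Two caveats for real use: event 5140 is only written when the File Share audit subcategory is enabled on the file server, and it is noisy on busy servers, so key the inventory lookup on the event's source address rather than the account, since here the stolen credentials were valid and the only anomaly was where they were used from. The check is only as good as the segmentation it encodes; if the camera VLAN can reach port 445 on the file servers at all, the detection fires after the mount, not before it.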
The City of Mission, Texas declared a state of emergency after a cyberattack exposed all city government data and forced systems offline.
Officials assured that emergency services remained operational, but reports suggest police lost access to state databases for license and ID checks.
Mayor Norie Gonzalez Garza urged Governor Greg Abbott to declare a statewide emergency to unlock disaster funds.
The attack, which began February 28th, is under law enforcement investigation.
Texas cities have faced multiple ransomware attacks
in recent months, disrupting hospitals, utilities,
and local governments.
Mission joins Matagorda County, McKinney,
Coppell, and Richardson in suffering cyber incidents.
Krebs on Security first reported in September 2023
that a wave of high-value crypto heists
stemmed from the 2022 LastPass breach.
Now, U.S. federal investigators confirm that a $150 million cyber heist in January 2024,
targeting Ripple co-founder Chris Larson, was executed using stolen LastPass master
passwords.
The FBI and Secret Service support Krebs' findings, stating attackers cracked poorly
secured vaults to steal victims' cryptocurrency seed phrases stored in LastPass secure notes.
$24 million in stolen funds have been seized, but thefts continue globally.
Despite mounting evidence, LastPass denies definitive links to the thefts.
Experts criticize LastPass for failing to warn users and enforce better security.
Cybersecurity experts stress that these attacks could have been prevented, and new thefts
show the threat remains active more than two years after the breach.
National Presto Industries, maker of popular home appliances like air fryers,
reported a cyberattack disrupting shipping, manufacturing, and back office functions since March 1st.
The Wisconsin-based company disclosed the incident in an SEC filing,
stating it is working to restore
operations and has notified law enforcement.
The attack's impact on Presto's military contracting division is unclear, forensic
analysis is ongoing, and no cyber criminal group has claimed responsibility.
The company warned that the breach could affect its financial performance, but has implemented temporary measures to maintain critical functions.
Starting April 1, Switzerland will require critical infrastructure operators
to report cyberattacks to the National Cybersecurity Center within 24 hours.
This mandate, part of an amendment to the Information Security Act,
applies to energy, water, transport, and government entities if an attack disrupts operations, leaks data, or involves blackmail.
Reports must be completed within 14 days, and fines may apply for non-compliance.
A grace period lasts until October 1st. Similar laws exist worldwide, including in the US, UK, EU, and Australia.
Coming up after the break, Errol Weiss from the Health ISAC warns that the cavalry isn't
coming, and a termination
kill switch leads to potential jail time.
Stay with us.
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises.
They deliver a fast, frictionless experience that users love.
Yubico is offering N2K followers a limited buy one, get one offer.
Visit yubico.com slash N2K to unlock this deal.
That's Y-U-B-I-C-O dot com slash N2K.
Say no to modern cyber threats. Upgrade your security today.
Do you know the status of your compliance controls right now like right now
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation
to evidence collection across
30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times
faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to

Errol Weiss is Chief Security Officer at the Health ISAC.
I recently sat down with him to discuss why the cavalry is not coming and why the private
sector must take the lead in critical infrastructure cybersecurity.
Ten years after 9-11, the then New York Police Department
Commissioner Ray Kelly was doing an interview with 60
Minutes.
They posed a question to him basically asking,
how could you spend billions of dollars
to protect New York City?
And they were showcasing all of the efforts
that New York City had gone through post-9-11
to protect the city, including building up a threat intelligence capability with New York police
staff deployed globally, collecting intelligence in all parts of the world.
That was just amazing. And just thinking about the money that they were spending to do that.
When the reporter asked Ray Kelly, why did you do that? His answer was basically,
I'm not relying on the federal government to protect me. I've got to do this myself.
And that really struck a chord with me back in 2011. Even after, again, I've been in a part of
this ISAC world for quite some time, going back to 1999 and the financial services ISAC, and really
seeing the onus put on the private sector,
you know, back in the mid 1990s,
through some of the history with the federal government
in terms of protecting critical infrastructure.
And I think really that quote from Ray Kelly
just cemented it for me then,
just realizing that, you know,
we cannot rely on the federal government.
And especially as administrations change,
and of course we've seen everything that's
happened already this year, we need to take proactive measures to protect critical infrastructure.
You know, and we can look back at some of the original reporting that was done
in the mid-1990s, this presidential commission on critical infrastructure where they realized that
much of the critical infrastructure was owned and operated by the private sector and so
that we needed to encourage the private sector to do something to protect it.
So what is the background and history of why this is so? I mean, why do we find
ourselves with this situation where the private sector is primarily responsible for this?
And is it this way around the world?
I don't necessarily think it's that way around the world, but again, I'll go back to the
mid-1990s when the internet was just starting to become a thing, e-commerce was starting
to explode, banks were starting to be online and providing services online to their customers.
And this again is the exact same timing when this Presidential
Commission report on critical infrastructure protection happened.
And then we see that report coming out in 1997.
And then the next year was this thing called Presidential Decision
Directive 63, 1998.
It encouraged the private sector to create these things called ISACs, Information
Sharing Analysis Centers.
And the whole idea was to encourage each critical infrastructure to create a forum where members
or companies inside that sector, inside each of those critical infrastructures, could work
with each other to share information, work to make sure that they were sharing,
collaborating with each other when it came to new threats,
new vulnerabilities, and helping each other stay safe online.
Well, as the Chief Security Officer for the Health ISAC,
let me ask you, how's it going?
So here we are like 30 years later,
almost 30 years later now, and how is it going?
Well, we've made a lot of strides since the beginning.
I remember the early days of the financial services ISAC.
It's sort of that classic comedic scene where you've turned the service on and you're sitting
back and waiting for all the action to happen, and then nothing happens.
So how do you get people to start to contribute, collaborate with each other? And there's been a lot of growing pains, a lot of lessons learned, some advances in terms of defining a way for
people to protect the information that's being shared with them. And so a few years after the
invention of the ISACs came along this thing called Traffic Light Protocol,
and it became an easy way for people to
understand what could they do
with the information that's being shared with them.
Do I have to keep it within my own company?
Can I tell anybody else?
Can I share it publicly?
So that Traffic Light Protocol helps with all of that.
That was one of the reasons why we started to see
a sudden explosion in the amount of information
that was being shared.
And then automation, when things like STIX and TAXII,
the underlying protocols about how to automatically share
threat indicators with each other,
that also helped contribute to the automated sharing.
And ultimately, I would say it's still personality driven.
It's still driven by people who understand,
who get the benefits of information sharing,
the fact that they can not only help protect their company,
but that they can also get something personally out of it, learn,
understand the technology better,
understand the vulnerabilities better,
and benefit at a personal level by learning new capability,
new threats, new ways to protect their company,
and benefit just from a professional development standpoint.
With your role at the Health ISAC,
how do you and your colleagues measure success?
Well, we're very metrics driven.
We're constantly looking at
the number of indicators that are shared,
the number of members that are sharing,
multi-way, so it's not just that we're broadcasting out all the time, that people are contributing back.
The growth in the organization,
the benefits that members are getting from us,
it's tough to measure, right?
It's tough to measure what you've prevented from happening.
Right? So it's definitely a challenge when it comes to showing positive KPIs, for example.
And I think a lot of the ways, one of the reasons why ISACs are growing and gaining in popularity
is that people can understand the non-tangible benefits that they get out of it. There's this conventional wisdom that says,
gee, from all the information that I've gleaned from this,
the crowdsourcing of information,
the better access to understand new threats,
new vulnerabilities, or even understanding
what the best practices are in the industry today.
By learning all of that from my peers and being able to
quickly gather all that and
implement that in your own environment,
I think people understand there's
some tangible value that they're getting out of it.
It's hard to put a number on it,
but I think they understand there's value.
As you look towards the future,
what are some of the aspirational goals
that you have for the organization
and where do you see ISACs going?
Yeah, I think some of the challenges that we have
is that there's still a perception
that the ISACs are a US thing,
or even I'll say worse yet,
an extension of the US government.
I mean, we're not.
Most of the ISACs are nonprofit organizations that are funded entirely by member organization
fees and other revenue and not reliant on federal government.
And I think especially this year, it becomes even more important to understand that because
of budget cuts and staff cuts that are happening.
We're not impacted by that.
We're still providing services to our members,
despite what we see happening
in the administration here today.
And I think the challenges that we see internationally
is that we also see other sovereign nations
wanting to set up their own ISACs. I think it's commendable to see activity like that, to be able to replicate that model.
But I think it's a disservice to the sectors individually because cyber threats, they don't respect international borders, right?
And so if we're seeing something happening here in the US, for example, it's probably happening in
Europe, it's probably happening in Asia Pacific as well, Australia, et cetera. They're seeing the
same cyber threats that we are, and we need to be able to quickly broadcast that information and
share it across the globe without having to have these manual steps to share it from one ISAC to another, for
example.
So, I think my goals would be to have better cross-border international information sharing
and collaboration happening on a global basis. I mean, Health ISAC, we've got members in 140 countries around the world,
but it could always be better.
And I think that if we're able to encourage those country ISACs that are being set up
to be able to connect with the infrastructure, ISAC SOCs, in a much smoother, transitional, transparent way, that would be a better service
for ultimately for their members that they're trying to serve.
You brought up a really interesting point, which is that,
you know, we're seeing a lot of transition and I think some
would say even, you know, chaos in Washington, DC right now.
And it's challenging for a lot of folks
in a lot of different positions.
And, but as you look at the partnerships
that organizations have with the federal government,
it seems to me like this informs,
is it safe to say that organizations like the Health ISAC,
they welcome participation and partnership
with federal government organizations,
but it seems to me like things like this
reinforce the fact that you can't always rely on them.
You need to have your own autonomy
because you never know what's around the next corner.
That's exactly right.
Really well said.
I mean, I think in so many ways, the ISACs
were established as this apolitical trusted
resource that's created, operated, funded
by the private sector and not necessarily
subject to the whims of one administration to the next.
And it's really so important to be able to maintain some of that
consistency, especially in times like this that we see today where, you know, to your point,
Health ISAC, we work very closely with Health and Human Services, HHS, and
CISA, for example, and who knows what's
happening in this environment right now where we've even heard that they can't talk to us,
they can't attend meetings that they normally would have attended in the past, and so we're
kind of waiting to see what happens, see what those next steps are.
So I think there's going to be a bit of a loss there when it comes to some of the collaboration and sharing that's happening between public and private sector.
But safe to say things like Health ISAC and the other ISACs will continue to operate as we normally do,
just with some of the less participation from our federal partners, unfortunately, at this time.
All right. Well, Errol, I think I have everything I need for our story here.
Is there anything I missed?
Anything I haven't asked you
that you think it's important to share?
Yeah, I think just the last thing I would point out again
has to do with sort of
that international sharing that I mentioned before.
And I worry that because of what's happening
in the administration right now,
that our foreign partners, foreign nations
are sort of losing trust in the US
and based on what's been happening
and some of the posturing that's been happening
early in this administration.
And I think ultimately it may even impact
what's happening in the cybersecurity information sharing worlds that
nations outside the US may be less inclined to participate in some of these ISACs because of
the lack of trust or the lack of
assurance that we're going to continue to work together in
a very cooperative fashion as we've done in the past.
So I'm a bit concerned about that,
but I will continue to beat the drum that we are still here operating business as
usual and looking for partners where we can
partner internationally to help our members globally.
That's Errol Weiss, Chief Security Officer at the Health ISAC.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers. I finally have peace
of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with
detailed reports so you know exactly what's been done. Take control of your data and keep your
private life private by signing up for DeleteMe. Now at a special discount for our listeners. Today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com slash N2K and use
promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K at checkout.
And finally, the story of Davis Liu, a 55-year-old software developer who took rage-quitting to a whole new level.
After working for Eaton Corporation for 12 years, Liu was demoted in 2019.
Apparently, instead of updating his resume like the rest of us, he wrote a Java-based
malware program to grind his employer's systems to a halt. His masterpiece? An infinite
loop that kept spawning threads until the system collapsed. But he didn't stop
there. Liu also coded a kill switch, charmingly named IsDLEnabledinAD,
presumably "is Davis Liu enabled in Active Directory," which locked thousands of employees out of
their accounts if he was ever fired. And he was. The feds weren't amused. After failing
to delete evidence and admitting guilt in an interview, Liu still pleaded not guilty
and lost. Now he faces up to ten years in prison, proving that revenge is best served... not
at all.

And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman. Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI
tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based
on identity and context. Simplifying security management with AI-powered automation. And
detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't
attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.