CyberWire Daily - Salt in the wound.
Episode Date: February 13, 2025

Salt Typhoon is still at it. Russian cyber-actor Seashell Blizzard expands its reach. The EFF sues DOGE to protect federal workers' data. House Republicans pursue a comprehensive data privacy bill. ... Fortinet patches a critical vulnerability. Google views cybercrime as a national security threat. Palo Alto Networks issues 10 new security advisories. Symantec suspects a Chinese APT side hustle. Guest Jason Baker, Principal Security Consultant at GuidePoint Security, joins us to share an update on the state of ransomware. A massive IoT data breach exposes 2.7 billion records. Here come the AI agents.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's guest, Jason Baker, Principal Security Consultant at GuidePoint Security, joins us to share an update on the state of ransomware.

Selected Reading
China's Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers (WIRED)
Russian Seashell Blizzard Enlists Specialist Initial Access Subgroup to Expand Ops (Infosecurity Magazine)
EFF Leads Fight Against DOGE and Musk's Access to US Federal Workers' Data (Infosecurity Magazine)
Elon Musk and the Right Are Recasting Reporting as 'Doxxing' (New York Times)
FortiOS Vulnerability Allows Super-Admin Privilege Escalation – Patch Now! (Hackread)
Cybercrime evolving into national security threat: Google (The Record)
House Republicans launch group for comprehensive data privacy legislation (The Record)
Palo Alto Networks Patches Potentially Serious Firewall Vulnerability (SecurityWeek)
Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job (SecurityWeek)
Massive IoT Data Breach Exposes 2.7 Billion Records, Including Wi-Fi Passwords (Cyber Security News)
Are You Ready to Let an AI Agent Use Your Computer? (IEEE Spectrum)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now, at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20 percent off is to go to joindeleteme.com/n2k and enter
code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
Salt Typhoon is still at it. Russian cyber actor Seashell Blizzard expands its reach.
The EFF sues DOGE to protect federal workers' data. House Republicans pursue a comprehensive data privacy bill.
Fortinet patches a critical vulnerability.
Google views cybercrime as a national security threat.
Palo Alto Networks issues 10 new security advisories.
Symantec suspects a Chinese APT side hustle.
Our guest, Jason Baker,
Principal Security Consultant at GuidePoint Security,
joins us to share an update on the state of ransomware.
A massive IoT data breach exposes 2.7 billion records, and here come the AI agents. It's Thursday, February 13, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for joining us here today.
It is great to have you with us.
Salt Typhoon, the Chinese hacker group, has continued breaching global telecom networks
despite exposure last fall.
Cybersecurity firm Recorded Future reports that between December and January, the group
hacked five telecoms, an ISP, and over a dozen universities across multiple countries, including
the U.S.
The hackers exploited vulnerabilities in Cisco's IOS software, targeting routers and switches
to gain full control of network infrastructure. Even after U.S. government warnings, media reports, and Treasury sanctions,
Salt Typhoon remains highly active.
They're using compromised Cisco devices to establish covert communication channels and exfiltrate data.
The hackers have expanded beyond telecoms targeting universities in the U.S., Argentina, Indonesia,
and more.
Experts warn that China's cyberespionage is more aggressive than widely recognized.
Despite government efforts, the attacks persist, prompting officials to urge Americans to use
encrypted messaging apps.
Recorded Future believes the scale of Salt Typhoon's operations
is likely even larger than currently detected.
Microsoft has reported that Russian cyber actor Seashell Blizzard has enlisted a special
initial access subgroup to enhance its ability to compromise high-value global targets. This
long-running operation has expanded the
group's reach, securing persistent access to critical sectors like energy, telecom,
shipping, arms manufacturing, and government networks. Initially focused on Ukraine and
Eastern Europe, Seashell Blizzard has now extended operations to the U.S., UK, Canada, and Australia.
The subgroup exploits published vulnerabilities in remote access software, including ConnectWise
ScreenConnect and Fortinet FortiClient.
Using scanning tools and exploit kits, they breach network perimeters, then deploy RMM
software, web shells, and malicious modifications to maintain long-term access.
These techniques align with Russia's strategic cyber objectives.
Microsoft warns the group will continue innovating scalable attack methods
to support Russia's geopolitical agenda.
The Electronic Frontier Foundation is leading a lawsuit against Elon Musk's Department of
Government Efficiency, DOGE, to block its access to millions of U.S. government workers'
data. Alongside federal employee unions, the EFF filed the lawsuit on February 11 against
DOGE and the Office of Personnel Management, arguing that DOGE's access violates the Privacy Act of
1974.
DOGE, created in January to cut federal spending, allegedly gained unauthorized access to OPM's
vast employee database, which includes PII, financial, health, and classified information.
The plaintiffs demand DOGE be blocked from further access and delete any collected data.
The EFF warns that misuse of this data could lead to privacy violations, cyber threats, and political abuse.
This follows a federal ruling limiting DOGE's access to Treasury data.
Meanwhile, Elon Musk and allies are accusing journalists of doxing after reports identified
employees in his government efficiency program, DOGE.
Critics argue Musk is misusing the term to silence legitimate reporting on public officials.
The EFF and legal experts stress that government employees are not protected from public scrutiny
under the First Amendment.
Interim U.S. Attorney Ed Martin hinted at criminal charges against reporters, though
no federal anti-doxing law exists.
Wired and The Wall Street Journal reported on DOGE hires, including an official with
a history of racist posts. In response, Musk attacked reporters online while
supporters targeted them with harassment. Experts say the backlash exposes hypocrisy
as Musk and Trump allies have previously doxed federal employees. Free speech groups are
demanding clarification on legal threats against the press.
House Republicans have launched a working group to draft a comprehensive data privacy
bill led by Representative John Joyce, Republican from Pennsylvania.
The group, composed of nine Republicans and no Democrats, aims to create legislation that
can pass Congress following years of failed efforts due to disagreements
over consumer protections. With 13 states enacting their own privacy laws,
Republicans argue that a national standard is necessary to protect
Americans' rights and maintain the US's leadership in digital tech, including AI.
Industry groups have pushed for a federal law that preempts stricter state
regulations.
Fortinet has patched a critical vulnerability in its FortiOS security fabric,
which could allow attackers to escalate privileges to superadmin.
Affecting multiple FortiOS versions, the flaw stems from improper privilege assignment, making it possible for a compromised
upstream FortiGate device to grant an attacker full system control.
This could lead to widespread breaches and data theft.
Fortinet urges immediate updates, releasing patches for affected versions.
The issue was internally discovered by Fortinet's Justin Loam.
Google's latest cybersecurity report warns that cybercrime has become a national security threat,
increasingly exploited by state-backed groups like those from Russia, China, Iran, and North Korea.
The report, released ahead of the Munich Security Conference,
reveals that while financially
motivated attacks outnumbered state-sponsored ones, the two are now deeply intertwined.
Governments leverage cybercriminals for tools, talent, and even full-scale operations.
Ransomware gangs have shifted focus to Ukraine, and Chinese and Iranian espionage groups supplement
their activities with cybercrime.
North Korea is notorious for cryptocurrency theft and covert IT worker schemes.
Despite growing threats, cybercrime gets less attention than state-backed hacking.
Google stresses international cooperation is needed to combat it.
Healthcare is especially vulnerable, with ransomware attacks worsening patient outcomes
and data leaks in the sector doubling in three years.
Palo Alto Networks has issued 10 new security advisories, including a high severity vulnerability
in PAN-OS that allows unauthenticated attackers to bypass authentication via the firewall's
management interface.
While it doesn't enable remote code execution, it could impact system integrity and confidentiality.
Patches and mitigations are available, with risk reduced by restricting access to trusted
IPs.
Another high-severity flaw involves command injection but requires admin privileges.
Additional advisories address Cortex XDR agent and PAN-OS vulnerabilities, none of which
have been exploited in the wild.
A ransomware attack using tools typically linked to Chinese cyber-espionage groups was
likely carried out by an individual
hacker, according to Symantec.
The attack leveraged a Toshiba executable to sideload a malicious DLL, deploying a PlugX
backdoor, previously used only by Mustang Panda, a Chinese APT group.
From July 2024 through January of this year, PlugX was used in espionage attacks targeting
governments in southeastern Europe and Southeast Asia.
However, in November of 2024, the same toolset was used in an extortion attack against a
South Asian software firm.
The attacker exploited a Palo Alto Networks firewall vulnerability for access, stole Amazon
S3 credentials, and deployed RA World ransomware. Symantec suggests the attacker was an insider
monetizing espionage tools, though they may have ties to Bronze Starlight, also known as Emperor Dragonfly, a Chinese-based APT known for using ransomware
as a decoy.
A massive IoT data breach exposed 2.7 billion records containing Wi-Fi passwords, IP addresses,
and device identifiers linked to Mars Hydro, a China-based grow light manufacturer, and LG LED Solutions
Limited, a California-registered firm.
Discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, the 1.17
terabyte unprotected database was publicly accessible without encryption or authentication.
It contains plaintext Wi-Fi SSIDs and passwords, device MAC addresses, API tokens, and error
logs.
The data appears tied to Mars Hydro's Mars Pro app, which controls IoT grow lights, despite
its privacy policy claiming no user data collection.
Fowler alerted LG LED and Mars Hydro, leading to rapid restriction of access, but it remains
unclear how long the data was exposed or if it was accessed maliciously. Coming up after the break, Jason Baker from GuidePoint Security joins us to share an update
on the state of ransomware, and here come the AI agents.
Stick around. Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. Jason Baker is principal security consultant at GuidePoint Security.
I caught up with him for an update on the state of ransomware.
Yeah, I think coming into 2025, we're riding the tail end of 2024's disruption to the ransomware
space between international law enforcement disruption efforts
and some internal strife, we saw a lot of realignment in the primary ransomware groups
responsible for the bulk of observed victims in the space. For those less familiar, we
saw early on in the year a disruption of LockBit as part of Operation Cronos, a UK National
Crime Agency-led disruption effort, which
took some time to catch up, but eventually saw the long-term head, or largest, ransomware
group gradually tapering off to barely any impact in the space.
And a little bit further into the year, we saw the second largest group, ALPHV, also
known as BlackCat, disappearing entirely in what was called an exit scam
following their alleged attack on Change Healthcare.
So you take out the two largest
and most impactful ransomware groups,
you suddenly have affiliates that have to reorganize
and find new sources of income.
So we've seen a lot of new groups popping up,
a lot of newer groups really quickly gaining ground
as they absorb those new affiliates.
At the same time, we've seen the impact of some of that very public, very large law enforcement
disruption.
And I'm hopeful that we're going to continue seeing more of that here in 2025.
Can you help us understand how much of a difference these takedowns really make?
To what degree have we really moved the needle here?
Yeah, it's an interesting question
and there's varying answers to what the disruption affects.
So on one hand you have, let's say the least effective,
just for point of comparison,
and that's takedowns of commodity malware,
let's say information stealing malware or crypto
mixers or anything like that, things that support the cybercrime economy.
Unfortunately, there's so much waiting in the wings and so many different alternatives
so that we haven't really seen a substantial downstream effect when those have been taken
down.
It might be an annoyance and I'm sure it does impose costs on the people running that infrastructure
and those tools, but the actual cybercrime actors are still able to continue their operations.
Now conversely on the other end of things, we have the sanctions that were imposed on
LockBit's administrator, LockBitSupp, who was sanctioned by the Australian, UK, and US governments
in the wake of Operation Cronos.
Now, because of the way that ransomware as a service is structured, you don't really
have a way, if you've been hit by LockBit and you choose to make a payment, you don't
have any way of guaranteeing that the payment you make isn't going to end up at least in
part in the hands of that administrator. So even though LockBit as an entire organization wasn't necessarily sanctioned,
it effectively ruled any payment from organizations in those three countries as illegal.
And in the process, that was very disruptive. They tried to keep things going and create the illusion
that they were running it at full capacity.
But we've seen otherwise.
We've seen them drop off.
So on that other end, very, very effective at rendering the group essentially inoperable
or not profitable, driving away all of their affiliates.
And then there's everything in between, right, from other arrests and the like.
Unfortunately, with ransomware as a service, decapitation operations for taking out a specific leader don't necessarily handle the
underlying affiliates, which still continue to operate and just find a new
home.
Yeah, I mean, that's my next question. When we take out the,
we cut off the head, as it were, do you know, is it like, you know, the old myth
where, you know, three heads pop up to replace it?
I don't know if I'd say three heads so much as the body remains intact.
Now, you can make the argument that in the long term, this increases the perceived risk
of operating in the ransomware space, right?
It increases the perceived risk of continuing to operate
that you're likely to be doxed or publicly disclosed
what your identity is, or that you might be extradited,
or you might be indicted, or anything like that.
And that likely has some long-term psychological impact
on the affiliates and administrators supporting this.
But again, those folks are still able to realign
with new organizations.
So it's not the quickest turnaround as far as impacts that you would expect to see.
And it does give other groups opportunities to benefit from the experience of those affiliates
that have had to find a new home.
And that's primarily what we've seen with RansomHub.
Its roots are in the Knight and Cyclops ransomware,
and they came onto the scene in about February,
just in time for Operation Cronos and for ALPHV's exit scam,
and they really quickly shot to the number one spot
by victim volume, just because they were able to benefit
from all of that available experience,
and for lack of a better term,
talent.
Is there any sense that these ransomware operators are looking over their shoulder more than
they used to and perhaps not feeling as invulnerable?
I don't know that I've seen indications of that.
I know that there is frequent discussion in the space about mistakes
that have been made, about operational security mistakes. The community is very quick to call
those out as rookie errors or unforced errors. But I don't know that I've seen a decrease in
operations or people mentioning that they're hanging up their hat or anything like that
just yet. That's not to say those conversations aren't happening
or those thoughts aren't occurring,
just not something that I've personally seen.
What about on the regulatory side of things?
I mean, we recently saw there was some discussion in the UK
about outlawing ransomware payments,
particularly from public organizations
like schools and critical infrastructure.
Are we seeing traction with that sort of approach?
The United States has always been a little bit different
from Europe in terms of their regulatory approach to things.
For Europe, you have GDPR and other regulations
that are focused on privacy and fallout from cyber incidents
that just don't have the same traction in the US,
in large part because of cultural differences
and how we perceive policy and regulation impacts
on private industry.
I will say it has been easier to impose regulatory
and notification requirements on the public sector
in the United States, as well as critical infrastructure
or organizations which have a heavy public component.
That's been reflected in regulatory requirements
from, I believe it's CIRCIA,
I forget the full name of the law,
that requires reporting from critical infrastructure.
Now that's not unusual.
Where we see more pushback,
especially in the United States, is in private industry,
just because there's always to be an aversion to
undue reporting requirements, administrative requirements,
and that it's just a very cultural difference
in the United States.
What's your outlook for the coming year then
when it comes to ransomware?
Any expectations for what we're likely to see?
In the new year, we've discussed this as this concept of a rising middle class in ransomware,
which is to say that in the past, a lot of ransomware victims were heavily and densely
concentrated within those top two groups, that LockBit and that ALPHV.
And I think we're seeing a greater number of what we would previously call mid-tier
groups, your Black Bastas, your Yanliyan, your Play, your Akira, absorbing more of the operational load that we're seeing
in ransomware.
So more victims spread out across a greater number of operating groups.
We've also seen an increase in the number of distinct named groups.
And I pick my wording carefully there just because there may be some overlap between some
of these groups of redundancy.
But we're seeing more of these pop up
and more of them stay around for longer,
which is suggesting that the barriers to entry
in ransomware continue to be reduced.
And that continues to welcome in new players into the space
and new groups, new teams of ransomware operators
that see a profit to be made.
And tangentially and related to that,
this is more anecdotal.
We've seen a number of,
I'll call them fabricators or exaggerators or deceivers,
although these are all criminals,
they're all liars and deceivers, right?
But we're seeing more where it's almost embarrassingly obvious that they're completely fabricating
claims.
So as opposed to going out attacking a company and claiming this as their victim trying to
extort them, they're recycling old breaches and packaging it as a new one when no new
intrusion occurred, or they're developing an ostensible ransomware as a service group,
but they've developed no malware or ransomware
to go along with that.
It's, they're very much chasing the clout
in the cyber crime economy, either with the goal
of making money off of it or just burnishing a reputation
in the cyber crime community.
Anecdotally, we've seen a couple of cases of that
in the last year in what appears to
be an uptick.
And it really does speak to how much easier it is to fake the funk to get into the space
now.
That's Jason Baker, Principal Security Consultant at GuidePoint Security. And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase
in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Zscaler Zero Trust plus AI stops
attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral
movement, connecting users only to specific apps, not the entire network, continuously
verifying every request based on identity and context, simplifying security management with AI-powered
automation and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security
And finally, our HAL 9000 desk tells us that AI assistants are getting an upgrade, and this time they're not just answering questions,
they're taking action.
OpenAI, Anthropic, and Google DeepMind are rolling out AI agents that can browse the
web, fill out forms, and even book your dinner reservations.
Sounds convenient, right?
Well, what happens when things go sideways? Imagine waking up to find your AI assistant accidentally ordered 100 pounds of onions
or booked you a surprise trip to Siberia.
These bots still need human oversight; they can't log in, agree to terms of service,
or enter credit card details.
But once they can, what's stopping a glitchy AI from signing you up for 50 streaming services
or accepting sketchy terms on your behalf?
Experts warn that hackers could manipulate AI agents, turning them into digital puppets
for cybercriminals.
The first person whose AI buys a fleet of cars?
That's going to be a story. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our
CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound
design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Hey everyone, grab your favorite mug and put the kettle back on the stove, because Afternoon
Cyber Tea is coming back.
This season I am joined by an all-star team of thought leaders and industry experts to
dive into the critical trends that are shaping the future of cybersecurity.
We will explore how these technologies are revolutionizing the way we work, the way we
live and the way we interact with the world around us.
And as always, we will be bringing you thought-provoking discussions and fresh perspectives on what
is driving the future of cybersecurity and what leaders can do now to protect their teams tomorrow. New episodes will
be coming to you in February, every other Tuesday, so subscribe now wherever you get
your favorite podcasts.