CyberWire Daily - States struggle with cyber shift.
Episode Date: April 23, 2025

The White House's shift of cybersecurity responsibilities to the states is met with skepticism. Baltimore City Public Schools suffer a ransomware attack. Russian state-backed hackers target Dutch critical infrastructure. Microsoft resolves multiple Remote Desktop issues. A new malware campaign is targeting Docker environments for cryptojacking. A new phishing campaign uses weaponized Word documents to steal Windows login credentials. Zyxel Networks issues critical patches for two high-severity vulnerabilities. CISA issues five advisories highlighting critical vulnerabilities in ICS systems. Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division, sharing the findings of their latest IC3 report. So long, Privacy Sandbox.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division, as she is sharing the findings of their latest IC3 report.

Selected Reading
Trump is shifting cybersecurity to the states, but many aren't prepared (Stateline)
Baltimore City Public Schools report data breach (beyondmachines)
Russia attempting cyber sabotage attacks against Dutch critical infrastructure (record)
Microsoft fixes Remote Desktop freezes caused by Windows updates (bleepingcomputer)
New Malware Hijacking Docker Images with Unique Obfuscation Technique (cybersecuritynews)
Hackers Exploit Weaponized Word Docs to Steal Windows Login Credentials (gbhackers)
Kelly Benefits Data Breach Impacts 260,000 People (SecurityWeek)
Data Breach at Onsite Mammography Impacts 350,000 (SecurityWeek)
Zyxel Patches Privilege Management Vulnerabilities in USG FLEX H Series Firewalls (cybersecuritynews)
CISA Releases Five Advisories Covering ICS Vulnerabilities & Exploits (cybersecuritynews)
RIP to the Google Privacy Sandbox (The Register)
2024 IC3 ANNUAL REPORT

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
The White House's shift of cybersecurity responsibilities to the states is met with
skepticism.
Baltimore City Public Schools suffer a ransomware attack.
Russian state-backed hackers target Dutch critical infrastructure.
Microsoft resolves multiple remote desktop
issues, a new malware campaign is targeting Docker environments for crypto jacking, a
new phishing campaign uses weaponized Word documents to steal Windows login credentials,
Zyxel Networks issues critical patches for two high-severity vulnerabilities, CISA issues
five advisories highlighting critical vulnerabilities in ICS systems.
Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI's cyber division sharing
the findings of their latest IC3 report.
And so long, Privacy Sandbox.
It's Wednesday, April 23rd, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for joining us here today.
It is great to have you with us.
President Trump's recent executive order shifts cybersecurity responsibility from the
federal government to states and localities.
However, many states are unprepared for this transition.
A 2023 Nationwide Cybersecurity Review revealed that only 22 of 48 participating states met
recommended security standards.
Compounding the issue, federal funding cuts have reduced resources for state and local
officials, including a cybersecurity grant program and a key cybersecurity agency.
This has left states grappling with increased cyber threats, such as ransomware attacks
and foreign interference, while facing shortages of IT experts and limited budgets.
Recent cyber attacks in Rhode Island, Virginia, and Massachusetts highlight the vulnerabilities
in state systems.
Experts warn that expecting states to manage cybersecurity independently without adequate
support is unrealistic and could compromise national security.
Just a quick program note, we discussed this issue on a recent episode of the Caveat podcast.
Do check that out wherever you get your favorite podcasts.
Baltimore City Public Schools suffered a ransomware attack on February 13th linked to the Cloak
Gang. The breach exposed sensitive personal data of about 25,000 people, including social
security numbers, student records, and employment documents. Those affected include current and former staff, volunteers, and over 1,100 students. The school system confirmed no ransom was
paid. Law enforcement and cybersecurity experts are investigating. Notification
letters were sent April 22nd with two years of free credit monitoring and a
call center provided for support.
Russian state-backed hackers have targeted Dutch critical infrastructure in cyber-sabotage
attempts during 2023 and 2024, according to the Dutch Military Intelligence and Security
Service, the MIVD.
Though the attacks had minimal immediate impact, they mark the first known sabotage of Dutch
control systems.
The MIVD warns such operations are rising across Europe, aiming to gain digital access
to critical systems for potential future disruption.
The Netherlands, home to Europe's largest port in Rotterdam and key NATO logistics hubs,
remains strategically vital.
Russian cyber activity, including prior infiltration attempts of global institutions
like The Hague, is escalating.
The Dutch government is boosting its military and cybersecurity investments,
sharing intelligence with Ukraine, and warning that Europe must act swiftly
to counter increasingly sophisticated Russian cyber threats amid global geopolitical instability.
Microsoft has resolved multiple issues affecting remote desktop on Windows Server 2025 and Windows 11.
A bug causing RDP sessions to freeze was fixed in February's update for Windows 11 and in April's
update for Windows Server.
Microsoft also used known-issue rollback to reverse bugs causing RDP disconnections.
Additionally, a long-standing bug triggering blue-screen errors on servers with over 256
logical processors was fixed. Other recent issues include login problems with Windows Hello and domain controller failures.
A new malware campaign is targeting Docker environments to hijack compute resources for
cryptojacking using highly layered obfuscation to evade detection.
Researchers from Darktrace and Cado Security Labs found the attackers deploying a Docker
image which runs a deeply obfuscated Python script, requiring 63 decode loops to reach
the final payload.
Instead of mining cryptocurrency directly, the malware connects to a Web3 platform to
simulate node activity and
earn private tokens. This low resource tactic avoids triggering alarms tied to
traditional mining. Docker's popularity and frequent misconfigurations make it
an attractive target. Experts warn organizations to secure Docker setups
with strong authentication, avoid unnecessary Internet exposure,
and vet images carefully.
This campaign signals a shift toward abusing
legitimate decentralized systems for stealthy profit.
A new phishing campaign uncovered by Fortinet's
FortiGuard Labs uses weaponized Word documents
to steal Windows login credentials.
Disguised as sales orders, the emails carry attachments exploiting a known vulnerability
in Microsoft Equation Editor.
This flaw enables remote code execution, leading to the deployment of a new Formbook malware
variant.
The attack chain involves a Word document embedding an obfuscated RTF file and DLL,
triggering buffer overflows and stealthily launching the malware via process hollowing.
The payload, downloaded as a disguised PNG file, decrypts into a fileless executable
injected into a legitimate Windows process.
The malware collects credentials, keystrokes, and screenshots while maintaining persistence
through registry edits.
Fortinet has flagged this campaign and urges users to update systems and remain alert to
phishing threats exploiting old vulnerabilities.
Two significant data breaches have recently impacted U.S. organizations compromising the
personal information of over 600,000 individuals.
On-site Mammography, a Massachusetts-based medical services provider, reported unauthorized
access to an employee's email account in October of last year.
The breach exposed sensitive data, including names, social security numbers,
dates of birth, driver's license, and credit card numbers, and medical
information affecting approximately 357,000 patients. The company asserts
that the intrusion was limited to the email account and is offering 12 months
of free credit monitoring to those affected.
Kelly Benefits, a Maryland-based benefits and payroll solutions provider, disclosed
a breach affecting nearly 264,000 individuals.
Hackers accessed the company's systems between December 12 and 17 of last year, exfiltrating
files containing personal data such as names, dates of birth, social security
numbers, tax ID numbers, medical and health insurance information, and financial account
details.
While no ransomware group has claimed responsibility, the possibility of a ransomware attack has
not been ruled out.
Zyxel Networks has issued critical patches for two high-severity vulnerabilities affecting
USG Flex H series firewalls.
These flaws could allow unauthenticated users to escalate privileges and gain unauthorized
access.
The first vulnerability enables low-privileged users to reach admin-level access via PostgreSQL
command issues, especially if an admin remains
logged in.
The second lets admins upload malicious configs to gain further control.
Discovered by security researchers, both bugs are fixed in a recent firmware update.
Immediate patching is urged.
CISA has issued five advisories highlighting critical vulnerabilities in ICS
systems from Siemens, Schneider Electric, and ABB with potential impacts on industrial
automation and infrastructure. Siemens' TeleControl Server Basic SQL suffers from
multiple high severity SQL injection flaws, enabling attackers to manipulate databases
and bypass controls.
Another Siemens advisory cites a lower risk vulnerability causing partial denial of service
in redundant server setups.
Schneider Electric's Wiser home controller contains a flaw allowing remote credential
exposure. ABB MV Drives are affected by CODESYS vulnerabilities enabling memory-based attacks.
A previous advisory for Schneider's Modicon M580 PLCs was updated to address a buffer
size flaw that could cause denial of service.
CISA urges patching, network segmentation, and continuous monitoring to safeguard critical
infrastructure from these escalating threats.
Coming up after the break, my conversation with Deputy Assistant Director Cynthia Kaiser
from the FBI Cyber Division,
and so long, Privacy Sandbox. Stay with us.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with attack path management.
You can learn how attack path management is connecting identity and security teams
while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their
controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
It is always my pleasure to welcome back to the show Deputy Assistant Director Cynthia
Kaiser from the FBI's cyber division.
D.A.D. Kaiser, welcome back.
I'm glad to be here.
So you and your colleagues there at the FBI have published the most recent version of
your IC3 report. A bit of extra celebration here. This is the 25th year of the annual
report, right?
It's the 25th year of IC3 overall.
Wow.
Which started in 2000.
Okay.
Well, time flies.
For folks who are not familiar with IC3 and the mission there, can you give us a brief
explanation?
It was created really to serve the law enforcement community and just public writ large as we started to see cyber enabled crime
pop up, you know, where a lot of the kind of physical crime that we'd seen in the
past had transferred into the digital realm. Now really though it's evolved to
become the primary destination for the public to report cyber enabled crimes
and fraud as well as a key source of information
where we can put out to the public information
on scams and cyber threats.
So to be clear here, I mean, this is where the FBI
encourages members of the public to report anything
that may have happened to them online,
with scams and fraud and all those sorts of things.
Absolutely.
Scams, fraud, cybercrime.
Actually, since its founding, IC3 has received over 9 million complaints of malicious activity.
And obviously, it's increased exponentially since we first began.
During its infancy, IC3 received roughly 2000 complaints a month.
For the past five years,
IC3 has averaged more than 2000 complaints a day.
Wow.
Okay.
Well, let's talk about the recent report here.
What are some of the things that caught your eye?
I think the, you know,
sheer number of crimes
that we have reported to us, and then to know that that's just
a snapshot, that this is a function of who
can report into us.
And we know that these numbers are obviously
going to be much larger.
But a few key highlights. In 2024, IC3 received a total of 859,532 complaints
with losses of more than 16.6 billion.
That's a 33% increase in losses from the previous year.
Wow. Can we dig into some specific areas here? I mean, what are you seeing in terms of things
like ransomware?
We saw an increase in the number of incidents that were reported to the FBI of ransomware.
Now that doesn't necessarily mean victims paid. In fact, there's a lot of leading industry trackers that have
noted an increased drop in ransomware payments overall, in part thanks to the
FBI and our other law enforcement partners' efforts to take down major
ransomware groups like LockBit and ALPHV. But still, as we were looking at the data,
who was attacking American networks,
really struck out is 67 new ransomware variants
were recognized by IC3 in 2024.
The top sectors that were targeted
include critical manufacturing and healthcare and public health.
We saw some of the same types of ransomware groups be in the top five of the incidents that were reported to the FBI and some different.
The top five variants reported to IC3 were Akira, LockBit, RansomHub, Fog, and Play.
So really, we're looking at all of this.
We're getting these reports in.
There's an increase in reports.
We know from industry trackers, especially across the blockchain, there's a decrease in the amount of money that ransomware actors have actually received
from these incidents.
So it's hard to just make the numbers tell a story, but let me tell you what I actually
think is probably going on here.
The FBI has been able to provide decryptors to victims across the world that have prevented
over $800 million in ransoms paid since the middle of 2022.
Part of our ability to provide decryptors out to the public relies on the public reporting
in their ransomware incident.
Because we don't always know who the victim is
if we have information that would provide them
with decryptors.
So you have this increase in effort
by the ransomware actors to maximize their income,
probably because some of their traditional methods
aren't working.
And so you see this increase in maybe the overall incidence.
I just don't think that that's the whole story though.
It's such a complex ecosystem
and we're really proud of some of those efforts
that the FBI has been able to do to make a real difference.
Well, let's touch on critical infrastructure here.
That is something that the report digs into.
Can you share with us
some of the statistics that you gathered in that area?
Of course. IC3 received more than 4,800 complaints from organizations belonging to critical infrastructure
sectors that were affected by cyber threats. The most reported cyber threats among critical infrastructure
organizations were ransomware and data breaches.
Out of the, if you're looking going back into the ransomware,
so out of the total even ransomware complaints
that were filed in 2024, almost half
were related to critical infrastructure.
Now, the top five sectors were critical manufacturing,
healthcare, public health, government facilities,
financial services, and IT,
with really the vast majority up in the top two,
critical manufacturing and healthcare and public health.
And that's so important because targeting critical manufacturing can have cascading
impact across numerous industries like automotive, aviation, electronics, and targeting healthcare
facilities can actually become a threat to life matter with consequences that include hospitals being forced to be shut down or
negative effects against patients overall.
The data that you all are gathering here at the IC3, the Internet Crime Complaint Center,
can you give us some insights as to how does that data get distributed to your colleagues
at the FBI, the various field offices.
How does that work?
So we're getting in these just thousands of complaints a day.
And what that really translates to is
it doesn't automatically go to a field office.
We have an incredibly dedicated group of individuals
who go through every single complaint that
we receive and triage it, provide additional information, try to connect it to other cases
before they send that out to field offices to investigate further.
And really, the best benefit we get from the incidents that come into IC3 are when we can
tie them all together and say, this is a pattern. This is bigger than just even one victim. And we
can really seek to build a case, work to hold these actors accountable for the adverse intentions they have towards
US citizens.
It's such a big deal that we get all of these in.
And I think it's especially, and I want to highlight another aspect of the report here.
We're incorporating this year for the first time as one full report cryptocurrency fraud and
elder fraud, and what you see is that
criminals are going after
the people who are over 60 in a huge amount,
really trying to trick our family members
out of millions, billions of dollars.
And that's such a big deal.
And it's something we take so seriously here at the FBI,
being able to help the individual victims,
but then also, and I can't emphasize this enough,
the more reports we have that can pull them all together,
the more we can investigate,
and then the more we can warn others.
And that really bears out
from all of the public service announcements
that you can see on ic3.gov.
I think it's worth mentioning as well,
that as you say, that the huge number
of reports that you get every day, it's impractical for the folks who are collecting those to
respond personally to every single report, but it's worth noting that they do all get
read and they get logged.
So while, you know, it may not be gratifying if you don't hear back from the FBI right away,
do know that the reports are going somewhere.
They're not just getting lost in some big black hole, right?
What a great point, and that's exactly right. These reports are all read, they're all reviewed, and
they're all looked at for a way for us to be able to enrich them and build out a case
from them so that we can provide American citizens the justice they deserve.
Well, Deputy Assistant Director Cynthia Kaiser is with the FBI's cyber division. D.A.D. Kaiser, thanks so much for taking the time for us.
Thank you so much for having me.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly 9 out of 10 data breaches.
Once inside, they're after one thing, your data.
Varonis' AI-powered data security platform secures your data at scale.
Across IaaS, SaaS, and hybrid cloud environments,
join thousands of organizations who trust Varonis to keep their data safe.
Get a free data risk assessment at varonis.com.
And finally, RIP Privacy Sandbox.
We hardly knew ye.
Google's ambitious plan to banish third-party cookies and reinvent online ads while championing
privacy has quietly collapsed into a pixelated puff of irony.
After six years of tinkering, Privacy Sandbox has been shelved with Google citing AI hopes,
mysterious privacy tech, and regulators breathing down its neck.
Originally pitched as a privacy-forward alternative to tracking cookies, the sandbox ran into
trouble from ad tech rivals and watchdogs who weren't convinced Google wouldn't just rule the ad world even
harder.
As it turns out, fighting global regulators and industry skeptics proved tougher than
debugging the sandbox APIs.
Now Chrome will keep third-party cookies, meaning your digital shadow lives on. While some sandbox remnants
like IP protection might survive, the dream of a Google-led privacy renaissance has fizzled.
When push came to shove, Chrome didn't clear your cookies, it just rearranged them on a
shinier tray.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at the cyberwire.com. We'd love to know what
you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
review in your favorite podcast app. Please also fill out the survey in the show notes or send an
email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music
and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting
your executives and their families at home? Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7-365 with Black Cloak.
Learn more at blackcloak.io.