CyberWire Daily - Targeting schools is not cool.
Episode Date: May 8, 2025

The LockBit ransomware gang has been hacked. Google researchers identify a new infostealer called Lostkeys. SonicWall is urging customers to patch three critical device vulnerabilities. Apple patches a critical remote code execution flaw. Cisco patches 35 vulnerabilities across multiple products. Iranian hackers cloned a German modeling agency’s website to spy on Iranian dissidents. Researchers bypass SentinelOne’s EDR protection. Education tech firm PowerSchool faces renewed extortion. CrowdStrike leans into AI amidst layoffs. Our guest is Caleb Barlow, CEO of Cyberbit, discussing the mixed messages of the cyber skills gaps. Honoring the legacy of Joseph Nye.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Caleb Barlow, CEO of Cyberbit, who is discussing the mixed messages of the cyber skills gaps.

Selected Reading
LockBit ransomware gang hacked, victim negotiations exposed (Bleeping Computer)
Russian state-linked Coldriver spies add new malware to operation (The Record)
Fake AI Tools Push New Noodlophile Stealer Through Facebook Ads (Hackread)
SonicWall urges admins to patch VPN flaw exploited in attacks (Bleeping Computer)
Researchers Details macOS Remote Code Execution Vulnerability - CVE-2024-44236 (Cyber Security News)
Cisco IOS XE Wireless Controllers Vulnerability Enables Full Device Control for Attackers (Cyber Security News)
Cisco Patches 35 Vulnerabilities Across Several Products (SecurityWeek)
Iranian Hackers Impersonate as Model Agency to Attack Victims (Cyber Security News)
Hacker Finds New Technique to Bypass SentinelOne EDR Solution (Infosecurity Magazine)
CrowdStrike trims workforce by 5 percent, aims to rely on AI (The Register)
Despite ransom payment, PowerSchool hacker now extorting individual school districts (The Record)
Joseph Nye, Harvard professor, developer of “soft power” theory, and an architect of modern international relations, dies at 88 (Harvard University)
Nye Lauded for Cybersecurity Leadership (The Belfer Center for Science and International Affairs at Harvard University)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
The LockBit ransomware gang has been hacked.
Google researchers identify a new infostealer called Lostkeys.
SonicWall is urging customers to patch three critical device vulnerabilities.
Apple patches a critical remote code execution flaw.
And Cisco patches 35 vulnerabilities across multiple products.
Iranian hackers cloned a German modeling agency's website to spy on Iranian dissidents.
Researchers bypassed SentinelOne's EDR protection.
Education tech firm PowerSchool faces renewed extortion.
CrowdStrike leans into AI amidst layoffs.
Our guest is Caleb Barlow, CEO of Cyberbit, discussing the mixed messages of the cyber skills gap.
And honoring the legacy of Joseph Nye.
It's Thursday, May 8th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great to have you with us.
The LockBit ransomware gang has been hacked, leading to a major leak of its internal data.
Yesterday, LockBit's dark web affiliate panels were defaced with a message stating,
"Don't do crime. Crime is bad. Xoxo from Prague,"
and including a link to download a MySQL database dump.
The leaked database contains 20 tables including nearly 60,000 unique bitcoin addresses,
detailed ransomware build configurations, and over 4,400 chat logs from
victim negotiations between December 2024 and April of this year.
This breach exposes the inner workings of LockBit's ransomware-as-a-service operation,
revealing how affiliates customized attacks and communicated with victims.
The incident follows previous law enforcement actions against LockBit, including infrastructure
seizures and arrests, further destabilizing the group.
Google researchers have identified a new malware called Lostkeys, used by the Russian state-backed
hacking group Coldriver, also known as Star Blizzard, UNC4057, and Callisto.
This group, known for phishing, now uses Lostkeys to steal files and system data via a
fake CAPTCHA site that tricks victims into running malicious PowerShell code.
Coldriver, active since 2022, targets diplomats, journalists, and NATO-linked groups.
Lostkeys, like the earlier malware Spica, is used in selective espionage operations tied to Russian intelligence services.
Elsewhere, scammers are spreading a new malware called Noodlophile Stealer, using fake AI tools and Facebook ads.
The campaign targets users with a multi-stage attack that begins on phony AI websites offering
free image or video generation.
Victims download a zip file disguised as a video editing tool which installs malware
that steals browser credentials, crypto wallets, and can deploy remote access tools like XWorm.
The malware uses Telegram for data exfiltration and evades detection by running payloads in
memory.
SonicWall is urging customers to patch three critical vulnerabilities in its SMA 100 series
devices, one of which is being actively exploited.
Discovered by Rapid7, the flaws can be chained to allow remote code execution as root.
Multiple devices are affected.
Patches are available in recent firmware versions.
SonicWall advises enabling MFA, checking logs for unauthorized access, and using the web
application firewall for
added protection.
A critical remote execution flaw in macOS allows attackers to run arbitrary code if
a user opens a malicious ICC profile.
Found by Trend Micro's Zero Day Initiative, the bug stems from improper bounds checking
in macOS's sips utility.
Apple has patched it in recent OS versions.
No active exploitation has been seen, but users should update immediately due to the risk
and technical details now being public.
Cisco has released patches addressing 35 vulnerabilities across multiple products, including critical
flaws in IOS XE wireless LAN controllers and Identity Services Engine.
One significant vulnerability in IOS XE wireless controllers allows unauthenticated attackers
to upload arbitrary files via crafted HTTPS requests, potentially leading to full device compromise.
In ISE, two critical vulnerabilities enable remote attackers with read-only access to
execute arbitrary commands and alter configurations due to insecure deserialization and improper
input validation.
Additionally, Cisco addressed high-severity SNMP flaws in IOS, IOS XE, and IOS XR that
could cause denial of service conditions.
Users are strongly advised to update affected systems promptly, as no workarounds are available
for these vulnerabilities.
Iranian state-linked hackers tied to APT35, also known as Charming Kitten, cloned a German modeling agency's
website to spy on Iranian dissidents.
The fake site, discovered this month, mimics Hamburg's Mega Model Agency and features a
fake model profile with a dormant private album link, likely a phishing lure.
Obfuscated JavaScript collects detailed visitor data, including browser and
device fingerprints, IP addresses, and plug-in info. The data is sent to a disguised analytics
endpoint, aiding in stealthy surveillance and future targeted cyberattacks.
Researchers at Aon's Stroz Friedberg discovered a technique called Bring Your Own Installer that can bypass SentinelOne's EDR protection.
By exploiting the upgrade-downgrade process of the SentinelOne agent,
attackers can briefly disable its defenses, leaving endpoints exposed.
One threat actor used this method to gain admin access and deploy Babuk ransomware.
SentinelOne responded with mitigations, including enabling local upgrade authorization by default.
While no current EDRs are confirmed vulnerable when properly configured, other vendors were
privately notified
of the risk.
Despite paying a ransom after a December 2024 breach, education tech firm PowerSchool now
faces renewed extortion as the hacker targets individual school districts with stolen data.
The breach affected over 60 million students and 9 million teachers.
PowerSchool had believed the incident was contained after the hacker shared a deletion video.
However, recent threats prove otherwise.
At least four school boards have been contacted and the reused data matches that from the initial attack.
PowerSchool has alerted law enforcement
and is assisting affected districts.
CrowdStrike is laying off about 500 employees, 5% of its workforce, in a move aimed at boosting
efficiency. CEO George Kurtz framed the decision around the growing role of AI,
which he says will streamline operations and fuel growth toward $10 billion in annual revenue.
While the company highlights AI as a force multiplier, its own regulatory filings caution
about AI risks, including potential errors and legal liabilities. Despite increasing revenue,
CrowdStrike posted a $92.3 million loss in its latest quarter.
The layoffs are a harsh blow to affected employees, and the company acknowledged the pain caused.
Layoff-related costs are expected to total up to $53 million.
CrowdStrike joins other tech firms turning to automation while cutting staff amid economic uncertainty.
Coming up after the break, my conversation with Caleb Barlow from Cyberbit on the mixed messages of the cyber skills gap, and honoring the legacy of Joseph Nye.
Traditional pen testing is resource intensive, slow and expensive, providing only a point-in-time
snapshot of your application's security, leaving it vulnerable between development
cycles.
Automated scanners alone are unreliable in detecting faults within application logic
and critical vulnerabilities.
Outpost24's continuous pen testing as a service solution offers year-round protection, with recurring manual
penetration testing conducted by CREST-certified pen testers, allowing you to stay ahead of
threats and ensure your web applications are always secure.
We've all been there. You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results
so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications
than non-sponsored ones.
One of the things I love about Indeed
is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer. Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
It is always my pleasure to welcome back to the show Caleb Barlow.
He is the CEO at Cyberbit.
Caleb, welcome back.
It's always a pleasure to be here with the voice of the cybersecurity industry.
Dave, how are you today?
I feel a little teased.
You should feel loved.
It's all loved.
OK, I will take that.
So just a few days ago on our CyberWire Daily,
I was talking about the skills gap
and questioning whether it is actually a thing, because you see lots of news stories
about the skills gap, but then you see lots of people
pushing back and saying, no, it's not really a thing.
What's your take on this, Caleb?
Well, I mean, look, I think, and I'll actually credit
Simone Petrella and I were having this dialogue
and she said to me, you know, is it really a skills gap or is it an experience gap?
And I thought about this a lot.
I'm becoming more and more convinced it's an experience gap.
And here's where you really see it.
There's what, roughly speaking,
if you look at CyberSeek any given day,
it's about 450,000 open unfilled security jobs
in the United States, right?
That's what they say.
I don't think that number is totally off.
Now maybe some of those aren't real jobs, but we can probably agree there's definitely
a few hundred thousand open unfilled jobs.
Okay.
Sure.
Now the other thing is like we're also at a time in an industry where, and I don't know
what this number is, but there are definitely tens of thousands of people that have been
laid off in the security industry that are looking, and I get those resumes every day.
And you know, in the US we graduate somewhere between 20 and 30,000 people a year that kind of are looking
for a cybersecurity degree, a career. They can't really find that first job that
they really want. They're getting jobs, but they're not necessarily getting jobs
that they wanted in a SOC, and you need to look no farther than what's happening with recruiting to understand why.
So what do you think the reality of the gap is?
Where's the disconnect here?
Well, I think the disconnect, believe it or not, is the usage of commercial tools.
And if we look at most cybersecurity education, right, it often starts with red teaming, penetration
testing, and you're going to go through some
sort of an exercise, maybe using a Kali Linux platform, a lot of common open source tools.
You're learning the basics of how to do manual penetration testing, manual red teaming, and
then you switch over to the defensive side.
But the reality when a recruiter goes out and looks for a job and how that dialogue goes is, hey, I'd really love to get somebody maybe on the younger side.
It's an entry level job, but it'd be great if they had a couple years of experience using
Splunk or QRadar or Google Chronicle and extra bonus points if they've maybe configured a
firewall.
Okay? So a recruiter hears that.
They don't write entry-level job.
They go program their search and AI agent to search on Splunk,
Chronicle, Palo Alto firewalls because those are the easy things to find.
So the reality is if you don't have these commercial tools on your resume
and frankly have that experience,
you're gonna get filtered out and never even looked at
by the recruiter.
You know, I think back to my own experience in college,
you know, I was studying radio, television and film
and was looking to a broadcast career when I got out,
which I did for 20 years,
but it was the time I spent working in the TV station on campus and to your point,
using the equipment in the TV station, the video tape machines, the cameras, the cables,
all that kind of stuff, that's what got me work right out of college,
being able to say to people, yes, I know how this machine works.
What's the equivalent of that TV station on campus
for folks who are looking to get their hands
on the real security tools?
I think you're spot on.
So, you know, my experience was very similar.
I was starting to be electrical engineer.
I went to the Rochester Institute of Technology
where they require you to go there for five years
for an engineering degree,
and one of which is for co-op rotations.
So when I graduated, I had all of this commercial experience at times with companies that were
hot at the time that nobody's probably ever heard of anymore.
But the point is, like, you're walking out the door with all this commercial experience,
someone takes a look at your resume and it's like, okay, well, which job do you want?
I think the same is true, whether it's through an internship,
whether it's through, and full disclosure,
I'm pitching my own deck here, right?
Cyber range training, like where you're gonna get
hands-on with these commercial tools,
or some other experience where you're gonna get,
and the term I always use is eyes on glass,
hands on keyboard, using the things
you're gonna use in industry.
Now, this takes
on two forms, right? One, it's the responsibility of the student to go find these opportunities
and to go find these internships. But also, I think we have to look at higher education
and say, look, if we're not training on the exact same tools and platforms that someone
is going to be using in the real world job, then we're doing these students a disservice.
And that's the other side of this
we've really got to think about is,
as vendors in the vendor community,
are you offering licenses to your product
for educational use, maybe at no or low charge?
Because that's the other thing
that's going to make the difference.
And these schools go out there and look at
the price of buying a lot of these tools and go,
look, these things are hundreds of thousands of dollars
for a student.
What's not going to happen, right?
But truth of the matter is most of the vendors, if approached by a university and asking for
classroom use, most of them have programs where it's free or very low cost to use these
commercial tools.
What about, I guess maybe we'll call it the third leg of the stool, which
is the companies that aren't training people in-house, right? They're there,
they want people to come in fully baked, you know, ready to go with the experience
and they don't have those in-house programs or even just, you know, the
funding to get people up to speed.
Where's the guilt there?
Well, there should be a lot there.
And look, I think for whatever reason,
the cybersecurity industry has gotten a little drunk
on just going out and hiring for the next level
versus trying to build those people, right?
And I think here's the way you have to look at it, right?
When you go out and hire someone
that is an experienced professional on the tools you want,
first of all, they're gonna cost more.
You're gonna pay a third of their annual salary
or more to a recruiter.
So let's say you're recruiting for a job that's $100,000,
right, just to use round numbers.
You're gonna pay $33,000 for the recruiter.
You're gonna get them on board.
The reality in today's world, particularly
in emerging geographies, is some reasonable percentage, maybe 20, 30 percent, have lied on
their resume about their experience. It's an unfortunate reality. You're going to find out
three months in that actually this person doesn't have 10 years of experience on Splunk. They've
never touched it before. Now you've got to get rid of them. And I'm only being a little bit sarcastic here. And you've got to start
that whole process over again with a recruiter again, versus if you had taken an existing
top performer, skilled them up on that next tool set, you're only going to pay maybe 10%
more in the bonus and the raise that you're going to give them.
They're going to be a happy employee and you're going to have a known entity moving into that
job where because you trained them, you know they're performant, right?
And that is, I'm finally starting to see a lot of the forward-leaning CISOs start to really
change this and say, okay, I need to take every year a certain percentage of
my level one analysts and I need to turn them into level two.
I need to take a certain percentage of my level two and I need to turn them into threat
hunters.
I think those are the CISOs that are going to dramatically reduce their overall labor
costs, dramatically reduce their retention, and really be paying a whole lot less out
to recruiters.
Yeah, I was going to mention the retention aspect of it
because I think in an industry
where people are hopping around a lot,
that kind of nurturing can really pay dividends
and having people feel a little connection to the company.
Well, I mean, how many times have we seen
security professionals that are bouncing around jobs
every year or two, every year or two getting a higher salary because they're, you know, we're
recruiting from a finite group of people. There aren't enough people in the pool.
So we all show up wanting the same skills and basically just drive the
cost up artificially versus if we took the time to train people. I mean, yes, it
might take you six months for somebody working
at a level one to get them ready to go to level two. Now they haven't stopped working
the whole time. They're just training a little bit in the off time, let's say over six months.
But how is that really any worse than spending three months with a recruiter trying to find
the right person, two months of them onboarding and training, and a month
of them being performant, you're really only losing maybe a month and saving a fortune
in the process.
Right.
And training them for exactly what you need.
Exactly.
And the, what gets really interesting is I'm seeing CISOs now that have a curriculum that
they want to mandate down for this to happen.
So they're looking at what do I need to do?
Because like a lot of people, for example, are moving off of QRadar as that kind of winds
down and moving to maybe Microsoft or Palo or Google Chronicle.
Well, okay, I need to train up my team.
So they lay out a curriculum, hey, over the next year, I want to train everybody up,
we're going to deploy these new tools, and we'll actually be able to measure when people
are ready to switch. That's pretty cool in my mind.
Let's switch over just a bit and talk about the students themselves, the folks training.
You mentioned cyber ranges. You know, here at N2K, we have practice tests, those kinds
of things. I mean, what's the mindset of someone who is in this mode
of getting up to speed?
Is it a situation where they're putting a lot of pressure
on themselves?
Where do we stand there?
Well, there's a lot of challenge of breaking
into this industry.
And I think we've done a little bit of a disservice
to ourselves, assuming that certificate collection
is the answer.
And don't get me wrong, industry certificates are valuable,
particularly if you're going into consulting
or a government job.
Because those are the two areas that really look at them.
The reality is I don't think most CISOs care
if you have a certificate or not.
What they care about is do you know the technology
and can you do the job? And this really comes down to kind of the brain science of this
of how do I train under pressure? Because it's not just about getting the book knowledge.
It's not about passing the exam. I mean, don't get me wrong, passing the exam is important,
right? But I need to do that. And I need to have the time in the seat, because this is much more analogous to a sport.
I'm up against a human adversary. I need, just like I'm training for sport, I need that pattern
recognition of, wait a minute, this is a little odd. I need to dig in here more. What is this
adversary's likely next move? What is their worst move? And that's only learned through time in the
seat. It needs to be reflexive, and that training needs to occur repetitively.
So again, let's use a sports analogy, right?
You don't get good at soccer or football.
I guess in some areas, geography is football or soccer, the same thing, but follow me through,
right?
I'm with you, Caleb.
You don't get good at this if you don't go out on the field every week and practice. Hard stop, right?
You also don't get any good at, you know, if you go out and train to be a lineman by
reading a bunch of books, it's not going to end well in your first, you know, if I throw
you on a D1 field, it's not going to end well, right?
Right.
Right.
The same is true in a SOC, right?
Training has to be a regimented part of something you do every
single week, which means it's got to be asynchronous. It's got to be easy to do. It's got to be
measured and it's going to be practicing. You got to push yourself, right?
If we were playing football and we only ever played against easy teams, we're
not going to get any better. We've got to simulate playing against really hard adversaries
so we know how to build up that muscle memory
and when the really hard adversary,
actually it's just, we're like bring it on baby
because we're ready.
Yeah, absolutely.
I'm the true believer that the best way to get better
at something is to do it with someone
who's better at it than you are.
Yeah.
Yeah, absolutely.
All right, well, Caleb Barlow is CEO at
Cyberbit. Caleb, thanks so much for taking the time for us. Thanks Dave.
Let's be real, navigating security compliance can feel like assembling IKEA furniture without
the instructions. You know you need it, but it takes forever and you're never quite sure
if you've done it right. That's where Vanta comes in. Vanta is a trust management platform
that automates up to 90% of the work for frameworks like SOC 2, ISO 27001, and HIPAA,
getting you audit ready in weeks, not months. Whether you're a founder, an
engineer, or managing IT and security for the first time, Vanta helps you prove
your security posture without taking over your life. More than 10,000
companies, including names like Atlassian and Quora, trust Vanta to monitor compliance,
streamline risk, and speed up security reviews by up to five times.
And the ROI?
A recent IDC report found Vanta saves businesses over half a million dollars a year and pays
for itself in just three months.
For a limited time, you can get $1,000 off Vanta at vanta.com slash cyber.
That's vanta.com slash cyber.
And finally, we pause to remember Joseph Nye, who passed away on May 6 at the age of 88,
leaving behind a profound legacy in international relations and cybersecurity.
Renowned for coining the term soft power, Nye's insights into the dynamics of global influence reshaped diplomatic
strategies worldwide.
Beyond his theoretical contributions, Nye was instrumental in integrating cybersecurity
into the realm of international policy.
As a founding member of the Global Commission on the Stability
of Cyberspace, he championed the development of norms to govern state behavior in cyberspace,
emphasizing the importance of protecting civilian infrastructure from cyber threats.
Nye's tenure as Dean of Harvard's Kennedy School from 1995 to 2004 was marked by his
commitment to preparing future leaders for
the complexities of the digital age. He fostered interdisciplinary approaches, blending political
science with emerging technological considerations, ensuring that the next generation of policymakers
was equipped to navigate the challenges of cybersecurity and digital diplomacy. His dedication to public service, including roles as Assistant Secretary of Defense
for International Security Affairs and Chair of the National Intelligence Council,
underscored his belief in bridging academic theory with practical policy solutions.
Joseph Nye's vision and leadership have indelibly shaped our understanding of power, diplomacy,
and the critical importance of cybersecurity in maintaining global stability.
His contributions continue to inspire and guide scholars and practitioners in the ever-evolving
landscape of international relations.
To all who knew and loved him, may his memory be a blessing. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please
also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpie is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and
security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to specterops.io today to learn more.
SpecterOps, see your attack paths the way adversaries do.