CyberWire Daily - Tomcat got your server?
Episode Date: March 18, 2025

An Apache Tomcat vulnerability is under active exploitation. CISA rehires workers ousted by DOGE. Lawmakers look to protect rural water systems from cyber threats. Western Alliance Bank notifies 22,000 individuals of a data breach. A new cyberattack method called BitM allows hackers to bypass multi-factor authentication. A Chinese cyberespionage group targets Central European diplomats. A new cyberattack uses ChatGPT infrastructure to target the financial sector and U.S. government agencies. Australia sues a major securities firm over inadequate protection of customer data. Our Threat Vector segment examines how unifying security capabilities strengthens cyber resilience. Cybercriminals say, “Get me Edward Snowden on the line!”

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
Security platformization is transforming the way organizations defend against cyber threats. In this episode of Threat Vector, host David Moulton speaks with Carlos Rivera, Senior Analyst at Forrester, about how unifying security capabilities strengthens cyber resilience. To listen to the full discussion, please check out the episode here or on your favorite podcast app, and tune in to new episodes of Threat Vector by Palo Alto Networks every Thursday.

Selected Reading
Critical Apache Tomcat RCE Vulnerability Exploited in Just 30hrs of Public Exploit (Cyber Security News)
CISA Rehires Fired Employees, Immediately Puts Them on Leave (GovInfo Security)
Western Alliance Bank Discloses Data Breach Linked to Cleo Hack (SecurityWeek)
New BitM Attack Lets Hackers Steal User Sessions Within Seconds (Cyber Security News)
US Lawmakers Reintroduce Bill to Boost Rural Water Cybersecurity (SecurityWeek)
Chinese Hackers Target European Diplomats with Malware (GovInfo Security)
Hackers Exploit ChatGPT with CVE-2024-27564, 10,000+ Attacks in a Week (Hackread)
Australia Sues FIIG Investment Firm in Cyber 'Wake-Up Call' (GovInfo Security)
Extortion crew threatened to inform Edward Snowden (?!) if victim didn't pay up (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
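The Tomcat story in this episode describes a two-step chain: a PUT that writes an encoded payload to the server, then a GET carrying a JSESSIONID cookie that triggers it, which the narration notes is hard for tooling to catch because the steps are separate. The following is an added example, not the podcast's or Apache's code, of a log-correlation check for exactly that pattern, run over constructed Tomcat access-log lines. It assumes (assumption) that AccessLogValve is configured with a pattern that also records the Cookie request header, for example `%h %t "%r" %s %b "%{Cookie}i"`, and that ordinary session ids are 32 uppercase hex characters as minted by Tomcat's default generator; the sample lines, IPs and paths are made up.

```python
"""Heuristic log correlation for the PUT-then-GET chain described in the Tomcat story.

Added example; not the podcast's or Apache's code. Assumes (assumption) that
Tomcat's AccessLogValve records the Cookie request header, e.g. with
pattern='%h %t "%r" %s %b "%{Cookie}i"', and that normal session ids are
32 uppercase hex characters (Tomcat's default id generator).
"""
import re
from datetime import datetime, timedelta

# One access-log line in the assumed format: client, time, request line, status, bytes, Cookie header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Shape of a session id minted by Tomcat's default generator (assumption: defaults unchanged).
NORMAL_SESSION_ID = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample lines (not real traffic). The first two form the suspicious chain.
SAMPLE_LOG = [
    '203.0.113.7 [18/Mar/2025:10:00:01 +0000] "PUT /uploads/payload.session HTTP/1.1" 409 - "-"',
    '203.0.113.7 [18/Mar/2025:10:00:04 +0000] "GET /index.jsp HTTP/1.1" 500 0 "JSESSIONID=.payload"',
    '198.51.100.4 [18/Mar/2025:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "JSESSIONID=0123456789ABCDEF0123456789ABCDEF"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def jsessionid(cookie_header):
    """Return the JSESSIONID value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def find_suspicious_chains(lines, window=timedelta(minutes=5)):
    """Flag a PUT followed within `window` by a GET from the same client whose
    JSESSIONID does not look like a normally generated session id.

    The PUT's response code is deliberately not filtered: a rejected PUT may
    still have left content on disk, so every PUT is treated as a candidate."""
    recent_puts = {}  # client ip -> list of (timestamp, path, status)
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "PUT":
            recent_puts.setdefault(rec["ip"], []).append((rec["ts"], rec["path"], rec["status"]))
            continue
        if rec["method"] != "GET":
            continue
        sid = jsessionid(rec["cookie"])
        if sid is None or NORMAL_SESSION_ID.match(sid):
            continue
        for put_ts, put_path, put_status in recent_puts.get(rec["ip"], []):
            if timedelta(0) <= rec["ts"] - put_ts <= window:
                hits.append({
                    "ip": rec["ip"],
                    "put_path": put_path,
                    "put_status": put_status,
                    "get_path": rec["path"],
                    "jsessionid": sid,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_LOG):
        print("suspicious PUT/GET chain:", hit)
```

Run against the constructed lines it reports one chain (the 203.0.113.7 PUT followed three seconds later by a GET with a non-standard JSESSIONID) and ignores the ordinary session on the third line. On the mitigation side, the partial-PUT support the episode says to disable corresponds to the `allowPartialPut` init-param of Tomcat's DefaultServlet in conf/web.xml, and PUT is only accepted at all when that servlet's `readonly` init-param is set to false, which is not the shipped default; a server that never needs WebDAV-style uploads should leave `readonly` at true.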
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a brief message from our sponsor, DropZone AI.
Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours or even days?
The latest SANS SOC Survey Report reveals alert fatigue and limited automation are SOC teams' greatest barriers.
DropZone AI, recognized by Gartner as a Cool Vendor, directly addresses these challenges
through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching
context and enabling
analysts to prioritize real incidents faster.
Take control of your alerts and investigations with DropZone AI.
An Apache Tomcat vulnerability is under active exploitation.
CISA rehires workers ousted by DOGE.
Lawmakers look to protect rural water systems from cyber threats.
Western Alliance Bank notifies 22,000 individuals
of a data breach. A new cyber attack method called BitM allows hackers to
bypass multi-factor authentication. A Chinese cyber espionage group targets
Central European diplomats. A new cyber attack uses ChatGPT infrastructure to
target the financial sector and US government agencies. Australia sues a
major securities firm
over inadequate protection of customer data.
Our threat vector segment examines
how unifying security capabilities
strengthens cyber resilience.
And cyber criminals say,
get me Edward Snowden on the line. It's Tuesday, March 18, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us once again here.
It is great to have you with us.
A critical remote code execution vulnerability in Apache Tomcat is being actively exploited.
The flaw, disclosed on March 10th, allows attackers to gain control of servers via a simple PUT request.
Exploits appeared on GitHub just 30 hours after disclosure.
Attackers upload Base64 encoded payloads via a PUT request,
then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect
this due to encoded payloads and multi-step execution. Apache urges immediate updates.
Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage.
The Cybersecurity and Infrastructure Security Agency is rehiring roughly 130 probationary
employees ousted under President Donald Trump's workforce purge, but is immediately placing
them on administrative leave.
The move follows a ruling by U.S. District Judge James Bredar, which the White House
vowed to fight.
Trump criticized the decision, calling it dangerous, while experts warn the mass firings
threaten national security.
CISA faces internal confusion over the ruling and is trying to contact impacted employees.
The agency has also defunded cybersecurity hubs and defended workforce cuts as eliminating
duplication. Critics,
including former NSA official Rob Joyce, say these actions weaken U.S. cybersecurity.
The White House and key agencies have not responded to requests for comment.
Elsewhere in Washington, lawmakers have reintroduced the Cybersecurity for Rural Water Systems Act of 2025, a bipartisan
bill aimed at protecting rural water systems from cyber threats. Sponsored by Representatives
Don Davis, Democrat from North Carolina, and Zachary Nunn, a Republican from Iowa, and
Senators Catherine Cortez Masto, Democrat from Nevada, and Mike Rounds, a Republican
from South Dakota, the bill expands the Circuit Rider program to include cybersecurity assistance
for small water utilities serving populations under 10,000.
The bill funds cybersecurity specialists known as Circuit Riders who will train rural utilities, assist in
cyber defense planning, and improve threat response. Only 20 percent of U.S. water systems
currently have cyber protections, making this legislation critical. Though initially introduced
in 2023, it failed to pass, but is now gaining renewed support this year.
Western Alliance Bank is notifying 22,000 individuals of a data breach involving a third-party
file transfer tool exploited in October 2024.
The breach exposed names, Social Security numbers, birth dates, and financial details.
The Clop extortion group exploited Cleo file transfer vulnerabilities, impacting dozens
of organizations.
Western Alliance confirmed the breach after stolen data appeared online in January of
this year.
Despite the incident, the bank says it won't affect its financial condition.
Affected individuals receive one year of identity protection.
A new cyberattack method called Browser in the Middle, or BitM, allows hackers to bypass
multi-factor authentication and steal user sessions in seconds.
This technique hijacks authenticated browser sessions, making it a major threat to organizations
relying on traditional security
measures. BitM attacks proxy victims through an attacker-controlled browser, mimicking
legitimate sites. Users unknowingly enter credentials and complete MFA challenges, allowing
attackers to steal session tokens. Tools like Evilginx2 and Delusion enable real-time session hijacking and scalable phishing
campaigns.
Experts say hardware-based authentication, things like FIDO2 security keys, are one of
the best defenses because they tie authentication to a physical device.
No device, no access.
Behavioral monitoring and client certificates help, too. And of
course, good old-fashioned security awareness training can go a long way.
A Chinese cyber espionage group, MirrorFace, also known as Earth Kasha, has
expanded beyond East Asia, targeting a Central European diplomatic institute in
August of last year. Researchers from ESET found
the group used ANEL, also known as UPPERCUT, a backdoor previously linked to APT10, suggesting tool-sharing
among Chinese threat actors.
The attack began with a spear-phishing campaign referencing Expo 2025 in Japan.
Once victims engaged, they received a malicious Word document, deploying ANEL and HiddenFace
for persistence.
The hackers wiped logs, used AsyncRAT in Windows Sandbox, and abused Visual Studio
Code's remote tunnels to evade detection.
They also exfiltrated Chrome credentials, potentially compromising diplomatic communications. The attack highlights China's evolving cyber tactics and
collaboration between state-sponsored groups.
According to the latest research from Veriti, a new cyber attack campaign is
actively exploiting a server-side request forgery vulnerability affecting OpenAI's ChatGPT infrastructure,
but OpenAI itself has not been breached.
In just one week, over 10,000 attack attempts were recorded from a single malicious IP,
with the U.S. seeing the highest concentration, followed by Germany and Thailand.
35% of organizations are vulnerable due to misconfigured security
tools like IPS, web application firewalls, and firewalls. The financial sector and U.S.
government agencies are prime targets as attackers exploit AI-driven services to access internal
resources and sensitive data. Veriti urges security teams to review firewall settings,
monitor attack logs, and reassess AI-related security risks,
emphasizing that even medium severity vulnerabilities
can become major attack vectors.
Australia's financial regulator is suing FIIG Securities
over cybersecurity failures that led to a 2023 data breach affecting
18,000 customers. The Australian Securities and Investments Commission says FIIG lacked
basic security controls for four years, failing to update firewalls, patch software or train
employees, allowing threat actors to steal 385 gigabytes of sensitive
data.
FIIG, which manages $2.88 billion in funds, was unaware of the breach until the Australian
Cyber Security Centre alerted them.
It took six days to respond.
The Australian regulators allege FIIG violated the Corporations Act, which mandates financial
firms maintain adequate risk management.
This case follows a 2022 lawsuit against RI Advice for similar cybersecurity lapses.
Australian regulators warn that cyber risk management is a top priority, with tighter
regulatory actions coming for financial firms
failing to protect customer data.
Coming up after the break, our Threat Vector segment examines how unifying security capabilities
strengthens cyber resilience, and cyber criminals
say get me Edward Snowden on the line.
Stay with us.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results
so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications
than non-sponsored ones.
One of the things I love about Indeed
is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more
visibility at indeed.com slash cyberwire. Just go
to indeed.com slash cyberwire right now and support our show by saying you heard
about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions
apply. Hiring? Indeed is all you need.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point in time checks.
Look at this, more than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation
to evidence collection across 30 frameworks
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
It's time for our Threat Vector segment.
David Moulton sits down with Forrester senior analyst,
Carlos Rivera, to explore the concept of platformization,
how unifying security capabilities
strengthens cyber resilience.
Hi, I'm David Moulton, host of Threat Vector,
the podcast where we discuss pressing cybersecurity threats
and resilience and uncover insights into the latest industry trends.
Here's a preview of what's coming up next on Threat Vector.
In our next episode, I'm joined by Carlos Rivera,
senior analyst at Forrester, to talk about one of the most critical shifts
in security strategy, platformization.
Think network security is outdated in the cloud era?
Think again.
Carlos challenges a common misconception
that cloud adoption makes traditional network security
obsolete.
In this episode, we break down why firewalls,
segmentation and policy enforcement are still essential,
even in a cloud first world.
Don't miss this episode.
Carlos, it's been quite a while
since I've thought about micro segmentation.
I mean, we're talking probably five, six years ago
since I talked to somebody like yourself that's an expert.
I'm wondering what you would advise.
How should organizations rethink micro segmentation
within the zero trust model to maximize
that security effectiveness that they're looking for?
Yeah, so I think the trick here is that
what I'm trying not to do is tell everyone
that there's one solution that is better than the other.
What I typically try to articulate
when I get questions such as,
what's the best practice for micro-segmentation?
In the past, organizations have typically struggled to implement micro-segmentation effectively.
So there are various levels of micro-segmentation that an enterprise can arguably achieve.
And with our own research efforts, we call out those levels, but specifically host level
or even microservice level, we view that as being more complex and difficult to implement.
But organizations that actually pursued the micro-segmentation initiatives as the first initiative for their zero-trust journey,
they found this to be more complex, right?
So those same organizations either abandoned the initiative or delayed the initiative to focus on other tasks and other activities.
But now organizations are beginning to revisit
that conversation about micro segmentation initiatives.
Because they now have a better understanding, right?
They learn from them for a sake.
But now they have to have another setting about the approach.
So ultimately what organizations should really be doing
when they begin their zero trust or micro-segmentation journey is identify where those critical assets are in their environment and then actually assess the tools, technology and
controls they have already in place that they can actually leverage to achieve a level of maturity
that will be one acceptable based on risk tolerance and even risk appetite. So once they have that,
then it becomes more of a matter of what is needed to get to that next level of maturity.
Another thing I want to add is that,
while there will be a need to have guidance for organizations.
One of the biggest issues that I get in terms of client engagement is that now we're
implementing micro-segmentation, but we have firewalls, we have ZTNA,
we have micro-segmentation specific tools
and solutions in our environment.
These are all various different enforcement points
that have policies.
So this organization might not be thinking it now,
but it might be worth exploring
or having conversations internally about
what should our guidance be about how we approach our policy and rule sets throughout our
architecture so that we have a better understanding of what's the most
effective and efficient way of approaching the rules and the
architecture, meaning the broader we are, the further out in our
environment from the edge perimeter, that's going to be the broader policy,
and the closer we are getting to critical assets in our environment,
that's where the more granular policy should
exist. But it should not be conflicting with each other.
So Carlos, anyone that's been paying attention for the last
year or so knows that Palo Alto Networks has been a really
strong proponent of this idea of security platformization or,
you know, unifying security capabilities into like a single
AI driven platform.
What are the key advantages of a unified security approach,
and how does it compare to the traditional best-in-class security model?
I think the idea behind the unification of security control
is really just a simplifying deployment and management of those security controls.
So you're actually starting to break down those silos that might have impeded any kind of collaborative discussions within
your organizations with respect to security best practices. What types of controls are
going to be needed and how do you improve those outcomes and improve those operations.
There's also that potential for a cost-saving benefit when you start exploring platformization or a
unified solution. You start reducing the number of licenses you need to procure, maintain,
and manage. But you're also reducing complexity within your infrastructure
within the security stack. So it's often that ability to have a visibility and
management of all these various different tools with a more centralized
manner and that can actually lead to being more efficient and having a more holistic security architecture.
Security analytics can also stand to benefit from this in an indirect way because it's
improving incident response times, because it's reducing that complexity
and friction that they might experience when it comes to investigations and analytics.
Carlos, are there any recent security developments that have really personally surprised you?
Recent security developments that have surprised me? I mean we're seeing it kind of unfold now in terms of executive orders, you know, governments buying in and making more,
at least being more influential in how organizations
and how the industry should approach cybersecurity
and making our areas, our networks more sensible.
That is to me, it's not so much surprising as it is.
I would say it's a moment of surprise, I guess, because I do come from
the government side and I know what the DOD has done in the past. And, you know, they're
always kind of ahead of the game, ahead of the curve when it comes to those types of
implementations. But now it's kind of the influence. I think we're returning to this
norm of we look to the government to set precedence
on what we should do for cybersecurity and seeing that unfold today, or at least this day in age,
is a bit rewarding.
If we piqued your interest, don't miss the full episodes every Threat Vector Thursday.
Subscribe now to stay ahead.
You can find a link to the full examination of platformization by David and Carlos in
our show notes.
And of course, don't forget to check out the entire Threat Vector podcast wherever
you get your favorite podcasts.
Tired of investigation tools that only do one thing at a time?
Spending more time juggling contracts with data vendors than actually investigating?
Maltego changes that for good.
Get one investigation platform, one bill to pay, and all the data you need in one place.
It comes with curated data and a full suite of tools to handle any digital investigation. Connect the dots so fast, cybercriminals won't even have time to Google what Maltego is.
See the platform in action at maltego.com.
And finally, let's set the scene.
You're a cyber criminal trying to make an honest, dishonest living in the ransomware
world, but payments are down, negotiations are tougher, and victims just aren't coughing
up the cash like they used to.
What do you do?
Well, if you're Ox Thief, you get creative.
And by creative, I mean you threaten to call Edward Snowden.
That's right, this newly discovered extortion crew isn't just demanding ransom, they're
fast-tracking the consequences.
Don't pay?
They'll rat you out to a cybersecurity journalist like
Brian Krebs, privacy advocates, and even the Electronic Frontier Foundation.
They'll outline legal penalties, predict massive fines, and warn of a PR disaster.
The message? You're in trouble whether you pay or not. Analysts at Fortra say
this is a noteworthy escalation in ransomware tactics.
Instead of just encrypting files and waiting for a payday,
Ox Thief is weaponizing legal liability and media scrutiny.
It's all part of a bigger trend.
Ransomware payments are dropping and attackers are getting desperate.
Case in point, Ox Thief claims to have hacked Broker Educational Sales and Training, but
here's where it gets messy.
Another cybercrime gang, Medusa, also claims to have breached the same organization.
Did Ox Thief really do it?
Or are they recycling someone else's heist?
Either way, the alleged victims haven't commented, and the cybercriminal underworld just keeps
getting weirder.
So what's the takeaway?
Well, if you get hacked, maybe set up an outbound call blocker for Snowden.
Just in case.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started
removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy
is protected.
DeleteMe's team does all the work for you
with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.