CyberWire Daily - Using AI to sniff out opposition.
Episode Date: April 8, 2025

Is DOGE using AI to monitor federal employees? Google's latest Android update addresses two zero-days. Scattered Spider continues its phishing and malware campaigns. Ransomware's grip is slipping. ToddyCat exploits a critical flaw in ESET products. Oracle privately confirms a legacy system breach. Over 5,000 Ivanti Connect Secure appliances remain exposed online to a critical remote code execution vulnerability. CISA confirms active exploitation of a critical vulnerability in CrushFTP. In our Industry Voices segment, we are joined by Matt Radolec, VP of Incident Response at Varonis, on turning to gamers to build resilient cyber teams. AI outphishes human red teams.

CyberWire Guest
In our Industry Voices segment, we are joined by Matt Radolec, VP of Incident Response, Cloud Operations & SE EU from Varonis, as he discusses research on "From Gamer to Leader: How to Build Resilient Cyber Teams." Catch Matt's keynote at RSAC 2025 on April 30th.

Selected Reading
Exclusive: Musk's DOGE using AI to snoop on U.S. federal workers, sources say (Reuters)
Tariff Wars: The Technology Impact (BankInfo Security)
Google Patched Android 0-Day Vulnerability Exploited in the Wild (Cyber Security News)
Scattered Spider adds new phishing kit, malware to its web (The Register)
Ransomware Underground Faces Declining Relevance (BankInfo Security)
ESET Vulnerability Exploited for Stealthy Malware Execution (SecurityWeek)
Oracle Confirms that Hackers Broke Systems & Stole Client Login Credentials (Cyber Security News)
Exploited Vulnerability Puts 5,000 Ivanti VPN Appliances at Risk (SecurityWeek)
CISA Warns of CrushFTP Vulnerability Exploitation in the Wild (Infosecurity Magazine)
AI Outsmarts Human Red Teams in Phishing Tests (GovInfo Security)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Secure access is crucial for U.S. public sector missions.
Ensuring that only authorized users can access certain systems, networks, or data.
Are your defenses ready?
Cisco's Security Service Edge delivers comprehensive protection for your network and users.
Experience the power of Zero Trust and secure your workforce wherever they are.
Elevate your security strategy by visiting Cisco.com slash Go.SSE.
That's C-I-com slash GO slash SSE.
Is DOGE using AI to monitor federal employees?
Google's latest Android update addresses two zero days.
Scattered Spider continues its phishing and malware campaigns.
Ransomware's grip is slipping.
ToddyCat exploits a critical flaw in ESET products.
Oracle privately confirms a legacy system breach.
Over 5,000 Ivanti Connect Secure appliances remain exposed online to a critical remote code execution vulnerability.
CISA confirms active exploitation of a critical vulnerability in CrushFTP.
In our Industry Voices segment, we're joined by Matt Radolec, VP of Incident Response at Varonis, on turning to gamers to build resilient cyber teams.
And AI outphishes human red teams.
It's Tuesday, April 8th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
The Trump administration's use of Elon Musk's DOGE team continues to raise serious cybersecurity
and transparency concerns.
According to a Reuters exclusive, DOGE is reportedly using AI to monitor federal employee
communications for perceived disloyalty to Trump or Musk,
including scanning platforms like Microsoft Teams. Sources say the team communicates using
Signal, a disappearing-messages app, which may violate federal records laws. Ethics experts
warn this could be an abuse of power and a breach of federal data retention rules.
DOGE has also restricted access to key government systems, such as the Office of Personnel Management's
cloud, locking out over 100 staffers.
Only two people now control sensitive personnel data for millions of federal workers.
Critics say this level of secrecy and control over federal IT infrastructure could enable
political targeting and undermine democratic accountability.
Lawsuits and a federal court order are now pushing DOGE to release documents, but watchdogs
say transparency remains dangerously low.
Meanwhile, President Trump's declared national emergency and sweeping tariffs have launched
a global trade war that itself poses major cybersecurity risks.
Starting April 9, a 10 percent baseline tariff will hit all imports, with harsher rates for
China, the EU, and India.
Enterprise tech and cybersecurity leaders face soaring hardware costs,
delays, and increased reliance on outdated systems, raising the risk of cyberattacks.
Compliance challenges, end-of-life vulnerabilities, and shrinking budgets will force leaders to
rethink strategies, lean into cloud options, and prioritize core security investments.
Google's April 2025 Android Security Bulletin addresses multiple critical vulnerabilities,
including two zero days actively exploited in targeted attacks. Both impact the Linux
kernel's ALSA USB audio driver and pose serious risks to Android devices
running multiple versions. The first vulnerability allows information
disclosure via an out-of-bounds read, while the second enables privilege
escalation through memory corruption triggered by malicious USB devices. These
flaws may bypass standard device locks and resemble methods used by surveillance
firms. Google and Samsung have released urgent patches with fixes included in the 2025-04-05
security level. The continued targeting of Android underscores the ecosystem's security
challenges with Google reporting a significant rise in zero-day attacks.
Users are urged to update devices immediately to avoid exploitation.
Despite multiple arrests, Scattered Spider continues its phishing and malware campaigns
in 2025, targeting major firms like T-Mobile, Pure Storage, and Louis Vuitton.
The cybercrime group has ditched its rickrolling antics, focusing instead on advanced tools
like an updated Spectre RAT, which now features new obfuscation and command capabilities.
Researchers at Silent Push detailed five phishing kits used by the group, noting the latest
integrates multiple brands and is hosted on Cloudflare.
The criminals exploit SMS phishing to steal credentials, bypass MFA, and deploy malware
for persistent access and data theft.
Notably, Scattered Spider is now using publicly rentable subdomains, making their operations
harder to track.
Silent Push has released a Spectre RAT decoder and command-and-control emulator to help defenders.
Despite a law enforcement crackdown, the group's evolving tactics remain a serious threat to
organizations worldwide.
Ransomware attacks surged in early 2025, hitting a record 2,040 victims in three months, with
schools and health care providers especially affected.
Yet, despite the chaos, ransomware's grip is slipping.
As Allan Liska, a threat intelligence analyst at Recorded Future, outlined in a blog post, profits dropped from $1.25 billion in 2023 to $818 million
in 2024, as fewer victims pay ransoms, and when they do, they pay less.
Cybercriminals now favor data theft over encryption, hoping to extort payment for deletion.
Still, organizations are resisting, and law enforcement crackdowns are fracturing major
ransomware groups.
Newer, lesser-known gangs like Arcana and Babuk 2.0 are stepping in, often recycling
old code and tactics under fresh branding.
Meanwhile, global crises, from cyberespionage to trade wars, are pulling attention away
from ransomware threats.
Russia's tighter control over hackers may also be curbing major attacks.
While ransomware isn't disappearing, its dominance and profitability are clearly being
tested.
A critical flaw in multiple ESET products has been exploited by the Chinese-linked APT
group ToddyCat to deploy stealthy malware, Kaspersky reports.
The vulnerability, a DLL search order hijack, requires administrative access and enables
arbitrary code execution.
ToddyCat used this flaw to load TCESB, a sophisticated C++ tool that bypasses security monitoring
and manipulates kernel structures.
ESET patched the issue in January and urges users to update.
The group has targeted military and government entities across Europe and Asia since 2020.
Oracle has privately confirmed a breach in a legacy system contradicting earlier public
denials.
Hackers accessed old client login credentials, including encrypted passwords and exfiltrated
data, some of which dates to 2024.
The threat actor, Rose87168, demanded $20 million and deployed malware targeting Oracle's
identity manager.
Oracle insists Oracle Cloud wasn't affected, calling the breached system Oracle Classic.
However, experts criticize this as misleading rebranding.
This is Oracle's second breach disclosure in months,
prompting an FBI investigation and a class-action lawsuit.
Over 5,000 Ivanti Connect Secure appliances remain exposed to a critical vulnerability
with a CVSS score of 9.0, allowing remote code execution.
The flaw, a stack-based buffer overflow, is being actively exploited by a Chinese threat group
which deploys backdoors via Ivanti VPNs.
Ivanti issued a fix in February, but initially misdiagnosed the issue, enabling ongoing attacks.
Most vulnerable devices are outdated Pulse Connect Secure 9 versions, no longer supported since December of last year.
Ivanti urges users to patch or upgrade to supported versions immediately.
CISA has confirmed that a critical vulnerability in CrushFTP is being actively exploited.
This authentication bypass flaw, with a CVSS score of 9.8, allows unauthenticated attackers
to fully compromise unpatched CrushFTP v10 and v11 systems.
CISA added it to its Known Exploited Vulnerabilities catalog on April 7 and urges all organizations
to patch immediately. The flaw was initially discovered by Outpost24 and disclosed under a 90-day embargo.
However, another group, VulnCheck, released a separate CVE without coordination, leading
to public exposure and exploitation.
MITRE later rejected VulnCheck's CVE, sparking debate over vulnerability disclosure ethics.
Shadowserver observed over 1,500 unpatched instances and noted in-the-wild exploitation
using proof-of-concept code.
While the flaw has been fixed in multiple CrushFTP versions, the disclosure conflict
highlights challenges in coordinated vulnerability reporting.
Coming up after the break, my conversation with Matt Radolec from Varonis on turning
to gamers to build resilient cyber teams.
And AI outphishes human red teams.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when
you go to Vanta.com slash cyber. That's Vanta.com slash cyber for $1,000 off. Are you frustrated with cyber risk scores backed by mysterious data, zero context and
cloudy reasoning?
Typical cyber ratings are ineffective and the true risk story is begging to be told.
It's time to cut the BS.
BlackKite believes in seeing the full
picture with more than a score, one where companies have complete clarity in their third
party cyber risk using reliable quantitative data. Make better decisions. Reduce your uncertainty.
Trust BlackKite.
Matt Radolec is VP of Incident Response, Cloud Operations, and SE EU at Varonis.
In today's sponsored industry voices segment, I sat down with him to discuss their research
"From Gamer to Leader: How to Build Resilient Cyber Teams."
I'll say two things really.
One is a personal journey of mine.
I have an extensive background in video gaming,
whether from World of Warcraft competitive
or Fortnite or Halo, all these different games where I feel like I actually learned a lot
about teamwork, about being achievement oriented and about hustle.
And when I face with other leaders in the cybersecurity space, I often hear people talk
about how hard it is to find talent or how many times have you heard someone say, Dave,
nobody wants to work anymore?
Right.
Right. That old chestnut.
I mean, I just, it comes up all the time.
And I think you might be looking at the wrong places or you might not be giving people the
right quests in order to achieve.
And so I find that when you recruit gamers and you purposely recruit gamers and you give
them this quest line, this ability to achieve and level up their skills
that you can keep them motivated. So first you choose to recruit them, then you give them like
a path to stay motivated. And then if you arm them with some type of tools or weapons, right?
If you think of like, you know, all the different games where you can get like a cool sword or,
you know, a magical bow or a magical staff or something like that, or a better shield or a faster car.
That's the same kind of analogy can be used
for arming your teams and the people that work for you
with the tools that they need to do their job.
You could help them as a person level up,
but you could also give them a tool
that could help level up some of their skills.
And that really is the impetus of my talk,
that if you target gamers and you look at that community
and you nurture them and you arm them with the right tools that they can be a superpower
for you.
So you're not just speaking metaphorically here.
You actually do want to target folks who are avid gamers.
Absolutely.
Absolutely.
Like, personally, I mean, I feel like a lot of who I am as a person and my drive comes from, you know, playing
games and like being able to adapt to different strategies or to have to work well with others.
I want you to imagine, you know, as I sit with you today, I'm 36 years old. The first
time that I ever led a raid in World of Warcraft with 40 people in it was when I was 13. So I had to deal with teamwork and conflict
and personality resolution all those years ago.
Yeah, it's interesting.
I'm a good bit older than you,
and so my exposure to early games were things like,
well, Pong, Pac-Man, you know,
Missile Command, Asteroids.
But I did play up into and including the Halo games.
And I think you're really onto something here.
I mean, that level of teamwork, for certain scenarios,
you can't go at it alone.
You need to collaborate.
Yeah, and also think about like,
I don't know if you ever played like a role-playing game,
right, but in a lot of the role- playing games, you get a character and that character has
to level up in order to unlock new skills and new abilities. Well, that same thing could
be said about hiring a junior SOC analyst, but someday them wanting to be a malware researcher.
Are you going to just let that be an unscripted adventure? Or are you as a leader gonna carve that path for someone
to go on some, let's call them quests or missions,
and gain experience and knowledge
that if they're able to match that with achievement,
get them to that point
where they can become a malware researcher.
Because if you can do that, you can recruit gamers,
you can keep them motivated,
and you can utilize this drive that they have to benefit your
organization and have a more resilient team.
Same thing can be thought about like, you know, let's kind of imagine we're assembling a group
of people to go and take down a particular actor.
Like I have a strong background in incident response.
The different threat actors have different tactics, techniques and protocols.
You're going to bring in different experts based on the threat actor that you think
you're going to encounter or that you
know you're encountering.
That's the same thing with getting together a group
of people to take down a dragon.
So how do you propose going about attracting these folks
to cybersecurity?
I think one, the most fundamental thing
is that it's our job as leaders to build that quest line and that sense of achievement.
You have to show people that that first job that they're getting, if it's junior, can
lead to something and that that more senior job that they have or that more senior position
can also help them to develop skills and level up.
In doing that, you're helping people that have that sense of achievement feel like they're
on a journey for something and
You know, convincing your company to be able to support that as well.
Like, you know, hey, if you spend a certain amount of time in a role and, you know, your metrics are good,
you'll go from analyst one to analyst two, as an example.
It's just a great way to retain people and also to find and motivate talent.
It strikes me that it also intersects with something
that you kind of alluded to,
which is the difficulty in finding cybersecurity talent.
This is kind of a sideways way to bring entry level people
in because you're looking for preexisting talents
that they have, that they learned and earned
from playing games, from a different mode but that they can then apply to their cyber skills.
Correct, correct. You know, again, especially when you think about these
entry-level security roles or security monitoring roles, you're thinking of
personality traits a lot more than technical knowledge, skills, and ability.
Now, you may have to put together some type of entrance exam. We have a technical
interview that even we at Varonis give to junior people, so they do need to have
some technology and networking, maybe a little bit of active directory and
identity-based experience that can't be totally and completely unknown to it, but
that's a much broader audience than those with cybersecurity experience.
And how do you get leadership at an organization to buy into this sort of strategy?
First you got to carve that path.
You got to show that it's working already.
Two, I think a lot of times it's about having goals from a retention standpoint and a promotion
standpoint.
You know, if you're able to have a high percentage of attainment and keep people,
especially at a cybersecurity company or even at a business,
that's great for business.
Turnover means you have to train people,
you're going to probably have to pay a recruiter's fee or a finder's fee,
and everybody wants employee loyalty,
that's still valued in the job place.
And so I think as a leader, if you propose,
hey, I'm gonna do these things,
I'm gonna increase retention,
I'm gonna be able to target and have more junior people
that can progress over time,
so that's gonna help us with cost control,
and it's gonna lead to higher employee satisfaction
and employee loyalty.
Like, Varonis, for instance,
just named a great place to work yet again.
All these things contribute to the overall image and brand of the company.
And don't forget about the last thing I said, though, Dave.
It's also the job of a leader to find them tools.
So like, when I think about that in today's context, you know, is your SOC AI-powered?
Are you using this, like, you know, for lack of a better word, this magical potion that
you can buy on the market to make everyone stronger
and faster and smarter?
Or are you still using legacy toolkits that aren't AI powered?
I think that's a very core question
for every security leader to answer.
And when you gamify it, when you put it in the lens
of a gamer, you can really excite gamers about it.
They're like, oh, that's why you're doing it.
It isn't so that we don't hire 10 more people.
It's so that I work 10 times as efficiently and I'm able to provide better customer service and for the company at a
better bottom line. How do you dial in the right amount of gamification and the core business
functions that you need to accomplish? I guess I'm wondering, is there a peril of making it just a little too cute?
Does that make sense?
Yeah, absolutely, absolutely.
So that's a great question.
I was asked that before.
A lot of companies have like core skills and core traits.
One of them might be accountability,
it might be adaptability or learning agility.
It might be achievement oriented.
You've heard all these terms before.
I'm sure if you've ever sat through a performance review,
and I'm sure many of your listeners have.
Well, don't come up with new ones.
Use your company's one and help people understand
how that leads to improvement.
That if they improve their learning agility
and they demonstrate that they can learn faster,
how the company benefits from that.
Or in the gamer's world, how if they go from a 70 in learning agility
to an 80 in learning agility, what that stands to do for them in their career.
Can you give us some examples of some of the kinds of things
that you've found success with?
Yeah, I think one of them is this idea of a career progression ladder.
So, you know, if you can start someone at a more junior role
but show them how in five years,
they could be in a completely different,
like they can go from sock analyst to incident handler.
And how if they're, you know, if they get really advanced,
they could even go down a management track
and start to lead people
and develop what are called power skills,
where they get to learn more about like giving feedback
and delegation
and some of the things that come with being a manager versus just being a technical achiever.
And that's a path that you could paint for someone in a transparent way when they sign up for your
company, even if it's three to five years down the road. It's okay to say that. I mean, you know,
a lot of promotions have to be earned from simply like leveling up and experience and time on the
job. But carving out that path is a great way to cease to let someone know they're on a journey.
They're not just in a role.
Right.
And just even letting them know that those possibilities are out there.
I mean, it gives people something to shoot for.
Yeah.
And those that want to overachieve will do it faster.
Yeah, absolutely.
They'll want to work harder and they'll want to move through that rank faster.
And that'll drive very healthy conversations between them and their manager about, hey, how do I get
to incident handler in three years instead of five?
That's a super healthy conversation for somebody to have with their supervisor.
And if it's within a guidelines or a framework, it's not so abstract either.
They could say, well, look, there is a way that could happen.
I can't promise that could happen,
but if you did these five things
and your metrics were good, you got good reviews,
I could see it happening in three years
instead of five years.
I suspect you probably have to be careful
that you're not too rigid about this as well.
I mean, there's gonna be some really good contributors
to your team who don't need this kind of motivation? A hundred percent, a hundred percent.
And then there are going to be people that I also have found are happy in the
role that they're in and they want to develop, but they don't want to develop
quite as fast as you might want them to develop and that's okay too.
No, that's a really, that's a really good insight.
Any words of wisdom in terms of lessons you've learned along the way of, you know,
harder lessons? You know, maybe you are, are there any things that didn't quite work out
the way you'd hoped that they would have?
I wish I would have done more automation and more AI faster.
Hmm.
The gains that we're seeing from having the AI analysts be the first ones to look at the alerts are incredible.
And if I really focused on one thing for your audience,
there are things out there now.
There are AI-powered solutions, AI-enabled SOC,
or, for Varonis, AI-enabled data security, that is going to not
just give you ROI from that software and that better
defense, but your people are going
to be so much better
because they have the help of this AI SOC assistant
or AI SOC helper; we call ours Athena AI at Varonis.
With Athena's help, your analyst doesn't need to know
our technology, they can just use natural language
to interact with it.
With Athena's help, when our managed data detection
and response team gets an alert,
they already know lots
and lots that they otherwise would have had to do a manual investigation about that alert,
like the user, the device involved, the user agent, the data that they were touching, the
type of account that it is, the past history on that, that otherwise would take many, many
more queries.
We use that same type of technology to help find data. And I only wish I would
have given my team these types of tools sooner and faster. And now we put a lot of impetus
on making them better because of the efficiency gains and the accuracy gains we see it give
our people. So I, as a leader, feel like that's a big part of my job now is to give everyone
these weapons that they need to succeed. Again, metaphorically speaking, maybe I call them tools, but I give them all these superpowers
or these potions that come with a lot of these AI-enabled toolkits.
That's Matt Radolec from Varonis. We'll have a link to their report, "From Gamer to Leader: How to Build Resilient Cyber Teams," in our show notes.
What's the common denominator in security incidents?
Escalations and lateral movement.
When a privileged account is compromised, attackers can seize control of critical assets.
With bad directory hygiene and years of technical debt, identity attack paths are easy targets
for threat actors to exploit but hard for defenders to detect.
This poses risk in Active Directory, Entra ID, and hybrid configurations.
Identity leaders are reducing such risks with Attack Path Management.
You can learn how Attack Path Management is connecting identity and security teams
while reducing risk with BloodHound Enterprise, powered by SpecterOps.
Head to spectorops.io today to learn more. SpectorOps, see your attack paths
the way adversaries do.
And finally, move over chess grandmasters. AI has now leveled up to out-hustle human red teams in the world of phishing.
According to cybersecurity firm Hoxhunt, their AI phishing agent, codenamed JKR, Joker,
beat human-crafted phishing attempts by 24% in March.
That's a glow-up from last year, when Joker lagged 31% behind.
Think of it as a Skynet-meets-email moment.
Joker adapts like a social engineering ninja, customizing bait with user-specific context
like job roles and locations.
It's not just phishing, it's precision phishing in bulk.
Hoxhunt says this could make mass phishing campaigns as effective as today's spear-phishing
attempts.
The Anti-Phishing Working Group also reported a global spike in phishing sites and smishing
scams, including hilariously off-target toll collection texts.
So while humans still bring creativity, AI brings scale, 24-7 hustle, and zero need for coffee.
Experts say defending against AI-driven threats will still require one vital element: human judgment.
We'd have more good judgment if it weren't constantly busy cleaning up after bad judgment.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services by solving complex
challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing, Vanguard offers a dynamic
and collaborative environment where your ideas drive change. With career growth opportunities and a focus
on work-life balance, you'll have the flexibility to thrive both
professionally and personally. Explore open cybersecurity and technology roles
today at Vanguardjobs.com