CyberWire Daily - When retaliation turns digital.
Episode Date: January 10, 2025

New details emerge about Chinese hackers breaching the US Treasury Department. The Supreme Court considers the TikTok ban. Chinese hackers exploit a zero-day flaw in Ivanti Connect Secure VPN. A new credit card skimmer malware targets WordPress checkout pages. The Banshee macOS info-stealer has been updated. A California health services organization reports a data breach. A Florida firm pays a $337,750 HIPAA settlement following a 2018 breach. Samsung patches Android devices. A Proton Mail outage hits users worldwide. A popular e-card site recovers from malware. CertByte segment host Chris Hare interviews our guest Casey Marks, ISC2's Chief Qualifications Officer, about the future of certifications. That's a feature, not a hack.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
CertByte segment host Chris Hare interviews our guest Casey Marks, ISC2's Chief Qualifications Officer, about certifications and where they could be heading. You can check out their 2024 ISC2 Cybersecurity Workforce study here.

Selected Reading
Chinese hackers breached US government office that assesses foreign investments for national security risks (CNN)
Supreme Court considers whether to allow TikTok ban to take effect (NBC News)
Ivanti VPN zero-day exploited by Chinese hackers (SC Media)
New Skimmer Malware Hijacking WordPress Websites to Steal Credit Cards (Cyber Security News)
Banshee macOS Malware Expands Targeting (SecurityWeek)
BayMark Health Services Reports Data Breach, Exposing Patient Information (The Cyber Express)
Florida Firm Fined $337K by Feds for Data Deleted in Hack (BankInfo Security)
Samsung Patches Multiple Vulnerabilities That Let Attackers Execute Arbitrary Code (Cyber Security News)
Proton Mail still down as Proton recovers from worldwide outage (Bleeping Computer)
GroupGreeting e-card site attacked in "zqxq" campaign (Malwarebytes)
Microsoft DRM Hacking Raises Questions on Vulnerability Disclosures (SecurityWeek)
Facebook awards researcher $100,000 for finding bug that granted internal access (RocketNews)
Developers sent into security panic by 'useful feature' (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
New details emerge about Chinese hackers breaching the U.S. Treasury Department.
The Supreme Court considers the TikTok ban.
Chinese hackers exploit a zero-day flaw in Ivanti Connect Secure VPN.
A new credit card skimmer malware targets WordPress checkout pages.
The Banshee macOS infostealer has been updated.
A California health services organization reports a data breach.
A Florida firm pays a $337,000 HIPAA settlement following a 2018 breach. Samsung patches Android
devices. A Proton Mail outage hits users worldwide. A popular e-card site recovers from malware.
CertByte segment host Chris Hare interviews our guest Casey Marks, ISC2's chief qualifications officer, about the future of certifications.
And that's a feature, not a hack.
It's Friday, January 10th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Happy Friday, and thanks for joining us here today.
It is great to have you with us.
New details have emerged about Chinese hackers breaching the U.S. Treasury Department's unclassified systems,
revealing they targeted its sanctions office in addition to the previously reported hack of other Treasury systems, CNN reports.
The sanctions office had recently penalized a Chinese company for cyberattacks,
raising questions about whether the hack was retaliatory.
The breach also affected the Committee on Foreign Investment in the U.S.,
which oversees foreign investments for national security risks.
This comes as the committee gained new authority over real estate deals near military bases,
an area of growing concern for potential Chinese espionage.
While no classified information was accessed,
officials worry that the stolen unclassified data
could still provide useful intelligence for Beijing.
Treasury Secretary Janet Yellen called the breach a blow to U.S.-China relations,
emphasizing the need for stronger cybersecurity measures.
The Supreme Court is considering whether to block a law that could ban TikTok in the U.S.
if its China-based owner, ByteDance, doesn't divest by January 19th. The law, enacted with
bipartisan support, aims to address national security concerns over
potential Chinese government influence on the platform. TikTok and users argue the ban violates
First Amendment rights. During oral arguments, TikTok's attorney denied direct Chinese control
and compared the divestment to shutting down a U.S. newspaper under foreign pressure.
Mandiant reports that Chinese hackers have exploited a zero-day flaw in Ivanti Connect
Secure VPN appliances since December, deploying malware such as Spawn, PhaseJam, and Dryhook
to steal credentials, API keys, and VPN session data.
CISA has mandated remediation by January 15.
Researchers warn of widespread exploitation targeting credentials
and deploying web shells for future access.
The attacks, linked to Chinese Silk Typhoon hackers,
follow recent breaches of the Treasury Department systems.
A new credit card skimmer malware targets WordPress checkout pages,
injecting malicious JavaScript into the database's WP options table to steal sensitive payment details. This approach evades detection by bypassing theme files and plugins, enabling covert operation.
The malware dynamically creates fake payment forms or intercepts real ones, capturing credit
card information in real time.
Data is encrypted and sent to attacker-controlled domains.
To mitigate risks, experts recommend checking HTML widgets for malicious scripts, applying security updates, and using firewalls and two-factor authentication.
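The recommendation above, checking HTML widgets for malicious scripts, can be turned into a repeatable check over exported wp_options rows. The following is an added example written for this page, not code from the podcast or from any of the cited sources; the indicator list, the allowlist mechanism and the sample rows are constructed assumptions, and real widget values are PHP-serialized and would need unserializing before scanning.

```python
"""Heuristic scan of wp_options rows for injected <script> content.

Added example (not code from the podcast or from any cited vendor): the
indicators, thresholds and sample rows below are constructed assumptions.
"""
import base64
import re

# Constructed wp_options rows as (option_name, option_value). WordPress stores
# widget settings PHP-serialized; the sample values are shown as plain HTML for
# clarity. The "suspicious" row wraps a harmless console.log so it exercises the
# detector without being a real skimmer payload.
CONSTRUCTED_B64 = base64.b64encode(b"console.log('constructed sample')").decode()
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://shop.example.invalid"),
    ("widget_block", "<p>Free shipping on orders over $50</p>"),
    ("widget_custom_html",
     '<script>eval(atob("%s"))</script>' % CONSTRUCTED_B64),
    ("widget_text",
     '<script src="https://cdn.example.invalid/tracker.js"></script>'),
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/]+)", re.I)
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Primitives commonly used to hide a payload at rest; a legitimate widget
# script rarely needs them (assumed indicator list).
SUSPICIOUS_CALLS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "document.write(")


def scan_option(option_name, option_value, allowed_script_hosts=()):
    """Return a list of reasons this row looks injected; an empty list means clean."""
    reasons = []
    # Serialized or escaped values carry \" around attributes; normalize so the
    # attribute regexes still match.
    value = option_value.replace('\\"', '"')
    for attrs, body in SCRIPT_RE.findall(value):
        reasons.append("script tag stored in option %s" % option_name)
        src = SRC_RE.search(attrs)
        if src:
            host_match = HOST_RE.match(src.group(1))
            host = host_match.group(1).lower() if host_match else ""
            if host and host not in allowed_script_hosts:
                reasons.append("external script host not on allowlist: %s" % host)
        for call in SUSPICIOUS_CALLS:
            if call in body:
                reasons.append("obfuscation primitive in script body: %s" % call)
        if BASE64_BLOB_RE.search(body):
            reasons.append("long base64-looking blob in script body")
    return reasons


def scan_options(rows, allowed_script_hosts=()):
    """Map option_name -> reasons for every row that raised at least one reason."""
    findings = {}
    for name, value in rows:
        reasons = scan_option(name, value, allowed_script_hosts)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_options(SAMPLE_WP_OPTIONS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Any script tag stored in an option is reported, because a widget that legitimately needs inline JavaScript is rare enough on a checkout site to deserve a look; the allowlist only suppresses the external-host reason, so a known CDN still shows up as a stored script and can be triaged quickly.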
The Banshee macOS infostealer has been updated to target systems using the Russian language,
according to Check Point.
Initially launched in 2024 and sold for $3,000 a month, the malware collects data such as passwords, browser information, and cryptocurrency wallets.
After its source code leaked in November of 2024,
antivirus detection improved, but concerns grew over new variants.
Recent updates removed restrictions on targeting Russian systems,
and Banshee is still spread via phishing websites and fake GitHub repositories,
likely by former customers or new actors.
California's BayMark Health Services reported a data breach affecting patients' personal information,
including names, social security numbers, insurance details,
and treatment information. The breach, linked to a cyberattack between September 24 and October 14,
2024, was discovered on October 11. BayMark secured systems, launched an investigation
with forensic experts, and notified law enforcement. Impacted individuals received formal notifications
and one year of free credit monitoring.
BayMark says they've since enhanced their security measures
to prevent future incidents.
Florida-based USR Holdings has paid a $337,000 HIPAA settlement
following a 2018 breach exposing the personal information of nearly
3,000 patients. The breach occurred after a firewall misconfiguration allowed unauthorized
access, resulting in data deletion. HHS found multiple HIPAA violations, including insufficient
risk analysis and backup procedures.
USR agreed to implement a corrective action plan and will be monitored for compliance.
Experts emphasize robust data backup, disaster recovery plans,
and proactive monitoring to prevent similar incidents.
This marks HHS's largest HIPAA fine in 2025 so far.
Samsung Mobile has released its January 2025 security maintenance release, addressing critical vulnerabilities in Android and Samsung devices.
The update resolves five high-priority common vulnerabilities and exposures that could allow
attackers to execute arbitrary code, risking sensitive data and device control.
It also includes 22 Samsung-specific patches.
Samsung urges users to update promptly for improved safety, device performance, and longevity.
Proton experienced a major worldwide outage yesterday, disrupting services like Proton Mail, Calendar, VPN, Drive, Pass, and Wallet due to network issues.
The outage began at 10 a.m. ET, leaving many users unable to access their accounts.
Just after 12:30 p.m., Proton Mail was restored, with all services back online right around 1:30 p.m.
Proton apologized for the disruption and continues to investigate the issue.
Users initially reported error messages when attempting to access affected services during the outage.
Malwarebytes uncovered a cyberattack dubbed the zqxq campaign targeting GroupGreeting.com,
a popular e-card site used by major enterprises like Airbnb and Coca-Cola.
Exploiting seasonal traffic spikes, attackers injected obfuscated JavaScript to redirect users to phishing sites or malware. The campaign shares traits with the
NDSW-NDSX and TDS-PERET malware, known for large-scale infections and traffic distribution
system tactics. Over 2,800 websites have been affected. GroupGreeting quickly resolved the breach.
Adam Gowdiak, CEO of AG Security Research,
has exposed vulnerabilities in Microsoft's PlayReady DRM technology, enabling unauthorized access to streaming content keys. His research highlights flaws in Microsoft's protected media
path and Warbird compiler, raising concerns about unauthorized
downloads from services like Netflix and HBO Max. While Microsoft initially dismissed the findings
as implementation issues, Gowdiak advocated for compensation outside the bug bounty program,
citing extensive effort and intellectual property concerns. When no agreement was reached,
Gowdiak provided technical details to Microsoft in November of last year
without seeking payment,
later disclosing limited public details to raise awareness.
Critics argue this case underscores flaws in bug bounty programs
and responsible disclosure practices.
Casey Ellis of BugCrowd stressed the need for
standardized terms and coordinated disclosure, warning against tactics resembling extortion.
The incident highlights ongoing challenges in balancing researcher incentives,
corporate responses, and public accountability. Elsewhere, Facebook awarded a $100,000 bug bounty to researcher Ben Sadeghipour for discovering a critical vulnerability in its ad platform.
The flaw, linked to an unpatched Chrome bug, allowed Sadeghipour to execute commands on Facebook's internal server, granting extensive access to its infrastructure.
Working with Alex Chapman, he reported the issue in October of last year, prompting Meta to address it within an hour.
Coming up after the break, Chris Hare interviews our guest Casey Marks,
ISC2's Chief Qualifications Officer, about the future of certifications.
And that's a feature, not a hack.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Chris Hare is host of our recurring CertByte segments. And today, she sits down with Casey Marks,
ISC2's Chief Qualifications Officer,
to discuss the future of certifications.
So I love your title, by the way,
Chief Qualifications Officer.
Can you tell me a little bit about your role?
So in my role at ISC2,
what I'm responsible for is the maintenance and the development of our certification portfolio,
our certification schemes, the examinations, the prerequisites, the CPE requirements.
In addition to that, some of the foundational elements that ISC2 with regard to our definition of practice through our certified bodies of knowledge, and then, of course, how we engage
in practice and through our code of professional conduct and our ethical canons.
So all of the elements that require a member to be able to demonstrate their knowledge, skills, and ability kind of roll up into the qualifications area.
Great. And you also have a background as a psychometrician, which involves test design and analysis, correct?
That is correct. Yes, I am not a psychologist and I don't prescribe
to drugs or conduct therapy, but what I do is question a lot of numbers. And I've been doing
it for almost 30 years and across a number of different disciplines, including nursing and
language testing and what have you. And so psychometricians are a slightly rare breed,
but what we do is we ensure that exams are fair, reliable, and valid, which really means that every candidate who takes the exam has an equal opportunity to pass.
The exam does what it's supposed to do, and we can prove it, and it does it repeatedly.
And so that's exactly what a candidate expects 10 years ago and 10 years hence.
And so we just keep doing that to ensure that we have fairness for all who participate.
So what are you seeing in terms of trends
and shifts in certification growth?
Right now, we're seeing a tremendous amount of uptake.
We're seeing a lot of interest across the spectrum,
whether it be in industry, academia,
or from a government perspective.
And I would say that in particular,
governmental interest with regard to professional qualifications is growing quite rapidly within the
cyberspace. And so traditionally, security issues around cyber has been thought of more from an
industry standpoint as a product issue, and certainly privacy issues around that. But the
actual qualifications and standards for individuals who engage in security activities within cyber has
become important, growing in a number of different areas, not just here within the United States
with things like 8140 at the DoD, but in the European Union, attestation schemes for certified professionals,
licensure schemes in the United Kingdom, and an emerging interest with regard to professional
qualifications and professionalization in Singapore. And so you're seeing a very global
shift towards ensuring that the people who apply this trade have demonstrated their qualifications in a robust and valid way.
Are there any specific ISC2 certs that you see a particular uptick in currently?
Yeah, so I think everyone and anyone who knows about ISC2 certainly knows about CISSP,
which is as strong as ever, continues to grow,
and day by day continues to become the defining gold standard for the cybersecurity professional.
But we have a couple other certs that certainly have been growing in popularity and probably the most notable over the last few years has been our CCSP, which is our cloud certification.
Cloud obviously has been important, continues to be important, and will continue to be important as the demand grows. We have our new certified in cybersecurity and CC certification,
which has just exploded on the scene. And so that needs to grow. But across the entire portfolio,
we're seeing a tremendous amount of interest in growth. And we don't see signs of that slowing
down anytime soon.
So you don't see any signs of it slowing down. Does that mean it's going to stay pretty steady
throughout 2025? We expect that it will. ISC2 does a number of research studies,
including our annual workforce study, which is a survey of professionals in the field and assessing their opinions with regard to readiness and availability and the ability for their workplace to be able to respond.
And there's definitely an interest and an expressed preference among professionals that they need help.
They need more people. They need more people. Their teams need to be bigger. They need more tooling. They need more resources.
The threats don't slow down.
They only increase.
Today's world with ever-increasing mechanization and automation, whether it be through AI or otherwise, is only increasing the amount of activity that professionals have to deal with.
And so there's definitely an expressed preference and expressed
understanding that we need more people. And so more people, we can't just throw anybody at this
problem. Cyber is an identified profession. We need certified people and we need good people
who have already demonstrated that they know how to do the job before they get there.
And your ISC2 team has also undertaken a BHAG
with your 1 million certified in cybersecurity program
that you mentioned with the free certification
in cybersecurity or CC,
which I'm happy to say I am a holder.
How did that goal come about and how is it coming along?
Yeah, the CC has been a tremendous,
maybe one of the most significant things
that this ISC2 has done in a number of years.
So we identified a pretty significant problem in the field,
and that was, so how do you get a job without experience?
How do you get an experience without a job?
Classic, classic conundrum.
What we did is we developed an entry-level certification.
It's a real professional certification
that allows individuals who are starting off,
the novice practitioner,
to be able to demonstrate to a third party their seriousness with the pursuit of the profession.
And so the certification, we have a program around it, the 1 million CC program, that allows people to get free education and a free examination voucher to become professionally certified. And so what we're trying to do is provide that base, the future generation of cyber professionals,
and giving it a good starting off point. And so Casey, you mentioned continuing
professional education credits. So what are some of the best ways you recommend members can earn
CPEs? Excellent. Yes, thank you. So CPE being a
core requirement of all of our certification schemes, every single member of ISC2 that holds
one of our certifications is required to be able to do this, like many certification programs.
And the best ways, oh boy, I mean, the good news is, yes, there's a lot of CPEs required. Yes,
it's an annual requirement. Yes, it's on your
three-year cycle. However, the amount of opportunities are tremendous. You can take
courses. You can take certifications. You can take training. At ISC2 alone, there are events
to be able to attend. There are webinars. There are volunteer opportunities, of which there are
many. I don't have time to go into all of them
today, but I can tell you for the certified member, you have a right and I would hope a
responsibility to give back. And as I said before, in terms of developing these certifications,
we need experts. We need subject matter experts of all types. Please consider giving back. You
get CPE credits for that. We also have a couple of initiatives I can talk about at a very high level.
We are right now endeavoring in an activity in terms of taking our individual certification bodies of knowledge and creating a unified body of knowledge, which requires expertise from the field.
Volunteer opportunities are available there.
And we are engaging on a review of a code of professional conduct.
And so we have a call for experts and volunteers in the field,
again, for which you get volunteer credits and CPEs.
And I'd say lastly, if I was to promote a little bit at ISC2,
ISC2 does have a charitable arm, our Center for Cyber Safety and Security,
also has a number of different volunteer opportunities, which are always a really good way to give back.
CPEs at ISC2, we have a couple different schedules of CPEs.
So I would suggest that anyone who is interested in these opportunities, take a look at the handbook that's available on the website at isc2.org.
And you can see a multitude of opportunities and a super number of free,
freely available CPE opportunities. So there's a lot to go after.
That's great. Well, I have to promote my, I have a segment called CertByte that I host.
And what I do is I break down a single practice test question from our base certification
offerings. And ISC2 is featured in some of our upcoming episodes in January.
So I look forward to hearing what you think of them when they come out.
Excellent.
So on the website right now.
Oh, okay, great.
Thank you for sharing that.
And thanks so much for taking the time with us today, Casey.
I hope you come back.
Yes, thank you.
I appreciate your time.
That's N2K's Chris Hare speaking with Casey Marks from ISC2.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And finally, The Register describes Mac, a developer for a SaaS business management suite
catering to non-English-speaking European markets.
One uneventful Wednesday, Mac's day took a twist
when a user reported the app mysteriously displaying
English, a language the app didn't even support. Cue the panic. Logs and deployment history were
combed for signs of sabotage. Had the app been kidnapped by rogue translators? After much
sleuthing, the culprit emerged. Chrome's overly helpful Translate to English feature accidentally triggered by the user.
The fix? Explaining how to disable the translation.
The takeaway? Helpful features can cause chaos, too.
Mac and his team chuckled and sighed as they filed this one under crisis averted.
Glad it wasn't a hack, just Chrome being a bit too
helpful. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Kyla Cardona and Aurora Johnson from SpyCloud.
We're discussing their research,
China's surveillance state is selling citizen data as a side hustle.
That's Research Saturday. Check it out. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing
world of cybersecurity. If you like our show, please share a rating and review in your favorite
podcast app. Please also fill out the survey in the show notes or send an email
to cyberwire at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our
publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next week. Bye.