CyberWire Daily - X marks the hack.
Episode Date: March 11, 2025X-Twitter had multiple waves of outages yesterday. Signal’s president warns against agentic AI. A new lawsuit alleges DOGE bypassed critical security safeguards. Is the Five Eyes Alliance fraying? T...he Minja attack poisons ai memory through user interaction. Researchers report increased activity from the SideWinder APT group. A critical Veritas vulnerability enables remote code execution. A Kansas healthcare provider breach exposes 220,000 patients’ data. New York sues Allstate over data exposure in insurance websites. CISA warns of critical Ivanti and VeraCode vulnerabilities. FTC to refund $25.5 million to victims of tech support scams. On our Industry Voices segment, we are joined by Gerald Beuchelt, CISO at Acronis, who is discussing how threat research and intelligence matter to MSPs. The UK celebrates a record-breaking CyberFirst Girls Competition. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, we are joined by Gerald Beuchelt, CISO at Acronis, who is discussing how threat research and intelligence matter to MSPs. Selected Reading Hackers Take Credit for X Cyberattack (SecurityWeek) X users report login troubles as Dark Storm claims cyberattack (Malwarebytes) Signal President Meredith Whittaker calls out agentic AI as having 'profound' security and privacy issues (TechCrunch) Lawsuit Says DOGE Is Ignoring Key Social Security Data Rules (BankInfo Security) As Trump pivots to Russia, allies weigh sharing less intel with U.S. (NBC News) MINJA sneak attack poisons AI models for other chatbot users (The Register) SideWinder APT Group Attacking Military & Government Entities With New Tools (Cyber Security News) Critical Veritas Vulnerability Let Attackers Execute Malicious Code (Cyber Security News) Kansas healthcare provider says more than 220,000 impacted by cyberattack (The Record) Allstate sued for exposing personal info in plaintext (The Register) CISA Urges All Organizations to Patch Exploited Critical Ivanti Vulnerabilities (Infosecurity Magazine) FTC will send $25.5 million to victims of tech support scams (Bleeping Computer) Record Number of Girls Compete in CyberFirst Contest (Infosecurity Magazine) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get
your jobs more visibility at indeed.com slash cyber wire. Just go to indeed.com slash cyber
wire right now and support our show by saying you heard about indeed on this podcast. Indeed.com
slash cyber wire. Terms and conditions apply. Hiring, indeed, is all you need.
Ex Twitter had multiple waves of outages yesterday.
Signals President warns against agentic AI.
A new lawsuit alleges Doge bypassed critical security safeguards.
Is the Five Eyes Alliance fraying?
The Minja attack poisons AI memory through user interaction.
Researchers report increased activity from the Sidewinder APT group.
A critical Veritas vulnerability enables remote code execution.
A Kansas health care provider breach exposes 220,000 patients' data.
New York sues Allstate over data exposure and insurance websites.
CISA warns of critical Avanti and Vericode vulnerabilities.
The FTC is going to refund $25.5 million to victims of tech support scams.
On our industry voices segment, we're joined by Gerald Buchelt, CISO at Acronis, who's
discussing how threat research and intelligence matter to MSPs.
And the UK celebrates a record-breaking Cyber First Girls competition.
It's Tuesday, March 11, 2025. Thanks for joining us here today.
It is great to have you with us.
A cyber attack caused outages on ex-Twitter on Monday with reports indicating multiple
attack waves.
While Elon Musk called it a massive cyberattack and suggested a coordinated group or nation-state
was involved, details remain unclear.
Musk later pointed to IP addresses from Ukraine, but sources say most attack traffic came from
the U.S., Vietnam, and Brazil.
The attack was likely a DDoS attack, where compromised devices overwhelm a system with
traffic.
The Dark Storm team, a pro-Palestine hacktivist group possibly linked to Russia, claimed responsibility.
Other groups, including anonymous affiliated hacktivists, also took credit, but verifying
these claims is difficult.
Cyber attacks like these often blur the lines between hacktivism, cybercrime, and state-sponsored
operations.
Ex-Twitter has been targeted before, including by Anonymous Sudan, a group whose members
were recently charged in the U.S. for offering DDoS services.
Investigations into this latest attack are ongoing.
Speaking at the South by Southwest conference, Signal President Meredith Whitaker warned that
agentic AI poses serious privacy and security risks.
She compared AI agents to putting your brain in a jar,
as they perform tasks on users' behalf,
such as booking tickets, managing calendars, and sending messages.
To function, these agents would need deep access to users' systems, including web browsing,
credit card details, messaging apps, and calendars, likely with root-level permissions.
She cautioned that processing such tasks would almost certainly happen on cloud servers,
exposing sensitive data.
Whitaker stressed that integrating AI agents with secure messaging apps like Signal would
compromise message privacy. She also criticized the AI industry's reliance on mass data collection,
arguing that prioritizing bigger-is-better AI risks further eroding privacy in exchange for convenience.
A new lawsuit alleges the Department of Government Efficiency, DOJ, bypassed critical security
safeguards at the Social Security Administration, risking exposure of sensitive data.
Former SSA Acting Chief of Staff Tiffany Flick warned that Doge operatives, led by Mike Russo,
pressured officials to grant system access to Akash Baba, despite unresolved security clearances.
Doge's push for unrestricted data access ignored federal protections designed to prevent financial
exploitation and unauthorized system breaches. Flick accused Doge of forcing staff to share highly sensitive information via potentially
unsecured email channels relying on AI tools to analyze data and determine federal job
cuts.
She resigned after security policies were disregarded and Leland Dudek, a mid-level
analyst, was elevated to acting commissioner.
The AFL-CIO-backed lawsuit warns that Doge's actions jeopardized national security,
with federal cybersecurity experts sounding alarms over mass government dismissals
and weakened data protection measures.
NBC News reports several U.S. allies are reconsidering their intelligence-sharing protocols, fearing
that President Trump's warming ties with Russia could compromise sensitive data.
Sources say concerns center on protecting foreign assets, as intelligence agencies are
bound by strict commitments to shield sources' identities. Members of the Five Eyes alliance—the UK, Canada, Australia, New Zealand, along with
Israel and Saudi Arabia—are evaluating whether to limit intelligence flow to Washington.
While publicly downplaying concerns, some officials privately question U.S. reliability
and the risk of intelligence leaks.
Trump's recent pauses in intelligence assistance to Ukraine and the reported halt of cyber
operations against Russia have heightened security worries.
Some fear a US-Russia cyber-detente, despite Russia's history of harboring cybercriminals.
Former intelligence officials warned that Moscow is an unreliable partner, and scaling
back intelligence sharing could undermine global security efforts.
Researchers from Michigan State University, University of Georgia, and Singapore Management
University have uncovered a new attack method that manipulates AI models with memory without requiring back-end access.
Dubbed MINJA for Memory Injection Attack, the technique allows a regular user to poison
an AI's memory simply by interacting with it.
The attack injects misleading prompts into the model's memory, altering future responses.
Tested on GTP4-powered AI agents,
Minja tricked a medical chatbot into swapping patient records,
a web shop AI into misdirecting purchases,
and a QA agent into answering questions incorrectly.
With over 95% injection success,
Minja bypasses traditional moderation filters
by disguising manipulations as legitimate
reasoning. The findings highlight serious security risks for AI systems with memory,
urging immediate improvements in AI memory safeguards. OpenAI has not yet commented on
the vulnerability.
Researchers at SecureList report increased activity from the Sidewinder APT Group in 2024,
with enhanced malware, expanded targets, and global reach.
Traditionally focused on military and government entities, the group now targets maritime, logistics, and nuclear sectors
across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails, Sidewinder exploits a vulnerability to deploy Steelerbot,
a post-exploitation toolkit.
Their malware, disguised as legitimate DLL files,
includes advanced evasion techniques like control flow flattening.
Sidewinder rapidly adapts, modifying malware within five hours of detection.
Their continued reliance on old vulnerabilities underscores the importance of patching outdated
systems to defend against sophisticated threats targeting critical infrastructure worldwide.
A severe remote code execution flaw in Veritas Arctera InfoScale exposes enterprise disaster
recovery infrastructure to attack.
The issue stems from insecure deserialization in the Windows plugin host service, allowing
attackers to execute arbitrary code via malicious.NET remoting messages. The flaw affects InfoScale version 7.0 and 8.0.2 on
Windows with system-level privilege risks.
Veritas advises disabling plugin host or
using manual DR configurations to mitigate exposure.
Security experts warn that outdated technologies like
.NET deserialization remain prime targets, requiring proactive
defense beyond patching. Organizations should audit DR workflows to prevent exploitation.
A December cyberattack on Sunflower Medical Group compromised 221,000 patients' sensitive
data, including Social Security numbers, medical records, and insurance
details. The breach, discovered January 7, revealed hackers had been inside the system
since mid-December, stealing files. While Sunflower has not confirmed a ransomware attack,
the Riceida ransomware gang claimed responsibility, demanding $800,000. The company notified regulators, offered credit monitoring, and stated no operational disruptions
occurred.
RICEDA has previously targeted health care and nonprofit organizations, heightening concerns
over medical data security.
New York State is suing Allstate Insurance for failing to secure personal data, allowing
criminals to steal thousands of driver's license numbers from poorly designed quote-generating
websites.
The issue stemmed from National General, an Allstate unit, which exposed driver's license
numbers in plain text during the quoting process.
Fraudsters exploited the system, harvesting at least 12,000 records for identity theft
and unemployment fraud.
The breach went undetected for over two months, with 9,100 New Yorkers affected, yet National
General failed to notify them, violating state laws.
Another 187,000 individuals' data was compromised due to weak access controls, including plaintext
passwords and no multi-factor authentication for insurance agents.
New York seeks penalties and an injunction against continued security failures.
Texas has also sued Allstate for allegedly collecting telematics data without user consent,
further raising privacy concerns.
CISA has added three critical Ivanti endpoint management vulnerabilities to its known exploited
vulnerabilities catalog.
These path traversal flaws allow unauthenticated attackers to leak sensitive information remotely.
CISA also flagged two veracode vulnerabilities, an unrestricted file upload flaw, and an SQL
injection vulnerability.
The agency urges all organizations to immediately patch these issues to prevent cyberattacks.
The Federal Trade Commission will begin distributing $25.5 million in refunds to over 736,000 consumers deceived by Restoro and Reimage, tech support
companies that used fake system warnings to trick users into paying for unnecessary computer
repairs.
These firms impersonated Windows pop-ups, falsely claiming devices had malware or performance
issues. Investigators found their software fabricated security threats
to push users into buying repair plans ranging from $58 to $499.
Fined $26 million in 2024, the companies are now banned from deceptive telemarketing.
The FTC continues to crack down on fraudulent tech
practices, previously targeting TurboTax, Avast, and data brokers. Refunds will be sent
via PayPal starting March 13th, with recipients needing to redeem them within 30 days. Coming up after the break, my conversation with Gerald Gushelff, CISO at Acronis, we're
discussing how threat research and intelligence matter to MSPs, and the UK celebrates a record-breaking
Cyber First Girls competition.
Stick around.
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Ubico believes the future is passwordless.
Ubiquis offer unparalleled protection against phishing for individuals, SMBs and enterprises.
They deliver a fast, frictionless experience that users love.
Ubico is offering N2K followers a limited buy one get one offer.
Visit ubico.com slash n2k to unlock this deal.
That's Y-U-B-I-C-O.
Say no to modern cyber threats.
Upgrade your security today.
Do you know the status of your compliance controls right now?
Like right now?
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time
checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to Vanta.com slash cyber that's Vanta.com slash cyber for a thousand dollars off
Gerald Buschelt is chief information security officer at Acronis, and in today's sponsored
industry voices segment, we discuss how threat research and intelligence matter to MSPs.
The managed service provider industry has really been at the forefront of rolling out
technology for small and medium businesses and making it scalable and usable for those kind of businesses.
If we think back like 20 or 30 years,
it's like it was typical that each company had their own small IT department,
which typically consisted of a few administrators perhaps.
And we're trying to really keep things together.
With the increasingly complex IT environment that we are seeing today, whether it's laptop
management, endpoint management, or SaaS services, public cloud usage, etc., etc., these kind
of challenges become harder and harder, and it becomes prohibitively expensive for a small or even
a medium-sized business to operate those kind of technologies
completely on their own, which is why the managed service
provider really came into play.
It's like where the IT department as a service,
if you want, started to really take shape over those last,
I would say, 25 years, give or take.
And has been, overall, quite successful,
because it allows businesses to focus on their, actually,
core mission objectives instead of having
to invest fairly heavily into personnel and resources
around technology enablement.
And I think this trend is gonna continue
and actually gonna be accelerated over the next years
and decades because at the end of the day,
it's like we are in a labor sharing environment.
And I think these kind of technologies really make sense
to be managed by professionals that focus on that
instead of having everyone to try to do their own thing.
The scope of the managed service provider really started out,
obviously, in a fairly limited IT management fashion
around basic corporate IT enablement,
but has gone now really much deeper into
all aspects of the corporate environment,
including running back office systems,
but also in an increasing way focusing on security.
We have even specialized managed service providers,
managed security service providers,
which are focusing specifically on the security needs,
compliance needs for companies.
They're sometimes standalone entities,
sometimes they're part of managed
service providers. And they're really looking at defining the overall requirements for companies'
security posture and then ultimately risk exposure to the world.
Well, let's dig into threat research and threat intelligence specifically. I mean, why do
these matter to MSPs?
It's, I mean, at the end of the day,
it's like in order to set up
any kind of sensible security program,
you need to understand what you're actually dealing with.
If you just do security based on compliance checklists
or quote unquote by the numbers or what the book says,
then you end up creating environments that are not
necessarily addressing the actual threats that your
customers are facing.
You end up potentially overspending on the certain
types of controls that are really not necessary or can be
dealt with in different ways.
And you potentially underspend on absolutely critical
controls that are not
on your radar screen.
So it's like understanding threat intelligence is really important at multiple levels.
At the highest level, it really is needed in order to be able to fully understand the
risk and exposure of your customers, of your own business, actually, as well.
For that, you really need to know your customers.
But it's like understand that well in order to
define the right kind of controls that you want to put in place.
Then at a lower level, it's like you want to rely on
vendors such as Acronis to really leverage
telemetry and advanced threat information that we can
collect from our many workloads in order to be able to create an environment that is
proactively locking down things and proactively preventing issues.
One of the things that strikes me, and correct me if I'm
mistaken here, is that things like antivirus and anti-spam, you
can deploy those in a very automated kind of way.
But threat intelligence and threat research require more human intervention and more thoughtfulness.
And I suppose to that end, you know, more effort.
Is that an accurate perception?
Yeah, I would say that you can definitely see it this way.
If you have a simple antivirus
or anti-malware agent on your laptop,
you're obviously attempting to proactively
prevent certain issues to happen.
You can do all kinds of fun things,
signature-based detection, you can do heuristics,
you can integrate this with the overall network stack to see
what type of systems your laptop is communicating with and based on
that, perform certain automated action. But I think the
true magic comes into play when you start to take this
information and collect it at a central point in order to
better understand what is actually going on in your
environment and then potentially have even better and
more comprehensive controls in place that
do not necessarily only act on a single laptop but on the entire environment. And that's where we
really get into the EDR and ultimately XDR environment where you can integrate the kind of
capability, the kind of telemetry that comes from your respective laptops into centralized environment, just like alert and monitor based on that.
Do research through a pretty much interactive capability that allows you to
execute certain types of tasks through the agent that you have on those endpoints,
and ultimately get a much better sense in terms of what's going on.
As such, like I said,
it's like be much more proactive
about locking down certain aspects of your infrastructure.
It seems to me also that working with a third party
provider such as you and your team,
you get the benefit of all the other organizations
that you all are looking at.
Beyond my own moat around my organization,
you all have a view
into things that I otherwise wouldn't have any window into.
Very much so, yeah.
It's like that's, I mean, that is the strength that comes from working with an organization
such as ours that does not only push out a product, but it's like really also invests
back into leveraging the information
that we're getting.
And again, it's like, I think there's good means of, good kind of like approaches to
do this on multiple levels.
It's like both on improving the product itself, it's like improving the detection capabilities,
improving our signatures beyond what is generally
available through things like a total virus or so, and then really go out with augmented
and much more targeted things.
We see a lot of what's happening in the MSP space because we do have a lot of customers
and partners in that range.
So it's like it allows us to really leverage those things better and
that's all at the tactical level at the at the technical implementation level
the kind of reports and the kind of like updates that we provide outside of
that are really also very helpful for for our MSP partners and the community
are enlarged to understand what's actually happening in that space from a
from a more conceptual perspective.
What are your recommendations for an organization that wants to implement this,
wants to make threat research and threat intelligence more a factor in their day-to-day operations?
How would you recommend they proceed?
So at the simplest level, it would be really just picking a trusted vendor that implements this in their own products
and has a proven track record of hopefully many years
to really include advanced threat information
from their own systems as well as from others
in using that for protecting customers' endpoints.
But at the same time, I would also always say,
it's like you do want to have a function in your security
team that looks at this from a more 20,000 foot level
perspective and really tries to understand what
the company is doing, what the customers of the company are
doing, how this maps back to what's
going on in the overall digital underground.
Does this attract specific cyber criminals?
Does this attract only script kiddies?
Or do you perhaps even attract certain types of nation-state adversaries, which is not
super typical, but it does happen quite a bit as well.
Based on that information, you really then want to review what it is that you're doing,
and as such, then optimize your resources.
If you're not dealing with nation-state adversaries, then there are certain things that you may be able to get away with not doing with quite so much death,
versus if you are exposed to those kind of threats.
That's Gerald Guschelt, CISO at Acronis.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information
from hundreds of data brokers.
I finally have peace of mind
knowing my data privacy is protected.
DeleteMe's team does all the work for you
with detailed reports
so you know exactly what's been done.
Take control of your data
and keep your private life private
by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when
you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k
code n2k.
And finally, this year's Cyber First Girls competition in the UK has not only crowned
its winners, but also inspired the next generation of cybersecurity professionals.
In a record-breaking year, 14,500 girls across 4159 teams took on the challenge, showcasing
brilliant problem-solving teamwork and determination.
At a ceremony at JoJerrell Bank, Hillcrest School in Birmingham was named Top Scoring
State Newcomer, while Henrietta Barnett School in North London took Top Scoring Team.
With regional champions and special award winners also honored honored the event coincided perfectly with International
Women's Day, highlighting the industry's need for more female representation.
Chris Ensor of the NCSC expressed gratitude to teachers, sponsors, and participants, emphasizing
the importance of encouraging young women into cyber careers.
With just 17% of cybersecurity roles filled by women, competitions like CyberFirst are
critical in closing the industry's skills gap and shaping a more diverse future. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Perout.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow. And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024, these traditional
security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI
stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context, simplifying security
management with AI-powered automation, and detecting threats using AI to analyze over
500 billion daily transactions.
Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.