Transcript
A (0:00)
From the CISO series. It's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Wednesday, February 26, 2025. I'm Rich Stroffolino.

U.S. employee screening firm confirms breach
DISA Global Solutions provides employment screenings and background checks to a third of the Fortune 500. This week, it submitted a filing with Maine's Attorney General confirming it detected a cyber incident on April 22, 2024. After investigation, it was found the illicit network access began back on February 9th. In a filing with the Massachusetts Attorney General, it was confirmed that attackers obtained Social Security numbers, credit cards and other financial information, as well as scanned ID documents from some screened individuals. The filing also states that DISA could not definitively conclude the specific data procured, so it can't name specific victims. No word on who orchestrated the attack or why it waited almost a year to disclose it.

Swedish law enforcement seeking messaging app backdoors
Swedish news outlet SVT Nyheter reported that law enforcement and security agencies in the country are pushing legislation requiring encrypted messaging apps to create technical backdoors in their infrastructure. The agencies would need to get the proposed bill before relevant committees before it could be taken up by Sweden's Parliament next year. Minister of Justice Gunnar Strömmer came out in favor of the backdoors for these apps, but the Swedish Armed Forces opposes the bill, as they regularly use things like Signal. Signal Foundation President Meredith Whittaker said Signal would leave the market if such a bill passed.

Dems warn of exposed entry points on government systems
Democrats on the House Oversight Committee sent a letter to President Trump warning that the Department of Government Efficiency, or DOGE, has left multiple government agencies vulnerable to cyber attacks by foreign agents and malicious actors, with no transparency on which department officials have access. The letter points to publicly exposed systems with the Treasury's Secure Payment System, the Office of the Comptroller of the Currency, and several national laboratories, including ones that manage U.S. nuclear stockpiles. The letter asks where new technology was deployed, what data has been exported by DOGE staff to third-party servers, and for information on cyber incidents under the new administration.

Linux backdoor used in the wild
Researchers at Palo Alto Networks Unit 42 discovered an undocumented Linux backdoor called Auto-color, used by threat actors against government and university targets in North America and Asia from November to December 2024. Researchers don't know the initial attack vector. If it runs with root privileges, it installs a malicious library implant, copies itself to the system directory and modifies files to ensure that it executes before any other system libraries. Even without root access, the malware can still provide remote access to threat actors, but lacks persistence. Once running, it uses a custom encryption algorithm to talk to C2 servers.

And now, thanks to today's episode sponsor, Conveyor.
Ever wish you had a teammate that could handle the most annoying parts of customer security reviews? You know, chasing down SMEs for answers, updating systems, coordinating across teams, all the grunt work nobody wants to do, plus having to finish the dang questionnaire itself. Well, that teammate exists. Conveyor just launched Sue, the first AI agent for customer trust. Sue really is the dream teammate. She never misses a deadline, answers every customer request from sales, completes every questionnaire, and knocks out all the coordination in between. Sue, Conveyor's AI agent, handles it all so you don't have to. Learn more at conveyor.com. That's C-O-N-V-E-Y-O-R dot com.

LightSpy learns new tricks
LightSpy is a modular spyware suite first seen in use in Hong Kong back in 2020. Researchers have previously seen active development on LightSpy. ThreatFabric documented that it expanded plugin support last year and added new destructive capabilities on mobile. Now, researchers at Hunt.io have found signs of increasing sophistication in how LightSpy interacts with C2 servers, now offering over 100 commands. These new commands expand beyond direct data transfers and allow for version tracking and transmission management. The new commands also add the ability to target Facebook and Instagram apps on Android for database extraction.

Large-scale legacy driver exploitation campaign discovered
A new report from Check Point Research documented this campaign using over 2,500 variants of the vulnerable TrueSight.sys driver, part of a product suite from the cybersecurity firm Adlice. Attackers use the driver to exploit an exception in the Windows driver signing policy and get it to load. Attackers generally use phishing lures to get it on machines, where they install EDR-killing modules and prepare for a second-stage payload using a variant of Gh0st RAT. 75% of victims in the campaign were located in China, with Chinese public clouds used for the C2 infrastructure. After reporting the issue, Microsoft updated its vulnerable driver blocklist to remove the exception.

LockBit variant makes Siberian dairy plant go sour
A regional office for Russia's FSB security service announced that a version of LockBit ransomware was used in an attack on the Semyonishna dairy plant in southern Siberia. The plant manager said the attack caused all printers in the facility to print out leaflets condemning the Russian military. The attackers reportedly used AnyDesk remote desktop software to access the plant's network. The attack did not disrupt dairy production, but did prevent any food labeling. This is the second cyberattack on the plant in the last year. A July attack took down cheese production for a month.

Orange confirms breach after leak
The French telco Orange Group confirmed to BleepingComputer that it suffered a data breach on a non-critical application. This came after a member of the HellCat ransomware group known as Rey published thousands of internal documents from the company, including source code, invoices and employee information from its Romanian operations. Rey maintains this wasn't a HellCat operation in and of itself and that they maintained access to Orange systems for over a month. Rey said that they dropped a ransom note, but Orange did not negotiate. It's unclear how much data was obtained. A review by BleepingComputer found some leaked documents at least five years old.

Remember to subscribe to the CISO Series on YouTube. You can join us there for our Week in Review show every Friday at 3:30pm Eastern and also see original clips, demos and industry interviews. Just search for CISO Series on YouTube and give us a follow. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
