Cyber Security Headlines Podcast Summary
Title: Cyber Security Headlines
Host: Rich Stroffolino, CISO Series
Release Date: May 20, 2025
Episode Focus: Legal Aid Breach, NHS Cyberattacks, 23andMe Acquisition, Federal Cyber Workforce Bill, Ransomware Trends, Arla Foods Attack, Printer Software Malware, Pwn2Own Aftermath, Mozilla Security Patches
1. UK Legal Aid Agency Breached
At the beginning of the episode (00:00), host Rich Stroffolino reports a significant incident at the UK Legal Aid Agency, an executive agency of the Ministry of Justice. On April 23, the agency identified a breach by a threat actor. Jane Harbottle, CEO of the agency, stated:
"We immediately coordinated with the National Crime Agency to bolster the security of our systems." (00:30)
On May 16, further investigation revealed that the breach was more extensive than first thought: the attackers had accessed sensitive data on legal aid applicants, including criminal records, addresses, National Insurance numbers, and financial information. In response, the agency took its online services offline to secure the systems, describing this as radical but necessary action to protect user data. The Ministry of Justice said contingency plans are in place to support those who need legal aid. The identity of the attackers and their initial access method have not been disclosed.
2. NHS Patients at Risk from Cyberattacks
Rich moves on to the healthcare sector. Data obtained through a Freedom of Information request revealed that two cyberattacks on Britain's National Health Service (NHS) last year caused "potential clinical harm" to over 50 patients, a classification just below the most severe categories of "excess fatalities" and "excess casualties." The specific attacks were not named, but one is likely the 2024 ransomware attack on the pathology services provider Synnovis, which forced delays and cancellations of appointments and procedures at London hospitals.
3. 23andMe Acquisition by Regeneron Pharmaceuticals
A major corporate development concerns 23andMe, the consumer DNA testing company. After 23andMe filed for bankruptcy, raising concerns over what would happen to its customers' genetic data, Regeneron Pharmaceuticals agreed to acquire the company for $256 million. Rich explains:
"With the acquisition expected to close in Q, 23andMe services will continue uninterrupted, and Regeneron will need to tell a court-appointed ombudsman how it plans to use the genetic data, as well as detail security and privacy controls."
Regeneron has committed to maintaining 23andMe's existing privacy policies post-acquisition, aiming to address the raised privacy concerns and ensure the continuity of services.
4. Bipartisan Bill for Federal Cyber Workforce Training
The episode covers legislative efforts to bolster the federal cybersecurity workforce. Representatives Pat Fallon and Marcy Kaptur introduced the Federal Cyber Workforce Training Act in the House. This bipartisan bill proposes:
- Establishing a centralized training center focused on federal cyber workforce development.
- Setting cybersecurity standards for new federal employees, particularly entry-level positions.
- Developing role-specific training in collaboration with relevant federal agencies.
- Introducing specialized training for federal HR officials to enhance recruitment for cybersecurity roles.
The bill aims to create a robust and well-trained federal cyber workforce to address evolving cybersecurity challenges.
5. Ransomware Operators Turning to Skitnet
Rich turns to an emerging trend in ransomware operations: the adoption of Skitnet (also known as Bossnet). Researchers at Prodaft report that Skitnet is increasingly favored in ransomware intrusions because of its feature set:
- Automated Installation: Skitnet is a lightweight package with a fully automated installation process.
- Programming Languages: The initial executable is written in Rust; it decrypts and runs a payload compiled in Nim.
- Communication: Establishes a reverse shell to its C2 server over DNS.
- Persistence: Uses PowerShell commands to persist across system startup.
- Legitimate Tools: Deploys legitimate remote access tools such as AnyDesk and RUT-Serv.
Skitnet was first advertised on underground forums in April 2024 and was used by the Black Basta group last month, illustrating its growing prevalence in the ransomware landscape.
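The DNS reverse shell described above is the feature a defender can most readily look for in existing telemetry: a single host sending many queries with long, high-entropy leftmost labels to one base domain. The following is an added example, not code from the episode, from Prodaft, or from any Skitnet analysis, and it uses no Skitnet indicators. It is a generic heuristic for DNS-based C2 over resolver logs; the log format, sample lines, domains, and thresholds are all constructed for illustration, and the base-domain extraction is deliberately naive (last two labels) where production code would consult the public suffix list.

```python
"""Heuristic detector for DNS-tunnelled command-and-control traffic.

Added example; not Skitnet-specific. All log lines, hosts and domains below are
constructed and carry no real indicators of compromise.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log sample: "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.15 issues a burst of TXT queries whose leftmost labels look like
# encoded data; the other lines are ordinary traffic, including one long but
# low-entropy label that must NOT be flagged.
SAMPLE_LOG = """\
1747728000 10.0.0.15 A www.example.com
1747728001 10.0.0.15 AAAA mail.example.com
1747728002 10.0.0.15 A d41d8cd98f00b204e9800998ecf8427e.cloudfront-assets.example.org
1747728003 10.0.0.15 TXT k3v9x2qm7wz8h1nt5ry6pc4ab0dfgjls.cdn-updates.example.net
1747728004 10.0.0.15 TXT 7hq2mzv0np6kt9yx4wb1rc3sd8fg5jla.cdn-updates.example.net
1747728004 10.0.0.15 TXT x8p1vk5nt3m7wq2zr9hy4cb6sa0dfgjl.cdn-updates.example.net
1747728005 10.0.0.15 TXT b6s4hy9cr2zq7wm3tn5kv1px8a0dfgjl.cdn-updates.example.net
1747728006 10.0.0.15 TXT m2t7kn4wz1xq9vp5hr3cy6sb8a0dfgjl.cdn-updates.example.net
1747728006 10.0.0.15 TXT z9w3cp5rt1kx7mq2ny8hv4sb6a0dfgjl.cdn-updates.example.net
1747728007 10.0.0.22 A aaaaaaaaaaaaaaaaaaaaaaaa.internal.example.org
1747728008 10.0.0.22 A www.example.com
"""

# Record types that can carry a bulky response back to the client; used only
# as a secondary signal in the report, not as a flagging condition.
BULKY_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels (assumption; use the PSL in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """A label long enough to carry data and with near-random character mix."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line: str):
    """Parse one constructed log line; returns None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    try:
        return int(ts), client, qtype.upper(), qname.lower().rstrip(".")
    except ValueError:
        return None


def detect_dns_c2(log_text: str, min_queries: int = 5,
                  min_len: int = 16, min_entropy: float = 3.5) -> list:
    """Flag (client, base domain) pairs with >= min_queries encoded-looking labels.

    Returns a list of dicts sorted by the number of suspicious queries, so the
    noisiest channel comes first.
    """
    stats = defaultdict(lambda: {"encoded": 0, "total": 0, "bulky": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        s = stats[(client, base_domain(qname))]
        s["total"] += 1
        if qtype in BULKY_QTYPES:
            s["bulky"] += 1
        if looks_encoded(qname.split(".")[0], min_len, min_entropy):
            s["encoded"] += 1

    findings = []
    for (client, domain), s in stats.items():
        if s["encoded"] >= min_queries:
            findings.append({
                "client": client,
                "domain": domain,
                "encoded_queries": s["encoded"],
                "total_queries": s["total"],
                "bulky_ratio": round(s["bulky"] / s["total"], 2),
            })
    findings.sort(key=lambda f: -f["encoded_queries"])
    return findings


if __name__ == "__main__":
    for finding in detect_dns_c2(SAMPLE_LOG):
        print(finding)
```

The volume threshold is what keeps this usable: a single hashed CDN label or a long machine-generated hostname is normal, while dozens of distinct high-entropy labels under one domain from one host in a short window is not. Tune `min_queries` and the window to the environment, and exclude known DNS-heavy services (CDNs, anti-spam lookups, DNS-based blocklists) before alerting.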
6. Arla Foods Confirms Cyberattack
The Danish dairy cooperative Arla Foods confirmed a cyberattack that disrupted production at its facility in Upahl, Germany. Key points include:
- Impact: Anticipated product delays or order cancellations in the near future.
- Response: Arla aims to restore production by the end of the week.
- Details: The company has not confirmed whether the attack was ransomware-related, and no threat actor has claimed responsibility.
- Global Reach: Arla's products are sold in around 140 countries under brands including Lurpak, Castello and Puck, and the company makes Starbucks-branded drinks under licence.
7. Malware Found in ProColored Printer Software
An alarming development involves malware shipped in the official software downloads of the printer maker Procolored. Acting on a tip from tech writer Cameron Coward, security firm G DATA found that:
- Infected Downloads: 39 files in the software packages hosted on Mega.nz were infected with a cryptocurrency stealer and the wormable XRed backdoor.
- Capabilities: The backdoor logs keystrokes and downloads further payloads, while the stealer hijacks cryptocurrency wallet addresses copied to the clipboard.
- Company Response: Procolored initially dismissed the findings as false positives, then removed the infected software after concluding that the malware was most likely introduced via an infected USB drive used to transfer the files. Vendor software distributed through a file-sharing service rather than a signed, vendor-controlled download channel is itself a warning sign; verify publisher signatures and published hashes before installing such packages.
8. Pwn2Own Aftermath
Rich reviews the outcomes of the recent Pwn2Own Berlin competition:
- Bounties Awarded: Security researchers collectively earned $1,078,750 for 29 unique zero-day vulnerabilities demonstrated over the three-day event.
- Top Earners: STAR Labs SG took the largest share with $320,000.
- Vendor Responsibilities: Affected vendors have 90 days to patch the demonstrated vulnerabilities before Trend Micro's Zero Day Initiative publishes the technical details.
- Immediate Patches: Over the weekend, Mozilla addressed two critical vulnerabilities in Firefox's JavaScript engine that had been demonstrated at the event.
9. Mozilla Patches Critical JavaScript Issues
Continuing the Pwn2Own discussion, Mozilla patched two severe out-of-bounds read/write vulnerabilities in Firefox's JavaScript engine within days of the demonstrations, including for the ESR branches. Memory-safety bugs of this class in a browser's JavaScript engine are a common route to remote code execution, so users and administrators should confirm that the update has actually been applied rather than merely downloaded.
10. Closing Reflections on Cybersecurity Fundamentals
In his concluding remarks, Rich emphasizes the enduring importance of foundational cybersecurity principles. He reflects on a 1995 talk by cryptography pioneer Adi Shamir, highlighting timeless advice:
"Don't aim to be perfect for cybersecurity, don't trust systems, don't trust people, and don't rely on a single line of defense."
Rich poses a thought-provoking question:
"So why are we still struggling to understand that?"
He encourages listeners to revisit and uphold these fundamental principles amidst the rapidly evolving cybersecurity landscape, advocating for a balanced approach between foundational knowledge and innovative defenses.
Notable Quotes:
- Jane Harbottle, CEO of the UK Legal Aid Agency: "We immediately coordinated with the National Crime Agency to bolster the security of our systems." (00:30)
- Rich Stroffolino, summarizing Adi Shamir's advice: "Don't aim to be perfect for cybersecurity, don't trust systems, don't trust people, and don't rely on a single line of defense."
For an in-depth exploration of each headline and more cybersecurity insights, visit CISO Series.
