
Loading summary
CISO Series Host
From the CISO series, it's Cybersecurity Headlines.
Steve Prentiss
These are the cybersecurity headlines for Thursday, March 6, 2025. I'm Steve Prentiss. Former Top NSA Cyber official protests probationary firings Rob Joyce, the NSA's former top cybersecurity official, told Congress on Wednesday that current administration led efforts to fire large numbers of probationary federal employees will be devastating for US Cybersecurity operations. Speaking at the House Select Committee on the Chinese Communist Party, Joyce, who retired last year, stated that countering Chinese hacking campaigns needs top level cybersecurity talent at the NSA and other government agencies. Probationary federal employees are those who have been in their current positions for less than a year, though in many cases those employees have worked other positions in the federal government over their careers. Differing Names for hackers hinders law enforcement says security agent According to an article in cyberscoop, an investigator who cannot be named stated during a speech that could not be quoted in the article that malicious hackers take full advantage of the lack of standardized names for their operations since the justice system was set up long ago and is not built for the sophistication of international criminal cyber gangs. One particular problem involves the fact that the groups make use of the Public Access to Court Electronic Records System, otherwise known as pacer. They use it to study affidavits and to learn how investigations are opened and conducted. In addition, the agent there are disincentives for law enforcement agencies and agents from different districts to work together. Everyone wants to get theirs and everyone wants their stats because that's what they're judged on. End quote. Google releases AI scam detection for Android to fight conversational fraud Conversational fraud, in which a threat actor involves a potential victim in a live text based conversation to help them part with their money, is now being addressed by this new AI app that can flag suspicious patterns and deliver real time warnings over the course of a conversation without sacrificing user privacy, end quote. This Android model runs completely on device and applies only to conversations with phone numbers that are not in the device's contact list. Google emphasized that conversations remain private and that if customers choose to report a chat as spam, then sender details and recent messages with that sender are shared with Google and carriers. This feature is launching in English first in the us, the UK and Canada, with broader expansion planned for a later date. CISA adds Linux kernel and VMware ESXi and workstation flaws to Kev. These latest additions to the known Exploited Vulnerabilities catalog involve a Linux kernel use of uninitialized resource vulnerability and three vulnerabilities in VMware ESXi specifically, an arbitrary write vulnerability, a time of check time of use race condition vulnerability, and a fusion information disclosure vulnerability. Interestingly, Amnesty International stated that the Linux kernel vulnerability was likely used by cellebrite's mobile forensic tools to unlock the Android phone of a Serbian student activist. This is a story we reported on yesterday. Since these have been applied to the KEV, federal agencies are required to fix them by March 25th. Thanks to this week's episode's sponsor ThreatLocker ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com that is thr eat locker.com US charges Chinese infrastructure Hackers as quoted in bleeping computer the U.S. justice Department has charged Chinese state security officers, along with APT27 and ISOON hackers for network breaches and cyber attacks that have targeted victims globally since 2011. ISOON is spelt lowercase I hyphen uppercase s and then lowercase oon isoon. The victims include US Federal and state government agencies, foreign ministries of multiple governments in Asia, U S based dissidents, as well as a prominent religious organization in the United States. Isoon also goes by the name ANJUN Information Technology, I.e. aNXUN Venezuelans arrested for ATM jackpotting Two individuals, both Venezuelan nationals, were arrested in Illinois for jackpotting ATMs in New York and possibly also in Massachusetts and Illinois. Jackpotting refers to the installation of malware on the hard drive of an ATM or replacing the drive entirely with an infected device. It is believed that these attacks netted the thieves approximately $187,000. They have now been charged with bank theft and conspiracy to commit bank theft and face up to 10 years in prison. Ransomware Group claims Tata attack following up on a story we covered last month, the cybercrime group Hunters International has now claimed responsibility for a cyber attack on Indian engineering firm Tata Technologies and is threatening to leak 1.4 terabytes of its data. This week, the group added Tata to their Tor based leak site and is threatening to make all the data public within the next six days. Silk Typhoon Evolves to exploit Common IT Solutions the Chinese espionage group Silk Typhoon, also known as Hafnium, has been identified by security researchers at Microsoft Threat Intelligence to be increasingly exploiting common IT solutions such as remote management tools and cloud applications to gain initial access. Silk Typhoon is one of the best resourced and technically adept state sponsored threat actors targeting IT services, healthcare, government agencies and higher education institutions globally. Recent activity by the group includes abusing stolen API keys and credentials from privileged access management systems, cloud application providers and cloud data management companies. These activities allow the group to infiltrate downstream customer environments, conduct reconnaissance, and exfiltrate Data related to U.S. government policy, legal processes and other areas of strategic interest. Microsoft says the group also uses password spray attacks, scanning public repositories like GitHub for leaked corporate passwords. We've seen a wave of attempts at platform consolidation across the Security Operations center, but will the unique challenges of the SOC ultimately favor a more modular approach? That's what we're digging into on this week's episode of Defence In Depth. Look for the episode Is there an increasing consolidation of vendors in the SoC? Wherever you get your podcasts, I'm Steve Prentiss reporting for the CISO series.
CISO Series Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories. Behind the headlines.
Steve Prentiss
It.
Host: Steve Prentiss
Podcast: CISO Series - Cyber Security Headlines
Release Date: March 6, 2025
Former NSA cybersecurity chief, Rob Joyce, has raised alarms about the current administration's initiatives to terminate a significant number of probationary federal employees. Speaking before the House Select Committee on the Chinese Communist Party, Joyce emphasized the dire implications for U.S. cybersecurity.
"Current administration-led efforts to fire large numbers of probationary federal employees will be devastating for US Cybersecurity operations."
— Rob Joyce (Timestamp: 00:25)
Joyce, who retired last year, highlighted the critical need for top-tier cybersecurity talent within the NSA and other government bodies to effectively counter Chinese hacking initiatives. He pointed out that probationary employees, typically in their roles for less than a year, often bring diverse experiences from various federal positions, making their retention essential for robust cybersecurity defenses.
An unnamed security investigator revealed significant challenges law enforcement faces due to the lack of standardized nomenclature for hacker groups. Addressing an audience, the investigator underscored how malicious actors exploit this ambiguity to their advantage.
"Malicious hackers take full advantage of the lack of standardized names for their operations since the justice system was set up long ago and is not built for the sophistication of international criminal cyber gangs."
— Unnamed Security Agent (Timestamp: 02:10)
Key issues include hackers leveraging the Public Access to Court Electronic Records (PACER) system to study legal procedures, thereby enhancing their evasion strategies. Additionally, internal disincentives within law enforcement discourage inter-district collaboration, as agents prioritize individual metrics over collective security goals.
Google has launched a groundbreaking AI application designed to detect and warn users about conversational fraud in real-time, without compromising user privacy.
"Conversational fraud involves a threat actor engaging a potential victim in live text-based conversations to deceive them into parting with money. Our new AI app flags suspicious patterns and delivers real-time warnings throughout the conversation."
— Google Representative (Timestamp: 03:45)
This feature operates entirely on-device, targeting conversations with unknown numbers not stored in the user's contacts. While user privacy remains paramount, reports of spam can prompt the sharing of sender details and recent message history with Google and carriers. Initially available in English across the U.S., UK, and Canada, Google plans a broader rollout in the future.
The Cybersecurity and Infrastructure Security Agency (CISA) has added new vulnerabilities to its KEV catalog, mandating federal agencies to address them by March 25th.
Amnesty International has linked the Linux kernel vulnerability to Cellebrite's mobile forensic tools, used to unlock an Android device belonging to a Serbian student activist—a development previously reported by the CISO Series.
The U.S. Justice Department has indicted Chinese state security officers alongside hacker groups APT27 and ISOON for persistent cyber intrusions targeting various sectors worldwide since 2011.
"The victims include US federal and state government agencies, foreign ministries of multiple governments in Asia, U.S.-based dissidents, as well as a prominent religious organization in the United States."
— Bleeping Computer Report (Timestamp: 05:20)
ISOON, also known as ANJUN Information Technology (aNXUN), has been implicated in numerous network breaches and cyber assaults, demonstrating the extensive reach and impact of these state-sponsored activities.
Two Venezuelan individuals have been apprehended in Illinois for orchestrating ATM jackpotting schemes across New York, Massachusetts, and Illinois, resulting in approximately $187,000 in illicit gains.
"Jackpotting refers to the installation of malware on the hard drive of an ATM or replacing the drive entirely with an infected device."
— CISO Series Host (Timestamp: 06:15)
Charged with bank theft and conspiracy to commit bank theft, the suspects face potential imprisonment of up to 10 years, underscoring the severe legal repercussions of such cyber-enabled financial crimes.
Building on previous coverage, the cybercrime faction Hunters International has asserted responsibility for breaching Indian engineering firm Tata Technologies. The group threatens to release 1.4 terabytes of sensitive data unless demands are met.
"We added Tata to our Tor-based leak site and are threatening to make all the data public within the next six days."
— Hunters International Representative (Timestamp: 06:50)
This escalation highlights the increasing boldness and operational capabilities of ransomware groups, posing significant risks to corporate and national security.
Microsoft Threat Intelligence has observed that the state-sponsored Chinese espionage group Silk Typhoon (also known as Hafnium) is intensifying its exploitation of widely used IT solutions, including remote management tools and cloud applications, to facilitate initial access.
"Silk Typhoon is one of the best-resourced and technically adept state-sponsored threat actors targeting IT services, healthcare, government agencies, and higher education institutions globally."
— Microsoft Threat Intelligence Analyst (Timestamp: 07:30)
Recent tactics involve the misuse of stolen API keys, credentials from privileged access management systems, and data from cloud service providers. These methods enable Silk Typhoon to infiltrate customer environments, perform reconnaissance, and exfiltrate data related to U.S. government policies and strategic interests. Additionally, the group utilizes password spray attacks and scans public repositories like GitHub to obtain leaked corporate passwords, further amplifying their threat vector.
In the next episode of the CISO Series, titled "Is There an Increasing Consolidation of Vendors in the SoC?", Steve Prentiss explores the trend of platform consolidation within Security Operations Centers (SOC). The discussion delves into whether the unique challenges faced by SOCs will ultimately favor a more modular approach to security infrastructure.
Stay tuned to gain deeper insights into the evolving landscape of cybersecurity operations.
For more detailed stories and daily updates, visit CISOseries.com.