Podcast Summary: Cyber Security Headlines – Week in Review
Title: Cyber Security Headlines
Host: CISO Series
Episode: Week in Review: Microsoft Trust Abuse, 23andMe Bankruptcy Risks, NIST’s Growing Backlog
Release Date: March 28, 2025
Introduction
In this episode of Cyber Security Headlines, host Rich from the CISO Series delves into the most pressing cybersecurity stories of the week. Joined by returning guest Jonathan Waldrop, CISO at The Weather Company, the discussion spans a range of topics from malware abuse of Microsoft's Trust Signing Service to the potential risks surrounding 23andMe's bankruptcy. The conversation is enriched with expert insights, notable quotes, and actionable takeaways for cybersecurity professionals and enthusiasts alike.
1. Microsoft Trust Signing Service Abused to Code Sign Malware
Overview: Researchers at BleepingComputer have identified a surge in threat actors leveraging Microsoft's Trust Signing Service to sign malware using short-lived, three-day code signing certificates. This tactic lends the malware an appearance of legitimacy, enabling it to bypass security filters more effectively. Extended Validation (EV) certificates are particularly prized by attackers for their higher trust levels and ability to evade SmartScreen alerts.
Key Points:
- Exploitation Tactics: Attackers prefer Microsoft's service for its convenience and the user confusion stemming from recent EV certificate changes.
- Impact on Security Measures: Traditional security tools like MFA and HTTPS are being circumvented, highlighting the evolving nature of cyber threats.
Notable Quotes:
- Rich: “[...] it's still an ongoing journey. Has it been that long ago? Okay, maybe it's been 10 years or so.” [00:54]
- Jonathan Waldrop: “There’s always something new, and... okay, we’ve got to go update our checklist again.” [03:36]
Insights: Jonathan emphasizes the necessity for continuous vigilance and proactive measures. He notes, “We gotta keep going because something is going to change and we're always playing catch up” [03:52], underscoring the dynamic landscape of cybersecurity.
2. Vulnerabilities Found in Numerous Solar Power Systems
Overview: Cybersecurity firm Forescout has uncovered multiple vulnerabilities in solar power systems from vendors such as Sungrow, Growatt, and SMA. These flaws present significant risks to electrical grids, allowing attackers to execute arbitrary code, steal data, or disrupt power distribution through compromised components.
Key Points:
- Affected Systems: Vulnerabilities exist in internet-connected components, cloud services for monitoring, and mobile apps interfacing with users.
- Broader Implications: The integration of IoT devices in renewable energy infrastructure expands the attack surface, necessitating enhanced security protocols.
Notable Quotes:
- Rich: “[...] it's no surprise we're hearing about this. I’m curious, do you feel that this will be a major stumbling block for this still kind of emerging, you know, renewable industry field...” [05:18]
- Jonathan Waldrop: “Anytime you're connecting to the Internet, you've got things to worry about.” [05:18]
Insights: Jonathan draws parallels between IoT security and critical infrastructure, stating, “They shouldn’t have to [secure the systems themselves]” [06:55], and highlights the manufacturer's responsibility in ensuring the security of distributed systems, especially those integral to essential services.
3. NHS Software Supplier Receives Discount on Fine for Good Behavior
Overview: Advanced Health and Care Ltd., an IT provider for the UK's NHS, faced a reduced fine of £3.07 million from the Information Commissioner’s Office (ICO) following a ransomware attack by the LockBit gang in August 2022. The fine was halved due to the company’s cooperation with regulators and proactive risk mitigation efforts.
Key Points:
- Regulatory Response: The ICO recognized the company's efforts in mitigating risks post-incident, setting a precedent for future cybersecurity breaches.
- Industry Implications: This case raises questions about fairness and accountability for industry partners involved in high-profile breaches.
Notable Quotes:
- Jonathan Waldrop: “People that are doing the right thing, people that are, hey, you know what? We realize we made a mistake...” [08:06]
- Rich: “[...] it's maybe a win-win.” [09:34]
Insights: Jonathan reflects on the balance between accountability and acknowledging good behavior, suggesting that “there’s recognition of that good behavior” [08:06]. He advocates for continued accountability to ensure that organizations learn and improve from security incidents.
4. 23andMe Bankruptcy Puts Millions of DNA Records at Risk
Overview: 23andMe, a personal ancestry company, has filed for bankruptcy, raising alarms about the security of millions of DNA records. Concerns revolve around the potential sale of genetic data to the highest bidder, despite the company's assurances of maintaining privacy protections. California's Attorney General has urged users to delete their data, emphasizing the permanence of genetic information.
Key Points:
- Data Security Risks: Bankruptcy proceedings may expose DNA records to potential sale or misuse, heightening privacy concerns.
- Operational Challenges: Maintaining a secure posture during bankruptcy is challenging, especially with the evolving landscape of cybersecurity threats.
Notable Quotes:
- Rich: “[...] delete my data. I guess, does that matter given the scale of this potential privacy concern?” [12:19]
- Jonathan Waldrop: “If you haven't, if you are 23andMe or you know somebody or you like somebody, please go tell them to help them delete that data.” [11:02]
Insights: Jonathan underscores the irreversibility of data once it's online, stating, “Once it's on the Internet, you can't remove it from the Internet” [11:07]. He highlights the broader implications for how courts and regulatory bodies will handle the sale and protection of sensitive genetic information in bankruptcy scenarios.
5. Troy Hunt Falls Victim to Spear Phishing Attack
Overview: Troy Hunt, founder of Have I Been Pwned?, recently experienced a spear phishing attack that led to the compromise of his Mailchimp account. Approximately 16,000 email addresses, including unsubscribed contacts, were exported by the attackers. Hunt attributes the breach to a momentary lapse caused by jet lag and emphasizes the need for continued vigilance in cybersecurity practices.
Key Points:
- Attack Vector: A deceptive email mimicking Mailchimp's legitimate communications tricked Hunt into divulging his credentials and a one-time password.
- Security Practices: The incident highlights the importance of tools like 1Password and awareness of phishing tactics.
Notable Quotes:
- Rich: “For Mailchimp, unsubscribe does not mean delete my name. I wouldn't have necessarily thought about that because I don't want to receive emails anymore.” [16:32]
- Jonathan Waldrop: “It's proof that this can happen to anybody. We're all vulnerable, even those of us that deal with this on a day to day basis.” [15:30]
Insights: Jonathan commends the transparent disclosure by Troy Hunt, noting it serves as a valuable lesson for the cybersecurity community: “The major win here is somebody with a big security profile that says hey look, it happened to me. It can happen to you too.” [15:30]. This incident reinforces the universal vulnerability to sophisticated phishing attacks, regardless of expertise.
6. NIST Struggles to Keep Up with Growing Backlog of CVEs
Overview: The National Institute of Standards and Technology (NIST) is grappling with a significant backlog in processing Common Vulnerabilities and Exposures (CVEs) within the National Vulnerability Database. With a 32% increase in submissions last year and expectations of further growth in 2025, NIST's delays are impacting organizations' ability to address vulnerabilities promptly.
Key Points:
- System Overload: The surge in CVE submissions overwhelms NIST's capacity, hindering timely access to critical vulnerability data.
- Potential Solutions: Discussions include expanding NIST's resources, automating processes with AI, and leveraging industry partnerships to manage the influx.
Notable Quotes:
- Jonathan Waldrop: “Adding more people sometimes solves a short term problem, but it rarely solves the long term problem.” [18:29]
- Rich: “[...] it's a big problem to solve and I look forward to seeing how they tackle it.” [19:37]
Insights: Jonathan advocates for innovative approaches beyond merely increasing manpower. He suggests, “Maybe there's some way we can automate some of these processes or work to... crowdsource some of the data.” [18:29]. This highlights the need for scalable solutions to manage the escalating volume of vulnerability data effectively.
Conclusion and Final Thoughts
As the episode wraps up, Rich extends gratitude to the show's contributors and highlights the importance of proactive cybersecurity measures. Jonathan Waldrop lauds Troy Hunt’s transparent handling of his phishing incident, viewing it as a positive example for the industry.
Notable Quotes:
- Jonathan Waldrop: “I think it's a great example of how we can embrace what we do and really take a lesson from that.” [21:37]
- Rich: “We're never going to be like, yeah, vulnerabilities went down 45%. Yeah, we're down. It's easy. We solve cybersecurity.” [20:42]
Key Takeaways:
- Continuous Vigilance: Cybersecurity is an ever-evolving field requiring persistent attention and adaptability.
- Collaborative Solutions: Addressing systemic issues like CVE backlogs necessitates innovative, collaborative approaches.
- Transparent Disclosure: Openly sharing security incidents fosters a culture of learning and resilience within the community.
Stay Connected:
For more detailed discussions and daily cybersecurity updates, visit CISOseries.com. Join the live conversations on YouTube and engage with experts like Jonathan Waldrop to stay ahead in the world of information security.
