
Cybersecurity Today: Allegations Against Elon Musk, Microsoft Lockout Issues, Cozy Bear's New Malware, and Canada's Anti-Fraud Proposals In this episode of Cybersecurity Today, hosted by David Shipley, we examine several major cybersecurity stories. A...
David Shipley
A whistleblower organization says that DOGE may have caused a significant cyber breach at a US labor watchdog, a Microsoft security feature gives administrators heartburn right as the Easter holiday starts, a Russian intelligence agency-linked group deploys special malware targeting European diplomats, and Canadian Conservative leader Pierre Poilievre proposes new $5 million fines and Criminal Code offences for companies that fail to address online fraud. This is Cybersecurity Today and I'm your host, David Shipley. A whistleblower complaint says that billionaire Elon Musk's team of technologists may have been responsible for a "significant cybersecurity breach" at America's federal labor watchdog. Daniel Berulis, an information technology staffer at the National Labor Relations Board, or NLRB, says he has evidence that DOGE staffers were given extraordinary access to the NLRB's systems. These systems house sensitive case files as well as sensitive business information on firms. He said that at the beginning of March, logging protocols created to audit users appear to have been tampered with, and that he had detected the removal of up to 10 gigabytes worth of data from the NLRB's network sometime thereafter. The NLRB is tasked with protecting workers' rights to organize and join unions. The agency, created decades ago, has been a long-time and frequent target of American corporate leaders like Musk. Berulis alleged in an affidavit that there were attempted logins to NLRB systems from an IP address in Russia in the days after DOGE accessed the systems. He told Reuters Tuesday that the attempted logins apparently included correct usernames and passwords, but these logins were rejected by location-related conditional access policies. Berulis's affidavit said that an effort by himself and a colleague to formally investigate and alert the Cybersecurity and Infrastructure Security Agency, or CISA, was disrupted by higher-ups without explanation.
Andrew Bakaj, chief legal counsel for the group Whistleblower Aid, filed these allegations in a submission to Republican Senate Intelligence Committee Chairman Tom Cotton and his Democratic counterpart Mark Warner. The submission includes a statement from Berulis that, as he and his colleagues were preparing to pass the information they had gathered on to CISA, he received a threatening note taped to the door of his home with photographs of him walking in his neighborhood, taken via drone. "Unlike any other time previously, there is this fear to speak out because of reprisal," Berulis told Reuters. "We're seeing data that is traditionally safeguarded with the highest standards in the United States government being taken. And the people that do try to stop it from happening, the people that are saying no, they're being removed one by one." Windows administrators from numerous organizations reported widespread account lockouts this weekend that were triggered by false positives in the rollout of a new Microsoft Entra ID feature called MACE. MACE is a credential revocation app in Microsoft's Entra ID that is used to detect leaked credentials and lock potentially compromised accounts. BleepingComputer reported that the issue began Friday night, and initially administrators suspected a wave of false positives, as some of the affected accounts had unique passwords that were not used on any other services. Microsoft Entra ID, formerly Azure Active Directory, is a cloud-based identity and access management service that helps organizations manage user identities and secure access to resources.
On Saturday, Windows admins on Reddit shared that they had received multiple alerts for some of their accounts saying that those accounts had been found with credentials leaked on the dark web or other locations. These accounts were automatically locked out of the tenant, with numerous users impacted per organization. One managed service provider reported that up to a third of all accounts were impacted. A managed detection and response, or MDR, provider posted that they had received 20,000 alerts from Microsoft about leaked credentials from numerous clients. Cybersecurity company Huntress Labs posted on Sunday on its website that 1,500 tenants that it was working with had been affected. While all alerts of leaked credentials should be investigated to confirm that an account was not compromised, if you received a flurry of alerts at once during this rollout, it is likely behind that. Microsoft has not officially posted on the issue and has yet to respond to media reports as of Sunday. Given that holiday weekends are often exploited by attackers, this particular issue was extraordinarily poorly timed. If your firm's IT or security team is extra tired this week or flat-out exhausted after this issue, consider being extra kind to them. Losing a weekend to an incident is always hard. Losing one to a tool gone rogue is especially difficult. It appears the Russian hackers known as Cozy Bear may be in need of a new nickname: Cozy Bear or, increasingly, Boozy Bear. The Russian intelligence-linked APT29 has been using wine-themed phishing lures and new malware to target European diplomats. The latest set of attacks entails sending email invites for wine tastings, impersonating an unspecified European ministry of foreign affairs agency, and coaxing targets into clicking on a link that triggers the deployment of a new malware called GRAPELOADER by means of a malware-laced zip archive, wine.zip.
The emails were sent from the domains baconhoff.com and silre.com, The Hacker News reports. Cybersecurity firm Check Point says GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence and payload delivery. This campaign is said to have mainly singled out European countries, with a specific focus on ministries of foreign affairs as well as other countries' embassies in Europe. There are indications that diplomats based in the Middle East may have also been targeted. The lesson here: phishing works particularly well when you know your audience. Journalists and cybersecurity professionals should probably be on the lookout for whiskey tasting or similar hard-liquor-themed phishing invites. I kid. Well, sort of. Canadian Conservative leader Pierre Poilievre is promising to protect seniors by making it mandatory for financial institutions and phone companies to stop digital scammers in their tracks. The plan would require these companies to detect, report and block "suspected fraud in real time," or face the prospect of massive fines and/or being charged with a new crime under the Criminal Code. The Conservative leader, who is campaigning ahead of the April 28 federal election, is proposing a Stop Scamming Seniors Act. Say that three times fast. This new act would require banks and telecommunications firms to deploy state-of-the-art technology to catch scams and stop them before they happen. The Conservative Party said in a statement last week that "the institutions best positioned to prevent these crimes, banks and telecom companies, are not legally required to act fast, transparently or decisively." Under this proposed plan, corporations would be required to employ the same kinds of AI tools they currently use to optimize marketing and sales initiatives to track possible instances of fraud. The party is also proposing adding minimum sentences of one year in jail for those committing over $1 million in fraud.
A new charge would also be added to the Criminal Code called "willful profiteering from fraud." That would target corporate executives who "ignore the red flags and knowingly allow scam traffic or activity." Companies found to have willfully neglected to implement scam prevention efforts could face fines of up to $5 million per violation. While social media companies were not called out in the announcement like banks and telecommunications firms were, hopefully they'll be held to the same standard. We are always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thank you for listening.
Host: David Shipley (Guest Host for Jim Love)
In this episode of Cybersecurity Today, host David Shipley addresses four major cybersecurity developments impacting businesses and governments. The discussions cover serious allegations against Elon Musk's DOGE team, a disruptive false-positive wave from a new Microsoft Entra ID security feature, new malware from the Russian threat group Cozy Bear, and a Canadian Conservative Party proposal to combat online fraud targeting seniors. Below is a detailed summary of each segment, with notable quotes and timestamps.
David Shipley opens the episode with a whistleblower organization's allegation that DOGE, the team of technologists associated with Elon Musk, caused a substantial cybersecurity breach at the National Labor Relations Board (NLRB).
David Shipley [00:00]: "A whistleblower complaint says that billionaire Elon Musk's team of technologists may have been responsible for a, quote significant cybersecurity breach, end quote."
Daniel Berulis, an IT staffer at the NLRB, alleges that DOGE staffers were granted extraordinary access to the board's highly sensitive systems, which contain case files and proprietary business information on firms. He says that in early March the logging mechanisms intended to audit user activity appear to have been tampered with, and that he later detected the removal of up to 10 gigabytes of data from the NLRB network.
Berulis further claims that in the days after DOGE's access there were attempted logins from a Russian IP address that apparently presented correct usernames and passwords but were rejected by location-based conditional access policies. That combination (valid credentials, blocked only by a location rule) is the signature of credential compromise rather than guessing.
Daniel Berulis [04:35]: "We're seeing data that is traditionally safeguarded with the highest standards in the United States government being taken. And the people that do try to stop it from happening, the people that are saying no, they're being removed one by one."
Whistleblower Aid has submitted these allegations to the Republican chairman and the Democratic vice chairman of the Senate Intelligence Committee; the submission states that an attempt by Berulis and a colleague to investigate formally and alert CISA was disrupted by higher-ups. Berulis also says he received a threatening note at his home, accompanied by drone photographs of him in his neighborhood, illustrating the reprisals whistleblowers may face.
Berulis [07:50]: "Unlike any other time previously, there is this fear to speak out because of reprisal."
This segment underscores the vulnerability of governmental institutions to insider threats and the potential involvement of high-profile individuals in compromising sensitive data.
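The detail worth operationalizing from this segment is the login pattern Berulis describes: sign-ins that pass the password check and are stopped only by a location-based Conditional Access rule. The script below is an added example, not code from the podcast, Reuters or any party named in the story. It runs over constructed sign-in records that borrow field names from the Microsoft Graph signIn resource; the users, IP addresses and allow-list are made up, while error code 53003 is the real Entra code for "blocked by Conditional Access".

```python
"""Find accounts whose valid credentials were presented from a blocked location.

Added example, not from the podcast or any of the organizations it names.
Records are constructed and loosely follow the Microsoft Graph `signIn`
resource fields (userPrincipalName, ipAddress, location.countryOrRegion,
status.errorCode, conditionalAccessStatus). Users, IPs and the allow-list
are invented; the Entra error codes are real.
"""
from collections import defaultdict

CA_BLOCKED = 53003     # Entra: "Access has been blocked by Conditional Access policies"
BAD_PASSWORD = 50126   # Entra: invalid username or password (never reaches CA evaluation)

# Constructed sample: one normal sign-in, two CA-blocked sign-ins from a
# foreign address with a correct password, and one plain wrong-password attempt.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-10T02:14:05Z", "userPrincipalName": "alice@example.gov",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-03-11T23:41:12Z", "userPrincipalName": "alice@example.gov",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "RU"},
     "status": {"errorCode": CA_BLOCKED}, "conditionalAccessStatus": "failure"},
    {"createdDateTime": "2025-03-11T23:42:30Z", "userPrincipalName": "bob@example.gov",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "RU"},
     "status": {"errorCode": CA_BLOCKED}, "conditionalAccessStatus": "failure"},
    {"createdDateTime": "2025-03-12T08:00:00Z", "userPrincipalName": "bob@example.gov",
     "ipAddress": "198.51.100.42", "location": {"countryOrRegion": "RU"},
     "status": {"errorCode": BAD_PASSWORD}, "conditionalAccessStatus": "notApplied"},
]


def credential_valid_but_blocked(record, allowed_countries):
    """True when the password was accepted and only a location policy stopped the sign-in.

    Conditional Access is evaluated after first-factor authentication succeeds,
    so a 53003 with conditionalAccessStatus == "failure" means the primary
    credential was correct. A wrong password (50126) never gets that far.
    """
    country = record.get("location", {}).get("countryOrRegion")
    return (record["status"]["errorCode"] == CA_BLOCKED
            and record.get("conditionalAccessStatus") == "failure"
            and country not in allowed_countries)


def compromised_accounts(records, allowed_countries=("US", "CA")):
    """Map each affected user to the sorted list of source IPs that presented valid credentials."""
    hits = defaultdict(set)
    for r in records:
        if credential_valid_but_blocked(r, allowed_countries):
            hits[r["userPrincipalName"]].add(r["ipAddress"])
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in compromised_accounts(SAMPLE_SIGNINS).items():
        print(f"{user}: valid password presented from blocked location(s) {ips}; "
              f"rotate the credential and revoke sessions")
```

The point of the filter is that a location rule buys time but does not fix anything: a 53003 from an unexpected country is evidence the password is already in someone else's hands, and the response is credential rotation and session revocation, not just satisfaction that the policy held.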
The podcast moves on to the disruption caused by Microsoft's rollout of a new Entra ID feature named MACE, a credential revocation app designed to detect leaked credentials and lock potentially compromised accounts.
David Shipley [12:30]: "Windows administrators from numerous organizations reported widespread account lockouts that were triggered by false positives in the rollout of a new Microsoft Entra ID feature called MACE."
Starting Friday night, organizations began receiving a surge of alerts claiming that user credentials had been found leaked on the dark web or elsewhere. Administrators quickly suspected false positives, since some flagged accounts used unique passwords not reused on any other service. The affected accounts were automatically locked out of their tenants, and the timing, at the start of the Easter holiday weekend, made the operational impact worse.
One managed service provider reported that up to one-third of its accounts were affected; a managed detection and response (MDR) provider said it had received about 20,000 leaked-credential alerts from Microsoft across multiple clients; and Huntress Labs reported that around 1,500 tenants it works with were hit.
David Shipley [16:45]: "If you received a flurry of alerts at once during this rollout, it is likely behind that. Microsoft has not officially posted on the issue and has yet to respond to media reports as of Sunday."
The timing of this malfunction is particularly problematic as holiday periods are often exploited by cyber attackers, leaving IT and security teams stretched thin and struggling to address the influx of false alarms.
David Shipley [18:10]: "If your firm's IT or security team is extra tired this week or flat out exhausted after this issue, consider being extra kind to them."
This incident highlights the tension between automated account protection and its reliability: a detection that revokes access on its own must be accurate, or it becomes a self-inflicted denial of service. Every leaked-credential alert still has to be checked, but a large burst arriving at once during a vendor rollout is far more likely to be the rollout than a simultaneous compromise of a third of a company.
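The triage problem admins faced that weekend was ordering the queue: which leaked-credential detections deserve a phone call right now, and which are almost certainly the rollout. The script below is an added example, not Microsoft's code and not from the podcast. It works on constructed records that mimic the field names of the Microsoft Graph riskDetection resource; the one-hour window and the five-user threshold are assumptions chosen for illustration rather than Microsoft guidance.

```python
"""Separate a bulk wave of Entra ID "leaked credentials" detections from isolated ones.

Added example, not Microsoft's code and not from the podcast. Records are
constructed and mimic the Microsoft Graph `riskDetection` fields
(riskEventType, detectedDateTime, userPrincipalName, riskState). The
one-hour window and five-user threshold are illustrative assumptions.
Timestamps are assumed to be whole-second UTC; Graph may emit fractional
seconds, in which case the format string needs adjusting.
"""
from datetime import datetime, timedelta, timezone


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _det(when, user, kind="leakedCredentials", state="atRisk"):
    return {"detectedDateTime": when, "userPrincipalName": user,
            "riskEventType": kind, "riskState": state}


# Constructed: one mid-week detection for a single user, then six distinct users
# inside ten minutes on a Friday night, one repeat, and one unrelated detection type.
SAMPLE_DETECTIONS = [
    _det("2025-04-16T14:05:00Z", "carol@example.com"),
    _det("2025-04-18T22:00:10Z", "alice@example.com"),
    _det("2025-04-18T22:01:45Z", "bob@example.com"),
    _det("2025-04-18T22:03:02Z", "dave@example.com"),
    _det("2025-04-18T22:04:31Z", "erin@example.com"),
    _det("2025-04-18T22:07:19Z", "frank@example.com"),
    _det("2025-04-18T22:09:58Z", "grace@example.com"),
    _det("2025-04-18T22:09:59Z", "alice@example.com"),   # same user again, counted once
    _det("2025-04-18T22:05:00Z", "heidi@example.com", kind="anonymizedIPAddress"),
]


def detection_waves(detections, window=timedelta(hours=1), min_users=5):
    """Cluster leakedCredentials detections into time waves.

    A wave opens at its first detection and absorbs every later detection
    within `window` of that start. A wave touching at least `min_users`
    distinct accounts is tagged bulk=True, the shape of a provider-side
    rollout or feed problem rather than independent credential leaks.
    """
    leaked = sorted((d for d in detections if d["riskEventType"] == "leakedCredentials"),
                    key=lambda d: _parse(d["detectedDateTime"]))
    waves = []
    for d in leaked:
        t = _parse(d["detectedDateTime"])
        if waves and t - waves[-1]["start"] <= window:
            waves[-1]["users"].add(d["userPrincipalName"])
        else:
            waves.append({"start": t, "users": {d["userPrincipalName"]}})
    for w in waves:
        w["users"] = sorted(w["users"])
        w["bulk"] = len(w["users"]) >= min_users
    return waves


def triage(detections, **kwargs):
    """Order the review queue: isolated detections first, bulk-wave users after.

    Nothing is dismissed here; a bulk tag lowers priority, it does not close the alert.
    """
    first, noise = [], []
    for w in detection_waves(detections, **kwargs):
        (noise if w["bulk"] else first).extend(w["users"])
    return {"investigate_first": sorted(first), "probable_rollout_noise": sorted(noise)}


if __name__ == "__main__":
    for w in detection_waves(SAMPLE_DETECTIONS):
        print(f"{w['start']:%Y-%m-%d %H:%M}Z  users={len(w['users'])}  bulk={w['bulk']}")
    print(triage(SAMPLE_DETECTIONS))
```

The thresholds should be tuned to the tenant: for a ten-person company five users is half the workforce, for an MSP with thousands of tenants the useful signal is the same wave appearing across many unrelated customers at the same minute, which is exactly what the MDR and Huntress reports described.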
David Shipley then discusses the latest cyber-espionage activity from Cozy Bear (APT29), a group linked to Russian intelligence. The group is now using wine-themed phishing lures together with a newly observed malware loader that Check Point calls GRAPELOADER.
David Shipley [21:15]: "The lesson here: Phishing works particularly well when you know your audience."
The group sends emails posing as wine tasting invitations from a European ministry of foreign affairs, using the domains baconhoff.com and silre.com. A link in the email delivers a malware-laced zip archive, wine.zip, which deploys GRAPELOADER when the recipient opens its contents.
Check Point describes GRAPELOADER as an initial-stage tool used for fingerprinting the host, establishing persistence and delivering follow-on payloads. The campaign mainly targets European countries, especially ministries of foreign affairs and other countries' embassies in Europe, with indications that diplomats based in the Middle East were also targeted.
David Shipley [23:40]: "There are indications that diplomats based in the Middle East may have also been targeted."
The sophistication of these phishing attempts underscores the importance of tailored social engineering strategies in cyber-attacks, emphasizing the need for continuous vigilance and advanced protective measures within diplomatic channels.
In the final segment, Shipley covers a proposal from Canadian Conservative leader Pierre Poilievre, made during the federal election campaign, to combat online fraud aimed at seniors. The proposed Stop Scamming Seniors Act would oblige financial institutions and telecommunications companies to detect, report and block suspected fraudulent activity in real time.
David Shipley [27:10]: "Pierre Poilievre is promising to protect seniors by making it mandatory for financial institutions and phone companies to stop digital scammers in their tracks."
Under this act, non-compliant companies could face substantial fines of up to $5 million per violation and new criminal charges designed to hold corporate executives accountable for failing to prevent fraud effectively.
David Shipley [29:25]: "Companies found to have willfully neglected to implement scam prevention efforts could face fines of up to $5 million per violation."
The legislation also proposes minimum prison sentences for individuals committing large-scale fraud, setting a precedent for stringent punitive measures against cybercriminals.
David Shipley [30:50]: "This new charge would be added to the criminal code called willful profiteering from fraud. That would target corporate executives who, quote, ignore the red flags and knowingly allow scam traffic or activity, end quote."
Although social media platforms were not explicitly mentioned, the discussion suggests that similar standards could be extended to these entities to ensure comprehensive protection against fraud across all digital platforms.
In this comprehensive episode of Cybersecurity Today, David Shipley navigates through a series of significant cybersecurity challenges:
For businesses and cybersecurity professionals, these discussions emphasize the importance of robust security protocols, the need for responsive and resilient IT infrastructures, and the critical role of governmental policies in shaping the cybersecurity landscape. As the digital realm continues to expand, staying informed and adaptable remains paramount in safeguarding against emerging threats.
For more insights and updates, listeners are encouraged to subscribe to Cybersecurity Today and engage with the community through provided contact channels.
Contact Information:
This summary aims to provide a comprehensive overview of the podcast episode for those who have not listened, capturing all key points, discussions, insights, and conclusions presented by David Shipley.