CyberWire Daily Podcast Summary: "Bear in the Network"
Release Date: May 21, 2025
Host: Dave Bittner, N2K Networks
Introduction
In the episode titled "Bear in the Network," hosted by Dave Bittner, CyberWire Daily delves into a series of critical cybersecurity incidents and developments. The episode provides in-depth analysis of cyber espionage activities, ransomware attacks, regulatory changes, massive DDoS assaults, and significant security advisories from leading tech companies. Additionally, the podcast features an insightful interview with Rob Allen, Chief Product Officer at ThreatLocker, discussing the principles of Zero Trust and effective endpoint protection.
Key Cybersecurity News
1. Joint Advisory on Fancy Bear (APT28) Targeting Western Firms
Timestamp: 00:02 – 02:28
A joint cybersecurity advisory from the U.S. and allied agencies has highlighted ongoing cyber espionage activities by Russia’s GRU unit 26165, also known as Fancy Bear or APT28. This group has been actively targeting Western logistics and technology firms, particularly those supporting Ukraine, since 2022. The campaign employs techniques such as password spraying, spear phishing, and exploiting vulnerabilities in Microsoft Exchange and WinRAR. Key targets include transportation hubs, defense contractors, IT service providers, and air traffic systems across NATO countries. Additionally, the GRU has compromised IP cameras near Ukrainian borders to monitor aid deliveries. Organizations are advised to bolster their monitoring, threat hunting, and network defenses to mitigate these persistent threats.
2. Ransomware Attack on Kettering Group’s Hospital Network
Timestamp: 02:28 – 04:35
Kettering Group, a non-profit hospital network in Ohio, experienced a severe ransomware attack attributed to the Interlock Group. This breach resulted in a system-wide technology outage affecting 14 hospitals and over 120 outpatient facilities. The disruption led to the cancellation of all elective procedures and rendered the call center inaccessible. Emergency services remained operational, but ambulances were diverted to other facilities, prompting neighboring Premier Health to declare a Code Yellow due to increased patient volumes. The attackers demanded a ransom, threatening to leak stolen data if their demands were not met. Kettering Health is collaborating with cybersecurity experts to investigate and restore systems. Furthermore, scammers have been impersonating Kettering staff to solicit payments, leading the organization to suspend all payment-related calls and advise patients to report suspicious activity to law enforcement.
3. CFPB Abandons Stricter Regulations for Data Brokers
Timestamp: 04:35 – 06:15
The Consumer Financial Protection Bureau (CFPB) has decided to drop plans to classify certain data brokers as credit bureaus, a move that would have subjected them to tighter regulations. Initially proposed in December 2023, the rules aimed to limit the sale of sensitive American data by requiring accuracy, transparency, and restricting data sales to legitimate uses such as credit or employment checks. The CFPB’s reversal has drawn criticism, as data brokers often collect information from apps and telecommunications companies, potentially exposing users at protests or clinics. High-profile data breaches, involving billions of records from poorly secured brokers, underscore the risks. While the U.S. steps back from regulating data brokers, the UK continues to evaluate stricter oversight. The future of the CFPB remains uncertain amidst political pressures.
4. Massive DDoS Attack on Krebs on Security
Timestamp: 06:15 – 08:28
Krebs on Security faced a record-breaking Distributed Denial of Service (DDoS) attack on May 12, peaking at 6.3 terabits per second, roughly ten times the size of the infamous 2016 Mirai botnet assault. The attack was mitigated by Google's Project Shield in less than a minute, marking the largest attack Google has ever handled. Experts attribute the assault to the Aisuru botnet, which comprises hijacked IoT devices such as routers and DVRs. The operators of Aisuru exploit weak passwords and software vulnerabilities, offering attack services on Telegram under the handle Forky for up to $600 per week. Despite law enforcement actions, including the seizure of some related domains, the threat remains active. This incident highlights the challenges major web services face in countering increasingly powerful cyber assaults.
5. Phishing Campaign Reroutes Employee Paychecks
Timestamp: 08:28 – 10:00
A sophisticated phishing campaign has been identified that rerouted employee paychecks by deceiving users into entering credentials on counterfeit, mobile-specific payroll sites. As reported by ReliaQuest, attackers used Google Ads and SEO poisoning to lure victims searching for HR portals on mobile devices. Upon clicking these ads, users were directed to fake Microsoft login pages designed to harvest credentials. Once a victim was compromised, attackers accessed SAP SuccessFactors accounts and altered direct deposit details, diverting paychecks to their own accounts. The attack employed a proxy network of hijacked home routers to obscure the attackers’ locations and evade detection. ReliaQuest recommends implementing multi-factor authentication and alerts for deposit changes, educating employees, and using proactive threat intelligence to defend against such mobile-targeted phishing campaigns that bypass traditional corporate network defenses.
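One way to turn the "alert on deposit changes" recommendation into detection logic is to correlate each direct-deposit change with any recent sign-in from an IP address the user has never used before, which is exactly what a proxy of hijacked home routers produces. The following is an added Python example, not ReliaQuest's or SAP's code; the event tuples, the known-IP baseline, the account labels and the 24-hour window are all constructed for illustration.

```python
"""Flag direct-deposit changes that follow a sign-in from an IP the user has not used before."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (ISO timestamp, user, event type, detail).
# For "login" the detail is the source IP; for "deposit_change" it is the new account label.
SAMPLE_EVENTS = [
    ("2025-05-20T08:02:00", "alice", "login", "203.0.113.10"),
    ("2025-05-20T08:05:00", "alice", "login", "203.0.113.10"),
    ("2025-05-20T09:30:00", "alice", "deposit_change", "acct:****1234"),  # from her usual IP
    ("2025-05-20T11:00:00", "bob", "login", "198.51.100.44"),            # first sign-in from this IP
    ("2025-05-20T11:04:00", "bob", "deposit_change", "acct:****9876"),   # minutes later
    ("2025-05-21T14:00:00", "carol", "login", "192.0.2.77"),             # new IP, but no change
]

# Constructed baseline of IPs each user has previously signed in from (hypothetical values).
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.20"},
    "carol": {"203.0.113.30"},
}


def find_suspicious_deposit_changes(events, known_ips, window=timedelta(hours=24)):
    """Return one alert per deposit change preceded, within `window`, by a login
    from an IP that is not in the user's known-IP baseline."""
    new_ip_logins = {}  # user -> list of (timestamp, ip) for logins from unknown IPs
    alerts = []
    for ts_str, user, kind, detail in sorted(events):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_str)
        if kind == "login":
            if detail not in known_ips.get(user, set()):
                new_ip_logins.setdefault(user, []).append((ts, detail))
        elif kind == "deposit_change":
            for login_ts, ip in new_ip_logins.get(user, []):
                if timedelta(0) <= ts - login_ts <= window:
                    alerts.append({
                        "user": user,
                        "ip": ip,
                        "login": login_ts.isoformat(),
                        "change": ts.isoformat(),
                        "detail": detail,
                    })
                    break  # one alert per change is enough
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deposit_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {alert['user']} changed deposit to {alert['detail']} "
              f"{alert['change']} after new-IP login from {alert['ip']} at {alert['login']}")
```

Only Bob's change is flagged: Alice changed her details from a known IP and Carol's new-IP sign-in was not followed by a change. In production the baseline would come from the identity provider's sign-in history and the alert would route to a step-up authentication or a hold on the payroll change rather than just a log line.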
6. Atlassian Patches Multiple High Severity Vulnerabilities
Timestamp: 10:00 – 12:28
Atlassian’s May 2025 Security Bulletin disclosed eight high-severity vulnerabilities affecting several data center and server products. Discovered through bug bounties, testing, and library scans, these flaws could enable denial of service attacks and privilege escalation if unpatched. Notable vulnerabilities include:
- Bamboo and Confluence Data Center: Susceptible to a Tomcat Coyote bug leading to memory leaks and crashes via malformed HTTP/2 headers.
- Confluence: Faces a stack overflow risk through the XStream library.
- Fisheye and Crucible: Vulnerable to a denial of service flaw in JSON Smart.
- Jira Software and Jira Service Management: Exposed to Netty’s SSL handler bug and a privilege escalation issue allowing unauthorized access.
Users are strongly urged to apply the available patches immediately to secure their enterprise environments.
7. Cyber Attack Causes Wisconsin Telecom Outage
Timestamp: 12:28 – 14:55
Cellcom, a Wisconsin telecom provider, confirmed that a cyber attack led to a week-long outage affecting voice and text services in Wisconsin and Upper Michigan. While partial services have been restored, full recovery is expected by the end of the week. The company’s CEO assured customers that no sensitive personal data appears to have been compromised, as the breach impacted a network segment devoid of personal information. Although Cellcom has not disclosed the specific type of attack, the scope suggests ransomware involvement, though no group has claimed responsibility. The company emphasized its methodical approach to recovery, collaborating with cybersecurity experts and authorities to resolve the issue and pledged to provide ongoing updates.
8. VMware Issues Security Advisory on High-Risk Vulnerabilities
Timestamp: 14:55 – 16:15
VMware has released a security advisory addressing multiple high-risk vulnerabilities across its virtualization products. The most critical is a flaw in vCenter Server that allows unauthenticated attackers to execute arbitrary commands and take control of the host. VMware recommends restricting admin interfaces to trusted networks. Other significant vulnerabilities include:
- VMware Cloud Foundation: Faces a directory traversal issue and information disclosure risks exploitable via simple network access to port 443.
- ESXi, Workstation and Fusion: Affected by denial of service bugs and a cross-site scripting flaw.
VMware has released patches for all identified vulnerabilities and urges organizations to promptly apply these updates to minimize exploitation risks.
9. 19-Year-Old Pleads Guilty to Hacking PowerSchool
Timestamp: 16:15 – 18:28
Matthew Lane, a 19-year-old student from Massachusetts, has agreed to plead guilty to hacking PowerSchool, a major education software company serving over 60 million students. Using stolen credentials from a contractor, Lane accessed PowerSchool’s systems and exfiltrated sensitive data on students and teachers. He then issued a ransom demand in December, threatening to release the data unless paid. PowerSchool confirmed paying nearly $2.9 million in Bitcoin, although the exact amount remains undisclosed. Lane, associated with the ShinyHunters hacking group, is also accused of attempting to extort a telecom company. He faces charges including unauthorized access to protected computers and aggravated identity theft. Federal prosecutors describe the case as a significant victory; the incident may be the largest breach of U.S. schoolchildren’s data to date.
Interview: Rob Allen on Zero Trust and Endpoint Protection
Deliberate Simplicity in Zero Trust
Timestamp: 12:28 – 30:43
The episode features Rob Allen, Chief Product Officer at ThreatLocker, who discusses the philosophy and implementation of Zero Trust in cybersecurity. The conversation, recorded at the RSAC 2025 conference, centers on ThreatLocker’s proactive approach to endpoint protection and the principle of "deny by default, permit by exception."
Key Insights:
- Proactive Security Measures: Rob Allen emphasizes that ThreatLocker focuses on preventing cyber incidents rather than reacting to them. “We are more proactive, so we're more about stopping it happening than responding to it happening” ([15:21]).
- Allow Listing and Ring Fencing: The company employs allow listing to permit only necessary applications to run, thereby minimizing potential attack vectors. This method contrasts with traditional reactive approaches that allow everything by default except known threats.
- Controlling Lateral Movement: ThreatLocker implements controls to prevent lateral movement both between programs on an endpoint and across the network. “Once one machine gets compromised, typically it doesn't take them very long to move to another machine,” Rob explains ([16:09]).
- Non-Behavioral Approach: Unlike many security solutions that rely on behavioral analysis or signature-based detection, ThreatLocker focuses on applying strict controls to the environment so that malicious activity is blocked by construction. Rob recounts an example in which his system blocked a sophisticated, polymorphic PowerShell exploit simply by restricting PowerShell’s internet access, without any behavioral detection ([17:16]).
- Deliberate Simplicity: The simplicity of ThreatLocker’s approach lies in its effectiveness without the complexity of constantly updating defenses against new threats. “The deny by default approach means that if a new piece of malware appears tomorrow... if you can stop all of those interactions, then you basically stop that vulnerability from being exploitable” ([19:07]).
- Minimal User Friction: By setting guardrails around users' regular activities, ThreatLocker ensures security without hindering productivity. “The vast majority of users do the same things in the same way with the same software every single day” ([20:18]).
- Dynamic Access Control: Addressing challenges such as token theft, ThreatLocker employs dynamic IP-based controls to ensure that access to cloud resources remains secure regardless of the user’s location. This adaptability prevents unauthorized access even if credentials are compromised ([22:21]).
- Seamless Onboarding: ThreatLocker offers a smooth onboarding process by initially logging all software in use without blocking anything, then gradually enforcing strict policies based on the legitimate activity observed. “It's about applying controls to your environment in such a way that it can't be [exploited]” ([23:14]).
- Consolidated Security Solutions: To address the complexity of managing multiple security tools, ThreatLocker integrates various functionalities—such as allow listing, ring fencing, web control, and patch management—into a single platform with one agent and one portal. “One portal, one agent, one product, one thing to understand, one bill to pay” ([27:13]).
- Future-Proofing Security: Rob Allen underscores that the deny-by-default strategy reduces the need for constant updates in response to evolving threats, as it inherently blocks new and unknown malicious activity without requiring prior knowledge of specific threats ([24:48]).
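The allow-listing, ring-fencing, lateral-movement and learning-mode ideas in the bullets above can be captured in a small deny-by-default policy engine. The following is an added Python example written for this summary; it is not ThreatLocker's code or policy format. The application names, action labels, the `Policy` and `Event` classes and the sample events are all constructed for illustration, and the policy deliberately reproduces the PowerShell case Rob describes: PowerShell may run and may touch files and the LAN, but has no internet access and may not be launched by Office.

```python
"""Toy deny-by-default application control: allow listing, ring fencing, parent checks, learning mode."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowed_apps: set                                     # allow list: only these may execute
    ringfences: dict = field(default_factory=dict)        # app -> set of actions it may perform
    allowed_parents: dict = field(default_factory=dict)   # app -> set of parents that may launch it
    learning_mode: bool = False                           # onboarding: record instead of block
    observed: list = field(default_factory=list)          # what learning mode would have blocked


@dataclass
class Event:
    app: str
    action: str          # "execute", "net_internet", "net_lan", "file" (constructed labels)
    target: str = ""     # destination host or file path, if any
    parent: str = ""     # process that launched the app, for "execute" events


def evaluate(policy, event):
    """Return (decision, reason). Anything not explicitly permitted is denied."""
    decision, reason = "deny", ""
    if event.app not in policy.allowed_apps:
        reason = f"{event.app} is not on the allow list"
    elif event.action == "execute":
        parents = policy.allowed_parents.get(event.app)
        # A parent restriction blocks program-to-program movement, e.g. Office spawning a shell.
        if event.parent and parents is not None and event.parent not in parents:
            reason = f"{event.parent} may not launch {event.app}"
        else:
            decision, reason = "allow", "allow-listed application"
    else:
        # Ring fence: an allow-listed app still gets only the actions it was granted.
        fence = policy.ringfences.get(event.app, set())
        if event.action in fence:
            decision, reason = "allow", f"{event.action} permitted by ring fence"
        else:
            reason = f"{event.action} not permitted for {event.app}"
    if decision == "deny" and policy.learning_mode:
        policy.observed.append((event.app, event.action, event.target))
        return "allow", "learning mode: recorded, would have denied: " + reason
    return decision, reason


# Constructed sample policy (hypothetical application names).
SAMPLE_POLICY = Policy(
    allowed_apps={"winword.exe", "powershell.exe", "outlook.exe"},
    ringfences={
        "powershell.exe": {"net_lan", "file"},   # no internet access for PowerShell
        "winword.exe": {"file"},
    },
    allowed_parents={"powershell.exe": {"explorer.exe"}},  # only the shell may start it
)

# Constructed sample events.
SAMPLE_EVENTS = [
    Event("evil.exe", "execute"),                                  # unknown binary
    Event("powershell.exe", "execute", parent="explorer.exe"),     # user-launched
    Event("powershell.exe", "net_internet", target="198.51.100.7"),
    Event("powershell.exe", "net_lan", target="10.0.0.5"),
    Event("powershell.exe", "execute", parent="winword.exe"),      # Office spawning a shell
]


def run(policy, events):
    """Decisions for a list of events under a policy."""
    return [evaluate(policy, e)[0] for e in events]


def onboarding_dry_run(events):
    """Onboarding: an empty policy in learning mode allows everything but records it all."""
    policy = Policy(allowed_apps=set(), learning_mode=True)
    decisions = [evaluate(policy, e)[0] for e in events]
    return decisions, policy.observed


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.app, e.action, "->", *evaluate(SAMPLE_POLICY, e))
```

Note that nothing in `evaluate` inspects what the process does or looks like; the polymorphic-PowerShell case is denied by the ring fence on `net_internet` alone, and the recorded `observed` list from a learning-mode run is what an administrator would review to build the allow list and ring fences before switching enforcement on.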
Notable Quotes:
- “We are more proactive, so we're more about stopping it happening than responding to it happening.” ([15:21])
- “It's about applying controls to your environment in such a way that that bad behavior can't take place.” ([17:18])
- “You don't need to know all of the bad things because if you block everything, then you're going to block all the bad stuff.” ([19:14])
- “Because in reality, the vast majority of users do the same things in the same way with the same software every single day.” ([20:18])
- “If you can stop all of those interactions, then you basically stop that vulnerability from being exploitable.” ([20:46])
Closing Stories
Privacy Leak in O2 UK's 4G Calling System
Timestamp: 30:43 – End
Security researcher Daniel Williams uncovered a significant privacy vulnerability in O2 UK's 4G calling system. Using a rooted Pixel 8, Williams discovered that O2’s IP Multimedia Subsystem (IMS) implementation was excessively verbose, sharing SIP messages that included debug logs, IMSIs, IMEIs, and cell tower IDs. This exposed sensitive metadata for every call, allowing precise geolocation of call recipients even when abroad or disconnected. Williams criticized O2 for failing to responsibly disclose these findings and urged the removal of unnecessary SIP headers and debug messages. O2 has since resolved the issue.
Conclusion
The "Bear in the Network" episode of CyberWire Daily offers a comprehensive overview of recent cybersecurity threats and developments, highlighting the evolving landscape of cyber espionage, ransomware, regulatory challenges, and innovative defense strategies. The insightful interview with Rob Allen underscores the importance of proactive, simplified security measures in combating sophisticated threats. As cyber threats continue to grow in complexity and scale, the strategies and solutions discussed in this episode provide valuable guidance for organizations aiming to bolster their cybersecurity posture.
Credits:
Senior Producer: Alice Carruth
Producer: Liz Stokes
Mixing: Trey Hester
Original Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
Host: Dave Bittner
Notable Advertisements:
- SpyCloud Identity Protection: Protect your organization from stolen identities and automated remediation of hidden exposures. spycloud.com/cyberwire
- Vanta's Trust Management Platform: Automate governance, risk, and compliance to enhance security posture and productivity. vanta.com
- Cyber Care by Storm Guidance: Comprehensive cyber incident response and resilience services. CyberCare.com
- DeleteMe: Remove personal information from data broker sites with ongoing protection. Special offer: 20% off at JoinDeleteMe.com using promo code N2K.
