CyberWire Daily: "Brute Force and Broken Trust" Summary
Release Date: March 21, 2025
Host/Author: N2K Networks
The March 21, 2025 episode of CyberWire Daily, hosted by Dave Bittner and featuring insights from Brandon Karpf and guest Maria Varmazis, delves into pressing cybersecurity issues ranging from government data vulnerabilities to the evolving landscape of ransomware threats. This summary captures the episode's key discussions, expert analyses, and critical revelations.
1. Exposed Government Databases: A Looming Cybersecurity Crisis
The episode opens with a concerning revelation about the security posture of U.S. government data. Over 150 government database servers, managed by agencies such as the Departments of Agriculture, Education, and Energy, are found to be dangerously exposed to the Internet. These databases, hosted on Microsoft's Azure GovCloud, have open ports susceptible to brute force attacks and known exploits.
Key Points:
- Unauthorized Access Attempts: The investigation highlighted over 655 unauthorized access attempts, indicating persistent threats targeting these databases.
- Data Replications: More than 200 real-time data replications were detected, suggesting significant flaws in both authentication mechanisms and data protection protocols.
- Root Cause: Analysts attribute the exposure to a hastened federal data centralization effort, which compromised standard security protocols in favor of rapid deployment.
Expert Insight:
Dave Bittner emphasizes the severity:
"These databases have open ports vulnerable to brute force attacks and known exploits. The report highlights over 655 unauthorized access attempts and more than 200 real-time data replications, suggesting serious flaws in authentication and data protection."
[00:12:30]
2. Decentralizing Cybersecurity: Federal Shift to States and Local Governments
In response to the escalating cyber threats, the White House is transitioning cybersecurity responsibilities from federal agencies to state and local governments through a new executive order introduced by President Trump. This order is part of a broader national resilience strategy aimed at empowering local entities to defend critical infrastructure and elections against cyber threats.
Key Points:
- Autonomy Granted: States will gain greater control over their cybersecurity measures, potentially allowing for more tailored and rapid responses.
- Resource Challenges: However, this shift coincides with cuts to federal cybersecurity teams, depriving states of essential support services like vulnerability alerts and free risk assessments.
- Risks of Fragmentation: Experts warn that decentralization may lead to fragmented defenses, exacerbating vulnerabilities, especially in underfunded sectors such as schools and small municipalities.
Critical Commentary:
Brandon Karpf highlights the implications:
"Experts warn this decentralization could lead to fragmented defenses, especially as many states lack the resources and intelligence centers to fill the gap."
[13:31]
3. Exploiting Antivirus Vulnerabilities: The Check Point ZoneAlarm Incident
A noteworthy vulnerability in Check Point's ZoneAlarm antivirus software has been exploited by threat actors to bypass Windows security controls. Security researcher Nima Bagheri explains a "Bring Your Own Vulnerable Driver" (BYOVD) attack that leverages an old, still-signed driver to obtain kernel-level privileges.
Mechanism of Attack:
- Evading Detection: Attackers exploit the vulnerability to evade antivirus detection and bypass Windows memory integrity protections.
- System Compromise: Once inside, they steal user credentials and establish remote access, posing significant risks to system integrity.
Security Recommendations: Users are urged to update to the latest non-vulnerable versions of the software to mitigate these threats.
4. Ransomware Evolution: Albabat and Van Helsing Threats
The episode discusses the alarming evolution of ransomware, highlighting two primary threats: Albabat and Van Helsing.
Albabat Ransomware: Cross-Platform Extension
- Multi-OS Targeting: Initially a Windows threat, Albabat has expanded to target Linux and macOS systems.
- GitHub Integration: Utilizing GitHub for configuration management allows remote updates without redeploying malware, enhancing its adaptability.
- Payment Diversification: The ransomware accepts various cryptocurrencies, including Bitcoin, Ethereum, Solana, and BNB, facilitating broader financial attacks.
Van Helsing Ransomware: Targeting Critical Sectors
- Advanced Tactics: Van Helsing employs sophisticated encryption and evasion techniques, appending its name to affected files and demanding ransom through a Tor-based chat site.
- Double Extortion: Beyond encryption, it exfiltrates sensitive data, increasing pressure on victims to comply with ransom demands.
- Persistence Mechanisms: The use of rootkits, registry changes, and bootkits complicates detection and eradication efforts.
Defense Strategies: Security experts advocate for robust backups, timely system patching, multi-factor authentication (MFA), and Zero Trust architectures to defend against these formidable ransomware threats.
5. Operation Fish Medley: Chinese Cyber Espionage Campaign
ESET reports on Operation FishMedley, a cyber espionage campaign conducted by I-Soon, a Chinese cybersecurity contractor linked to Beijing's Ministry of Public Security. The campaign targeted seven organizations across Taiwan, Hungary, Turkey, Thailand, the U.S., and France.
Operational Tactics:
- Toolkit Utilization: Attackers employed tools such as ShadowPad, Spyder, and the newly identified RPipeCommander to gain deep network access.
- Data Exfiltration: The campaign focused on credential harvesting and data extraction, compromising sensitive information from targeted organizations.
- Strategic Timing: The campaign coincided with significant geopolitical events, including document leaks and U.S. indictments of I-Soon staff involved in hacking activities.
Implications: The sustained nature of Operation Fish Medley underscores the persistent threat posed by state-sponsored cyber espionage activities, necessitating heightened vigilance and advanced defensive measures.
6. Critical Infrastructure Vulnerabilities: CISA Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) issued five Industrial Control Systems (ICS) advisories addressing high-severity vulnerabilities across critical infrastructure sectors:
- Schneider Electric's EcoStruxure: Multiple input validation issues.
- Schneider Electric's Enerlin'X IFE components: Susceptible to exploitation via input validation flaws.
- Siemens Simcenter Femap: Contains a memory buffer overflow vulnerability.
- SMA's Sunny Portal: Prone to a file upload flaw.
- Santesoft's DICOM Viewer Pro: Affected by an out-of-bounds write issue.
Urgent Action Required: CISA urges immediate updates to these systems to mitigate exploitation risks, emphasizing the vital nature of these infrastructures and their role in supporting essential services.
7. Cybercrime in Athletics: Indictment of Former NFL Coach
A former NFL and University of Michigan assistant coach, Matt Weiss, has been indicted on 14 counts of unauthorized computer access and 10 counts of identity theft. Weiss allegedly hacked into the accounts of over 150,000 college athletes across more than 100 schools between 2015 and 2023.
Modus Operandi:
- Target Selection: Weiss focused on female athletes, accessing their social media, cloud, and email accounts to obtain private photos and videos.
- Encryption Cracking: He reportedly cracked encryption using online resources and meticulously documented stolen content.
- Employment Consequences: Weiss was terminated by Michigan in 2023 after refusing to cooperate with an internal investigation and previously worked for the Baltimore Ravens.
Prosecutorial Stance: Federal prosecutors remain committed to aggressively pursuing the case to uphold the privacy and security of the victims.
8. Expert Conversation: Cyberspace in Space
Brandon Karpf engages in an insightful discussion with Maria Varmazis from the T-Minus podcast, exploring the intersection of cyberspace and space infrastructure.
Key Highlights:
- DoD Software Acquisition Reform: The Department of Defense (DoD) is adopting agile processes for software acquisitions to accelerate the deployment of new software, reducing the traditional 12-year timeline to six years.
  "They're going to accept more risk upfront by rapidly implementing new software, understanding that allows software to be iterated upon and improved."
  [12:30]
- Impact on Space Telecommunications: The conversation emphasizes leveraging space infrastructure to enhance cybersecurity. By implementing moving target defenses through satellite communications, defense systems can obscure their points of presence, making it harder for adversaries to conduct reconnaissance and target critical network infrastructure.
  "If we can obfuscate your point of presence to get into networks as a user of telecoms infrastructure and leverage the space segment to create moving target defense, essentially maneuver warfare in the telecommunications network layer, that immediately makes it more difficult for the adversaries to target because they can't do reconnaissance as well."
  [21:04]
- Opportunities for Enhanced Security: The agile software development lifecycle proposed by the DoD can be harnessed to build more secure and resilient telecommunications infrastructure, mitigating the risks posed by persistent cyber threats.
Strategic Implications: The integration of space-based solutions into cybersecurity strategies represents a novel approach to defending against increasingly sophisticated cyber adversaries, particularly those targeting global telecommunications networks.
9. Fraud Detection Firm Shutdown
The episode also covers a significant incident in the cybersecurity industry: the shutdown of a fraud detection firm due to fraudulent activities. Former CEO Paul Roberts of an adtech company fabricated detection services, orchestrating a $1.3 million phony service swap with another company. This deception included generating fake reports from nonexistent data, misleading stakeholders and falsely inflating company revenues.
Consequences:
- Legal Repercussions: Roberts pled guilty after the Securities and Exchange Commission (SEC) uncovered the fraudulent transactions.
- Company Fallout: The embellished Kai Power merger dissolved, leading to the company's delisting and eventual closure.
Industry Impact: This case underscores the critical importance of due diligence and robust verification mechanisms within cybersecurity firms to maintain trust and integrity in the industry.
Conclusion and Future Outlook
The CyberWire Daily episode "Brute Force and Broken Trust" delivers a thorough examination of current cybersecurity challenges, highlighting vulnerabilities in government databases, evolving ransomware threats, and the shifting landscape of cybersecurity responsibilities. Expert conversations shed light on innovative strategies to bolster defenses using space-based technologies, while real-world incidents like the indictment of Matt Weiss and the fraud-driven shutdown of a fraud detection firm underscore the multifaceted nature of cyber threats.
As cyber adversaries continue to advance, the insights and analyses provided in this episode serve as essential guidance for cybersecurity professionals, policymakers, and organizations striving to navigate and mitigate the complex threat environment.
Notable Quotes:
- Dave Bittner on Government Data Exposure:
  "Over 150 government database servers used by agencies like the Departments of Agriculture, Education and Energy are exposed to the Internet, violating basic security protocols."
  [00:12:30]
- Brandon Karpf on Decentralization Risks:
  "Experts warn this decentralization could lead to fragmented defenses, especially as many states lack the resources and intelligence centers to fill the gap."
  [13:31]
- Dave Bittner on Agile Software Acquisition:
  "They're going to accept more risk upfront by rapidly implementing new software, by trying to implement this agile process with software acquisitions."
  [17:15]
- Brandon Karpf on Moving Target Defense:
  "If we can obfuscate your point of presence to get into networks as a user of telecoms infrastructure and leverage the space segment to create moving target defense, essentially maneuver warfare in the telecommunications network layer, that immediately makes it more difficult for the adversaries to target because they can't do reconnaissance as well."
  [21:04]
This summary encapsulates the critical discussions and expert insights presented in the "Brute Force and Broken Trust" episode of CyberWire Daily, providing listeners and non-listeners alike with a comprehensive understanding of the current cybersecurity landscape and emerging strategies to counteract evolving threats.
