CyberWire Daily: Can the U.S. Keep Up in Cyberspace?
Release Date: February 24, 2025
Host: Dave Bittner, N2K Networks
Overview
In this episode of CyberWire Daily, host Dave Bittner covers the pressing cybersecurity challenges facing the United States and asks whether the nation can keep pace in a rapidly evolving digital battleground. The discussion spans a warning from a retired military leader, international cybersecurity measures, significant cyberattacks, newly disclosed vulnerabilities, legislative efforts on data privacy, and the real-world impact of cyber threats on critical infrastructure.
Retired General Paul Nakasone's Warning: The U.S. Falling Behind
[02:30] Retired General Paul Nakasone, now at Vanderbilt University, issued a stark warning about the United States lagging in cyberspace. Speaking at DistrictCon in Washington D.C., Nakasone highlighted the expanding capabilities of adversaries, notably citing “Chinese-backed breaches and ransomware attacks” as indicators of the nation’s weakened cybersecurity posture.
General Paul Nakasone: “The U.S. is falling behind in cyberspace with adversaries expanding their capabilities.” ([02:45])
He expressed concerns over the potential for cyber operations to cause physical damage, predicting future attacks could “disable platforms through digital means”. Nakasone emphasized the increasing role of Artificial Intelligence in cyber offense, including autonomous AI-powered drones, questioning the safeguards against “AI-driven cyberweapons” that might bypass traditional defenses.
Calling for a more aggressive U.S. cyber strategy, Nakasone referenced past Cyber Command operations targeting Russian and Iranian hackers and argued for “persistent engagement” to keep adversaries in check. He also pointed to the urgent need for top cyber talent, lamenting the recruitment challenges created by past government actions.
Australia Bans Kaspersky Products for Government Use
[05:10] Australia has mandated that all government entities “remove and ban Kaspersky products” over security concerns tied to potential Russian government influence. The Department of Home Affairs issued a direction requiring Kaspersky software to be removed from federal systems by April 1, mirroring the U.S. ban first imposed on federal systems in 2017 and extended to commercial sales in 2024.
The decision follows similar actions by several European nations. The 2024 U.S. sales ban prompted Kaspersky to exit the U.S. market by transferring its customer base to UltraAV, a transition that has run into problems, including operational issues for migrated customers.
The Australian government’s move underscores growing international mistrust towards Kaspersky, although the company has yet to formally respond to the ban.
Fatal RAT Targets Industrial Organizations in APAC Region
[08:25] Researchers from Kaspersky ICS CERT have identified a cyber espionage campaign using the Fatal Remote Access Trojan (RAT) to target industrial organizations across the Asia-Pacific (APAC) region. The campaign, attributed to Chinese-speaking actors, abuses legitimate cloud services such as Youdao Cloud Notes and Tencent Cloud for payload staging and command-and-control, which helps it evade detection.
Targeted sectors include manufacturing, energy, IT, and logistics in countries such as Taiwan, China, Japan, Thailand, and Singapore. The attackers deliver malware through phishing emails and messaging platforms such as WeChat and Telegram, disguising it as tax documents. The infection chain uses evasion techniques including DLL sideloading and anti-virtual-machine checks, after which the RAT can “log keystrokes, exfiltrate data, and execute destructive commands” such as corrupting the MBR.
Kaspersky ICS CERT: “Fatal RAT poses significant risks to operational technology systems. We advise network segmentation and rigorous monitoring to mitigate these threats.” ([08:50])
Recommended preventive measures include network segmentation, monitoring for the published indicators of compromise, and blocking the malicious DLLs used in the sideloading step.
Bybit Cryptocurrency Exchange Faces $1.5 Billion Theft
[11:15] Bybit, a major cryptocurrency exchange, reported a cyberattack resulting in the theft of roughly $1.5 billion in digital assets. During a routine transfer from an Ethereum cold wallet, the attackers masked the signing interface so that the transaction the signers approved altered the wallet’s smart contract logic, giving the attackers control of the cold wallet and letting them drain more than 400,000 ETH and stETH.
The attack likely involved a compromise of the Safe Global (Safe{Wallet}) multisig user interface rather than of Bybit’s own infrastructure. Despite a surge of withdrawal requests, Bybit assured users that their funds remain secure, with CEO Ben Zhou stating, “The exchange is solvent and can cover the loss with its $20 billion in assets if needed.”
The incident comes amid a broader rise in crypto-related cybercrime: Chainalysis reported that funds stolen in 2024 were up about 20% over the previous year.
Apple Removes End-to-End Encryption for iCloud in the UK
[14:00] In a controversial move, Apple has withdrawn Advanced Data Protection, the optional feature that extends end-to-end encryption (E2E) to most iCloud data, for users in the United Kingdom following a demand made under the Investigatory Powers Act, commonly known as the Snoopers’ Charter. Security and consumer rights advocates have criticized the outcome, arguing it weakens user privacy and could damage the UK’s reputation for data security.
Apple Representative: “Creating an E2E backdoor would compromise all users' security. Instead, we've removed the advanced data protection feature for UK customers.” ([14:15])
Privacy experts warn that weakening encryption could lead to compliance issues for businesses and jeopardize data sharing agreements with the EU and the U.S. Apple defends its stance by emphasizing the balance between user security and lawful access, but the decision has sparked significant debate over government oversight versus individual privacy rights.
LockBit Ransomware Delivered Through an Exploited Windows Confluence Server
[16:40] Researchers at The DFIR Report documented a LockBit ransomware intrusion that began with exploitation of a remote code execution vulnerability in an internet-facing Confluence server running on Windows. The attackers quickly deployed Mimikatz, Metasploit, and AnyDesk to harvest credentials, escalate privileges, and move laterally across the network over RDP.
Data was exfiltrated with rclone to MEGA.io before the ransomware was deployed; the attackers then used PDQ Deploy to push LockBit across the environment, and critical systems were encrypted within roughly two hours of initial access.
Researchers highlighted the necessity of “patching Confluence vulnerabilities, monitoring network activity, and restricting remote access” to prevent similar intrusions, underscoring the increasing sophistication and speed of ransomware operations targeting unpatched enterprise applications.
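Each stage in that chain leaves a process-creation footprint, and the sequence matters as much as the individual hits: a web application spawning a shell, credential tooling, a remote-access tool install, rclone pointed at a cloud remote, and a deployment tool fanning out an unknown binary. The Python example below (added here; it is not The DFIR Report's code) matches constructed Sysmon-style Event ID 1 records against one rule per stage and measures the time from first shell to last mass-deployment event, which is the "two hours" figure a responder wants to know. Field names, the rule heuristics and the sample events are assumptions for illustration.

```python
"""Reconstruct a ransomware intrusion timeline from process-creation events.

Added illustration, not The DFIR Report's code. Each rule maps to a
stage of the intrusion: web-app shell spawn, credential theft tooling,
remote-access tool install, rclone exfiltration to a cloud remote, and
mass deployment through PDQ Deploy. Field names and sample events are
constructed assumptions modelled on Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent: str      # parent image file name, lower-case
    image: str       # image file name, lower-case
    cmdline: str


# An rclone target of the form "remote:path". A Windows drive ("C:\...")
# has a single letter before the colon and a backslash after, so it is excluded.
_REMOTE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9_-]{2,}:(?!\\)")

# Order is the expected attack progression (assumed heuristics).
RULES: list[tuple[str, Callable[[ProcEvent], bool]]] = [
    ("web_app_spawns_shell",
     lambda e: "tomcat" in e.parent
               and e.image in {"cmd.exe", "powershell.exe"}),
    ("credential_theft_tool",
     lambda e: "mimikatz" in e.image or "sekurlsa::" in e.cmdline.lower()),
    ("remote_access_tool_install",
     lambda e: e.image == "anydesk.exe" and "--install" in e.cmdline.lower()),
    ("rclone_cloud_exfil",
     lambda e: e.image == "rclone.exe"
               and re.search(r"\b(copy|sync|move)\b", e.cmdline, re.I) is not None
               and _REMOTE.search(e.cmdline) is not None),
    ("pdq_mass_deploy",
     lambda e: e.parent.startswith("pdqdeployrunner")
               and e.image.endswith(".exe")),
]


def match_stages(events: list[ProcEvent]) -> list[dict]:
    """Return every (event, stage) hit in chronological order."""
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        for stage, pred in RULES:
            if pred(e):
                hits.append({"ts": e.ts, "host": e.host,
                             "stage": stage, "cmd": e.cmdline})
    return hits


def coverage(hits: list[dict]) -> set[str]:
    return {h["stage"] for h in hits}


def time_to_impact(hits: list[dict]) -> Optional[timedelta]:
    """Elapsed time from first web-app shell to the last mass-deploy event."""
    first = next((h for h in hits if h["stage"] == "web_app_spawns_shell"), None)
    impact = [h for h in hits if h["stage"] == "pdq_mass_deploy"]
    if first is None or not impact:
        return None
    return max(h["ts"] for h in impact) - first["ts"]


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2025-02-20 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample telemetry (not real events, not the report's data).
SAMPLE_EVENTS = [
    ProcEvent(_t("10:00"), "web01", "tomcat9.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(_t("10:05"), "ws05", "explorer.exe", "cmd.exe", "cmd.exe"),   # benign
    ProcEvent(_t("10:12"), "web01", "cmd.exe", "mimikatz.exe",
              "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ProcEvent(_t("10:30"), "web01", "cmd.exe", "anydesk.exe",
              r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"),
    ProcEvent(_t("10:45"), "bak01", "cmd.exe", "rclone.exe",
              r"rclone.exe sync D:\data E:\backup"),                        # benign
    ProcEvent(_t("11:05"), "fs01", "cmd.exe", "rclone.exe",
              r'rclone.exe copy "\\fs01\Finance" mega:backup --config C:\Temp\rclone.conf'),
    ProcEvent(_t("11:50"), "srv02", "pdqdeployrunner-1.exe", "payload.exe",
              r"C:\Windows\Temp\payload.exe"),
    ProcEvent(_t("11:58"), "srv03", "pdqdeployrunner-1.exe", "payload.exe",
              r"C:\Windows\Temp\payload.exe"),
]

if __name__ == "__main__":
    found = match_stages(SAMPLE_EVENTS)
    for h in found:
        print(h["ts"].strftime("%H:%M"), h["host"], h["stage"])
    print("time to impact:", time_to_impact(found))
```

The two benign records (a user opening a command prompt, and a backup host running rclone between local drives) produce no hits, while the remaining six reconstruct the full chain with a first-shell-to-last-deploy gap of one hour and fifty-eight minutes. In a real environment the rclone rule is the one to watch most closely: rclone against a named remote from a file server is rarely legitimate and precedes encryption by long enough to act on.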
Zero-Day Vulnerabilities in Cloud Logging Utility Fluent Bit
[19:05] Tenable researchers have disclosed vulnerabilities in Fluent Bit, a widely used log-processing utility embedded in cloud platforms such as AWS, Google Cloud, and Microsoft Azure. The flaws are null pointer dereferences in the Prometheus Remote Write and OpenTelemetry input plugins; because Fluent Bit has been downloaded billions of times, the exposure spans a large share of production environments.
Attackers can trigger the flaws with simple HTTP requests to crash Fluent Bit instances or leak sensitive data. Affected deployments include Kubernetes clusters, enterprise logging pipelines, and compliance workflows at major organizations such as Cisco, Splunk, and VMware.
Tenable Researcher: “Immediate updates and stringent API access restrictions are crucial to prevent widespread service disruptions and data leaks.” ([19:30])
While patches are available, many systems remain vulnerable due to delayed updates, prompting experts to urge organizations to prioritize applying these fixes and conducting comprehensive security audits.
PayPal Email Scam Tricking Users into Calling Scammers
[21:00] A new email scam abuses PayPal’s legitimate email infrastructure to trick users into contacting the scammers directly. The attackers add a new shipping address to a PayPal account and paste their message into the free-text address field, so PayPal’s genuine “address added” confirmation, sent from service@paypal.com, carries the scam text in its body.
Recipients receive emails stating that their shipping address for a MacBook purchase has changed, urging them to call a fake PayPal support number. Once on the call, scammers persuade victims to install remote access software, leading to the theft of funds, data, or malware deployment.
Cybersecurity Expert: “These fraudulent emails bypass traditional security filters by originating directly from PayPal’s servers. Users must verify their accounts directly through PayPal and avoid calling suspicious numbers.” ([21:20])
Experts recommend that PayPal limit the length and content of its address fields to prevent this abuse, and advise users to verify account activity only through official channels rather than trusting contact details embedded in a notification.
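The underlying defect is a free-text field that is echoed verbatim into an outbound email. The Python example below, added here and not PayPal's code, shows the kind of server-side validation the experts are asking for: an address line is rejected if it exceeds a length budget, contains control characters, a URL, a phone-number-like digit run, or call-to-action wording. The length limit, the patterns and the sample inputs are assumptions; the point is that a street address has a narrow shape and anything that looks like a message should not reach an email template.

```python
"""Validate a shipping-address line so it cannot carry a scam message.

Added illustration, not PayPal's code. The scam described above works
because free-text address fields are echoed verbatim into genuine
notification emails. Limits and patterns here are assumptions.
"""
import re
from typing import Optional

MAX_LINE_LEN = 60                      # assumed budget; real address lines are shorter
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
URL = re.compile(r"(https?://|www\.)\S+", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")              # 9+ character digit run
CALL_TO_ACTION = re.compile(
    r"\b(call|contact|cancel|refund|support|helpline)\b", re.I)


def validate_address_line(line: str) -> Optional[str]:
    """Return None if the line is acceptable, otherwise a rejection reason.

    Checks run cheapest-first; the first failure wins, so a caller gets one
    reason to show the user (or to log for fraud review).
    """
    if not line.strip():
        return "empty"
    if len(line) > MAX_LINE_LEN:
        return f"longer than {MAX_LINE_LEN} characters"
    if CONTROL.search(line):
        return "control characters"
    if URL.search(line):
        return "contains URL"
    if PHONE.search(line):
        return "contains phone-number-like digit run"
    if CALL_TO_ACTION.search(line):
        return "contains call-to-action wording"
    return None


def validate_address(lines: list[str]) -> dict[int, str]:
    """Validate every line of an address; returns {line_index: reason} for failures."""
    problems = {}
    for i, line in enumerate(lines):
        reason = validate_address_line(line)
        if reason is not None:
            problems[i] = reason
    return problems


# Constructed samples (not real scam text or real addresses).
SAMPLES = [
    "1200 Market St, Apt 4B",                      # ok
    "Suite 100-200, Oakland, CA 94612",            # ok: short digit runs only
    "Call 1-888-555-0100 now",                     # phone number
    "Order changed? visit www.example.test/help",  # URL
    "Contact support to cancel this order",        # call to action
    "Apt 4B\nCall me",                             # newline injection
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", validate_address_line(s))
```

A rejection here should feed a fraud-review queue rather than silently dropping the request: the wording check in particular will produce false positives (a building named "Support House"), and the signal that someone is trying to smuggle a message into a notification is itself worth keeping. The validation is independent of the email layer, which should also render address fields as plain, escaped text.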
House Republicans Seek Public Input on National Data Privacy Standards
[23:45] Republican leaders on the House Energy and Commerce Committee, including Brett Guthrie (Kentucky) and John Joyce (Pennsylvania), have initiated a request for public input to shape national data privacy and security standards. The aim is to craft legislation that safeguards Americans' digital data across various services, addressing challenges posed by rapid technological advancements and fragmented state and federal laws.
Their request seeks insights on:
- Data Collection Practices
- Transparency Measures
- User Consent Mechanisms
- Lessons from International Privacy Laws
Additionally, they are exploring how a federal privacy law would interact with existing regulations like HIPAA, FCRA, and COPPA. The public is invited to submit responses by April 7, with the hope of establishing baseline privacy protections akin to those in other Western nations.
This marks a significant step towards unified data privacy legislation, aiming to reconcile diverse regulations and provide comprehensive protection for consumers in the digital age.
Michigan Man Charged for Utilizing Genesis Cybercrime Marketplace
[25:10] The U.S. Department of Justice has charged Andrew Shenkosky, 29, of Michigan, over his use of the Genesis Market cybercrime marketplace. Shenkosky allegedly bought about 2,500 stolen login credentials from the marketplace in 2020, used them to transfer funds out of a bank account, and attempted to sell data on RaidForums, a cybercrime forum that has since been dismantled.
He faces multiple charges, including wire fraud and identity theft, with arraignment scheduled for this week. Genesis Market, seized by the FBI in April 2023, had sold access to stolen credentials and browser fingerprints; the takedown led to roughly 120 arrests, though the marketplace’s administrators remain at large.
This case underscores the persistent threat posed by cybercrime marketplaces and the ongoing efforts by law enforcement to dismantle these illicit operations.
In-Depth Conversation: The Domino Effect of a Cyber Attack on the Power Grid
[17:01] Host Dave Bittner talks with Karl Sigler, Senior Security Research Manager at Trustwave SpiderLabs, about the domino effect of a cyberattack on the power grid.
Rising Ransomware Threats
[17:32] Bittner cites an 80% increase in ransomware attacks on the sector in the past year, a sign that threat actors are intensifying their focus on ransomware.
Karl Sigler: “Ransomware actors are not giving up; they're actively increasing their efforts and sophistication.” ([17:53])
Impact on Utilities Sector
Sigler explains that the utilities sector is particularly attractive to hackers due to its interdependence with all other industries. An attack on utilities like gas or electricity can disrupt hospitals, transportation, and essential services, exerting immense pressure on these organizations to resolve issues swiftly.
Sigler: “Attackers know that targeting utilities creates massive pressure because it affects everything from hospitals to transportation.” ([19:46])
Techniques and Tactics
The conversation delves into the prevalent use of phishing as the primary attack vector, responsible for 84% of compromises in the energy and utility sector.
Sigler: “Phishing remains the number one method for initial breaches, especially as AI makes these attacks harder to detect.” ([22:01])
Defense Capabilities and Challenges
Despite the critical nature of their operations, many utility companies struggle with outdated infrastructure and stringent regulatory requirements that hinder timely updates and security enhancements.
Sigler: “Forty percent of the U.S. power grid is over 50 years old, making it a vulnerable target due to aging technology and resistance to change.” ([23:15])
Recommendations for Protection
To mitigate risks, Sigler advocates for:
- Comprehensive Asset Identification: Maintaining an up-to-date inventory of all network assets to understand and manage risks effectively.
- Proactive Threat Hunting: Actively searching for Indicators of Compromise (IOCs) relevant to the sector to reduce the dwell time of threat actors.
- Robust Incident Response Plans: Establishing well-defined processes to respond swiftly and effectively to breaches.
Sigler: “Asset identification and proactive threat hunting are essential. Additionally, having a formalized incident response plan can make the difference between containment and catastrophe.” ([24:28])
The discussion underscores the urgent need for the utilities sector to modernize infrastructure, enhance cybersecurity measures, and develop resilient response strategies to withstand and mitigate the impact of sophisticated cyberattacks.
Meta Sues Instagram Extortionist Idriss Qibaa
[26:45] Meta (formerly Facebook) has filed a lawsuit against Idriss Qibaa, accused of running an extortion operation called Unlocked 4 Life on Instagram. Qibaa allegedly manipulated Instagram’s reporting system to get accounts banned and then restored for a fee, boasting over 200 subscribers and claiming to earn $600,000 a month.
Victims were coerced through threats, racial slurs, and graphic images, with Qibaa demanding up to $20,000 to stop the harassment. By gaming the platform’s automated moderation he could trigger account disablement on demand, then sell restoration to victims who paid while continuing to target those who refused.
Meta Statement: “Idriss Qibaa weaponized our enforcement system, turning a security feature into a lucrative extortion racket.” ([26:50])
Meta sent Qibaa a cease-and-desist letter in February 2024, after which he created new accounts to continue the scheme. The lawsuit seeks to hold him accountable and to deter further abuse of the platform’s enforcement mechanisms.
Conclusion
This episode of CyberWire Daily surveys a multifaceted cybersecurity landscape and highlights where the United States faces real difficulty keeping pace with its adversaries. From a retired general’s warning and international policy moves to real-world cyberattacks and legislative efforts, the discussion underscores the need for robust strategies, stronger technical defenses, and coherent policy frameworks to protect national and economic security.
For those who want to go deeper, Karl Sigler’s insights from Trustwave SpiderLabs offer a practitioner’s perspective on defending critical infrastructure against sophisticated cyber threats.
Stay informed and secure by tuning into CyberWire Daily, your essential source for the latest in cybersecurity news and analysis.
