A
You're listening to the CyberWire network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk: scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 47, day.

A new self-replicating malware infects the npm repository. Microsoft and Cloudflare disrupt a phishing-as-a-service platform. Researchers uncover a new Fancy Bear backdoor campaign. The VoidProxy platform targets Microsoft 365 and Google accounts. A British telecom says its ransomware recovery may stretch into November. A new Rowhammer attack variant targets DDR5 memory. Democrats warn, at a heated Senate Judiciary Committee hearing, that proposed budget cuts could slash the FBI's cyber division staff by half. On our Industry Voices segment, we're joined by Abhishek Agrawal from Material Security, discussing the challenges of securing Google Workspace. And Pompompurin heads to prison. It's Wednesday, September 17, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

A new self-replicating malware called Shai-Hulud has infected at least 187 packages in the JavaScript repository npm. Named after the sandworms in Dune, the worm steals developer credentials and publishes them in public GitHub repositories. Security firm Aikido reports the malware spreads by hijacking npm tokens, injecting itself into the 20 most popular packages linked to a victim's account and releasing altered versions. The attack briefly compromised CrowdStrike-managed packages, but they were quickly removed. Unlike past npm breaches, Shai-Hulud self-propagates, using tools like TruffleHog to harvest secrets and spread further. Researchers warn the worm mimics a living virus, capable of lying dormant before flaring up again. Experts say stronger two-factor authentication for publishing packages is needed to prevent future outbreaks.

Microsoft and Cloudflare have disrupted RaccoonO365, a phishing-as-a-service platform that sold subscription kits to steal Microsoft 365 credentials. With a court order, Microsoft seized 338 websites tied to the operation, cutting off attackers' infrastructure. RaccoonO365, also known as Storm-2246, enabled low-skilled criminals to impersonate brands like DocuSign and SharePoint, creating fake Microsoft login pages. The kit used adversary-in-the-middle tactics to capture passwords and session cookies, bypassing MFA protections. Investigators tracked cryptocurrency payments after discovering the group's leaked wallet, identifying Nigerian programmer Joshua Ogundipe as the ringleader. He marketed the service on Telegram and, along with associates, sold tiered subscription plans ranging from $355. The group made at least $100,000. Microsoft has filed suit and referred Ogundipe to international law enforcement.
Researchers at Sekoia.io have discovered a new APT28 Fancy Bear campaign, dubbed Operation Phantom Net Voxel, that uses malicious Microsoft Office documents to deliver advanced backdoors. The attack, aimed at Ukrainian military officials via Signal spear-phishing, tricks victims into enabling macros. These drop a DLL and a PNG image that hides shellcode, which then loads an HTTP Grunt stager from the open-source Covenant framework. This establishes command and control through the cloud service Koofr, where attackers use folders named "tansfering" and "Keeping" to manage tasks and exfiltrated data. A second backdoor, BeardShell, uses Icedrive for C2 and executes PowerShell commands. Researchers also linked APT28 to SlimAgent spyware, enabling keylogging and screenshots. At least 42 hosts may have been compromised since late 2024, highlighting Fancy Bear's growing reliance on blended open-source and legitimate cloud services for stealth and persistence.

Researchers at Okta have uncovered VoidProxy, a phishing-as-a-service platform targeting Microsoft 365 and Google accounts. The operation uses adversary-in-the-middle techniques to intercept logins, capturing credentials, MFA codes and session tokens for use in business email compromise, fraud and data theft. Experts warn VoidProxy is part of a growing wave of attacker-in-the-middle-driven phishing-as-a-service tools, following kits like Evilginx. Security leaders stress an identity-first approach, reducing excessive privileges and monitoring identity interactions, since identity-based attacks are harder to detect and exploit user trust directly.

British telecom Colt Technology Services says recovery from its August ransomware attack may not finish until late November, marking over three months of disruption. The Warlock group claimed responsibility, allegedly exfiltrating Colt's data. While core network infrastructure remains operational, customer portals, hosting, APIs, billing and some voice services are still affected.
Colt has engaged external experts, filed reports with authorities in 27 countries and continues phased system restoration. Investigators suggest the attack may have exploited SharePoint vulnerabilities, followed by data theft and extortion attempts.

Researchers from Google and ETH Zurich have discovered a new Rowhammer attack variant, dubbed Phoenix, that targets DDR5 memory. Rowhammer exploits memory's tendency to leak electrical charge, allowing attackers to corrupt adjacent cells, degrade performance or escalate privileges by repeatedly accessing specific rows. While DDR5 was thought resistant, researchers found SK Hynix DDR5 vulnerable when tested on an AMD Zen 4 system. The attack is complex and resource-intensive, but effective. Phoenix, with a 7.1 CVSS score, highlights gaps in DDR5 protections, particularly the absence of the JEDEC per-row activation counting defense. ETH Zurich responsibly disclosed the flaw to memory and CPU vendors in June. AMD has since released a BIOS update, and cloud providers were notified to mitigate risks.

Yesterday, at a heated Senate Judiciary Committee hearing, Democrats warned that proposed Trump-era cuts could slash the FBI's cyber division staff by half, undermining defenses against foreign threats and ransomware. Sen. Dick Durbin cited a proposed $500 million FBI budget cut, while Senator Alex Padilla argued shifting resources to immigration and politically motivated probes hurt core cyber missions. FBI Director Kash Patel countered that arrests rose 42%, with 409 arrests and 169 convictions in the past year, and insisted no resources were diverted from election security or counterterrorism. Patel highlighted ongoing efforts against Chinese hacking groups like Salt Typhoon and Volt Typhoon, as well as ransomware. Senator Amy Klobuchar raised concerns about AI-driven election interference, which Patel attributed to loosely organized overseas actors.
Meanwhile, House lawmakers introduced a short-term funding bill to extend two key cyber programs, the 2015 Cybersecurity Information Sharing Act and the State and Local Cybersecurity Grant Program, until Nov. 21. Both were set to expire Sept. 30. The extension gives Congress more time to negotiate long-term renewals, with the House proposing a 10-year extension and the Senate, led by Senator Rand Paul, expected to push for a shorter timeline with fewer safeguards for private entities sharing threat data. Uncertainty remains over bipartisan support.

Coming up after the break, my conversation with Abhishek Agrawal from Material Security. We're discussing the challenges of securing Google Workspace. And Pompompurin heads to prison. Stay with us.

And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

Abhishek Agrawal is CEO and co-founder of Material Security, and in today's sponsored Industry Voices segment, we discuss the challenges of securing Google Workspace.
B
The way I like to describe it is that if you think about a company's office suite or productivity suite, whether it's Google Workspace or Office 365, they're kind of not a company until they have a Google Workspace or Office 365. Right. It's like one of the first things you set up when you get started, literally as a company, because you're giving email to employees and, like, where they do their work. But from a security context, it just is such a mission-critical surface because it's where a lot of the institutional knowledge of the company exists. It serves as identity. It's obviously where a lot of sensitive content resides, and it's kind of the first app you get and the last one that gets taken away when you leave. So it's a critical piece of infrastructure.
A
Well, being so mission-critical, where does it stand in terms of the security that it provides out of the box?
B
So the infrastructure is actually fairly secure out of the box. There's a lot of things that they do well. I think the challenge becomes when, as an organization and as a security team, you're looking for additional controls or customization or granularity. Those are the types of areas in which, as an organization scales, they might start hitting roadblocks with some of the out-of-the-box tooling. So it's less about security out of the box at the infrastructure level, and it's more about tooling that a security operations team might need, or a detection and response team might need, when they're doing investigations or when they're thinking about specific threats that are relevant to their organization.
A
You know, we often hear folks say that identity is the new perimeter. How does that play out with Google Workspace?
B
Yeah, I mean, I think that statement is very true and has been for a long time. And the way it plays out in Google Workspace is that often Google Workspace is acting as identity. So, you know, if you think about your Google account, it's how you log into things, it's how you prove you are who you are. In many cases, even if you're using a third-party IdP like an Okta, you're still often connecting that as a source of truth to your Google directory. So it absolutely serves as identity. If you think about OAuth applications and signing into them with, like, a Google account. And the way we like to talk about it is that if you're thinking about an account in Google Workspace, it actually is consolidating a lot of different pieces of context. Right? Who that person is in the org, what files they have access to, what their function is, what messages they send out. And at the end of the day, that's kind of what identity means.
A
Well, help me understand here. Once an attacker gets inside, what does it look like? What does lateral movement look like within Workspace?
B
Yeah, there are so many different opportunities to move laterally. So, backing up for a second, there may be many different ways that an attacker gets in in the first place. From an initial access perspective, for example, by far one of the most common is some type of credential theft, whether it's phishing or looking for stolen credentials. But the point is that once they are in, there's actually just not really any additional controls to stop them from moving laterally. So for example, if I compromise an email account, nothing stops me from using that same session to go, now, look at Google Drive and understand what files are in there, or pivot over to other applications that might be using that Google account for identity. There are lots of different paths that one can take. The other thing is, attackers often are very interested in establishing some persistence. It's not just about the initial access or lateral movement. It's about making sure that they can continue having their presence. So for example, the kinds of things that we see very often are: an account gets compromised, the attacker will start setting up things like mail rules for forwarding all email that's coming into that account. They might go try to change the MFA settings, they might assign delegate accounts. So these are all different methods for establishing some sort of long-term persistence.
A
Well, let's talk about data sprawl. You know, I think about my own experience with Google Drive and I think there's an impulse to be a bit of a pack rat.
B
Yeah, absolutely, yeah. It's not just in Google Drive. I think with email it's the same thing, but basically the cost of storage has gotten so low that all of us, many, many, many years ago at this point, stopped deleting things for the most part. Right. Certainly in our consumer lives, probably at work as well, where you may as well hold onto something; there's a chance you might need it and there's not really any incentive to delete it. Unfortunately, what that means is, yeah, one, you are collecting a sort of ever-growing treasure trove of data which you may not even need, but poses a lot of risk. But secondly, for something like Google Drive in particular, often that data is shared, right. So it's shared internally inside the organization, but it might be shared externally. It might have very wide sharing permissions, like being publicly accessible. And when you put these two things together, the vast amount of data sprawl that you kind of don't really have a handle on anymore, and then also the fact that a lot of it might be shared in a way that at the time was fine, but with time you've kind of forgotten about it, leads to this pretty large exposure surface, right, that can be exploited, and often it's just very hard to get a handle on.
A
Well, in terms of the built in tools that the Google suite comes with, in what ways do they fall short?
B
Right. As I was saying earlier, there are built-in tools that will do some of the basics, but the minute that you really need to configure them to be more granular or take more specific actions that are appropriate for the context of your organization, that's where that flexibility is often not there. So to take an example for Google Drive, you know, Google has a built-in DLP offering that will actually help you identify certain types of sensitive data in Drive files and then take some sort of remediation action on files that have that data. Both the detection and the remediation are very, very blunt. Right. Security is never as simple as black and white. So by the time you need a lot of these controls, what we see is that customers end up not being able to use the built-in tools and instead are kind of trying to hack things together, either through third-party tools or by trying to use the APIs themselves. The general point is just a lack of flexibility and a lack of granularity. And I think there's also a sense that a lot of things are sort of incomplete. You know, the out-of-the-box tools, they get to kind of an 80%, but when you try to use them in real-world scenarios, there are kind of obvious gaps that you run into.
A
Well, I know an analogy that you like to use is to look back at sort of the history of security when it comes to email and some of the lessons we can take from that. Can you unpack that for us?
B
Yeah. I think the way we think about email security at Material is very related to how the company actually got started. And that was that we got started after some very high-profile email accounts were compromised in the 2016 US election cycle. And that led us to think about a very basic question, which is: why is it that all of email security is so focused on the perimeter, which is essentially blocking malicious emails from getting in? That's really, really important. But it's not really the only way that someone can get into an email account. And when someone gets into an email account, there's actually a lot of things that they can do that are unrelated to how they got in. So whether I did a phishing email, whether I stole credentials some other way, maybe I did an OAuth grant. The point is, if I'm inside a mailbox, there's actually a lot of additional damage I can do. And the email security industry didn't really focus on that problem. As we thought about this problem, what we realized is that there's actually a perfect analogy to how the antivirus market evolved into EDR. Right. So back in the day, the AV market was really about signature-based malware detection on the endpoint. And it was very black and white. It was like either you try to catch the malware or you don't. And if you kind of missed, if there was some malware that wasn't in your signature directory, there wasn't really anything else that that product was trying to do after that fact. Right. It was very much hit or miss. What we sort of learned by that is that nothing's ever going to be 100%. It's not really going to be the case that you're going to detect every single malware ever. And so you need to have a plan for other types of detection and response capabilities that you can do on the endpoint. That's what led to EDR. I think there's a very similar evolution happening with email.
You know, the marginal benefit of catching one more phishing email is going down. Simply thinking about catch rate as the only metric is sort of not that useful anymore, because no product is claiming that they will catch all malicious emails ever. So we kind of need to take an EDR mentality, which is: how can we broaden to thinking about not just the perimeter, but some of the adjacent use cases? Right. So how can we add controls that work even in the event of an account compromise? How can we add controls that actually help us harden processes within our companies that might rely on email in an insecure way? And when you put these things together, it's sort of leading to a view on email security that goes way beyond simply blocking the initial delivery of malicious emails, and actually prioritizing things like visibility, context, joining with other signals throughout the workspace, helping you remediate things not just by blocking emails, but taking more granular controls within the mailbox. And so, yeah, I think there's a very necessary evolution that has to take place.
A
Yeah, we mentioned Google Drive, and I think a lot of people will call Google Drive a gold mine for attackers. Can we dig into some of the specific risks here that people face?
B
There's kind of maybe two large categories of risk. So the one is more from an insider perspective. You might end up in a scenario where employees have access to a lot of information. And as you scale, you have to think about, okay, what does that mean from an insider perspective? Right. The first class of risks is really about your own employees and what information they have access to, and whether they can either maliciously or accidentally access information that they're not supposed to. The second class of risk is really about attackers and adversaries. So if someone does compromise a mailbox or does compromise a Google identity, obviously one of the first stores of content that they're going to go after is Google Drive, just because of the nature of data that ends up there. You know, legal documents, financial reports, PII, PCI, regulated data of all sorts. And that is information that can be monetized. It's information that can be ransomed. In that scenario, there's also kind of a risk not just from an account compromise, but from an account compromise that is external. Right. So those are the two big buckets I would put the risk in.
A
Yeah. Well, I mean, given everything that we've talked about here, what are your recommendations? I mean, how do you and your colleagues there at Material come at these specific issues?
B
One of the best things about Google Workspace is that they have very, very powerful APIs. And so even though there are some shortcomings in the security products that are out of the box, the APIs make it so that a lot of this information is available. Now, the difficulty is that to consume these APIs on your own can be challenging. You have to stand up services. There's infrastructure, there are many different APIs that can be hard to understand. The approach that the top security teams that we work with use is that they're using these APIs to consolidate a lot of the data in one place, and then building their own detections and response capabilities on top of that data and leveraging the APIs for that. Now, the problem is that the average company simply doesn't have the bandwidth to take on a project like that. They don't have the headcount necessary to do that.
A
If I'm a CISO and I decide that this is something that I want to take on, that my Google Workspace needs these extra levels of protection, what does that transition look like for me and my team?
B
So I think the first piece of advice is narrowing the problem and really starting to prioritize what aspects of Workspace we are going to start getting our arms around first. From there, again, what these APIs do let you do is, in a fairly low-impact-to-users way, start experimenting with getting some visibility and getting some basic controls in place over the risks. The key is to take it one step at a time and, again, start with a prioritized view on what the highest levels of risk in your Workspace are.
A
What does it look like on the other side? Once I'm fully up and running with something like this as a security leader in my organization?
B
The goal with something like Material is to free up resources for the security team so that they can go spend their time on more impactful things. And what that looks like is really two things. One, it's having confidence that you have visibility into what's going on. The second and more important thing is that you've set up a lot of auto-remediations. So when things do happen, instead of your team having to ingest some alert and now spend hours investigating it and then eventually taking some remediative action, whether it's a phishing email that automatically gets blocked or an externally shared file where the permissions automatically get revoked after confirming with the user, these are the kinds of automated workflows that you really want to enable. Because at that point, what the dream is, is that you're living in a world where a lot of this security is kind of taking care of itself, and when there are problems they're sort of self-healing.
A
That's Abhishek Agrawal, CEO and co-founder of Material Security.

They know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales' industry-leading platforms you can protect critical applications, data and identities, anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

I'm Christian McCaffrey, pro running back, and Abercrombie is an official fashion partner of the NFL. I'm not kidding when I say NFL by Abercrombie broke the NFL Internet last year, and I think this season's lineup is even cooler. And so does my wife, who keeps stealing all my hoodies. Stay fit for the season and Abercrombie's newest arrivals. Shop NFL by Abercrombie in the app, online and in store.

And finally, Conor Brian Fitzpatrick, better known to the underworld as Pompompurin, has finally discovered that running the Internet's largest English-language data breach bazaar doesn't come with frequent flier miles. It comes with prison time. The 22-year-old BreachForums founder originally got off with 17 days served, a sentence so light an appeals court labeled it "substantively unreasonable," which is judge-speak for "are you kidding me?" Now he'll serve three years, far short of the 15 prosecutors wanted, but a notable upgrade from a long weekend behind bars. During BreachForums' year-long reign, Fitzpatrick facilitated the sale of 14 billion stolen records and made nearly $700,000, proving crime pays, just not sustainably. He'll surrender his domains, devices and crypto stash, while the FBI reminds cybercriminals: if your business model depends on VPNs and stolen identities, the retirement plan is usually an extended stay at Club Fed.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Attention security startups: there's less than a week left to apply for the 2025 DataTribe Challenge. This unique program accelerates early-stage cyber companies. Refine your messaging with startup veterans, then pitch to top venture firms shaping the future of cyber. The live pitch competition takes center stage at Cyber Innovation Day, November 4th in Washington, DC. Applying is easy. Go to challenge.datatribe.com, share your company info and upload your pitch. Submissions close September 19th. Submit your entries today.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
This episode of CyberWire Daily delivers a comprehensive update on major cybersecurity headlines and in-depth industry analysis. Key topics include disruptive malware in key software repositories, takedowns of phishing platforms, advanced nation-state attacks, debates on critical government cyber funding, and an expert interview on the growing challenges of securing Google Workspace environments. The episode balances technical detail with industry implications and strategic recommendations, making it a must-listen for cybersecurity professionals and leaders.
The episode weaves authoritative analysis and industry perspective with a conversational, direct style. Guest insights are practical and experience-based, blending both high-level strategy ("identity is the new perimeter") and actionable recommendations ("start small, prioritize, automate").
This episode is essential for security leaders, practitioners, and anyone invested in cloud workspace security, incident response, and the evolving threat landscape. The expert interview on Workspace security provides not just context but a future-focused roadmap for defending organizational data and identity in SaaS environments.