Deadlines in the cloud.

Dave Bittner

You're listening to the Cyberwire network powered by N2K.

Advertisement Voice

Abercrombie's viral denim sale is back and Spotify listeners get an extra 15% off with code Spotify AF. Abercrombie is known for their denim with 30 to 50% off all jeans. Find out how denim should fit. Shop the viral Denim sale in the Abercrombie app online or in stores. Valid in stores and online through August 11, 2025 in US and Canada. Excludes clear price reflects discount code. Valid in US and Canada through August 11, 2025. Exclusions apply. See details online.

Steve Dietz

CISA issues an emergency directive to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations Soup dealer malware proves highly evasive Google patches a Gemini calendar Flawless A North Korean espionage group pivots to financial crime Russia's ROM com exploits a Winrar zero day Researchers turn Linux based webcams into persistent threats the Franklin Project enlists volunteer hackers to strengthen Cybersecurity at US water utilities. The DoD announces the winners of DARPA's two year AI cyber challenge. The US extradites Ghanaian nationals for their roles in a massive fraud ring. Our guest is Steve Dietz, president of mantech's Federal Civilian Sector, with a look at cell based security, oper centers and AI advice turns dinner into a medical mystery. It's Monday, August 11th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Foreign thanks for joining us here today. Happy Monday. It's great to have you with us. On August 7, CISA issued an emergency directive requiring federal agencies to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. The flaw allows attackers with existing admin access to on premises Exchange servers to escalate into Microsoft 365 cloud environments. Agencies must act by August 11, including assessing servers with Microsoft's Health Checkers script, disconnecting unsupported systems and updating Exchange 2019 or Exchange 2016. They must apply the April 2025 hotfix transition from legacy shared service principles to dedicated hybrid applications in Entra ID and clean credentials. Agencies must also prepare for Microsoft Graph API adoption as EWS deprecation begins in October. Compliance reports are due to CISA today and the directive remains active until all security measures are verified. Soup Dealer is a highly evasive malware that bypasses most public sandboxes, antivirus tools and EDR or XDR systems or while targeting Windows systems in Turkey via a geospecific phishing campaign distributed through malicious JAR files. It uses a three stage loader with heavy obfuscation, AES and RC4 encryption and Tor based command and control to hide its activity. The malware checks language and location settings to ensure it only runs in Turkey, then exfiltrates data, grants remote access and spreads via victims email accounts capable of privilege escalation, antivirus evasion, file management, screenshot capture, DDoS attacks and worm like propagation. Soup dealer underscores the weakness of cloud sandboxes. Researchers stress the need for on premises local dynamic analysis to protect critical infrastructure against such advanced region targeted threats. Google has patched a flaw in Gemini, its AI assistant integrated into Android, Automotive Workspace and Google Web Services that allowed malicious Google Calendar invites to trigger remote takeover and data theft. The attack used prompt injection hidden in event titles, which Gemini read when summarizing a user's schedule. This gave attackers access to Gmail, Calendar, Google Home and device controls, enabling actions like wiping events, extracting emails, tracking location, controlling smart devices and even joining zoom calls. The exploit required no special model access, bypassed prompt filtering and could be staged with up to six invites to stay hidden. Discovered by safe breach researchers, the bug was fixed before exploitation. Google credited responsible disclosure for accelerating new defenses against such adversarial AI attacks. North Korean hacking group scarcruft, known for espionage, is now deploying VCD ransomware in attacks targeting South Korea, marking a shift toward financial motives. In July, its Chinopunk subgroup used phishing emails disguised as postal code updates to deliver over nine types of malware, including Chile Chino variants, Data stealers and the NubSpy backdoor, which hides traffic via Pubnub. The campaign combined spying tools with ransomware, reflecting a growing trend of nation state actors blending espionage and cybercrime to generate revenue under economic sanctions. Russian threat group Romcom, also known as Storm 0978, exploited a WinRAR zero day in cyber espionage attacks on organizations in Europe and Canada. The path traversal flaw involving alternate data streams let attackers craft archives that extract files to attacker defined locations. Discovered by ESET. The bug was patched on July 30 with a Betafix released July 25, first seen July 18. The campaign used spear phishing emails with malicious archives posing as resumes targeting financial, defense, manufacturing and logistics firms. No compromises occurred, but intended payloads included Snipbot, Rustyclaw and Mythic agent backdoors. Researchers at Eclipsium have demonstrated how Linux based webcams can be turned into persistent threats using a technique dubbed Badcam, a variant of the well known BadUSB attack tested on Lenovo 510 FHD and Lenovo Performance FHD web cameras. The method exploits a missing firmware signature validation flaw to reflash the webcam's firmware. Unlike traditional BadUSB, Bad Cam doesn't require physical access. Attackers with remote code execution on a host can weaponize an attached webcam to reinfect the system, even after a full OS reinstall. The flaw can be paired with a Linux kernel vulnerability for host compromise. Lenovo patched the issue in a recent firmware update. Eclipsium warns other Linux based cameras and USB peripherals may also be at risk. The Franklin Project, Launched at Defcon 2023, enlists volunteer hackers to strengthen cybersecurity at US water utilities, especially small resource strapped ones. Founded by Jake Braun, the initiative drew overwhelming interest, with 350 volunteers aiding five utilities in Indiana, Oregon, Utah and Vermont at no cost. Tasks included changing default passwords, enabling MFA asset inventories, OT assessments and network mapping. Volunteers also educate utilities on nation state threats, noting incidents like China's Volt typhoon breaching small systems tied to critical infrastructure. With 50,000 U.S. water utilities and rising attacks from China and Iran, the project is rapidly scaling with partners like Dragos and funding from Craig Newmark Philanthropies to deploy free cybersecurity tools nationwide. In many cases, it's the only protection these utilities have. Last week at DEFCON, the U.S. defense Department announced Team Atlanta, a collaboration between Georgia tech, Samsung Research, Kaist and Posttech, as the winners of DARPA's two year AI Cyber Challenge. The competition tasked dozens of teams with building AI systems to automatically detect and patch vulnerabilities in massive codebases, with finalists working on 54 million lines of synthetic code. Team Atlanta earned $4 million for excelling at finding and fixing bugs. Blending traditional threat hunting tools with AI trails of bits and theori placed second and third overall. Competitors patched 77% of synthetic vulnerabilities, a significant improvement from last year's 37%. DARPA will release most winning tools publicly, with HHS aiming to use them to protect healthcare systems from ransomware. Officials believe these AI powered methods could transform vulnerability management across critical infrastructure. Three Ghanaian nationals have been extradited to the US and charged for their role in a massive fraud ring that stole over $100 million through romance scams and business email compromise attacks from 2016 through May of 2023. Operating as high ranking members of a Ghana based network, they targeted vulnerable older Americans and U.S. businesses laundering stolen funds through stateside middlemen. Romance scams involved posing as romantic partners to solicit money while BEC schemes spoofed company emails to authorize fraudulent wire transfers. Two of the men allegedly acted as chairmen overseeing operations. Charges include conspiracy to commit wire fraud, wire fraud, money laundering, and receiving stolen money, with potential sentences of up to 20 years per major count. Coming up after the break, my conversation with Steve Dietz, president of mantech's Federal civilian sector we're taking a look at cell based security operations centers and AI advice turns dinner into a medical mystery. Stay with us. Foreign.

Ben Yellen

I'm Ben Yellen, co host of the Caveat Podcast. Each Thursday we sit down and talk about the biggest legal and policy developments affecting technology that are shaping our world. Whether it be sitting down with experts or government officials, or breaking down the latest political developments, we talk about the stories that will have tangible impacts on businesses and people around the world. If you are looking to stay informed on what is happening and how it can impact you, and make sure to listen to the Caveat podcast.

Steve Dietz

Compliance regulations, third party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's V A n T a dot com CYBER.

Ben Yellen

This episode is brought to you by. Indeed, when your computer breaks, you don't wait for it to magically start working again. You fixed the problem. So why wait to hire the people your company desperately needs? Use indeed sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast terms and conditions app.

Steve Dietz

Steve Dietz is president of ManTech's federal civilian sector. And in today's sponsored Industry insights segment, we take a look at cell based security operations centers.

The cyber landscape is rapidly evolving these days and most federal government agencies are requiring more scalable, resilient and secure digital environments that can support mission delivery and withstand persistent cyber threats. You know, SOCs are one of those things that are necessary in the government. They are the front line to defending against cyber threats and a really key part of national security. And so in mantech, we're always looking to advance and innovating and investing in new approaches in cybersecurity because at our core is a company and the people, the patriots that Support us within ManTech, we are committed to securing our nation and securing the future. You alluded to it. We're going to be talking about our security operations center and how we operate in this model. And the expertise in cybersecurity that we have is fundamentally driving some really good outcomes for our federal clients and their missions.

Well, before we get to the details of this notion of cell based SOCs, can you explain for us, like what are some of the challenges that the folks who are running the sox, who are working in the sox, what are the day to day pain points for them?

Basically a SOC is an operations center. So they are monitoring the network activity and the data is enormous. The data that they have to analyze real time dec, what is a threat, what is not a threat, what is a false positive? It's managing that vast amount of data that these SOC folks that we'll get into a little bit later. These SOC folks have to deal with every day. And missing one could, could mean, you know, the, the impact of finding a threat, finding somebody in a network, giving them a day in the network versus giving them an hour in the network. It's very key that these SOC analysts are on their toes and identifying these threats as quickly as possible so that they can isolate them, sometimes study them to find out how they got in and what we can do to better prevent those types of activities.

Is it fair to say it's a combination of high pressure situation, potentially, but also a lot of signal to noise issues with, as you say, that kind of fire hose of data that constantly comes in?

It absolutely is. And a lot of that kind of turning down the fire hose is really figuring out those tools to identify the data. Every environment's different, every situation is different. And finding those right tools to make sure that that information is being culled out appropriately.

So you and your colleagues at Mantec have taken a look at this and come up with some ways that you believe you can improve the operations of a security operations center. What can you share with us?

So the traditional SOC is set up as you might expect. It comprises of a tiered system. So tier one, tier two, tier three. Tier one is typically made up of junior employees, those front lines who are taking the tickets, monitoring the activity, escalating issues to tier two. That second tier typically would have a few more years of experience and are mainly focused on incident response. And then tier three is made up of mostly those very experienced and advanced cyber professionals. There are a few issues with this setup that we have identified, specifically the significant delays in handoff between tiers. So wait for tier two to pick it up next. The least experienced people are making critical decisions. So that frontline tier one analyst is making some very critical decisions. Also because of that handoff delay, there are typically case backlogs, so not processing things as quickly. And then obviously in most high stress, high tempo jobs, there's high turnover. Mantech's approach to this is what we call cell based sox. And what it does is it functionally aligns tier one, two and three into what we call a cell together so that they can work cohesively and more efficiently and effectively on those issues. Each cell is responsible for delivering an outcome of measurable value, rather than simply a piece of that outcome. What this looks like practically is a single detection cell responsible for real time responses. This team is responsible for seeing the tickets through the entire life cycle to resolution instead of handing it off as it's typically done. As we talked about in the tiered system, this cell based model creates a more efficient workflow, increases situational awareness, enhances learning and career development for those SOC analysts, and ultimately minimizes resolution times, which is critical in a soc, ultimately helping agencies become more secure.

Well, help me understand here. So let's say that I have experience in a traditional sock and our group decides that we're going to adopt this cell based approach here. What's going to change for me and.

My team so operationally? First of all, we have a whole process that we go through because this is a, this is almost a cultural change within a soc. It is not an overnight flip the switch. Ah, you're magically. In a cell based soc, we have a process of retraining people, of setting expectations, of organizing, finding the talent, and also evaluating the tools within the soc and making sure that we have the tools aligned appropriately with the various cells that we set up and this, this really creates a more, a more value add job for the employees in the soc, because they aren't just surrounded by tier one people, they're now surrounded by tier two and tier three people. And actually training and learning becomes even quicker to get to those next levels.

So is it a situation where, for example, if I'm a tier one person and I think that something requires the attention of the tier 2 and tier 3 people in a normal sock, I would flag that it would go on its way and I might never see it again.

That's correct.

And in this case you're saying that I would have more of a view of that through its entire life cycle.

That's right. That's right. The whole cell would have a view through its entire life cycle.

I see. Is there any particular scaling of the cells themselves that you all have so far found to be effective? Like how many people in a group seems to be work or does that vary with every organization?

It varies with the types of cells we set up in every organization depending on the environments.

What are the outcomes here? You've experimented with this and you've decided that you're getting good results. What are those good results look like?

So first and foremost the model is designed to unlock, as we've talked about, the full potential of our human capital and empower and align our people to the outcomes that we want them to see and enable them to unleash their ingenuity. The cell based model itself is much more radically, was radically more efficient than the traditional tiered model. We've proven this over and over again. I mean, we've been running cell based SOCs for 8 to 10 years now in various customer agencies. So we have hard data to show that this is the right way to run a soc. This is the next generation of SOC operations. We've driven costs down for our customers, for, for running a soc and we've improved the actual security outcomes, minimizing false positives. And you know, in the, in the age of serious budget pressures, it's simply not sustainable to continue to throw more and more people at the tier one, Tier two, at the, at the problem. You know, instead we're helping our employees move up the value chain by providing focus, empowerment and accountability. You know, the cell based SOC is transformational for federal agencies. We've seen this over and over in an example of how ManTech is always advancing our clients mission by increasing our nation's security posture. With models like this, cell based SOC mantec's providing more efficient, reliable federal cybersecurity and enabling federal employees to focus on their core mission, maximizing the business value and lowering long term operational costs.

Can you explain for us what the transition looks like? If we're running a traditional soc and we decide this is what we want to adopt, what are we in for to make this switch over?

Again, it varies, I'm going to say that again, depending on the environment, but it would typically begin with us taking over the sock as is, and then it would be a assessment period where we would send our cell based SOC SMEs into the environment, working with the, working with the government folks and working with our team to understand how the SOC works and what types of things that they are looking for in that environment. Then we would provide some recommendations, a ton of training to the staff, likely a reorganization of how the SOC is structured, and then we implement. And that process could take a month, could take six months, depending on how complex the environment is.

Steve, we know how much everybody loves change. What about the employees themselves? I mean, how do you shepherd them through the process so that they're not afraid? Because ultimately we want them to see that it's going to be a good outcome. But those transitional periods can be hard.

Exactly. So we have stories to tell them and also once we tell them these stories of how we've implemented this and done this very effectively and actually we can bring in people that have done this to talk to the employees. And once we get through that initial, oh my gosh, we got a big change coming. They start to see the real value and not only the real value to the mission that they're supposed to, but the real value to them. Because we do focus on, as I mentioned, developing that whole employee and get them up the value chain so that they become more valuable.

That's Steve Dietz, president of mantech's Federal civilian sector.

Advertisement Voice

This episode is brought to you by State Farm. Checking off the boxes on your to do list is a great feeling. And when it comes to checking off coverage, a State Farm agent can help you choose an option that's right for you. Whether you prefer talking in person, on the phone or using the award winning app, it's nice knowing you have help finding coverage that best fits your needs. Like a good neighbor, State Farm is there.

Dave Bittner

Running a business comes with a lot of what ifs, but luckily there's a simple answer to them. Shopify. It's the commerce platform behind millions of businesses including Thrive Cosmetics and Momofuku. And it'll help you with everything you need, from website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into Sign up for your $1 per month trial@shopify.com specialoffer.

Steve Dietz

And finally, in a medical misadventure equal parts tragic and absurd, a 60 year old man landed in the ER with hallucinations, convinced his neighbor was poisoning him. The culprit was himself, courtesy of dietary advice he'd half understood from ChatGPT. Determined to eliminate chloride from his diet, he swapped table salt for sodium bromide, a fine choice if you're an epileptic dog or a swimming pool, but less so for humans. Three months later he had full blown bromism, a disorder so vintage it peaked in the 1800s. The AI had technically suggested bromide as a replacement for, but failed to say, don't eat this. The man recovered after three hospital bound weeks and OpenAI now promises safe completions to prevent such culinary chemistry experiences from ending in 19th century diseases. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian Show. Every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.