Is it cyber peace or just a buffer? - CyberWire Daily

Summary

CyberWire Daily: “Is it Cyber Peace or Just a Buffer?” – March 3, 2025

Host: Maria Varmazes
Produced by: N2K Networks

Introduction

On the March 3rd, 2025 episode of CyberWire Daily, host Maria Varmazes delves into a series of pressing cybersecurity issues shaping the global landscape. The episode, titled “Is it Cyber Peace or Just a Buffer?”, offers in-depth analysis and expert insights into recent developments, including strategic shifts in cyber operations, emerging threats, and regulatory actions. Additionally, the episode features a compelling interview with Igor Cygansky, Microsoft’s Global Chief Information Security Officer, shedding light on the significance of partnerships in cyber defense.

Key News Stories

U.S. Cyber Command Halts Offensive Operations Against Russia
- Overview: U.S. Defense Secretary Pete Hegath has directed Cyber Command to cease offensive cyber activities targeting Russia amid ongoing negotiations over the Ukraine conflict. This directive excludes the NSA and its signals intelligence operations.
- Implications: The pause aims to create a conducive environment for diplomatic talks but represents a significant strategic gamble. Former officials highlight that such pauses are standard during sensitive negotiations to prevent escalation.
- Quotes:
  - “The retreat from offensive cyber operations against Russian targets represents a huge gamble,” explains a senior defender [02:45].
- Analysis: Experts debate whether this pause will lead to reciprocal de-escalation from Russian cyber operations, considering the persistent "shadow war" tactics employed by Russia against the U.S. and its allies.
Ransomware Actors Exploit Paragon Partition Manager Vulnerabilities
- Overview: Microsoft researchers have identified five vulnerabilities in the Paragon Partition Manager driver, with at least one being actively exploited by ransomware groups to gain system-level privileges.
- Technical Details: The exploited flaw allows attackers with local access to escalate privileges or cause denial-of-service conditions. Notably, the attack leverages a Microsoft-signed driver, enabling exploitation even without Paragon Partition Manager installed.
- Recommendations: Paragon Software has released patches, and users are urged to update to the latest version to mitigate the risks.
- Quotes:
  - “Data is hard. Domo is easy,” emphasizes Ann Johnson during the ad segment preceding the news [00:11], highlighting the complexity of data security addressed by such vulnerabilities.
Amnesty International’s Analysis of Celebrate Exploit Chain
- Overview: Building on their December 2024 report, Amnesty International has unveiled a new case involving the misuse of Celebrate’s cell phone data extraction tool by the Serbian government to infiltrate the phones of youth activists.
- Technical Insights: The report details a sophisticated zero-day exploit targeting Android USB drivers within the Linux kernel, allowing unauthorized bypass of lock screens and elevated access.
- Broader Impact: The vulnerabilities have far-reaching implications beyond Android devices, potentially affecting a wide array of Linux-powered systems and embedded devices.
- Response: Following the report, Celebrate has suspended its services in Serbia, acknowledging the serious nature of the misuse.
- Quotes:
  - “Attackers don’t think about managerial boundaries,” reflects Igor Cygansky during the Cyber Tea segment, underscoring the need for holistic defense strategies [10:37].
California Orders Data Broker Shutdown for Delete Act Violations
- Overview: The California Privacy Protection Agency (CPPA) has mandated that data broker Background Alert cease operations for three years due to non-compliance with the California Delete Act.
- Regulatory Context: Enacted in January 2024, the Delete Act requires data brokers to register with the CPPA and provide mechanisms for consumers to request data deletion.
- Significance: This enforcement action is unprecedented, setting a strong precedent for regulatory oversight of data brokers.
- Quotes:
  - “Data is hard. Domo is easy,” reiterated by Ann Johnson in early ad segments, highlighting the complexities faced by data brokers under stringent regulations [00:11].
Common Crawl Database Exposes Nearly 12,000 API Keys and Passwords
- Overview: Researchers at Truffle Security discovered close to 12,000 valid API keys and passwords within the Common Crawl database, an extensive open-source repository used for training AI models.
- Cause: The exposure resulted from developers hardcoding sensitive credentials into front-end HTML and JavaScript, which were then archived by Common Crawl.
- Impact: Included sensitive data such as AWS root keys, Slack webhooks, and Mailchimp API keys, posing significant security risks.
- Advice: Developers are urged to employ best practices for credential management to prevent such inadvertent exposures.
Unauthorized Intrusion at Poland’s Space Agency IT Infrastructure
- Overview: Poland’s Minister for Digitalization reported an unauthorized breach of the Polish Space Agency’s IT infrastructure, leading to the disconnection of their network from the internet pending investigation.
- Nature of Attack: The Register indicates the incident may involve an internal email compromise, although specifics remain unclear.
- Current Status: Staff are advised to use phones instead of potentially compromised email systems as the investigation continues.

Afternoon Cyber Tea Segment: Partnership in Cyber Defense

Host: Ann Johnson
Guest: Igor Cygansky, Microsoft Global Chief Information Security Officer
Timestamp Highlight: [10:37]

In the Afternoon Cyber Tea segment, Ann Johnson engages in a thought-provoking discussion with Igor Cygansky about the pivotal role of partnerships in strengthening cyber defenses.

Holistic Defense Strategies: Cygansky emphasizes that effective cyber defense transcends organizational and geographical boundaries. “It takes a village,” he asserts, stressing that attackers operate without regard to such divisions, necessitating a unified defensive approach [10:37].
Risk Framework and Cost of Attacks: Cygansky outlines Microsoft's risk framework, aiming to elevate the cost of cyberattacks for adversaries. “There’s a very big difference if that attack costs a $10, a million dollars, $100 million, or a billion dollars,” he notes, highlighting the importance of joint defense initiatives to amplify defensive measures [11:20].
Evolving Cybersecurity Practices: He discusses the necessity for cybersecurity practices to evolve in tandem with operational strategies, given the dynamic nature of both technological advancements and adversarial tactics. “Our industry is ever evolving,” Cygansky remarks, underlining the continuous growth and adaptation required in cybersecurity [11:50].
Community and Empathy: Cygansky places significant emphasis on empathy within the cybersecurity community. He advocates for understanding the diverse challenges faced by different teams and fostering collaborative efforts to protect against unified threats. “Understanding that landscape, having empathy for all the players involved, including our attackers, is paramount,” he states [12:54].

Key Takeaways and Conclusions

Strategic Pauses in Cyber Operations: The temporary halt of offensive cyber activities against Russia reflects the intricate balance between strategic defense and diplomatic negotiations.
Emerging Threats Exploiting Vulnerabilities: The exploitation of Paragon Partition Manager and Celebrate’s tools underscores the persistent vulnerability of software systems and the need for timely patching and robust security measures.
Regulatory Oversight Intensifies: California’s stringent enforcement actions against data brokers signal a growing trend of regulatory scrutiny aimed at protecting consumer data privacy.
Importance of Secure Credential Management: The Common Crawl incident highlights the critical importance of secure coding practices to prevent inadvertent exposure of sensitive credentials.
Unified Defense Through Partnerships: Igor Cygansky’s insights reinforce the necessity of collaborative and empathetic approaches within the cybersecurity community to effectively counter sophisticated and boundary-less cyber threats.

Notable Quotes with Timestamps

“The retreat from offensive cyber operations against Russian targets represents a huge gamble,” – Senior Defense Official [02:45]
“Attackers don’t think about managerial boundaries,” – Igor Cygansky [10:37]
“There’s a very big difference if that attack costs a $10, a million dollars, $100 million, or a billion dollars,” – Igor Cygansky [11:20]
“Our industry is ever evolving,” – Igor Cygansky [11:50]
“Understanding that landscape, having empathy for all the players involved, including our attackers, is paramount,” – Igor Cygansky [12:54]

Conclusion

The March 3rd episode of CyberWire Daily provides a comprehensive overview of significant cybersecurity developments, from strategic shifts in national cyber operations to emerging threats exploiting software vulnerabilities. The insightful interview with Igor Cygansky underscores the critical importance of partnerships and holistic defense strategies in combating sophisticated cyber threats. As the cybersecurity landscape continues to evolve, the episode reinforces the necessity for adaptive, collaborative, and empathetic approaches to ensure robust and effective defense mechanisms.

For more detailed information on today's stories, listeners are encouraged to visit thecyberwire.com. Stay informed and stay secure.

Transcript

Maria Varmazes (0:02)

You're listening to the Cyberwire Network, powered by N2K.

Ann Johnson (0:11)

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect. Prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more@AI.domo.com that's AI.domo.com.

Maria Varmazes (1:01)

Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations Ransomware actors Exploit Paragon Partition Manager vulnerability Amnesty International publishes analysis of Celebrate Exploit Chain California orders data broker to shut down for violating the delete act on our afternoon Cyber Tea segment with host Ann Johnson of Microsoft Security, Anne speaks with Igor Cygansky, Microsoft's global chief information security officer, about the power of partnership in cyber defense. Today is Monday, March 3, 2025. I'm Maria Varmazes, host of the T Minus Space Daily, in for Dave Buettner, and this is your Cyber Wire Intel Brief. Foreign thanks for joining us on this first Monday in March. Onto today's stories, the record reports that U.S. defense Secretary Pete Hegath has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it doesn't include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US Official familiar with the order as saying that the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says that the operations being halted could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations, or disrupting a site promoting anti US Propaganda. The New York Times observes that former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyber operations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the shadow war underway against the United States and its traditional allies in Europe. The Pentagon, on its part, declined to comment on the report. A senior defense official told the Record, due to operational security concerns, we do not comment nor discuss cyber intelligence plans or operations. There is no greater priority to Secretary Hegseth than the safety of the warfighter in all operations to include the cyber domain. Researchers at Microsoft discovered five vulnerabilities affecting a driver used by Paragon Partition Manager, one of which is being exploited by ransomware actors, reports Bleeping Computer. Microsoft has observed ransomware attackers using the flaw to achieve system level privilege escalation before executing additional malware. An advisory from the CERT Coordination center explains an attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial of service scenario on the victim's machines. Additionally, as the attack involves a Microsoft signed driver, an attacker can leverage a bring your own vulnerable driver technique to exploit systems even if Paragon Partition Manager is not installed. Paragon Software has issued patches for the flaws and users of Partition Manager should upgrade to the latest version and now a follow up story to something that we covered last week. Amnesty International has published a follow up to its December 2024 report on the Serbian government's alleged misuse of Cellebrite's cell phone data extraction tool. Amnesty's latest report, published on Friday, outlines a new case of misuse of a Celebrate product to break into the phone of a youth activist in Serbia. The report shares technical details on a sophisticated zero day exploit chain targeting Android USB drivers developed by Celebrate. Amnesty explains that the exploit, which targeted Linux kernel USB drivers, enabled Celebrate customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non Android Linux devices. Last week, Celebrate announced that it would suspend its services in Serbia, citing Amnesty's December report. The State of California's Privacy Protection Agency, or cppa, last Thursday ordered a data broker to cease operations for three years for failing to register with the state, according to a report from the Record. The California Delete act, which took effect in January 2024, requires data brokers to register with the CPPA in order to provide a mechanism through which consumers can request to have their data deleted. The broker, in this case called Background Alert, has agreed to the settlement terms. The record notes that such a ruling against a data broker is unprecedented. Researchers at Truffle Security found just under 12,000 valid API keys and passwords in the Common Crawl database, which is an enormous open source repository of web data used for training AI models. The secrets included an AWS root key, live Slack webhooks, and nearly 1,500 unique Mailchimp API keys. The researchers stressed that Common Crawl isn't to blame. The keys were publicly exposed because web developers hard coded them into front end HTML and JavaScript, and the web pages were then archived by Common Crawl. Poland's Minister for Digitalization said yesterday that the Polish space Agency's IT infrastructure sustained an unauthorized intrusion and the agency has disconnected its network from the Internet while it investigates the incident. We should note that the nature of the attack is unclear. The Register cites a source inside the agency as saying that the incident was related to an internal email compromise, and staff have been told to rely on phones instead. Stay tuned for further developments here and on our T Minus Space Daily podcast. Coming up after our break, Ann Johnson from Microsoft Security joins us for her monthly afternoon Cyber Tea segment. And we click and call with an old friend.