Maria Varmazis
You're listening to the Cyberwire Network, powered by N2K.
Ann Johnson
Your business needs AI solutions that are not only ambitious but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.
Maria Varmazis
Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations. Ransomware actors exploit a Paragon Partition Manager vulnerability. Amnesty International publishes an analysis of a Cellebrite exploit chain. California orders a data broker to shut down for violating the Delete Act. On our Afternoon Cyber Tea segment with host Ann Johnson of Microsoft Security, Ann speaks with Igor Tsyganskiy, Microsoft's global chief information security officer, about the power of partnership in cyber defense. Today is Monday, March 3, 2025. I'm Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner, and this is your CyberWire Intel Brief.

Thanks for joining us on this first Monday in March. On to today's stories. The Record reports that U.S. Defense Secretary Pete Hegseth has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it doesn't include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US official familiar with the order as saying that the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says that the operations being halted could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations, or disrupting a site promoting anti-US propaganda. The New York Times observes that former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyber operations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the shadow war underway against the United States and its traditional allies in Europe. The Pentagon, for its part, declined to comment on the report. A senior defense official told The Record, "Due to operational security concerns, we do not comment nor discuss cyber intelligence plans or operations. There is no greater priority to Secretary Hegseth than the safety of the warfighter in all operations, to include the cyber domain."

Researchers at Microsoft discovered five vulnerabilities affecting a driver used by Paragon Partition Manager, one of which is being exploited by ransomware actors, reports BleepingComputer. Microsoft has observed ransomware attackers using the flaw to achieve system-level privilege escalation before executing additional malware. An advisory from the CERT Coordination Center explains, "An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service scenario on the victim's machine. Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage a bring-your-own-vulnerable-driver technique to exploit systems even if Paragon Partition Manager is not installed." Paragon Software has issued patches for the flaws, and users of Partition Manager should upgrade to the latest version.

And now a follow-up story to something that we covered last week. Amnesty International has published a follow-up to its December 2024 report on the Serbian government's alleged misuse of Cellebrite's cell phone data extraction tool. Amnesty's latest report, published on Friday, outlines a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia. The report shares technical details on a sophisticated zero-day exploit chain targeting Android USB drivers developed by Cellebrite.
Amnesty explains that the exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices. Last week, Cellebrite announced that it would suspend its services in Serbia, citing Amnesty's December report.

The State of California's Privacy Protection Agency, or CPPA, last Thursday ordered a data broker to cease operations for three years for failing to register with the state, according to a report from The Record. The California Delete Act, which took effect in January 2024, requires data brokers to register with the CPPA in order to provide a mechanism through which consumers can request to have their data deleted. The broker in this case, called Background Alert, has agreed to the settlement terms. The Record notes that such a ruling against a data broker is unprecedented.

Researchers at Truffle Security found just under 12,000 valid API keys and passwords in the Common Crawl database, which is an enormous open-source repository of web data used for training AI models. The secrets included an AWS root key, live Slack webhooks, and nearly 1,500 unique Mailchimp API keys. The researchers stressed that Common Crawl isn't to blame. The keys were publicly exposed because web developers hard-coded them into front-end HTML and JavaScript, and the web pages were then archived by Common Crawl.
Poland's Minister for Digitalization said yesterday that the Polish Space Agency's IT infrastructure sustained an unauthorized intrusion, and the agency has disconnected its network from the Internet while it investigates the incident. We should note that the nature of the attack is unclear. The Register cites a source inside the agency as saying that the incident was related to an internal email compromise, and staff have been told to rely on phones instead. Stay tuned for further developments here and on our T-Minus Space Daily podcast. Coming up after our break, Ann Johnson from Microsoft Security joins us for her monthly Afternoon Cyber Tea segment. And we click and call with an old friend.
Ann Johnson
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.
Maria Varmazis
Next up is our monthly Afternoon Cyber Tea podcast segment with host Ann Johnson of Microsoft Security. Today, Ann speaks with Igor Tsyganskiy, Microsoft's global chief information security officer, about the power of partnership in cyber defense. Ann and Igor discuss the challenges and optimism driving the fight against cyber threats.
Ann Johnson
Today, we are excited to welcome Igor Tsyganskiy, Microsoft Chief Information Security Officer, with a remarkable career in technology, cybersecurity and enterprise defense. Welcome to Afternoon Cyber Tea, Igor.
Igor Tsyganskiy
Glad to be here.
Ann Johnson
You know, I talk frequently about cybersecurity being a big data problem. You talk about complex signal processing. I've also heard you say many times that attackers think in graphs and we think in lists. Can you just talk about how all that comes together to build a better defense, for not just Microsoft, but for the community?
Igor Tsyganskiy
Yeah. Well, first of all, I think it takes a village, right? So at the end of the day, when one attacks and you have to think about it as an attacker, they don't think about managerial boundaries, organizational boundaries, corporate boundaries. All they want to do is get to target whatever the target is to achieve success. And it's very hard when you are on the defense side to think about defense than just as my department or as my company and not some other company. You kind of have to think holistically to defend. Holistic attacks require holistic defense.
Ann Johnson
But when you're thinking about what we prioritize next, can you talk a little bit about risk? How do you think about it in terms of a risk framework?
Igor Tsyganskiy
The way I think about risk framework is we want to elevate the cost of an attack for any attackers at Microsoft. Right. So at the end of the day, there's a very big difference if that attack costs $10, a million dollars, $100 million, or a billion dollars. One of the ways to increase the cost is to do joint defense, because then you can defend on behalf of everyone, and therefore you have more opportunities to increase the cost. I work with all the leaders across the company. I would say that for every leader in the company, the notion that their product needs to be trustworthy, secure is the number one priority, because it's just common sense. And so basically, from that standpoint of view, I would say it's more of a partnership and collaboration versus I need to check on someone not only run securely, but evolve securely. And that's what no one. There are industries where a product that they sell does not change for decades. A bottle of water, plastic bottle of water that I bought 10 years ago, may be the same plastic bottle of water that I have today. This is not our industry. Our industry is ever evolving. Our industry is rapidly changing. Our industry is constantly growing, both on the good side, meaning the side where we add value to the world, but also on the adversary side. And so nothing is static. So you have to evolve cybersecurity practices as you evolve operational practices.
Ann Johnson
How do you think about your community and how you tap into CISOs and what's important to you?
Igor Tsyganskiy
Well, first thing is empathy. I have a huge development shop, have lots of developers working for me. They just don't do cybersecurity. They do security software parts to secure Microsoft. We have an R&D arm, we have a research arm. Many of the folks that I work with don't have that benefit. And yet they have to protect their estates. And so having empathy for what their circumstances are, understanding what their circumstances are and helping them is extremely important. Now, the Internet itself and adversaries are a great equalizer, so they won't care that one company or one division is in, let's say, Europe with one set of regulatory requirements. Another one is in the United States and a third one is somewhere in Asia. And that company deals with a bunch of other companies who have a different set of regulatory requirements. What they'll do is they'll just take advantage of that. At the end of the day, everyone is partnering to do one thing, which is protect ourselves from the bad guys. And just understanding that landscape, having empathy for all the players involved, including our attackers, is paramount.
Ann Johnson
Well, thank you, Igor, and many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.
Maria Varmazis
You can catch new episodes of Afternoon Cyber Tea every other Tuesday on the N2K CyberWire Network and on your favorite podcast app.
Ann Johnson
And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
Maria Varmazis
Oh, that is such a nostalgic sound, isn't it? Last week, Microsoft announced that it's officially pulling the plug on Skype, with the service shutting down on May 5th. At this point, Skype has become more of a niche app. Back in 2023, Microsoft said it still had 36 million users, which is a huge drop from its peak of 300 million, including me and our own Dave Bittner, who, by the way, conducted all of his CyberWire interviews for this podcast via Skype back in the day. Fun fact there. Even though Skype is fading out, its impact is still everywhere. The technology behind it helped shape the security and privacy features that protect today's most popular messaging apps. In many ways, the world is just a little bit safer and more free because Skype's original developers pioneered ideas that set the foundation for modern encrypted communication. Ending call.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. N2K Senior Producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I am your host, Maria Varmazis. Thanks for listening. We'll see you tomorrow.
Ann Johnson
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement by connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Host: Maria Varmazis
Produced by: N2K Networks
On the March 3rd, 2025 episode of CyberWire Daily, host Maria Varmazis delves into a series of pressing cybersecurity issues shaping the global landscape. The episode, titled “Is it Cyber Peace or Just a Buffer?”, offers in-depth analysis and expert insights into recent developments, including strategic shifts in cyber operations, emerging threats, and regulatory actions. Additionally, the episode features a compelling interview with Igor Tsyganskiy, Microsoft’s Global Chief Information Security Officer, shedding light on the significance of partnerships in cyber defense.
U.S. Cyber Command Halts Offensive Operations Against Russia
Overview: U.S. Defense Secretary Pete Hegseth has directed Cyber Command to cease offensive cyber activities targeting Russia amid ongoing negotiations over the Ukraine conflict. The full scope of the directive is unclear, but it excludes the NSA and its signals intelligence operations.
Implications: The pause is reported to last only as long as the Ukraine negotiations continue and is intended to keep cyber operations from derailing the talks, but it represents a significant strategic gamble. Former officials told The New York Times that such pauses are common during sensitive diplomatic negotiations.
Analysis: Experts debate whether this pause will lead to reciprocal de-escalation from Russian cyber operations, considering the persistent "shadow war" tactics employed by Russia against the U.S. and its allies.
Ransomware Actors Exploit Paragon Partition Manager Vulnerabilities
Overview: Microsoft researchers have identified five vulnerabilities in the Paragon Partition Manager driver, with at least one being actively exploited by ransomware groups to gain system-level privileges.
Technical Details: The vulnerabilities allow an attacker with local access to escalate privileges or cause a denial-of-service condition. Because the vulnerable driver carries a valid Microsoft signature, an attacker can ship a copy of it with their own tooling and load it on a target (a bring-your-own-vulnerable-driver, or BYOVD, technique), so machines that never had Paragon Partition Manager installed are exposed as well.
Recommendations: Paragon Software has released patches, and users should update to the latest version. Note that patching the product only closes the installed-software path; an attacker can still bring an old signed copy of the driver to a fully patched host, so the BYOVD path has to be closed on the endpoint by blocking the vulnerable driver builds themselves (Microsoft's vulnerable driver blocklist is the standard control for this).
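The BYOVD angle matters for detection as much as for patching: a validly signed driver loading from a user-writable directory is the tell, while a vulnerable build that was legitimately installed into the driver store only shows up by hash. The following is an added example, not code from the episode, from Microsoft, or from Paragon; it triages constructed Sysmon Event ID 6 (DriverLoad) records with that pair of checks. The field names follow Sysmon's schema, but every path, file name and hash below is invented for the example, and the "known vulnerable" hash set stands in for a list a defender would populate from the vendor advisory or Microsoft's vulnerable driver blocklist, not something to copy as-is:

```python
import re

# Constructed hashes: H_VULN stands in for a known-vulnerable driver build.
H_OK, H_VULN, H_UNSIGNED, H_UNKNOWN = "1" * 64, "2" * 64, "3" * 64, "4" * 64

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to key="value"
# pairs the way a log forwarder might emit them. Only the field names are real.
SAMPLE_EVENTS = [
    f'ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed="true" '
    f'Signature="Microsoft Windows" SignatureStatus="Valid" Hashes="SHA256={H_OK}"',
    # signed driver dropped into a user-writable directory: the BYOVD pattern
    f'ImageLoaded="\\??\\C:\\Users\\Public\\pm.sys" Signed="true" '
    f'Signature="Microsoft Windows Hardware Compatibility Publisher" '
    f'SignatureStatus="Valid" Hashes="SHA256={H_UNKNOWN},IMPHASH={"0" * 32}"',
    # the same class of driver legitimately installed: only the hash gives it away
    f'ImageLoaded="\\SystemRoot\\System32\\drivers\\vendor.sys" Signed="true" '
    f'Signature="Microsoft Windows Hardware Compatibility Publisher" '
    f'SignatureStatus="Valid" Hashes="SHA256={H_VULN}"',
    f'ImageLoaded="C:\\Windows\\Temp\\x.sys" Signed="false" Signature="" '
    f'SignatureStatus="Unavailable" Hashes="SHA256={H_UNSIGNED}"',
]

# Constructed placeholder for a defender-maintained list of vulnerable driver hashes.
KNOWN_VULNERABLE_SHA256 = {H_VULN}

# Directories where the OS and driver installers normally place drivers.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one flattened key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))


def normalize_path(path):
    """Fold the NT-style prefixes Sysmon reports into a plain lowercase Win32 path."""
    p = path.lower()
    if p.startswith("\\??\\"):                 # \??\C:\... -> c:\...
        p = p[4:]
    if p.startswith("\\systemroot\\"):         # \SystemRoot\... -> c:\windows\...
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p


def sha256_of(event):
    """Pull the SHA256 out of Sysmon's comma-separated Hashes field."""
    for part in event.get("Hashes", "").split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return None


def classify(event):
    """Return an alert label for a driver load, or None if it looks routine."""
    path = normalize_path(event["ImageLoaded"])
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if sha256_of(event) in KNOWN_VULNERABLE_SHA256:
        return "known_vulnerable_driver"       # vulnerable build, wherever it lives
    if not signed_ok:
        return "unsigned_or_invalid_driver"    # should not load at all without test-signing
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        return "byovd_candidate"               # valid signature, attacker-controlled location
    return None


def triage(lines):
    """Classify every record and return (label, normalized path) for the suspicious ones."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            alerts.append((label, normalize_path(event["ImageLoaded"])))
    return alerts


if __name__ == "__main__":
    for label, path in triage(SAMPLE_EVENTS):
        print(f"{label:28s} {path}")
```

Run stand-alone, it reports three of the four loads: the driver under C:\Users\Public is a BYOVD candidate on location alone, the copy under System32\drivers is caught only because its hash is on the list, and the unsigned driver in Windows\Temp is flagged outright. The path heuristic will also fire on legitimately installed third-party drivers that live outside the two trusted directories, so treat it as a triage signal to pair with the hash list and the host's driver-install history, not as a verdict on its own.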
Amnesty International’s Analysis of Cellebrite Exploit Chain
Overview: Building on its December 2024 report on the Serbian government’s alleged misuse of Cellebrite’s phone data extraction tool, Amnesty International has documented a new case in which a Cellebrite product was used to break into the phone of a youth activist in Serbia.
Technical Insights: The report details a zero-day exploit chain against USB drivers in the Linux kernel that let a Cellebrite customer with physical access to a locked Android device bypass the lock screen and gain privileged access on the device.
Broader Impact: Because the targeted drivers are core Linux kernel code rather than vendor-specific components, the impact is not limited to a particular device or vendor; Linux computers and Linux-powered embedded devices could be exposed to the same physical attacks, although Amnesty found no evidence the chain was built to target non-Android Linux devices.
Response: Cellebrite announced last week, citing Amnesty’s December report, that it would suspend its services in Serbia.
California Orders Data Broker Shutdown for Delete Act Violations
Overview: The California Privacy Protection Agency (CPPA) has mandated that data broker Background Alert cease operations for three years due to non-compliance with the California Delete Act.
Regulatory Context: Enacted in January 2024, the Delete Act requires data brokers to register with the CPPA and provide mechanisms for consumers to request data deletion.
Significance: The Record notes that an order of this kind against a data broker is unprecedented; Background Alert has agreed to the settlement terms.
Common Crawl Database Exposes Nearly 12,000 API Keys and Passwords
Overview: Researchers at Truffle Security discovered close to 12,000 valid API keys and passwords within the Common Crawl database, an extensive open-source repository used for training AI models.
Cause: The exposure resulted from developers hardcoding sensitive credentials into front-end HTML and JavaScript, which were then archived by Common Crawl.
Impact: The secrets included an AWS root key, live Slack webhooks, and nearly 1,500 unique Mailchimp API keys, all of them valid at the time of the research and usable by anyone who found them.
Advice: Credentials belong on the server side, never in front-end HTML or JavaScript; anything shipped to the browser is public, and a key that has already been crawled cannot be un-leaked by editing the page, only by revoking and rotating it.
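Finding this class of leak is mechanical once the credential shapes are known, which is the point the Truffle Security research makes: the keys were sitting in plain text in pages anyone could fetch. As an added example (not Truffle Security's tooling, nor code from the episode), the block below runs a handful of pattern detectors over a constructed front-end page, reports each match with its line number, and counts unique secrets the way the 1,500-unique-Mailchimp-keys figure does. The detector regexes are illustrative approximations of the key formats, and the credential values are documentation placeholders or made-up strings, labelled as such in the sample:

```python
import re
from dataclasses import dataclass

# Constructed front-end page. The credential values are documentation
# placeholders (AWS's AKIAIOSFODNN7EXAMPLE pair, Slack's T00000000/B00000000
# webhook form) or made-up strings, embedded the way the story describes.
SAMPLE_HTML = """<html><head>
<script>
  // constructed example: a real app must never ship these to the browser
  const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
  const AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
  fetch("https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX", {method: "POST"});
</script>
</head><body>
<form data-mc-key="0123456789abcdef0123456789abcdef-us6"></form>
<!-- the same key repeated elsewhere on the page is still one unique secret -->
<script>var mcKey = "0123456789abcdef0123456789abcdef-us6";</script>
</body></html>
"""

# Illustrative detectors for the credential types the story names. Group 1
# isolates the secret itself from any surrounding context the regex needs.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # secret keys have no fixed prefix, so require "aws ... secret" context nearby
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?[\"']([A-Za-z0-9/+=]{40})[\"']"),
    "slack_webhook": re.compile(
        r"(https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]{20,})"),
    "mailchimp_api_key": re.compile(r"\b([0-9a-f]{32}-us[0-9]{1,2})\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    secret: str
    line: int


def scan_text(text):
    """Return every credential-shaped match with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, match.group(1), lineno))
    return findings


def unique_secrets(findings):
    """Dedupe the way the story's counts do: one entry per distinct key."""
    return {(f.kind, f.secret) for f in findings}


def redact(secret):
    """Show enough of a key to recognise it in a report without reprinting it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "*" * len(secret)


if __name__ == "__main__":
    found = scan_text(SAMPLE_HTML)
    for f in found:
        print(f"line {f.line:3d}  {f.kind:24s} {redact(f.secret)}")
    print(f"{len(found)} matches, {len(unique_secrets(found))} unique secrets")
```

Pattern matching only yields candidates: a production scanner such as TruffleHog additionally verifies each candidate against the provider's API before calling it valid, and that verification step is what makes a figure like "12,000 valid keys" meaningful rather than a count of lookalike strings. When a real key does turn up in a page that has already been crawled, removing it from the HTML does nothing for the archived copies; the remediation is to revoke and rotate the credential and move the call that needed it behind a server-side endpoint.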
Unauthorized Intrusion at Poland’s Space Agency IT Infrastructure
Overview: Poland’s Minister for Digitalization reported an unauthorized breach of the Polish Space Agency’s IT infrastructure, leading to the disconnection of their network from the internet pending investigation.
Nature of Attack: The Register indicates the incident may involve an internal email compromise, although specifics remain unclear.
Current Status: Staff are advised to use phones instead of potentially compromised email systems as the investigation continues.
Host: Ann Johnson
Guest: Igor Tsyganskiy, Microsoft Global Chief Information Security Officer
Timestamp Highlight: [10:37]
In the Afternoon Cyber Tea segment, Ann Johnson engages in a thought-provoking discussion with Igor Tsyganskiy about the pivotal role of partnerships in strengthening cyber defenses.
Holistic Defense Strategies: Tsyganskiy emphasizes that effective cyber defense transcends organizational and geographical boundaries. “It takes a village,” he asserts, stressing that attackers operate without regard to such divisions, so holistic attacks require holistic defense [10:37].
Risk Framework and Cost of Attacks: Tsyganskiy outlines Microsoft's risk framework, which aims to raise the cost of an attack for adversaries. “There’s a very big difference if that attack costs $10, a million dollars, $100 million, or a billion dollars,” he notes, pointing to joint defense as one way to raise that cost because it lets defenders act on behalf of everyone [11:20].
Evolving Cybersecurity Practices: He discusses the necessity for cybersecurity practices to evolve in tandem with operational practices, given the dynamic nature of both technological advancements and adversarial tactics. “Our industry is ever evolving,” Tsyganskiy remarks, contrasting software with products that stay unchanged for decades [11:50].
Community and Empathy: Tsyganskiy places significant emphasis on empathy within the cybersecurity community, noting that most of the CISOs he works with lack Microsoft's in-house development and research capacity yet still have to protect their estates, and that adversaries exploit differences in regulatory requirements across regions. “Understanding that landscape, having empathy for all the players involved, including our attackers, is paramount,” he states [12:54].
Strategic Pauses in Cyber Operations: The temporary halt of offensive cyber activities against Russia reflects the intricate balance between strategic defense and diplomatic negotiations.
Emerging Threats Exploiting Vulnerabilities: The Paragon driver flaw, already used by ransomware actors, and the Cellebrite exploit chain against Linux kernel USB drivers underscore the persistent vulnerability of software systems and the need for timely patching and robust security measures.
Regulatory Oversight Intensifies: California’s stringent enforcement actions against data brokers signal a growing trend of regulatory scrutiny aimed at protecting consumer data privacy.
Importance of Secure Credential Management: The Common Crawl incident highlights the critical importance of secure coding practices to prevent inadvertent exposure of sensitive credentials.
Unified Defense Through Partnerships: Igor Tsyganskiy’s insights reinforce the necessity of collaborative and empathetic approaches within the cybersecurity community to effectively counter sophisticated and boundary-less cyber threats.
“The retreat from offensive cyber operations against Russian targets represents a huge gamble,” – The New York Times, as cited in the episode [02:45]
“They don’t think about managerial boundaries, organizational boundaries, corporate boundaries,” – Igor Tsyganskiy, on attackers [10:37]
“There’s a very big difference if that attack costs $10, a million dollars, $100 million, or a billion dollars,” – Igor Tsyganskiy [11:20]
“Our industry is ever evolving,” – Igor Tsyganskiy [11:50]
“Understanding that landscape, having empathy for all the players involved, including our attackers, is paramount,” – Igor Tsyganskiy [12:54]
The March 3rd episode of CyberWire Daily provides a comprehensive overview of significant cybersecurity developments, from strategic shifts in national cyber operations to emerging threats exploiting software vulnerabilities. The insightful interview with Igor Tsyganskiy underscores the critical importance of partnerships and holistic defense strategies in combating sophisticated cyber threats. As the cybersecurity landscape continues to evolve, the episode reinforces the necessity for adaptive, collaborative, and empathetic approaches to ensure robust and effective defense mechanisms.
For more detailed information on today's stories, listeners are encouraged to visit thecyberwire.com. Stay informed and stay secure.