CyberWire Daily: Microsoft Squashes Windows Server Bug
Release Date: April 17, 2025
Host: Dave Bittner
Publisher: N2K Networks
Introduction
In the April 17, 2025, episode of CyberWire Daily, host Dave Bittner delivers an in-depth analysis of the latest cybersecurity developments, encompassing emergency patches, significant breaches, and expert insights into evolving security strategies. This summary encapsulates the key discussions, expert interviews, and critical updates presented in the episode.
Major Security Updates
Microsoft Issues Emergency Updates for Windows Server
Microsoft has released out-of-band updates for Windows Server to fix a bug that prevented Windows containers from starting when run with Hyper-V isolation. The failure was caused by a mismatch between the system file versions inside the container and those on the host; the fix ensures containers pick up the correct host files. This is a reliability bug rather than a security vulnerability, but it blocks patched hosts from running isolated workloads, which matters to anyone relying on Hyper-V isolation as the security boundary between containers. The updates are not offered through Windows Update and must be downloaded manually from the Microsoft Update Catalog; Microsoft has published instructions for installing them with DISM, either on a running system or by injecting them into installation media.
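Applying an update that is only published to the Microsoft Update Catalog, as an added example rather than Microsoft's own published instructions or code from the episode: the script takes the downloaded .msu as a parameter, verifies its Authenticode signature, installs it either on the running host or into an offline install.wim, and then checks that a Hyper-V isolated container starts. The .msu path, the install.wim path, the image index, the mount directory and the container image tag are placeholders chosen for illustration; the page names none of them.

```powershell
<#
  Added example: install an out-of-band Windows Server update obtained from the
  Microsoft Update Catalog, then confirm that Hyper-V isolated containers start.
  Run from an elevated PowerShell prompt. Placeholders (not from the episode):
  the .msu file, the install.wim path, the image index and the test image tag.
#>
param(
    [Parameter(Mandatory)] [string] $MsuPath,   # e.g. C:\Updates\windows-server-oob.msu (placeholder name)
    [string] $InstallWim,                       # optional: a writable copy of install.wim from installation media
    [int]    $ImageIndex = 1,                   # edition index inside install.wim
    [string] $MountDir   = 'C:\Mount',
    [string] $TestImage  = 'mcr.microsoft.com/windows/nanoserver:ltsc2022'  # assumed tag; match your host build
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $MsuPath)) { throw "Update package not found: $MsuPath" }

# Verify the package is Microsoft-signed before servicing anything with it.
$sig = Get-AuthenticodeSignature -FilePath $MsuPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to install: signature status '$($sig.Status)' from '$($sig.SignerCertificate.Subject)'"
}

if ($InstallWim) {
    # Offline servicing: inject the package into installation media so new hosts are built already patched.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $InstallWim -Index $ImageIndex -Path $MountDir
    try {
        Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath
    } finally {
        # -Save commits the change; without it the mount is discarded.
        Dismount-WindowsImage -Path $MountDir -Save
    }
} else {
    # Live servicing of the running host (the cmdlet form of DISM /Online /Add-Package).
    Add-WindowsPackage -Online -PackagePath $MsuPath -NoRestart
    $pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if ($pending) { Write-Warning 'Reboot required before the fix takes effect.' }
}

# Post-patch check on a live host with Docker: a Hyper-V isolated container must start.
if (-not $InstallWim -and (Get-Command docker -ErrorAction SilentlyContinue)) {
    docker run --rm --isolation=hyperv $TestImage cmd /c ver
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Hyper-V isolated container still fails to start on this host.' }
}
```

Copy install.wim off the ISO before pointing the script at it, since the mounted ISO is read-only, and use an image index that matches the edition you deploy (`Get-WindowsImage -ImagePath <install.wim>` lists them). The container image tag must correspond to the host's OS build, otherwise the start failure being tested for is masked by an ordinary version mismatch.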
Apple Releases Emergency Security Updates for Two Zero-Day Vulnerabilities
Apple has released emergency security updates for two zero-day vulnerabilities exploited in targeted attacks on iPhones. The flaws affect iOS, iPadOS, macOS, tvOS and visionOS. One allows code execution when a maliciously crafted audio stream in a media file is processed; the other bypasses Pointer Authentication, a hardware-backed memory-safety protection on Apple silicon. Apple described the attack as "extremely sophisticated" but released no further details. Although the known exploitation was targeted, all users should update promptly: once a fix ships, the underlying bugs are routinely reverse-engineered and reused more widely. This brings Apple's count of exploited zero-days for 2025 to five.
CISA Extends MITRE's Contract to Manage CVE and CWE Programs
The Cybersecurity and Infrastructure Security Agency (CISA) has extended MITRE's contract to run the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs by 11 months. The extension averts a disruption to the global vulnerability tracking system that had been feared when the contract was set to expire on April 16. MITRE has operated these programs for 25 years, and the funding scare followed its announcement of staff layoffs driven by broader budget cuts. Separately, a group of CVE board members has announced a CVE Foundation intended to move CVE oversight away from exclusive U.S. government control, and parallel efforts such as the Global CVE (GCVE) identifier system and the EU's vulnerability database aim to reduce dependence on a single funder for vulnerability identification.
Research and Vulnerability Insights
NVISO Research Uncovers Windows Versions of the BRICKSTORM Backdoor
Research by NVISO has identified Windows variants of the BRICKSTORM backdoor, attributed to the Chinese advanced persistent threat (APT) group UNC5221. Active since at least 2022, these variants primarily target European organizations. The backdoor is written in Go and provides stealthy file manipulation and network tunneling, with command and control carried over DNS over HTTPS. It maintains persistence through scheduled tasks and uses stolen valid credentials to move laterally over Remote Desktop Protocol (RDP) and Server Message Block (SMB), rather than exploiting vulnerabilities in those services. It also hides its infrastructure behind public cloud services and evades detection with encrypted, multiplexed command and control (C2) connections.
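A host-level hunt for the traits described above (scheduled-task persistence, a Go-compiled binary, encrypted C2 on 443 as used by DNS over HTTPS, and credentialed RDP/SMB logons), as an added example that is not part of NVISO's report or the episode. The "Go build ID:" string is a generic Go toolchain artifact used here as a heuristic, not a BRICKSTORM indicator from the research; the trusted-directory list and the 24-hour logon window are assumptions.

```powershell
<#
  Added example: triage scheduled tasks, their binaries' outbound HTTPS sessions,
  and recent RDP/network logons for the persistence and movement patterns above.
  Heuristic only; every hit needs analyst review. Assumptions: the trusted
  directories, the "Go build ID:" marker and the logon time window.
#>
function Get-SuspiciousTaskBinaries {
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute path
            # Actions are stored like "%ProgramData%\tool\svc.exe"; expand variables and strip quotes.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
            $inTrustedDir = $false
            foreach ($dir in $trusted) { if ($exe.StartsWith($dir, 'OrdinalIgnoreCase')) { $inTrustedDir = $true } }
            $sig  = Get-AuthenticodeSignature -FilePath $exe
            # Go toolchains embed a "Go build ID:" string; treat it as a hint, not proof.
            $isGo = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($exe)).Contains('Go build ID:')
            if (-not $inTrustedDir -and ($sig.Status -ne 'Valid' -or $isGo)) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Principal = $task.Principal.UserId
                    Binary    = $exe
                    Signature = $sig.Status
                    GoBinary  = $isGo
                    Args      = $action.Arguments
                }
            }
        }
    }
}

function Get-OutboundHttpsByProcess {
    # DoH and HTTPS C2 blend into normal 443 traffic, so correlate the owning process
    # with the task binaries above instead of alerting on port 443 alone.
    Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }
}

function Get-RecentRemoteLogons([int] $Hours = 24) {
    # Event 4624 logon type 10 = RDP (RemoteInteractive), type 3 = network (SMB and similar).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -in '3', '10') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Type   = $d.LogonType
                Source = $d.IpAddress
            }
        }
    }
}

$suspects = @(Get-SuspiciousTaskBinaries)
$suspects | Format-Table -AutoSize
if ($suspects) {
    $paths = $suspects.Binary
    Get-OutboundHttpsByProcess | Where-Object { $_.Path -and $paths -contains $_.Path } | Format-Table -AutoSize
}
Get-RecentRemoteLogons | Group-Object User, Source | Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Run it elevated so the Security log and other users' task definitions are readable. The logon summary is most useful when compared against a baseline: a workstation account appearing as a type 10 source on several servers in one day is the pattern that stolen-credential RDP movement produces, and it does not depend on the malware's binary at all.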
Atlassian and Cisco Patch High-Severity Vulnerabilities
Both Atlassian and Cisco have released patches for multiple high-severity vulnerabilities. Atlassian's updates cover long-standing flaws in Bamboo, Confluence and Jira, including denial of service (DoS) bugs and XML external entity (XXE) issues. Cisco's patches address defects in the Webex App, Secure Network Analytics and Nexus Dashboard; one Webex vulnerability allows remote code execution via a crafted meeting invite link. Neither company has reported active exploitation, but users are strongly encouraged to apply the updates promptly.
Notable Breaches and Incidents
Oklahoma Cybersecurity CEO Charged with Hacking a Local Hospital
Jeffrey Bowie, CEO of a cybersecurity firm based in Edmond, Oklahoma, has been charged with infiltrating St. Anthony Hospital. Authorities allege that Bowie installed malware designed to capture a screenshot every 20 minutes and transmit it to an external address. Surveillance footage from August 6 of the previous year shows Bowie entering restricted areas and attempting to access a staff-only computer; when confronted, he claimed a family member was undergoing surgery. Alias Cybersecurity, Bowie's former employer, said it had terminated him years earlier over ethical concerns, and Alias CEO Donovan Farrow called his actions a "stain on the cybersecurity field." The hospital confirmed that no patient data was compromised; a forensic investigation found the malware's attempts to reach its external endpoint had failed, and those attempts led investigators to Bowie. Unauthorized access is a crime regardless of the intruder's professional credentials: legitimate security testing requires documented authorization and scope, and nothing here resembled that.
Ameriprise Financial Insider Data Breach
Ameriprise Financial, a Fortune 500 company with $17 billion in revenue last year, has notified over 4,600 customers that their personal data was improperly shared by a former advisor who transitioned to LPL Financial between 2018 and 2020. The breach, discovered in January, involved the ex-employee sharing customer information beyond permitted limits during the transition, including names, addresses, emails, and phone numbers. While Ameriprise has not disclosed whether more sensitive data was exposed, it is offering free credit monitoring to affected customers. The company has implemented new measures to prevent similar incidents, underscoring the potential risks posed by internal lapses even in the absence of external hacking attempts.
Researchers Unmask IP Addresses Behind Medusa Ransomware Group
Security researchers at Covsec have identified the real IP address of a server belonging to the Medusa ransomware group, an operation whose infrastructure had previously been reachable only as a Tor hidden service. A severe server-side request forgery (SSRF) flaw in the blog platform Medusa uses to publish stolen data let the researchers make the server fetch a URL they controlled; because that request left the machine over the public internet rather than through Tor, it disclosed the server's real public IP. The server, hosted by Selectel in Russia, runs Ubuntu and exposes insecure services, including OpenSSH with password authentication enabled. The episode describes the operation as active since 2019 and refers to it as Medusa Locker; note that Medusa and MedusaLocker are distinct ransomware operations that are often conflated, so the attribution is worth checking against the original research. Both target sectors such as healthcare, education and manufacturing and use double extortion. The finding shows how an ordinary web application bug undoes Tor's anonymity for an otherwise hidden service, and gives defenders unusual visibility into the group's infrastructure.
CISA Issues Warning Following Oracle Data Breach
Federal cybersecurity authorities have issued a warning after a breach at Oracle in which attackers obtained credentials from legacy systems. Oracle privately informed customers in January, but the breach became public when a hacker began selling data taken from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Cybersecurity firms have verified that roughly six million records were compromised, affecting more than 140,000 tenants; the data includes hashed and encrypted passwords, keys and other sensitive material. The hacker reportedly sought help cracking the password material and attempted to extort Oracle customers. CISA has advised organizations to reset affected passwords, review source code, automation scripts and configuration for hard-coded credentials, monitor authentication logs for unusual activity, enforce phishing-resistant multi-factor authentication, and report suspicious activity. Oracle has not publicly commented on the advisory.
Industry Insights: Layered Approach to Zero Trust
In the Industry Voices segment, Dave Bittner interviews Rob Allen, Chief Product Officer at ThreatLocker, to discuss the importance of a layered approach to zero trust in modern cybersecurity strategies.
Rob Allen on Layered Zero Trust Security
[12:53] Rob Allen: "It's more about a layered approach to security in general than specifically the zero trust. And by layered approach, broadly speaking, what we mean is using different strategies or different approaches simultaneously."
Rob Allen emphasizes that while many organizations implement similar security layers—such as antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR)—these often rely heavily on detection mechanisms. However, because attackers constantly evolve, relying solely on detection is insufficient. Instead, Allen advocates for incorporating control layers that proactively manage what can and cannot run within an organization’s environment.
[14:19] Rob Allen: "That's probably the biggest misconception is to think that you can go out and buy yourself some zero trust. Because realistically, zero trust is not a single product. It is a way of looking at things. It is an approach, it's a strategy."
Allen debunks common misconceptions about zero trust, clarifying that it is not a product but a comprehensive strategy aimed at continuously verifying and limiting access based on the principle of "assume breach." This mindset ensures that even if an attacker gains entry, their ability to navigate and exploit the network is severely restricted.
[15:07] Rob Allen: "Probably the biggest misconception is to think that you can go out and buy yourself some zero trust. [...] Another misconception is it's going to be difficult, it's going to be hard, it's going to get in the way, it's going to affect our business. It doesn't need to."
He reassures organizations that implementing zero trust does not have to hinder business operations. On the contrary, a properly executed zero trust framework can enhance security without disrupting workflows.
[16:13] Rob Allen: "Well, there's a few different aspects to this. [...] organizations can use common applications maliciously, what's called living off the land."
Allen further explains the necessity of zero trust in combating sophisticated threat actors who exploit legitimate applications for malicious purposes. By controlling and limiting application permissions, organizations can prevent abuse even if attackers gain initial access.
[17:41] Rob Allen: "Well, obviously it very much reduces it. [...] zero trust is very much something that they will take into consideration. It may be the difference between a company getting cyber insurance and not getting cyber insurance."
He highlights the role of zero trust in risk management and cyber insurance. Implementing zero trust can significantly reduce organizational risk, making it easier to obtain cyber insurance and potentially lowering premiums.
[19:29] Rob Allen: "Yeah, absolutely, absolutely. Realistically, anything you can do to risk, to limit your exposure, anything you can do to reduce your risk is a good thing."
Allen underscores the importance of proactive measures in cybersecurity, noting that reducing exposure and risk is universally beneficial.
[21:37] Rob Allen: "Absolutely. [...] you will always be able to do more and you should always strive to do more."
Discussing the balance between compliance and comprehensive security, Allen advises organizations to go beyond mere checkbox compliance. Implementing zero trust is an ongoing journey that requires continuous improvement and adaptation.
[22:52] Rob Allen: "Well, look, things like token theft are a constant, constant concern. [...] securing cloud infrastructure easier and attainable for organizations."
Addressing challenges in cloud environments, Allen mentions ThreatLocker's new "Cloud Control" product, which integrates with Microsoft Entra (formerly Azure AD) Conditional Access to manage access to cloud resources dynamically and to counter token theft and business email compromise.
[24:05] Rob Allen: "Well, I mean, I suppose the first recommendation that suggests is to start somewhere. [...] you can start making decisions about are these things needed or not."
For organizations seeking to implement zero trust without feeling overwhelmed, Allen recommends starting with a comprehensive audit of existing software and remote access tools. By identifying and eliminating unnecessary applications, organizations can reduce potential entry points for attackers.
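A first-pass inventory of installed software and remote access paths on a Windows endpoint, as an added example to illustrate the audit step above; it is not ThreatLocker's tooling or code from the episode. The list of remote-access tool name fragments is an illustrative starting point chosen here, not an exhaustive or vendor-supplied list, and should be adjusted to the environment.

```powershell
<#
  Added example: enumerate installed software (machine- and user-scoped), flag
  remote-control tools, and report the state of built-in remote access paths,
  so that each item can be judged needed or not. The name patterns are an
  assumption for illustration, not a complete list.
#>
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs need no admin rights
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation,
                      @{ n = 'Scope'; e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } } |
        Sort-Object DisplayName -Unique
}

function Find-RemoteAccessTools {
    param([object[]] $Software = (Get-InstalledSoftware))
    # Illustrative fragments of common remote-control product names (assumption; extend for your environment).
    $patterns = 'AnyDesk', 'TeamViewer', 'Splashtop', 'ConnectWise', 'ScreenConnect', 'LogMeIn',
                'RustDesk', 'VNC', 'GoToMyPC', 'Atera', 'Ammyy'
    $fromInstalls = $Software | Where-Object { $n = $_.DisplayName; $patterns | Where-Object { $n -like "*$_*" } } |
                    Select-Object DisplayName, Scope
    # Portable builds leave no uninstall entry, so also look at services and running processes.
    $fromServices = Get-Service | Where-Object { $s = $_.DisplayName; $patterns | Where-Object { $s -like "*$_*" } } |
                    Select-Object @{ n = 'DisplayName'; e = { $_.DisplayName } }, @{ n = 'Scope'; e = { "Service ($($_.Status))" } }
    $fromProcs    = Get-Process | Where-Object { $p = $_.ProcessName; $patterns | Where-Object { $p -like "*$_*" } } |
                    Select-Object @{ n = 'DisplayName'; e = { $_.ProcessName } }, @{ n = 'Scope'; e = { "Process (PID $($_.Id))" } }
    @($fromInstalls) + @($fromServices) + @($fromProcs)
}

function Get-BuiltInRemoteAccessState {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    [pscustomobject]@{
        RdpEnabled            = ($ts.fDenyTSConnections -eq 0)
        RdpNlaRequired        = ($nla.UserAuthentication -eq 1)
        WinRmRunning          = [bool](Get-Service WinRM -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running')
        RemoteRegistryRunning = [bool](Get-Service RemoteRegistry -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running')
    }
}

$all = Get-InstalledSoftware
"{0} installed packages ({1} per-user)" -f $all.Count, @($all | Where-Object Scope -eq 'User').Count
Find-RemoteAccessTools -Software $all | Format-Table DisplayName, Scope -AutoSize
Get-BuiltInRemoteAccessState
$all | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Collect the CSV from each endpoint and diff the set against what the business can justify; the per-user entries and the service/process hits with no matching install entry are usually where the unexpected remote-access tools turn up. An allowlisting control is only as good as this list, since anything left in it is implicitly approved.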
Leadership Changes
Chris Krebs Steps Down from SentinelOne
Chris Krebs, a respected figure in cybersecurity and former director of CISA, has resigned from his position as SentinelOne's Chief Intelligence and Public Policy Officer. This decision follows the revocation of his security clearance and a presidential directive to review CISA's conduct during his tenure. In a personal statement, Krebs clarified that the resignation is his own decision, emphasizing his commitment to defending democracy, free speech, and the rule of law. Recognized for his integrity, Krebs led CISA from its inception in 2018 until his dismissal in 2020, which occurred after he publicly affirmed the security of the 2020 U.S. election. Post-government, Krebs co-founded the Krebs Stamos Group, later acquired by SentinelOne. As he departs from SentinelOne, the company commends his ongoing dedication to truth and integrity.
Conclusion
The April 17, 2025, episode of CyberWire Daily provides a comprehensive overview of critical cybersecurity updates, significant breaches, and expert strategies for enhancing organizational security. From emergency patches by industry giants like Microsoft and Apple to groundbreaking research uncovering sophisticated malware operations, the episode underscores the dynamic and ever-evolving nature of cybersecurity threats. Additionally, insights from Rob Allen highlight the essential role of a layered zero trust approach in mitigating risks and fortifying defenses. Leadership shifts, such as Chris Krebs's departure from SentinelOne, reflect the broader challenges and commitments within the cybersecurity community to uphold integrity and secure digital infrastructure.
For more detailed insights and updates, listeners are encouraged to subscribe to the CyberWire Daily podcast and stay informed on the latest developments in the cybersecurity landscape.