CyberWire Daily: "No Rest for the Patched" – February 20, 2025
Introduction
In the February 20, 2025 episode of CyberWire Daily titled "No Rest for the Patched," host Dave Bittner delivers a comprehensive overview of the latest developments in the cybersecurity landscape. The episode delves into significant threats like the Ghost ransomware, notable industry and governmental shifts, critical software vulnerabilities, and insightful discussions with Stephen Hilt, Senior Threat Researcher at Trend Micro. This summary encapsulates the key points, discussions, insights, and conclusions presented throughout the episode.
Key Cybersecurity News
Ghost Ransomware Breaches Over 70 Countries
Timestamp: [00:02]
CISA and the FBI have issued warnings about the Ghost ransomware, which has compromised organizations across more than 70 countries. This sophisticated ransomware targets sectors critical to infrastructure, including healthcare, government, education, technology, and manufacturing.
Key Details:
- Active Since 2021: Ghost exploits known, long-patched vulnerabilities in products such as Fortinet appliances, ColdFusion, and Exchange.
- Adaptive Tactics: The ransomware operators frequently modify their malware, ransom notes, and email contacts, complicating attribution efforts.
- Access Methods: Utilizes publicly available exploits to infiltrate systems.
- Defense Strategies: Emphasize regular backups, prompt patching, network segmentation, and phishing-resistant multi-factor authentication (MFA).
Notable Quote:
"Ghost ransomware operators frequently change their malware, ransom notes, and email contacts, making attribution difficult." – Dave Bittner [00:02]
Nomination of John Eisenberg to DOJ's National Security Division
Timestamp: [02:01]
Former Trump White House legal adviser John Eisenberg is slated to lead the Department of Justice's National Security Division. Eisenberg's role is pivotal in overseeing efforts against terrorism, cyber espionage, and foreign surveillance under FISA.
Key Points:
- Impeachment Role: Eisenberg was instrumental during Trump's first impeachment, managing the controversial Ukraine phone call.
- Cybersecurity Oversight: His leadership is expected to steer cybercrime investigations and address foreign cyber threats effectively.
- Policy Implications: His appointment signals potential shifts in cyber policy, with possible favoritism towards loyalists in national security roles.
- FISA Scrutiny: Eisenberg will likely navigate debates surrounding the renewal of FISA's Section 702, a crucial tool for foreign surveillance.
Appointment of Katie Arrington as DoD's Chief Information Security Officer
Timestamp: [08:16]
Katie Arrington, a Trump ally and former Department of Defense (DoD) cybersecurity official, has been named the new Chief Information Security Officer (CISO) at the Pentagon. Her return comes amid unusual circumstances, including a prior suspension and significant budget cuts.
Key Insights:
- Past Controversies: Arrington faced suspension in 2021 over disputed allegations of disclosing classified information.
- Budget Constraints: Current budget cuts threaten the advancement of cybersecurity initiatives like the Cybersecurity Maturity Model Certification (CMMC).
- Zero Trust Implementation: Her role is crucial in promoting Zero Trust security frameworks and enhancing cyber hygiene practices within the DoD.
Expert Opinion:
"Her role is critical in advancing Zero Trust security and ensuring stronger cyber hygiene practices, but funding and personnel shortages could limit progress." – Dave Bittner [08:16]
Emergence of NailaoLocker Ransomware Strain
Timestamp: [08:16]
A new ransomware variant, NailaoLocker, has emerged, specifically targeting European healthcare organizations. Active between June and October of the previous year, it gained entry by exploiting a Check Point security gateway vulnerability.
Key Characteristics:
- Encryption Method: Uses AES-256-CTR for file encryption.
- Ransom Notes: Notably omits mentions of data theft, raising suspicions of potential false flags or state-sponsored activities.
- Attribution Speculations: Analysts weigh possibilities ranging from an espionage operation blended with cybercrime to state-backed hackers seeking profit on the side.
Critical Vulnerabilities in Ivanti Endpoint Manager
Timestamp: [12:49]
Horizon3.ai discovered four critical vulnerabilities in Ivanti Endpoint Manager (EPM). Initially patched in January, these path traversal flaws allow an unauthenticated attacker to capture the EPM server's machine account credentials and use them in relay attacks, potentially leading to full server compromise.
Recommendations:
- Patch Installation: Organizations must apply the latest patches to mitigate these risks.
- Operational Impact: Attackers could gain domain admin privileges, compromising all connected EPM clients.
Microsoft Patches Power Pages Vulnerability
Timestamp: [12:49]
Microsoft has addressed a critical improper access control vulnerability in Power Pages, its low-code platform for business websites. This flaw, already exploited in attacks, enabled attackers to elevate privileges and bypass user registration controls.
Mitigation Measures:
- Automatic Mitigation: Microsoft mitigated the issue on the service side, so customers do not need to install a patch.
- Advisory Actions: Affected customers are advised to review their sites for signs of compromise.
- Recent Research: This patch follows studies revealing misconfigured Power Pages that exposed sensitive data.
NSA Updates Ghidra Reverse Engineering Tool
Timestamp: [12:49]
The NSA has released Ghidra 11.3, a significant update to its open-source software reverse engineering framework. Enhancements include advanced debugging features, faster emulation, and improved integrations tailored for cybersecurity professionals.
Key Enhancements:
- Kernel-Level Analysis Tools: Facilitates the analysis of sophisticated threats manipulating the kernel.
- Cross-Platform Debugging: Supports macOS via LLDB and improves Windows kernel analysis using Microsoft's EXDI framework.
- Collaborative Workflows: Enhances team-based malware and vulnerability analysis.
- Performance Upgrades: Replaces Eclipse-based tooling with Visual Studio Code integration and accelerates p-code emulation through JIT compilation.
US Army Soldier Admits to Leaking Private Call Records
Timestamp: [12:49]
Cameron John Wagenius, a former U.S. Army soldier, has confessed to leaking private call records from AT&T and Verizon. He plans to plead guilty to two counts of unlawfully transferring confidential phone records, without a plea deal, and is suspected of operating under the alias Kiberphant0m.
Criminal Activities:
- Data Compromise: Allegedly breached at least 15 telecom firms, threatening to release U.S. government call logs.
- Extortion Scheme: Collaborated with Alexander Connor Moucka and John Binns to extort $2 million from companies like AT&T and Ticketmaster.
- Legal Consequences: Faces up to 20 years in prison, while co-conspirators await extradition on multiple fraud and hacking charges.
Interview with Stephen Hilt from Trend Micro
Timestamp: [12:49 - 24:04]
In an in-depth conversation, Stephen Hilt, Senior Threat Researcher at Trend Micro, explores the evolving dynamics of the English-language cyber underground market and recent trends in penetration testing.
Market Evolution and Trends:
- Shift in Marketplace Goods: Since 2015, there has been a decline in the sale of drugs and weapons on English-speaking forums. Instead, "access as a service" now dominates, accounting for over 50% of observed threads.
- Stable Crimeware: Demand for malware and counter-anti-virus (AV) solutions remains steady.
- Influence of Law Enforcement: Increased actions against forums selling illicit goods have pushed criminals towards more resilient and multilingual platforms, often blending English with other languages to create interconnected ecosystems.
Notable Insight:
"Cybercriminals are using AI technologies to help create phishing content and to help bypass security measures..." – Stephen Hilt [15:35]
Technological Advancements:
- AI Utilization: Cybercriminals are integrating AI to enhance phishing efforts and evade detection. While media hype may exaggerate the role of AI, its application in crafting sophisticated phishing attacks is evident.
- Communication Platforms: Platforms like Telegram have become pivotal for underground communications, offering more secure and harder-to-take-down channels compared to traditional forums.
Globalization of Cybercrime:
- International Operations: Cybercriminal groups are increasingly global, seeking English-speaking individuals in jurisdictions with lenient cybercrime regulations.
- Impact on Law Enforcement: The international nature of these groups complicates enforcement, necessitating a more standardized global approach to combat cyber threats effectively.
Predominant Goods and Services:
- Access as a Service: The primary offering, enabling criminals to gain unauthorized access to systems.
- Ransomware and Cryptocurrency Services: Including money laundering and converting illicit cryptocurrency gains into legitimate currency.
Takeaways:
- Evolving Market: Cybercrime has transformed from scattered individual actors to organized, corporate-like entities with structured operations.
- Need for Global Cooperation: Addressing cybercrime's international scope requires unified regulations and collaborative enforcement efforts.
Concluding Quote:
"Cybercrime is changing, especially with technology changing... from some people on the Internet to very large cyber criminal organizations best compared to being a corporation." – Stephen Hilt [24:04]
Concluding Remarks
The episode "No Rest for the Patched" underscores the relentless evolution of cyber threats and the adaptive strategies of both attackers and defenders. From the pervasive Ghost ransomware to the intricate dynamics of the cyber underground, the discussions highlight the necessity for continuous vigilance, robust security measures, and international collaboration in combating cybercrime. Insights from experts like Stephen Hilt provide a deeper understanding of the shifting landscape, emphasizing that cyber threats remain a persistent and growing challenge for organizations worldwide.
Notable Quotes:
- Dave Bittner on Ghost Ransomware: "Ghost ransomware has breached organizations in over 70 countries targeting critical infrastructure..." [01:57]
- Stephen Hilt on Cybercrime Evolution: "Cybercrime has been more, you know, you have these different factions of it and it's grown from... to very large cyber criminal organizations that are best compared to being a corporation." [24:04]
For more detailed insights and the full transcript, listeners are encouraged to visit the CyberWire Daily show notes.
Credits
- Host: Dave Bittner
- Guest: Stephen Hilt, Senior Threat Researcher at Trend Micro
- Producers: Alice Carruth (Senior Producer), Liz Stokes (Cyberwire Producer)
- Executive Producer: Jennifer Eiben
- Publisher: Peter Kilpe
- Mixed By: Trey Hester
- Music and Sound Design: Elliot Peltzman
This summary was crafted to provide a comprehensive overview of the CyberWire Daily episode "No Rest for the Patched." For more information and updates, subscribe to the CyberWire Daily podcast.
