Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com. A sweeping malware campaign by North Korea's Lazarus Group targets open source ecosystems. President Trump announces a new electronic health record system. A new report reveals deep ties between Chinese state-sponsored hackers and Chinese tech companies. Researchers describe a new prompt injection threat targeting LLMs via browser extensions. Palo Alto Networks' Unit 42 proposes a new attribution framework. Honeywell patches six vulnerabilities in its Experion Process Knowledge System. Researchers track the rapid evolution of a sophisticated Android banking Trojan. Scattered Spider goes quiet following recent arrests. Our guests are Jermaine Roebuck and Ann Galschute from CISA discussing open source eviction strategy tools for cyber incident response. And a Polish train maker sues hackers for fixing trains. It's Thursday, July 31st, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us. Sonatype has uncovered a sweeping malware campaign by North Korea's Lazarus Group targeting open source systems like npm and PyPI. From January through July of this year, Sonatype blocked 234 malicious packages disguised as developer tools. These were actually espionage tools designed to steal data, profile systems and install persistent backdoors. Over 36,000 systems may be affected.
Lazarus, known for high-profile hacks like Sony Pictures and WannaCry, is shifting from disruption to infiltration, using tailored malware and exploiting weaknesses in open source practices. Developers often install packages without vetting them, making CI/CD pipelines and developer environments prime targets. The campaign is a wake-up call. Open source is now a key cyber battleground. Securing the software supply chain is no longer optional, it's essential. President Trump announced a new electronic health records system aimed at simplifying how Americans share medical data with providers. Backed by tech giants like Google, Apple, Amazon and OpenAI, the system is opt-in and overseen by the Centers for Medicare and Medicaid Services. It includes AI tools to help users manage symptoms and navigate care, particularly for conditions like diabetes and obesity. Trump emphasized privacy, saying there would be no centralized government database. However, experts raised concerns about data protection and the lack of clarity around privacy standards, especially with third-party apps not covered by HIPAA. Critics also noted that much of the proposed system already exists and that similar past efforts have struggled. The initiative aims to cut paperwork and enhance health data access, but major regulatory hurdles remain. A new report from SentinelLabs reveals deep ties between Chinese state-sponsored hackers and Chinese tech companies developing offensive cyber tools. The group Silk Typhoon, also known as Hafnium, linked to attacks on US government entities and global IT infrastructure, is connected to firms like i-Soon, Shanghai Firetech and others. These companies allegedly work with China's Ministry of State Security and regional bureaus like the Shanghai State Security Bureau. The report suggests these firms may have helped exploit Microsoft Exchange zero-days in 2021.
SentinelLabs highlights that these companies hold patents for tools aiding espionage, forensics and even human operations. The scale of the collaboration blurs the line between private sector and state cyber ops, complicating attribution and showing China's expanding cyber capabilities through quasi-corporate fronts. Researchers at LayerX have discovered a new prompt injection threat targeting LLMs via browser extensions, tools used by 99% of enterprise users. These extensions can silently read, modify and inject prompts into AI tools like ChatGPT, Gemini and internal LLMs without needing special permissions. Once compromised, an extension can exfiltrate data, delete its activity and avoid detection. The exploit, dubbed "man in the prompt," stems from how AI prompts are handled in the browser's document object model. Internal LLMs are particularly vulnerable due to their access to sensitive corporate data. Traditional security tools can't detect these interactions, making it a serious blind spot. Proof-of-concept attacks on ChatGPT and Gemini show that even minimal extensions can leak IP, financial data and PII. To mitigate, enterprises should shift to behavior-based browser monitoring and restrict risky extensions in real time. Palo Alto Networks' Unit 42 has proposed a new attribution framework, a structured method for attributing cyber threat activity. Working from the notion that traditional attribution relied too heavily on individual analysts and lacked consistency, this new framework, inspired by the Diamond Model and Admiralty System, applies systematic scoring for source reliability and information credibility. Analysts track threats through three tiers: activity clusters, temporary threat groups and named threat actors. Clusters are formed by linking related incidents even without knowing the actor's identity. With enough consistent data over time, these clusters may evolve into temporary groups or fully attributed threat actors.
The framework evaluates data across tactics, tooling, infrastructure, targeting and timelines, ensuring accuracy and transparency. It emphasizes ongoing reassessment, evidence-based confidence scoring and rigorous review processes. By formalizing attribution, Unit 42 aims to reduce confusion in threat naming and elevate the professionalism and effectiveness of threat intelligence across the industry. Honeywell has patched six vulnerabilities in its Experion Process Knowledge System, used in critical infrastructure sectors globally. CISA flagged these issues, including critical flaws enabling remote code execution via the controlled data access component and high-severity vulnerabilities allowing denial-of-service attacks. One medium-severity bug could disrupt communication and system behavior. Russian firm Positive Technologies reported the flaws, which affect isolated industrial systems. Honeywell urges users to apply updates, while researchers recommend robust vulnerability management for protection. Zimperium's zLabs has tracked the rapid evolution of a sophisticated Android banking trojan initially spread via phishing sites mimicking European banks. The malware now hides in bogus websites shared on Discord. Its capabilities have grown from basic overlays and keylogging to advanced features like screen capture, fake lock screens and real-time data exfiltration. The malware abuses Android's accessibility services, disguises itself with trusted icons and employs session-based installation to bypass user suspicion. It logs keystrokes, monitors app usage, blocks specific apps with fake system messages and overlays fake login screens to steal sensitive data. Screen content is captured using media projection APIs, encoded and silently transmitted to a command and control server. Researchers have identified multiple samples and emphasize that this malware can compromise passwords, one-time passwords, crypto wallets and other critical information.
The campaign highlights growing threats in mobile malware and the importance of app permission scrutiny and robust mobile threat defenses. Scattered Spider, the cybercriminal group linked to The Com, has gone quiet following the July 10 arrest of four UK-based suspects tied to cyberattacks on British retailers. Though these individuals aren't the group's only members, their arrests appear to have spooked others, halting new activity from the group, according to Mandiant. While suspected attacks on airlines like Hawaiian and WestJet followed, no direct link to Scattered Spider has been confirmed. Experts warn the group is likely just lying low. Meanwhile, other Com-affiliated actors such as ShinyHunters continue using similar social engineering tactics. ShinyHunters has been linked to recent data breaches at Qantas Airlines and Allianz Life, where attackers exploited CRM systems and impersonated IT staff to steal data. The threat from such groups persists even if one goes dormant. Coming up after the break, Jermaine Roebuck and Ann Galschute from CISA discuss open source eviction strategy tools for cyber incident response, and a Polish train maker sues hackers for fixing trains. Stay with us. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC: just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber. Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Today we're joined by Jermaine Roebuck, Associate Director for Threat Hunting at CISA, and Ann Galschute, Technical Lead at CISA. They're discussing CISA's recent release of an open source eviction strategy tool for cyber incident response.
Jermaine Roebuck
We'll start off with a bit of background and sort of how this came to be. So this particular tool was really designed to address a gap that we've seen throughout the incident response lifecycle. So many, many years ago, when we first formed the Incident Response Team, we went through a lot of different incident response efforts with departments and agencies. And what we learned was not enough attention and focus was put on, you know, what do you do after the adversary has impacted your environment, and what's the right way to do that? And what we found was organizations would either reset credentials or just take a, you know, take a system offline, reformat it and put it back. And quite honestly, that's not enough, especially with some of the threats that we're facing. There's a really defined way to do this, and we wanted to make it easier for folks to be able to effectively eradicate an adversary from an environment, because we've seen many organizations be revictimized.
Dave Bittner
Ann, what are some of the specific challenges that incident responders are facing these days when it comes to evicting adversaries?
Ann Galschute
I don't think that they quite understand the extent of what it takes to evict an adversary. As Jermaine just said, sometimes they just evict what they know about, that immediate resetting of credentials and everything. But understanding how the attacker works, what they could have done in the environment beyond where you detected them, because some of them are very clever, they'll cover their tracks and everything, and kind of understanding what they've done in the past and scoping that intrusion entirely, so that when you do go in to do your remediation, you're catching everything and not leaving behind enough for them to kind of hide and just come back when you're done with it. Understanding the full spread of what's possible in that environment, and then taking care of all of it, has been really important for them to do.
Dave Bittner
Well, let's walk through step by step here. I mean, how would a defender use this tool to build an effective eviction strategy?
Jermaine Roebuck
We used to do this the hard way, and the hard way really was trying to corral all the different stakeholders that need to be involved with the remediation. That includes the system admins, the network engineers, the security operations center leadership, et cetera. And then you'd sit down in a room and devise this plan. So Ann, once she came on board, after I had developed basically a remediation team, which is AES today, she had this really great idea around how do we automate, or how do we make that simpler? WebMD style, essentially, for cyber, to make it easy for defenders to basically output a list of steps in the right order in order to deal with these threats. Ann can definitely go in depth there.
Ann Galschute
Yeah, the idea that I had was that you could reduce the technical steps that you would do to evict an adversary into these atomic tasks. Think change passwords, reimage machine, these specific things, and then take what you found during your investigation and match it to those countermeasures. And then you would get basically a customized plan to do it. What I'd seen in my incident response career was it wasn't so hard to really figure out what to do. It was kind of organizing all the pieces and parts, all those departments in the organization that do different things, and then conveying what they needed to do in an orderly fashion, in the right order, to get the job done.
Dave Bittner
This tool uses something called COUN7ER. And because it's cyber, that's "counter" with the number seven instead of a T. And it integrates with MITRE ATT&CK and D3FEND. Can you explain to us what COUN7ER is?
Ann Galschute
Yeah, COUN7ER is a database that CISA developed along with MITRE. Basically, it's the collection of those atomic countermeasures. We took a lot of data about what were the top things that attackers did, the MITRE ATT&CK framework, what were the top TTPs, their tactics, techniques and procedures. And then we figured out what would we do in response to that, what would stop that, what would counter that action. And the aim is unique in that we're not looking at detections, we're looking at how to stop them. The prevention has failed, the attacker is in the network already. How do we stop them? And so it was kind of a unique look versus traditional detection-based cybersecurity, in that we were looking at how do you stop them in the network. We matched MITRE ATT&CK techniques, which is fairly industry standard, with COUN7ER things that you would do. And then the adversary eviction tool matches that together. People will be able to go to the tool, put in those TTPs that they found or the artifacts from their investigation, and then the tool will match them to the countermeasures and show them on the screen for ease of use.
Dave Bittner
Who is this tool aimed at? What kind of organizations do you think are going to most benefit from this?
Jermaine Roebuck
So I would say that this tool is really aimed at any organization that's been victimized by a cyber attack. So we're encouraging small organizations, mid-size, large organizations; just about anybody can pick this tool up and use it. So if you think about intrusions that have involved identity compromise, and folks are running either Active Directory or whatever identity structure that they're using, they could essentially pick up this playbook, implement or hit a couple of checkboxes saying, hey, this is what I see in my environment from the adversary. And this will spit out a list of steps that they can take to deal with it. So it's aimed at everyone.
Ann Galschute
Yeah, and this is also one of the things, the big use cases that I'm hoping people will pick up is its use in creating scenarios for tabletop. People should not wait until the emergency to begin doing this because eviction can be very resource intensive. Sometimes it takes some organizations weeks or months to do a complete password reset. What they can do is go to the website, just throw in, you know, pick a template or something off the website, and then sit down and look and see, like, how long would it take us to do this? And if the answer is months, well, maybe that's something that they might want to look at fixing before they need to do it during an emergency.
Dave Bittner
You all are releasing this as an open source project. Well, why was it important to do it that way?
Ann Galschute
Playbook NG is the pet name for the adversary eviction tool. I wanted to see what people could do with a tool that would match against a commonly used framework like MITRE ATT&CK, because it does allow you to change, and if someone wanted to develop their own detections database to do that. I also wanted it open source so that organizations that have closed environments, like some IR teams do, have an analysis environment that's cut off from the Internet, or if you have a classified environment, you have the code in front of you that you can examine to get it into those environments. On the other side, COUN7ER being an open source product, I wanted people to feel comfortable taking the guidance and using it in their own guidance. They could just copy and paste. They can use it as a reference and then not have to worry about copyright or closed doors or anything like that. The guidance is out there for everyone to use.
Dave Bittner
Jermaine, when we look at this tool from the high level here, I mean, how does this fit into CISA's capabilities and CISA's mission to support the security of our nation?
Jermaine Roebuck
So at a high level, I think this is one of the pieces that we're missing most for the cybersecurity community. We talk a lot about: these are the TTPs that we're seeing, here are the detections, this is how you find the threat actor. We don't talk enough about the steps that need to be taken afterwards, the right order of those steps, the fact that you have to get so many different groups within your organizations involved in the response efforts. And we really want to highlight that. That's also why we open-sourced this as well, because we feel very strongly that the community should pay special focus and attention on the containment and eradication side of the response effort. And we really want them to pick up this tool and adopt it, implement it, that way they're not re-victimized. But you know, so far today we have tested it across a number of different federal departments and agencies. So we're planning on adopting it ourselves, and we're hopeful that the rest of the community will adopt it as well. Final words, I would say that with this capability, I really view this as sort of gen 1. I'm really looking forward to the community providing feedback, input, adopting it themselves, improving upon it, and I'm looking forward to what this could eventually become. We know that within the federal government that remediation and eradication is important, which is why we stood up a team to do just that. And I'm looking forward to, across critical infrastructure, other organizations kind of viewing it the same way we do.
Dave Bittner
Ann, I have to imagine this is gratifying to see this idea that you had be implemented and put out into the real world.
Ann Galschute
Yeah, it's been something since 2016 that I've wanted to do and this is just kind of my gift for those people who have important IT and cybersecurity tasks but maybe didn't get the training or they're not real deep cyber professionals that they can easily get the guidance they need to actually take action. I'm all for actionable guidance versus just pointing at oh the bad guys are there. Being able to do something about it is really important.
Dave Bittner
Our thanks to Jermaine Roebuck and Ann Galschute from CISA for joining us. We'll have a link to the open source eviction strategies tool for cyber incident response in our show notes. Did you know Active Directory is targeted in 9 out of 10 cyberattacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com, Purple Knight. That's semperis.com, Purple Knight. And finally, remember when hackers fixed Polish trains in 2023 by removing anti-repair booby traps? Well, the manufacturer Newag is back, and now it's suing. After locking up three more trains last month and briefly refusing to unlock them, Newag filed lawsuits worth over $3 million against both the repair shop and ethical hackers from Dragon Sector. Their crime? Making trains work again. Here's the software that disables trains if they linger too long or visit a rival repair shop. One version even bricked a train near a totally innocent train station. When confronted, Newag claimed hackers planted the code, then claimed the same hackers didn't actually change anything, and then claimed both in court. This is all possibly to keep a tight and profitable grip on Poland's $40 million train repair market. As it stands, this legal circus might be less about safety and more about squashing the right to repair by rail.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please take a moment and check it out. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
Crogl is AI built for the enterprise SOC: fully private, schema-free and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
CyberWire Daily: "Open Source, Open Target" – July 31, 2025
In this episode of CyberWire Daily, host Dave Bittner delves into a series of pressing cybersecurity issues, ranging from sophisticated malware campaigns to innovative incident response tools. The highlight of the episode is an in-depth conversation with Jermaine Roebuck and Ann Galschute from the Cybersecurity and Infrastructure Security Agency (CISA) about their newly released open-source eviction strategy tool for cyber incident response.
Sonatype has uncovered a significant malware campaign orchestrated by North Korea's notorious Lazarus Group targeting open-source ecosystems such as npm and PyPI. From January to July 2025, Sonatype blocked 234 malicious packages masquerading as developer tools. These packages were actually espionage tools designed to steal data, profile systems, and install persistent backdoors, potentially affecting over 36,000 systems. Lazarus, known for high-profile attacks like Sony Pictures and WannaCry, is now shifting its focus from disruption to infiltration. Developers frequently install packages without thorough vetting, making CI/CD pipelines and developer environments prime targets. This campaign underscores that open source has become a critical cyber battleground, emphasizing the necessity of securing the software supply chain.
President Trump announced a new electronic health records (EHR) system aimed at simplifying data sharing among healthcare providers. Backed by tech giants like Google, Apple, Amazon, and OpenAI, the opt-in system is overseen by the Centers for Medicare and Medicaid Services. It features AI tools to assist users in managing symptoms and navigating care, particularly for chronic conditions such as diabetes and obesity. Trump assured the public, stating, “[There] will be no centralized government database” (02:02), yet experts express concerns regarding data protection and unclear privacy standards, especially for third-party apps not covered by HIPAA. Critics also note that similar past initiatives have struggled, highlighting significant regulatory hurdles that the new system must overcome.
A report from SentinelLabs reveals intricate connections between Chinese state-sponsored hackers and Chinese tech companies developing offensive cyber tools. The group Silk Typhoon, also known as Hafnium, implicated in attacks on U.S. government entities and global IT infrastructures, is linked to firms such as i-Soon, Shanghai Firetech, and others. These companies allegedly collaborate with China's Ministry of State Security and regional bureaus like the Shanghai State Security Bureau. Notably, the report suggests that these firms may have contributed to exploiting Microsoft Exchange zero-days in 2021. This collaboration blurs the lines between the private sector and state cyber operations, complicating attribution and showcasing China's expanded cyber capabilities through quasi-corporate fronts.
LayerX researchers have identified a novel prompt injection threat targeting Large Language Models (LLMs) via browser extensions used by 99% of enterprise users. These malicious extensions can silently read, modify, and inject prompts into AI tools like ChatGPT, Gemini, and internal LLMs without requiring special permissions. Dubbed "Man in the Prompt," this exploit leverages how AI prompts are handled in the browser's Document Object Model (DOM). Once compromised, an extension can exfiltrate data, delete its activity, and evade detection. Proof-of-concept attacks on ChatGPT and Gemini demonstrate the malware's ability to leak intellectual property, financial data, and personally identifiable information (PII). To combat this threat, experts recommend shifting to behavior-based browser monitoring and restricting risky extensions in real-time.
Palo Alto Networks' Unit 42 has proposed a new attribution framework aimed at standardizing the process of attributing cyber threat activities. Traditional attribution methods relied heavily on individual analysts and lacked consistency. Inspired by the Diamond Model and Admiralty System, the framework employs systematic scoring for source reliability and information credibility. Analysts categorize threats into three clusters: activity clusters, temporary threat groups, and named threat actors. By linking related incidents, even without knowing the actor's identity, these clusters can evolve into temporary groups or fully attributed threat actors over time. The framework emphasizes ongoing reassessment, evidence-based confidence scoring, and rigorous review processes, ultimately aiming to reduce confusion in threat naming and enhance the professionalism of threat intelligence across the industry.
Honeywell has addressed six vulnerabilities in its Experion Process Knowledge system, widely used in critical infrastructure sectors globally. These vulnerabilities, flagged by CISA, include remote code execution via the controlled data access component and denial of service (DoS) attacks. Additionally, a medium-severity bug could disrupt communication and system behavior. Reported by Russian firm Positive Technologies, these flaws affect isolated industrial systems. Honeywell advises users to apply the latest updates promptly and recommends robust vulnerability management practices to safeguard against potential exploits.
Zimperium's Z Labs has traced the rapid evolution of an advanced Android banking trojan initially disseminated through phishing sites. The malware, which impersonates European banks, now infiltrates devices via bogus websites shared on platforms like Discord. Its capabilities have expanded from basic overlays and keylogging to more sophisticated features such as screen capture, fake lock screens, and real-time data exfiltration. By abusing Android's accessibility services and employing session-based installation, the malware can bypass user suspicion. It effectively steals passwords, one-time passwords (OTPs), crypto wallets, and other critical information. This campaign highlights the increasing threats in mobile malware and underscores the need for stringent app permission scrutiny and robust mobile threat defenses.
The cybercriminal group Scattered Spider, associated with attacks on British retailers and airlines like Hawaiian and WestJet, has gone quiet following the July 10 arrest of four UK-based suspects. While these individuals are not the only members, their apprehension appears to have spooked the remaining members, leading to a temporary halt in the group's activities, according to Mandiant. Despite no direct link being confirmed to recent attacks, experts warn that similar groups, such as Shiny Hunters, continue to employ comparable social engineering tactics, ensuring that the threat persists even if specific groups go dormant.
Guests: Jermaine Roebuck, Associate Director for Threat Hunting at CISA
Ann Galschute, Technical Lead at CISA
In a detailed discussion, Roebuck and Galschute introduce CISA's open-source eviction strategy tool designed to enhance cyber incident response. The tool addresses a critical gap in the incident response lifecycle—eradicating adversaries from compromised environments effectively and thoroughly.
Background and Development
Roebuck explains, “[The tool] was really designed to address a gap that we've seen throughout the incident response lifecycle” (14:39). Historically, organizations have either reset credentials or taken systems offline, measures that are insufficient against sophisticated threats. The new tool aims to provide a structured approach to completely remove adversaries, preventing revictimization.
Challenges in Evicting Adversaries
Ann Galschute highlights the complexities incident responders face: “Understanding how the attacker works, what they could have done in the environment… to catch everything and not leaving enough for them to hide” (15:48). Effective eviction requires comprehensive knowledge of the adversary’s actions and ensuring no remnants remain that could allow re-entry.
How the Tool Works
The tool draws on a database called COUN7ER (spelled with a '7' in place of the 'T'), developed together with MITRE and tied to its ATT&CK framework. COUN7ER comprises atomic countermeasures derived from analyzing top attacker TTPs (Tactics, Techniques, and Procedures). As Galschute explains, “Counter is a database that CISA developed along with MITRE to basically [provide] those atomic countermeasures… How do we stop them in the network” (18:48). Users input the detected TTPs, and the tool generates a customized remediation plan with ordered steps to effectively evict the adversary.
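To make the TTP-to-countermeasure-to-ordered-plan flow concrete, here is an added example (not CISA's or MITRE's code, and not COUN7ER's real data): a constructed mini-catalogue of atomic countermeasures keyed to ATT&CK technique IDs, each with prerequisites, and a planner that selects the countermeasures for the detected TTPs, pulls in their prerequisites, and orders the steps so containment precedes eradication and verification. The countermeasure IDs, names, and technique mappings are illustrative placeholders.

```python
from collections import defaultdict, deque

# Constructed catalogue in the spirit of COUN7ER (placeholder data, not CISA's).
# Each entry is one atomic countermeasure: the ATT&CK technique IDs it counters
# and the countermeasures that must be completed before it.
COUNTERMEASURES = {
    "CM-01": {"name": "Isolate compromised hosts from the network",
              "counters": {"T1021"}, "after": []},
    "CM-02": {"name": "Disable compromised accounts and rotate credentials",
              "counters": {"T1078"}, "after": ["CM-01"]},
    "CM-03": {"name": "Remove persistence (scheduled tasks, services, run keys)",
              "counters": {"T1053", "T1547"}, "after": ["CM-01"]},
    "CM-04": {"name": "Rebuild or restore affected hosts from known-good media",
              "counters": {"T1053", "T1547", "T1021"}, "after": ["CM-03"]},
    "CM-05": {"name": "Re-enable monitoring and verify no re-entry",
              "counters": {"T1078", "T1021"}, "after": ["CM-02", "CM-04"]},
}


def build_plan(detected_ttps):
    """Return countermeasure IDs for the detected TTPs, prerequisites included,
    ordered so that every step's prerequisites appear before it."""
    wanted = set(detected_ttps)
    selected = {cid for cid, cm in COUNTERMEASURES.items() if cm["counters"] & wanted}
    # Pull in prerequisites transitively (e.g. isolation before credential reset).
    stack = list(selected)
    while stack:
        for dep in COUNTERMEASURES[stack.pop()]["after"]:
            if dep not in selected:
                selected.add(dep)
                stack.append(dep)
    # Kahn's algorithm over the prerequisite edges gives a dependency-respecting order.
    indegree = {cid: 0 for cid in selected}
    dependents = defaultdict(list)
    for cid in selected:
        for dep in COUNTERMEASURES[cid]["after"]:
            indegree[cid] += 1
            dependents[dep].append(cid)
    queue = deque(sorted(c for c in selected if indegree[c] == 0))
    plan = []
    while queue:
        cid = queue.popleft()
        plan.append(cid)
        for child in sorted(dependents[cid]):
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(plan) != len(selected):
        raise ValueError("cycle in countermeasure prerequisites")
    return plan
```

Feeding the planner a list of observed technique IDs yields the ordered step list; mapping each ID through `COUNTERMEASURES[...]["name"]` gives the human-readable plan.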
Target Audience and Application
Roebuck emphasizes that the tool is designed for any organization that has experienced a cyberattack, regardless of size. It facilitates collaboration across various departments—system admins, network engineers, and security operations—by providing a clear, actionable plan. Galschute adds, “People should not wait until the emergency to begin doing this… [they can] create scenarios for tabletop exercises” (21:02). This proactive approach ensures organizations are prepared for swift and efficient incident response.
Open Source Advantage
By releasing the tool as open source, CISA ensures broad accessibility and adaptability. Galschute states, “I wanted the guidance to be out there for everyone to use” (21:55), allowing organizations with closed or classified environments to implement the tool without concerns over proprietary restrictions. This openness fosters community collaboration, enabling continuous improvement and customization to meet diverse security needs.
CISA’s Mission Alignment
Roebuck ties the tool’s significance to CISA’s broader mission: enhancing national cybersecurity resilience. “[This tool] highlights that [the] containment and eradication side of the response effort” (23:14) is equally important as detection. By providing structured eviction strategies, CISA empowers organizations to mitigate threats effectively and prevent future compromises.
Final Thoughts
Galschute expresses personal satisfaction with the tool’s development: “Being able to do something about it is really important” (25:03). The open-source eviction strategy tool represents a significant advancement in cyber incident response, equipping organizations with the necessary tools to thoroughly remove adversaries and enhance their overall security posture.
In a unique twist, Polish train manufacturer Newag has filed lawsuits worth over $3 million against both a repair shop and ethical hackers from the group Dragon Sector. The legal action stems from these hackers removing anti-repair booby traps to fix trains, actions that led to Newag locking up three more trains and briefly refusing to unlock them. Newag alleges that the hackers implanted malicious code, manipulated the software to disable trains, and caused disruptions at train stations. The lawsuits are perceived as an attempt to suppress the right to repair within Poland's $40 million train repair market, raising questions about the balance between security measures and repair freedoms.
As cybersecurity threats continue to evolve, this episode of CyberWire Daily highlights the critical importance of robust security practices, innovative response tools, and the intricate interplay between state-sponsored activities and private sector vulnerabilities. The featured interview with CISA experts provides valuable insights into enhancing incident response strategies, emphasizing the need for comprehensive and proactive measures in the face of sophisticated cyber adversaries.