CyberWire Daily Podcast Summary: "Orange you glad you didn't fall for this?"
Release Date: February 25, 2025
Host: Dave Bittner, N2K Networks
Introduction
In the February 25, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the latest cybersecurity threats, breaches, and trends shaping the industry. The episode also features an insightful interview with Lauren Buetta, founder and CEO of Girl Security, discussing the importance of mentoring and fostering intergenerational strategies within the cybersecurity workforce.
Major Security Incidents
1. Orange Group Data Breach
At the outset of the episode, Dave reports a significant security breach involving Orange Group, a major French telecommunications company:
- Breach details: A hacker using the handle "Ray," associated with the Hellcat ransomware group, claims to have stolen 6.5 GB of internal documents from Orange, mostly from its Romanian operation. The data reportedly includes roughly 380,000 unique email addresses, customer and employee records, invoices, contracts, and partial payment card details.
  Dave Bittner [04:20]: "Ray says they accessed Orange's systems for over a month using compromised credentials and vulnerabilities in JIRA software."
- Company response: Orange says the breach was confined to a non-critical back-office application and that customer operations were unaffected; it is working with authorities on the investigation. The claimed entry path (valid credentials plus flaws in an internet-facing collaboration tool) and the month-long dwell time are the details worth noting: neither is caught by perimeter controls alone, which is why credential hygiene and prompt patching of tools like Jira matter.
  Dave Bittner [05:10]: "Orange confirmed the breach affected a non-critical back office application, stating that customer operations were unaffected."
2. Russia's Financial Sector Breach at Lanit
The episode highlights a concerning breach within Russia's financial sector:
- Impact: Lanit, Russia's largest IT service provider, whose customers include key government agencies such as the Ministry of Defense and firms such as Rostec, suffered a breach affecting two subsidiaries that build banking technology, ATMs, and payment systems.
  Dave Bittner [06:35]: "The attack could have serious implications for Russia's banking infrastructure."
- Nature of attack: The incident appears to be a supply-chain compromise rather than a conventional DDoS attack, which points to a more deliberate and capable adversary.
Surge in Cyber Attacks
1. Industrial Control Systems (ICS) and Operational Technology (OT) Attacks
There has been a dramatic increase in cyberattacks targeting ICS and OT:
- Statistics: Cybersecurity firm Dragos reports that ransomware attacks against industrial organizations rose 87% in 2024, and that the number of ransomware groups hitting ICS/OT environments grew by 60%.
  Dave Bittner [07:55]: "Ransomware actors are shifting their focus as geopolitical tensions rise."
- Geopolitical context: Conflicts involving Russia, Ukraine, and China have raised the risk, with state-sponsored groups such as China's Volt Typhoon pre-positioning inside critical infrastructure rather than causing immediate disruption.
  Dave Bittner [08:45]: "Volt Typhoon has identified strategic US targets, including power substations critical for military deployments."
2. Silver Fox's Spoofing of Medical Software
A China-linked hacking group, Silver Fox, is targeting the healthcare sector with trojanized software:
- Attack mechanism: Silver Fox distributes spoofed versions of legitimate medical software, including Philips DICOM image viewers, to deliver ValleyRAT, a remote access trojan.
  Dave Bittner [11:15]: "The malware could spread into hospital networks through infected patient devices, posing a major cybersecurity risk to healthcare organizations."
- Technical tactics: The malware runs PowerShell commands to evade endpoint detection and downloads encrypted payloads from Alibaba Cloud. Because the lure is a clinical application, a personal device that carries the trojanized viewer into a hospital network is a plausible infection path, so segmentation between guest/BYOD segments and clinical systems is the practical control here.
UK Home Office Vulnerability Reporting Policy
The podcast addresses controversial changes in the UK's approach to vulnerability reporting:
- Policy shift: The UK Home Office has published a vulnerability reporting policy that leaves ethical hackers exposed to prosecution even when they follow its rules.
  Dave Bittner [12:30]: "Unlike the Ministry of Defence, which assures researchers they won't face prosecution, the Home Office offers no such protections."
- Industry impact: Critics argue that this stance, grounded in the Computer Misuse Act 1990, discourages responsible disclosure and could weaken the UK's overall security resilience. In practice, a researcher who finds a flaw in a Home Office system has no safe-harbor assurance to rely on, which is exactly the kind of ambiguity that keeps findings unreported.
Ransomware Trends
A notable shift in ransomware strategies was discussed:
- From encryption to data exfiltration: ReliaQuest's annual cyber threat report finds that 80% of the ransomware attacks it analyzed in 2024 focused solely on data exfiltration and skipped encryption altogether.
  Dave Bittner [13:10]: "Attackers achieve lateral movement in as little as 27 minutes, leaving defenders little time to respond."
- Defensive recommendations: AI-assisted detection, closer monitoring of VPN access, and rapid vulnerability patching are all stressed, because attackers are compressing the time between initial access and lateral movement. A 27-minute breakout time means the initial response has to be automated; an alert queue reviewed hourly is already too slow.
Advanced Malware Campaigns
1. Poseidon Stealer on macOS
A sophisticated malware campaign targeting macOS users with Poseidon Stealer was extensively covered:
- Distribution tactics: The malware spreads via a counterfeit DeepSeek AI website, promoted through malvertising, that lures victims into downloading a malicious DMG file.
  Dave Bittner [13:50]: "Poseidon employs anti-analysis techniques and exfiltrates stolen data via curl POST requests."
- Mitigation strategies: Experts recommend restricting osascript (AppleScript) execution, deploying next-generation antivirus, and educating users about installers that walk them through Terminal commands.
2. LightSpy Surveillance Framework Evolution
The LightSpy surveillance framework has expanded its capabilities:
- Expansion: Originally focused on messaging apps, it now supports over 100 commands and targets multiple platforms, including Android, iOS, Windows, macOS, Linux, and routers.
  Dave Bittner [14:30]: "LightSpy also uses malicious plugins for keystroke logging, screen capture, and USB monitoring."
- Defense measures: Behavior-based detection is the practical counter to its evasion tactics; signature matching against a framework that ships per-platform plugins will always lag behind.
Botnets and Targeted Attacks
Chinese Botnet Targeting Microsoft 365
A potent threat from a Chinese botnet targeting Microsoft 365 accounts was discussed:
- Botnet scale: The botnet comprises more than 130,000 compromised devices and uses password spraying over non-interactive sign-ins, an authentication path that in many tenants is not covered by multi-factor authentication.
  Dave Bittner [15:05]: "The campaign, linked to Chinese infrastructure, poses a major threat to financial, healthcare, government, and tech sectors."
- Operational impact: Non-interactive sign-ins (service-to-service and legacy-protocol authentication) are rarely reviewed, so the spraying often goes unnoticed, while the volume of failed attempts can trigger account lockouts that disrupt business operations.
- Preventative measures: Security teams are advised to monitor non-interactive sign-in logs for the spray signature (one source hitting many accounts, a few attempts each), to disable legacy/basic authentication where it is still enabled, and to confirm that Conditional Access policies actually cover the protocols those sign-ins use.
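A detection for the spray signature described above, as an added example that is not code from the podcast or from any vendor report: it reads constructed newline-delimited JSON records shaped like an Entra ID non-interactive sign-in export, flags source IPs whose failed sign-ins touch many distinct accounts inside a time window, and then lists which accounts those sources subsequently signed in to successfully. The field names, error codes, IP addresses, and sample records are all assumptions made for the example.

```python
"""Spot password spraying in Microsoft 365 / Entra ID non-interactive sign-in logs.

Added example, not code from the podcast, Microsoft, or any vendor. The
records below are constructed to resemble the fields in an Entra ID
non-interactive sign-in export (createdDateTime, userPrincipalName,
ipAddress, isInteractive, clientAppUsed, status.errorCode); treat the exact
field names and values as assumptions and adapt them to your own export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes treated as a failed credential check (assumed here):
# 50126 = invalid username or password, 50053 = account locked out.
FAILED_AUTH_CODES = {50126, 50053}


def _rec(ts, upn, ip, code, interactive=False):
    """Build one constructed sign-in record in the assumed export shape."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "isInteractive": interactive,
        "clientAppUsed": "Other clients",  # legacy/basic auth client, assumed
        "status": {"errorCode": code},
    }


# Constructed sample (newline-delimited JSON). One source fails against six
# different accounts once each and then signs in as a seventh: the spray
# signature. A second source is one user getting their own password wrong.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2025-02-25T09:00:00Z", "alice@example.com", "198.51.100.4", 50126),
    _rec("2025-02-25T09:01:00Z", "alice@example.com", "198.51.100.4", 50126),
    _rec("2025-02-25T09:02:00Z", "alice@example.com", "198.51.100.4", 50126),
    _rec("2025-02-25T09:03:00Z", "alice@example.com", "198.51.100.4", 50053),
    _rec("2025-02-25T10:00:00Z", "carol@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:01:00Z", "dan@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:02:00Z", "erin@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:03:00Z", "frank@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:04:00Z", "heidi@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:05:00Z", "ivan@example.com", "203.0.113.7", 50126),
    _rec("2025-02-25T10:06:00Z", "bob@example.com", "203.0.113.7", 0),
    # Interactive failure from the same source: deliberately excluded, since
    # the point is to look at the sign-in type most teams never review.
    _rec("2025-02-25T10:07:00Z", "grace@example.com", "203.0.113.7", 50126, True),
])


def _parse(text):
    """Yield (timestamp, upn, ip, error_code, interactive) from NDJSON text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        yield (ts, rec["userPrincipalName"].lower(), rec["ipAddress"],
               rec["status"]["errorCode"], rec.get("isInteractive", True))


def detect_password_spray(text, min_distinct_users=5, window=timedelta(hours=1)):
    """Return {ip: (max distinct accounts failed inside `window`, total failures)}
    for each source IP whose non-interactive failures touch at least
    `min_distinct_users` different accounts within any single window.

    Many accounts with few attempts each is what separates a spray from a
    user mistyping a password or a brute force against a single account.
    """
    failures = defaultdict(list)
    for ts, upn, ip, code, interactive in _parse(text):
        if interactive or code not in FAILED_AUTH_CODES:
            continue
        failures[ip].append((ts, upn))

    hits = {}
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # advance the window start until [start, end] fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({upn for _, upn in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            hits[ip] = (best, len(events))
    return hits


def successes_from_spray_sources(text, **kwargs):
    """List (ip, upn, timestamp) for successful non-interactive sign-ins from
    IPs flagged by detect_password_spray: the accounts the spray actually got."""
    spray_ips = detect_password_spray(text, **kwargs)
    found = []
    for ts, upn, ip, code, interactive in _parse(text):
        if ip in spray_ips and not interactive and code == 0:
            found.append((ip, upn, ts.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return sorted(found)


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
    print(successes_from_spray_sources(SAMPLE_LOG))
```

In a real tenant the same logic is a KQL query over the non-interactive sign-in table rather than a Python script; it is written out here so the thresholds and the window can be read and tested offline. The second function is the one to act on: a flagged source with even one success means a credential is already compromised, and that account needs a password reset and session revocation before anything else.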
Vulnerabilities and Exploits
Oracle Agile PLM Flaw
An important vulnerability was highlighted:
- Vulnerability details: CISA has added an Oracle Agile PLM flaw to its Known Exploited Vulnerabilities catalog. The high-severity deserialization bug lets a low-privileged attacker with network access execute arbitrary code.
  Dave Bittner [15:40]: "While no public reports confirm active exploitation, experts believe attackers likely use it post initial access."
- Industry relevance: Oracle products, WebLogic in particular, remain frequent targets. A KEV listing starts the clock on federal remediation deadlines, and for everyone else it is the clearest available signal to move the patch to the front of the queue.
Interview with Lauren Buetta, Founder and CEO of Girl Security
Mentoring and Intergenerational Strategies
The episode features an in-depth conversation with Lauren Buetta about Girl Security's initiatives to empower girls and young women in the national security sector:
- Organizational mission: Girl Security advances girls and young women through skills-based learning, mentorship, and professional advancement, with an emphasis on how technology is applied in a national security context.
  Lauren Buetta [14:49]: "Central to our mission is an emphasis on educating girls about how technology is applied within the national security context."
- All Secure Alliance initiative: Launched two years earlier, the program identifies gaps in the security sector and promotes an intergenerational workforce through tools such as a reverse mentorship toolkit.
  Lauren Buetta [15:21]: "We created the first reverse mentorship toolkit that can be used within the security sector, but really by any industry."
- Reverse mentorship model: Junior employees mentor senior leaders, transferring current technical knowledge and the experience of a modern education upward through the organization.
  Lauren Buetta [16:34]: "Younger people mentor up senior people on how to use those technologies."
- Program success and expansion: Girl Security has carried a waitlist for more than six years, a sign of sustained demand. Its workforce training program supports roughly 300 fellows a year, and its mentoring program forms around 1,000 mentoring relationships annually.
  Lauren Buetta [17:43]: "Our challenge, which is not necessarily new, is how do we leverage systems and the communities of people we serve to design for certain efficiencies?"
- Measuring success: Through surveys and follow-up analysis, Girl Security reports a 97% satisfaction and engagement rate and 87% placement into security pathways.
  Lauren Buetta [20:30]: "We're at about 87%. That means that someone who's gone through our program has secured an opportunity in the security space."
- Mentor selection: Girl Security looks for mentors from diverse sectors who understand the security landscape and listen well enough to give targeted guidance.
  Lauren Buetta [21:49]: "We're really just looking for people who have an understanding of what the security sector looks like, believes in the power of engaging young people in the sector..."
- Success story: Lauren tells the story of Araya, a participant who moved from the summer fellowship into the workforce training program, won a scholarship to study cybersecurity at the University of Chicago, and contributed to projects such as the White House global convening of girls and women in cyber.
  Lauren Buetta [22:59]: "She stayed involved in the mentoring program as an alumni and is just off doing remarkable things."
Conclusion
Dave Bittner wraps up the episode by emphasizing the critical nature of cybersecurity advancements and community initiatives like Girl Security in fostering a resilient and diverse workforce. Listeners are encouraged to stay informed and engaged with the latest developments to stay ahead in the rapidly evolving cybersecurity landscape.
Notable Quotes
- Dave Bittner [04:20]: "Ray says they accessed Orange's systems for over a month using compromised credentials and vulnerabilities in JIRA software."
- Dave Bittner [07:55]: "Ransomware actors are shifting their focus as geopolitical tensions rise."
- Dave Bittner [15:05]: "The campaign, linked to Chinese infrastructure, poses a major threat to financial, healthcare, government, and tech sectors."
- Lauren Buetta [20:30]: "We're at about 87%. That means that someone who's gone through our program has secured an opportunity in the security space."
Final Thoughts
This episode of CyberWire Daily offers a wealth of information on current cybersecurity threats and highlights the importance of nurturing the next generation of security professionals through strategic mentoring and educational programs. The discussions underscore the multifaceted nature of cybersecurity challenges and the collaborative efforts required to address them effectively.