Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.

Credential theft puts sensitive corporate and military networks at risk. A federal judge refuses to block DOGE from accessing sensitive federal data. New York-based Insight Partners confirms a cyber attack. The BlackLock ransomware group is on the rise. OpenSSH patches a pair of vulnerabilities. Russian threat actors are exploiting Signal's Linked Devices feature. Over 12,000 GFI Kerio Control firewalls remain exposed to a critical remote code execution vulnerability. CISA issues two ICS security advisories. Federal contractors pay $11 million in cybersecurity non-compliance fines. In our CertByte segment, Chris Hare is joined by Stephen Burnley to break down a question targeting the ISC2 SSCP (System Security Certified Practitioner) exam. And sweeping cybercrime reforms are unveiled by Russia.

It's Wednesday, February 19, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Our CyberWire team is on location in Orlando this week at ThreatLocker's Zero Trust World 25 conference.

Sensitive corporate and military networks in the US could be at risk due to widespread credential theft from infostealer malware. Research from Hudson Rock reveals cybercrime marketplaces are selling credentials from major defense contractors like Lockheed Martin and Boeing, as well as US military and government agencies, sometimes for as little as $10 per log. These logs often include active session cookies, allowing attackers to bypass multi-factor authentication. Even organizations not directly infected could be compromised through their partners or vendors. Stolen credentials may expose classified systems, procurement details and mission-critical intelligence. Experts warn this poses a major national security threat, urging immediate password resets and forensic investigations. Infostealer infections stem from phishing, malware-laden downloads and fake apps, with over 30 million compromised computers identified in recent years.

A federal judge refused to block Elon Musk and his Department of Government Efficiency from accessing sensitive federal data, despite concerns over privacy and oversight. The lawsuit, filed by 14 state attorneys general, failed to prove imminent irreparable harm. The White House shifted its legal stance, arguing that Musk is merely a senior adviser to President Trump and not DOGE's leader. DOGE retains access to key agencies including Commerce, Energy and Health and Human Services, and has reportedly fed financial data into AI software via Microsoft Azure. The task force has also been granted unchecked system access to young, unvetted employees. The controversy centers on Musk's influence over federal workforce reductions and AI-driven efficiency efforts. Despite lacking Senate confirmation, the White House calls Musk a special government employee, while Judge Chutkan acknowledged DOGE's unpredictability but found no immediate legal basis for intervention. The White House declined further commentary.

Meanwhile, a General Services Administration worker resigned in protest after Thomas Shedd, a Musk ally and head of Technology Transformation Services, requested admin access to the notify.gov system. This platform sends mass government texts and contains personally identifiable information like phone numbers and Medicaid participation status. Shedd's request would grant him unilateral access to this sensitive data without oversight. The resigning worker warned that bypassing the Authorization to Operate process violates federal security policies. Other employees fear unchecked power over public data and the risk of government systems being misused for AI-driven workforce reductions. Shedd previously suggested using login.gov for fraud tracking and replacing federal workers with AI coding agents. Employees say his actions are scary, and concerns grow that no one will stop him. GSA has not responded to requests for comment.

New York-based Insight Partners confirmed a cyber attack in January 2025 caused by what they say is a sophisticated social engineering attack. The breach was detected on January 16, and the firm swiftly contained and remediated it. The attack did not impact operations or pose risks to portfolio companies, including major IT and cybersecurity firms like SentinelOne, Wiz and Recorded Future. Insight has informed law enforcement and partners and is investigating the breach with cybersecurity experts. The firm manages $90 billion in assets and has backed over 800 companies.

Security researchers warn of BlackLock, a rapidly growing ransomware-as-a-service group which saw a 1400% increase in data leak posts in late 2025 and is expected to be 2025's most active ransomware-as-a-service group. BlackLock distinguishes itself with custom-built malware, making analysis difficult, and data leak site defenses that prevent victims from accessing stolen data, increasing ransom pressure. BlackLock operates heavily on the RAMP forum, collaborating with affiliates, developers and initial access brokers to accelerate attacks. Unlike typical ransomware-as-a-service groups, it retains control over early attack stages by recruiting traffers, individuals who steer victims to malicious content, while higher-level developers are discreetly hired. ReliaQuest warns that BlackLock may exploit Microsoft Entra Connect to target on-premises environments. Organizations are urged to harden synchronization rules, enforce MFA, restrict RDP and secure ESXi hosts to mitigate risks.

Qualys reported two OpenSSH vulnerabilities, both now patched in the latest version. The first is a denial-of-service flaw allowing attackers to overload memory and CPU with small ping messages, potentially crashing systems. The second is a man-in-the-middle attack affecting clients with VerifyHostKeyDNS enabled. FreeBSD had this setting on by default from 2013 through 2023. Admins should update immediately, disable VerifyHostKeyDNS and monitor SSH traffic for anomalies.

Russian threat actors are exploiting Signal's Linked Devices feature in phishing campaigns to steal access to secure conversations. Google Threat Intelligence Group reports that state-aligned hackers, including Sandworm, have tricked victims into scanning malicious QR codes linking their Signal accounts to attacker-controlled devices. Attackers disguised phishing pages as legitimate Signal group invites or device pairing instructions. In some cases, modified JavaScript on fake invite pages redirected victims to link their accounts instead of joining a group. Ukrainian military personnel were targeted via a phishing kit impersonating artillery software, while WAVESIGN and Infamous Chisel malware helped extract Signal data from compromised devices. Google's Threat Intelligence Group warns this device linking attack is hard to detect and can persist unnoticed. Users should update Signal, check linked devices, use strong passwords, be cautious with QR codes and enable two-factor authentication for better security.

Over 12,000 GFI Kerio Control firewalls remain exposed to a critical remote code execution vulnerability. First discovered in December 2024, the flaw allows one-click RCE attacks due to improper input sanitization leading to HTTP response splitting and cross-site scripting exploits. Despite a December security update, over 23,800 instances were still vulnerable weeks later, and active exploitation attempts were detected early this year targeting admin CSRF tokens. As of now, 12,229 firewalls remain exposed, mostly in Iran, the US, Italy and Germany. With a public proof of concept available, even low-skilled hackers can exploit the flaw. Organizations should immediately update to the latest version, released on January 31st, for enhanced security.

CISA has issued two ICS security advisories addressing critical vulnerabilities in Delta Electronics CNCSoft-G2 and Rockwell Automation GuardLogix controllers, which are widely used in manufacturing, energy and critical infrastructure. The one affecting Delta Electronics is a memory corruption flaw that could allow remote code execution via malicious DPAX files. Users should update and isolate networks. The one affecting Rockwell Automation is a denial-of-service vulnerability in CIP message processing, requiring firmware updates and network restrictions. CISA urges patching, segmentation, VPN use and intrusion detection to secure OT environments.

Health Net Federal Services and Centene Corporation will pay $11 million to settle allegations of cybersecurity non-compliance while supporting the US military's TRICARE healthcare program. Prosecutors claim that between 2015 and 2018, HNFS falsely certified compliance with federal cybersecurity standards, failing to patch vulnerabilities, enforce password policies, and secure outdated hardware and software. The settlement is part of the DOJ's Civil Cyber-Fraud Initiative, launched in 2021 under the False Claims Act, which holds federal contractors accountable for cybersecurity failures. Similar penalties include Guidehouse paying $11.3 million, Penn State paying $1.25 million and a currently pending lawsuit with Georgia Tech. DOJ officials stress that contractors handling sensitive government data must meet security obligations. Acting Assistant AG Brett Shumate warned that the DOJ will continue pursuing violations that protect national security and Americans' privacy.

Coming up after the break, Chris Hare and Stephen Burnley have our weekly CertByte segment, and cybercrime reforms are unveiled by Russia. Stay with us.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control: stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Dave Bittner
Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

In our recurring CertByte segment, Chris Hare is joined by Stephen Burnley to break down a question targeting the ISC2 SSCP (System Security Certified Practitioner) exam.
Chris Hare
Hi everyone, it's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice test question from our suite of industry-leading content and a study tip to help you achieve the professional certifications you need to fast-track your career growth in IT, cybersecurity and project management. Today's question targets the ISC2 SSCP (System Security Certified Practitioner) exam, which was updated on September 15, 2024. This exam is targeted for IT admins, directors, managers and network security professionals who have a hands-on role in operational security. I've enlisted Stephen once again to join us, who is our resident ISC2 expert. Welcome, Stephen. How are you today?
Stephen Burnley
I'm doing great, Chris, thanks for having me.
Chris Hare
Absolutely. So Stephen, I understand this cert requires only one year of work experience, so does that make this exam easier when compared to the CISSP and CC?
Stephen Burnley
Well, I would say actually a better description would be that it fits in between those two exams. The CC exam is an attempt by ISC2 to certify almost a million IT professionals in cybersecurity, and that's meant for students, industry professionals, executives, not as technical as the other two. The exam we're talking about today, the SSCP exam, will have more practical knowledge on it, and the CISSP, we all know, is a big capstone part of anyone's certification path.
Chris Hare
All right, great. Thank you for that. So we are going to be turning the tables again, and Stephen, you are asking me today's question. But first, while I gather up some guts, I understand you have a 10-second study bit for this test. What do you have for us today?
Stephen Burnley
Well, we just mentioned that this exam would have kind of a practical nature to it, which means it is going to have a lot of terminology and acronyms to remember. So one of the aspects of all of our study materials is a collection of flashcards. And flashcards are great for times where you need to take exams that have heavy terminology. You want to do memorization attempts on those. And also we allow you to eventually filter out the flashcards that you already know and just study the ones that are still giving you trouble. So most of our exams include over 150 flashcards.
Chris Hare
Excellent. That's a really awesome tip. So, Stephen, hit me with today's question.
Stephen Burnley
All right, well, get ready. This is a long one. An IT security manager is struggling to keep the organization's computers in working order. He's testing updates, configuring them to be installed onto systems, and making tweaks to configuration settings to various systems as business tasks require. However, he often discovers systems which do not have the necessary updates or which are using out-of-date settings. This may be caused by systems being disconnected from the company network when taken into the field or used for special offline projects. Which technology should the IT security manager implement to help handle this complex issue? You don't have to have it memorized. There are four choices. Here you go. Here's your four choices.
Chris Hare
Okay.
Stephen Burnley
IEEE 802.1X, NAC, NTP synchronization or OCSP.
Chris Hare
Wow, Stephen, this is a toughie. But I do know that this is part of "Understand network attacks and countermeasures." That falls under the Network and Communications Security objective, correct?
Stephen Burnley
It does. And I warned you about the acronym soup on this one. Now you wish you'd studied those flashcards.
Chris Hare
Absolutely. Yes. This is going to be a challenge. So this is such a layered question with so many components. Is this typical of an SSCP question, Stephen? Do they all have this lengthy of a setup?
Stephen Burnley
Yes, you can expect this type of scenario-based question. It actually makes them more like real-life scenarios.
Chris Hare
All right, well, thank goodness you are here to help us through it today. Okay, so first it would help if I were familiar with these terms, and I only have light familiarity, which means the likelihood of me getting this wrong is almost 100%. Because this seems like a scenario-based question, as you mentioned, which is simply more than just matching a term with its definition. Am I correct in assuming that, Stephen?
Stephen Burnley
Yes, exactly.
Chris Hare
All right, so right off the bat, the "often" qualifier is throwing me off. Is it safe to say that there is potentially more than one correct answer out of your options, but one is the slightly better answer?
Stephen Burnley
Well, all right, let me give you some hints. All the options are protocols, but three of them are security protocols. The IEEE has to do with user authentication and access. NAC is a broad security framework that includes quarantine features. NTP has to do with clock synchronization for audits and logging. And OCSP has to do with validating digital signatures. Maybe that'll help?
Chris Hare
I think so. That's really good context and also a great way for a student to isolate their answer choices. So given what you said against the question, which asks specifically about network systems being disconnected and not getting the necessary updates, I'm going to rule out IEEE, which is isolated to user authentication and access. You said NAC is a broad security framework that includes quarantine features, and I think you're trying to give me a hint there, so let's hold on to that one. NTP is regarding syncing clocks, which does not seem to be the issue here, and OCSP has to do with digital certs, which is not the situation that you're describing either. So I am going to go with B, NAC. Am I right?
Stephen Burnley
That is correct. Excellent work. NAC, Network Access Control, should be implemented in this scenario. When a system is determined by NAC to lack the specific configuration settings or be missing a required update, the system will be quarantined. NAC quarantine is an isolation triggered by a system being out of compliance. It usually involves shifting IP address assignments to place the system in a quarantine subnet where that system is only able to access the remediation server. Quarantine remediation can be performed automatically, or it may require an administrator to perform manual operations. Once the system is brought into compliance, then it's returned to the production network. This technology ensures not only that systems will have the current configuration, but also the updates that they need to interact with the production environment.

Now, you're right about that. IEEE 802.1X is a port-based network access control which is used to leverage authentication already present in the network to validate clients connecting over hardware devices such as wireless access points or VPN connectors. The purpose of IEEE 802.1X is to avoid the use of on-device static password authentication, which is a very weak form of authentication. The 802.1X standard allows existing multi-factor or otherwise robust network authentication to be ported or proxied for use onto various hardware/software connection options. Online Certification Status Protocol, OCSP, is a communication query system employed by modern certificate authorities to inform endpoints of the revocation status of digital certificates. OCSP enables endpoints to obtain real-time revocation status without significant bandwidth consumption. OCSP replaced an older concept known as the certificate revocation list. And the Network Time Protocol, NTP synchronization, is the means by which clocks on various systems are brought into alignment. It's essential that all internal systems have synchronized time. The synchronized time is typically synchronized to some sort of world time source. This helps to ensure that all logs and audit trails are in harmony, in order to make investigations or historical research into a chronological order of events practical and easier.
Chris Hare
Well, that is an awesome question, and thank you so much for that detailed explanation. One thing's for sure, I would have never gotten that one right without your help. So I appreciate your being here today, Stephen. Are there any upcoming ISC2 or other practice tests you'd like to promote here?
Stephen Burnley
Actually, I do. There is an update to the CISSP exam coming in early 2025, and we just updated the framework for the Cisco Certified Network Associate, or CCNA, exam just this past September. We're also creating a ton of more updates for Microsoft, CompTIA and Amazon exams coming in the new year, so take a look at our website for those.
Chris Hare
Great. Thank you so much, Stephen.
Stephen Burnley
Well, thanks for having me, Chris.
Chris Hare
Thank you for joining me for this week's CertByte. If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com. That's C-E-R-T-B-Y-T-E at n2k.com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com/certify for more resources, including our new N2K Pro offerings. Check out thecyberwire.com/pro. For sources and citations for this question, please check out our show notes. Happy certifying.
Dave Bittner
And don't forget to check out N2K's System Security Certified Practitioner practice test on our website.

And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust and AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Chris Hare
This episode is brought to you by Nerds Gummy Clusters, the.
Stephen Burnley
Sweet treat that always elevates the vibe.
Chris Hare
With a sweet gummy surrounded with tangy, crunchy nerds. Every bite of Nerds Gummy Clusters brings.
Stephen Burnley
You a whole new world of flavor.
Chris Hare
Whether it's game night, on the way.
Stephen Burnley
To a concert, or kicking back with your crew, unleash your senses with Nerds Gummy Clusters.
Dave Bittner
And finally, Russia has unveiled sweeping cybercrime reforms aiming to crack down on hackers with harsher penalties, asset seizures, and even public trials. Under the new laws, hackers could face up to 15 years in prison, lose their crypto stashes, and be banned from IT jobs for a decade. Banks can freeze cybercriminals' accounts instantly, and government agencies gain expanded surveillance powers to protect citizens. Totally not for spying, of course. The plan includes public trials, which officials claim will deter crime, though critics worry they could expose security weaknesses. Meanwhile, Russia is demanding faster extraditions, a move that might strain diplomatic ties with countries hesitant to send hackers back home. Whether these measures actually reduce cybercrime or just increase state control remains to be seen. But the world is watching.

And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: "Pennies for Access" – February 19, 2025
Host: Dave Bittner, Powered by N2K Networks
In the February 19, 2025 episode of CyberWire Daily, host Dave Bittner delivers a comprehensive overview of the latest cybersecurity threats, vulnerabilities, and regulatory developments. The episode, titled "Pennies for Access," covers critical issues affecting corporate and military networks, significant cyberattacks, emerging ransomware threats, and sweeping cybercrime reforms in Russia. Additionally, the episode features a CertByte segment focused on the ISC2 SSCP certification exam.
Timestamp: [00:02] - [12:30]
Dave Bittner opens the briefing by highlighting a severe national security concern: widespread credential theft facilitated by infostealer malware. According to research from Hudson Rock, cybercrime marketplaces are selling credentials from major defense contractors like Lockheed Martin and Boeing, as well as from U.S. military and government agencies, for as little as $10 per log. These stolen credentials often include active session cookies, enabling attackers to bypass multi-factor authentication.
Notable Quote:
"Stolen credentials may expose classified systems, procurement details and mission-critical intelligence. Experts warn this poses a major national security threat."
– Dave Bittner [02:15]
The episode underscores how even organizations not directly infected can be compromised through their partners or vendors, urging immediate password resets and forensic investigations to mitigate potential breaches.
Timestamp: [12:30] - [16:00]
A federal judge has refused to block Elon Musk and the Department of Government Efficiency (DOGE) from accessing sensitive federal data, despite privacy and oversight concerns raised by 14 state attorneys general. The lawsuit failed to demonstrate imminent irreparable harm, and the White House now maintains that Musk serves merely as a senior adviser to President Trump, not as the head of DOGE.
Notable Quote:
"The White House shifted its legal stance, arguing that Musk is merely a senior adviser to President Trump and not DOGE's leader."
– Dave Bittner [14:45]
Controversy surrounds DOGE's access to key agencies like Commerce, Energy, and Health and Human Services, with reports of financial data being fed into AI software via Microsoft Azure. A General Services Administration (GSA) worker recently resigned in protest over concerns about unvetted employees gaining unchecked access to sensitive systems.
Timestamp: [16:00] - [18:00]
New York-based Insight Partners confirmed a sophisticated social engineering attack in January 2025. Detected on January 16, the breach was swiftly contained without impacting operations or posing risks to portfolio companies, including notable cybersecurity firms like SentinelOne, Wiz, and Recorded Future. Insight Partners, managing $90 billion in assets and having backed over 800 companies, is actively investigating the incident with cybersecurity experts.
Timestamp: [18:00] - [21:30]
Security researchers have identified BlackLock as a rapidly growing ransomware-as-a-service (RaaS) group, experiencing a 1,400% increase in data leak posts in late 2025. This group distinguishes itself through custom-built malware and data leak site defenses that prevent victims from accessing stolen data, thereby increasing ransom pressure.
Notable Quote:
"BlackLock operates heavily on the RAMP forum, collaborating with affiliates, developers and initial access brokers to accelerate attacks."
– Dave Bittner [18:45]
Organizations are advised to harden synchronization rules, enforce multi-factor authentication (MFA), restrict Remote Desktop Protocol (RDP) access, and secure ESXi hosts to mitigate BlackLock's attack vectors.
Timestamp: [21:30] - [24:00]
Qualys reported two critical vulnerabilities in OpenSSH, both now patched in the latest version. The first allows denial-of-service (DoS) attacks via small ping messages that can overload memory and CPU, while the second enables man-in-the-middle (MITM) attacks on clients with VerifyHostKeyDNS enabled, a setting FreeBSD shipped on by default from 2013 through 2023.
Notable Quote:
"Admins should update immediately, disable VerifyHostKeyDNS and monitor SSH traffic for anomalies."
– Dave Bittner [22:30]
Administrators are urged to update to the patched release immediately to protect against these flaws.
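The advice to disable VerifyHostKeyDNS is easy to get wrong in practice, because ssh_config applies the first matching value for an option, not the most specific one: a global "VerifyHostKeyDNS yes" placed above a Host stanza silently overrides the "no" in that stanza. The script below is an added example, not code from the podcast or from the OpenSSH project. It parses a constructed ssh_config, resolves the effective VerifyHostKeyDNS value per host the way ssh(1) does (first match wins, Host patterns treated as globs, "!" negation honoured) and lists the hosts where the option is still enabled. Match blocks are skipped, which is a simplification of this example rather than OpenSSH behaviour.

```python
"""Audit an OpenSSH client configuration for VerifyHostKeyDNS.

Added example (not code from the podcast or from OpenSSH). It applies the
ssh_config rule that the first obtained value for an option wins, with
Host patterns matched as globs, and reports which hosts would still have
VerifyHostKeyDNS enabled. Match blocks are skipped (simplification).
"""
import fnmatch
import re

# Constructed ssh_config in the conventional layout: specific Host
# stanzas first, a catch-all "Host *" with defaults at the bottom.
SAMPLE_SSH_CONFIG = """
Host bastion.example.internal
    User ops
    VerifyHostKeyDNS no

Host legacy-*
    VerifyHostKeyDNS ask

Host *
    VerifyHostKeyDNS yes
"""

# Constructed ssh_config showing the shadowing pitfall: the global value
# comes first, so the per-host "no" below it is never reached.
SHADOWED_CONFIG = """
VerifyHostKeyDNS yes

Host bastion.example.internal
    VerifyHostKeyDNS no
"""

OPENSSH_DEFAULT = "no"   # VerifyHostKeyDNS default in OpenSSH's ssh_config(5)


def parse_ssh_config(text):
    """Return (host_patterns, key_lower, value) tuples in file order.

    host_patterns is None for options that precede any Host line (global).
    """
    entries = []
    current = None
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current, in_match = value.split(), False
        elif key == "match":
            in_match = True          # Match blocks are not evaluated here
        elif not in_match:
            entries.append((current, key, value))
    return entries


def host_matches(host, patterns):
    """Glob matching with ssh_config's '!' negation; None means global."""
    if patterns is None:
        return True
    negatives = [p[1:] for p in patterns if p.startswith("!")]
    positives = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negatives):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positives)


def effective_option(entries, host, option, default):
    """First matching occurrence wins, as ssh(1) resolves options."""
    opt = option.lower()
    for patterns, key, value in entries:
        if key == opt and host_matches(host, patterns):
            return value.lower()
    return default


def audit_verify_host_key_dns(text, hosts):
    """Map each host whose effective VerifyHostKeyDNS is not 'no' to its value."""
    entries = parse_ssh_config(text)
    findings = {}
    for h in hosts:
        v = effective_option(entries, h, "VerifyHostKeyDNS", OPENSSH_DEFAULT)
        if v != "no":
            findings[h] = v
    return findings


if __name__ == "__main__":
    hosts = ["bastion.example.internal", "legacy-plc01", "db.example.internal"]
    for label, cfg in (("conventional", SAMPLE_SSH_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(label, audit_verify_host_key_dns(cfg, hosts))
```

Run against a real file with `parse_ssh_config(open("~/.ssh/config").read())` expanded as appropriate, and remember that /etc/ssh/ssh_config is read after the user file, so a distribution default of "yes" there still applies to any host the user file leaves unset. `ssh -G hostname` prints the values the real client resolves and is the authoritative cross-check.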
Timestamp: [24:00] - [26:00]
The Google Threat Intelligence Group has reported that Russian state-aligned hackers, including the Sandworm group, are exploiting Signal's Linked Devices feature in phishing campaigns. Victims are deceived into scanning malicious QR codes that link their Signal accounts to attacker-controlled devices, allowing unauthorized access to secure conversations.
Notable Quote:
"This device linking attack is hard to detect and can persist unnoticed."
– Dave Bittner [25:15]
Users are advised to update Signal, review their linked devices, use strong passwords, be cautious with QR codes, and enable two-factor authentication to enhance security.
Timestamp: [26:00] - [28:00]
Over 12,000 GFI Kerio Control firewalls remain exposed to a critical remote code execution (RCE) vulnerability discovered in December 2024. Despite a December security update, more than 23,800 instances were still vulnerable weeks later, and the 12,229 still exposed are predominantly in Iran, the U.S., Italy, and Germany. The vulnerability allows one-click RCE attacks through improper input sanitization, leading to HTTP response splitting and cross-site scripting (XSS) exploits.
Notable Quote:
"With a public proof of concept available, even low-skilled hackers can exploit the flaw."
– Dave Bittner [27:30]
Organizations are instructed to update immediately to the latest version, released on January 31st.
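The defect class named above, improper sanitization of a value that ends up in an HTTP header, is generic and worth seeing beside its fix. The code below is an added example, not code from the podcast or from any GFI product; it uses a constructed redirect parameter containing CR/LF (the shape that produces response splitting) to show how an unsanitized header build yields an extra, attacker-chosen header line, and then the two checks that close the hole: rejecting control characters in any header value, and allow-listing where a redirect may point.

```python
"""Vulnerable vs hardened handling of a user-controlled HTTP header value.

Added example (not code from the podcast or from any GFI product). The
tampered input is constructed; the extra header it injects is a harmless
marker that only makes the split visible.
"""
import re

# Constructed inputs: a clean relative target and one carrying CR/LF.
CLEAN_TARGET = "/home"
TAMPERED_TARGET = "/home\r\nX-Injected: 1"

# Header field values never legitimately contain CR, LF or NUL (RFC 9110),
# so any of them in user input is an injection attempt, not a typo.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_redirect_unsafe(target):
    """Vulnerable: interpolates the raw value into the header block.

    A CR/LF inside `target` terminates the Location header early and
    whatever follows is parsed by the client as further headers (or body).
    """
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def safe_header_value(value):
    """Reject, rather than strip, control characters in a header value."""
    if _FORBIDDEN.search(value):
        raise ValueError("control characters in header value")
    return value


def safe_redirect_target(target, allowed_hosts=()):
    """Allow only a local path or an https URL on an allow-listed host.

    Protocol-relative '//host' paths are refused because clients treat them
    as absolute URLs, which would turn the local-path check into an open
    redirect.
    """
    target = safe_header_value(target)
    if target.startswith("/") and not target.startswith("//"):
        return target
    m = re.match(r"https://([A-Za-z0-9.-]+)(/[^\s]*)?$", target)
    if m and m.group(1) in allowed_hosts:
        return target
    raise ValueError("redirect target not allowed")


def build_redirect_safe(target, allowed_hosts=()):
    """Hardened counterpart of build_redirect_unsafe."""
    location = safe_redirect_target(target, allowed_hosts)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def header_lines(response):
    """Split a raw response into its header lines, for inspection."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def rejects(target, allowed_hosts=()):
    """True if the hardened builder refuses this target."""
    try:
        build_redirect_safe(target, allowed_hosts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", header_lines(build_redirect_unsafe(TAMPERED_TARGET)))
    print("safe:", header_lines(build_redirect_safe(CLEAN_TARGET)))
    print("tampered rejected:", rejects(TAMPERED_TARGET))
```

Most web frameworks already raise on CR/LF in header values, so the lasting lesson is the second check: the redirect or "return to" parameter that reaches a Location header must be validated against what the application is willing to redirect to, not merely cleaned of line breaks.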
Timestamp: [28:00] - [30:00]
The Cybersecurity and Infrastructure Security Agency (CISA) has released two Industrial Control Systems (ICS) security advisories addressing critical vulnerabilities in Delta Electronics CNCSoft-G2 and Rockwell Automation GuardLogix controllers. These systems are widely used in the manufacturing, energy, and critical infrastructure sectors.
Notable Quote:
"CISA urges patching, segmentation, VPN use and intrusion detection to secure OT environments."
– Dave Bittner [29:45]
Federal contractors Health Net Federal Services and Centene Corporation have agreed to an $11 million settlement over alleged cybersecurity non-compliance, underscoring the DOJ's commitment to enforcing cybersecurity standards among entities handling sensitive government data.
Timestamp: [13:55] - [25:36]
The CertByte segment features Chris Hare and Stephen Burnley discussing the ISC2 SSCP (System Security Certified Practitioner) exam. They address study strategies, including the use of flashcards to master the terminology and acronyms essential for the exam's practical, scenario-based questions.
Notable Quote:
"Flashcards are great for times where you need to take exams that have heavy terminology."
– Stephen Burnley [18:27]
Stephen presents a sample scenario question, which Chris works through, whose answer is network access control (NAC) as the solution for managing systems that frequently disconnect from the company network, highlighting the importance of practical knowledge in operational security.
Timestamp: [27:40] - [29:54]
Concluding the episode, Dave Bittner reports on Russia's new cybercrime reforms aimed at combating hackers through harsher penalties, asset seizures, and public trials. Under the new laws, cybercriminals could face up to 15 years in prison, loss of crypto assets, and a decade-long ban from IT jobs. Banks are empowered to instantly freeze accounts tied to cybercriminals, and government agencies receive expanded surveillance capabilities.
Notable Quote:
"Whether these measures actually reduce cybercrime or just increase state control remains to be seen."
– Dave Bittner [28:30]
Critics express concern that public trials might expose security weaknesses and that expedited extradition demands could strain diplomatic relations with countries reluctant to repatriate hackers.
The "Pennies for Access" episode of CyberWire Daily provides an in-depth analysis of current cybersecurity challenges, emphasizing the critical nature of credential security, the rise of sophisticated ransomware groups, and the ongoing evolution of cybercrime legislation. With expert insights and actionable recommendations, the episode serves as a crucial resource for cybersecurity professionals aiming to stay ahead in a rapidly changing threat landscape.
JoinDeleteMe: Protect your data privacy by removing personal information from data brokers. JoinDeleteMe.com/N2K (Promotional Offer: 20% off with code N2K)
ThreatLocker: Comprehensive cybersecurity solutions to control unauthorized applications and secure sensitive data. ThreatLocker.com
N2K Practice Tests: Enhance your certification readiness with N2K’s practice exams. Visit N2K.com/certify
Thank you for tuning into CyberWire Daily. Stay secure and informed.