Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.
Cecilia Marinier (0:11)
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
The Defense Department is launching a new fast-track software approval process. A popular employee monitoring tool exposes over 21 million real-time screenshots. The US opens a criminal antitrust investigation into router maker TP-Link. A pair of health data breaches affect over 6 million people. South Korea's SK Telecom confirms a cyber attack. A critical zero-day puts thousands of SAP applications at potential risk. Researchers raise concerns over AI agents performing unauthorized actions. Policy Puppetry can break the safety guardrails of all major generative AI models. New research tallies the high costs of data breaches. A preview of the RSAC Innovation Sandbox with Cecilia Marinier, vice president at RSAC, and David Chen, head of global technology investment banking at Morgan Stanley. And stocking hard drives full of human knowledge, just in case.
It's Friday, April 25th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
David Chen (2:28)
Foreign.
Cecilia Marinier (2:35)
Thanks for joining us here today. Happy Friday. It is great to have you with us.
The Pentagon is giving its software approval process a serious makeover. Acting CIO Katie Arrington announced a new system called Swift that will use AI to speed up the months or even years it currently takes to certify software for Defense Department networks. Speaking at an industry event, Arrington didn't hold back. She called the old risk management framework and ATO process stupid and archaic and said it's time for a change. Under Swift, software vendors will upload security info and software bills of material into the government's eMASS system. AI tools will review the data automatically, aiming to issue a provisional ATO much faster than a human could. Third-party certification will also be required to make sure everything checks out. Arrington said the official memo launching Swift is being signed now, with industry feedback coming next. Her message was, "I want the RMF eliminated."
A major privacy mess has hit WorkComposer, a popular employee monitoring tool. Cybernews researchers discovered that the company had exposed over 21 million real-time screenshots on the open Internet through an unsecured Amazon S3 bucket. These screenshots captured everything employees were doing: emails, passwords, sensitive communications, even proprietary company data. WorkComposer, which tracks remote workers by logging hours and snapping a screenshot every 20 seconds, boasts over 200,000 users. While there's no evidence yet that hackers accessed the images, the risk for identity theft, scams and wire fraud is huge. This leak highlights a bigger issue. Too many companies still don't grasp the shared responsibility model for cloud security. Experts are again urging businesses to properly lock down their databases or risk joining the growing list of high-profile breaches.
The US is conducting a criminal antitrust investigation into TP-Link, a California-based router maker with Chinese ties. Prosecutors are looking at whether TP-Link used predatory pricing to dominate the US market and whether its growing presence poses national security risks. The probe began under Biden and continues under President Trump. Meanwhile, the Commerce Department is separately investigating TP-Link's China connections. TP-Link denies wrongdoing but says it will cooperate if contacted. No charges have been filed yet and the investigations could take years.
Two major healthcare data breaches are making headlines. Yale New Haven Health is notifying five and a half million people after a March cyber attack on a third-party vendor, Perry Johnson and Associates. Stolen data includes names, medical records and Social Security numbers. Meanwhile, Frederick Health in Maryland reported a breach impacting nearly 1 million patients. Hackers accessed sensitive data like addresses, birth dates and insurance information after infiltrating Frederick Health's network between December 2023 and January 2024. Both breaches highlight the ongoing risk posed by third-party vendors and healthcare systems' reliance on interconnected networks. Officials are urging affected individuals to stay alert for identity theft and fraud.
South Korea's SK Telecom, serving 34 million subscribers, confirmed a cyber attack on April 19 that exposed sensitive SIM card data. The breach, timed late on a Saturday night, bypassed staffing gaps. While no names or financial details leaked, stolen SIM info could enable SIM swap attacks. SK Telecom detected and contained the malware quickly, but admitted millions may be at risk. After some criticism over slow customer notifications, the company apologized and pledged to boost its security moving forward.
A critical zero-day vulnerability is putting over 10,000 SAP applications at risk. The flaw, scored a perfect 10 out of 10 on the CVSS scale, allows unauthenticated attackers to upload malicious binaries through the Visual Composer metadata uploader in SAP NetWeaver. ReliaQuest discovered the bug after investigating breaches where even fully patched systems were compromised. Attackers used malicious JSP web shells to gain full control of endpoints, deploy payloads, and move laterally across networks. Tools like Brute Ratel and Heaven's Gate techniques were spotted during post-exploitation. Experts warn that the vulnerability could lead to espionage, sabotage and fraud across cloud and even on-prem environments. SAP has issued a patch, but concerns remain, given how easily the flaw could be exploited. Organizations are urged to act quickly to secure exposed systems.
AI agents are poised to make online tasks easier, but new research shows the underlying infrastructure could also create serious security risks. Researchers at ExtensionTotal found a suspicious Chrome extension communicating with a local Model Context Protocol server without user permission or detection. MCP, developed by Anthropic, enables AI agents to interact with tools and resources in real time. However, because MCP servers use open HTTP connections by default, a malicious extension could access sensitive data or perform unauthorized actions. Researchers built a proof of concept showing how a Chrome extension could bypass browser sandboxing and manipulate local systems. This discovery exposes a major new attack surface, especially in environments where MCP servers link to services like Slack, WhatsApp, or local file systems. Security teams are being warned to take this emerging threat seriously.
A new attack called Policy Puppetry can break the safety guardrails of all major generative AI models, according to AI security firm HiddenLayer. The technique tricks large language models into interpreting malicious prompts as policy files, bypassing their built-in safeguards against producing harmful content. HiddenLayer successfully tested the attack on top models from OpenAI, Anthropic, Google, Meta, and others. By formatting prompts to look like XML, INI, or JSON files, attackers can override system instructions and generate restricted outputs. This discovery highlights a major AI models can't reliably police themselves. With universal jailbreaking now easier, researchers warn that more external security layers are needed to defend against misuse. Policy Puppetry shows that today's LLM training and alignment methods still have critical gaps.
New research from Panaseer shows US companies paid out $155 million in data breach class action settlements over just six months. Analyzing lawsuits filed between August 2024 and February 2025, researchers found 43 new filings and 73 settlements averaging about $3 million each. Healthcare, finance and retail sectors were hit hardest. Most lawsuits cited inadequate security, while encryption failures and delayed notifications also played roles. Panaseer stresses that strong, demonstrable cybersecurity practices are now critical for legal defense.
Coming up after the break, a preview of the RSAC Innovation Sandbox with Cecilia Marinier and David Chen, and stocking hard drives full of human knowledge, just in case. Stay with us.
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to SpecterOps.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Do you know the status of your compliance controls right now? Right now, we know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
As we are coming up on the RSAC 2025 conference, that means one of my favorite events of the year. It is the Innovation Sandbox Contest. And joining me to discuss that are Cecilia Marinier, Vice President at RSAC, and David Chen, head of Global Technology Investment Banking at Morgan Stanley. Cecilia, Dave, thanks so much for taking the time for us today.
