Transcript
Dave Bittner (0:02)
You're listening to the Cyberwire network, powered by N2K.
Jason Baker (0:12)
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com N2K and enter code N2K at checkout. That's JoinDeleteMe.com N2K, code N2K.

Salt Typhoon is still at it. Russian cyber actor Seashell Blizzard expands its reach. The EFF sues DOGE to protect federal workers' data. House Republicans pursue a comprehensive data privacy bill. Fortinet patches a critical vulnerability. Google views cybercrime as a national security threat. Palo Alto Networks issues 10 new security advisories. Symantec suspects a Chinese APT side hustle. Our guest, Jason Baker, principal security consultant at GuidePoint Security, joins us to share an update on the state of ransomware. A massive IoT data breach exposes 2.7 billion records. And here come the AI agents.

February 13, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great to have you with us.

Salt Typhoon, the Chinese hacker group, has continued breaching global telecom networks despite exposure last fall. Cybersecurity firm Recorded Future reports that between December and January, the group hacked five telecoms and ISPs and over a dozen universities across multiple countries, including the U.S. The hackers exploited vulnerabilities in Cisco's IOS software, targeting routers and switches to gain full control of network infrastructure. Even after U.S. government warnings, media reports and Treasury sanctions, Salt Typhoon remains highly active. They're using compromised Cisco devices to establish covert communication channels and exfiltrate data. The hackers have expanded beyond telecoms, targeting universities in the U.S., Argentina, Indonesia, and more. Experts warn that China's cyber espionage is more aggressive than widely recognized. Despite government efforts, the attacks persist, prompting officials to urge Americans to use encrypted messaging apps. Recorded Future believes the scale of Salt Typhoon's operations is likely even larger than currently detected.

Microsoft has reported that Russian cyber actor Seashell Blizzard has enlisted a special initial access subgroup to enhance its ability to compromise high-value global targets. This long-running operation has expanded the group's reach, securing persistent access to critical sectors like energy, telecom, shipping, arms, manufacturing and government networks. Initially focused on Ukraine and Eastern Europe, Seashell Blizzard has now extended operations to the US, UK, Canada and Australia. The subgroup exploits published vulnerabilities in remote access software, including ConnectWise ScreenConnect and Fortinet FortiClient. Using scanning tools and exploit kits, they breach network perimeters, then deploy RMM software, web shells and malicious modifications to maintain long-term access. These techniques align with Russia's strategic cyber objectives. Microsoft warns the group will continue innovating scalable attack methods to support Russia's geopolitical agenda.

The Electronic Frontier Foundation is leading a lawsuit against Elon Musk's Department of Government Efficiency to block its access to millions of U.S. government workers' data, alongside federal employee unions. The EFF filed the lawsuit on February 11 against DOGE and the Office of Personnel Management, arguing that DOGE's access violates the Privacy Act of 1974. DOGE, created in January to cut federal spending, allegedly gained unauthorized access to OPM's vast employee database, which includes PII, financial, health and classified information. The plaintiffs demand DOGE be blocked from further access and delete any collected data. The EFF warns that misuse of this data could lead to privacy violations, cyber threats and political abuse. This follows a federal ruling limiting DOGE's access to Treasury data.

Meanwhile, Elon Musk and allies are accusing journalists of doxxing after reports identified employees in his government efficiency program. DOGE critics argue Musk is misusing the term to silence legitimate reporting on public officials. The EFF and legal experts stress that government employees are not protected from public scrutiny under the First Amendment. Interim U.S. Attorney Ed Martin hinted at criminal charges against reporters, though no federal anti-doxxing law exists. Wired and the Wall Street Journal reported on DOGE hires, including an official with a history of racist posts. In response, Musk attacked reporters online while supporters targeted them with harassment. Experts say the backlash exposes hypocrisy, as Musk and Trump allies have previously doxxed federal employees. Free speech groups are demanding clarification on legal threats against the press.

House Republicans have launched a working group to draft a comprehensive data privacy bill, led by Representative John Joyce. The group, composed of nine Republicans and no Democrats, aims to create legislation that can pass Congress following years of failed efforts due to disagreements over consumer protections. With 13 states enacting their own privacy laws, Republicans argue that a national standard is necessary to protect Americans' rights and maintain the U.S.'s leadership in digital tech, including AI. Industry groups have pushed for a federal law that preempts stricter state regulations.

Fortinet has patched a critical vulnerability in its FortiOS Security Fabric, which could allow attackers to escalate privileges to Super Admin, affecting multiple FortiOS versions. The flaw stems from improper privilege assignment, making it possible for a compromised upstream FortiGate device to grant an attacker full system control. This could lead to widespread breaches and data theft. Fortinet urges immediate updates, releasing patches for affected versions. The issue was internally discovered by Fortinet's Justin Loom.

Google's latest cybersecurity report warns that cybercrime has become a national security threat, increasingly exploited by state-backed groups like those from Russia, China, Iran and North Korea. The report, released ahead of the Munich Security Conference, reveals that while financially motivated attacks outnumbered state-sponsored ones, the two are now deeply intertwined. Governments leverage cybercriminals for tools, talent and even full-scale operations. Ransomware gangs have shifted focus to Ukraine, and Chinese and Iranian espionage groups supplement their activities with cybercrime. North Korea is notorious for cryptocurrency theft and covert IT worker schemes. Despite growing threats, cybercrime gets less attention than state-backed hacking. Google stresses international cooperation is needed to combat it. Healthcare is especially vulnerable, with ransomware attacks worsening patient outcomes and data leaks in the sector doubling in three years.

Palo Alto Networks has issued 10 new security advisories, including a high-severity vulnerability in PAN-OS that allows unauthenticated attackers to bypass authentication via the firewall's management interface. While it doesn't enable remote code execution, it could impact system integrity and confidentiality. Patches and mitigations are available, with risk reduced by restricting access to trusted IPs. Another high-severity flaw involves command injection but requires admin privileges. Additional advisories address Cortex XDR Agent and PAN-OS vulnerabilities, none of which have been exploited in the wild.

A ransomware attack using tools typically linked to Chinese cyber espionage groups was likely carried out by an individual hacker, according to Symantec. The attack leveraged a Toshiba executable to sideload a malicious DLL, deploying a PlugX backdoor previously used only by Mustang Panda, a Chinese APT group. From July 2024 through January of this year, PlugX was used in espionage attacks targeting governments in southeastern Europe and Southeast Asia. However, in November of 2024, the same toolset was used in an extortion attack against a South Asian software firm. The attacker exploited a Palo Alto Networks firewall vulnerability for access, stole Amazon S3 credentials, and deployed RA World ransomware. Symantec suggests the attacker was an insider monetizing espionage tools, though they may have ties to Bronze Starlight, also known as Emperor Dragonfly, a China-based APT known for using ransomware as a decoy.

A massive IoT data breach exposed 2.7 billion records containing Wi-Fi passwords, IP addresses and device identifiers linked to Mars Hydro, a China-based grow light manufacturer, and LG LED Solutions Ltd., a California-registered firm. Discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, the 1.17 terabyte unprotected database was publicly accessible without encryption or authentication. It contains plaintext Wi-Fi SSIDs and passwords, device MAC addresses, API tokens and error logs. The data appears tied to Mars Hydro's Mars Pro app, which controls IoT grow lights, despite its privacy policy claiming no user data collection. Fowler alerted LG LED and Mars Hydro, leading to rapid restriction of access, but it remains unclear how long the data was exposed or if it was accessed maliciously.

Coming up after the break, Jason Baker from GuidePoint Security joins us to share an update on the state of ransomware, and here come the AI agents. Stick around.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000 off.

Jason Baker is principal security consultant at GuidePoint Security. I caught up with him for an update on the state of ransomware.
