CyberWire Daily: "States Struggle with Cyber Shift" – April 23, 2025
Introduction
In the April 23, 2025 episode of CyberWire Daily, hosted by N2K Networks, the focus centers on the shifting landscape of cybersecurity responsibilities in the United States. As the federal government delegates more cybersecurity duties to state and local authorities, numerous challenges have surfaced. This episode delves into the implications of this shift, recent high-profile cyber incidents, and insights from Deputy Assistant Director Cynthia Kaiser of the FBI's Cyber Division regarding the latest IC3 report.
Key News Highlights
1. Federal to State Shift in Cybersecurity Responsibilities
President Trump's recent executive order has reallocated cybersecurity responsibilities from federal agencies to state and local governments. This transition poses significant challenges:
- State Preparedness: A 2023 National Cybersecurity Review revealed that only 22 out of 48 participating states met the recommended security standards.
- Funding Cuts: Reduction in federal funding has severely impacted resources available to states, including the cybersecurity grant program and essential cybersecurity agencies.
- Increased Threats: States are now more vulnerable to cyber threats like ransomware attacks and foreign interference while contending with limited IT expertise and budget constraints.
- Recent Attacks: Incidents in Rhode Island, Virginia, and Massachusetts underscore the vulnerabilities within state systems.
Expert Opinion: "Expecting states to manage cybersecurity independently without adequate support is unrealistic and could compromise national security."
2. Ransomware Attack on Baltimore City Public Schools
On February 13th, Baltimore City Public Schools fell victim to a ransomware attack attributed to the Cloak Gang. Key details include:
- Data Compromised: Approximately 25,000 individuals were affected, including staff, volunteers, and over 1,100 students. Exposed data encompassed Social Security numbers, student records, and employment documents.
- Response: The school district confirmed that no ransom was paid. Investigation efforts are ongoing, and affected parties received notification letters on April 22, accompanied by two years of free credit monitoring and access to a support call center.
3. Russian Cyber Sabotage of Dutch Critical Infrastructure
The Dutch Military Intelligence and Security Service (MIVD) reported that Russian state-backed hackers targeted critical infrastructure in the Netherlands throughout 2023 and 2024. Highlights include:
- Nature of Attacks: These attempts aimed at cyber sabotage of Dutch control systems, marking the first known such incidents in the country.
- Strategic Importance: The Netherlands hosts Europe's largest port in Rotterdam and key NATO logistics hubs, making it a strategic target.
- Dutch Response: Increased investments in military and cybersecurity measures, intelligence sharing with Ukraine, and urgent calls for Europe to counter sophisticated Russian cyber threats.
4. Microsoft Resolves Remote Desktop Protocol (RDP) Issues
Microsoft addressed multiple RDP issues affecting Windows Server 2025 and Windows 11:
- Bugs Fixed:
  - Freezing of RDP sessions, resolved in February's Windows 11 update and April's Windows Server update.
  - Blue screen errors on servers with over 256 logical processors.
  - Other issues included login problems with Windows Hello and domain controller failures.
- Action Taken: Implemented known issue rollbacks to reverse bugs causing RDP disconnections and other malfunctions.
5. New Cryptojacking Malware Targets Docker Environments
A sophisticated malware campaign is exploiting Docker environments to hijack computing resources for cryptojacking:
- Attack Vector: Deployment of a Docker image containing a deeply obfuscated Python script requiring 63 decode loops to activate the final payload.
- Tactics: Instead of direct cryptocurrency mining, the malware simulates node activity on a Web3 platform to earn private tokens, avoiding traditional mining alarms.
- Recommendations:
  - Secure Docker setups with strong authentication.
  - Avoid unnecessary exposure of Docker environments to the internet.
  - Rigorously vet Docker images before deployment.
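A small audit script for the three recommendations above, added here as an example (not code from the episode or from Docker): it flags a daemon whose API is bound to every interface or accepts clients without certificate authentication, and checks that an image reference is pinned to a digest so the vetted image is the one deployed. The daemon.json keys `hosts`, `tls` and `tlsverify` are real dockerd options; the two sample configurations are constructed.

```python
"""Audit a Docker daemon configuration for the exposure and authentication
weaknesses that Docker-targeting cryptojacking campaigns rely on.
Added example; the sample configurations are constructed, not taken from any
real deployment."""
import json
from urllib.parse import urlsplit

# Bind addresses that expose the API on every interface, internet included.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for a parsed daemon.json; an empty list means clean."""
    findings = []
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        bind = parts.hostname or ""
        if bind in WILDCARD_BINDS:
            findings.append(f"{host}: API bound to all interfaces")
        if not config.get("tlsverify", False):
            # Without tlsverify, anyone who can reach the port can start
            # containers, which is exactly how a malicious image gets deployed.
            findings.append(f"{host}: no client-certificate authentication")
    return findings


def image_is_pinned(reference: str) -> bool:
    """True when an image reference carries a sha256 content digest, so the
    image that was vetted is byte-for-byte the image that will run."""
    if "@sha256:" not in reference:
        return False
    digest = reference.rsplit(":", 1)[1]
    return len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)


# Constructed sample daemon.json contents: weak exposure vs. hardened.
WEAK = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true, "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or ["ok"])
    print(image_is_pinned("example.test/app:latest"))
```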
6. Phishing Campaign Using Weaponized Word Documents
A new phishing strategy employs malicious Word documents to steal Windows login credentials:
- Mechanism:
  - Emails contain attachments exploiting a known vulnerability in Microsoft Equation Editor.
  - The attachment embeds an obfuscated RTF file and DLL, triggering buffer overflows and deploying a FormBook malware variant via process hollowing.
  - The payload, disguised as a PNG file, decrypts into a fileless executable that collects credentials, keystrokes, and screenshots.
- Protective Measures:
  - Update systems to patch the exploited vulnerability.
  - Stay vigilant against phishing attempts with suspicious attachments.
7. Zyxel Networks Patches Critical Vulnerabilities
Zyxel Networks released urgent patches for two high-severity vulnerabilities affecting USG Flex H series firewalls:
- Vulnerabilities:
  - Privilege Escalation: Allows low-privileged users to gain admin access via PostgreSQL command injections.
  - Malicious Config Uploads: Enables admins to upload harmful configurations to gain further system control.
- Action Required: Immediate implementation of the latest firmware updates to mitigate these security flaws.
8. CISA Issues Advisories on ICS System Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) released five advisories highlighting critical vulnerabilities in Industrial Control Systems (ICS) from manufacturers like Siemens, Schneider Electric, and ABB:
- Key Vulnerabilities:
  - Siemens Telecontrol Server: Multiple high-severity SQL injection flaws.
  - Schneider Electric's Wiser Home Controller: Remote credential exposure flaw.
  - ABB MV Drives: Codesys vulnerabilities enabling memory-based attacks.
  - Schneider's Modicon M580 PLCs: Buffer size flaw causing denial of service.
- Recommendations:
  - Apply all relevant patches promptly.
  - Implement network segmentation and continuous monitoring to protect critical infrastructure.
In-Depth Interview: Deputy Assistant Director Cynthia Kaiser, FBI Cyber Division
Overview of the IC3 Report
Dave Bittner welcomes Deputy Assistant Director Cynthia Kaiser to discuss the latest Internet Crime Complaint Center (IC3) report, marking its 25th year of operation.
- Mission of IC3: Established in 2000, IC3 serves as the primary platform for the public to report cyber-enabled crimes and fraud, assisting law enforcement in disseminating information on scams and cyber threats.
- Growth of IC3: Since inception, IC3 has received over 9 million complaints, with recent years seeing an average of 2,000 complaints per day.
Ransomware Trends and FBI Initiatives
- 2024 Statistics:
  - Total Complaints: 859,532 with losses exceeding $16.6 billion, a 33% increase from the previous year.
  - Ransomware Variants: Identification of 67 new ransomware strains targeting American networks.
  - Top Affected Sectors: Critical manufacturing, healthcare, and public health.
- FBI Efforts:
  - Deployment of decryptors to victims, preventing over $800 million in ransom payments since mid-2022.
  - Collaboration with law enforcement partners to dismantle major ransomware groups like LockBit and ALPHV.
  - Emphasis on public reporting to aid in the distribution of decryptors and connect disparate incidents for broader investigations.
"There's an increase in effort by the ransomware actors to maximize their income, probably because some of their traditional methods aren't working." – Cynthia Kaiser [16:55]
Impact on Critical Infrastructure
- Complaint Data: Over 4,800 complaints from organizations within critical infrastructure sectors, primarily reporting ransomware and data breaches.
- Top Targeted Sectors:
  - Critical Manufacturing: Impacts industries such as automotive, aviation, and electronics.
  - Healthcare and Public Health: Threats to hospitals can have life-threatening consequences, including forced shutdowns and compromised patient care.
"Targeting healthcare facilities can actually become a threat to life matter with consequences that include hospitals being forced to be shut down or negative effects against patients." – Cynthia Kaiser [20:10]
Reporting Mechanisms and Data Usage
- Complaint Processing: Each complaint is meticulously reviewed by dedicated individuals who triage, provide additional information, and link related cases before escalating to field offices for further investigation.
- Data Distribution: Reports are analyzed to identify patterns and larger threats, enabling the FBI to build comprehensive cases against cybercriminals targeting U.S. citizens.
- Public Reporting Benefits: Encourages timely reporting by the public, which is crucial for the FBI's ability to issue decryptors and prevent ransom payments.
"These reports are all read, they're all reviewed, and they're all looked at for a way for us to be able to enrich them and build out a case from them so that we can provide American citizens the justice they deserve." – Cynthia Kaiser [24:34]
Focus on Cryptocurrency and Elder Fraud
- New Report Inclusion: For the first time, the IC3 report dedicates an entire section to cryptocurrency fraud and elder fraud.
- Elder Fraud: Criminals increasingly target individuals over 60, exploiting their vulnerabilities to defraud them of significant sums.
- Cryptocurrency Fraud: Leveraging the anonymity and decentralized nature of cryptocurrencies to execute sophisticated scams.
"Cryptocurrency fraud and elder fraud...criminals are going after the people who are over 60 in a huge amount, really trying to trick our family members out of millions, billions of dollars." – Cynthia Kaiser [22:30]
Conclusion
The April 23, 2025 episode of CyberWire Daily underscores the complexities and growing challenges in the cybersecurity landscape, particularly as responsibilities shift to less-prepared state and local governments. With escalating threats from ransomware, state-backed cyber sabotage, and sophisticated malware campaigns, the need for robust, well-funded cybersecurity measures has never been more critical. Insights from Cynthia Kaiser highlight the proactive efforts of the FBI in combating cybercrime and the importance of public reporting in these endeavors.
Notable Quotes
- Cynthia Kaiser [19:57]: "The more reports we have that can pull them all together, the more we can investigate, and then the more we can warn others."
- Cynthia Kaiser [24:55]: "These reports are all read, they're all reviewed, and they're all looked at for a way for us to be able to enrich them and build out a case from them so that we can provide American citizens the justice they deserve."
For more detailed insights and the full episode transcript, visit CyberWire Daily.
