Dave Bittner
You're listening to the CyberWire Network, powered by N2K.

Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.

A critical vulnerability in SUSE Manager allows attackers to run commands with root privileges. A joint CISA and US Coast Guard threat hunt at a critical infrastructure site reveals serious cybersecurity issues. Health care providers across the US report recent data breaches. Cybercriminals infiltrate a bank by physically planting a Raspberry Pi on a network switch. Russian state-backed hackers target Moscow diplomats to deploy ApolloShadow malware. Luxembourg investigates a major telecom outage tied to Huawei equipment. China's cyberspace regulator summons Nvidia over alleged security risks linked to its H20 AI chips. A new report examines early indicators of system compromise. Today our guest is Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence, with their analysis of Scattered Spider. And Pwn2Own puts a million-dollar bounty on WhatsApp zero-clicks.

It's Friday, August 1, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. Happy Friday. I don't know how the rest of you feel, but it seems impossible to me that we are already in August.

A critical vulnerability in SUSE Manager allows attackers to run commands with root privileges without authentication through an exposed WebSocket endpoint on port 443. This flaw, found during a customer security audit, affects multiple SUSE Manager versions, including recent container and cloud deployments. Attackers only need network access to exploit it.
A proof of concept confirmed the risk using a simple HTML page. Immediate action is needed: block port 443 or isolate vulnerable systems from untrusted networks until fully patched, then patch using the updates SUSE has released. Organizations should enforce strict network controls to limit exposure.

A joint CISA and US Coast Guard threat hunt at a critical infrastructure site revealed serious cybersecurity issues, though no active threat actors were found. Key risks included shared admin accounts with plaintext passwords, weak IT/OT segmentation, and insufficient logging. Misconfigured systems allowed IT users direct access to SCADA networks, raising concerns about potential real-world safety impacts. Admin credentials were stored in scripts and reused across many devices, increasing the risk of lateral movement and persistence by attackers. Inadequate network controls and missing bastion hosts further weakened defenses. CISA urges critical infrastructure operators to fix misconfigurations, enforce unique credentials, use MFA, segment IT and OT environments, and adopt bastion hosts and VPNs. The advisory stresses urgency in addressing these gaps to prevent potential cyber-physical impacts.

Additionally, yesterday CISA issued two high-severity ICS advisories warning of major vulnerabilities in Güralp seismic devices and Rockwell Automation systems using VMware. The Güralp flaw allows unauthenticated remote access via Telnet, risking manipulation of seismic monitoring equipment. Rockwell systems face four critical VMware-related bugs enabling code execution and full system compromise. No exploitation has been reported, but CISA urges immediate isolation of affected systems, network segmentation, and patching.

Several healthcare providers across the US have reported recent hacking-related data breaches. Mid Florida Primary Care disclosed a breach affecting sensitive patient data accessed between November and December 2024.
Northwest Denture Center in Washington confirmed the exposure of protected health information for over 12,000 individuals in May of this year. Equilibria Mental Health Services in Massachusetts was hit by a phishing attack compromising up to 2,000 individuals. The National Data Bank for Rheumatic Diseases reported unauthorized access in March affecting personal and medical data. Meanwhile, INC Ransom claims to have targeted the West Virginia Primary Care Association, allegedly stealing 296 gigabytes of data. However, WVPCA has not confirmed any breach. Impacted organizations are offering credit monitoring and enhancing security protocols in response to these incidents.

Cybercriminal group UNC2891 infiltrated an Indonesian bank in early 2024 by physically planting a Raspberry Pi on a network switch linked to an ATM, Group-IB reports. Equipped with a 4G modem, the device allowed remote access to the bank's internal systems. The attackers used a backdoor called TinyShell, disguised as a Linux display manager, to evade detection and maintain persistent access via the bank's mail server. Though they successfully stole cash, the attack was mitigated days later. Forensics teams struggled due to the group's advanced obfuscation tactics, including the use of Linux bind mounts, now documented as MITRE ATT&CK technique T1564.013. While the attackers aimed to deploy the CAKETAP rootkit for further withdrawals, defenders ultimately blocked their goal. The incident highlights the need for advanced memory and network forensics beyond standard response measures.

Russian state-backed hackers from the APT group Secret Blizzard, also known as Turla and Krypton, are targeting diplomatic personnel in Moscow using adversary-in-the-middle attacks to deploy custom malware called ApolloShadow, Microsoft reports.
The group, active since 2006 and linked to Russia's FSB, uses access at the ISP level via domestic surveillance systems like SORM to intercept traffic and deliver malware. Victims are redirected through a fake captive portal where ApolloShadow installs a fake Kaspersky certificate to gain system control. The malware modifies system settings, installs root certificates via certutil, and creates a persistent admin account. Microsoft warns that diplomats using Russian ISPs are likely targets and urges use of VPNs, least-privilege policies, and script blocking to reduce risk. This is the first confirmed case of ISP-level adversary-in-the-middle malware deployment inside Russia.

Luxembourg is investigating a major telecom outage on July 23rd caused by a cyberattack that disrupted 4G and 5G services for over three hours. The attack, reportedly targeting Huawei equipment, also disrupted emergency calls, Internet access, and banking services. Officials believe it was a deliberate, sophisticated denial-of-service attack exploiting a software flaw in POST Luxembourg's infrastructure. A full forensic probe is underway. The incident has prompted a review of national resilience and may lead to regulatory changes for network redundancy during outages.

China's cyberspace regulator has summoned Nvidia over alleged security risks linked to its H20 AI chips sold in China. The Cyberspace Administration of China requested explanations and supporting evidence, citing national laws on data and network security. This follows growing concerns about US-made AI chips containing tracking and remote shutdown features. US lawmakers, including Senator Tom Cotton, have proposed laws to require such features for exported chips. The Cyberspace Administration of China claims Nvidia's chips may already include this technology, prompting further scrutiny.
A new report from GreyNoise reveals that attackers often begin exploiting vulnerabilities in edge devices up to six weeks before they're publicly disclosed or assigned a CVE. In 80% of cases, pre-disclosure activity like scanning, brute forcing, and zero-day exploit attempts spikes before the CVE is announced. This trend is especially common for eight major vendors: Cisco, Citrix, Fortinet, Ivanti, Juniper, MikroTik, Palo Alto Networks, and SonicWall. GreyNoise identified 216 such pre-disclosure spikes, urging defenders to treat them as early warnings. Security teams should enhance monitoring during these spikes, harden systems, and block malicious IPs to prevent compromise. These early indicators provide a window for proactive defense, especially against nation-state actors like the Typhoons targeting enterprise edge devices for surveillance and long-term access.

Coming up after the break, Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence, joins us with their analysis of Scattered Spider. And Pwn2Own puts a million-dollar bounty on WhatsApp zero-clicks.

Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust processes, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC: just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A.com/cyber.

Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Ryan Whelan is Managing Director and Global Head of Accenture Cyber Intelligence. I recently sat down with him to discuss their analysis of Scattered Spider.
Ryan Whelan
So Scattered Spider we would describe as a threat group that is primarily financially motivated, although that's one of the complicating factors because this group is also made up of a number of very young individuals who have exhibited some new and evolving motives, which makes them a little bit less predictable. But they've been extremely active recently, and we'll talk a little bit more about that. And they employ some very advanced social engineering techniques in order to conduct pretty advanced compromises of some of the most advanced security organizations and firms in the world.
Dave Bittner
Well, let's dig into the research here. I mean, what are some of the key points you'd like to share?
Ryan Whelan
So obviously Scattered Spider has been getting a lot of coverage recently, and we've seen, you know, there's been a lot of discussion of their use of living-off-the-land techniques. Right. Less use of things like novel exploits and things like that, which make them even more hard to detect. But what we've been tracking has been some of the things that have become more confounding for, I think, cyber defenders recently. And that is, given the fact that some of the members are very young, in addition to some of the more predictable things that they've done around cybercriminal activity, deploying ransomware, looking to sell data that they've compromised and things like that, they've also taken kind of revenge tactics. They've taken tactics to pursue notoriety, where in the middle of a response, they'll engage media organizations. They'll weaponize media to try to prove defenders wrong, or to try to prove wrong the statements of companies as they look to rebuild their reputation and trust with customers. And so, you know, they've demonstrated tactics that have made them much harder to confront for security researchers.
Dave Bittner
Is there anything in particular to take away from the fact that we seem to be dealing with a group of comparatively young people?
Ryan Whelan
So I think there's a couple of things. One is, you know, on the predictability side, right. What we see is the fact that the approaches that they're taking are impacting organizations in non-traditional kind of security domains. Right. They're using these social engineering techniques to target help desks, right, to impersonate IT workers or other sorts of help workers to convince individuals within the organization that they should hand over their passwords or they should help circumvent multi-factor authentication. Right. Some of our traditional security controls. And so I think the number one takeaway for us is that security extends kind of beyond the SOC. Right. We are putting out a number of detections, and traditional detections that can be used. But one of the most important things here, I think, for organizations to think about is how do they spread and build a culture of awareness, a culture of resilience, to the folks who might be manning their help desks or to segments of their workforce that might be targeted in incidents like this, like developers and folks like that.
Dave Bittner
Do we have any sense for who these folks are, where they hail from?
Ryan Whelan
We do. And what's interesting about this actually is this is one of the few groups where we actually have a pretty robust number of members that originate from Western organizations. Right. So we've had members arrested across the UK in various law enforcement actions, in the United States and elsewhere. And what makes that difficult, I think, from a defensive perspective, is that, you know, these aren't like the Nigerian princes trying to convince us to hand over our information. They're native English speakers. Right. And they're folks who understand some of the cultural dynamics of how we communicate and how we engage. And so it lets them be very adaptive as they engage kind of their targets, their victims. And that just makes it harder to detect as they target organizations and harder for us to understand. Which again means that we need to invest more in how we're preparing ourselves and testing ourselves to be ready for these kinds of adversaries.
Dave Bittner
Well, as you mentioned, one of this group's specialties is social engineering. Are there any particular red flags that folks on the help desks should be tuned into?
Ryan Whelan
Most organizations are not going to call you up on the phone and ask you to hand over individual credentials. They're not going to call you up on the phone and ask you to provide a code for a multi-factor scenario. They're not going to call you on the phone and ask you to do that. One of the first things you should do, obviously, in that situation is hang up and contact your own organization's, you know, security operations center, or follow your organization's protocols in order to get around that. I think that's defensive line number one, right? Don't just automatically hand over those sorts of information.
Dave Bittner
So, Ryan, I mean, there have been some arrests here, and I think it's fair to say one in particular is probably a little unusual.
Ryan Whelan
It is, it is, Dave. And you know, I think the one you're talking about is there is a Scattered Spider member that was arrested who turned out to be female. And what's notable about that is, you know, the vast majority of members that are rolled up in actions like this are male. You know, like, well over 90% are male. And so when we think about that in the context of social engineering, it creates a more believable story. Right. We think about these actors as being male. And so if we get a phone call from a female, we may automatically be less inclined to question it or to think about it, especially, as we already kind of discussed, if there's somebody who's a native English speaker who sounds trustworthy. Right. Who's got this information that they've been able to pull from previous data leaks and really build a believable narrative. And so it just goes to show an added layer of complexity and sophistication that we are seeing from this actor.
Dave Bittner
Yeah. Beware of your own preconceived notions, I guess.
Ryan Whelan
Absolutely. Absolutely.
Dave Bittner
Ryan, before I let you go, my understanding is that you are heading off to the Black Hat conference here soon. Is that so?
Ryan Whelan
That is true. I'm excited to be there next week.
Dave Bittner
What is it that you get out of this particular conference? Why is it worth your time to attend?
Ryan Whelan
I'm always excited to go. I think, Dave, RSA is kind of like the business conference for me, whereas Black Hat and then DEFCON are kind of more of the practitioner conference. And so I think, you know, what we get to dig into there is more of some of the emerging tactics and techniques that we're seeing adversaries use and then creative ways that we're seeing defenders get ready to confront those tactics and techniques.
Dave Bittner
Well, good luck and safe travels, and thanks for checking in with us. That's Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence.

Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight.

Bad actors don't break in. They log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS, and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.

And finally, the Zero Day Initiative is dangling a cool $1 million carrot in front of hackers who can crack WhatsApp with a zero-click exploit at this year's Pwn2Own Ireland contest. That's right: no taps, no swipes, no "oops, I shouldn't have clicked that." Just code execution on a platform used by over 3 billion people. The challenge runs October 21st through the 24th in Cork, and Meta is all in as co-sponsor and enthusiastic target. After last year's WhatsApp category saw zero takers, ZDI seems to think seven figures might change some minds. Contestants can also go after everything from smart glasses and smartphones to surveillance gear and printers, because who doesn't want to hack a pair of Ray-Bans? There are bonus points and prizes for breaking in via USB on a locked phone. As always, vendors get 90 days to patch up before the Zero Day Initiative spills the beans.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out.

Be sure to check out this weekend's Research Saturday and my conversation with Eric Woodruff, Chief Identity Architect at Semperis. We're discussing "nOAuth abuse alert: full account takeover of Entra cross-tenant SaaS applications." That's Research Saturday. Check it out.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Crogl is AI built for the enterprise SOC, fully private, schema-free, and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L.com.
Podcast Summary: CyberWire Daily - "SUSE Flaw Found Hiding in Plain Port"
Podcast Information: CyberWire Daily, Friday, August 1, 2025, hosted by Dave Bittner. Guest: Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence.
A significant security flaw has been identified in SUSE Manager, a popular system management tool. This vulnerability allows attackers to execute commands with root privileges without authentication by exploiting an exposed WebSocket endpoint on port 443.
Impact: Attackers need only network access to the exposed endpoint; the flaw affects multiple SUSE Manager versions, including recent container and cloud deployments, and a proof of concept using a simple HTML page confirmed the risk.
Recommendations: Block port 443 or isolate vulnerable systems from untrusted networks until patched, apply the updates SUSE has released, and enforce strict network controls to limit exposure.
Dave Bittner emphasized the urgency, stating, “Immediate action is needed. Block Port 443 or isolate vulnerable systems from untrusted networks, then patch using the updates SUSE has released until fully patched” [05:15].
A joint cybersecurity threat hunt conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard at a critical infrastructure site uncovered several severe cybersecurity issues, though no active threat actors were detected.
Key Risks Identified: Shared admin accounts with plaintext passwords; weak IT/OT segmentation and misconfigurations that gave IT users direct access to SCADA networks; admin credentials stored in scripts and reused across many devices, easing lateral movement and persistence; insufficient logging; inadequate network controls and no bastion hosts.
CISA’s Urgent Recommendations: Fix misconfigurations, enforce unique credentials, use MFA, segment IT and OT environments, and adopt bastion hosts and VPNs to head off cyber-physical impacts.
Dave highlighted the advisory, noting, “CISA urges critical infrastructure operators to fix misconfigurations, enforce unique credentials, use MFA, segment IT and OT environments, and adopt bastion hosts and VPNs” [07:45].
Additionally, CISA released two high-severity Industrial Control Systems (ICS) advisories addressing major vulnerabilities in Güralp seismic devices and Rockwell Automation systems utilizing VMware. These vulnerabilities allow unauthenticated remote access via Telnet and code execution, respectively; no exploitation has been reported, but CISA urges immediate isolation of affected systems, network segmentation, and patching.
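The credential finding from the threat hunt (admin passwords hard-coded in scripts and reused across many devices) is something an operator can check for directly. As an added example, not code from the CISA/USCG advisory or from the podcast, the Python below scans scripts collected from several hosts for quoted credential literals and reports any value that recurs across hosts. The host names, file paths and script contents are constructed for the example, and the regular expression covers only a handful of common assignment forms, so treat it as a starting point rather than a complete detector.

```python
"""Find plaintext credentials embedded in scripts and flag reuse across hosts.

Added example (not from the CISA/USCG advisory). Assumes scripts have been
collected per host into a {host: {path: contents}} mapping; the sample
scripts below are constructed. Only a few assignment patterns are matched.
"""
import re
from collections import defaultdict

# Constructed sample: one admin password appears in scripts on three hosts,
# a second secret ($token) is unique to one host, and jump-01 reads its
# password from a secrets file and the environment, which must NOT match.
SAMPLE_SCRIPTS = {
    "hmi-01": {"/opt/tools/backup.sh": 'USER=admin\nPASSWORD="Plc!2019"\nscp db.bak $USER@10.0.5.2:/bak\n'},
    "hmi-02": {"/opt/tools/backup.sh": 'USER=admin\nPASSWORD="Plc!2019"\n'},
    "eng-ws-7": {"C:\\scripts\\push.ps1": '$pass = "Plc!2019"\n$token = "Hist0rian#9"\nnet use \\\\plc-gw\\c$ $pass /user:admin\n'},
    "jump-01": {"/home/ops/sync.sh": 'PASSWORD="$(cat /run/secrets/db)"\nexport API_TOKEN=${API_TOKEN}\n'},
}

# Matches forms like  password = "..."  $pass = '...'  PASSWD: "..."  with a
# quoted literal of at least 4 characters. A value containing $ (shell or
# PowerShell expansion) is skipped because it is not a literal secret.
CRED_RE = re.compile(
    r"""(?ix)
    \$?\b(?:pass(?:word|wd)?|pwd|secret|token|api_key)\b\s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"'$\n]{4,})(?P=quote)
    """
)

def extract_credentials(text):
    """Return (line_number, value) for every quoted credential literal."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            found.append((n, m.group("value")))
    return found

def credential_reuse(scripts):
    """Map each literal credential to the set of hosts whose scripts carry it."""
    hosts_by_secret = defaultdict(set)
    for host, files in scripts.items():
        for _path, text in files.items():
            for _, value in extract_credentials(text):
                hosts_by_secret[value].add(host)
    return dict(hosts_by_secret)

def reused_secrets(scripts, min_hosts=2):
    """Secrets present on at least `min_hosts` hosts, most widely shared first."""
    reuse = credential_reuse(scripts)
    return sorted(((s, sorted(h)) for s, h in reuse.items() if len(h) >= min_hosts),
                  key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for secret, hosts in reused_secrets(SAMPLE_SCRIPTS):
        # Print only a prefix so the report itself does not leak the secret.
        print(f"shared credential {secret[:3]}... on {len(hosts)} hosts: {', '.join(hosts)}")
```

A hit on a single host is already a finding (the credential should move to a secrets store); a hit on several hosts is the lateral-movement risk the advisory describes, and every one of those hosts needs the credential rotated, not just the one where it was first seen.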
Several healthcare providers across the United States have reported data breaches compromising sensitive patient information: Mid Florida Primary Care (patient data accessed between November and December 2024); Northwest Denture Center in Washington (protected health information of over 12,000 individuals, confirmed in May 2025); Equilibria Mental Health Services in Massachusetts (a phishing attack affecting up to 2,000 individuals); and the National Data Bank for Rheumatic Diseases (unauthorized access in March affecting personal and medical data). INC Ransom also claims to have stolen 296 gigabytes of data from the West Virginia Primary Care Association, which has not confirmed any breach.
Response Measures: Impacted organizations are offering credit monitoring and enhancing security protocols.
Cybercriminal group UNC2891 successfully infiltrated an Indonesian bank in early 2024 by physically installing a Raspberry Pi on a network switch connected to an ATM, Group-IB reports.
Attack Details: The device carried a 4G modem that gave the attackers remote access to the bank's internal systems; they used the TinyShell backdoor, disguised as a Linux display manager, to evade detection and kept persistent access through the bank's mail server.
Challenges in Mitigation: Forensic teams struggled with the group's obfuscation, including Linux bind mounts, now documented as MITRE ATT&CK technique T1564.013.
Outcome: The attack was mitigated within days, and defenders blocked the planned deployment of the CAKETAP rootkit for further withdrawals.
Dave noted, “The incident highlights the need for advanced memory and network forensics beyond standard response measures” [09:30].
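The bind-mount technique referenced above (T1564.013) hides a process by mounting something else over its /proc/<pid> directory, so ps, top and anything else that enumerates /proc sees a decoy instead of the real entry. As an added example, not Group-IB's tooling or anything from the podcast, the Python below parses /proc/self/mountinfo and flags every mount whose mount point sits on a /proc/<pid> path, where nothing is legitimately mounted. The mountinfo content is constructed for the example and models two hidden PIDs: one covered by a bind mount of /proc/1, one covered by an empty tmpfs.

```python
"""Detect mounts layered over /proc/<pid> directories (T1564.013 hiding).

Added example, not Group-IB's code. Parses /proc/self/mountinfo; the
sample content below is constructed. Pass nothing to scan() to read the
live file on a Linux host.
"""
import re
from dataclasses import dataclass

# Constructed /proc/self/mountinfo. The first five lines are ordinary
# mounts. The last two model PID 4242 hidden behind a bind mount of /proc/1
# and PID 5150 hidden behind an empty tmpfs.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
57 28 8:1 /var/lib/docker /var/lib/docker rw,relatime shared:1 - ext4 /dev/sda1 rw
61 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
62 22 0:45 / /proc/5150 rw,relatime shared:33 - tmpfs tmpfs rw
"""

# A mount point on, or beneath, a numeric /proc/<pid> directory.
PID_DIR = re.compile(r"^/proc/(\d+)(?:/|$)")

@dataclass(frozen=True)
class Mount:
    mount_id: int
    root: str         # path inside the filesystem that is mounted here
    mount_point: str
    fstype: str
    source: str

def unescape(field):
    # mountinfo escapes space, tab, newline and backslash as octal (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Parse mountinfo lines: id parent maj:min root mountpoint opts [optional...] - fstype source superopts"""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mount_id=int(pre_fields[0]),
            root=unescape(pre_fields[3]),
            mount_point=unescape(pre_fields[4]),
            fstype=post_fields[0],
            source=post_fields[1],
        ))
    return mounts

def find_hidden_pids(mounts):
    """Return {pid: Mount} for every mount sitting on a /proc/<pid> path."""
    hidden = {}
    for m in mounts:
        match = PID_DIR.match(m.mount_point)
        if match:
            hidden[int(match.group(1))] = m
    return hidden

def describe(mount):
    # A proc mount whose root is not "/" is a bind of another /proc subtree.
    if mount.fstype == "proc" and mount.root != "/":
        return f"bind mount of /proc{mount.root} over {mount.mount_point}"
    return f"{mount.fstype} ({mount.source}) mounted over {mount.mount_point}"

def scan(text=None):
    if text is None:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    return find_hidden_pids(parse_mountinfo(text))

if __name__ == "__main__":
    for pid, m in sorted(scan(SAMPLE_MOUNTINFO).items()):
        print(f"PID {pid} hidden: {describe(m)}")
```

Two caveats a responder should keep in mind: mountinfo is per mount namespace, so a process hidden inside another namespace (a container, or a namespace the attacker created) will not appear in the scanner's own view, and a kernel-level rootkit can filter the mountinfo entry itself. That is why the passage calls for memory and network forensics beyond the standard host-level checks.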
The APT group Secret Blizzard (also known as Turla and Krypton), backed by the Russian state, is actively targeting Moscow diplomats to deploy custom malware named Apollo Shadow.
Modus Operandi: The group, active since 2006 and linked to Russia's FSB, uses ISP-level access via domestic surveillance systems such as SORM to intercept traffic; victims are redirected to a fake captive portal where ApolloShadow installs a fake Kaspersky certificate to gain control of the system.
Impact: The malware modifies system settings, installs root certificates via certutil, and creates a persistent admin account.
Microsoft’s Advisory: Diplomats using Russian ISPs are likely targets; Microsoft urges VPNs, least-privilege policies, and script blocking to reduce risk.
Dave noted, “This is the first confirmed case of ISP-level adversary in the middle malware deployment inside Russia” [11:20].
On July 23rd, Luxembourg experienced a major telecom outage lasting over three hours, disrupting 4G and 5G services, emergency calls, internet access, and banking services.
Suspected Cause: A deliberate, sophisticated denial-of-service attack exploiting a software flaw in POST Luxembourg's infrastructure, reportedly targeting Huawei equipment.
Consequences: A review of national resilience and possible regulatory changes requiring network redundancy during outages.
Current Status: A full forensic probe is underway.
China's Cyberspace Administration has summoned Nvidia over alleged security risks associated with its H20 AI chips sold in China.
Concerns Raised: Growing concern that US-made AI chips contain tracking and remote shutdown features; the regulator claims Nvidia's chips may already include such technology.
Regulatory Actions: The Cyberspace Administration of China requested explanations and supporting evidence, citing national laws on data and network security.
Context: US lawmakers, including Senator Tom Cotton, have proposed legislation that would require such features for exported chips.
GreyNoise released a report revealing that attackers often exploit vulnerabilities in edge devices up to six weeks before public disclosure or assignment of a Common Vulnerabilities and Exposures (CVE) identifier.
Findings: In 80% of cases, pre-disclosure scanning, brute forcing, and zero-day exploit attempts spiked before the CVE was announced; GreyNoise identified 216 such spikes, concentrated on eight vendors: Cisco, Citrix, Fortinet, Ivanti, Juniper, MikroTik, Palo Alto Networks, and SonicWall.
Recommendations: Treat these spikes as early warnings; enhance monitoring while they last, harden exposed systems, and block the malicious IPs involved.
Dave summarized, “These early indicators provide a window for proactive defense, especially against nation-state actors like Typhoons targeting enterprise edge devices for surveillance and long-term access” [13:10].
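GreyNoise's own method for identifying the 216 spikes is not described on this page. As an added example of the kind of early-warning check the report recommends, and not GreyNoise's code, the Python below takes a daily count of distinct sources probing each product class (from honeypots, perimeter logs or a GreyNoise query) and flags a day as a spike when it exceeds the trailing median by several median absolute deviations, using only earlier days as the baseline so a spike cannot inflate its own threshold. The product names, counts, window and multiplier are constructed assumptions.

```python
"""Flag pre-disclosure activity spikes against edge-device targets.

Added example, not GreyNoise's code or method. Input is a per-product list
of daily distinct-source counts; sample data is constructed.
"""
from statistics import median

# Constructed: 21 days of unique-source counts for two product classes.
# "vpn-appliance" is quiet, then spikes on days 16-18 (0-based) and settles.
# "core-router" is noisy day to day but never spikes.
SAMPLE_COUNTS = {
    "vpn-appliance": [12, 14, 11, 13, 12, 15, 13, 12, 14, 11, 13, 12, 14, 13, 12, 15, 61, 88, 74, 20, 14],
    "core-router":   [40, 55, 38, 62, 45, 58, 41, 60, 47, 52, 39, 57, 44, 61, 48, 50, 42, 59, 46, 53, 44],
}

def baseline(history, window=14):
    """Median and median absolute deviation (MAD) of the trailing window.
    Both are robust to a few earlier spike days, unlike mean/stddev."""
    recent = history[-window:]
    med = median(recent)
    mad = median(abs(x - med) for x in recent)
    return med, mad

def is_spike(history, today, window=14, k=6.0, floor=1.0):
    """True when today's count exceeds median + k*MAD of the trailing window.
    `floor` keeps a perfectly flat baseline (MAD 0) from alerting on +1."""
    if len(history) < window:
        return False  # not enough baseline yet
    med, mad = baseline(history, window)
    return today > med + k * max(mad, floor)

def detect_spikes(counts, window=14, k=6.0):
    """Return {product: [day_index, ...]} of spike days, walking each series
    day by day so only earlier days feed the baseline."""
    spikes = {}
    for product, series in counts.items():
        days = [i for i in range(len(series))
                if is_spike(series[:i], series[i], window, k)]
        if days:
            spikes[product] = days
    return spikes

if __name__ == "__main__":
    for product, days in detect_spikes(SAMPLE_COUNTS).items():
        print(f"{product}: spike on day(s) {days} -> raise monitoring, "
              f"review exposure, consider blocking the sources")
```

Counting distinct sources rather than raw hits matters: a single noisy scanner produces many hits but one source, whereas the pre-disclosure pattern the report describes is many sources converging on one product. The k multiplier trades false positives for lead time and should be tuned per product class against a few months of your own data.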
Guest: Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence
Discussion Highlights:
Overview of Scattered Spider: A primarily financially motivated group whose very young membership has shown new and evolving motives, making it less predictable than a typical cybercriminal crew.
“Scattered Spider employs some very advanced social engineering techniques in order to conduct pretty advanced compromises of some of the most advanced security organizations and firms in the world.” – Ryan Whelan [14:34]
Tactics and Techniques: Living-off-the-land techniques rather than novel exploits; social engineering of help desks, impersonating IT workers to obtain passwords or to get MFA circumvented; alongside ransomware and data theft for sale, revenge tactics and the weaponizing of media organizations in the middle of a response to pursue notoriety and discredit victims' public statements.
“There's been a lot of discussion of their use of living off the land techniques... less use of things like novel exploits and things like that which make them even more hard to detect.” – Ryan Whelan [15:20]
“Most organizations are not going to call you up on the phone and ask you to hand over individual credentials... One of the first things you should do... is hang up and contact your own organization’s security operations center.” – Ryan Whelan [19:16]
Demographics and Adaptability: Unusually, many members originate from the West, with arrests in the UK, the United States and elsewhere; they are native English speakers who understand the cultural dynamics of how targets communicate, and one arrested member was female, which undercuts the assumption that such callers are male.
“They're native English speakers... And that just makes it harder to detect as they target organizations.” – Ryan Whelan [18:08]
Organizational Preparedness: Security extends beyond the SOC; organizations should build a culture of awareness and resilience among help desk staff and other targeted segments such as developers, and anyone asked by phone for credentials or an MFA code should hang up and contact the SOC or follow the organization's protocols.
“Security extends beyond the SoC... build a culture of awareness and resilience to the folks who might be manning their help desks.” – Ryan Whelan [16:53]
Upcoming Engagements: Whelan is attending Black Hat the following week; he describes RSA as the business conference and Black Hat and DEF CON as the practitioner conferences, where emerging adversary tactics and defenders' responses get discussed.
“Black Hat and DEFCON are more of the practitioner conference... emerging tactics and techniques we're seeing adversaries use.” – Ryan Whelan [21:18]
Key Takeaways from the Interview: Scattered Spider's social engineering targets people and processes outside traditional security controls, so help desk protocols and workforce awareness matter as much as technical detections; Western, native-English-speaking members and unexpected caller profiles make impersonation harder to spot; and the group's revenge and media tactics mean organizations should invest in preparing and testing themselves against this kind of adversary.
This episode of CyberWire Daily delves into a spectrum of pressing cybersecurity issues, from critical vulnerabilities in widely-used management tools to sophisticated attacks on essential infrastructure and diplomatic entities. The interview with Ryan Whelan provides valuable insights into the evolving tactics of threat groups like Scattered Spider, underscoring the importance of advanced social engineering defenses and organizational resilience. As cyber threats continue to grow in complexity and sophistication, staying informed and proactive remains paramount for safeguarding digital and physical assets.