CyberWire Daily: "Targeting Schools is Not Cool" - May 8, 2025
Hosted by N2K Networks
Episode Overview
In this episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the latest cybersecurity threats, vulnerabilities, and industry developments. The episode features an in-depth conversation with Caleb Barlow, CEO of Cyberbit, focusing on the persistent cyber skills gap and strategies to bridge it. Additionally, the podcast pays tribute to Joseph Nye, a luminary in international relations and cybersecurity. This summary encapsulates the key discussions, insights, and conclusions presented in the episode.
Key News Highlights
1. LockBit Ransomware Gang Compromised
- Timestamp: [02:02]
- Details: The LockBit ransomware group suffered a significant breach that leaked its internal data. Hackers defaced LockBit's dark web affiliate panels with a message condemning cybercrime: "Don't do crime, Crime is bad. Xoxo from Prague." A MySQL database dump revealed approximately 60,000 unique Bitcoin addresses, detailed ransomware build configurations, and over 4,400 chat logs from victim negotiations spanning December 2024 to April 2025. The leak exposes LockBit's operational mechanics and the ways affiliates customize their attacks.
2. Emergence of "Lost Keys" Malware
- Timestamp: [02:02]
- Details: Google researchers have identified a new malware family named Lost Keys, deployed by the Russian state-backed hacking group COLDRIVER (also tracked as Star Blizzard, UNC4057, and Callisto). Previously known for credential phishing, COLDRIVER now uses Lost Keys to steal files and system information; delivery relies on fake CAPTCHA pages that trick users into running malicious PowerShell code. Targets include diplomats, journalists, and NATO-linked entities.
3. Noodlophile Stealer Campaign
- Timestamp: [02:02]
- Details: Cybercriminals are distributing the Noodlophile Stealer through deceptive advertisements for AI tools on platforms such as Facebook. The multi-stage attack begins when a user downloads a ZIP archive posing as a video editing tool; the installer then drops malware that harvests browser credentials and cryptocurrency wallets and can deploy remote access tools such as XWorm. The malware uses Telegram for data exfiltration and evades detection by running its payloads in memory.
4. Critical Vulnerabilities Patched by SonicWall, Apple, and Cisco
- SonicWall:
  - Timestamp: [02:02]
  - Details: SonicWall urges immediate patching of three critical vulnerabilities in its SMA 100 series devices, one of which is being actively exploited. Discovered by Rapid7, the flaws can lead to remote code execution as root on affected devices. SonicWall recommends enabling MFA, monitoring logs for unauthorized access, and placing a Web Application Firewall in front of the appliances for additional protection.
- Apple:
  - Timestamp: [02:02]
  - Details: Apple has addressed a critical remote code execution flaw in macOS caused by improper bounds checking in the sips utility. The vulnerability allows an attacker to execute arbitrary code by way of a malicious ICC profile. Although no active exploitation has been reported, users are advised to update to the latest OS versions promptly.
- Cisco:
  - Timestamp: [02:02]
  - Details: Cisco released patches for 35 vulnerabilities across its product line, including critical flaws in IOS XE wireless LAN controllers and its identity services products. Most notably, a vulnerability in IOS XE allows an unauthenticated attacker to upload arbitrary files via crafted HTTPS requests, potentially leading to full device compromise. No workarounds exist, so affected systems should be updated immediately.
5. Iranian Hackers Target German Modeling Agency
- Timestamp: [02:02]
- Details: Iranian state-linked hackers associated with APT35 (Charming Kitten) cloned the website of Hamburg's Mega Model Agency to surveil Iranian dissidents. The counterfeit site features a dormant "private album" link intended as a phishing lure. Obfuscated JavaScript on the site collects extensive visitor data, supporting stealthy surveillance and laying the groundwork for future targeted attacks.
6. SentinelOne's EDR Bypassed
- Timestamp: [02:02]
- Details: Researchers at Aon's Stroz Friedberg uncovered a technique called "Bring Your Own Installer" (BYOI) that can bypass SentinelOne's Endpoint Detection and Response (EDR) protections. By abusing the agent upgrade process, attackers can momentarily disable defenses and then deploy ransomware such as Babuk. SentinelOne has implemented mitigations, including enforcing local upgrade authorization by default, and other vendors have been privately notified of similar risks.
7. PowerSchool Faces Renewed Extortion
- Timestamp: [02:02]
- Details: Following a December 2024 breach affecting over 60 million students and 9 million teachers, education technology firm PowerSchool is facing renewed extortion attempts. Hackers are now approaching individual school districts with the stolen data, despite PowerSchool's initial belief that the breach had been contained. The company has alerted law enforcement and is actively assisting the affected districts.
8. CrowdStrike Implements Workforce Reduction Amid AI Shift
- Timestamp: [02:02]
- Details: CrowdStrike announced layoffs affecting approximately 500 employees (5% of its workforce) as part of a strategic pivot towards artificial intelligence (AI). CEO George Kurtz highlighted AI's role in streamlining operations and aiming for $10 billion in annual revenue. Despite revenue growth, CrowdStrike reported a $92.3 million quarterly loss. The company anticipates related costs to reach up to $53 million and faces challenges in maintaining employee morale amid the reductions.
In-Depth Interview: Caleb Barlow, CEO of Cyberbit
Topic: The Cyber Skills Gap and Bridging the Experience Divide
Understanding the Skills vs. Experience Gap
- Timestamp: [13:18 - 22:33]
- Caleb Barlow's Insight:
  - Skill vs. Experience: Barlow suggests that the prevalent notion of a "skills gap" is more accurately described as an "experience gap." He points out that while there are approximately 450,000 unfilled cybersecurity positions in the U.S., many of these roles require hands-on experience with specific commercial tools such as Splunk, QRadar, or Google Chronicle. This creates a barrier for new graduates who possess theoretical knowledge but lack practical experience with industry-standard tools.
  - Educational Shortcomings: Current cybersecurity education often emphasizes open-source tools and manual testing methods (e.g., Kali Linux for penetration testing) but falls short in providing training on the commercial platforms that are in high demand in industry. Barlow emphasizes the need for educational institutions to integrate practical, commercial tool-based training into their curricula.
  - Recruitment Challenges: He highlights the inefficiency and cost of recruiting experienced professionals who may not even possess the expertise they claim. Barlow argues that training internal candidates provides better long-term value, reduces recruitment costs, and enhances employee retention.
  - Vendor Support: Barlow advocates for vendors to offer free or low-cost licenses for educational purposes, enabling students to gain hands-on experience with the tools they will encounter in the workforce.
Strategies to Bridge the Gap
- Timestamp: [19:28 - 25:53]
- Developing Internal Talent:
  - Training Programs: Barlow encourages organizations to invest in training programs that upskill existing employees rather than focusing solely on hiring experienced candidates. He likens this approach to sports training, where continuous practice and exposure to challenging scenarios build the necessary reflexes and expertise.
  - Curriculum Development: Forward-thinking Chief Information Security Officers (CISOs) are now developing structured training curricula that incorporate the deployment and mastery of new tools. This proactive approach ensures that teams remain adaptable and proficient with evolving technologies.
  - Cost Efficiency: By training internal staff, companies can significantly reduce recruitment costs and improve employee satisfaction and retention. Barlow estimates that this method can save organizations substantial resources compared to traditional hiring practices.
  - Performance Measurement: Implementing measurable training outcomes allows organizations to assess readiness and performance, ensuring that employees are adequately prepared to handle real-world cyber threats.
Caleb Barlow's Analogies and Recommendations
- Sports Training Analogy:
  - Timestamp: [23:12 - 25:53]
  - Explanation: Barlow draws parallels between cybersecurity training and sports, emphasizing the necessity of regular, rigorous practice against formidable opponents to develop resilience and expertise. Just as athletes improve through continuous competition, cybersecurity professionals must engage in repetitive, challenging exercises to hone their skills and adapt to evolving threats.
- Mindset of Aspiring Cybersecurity Professionals:
  - Timestamp: [23:37 - 25:53]
  - Explanation: Barlow discusses the mindset of individuals entering the cybersecurity field, highlighting the importance of dedication, continuous learning, and practical experience over mere credential accumulation. He stresses that real-world application and time spent "in the seat" are critical for developing the reflexive responses needed to counter sophisticated cyber adversaries.
Tribute to Joseph Nye
Timestamp: [26:24]
In a heartfelt acknowledgment, CyberWire Daily honors the late Joseph Nye, who passed away on May 6 at the age of 88. Nye, renowned for coining the term "soft power," made significant contributions to international relations and cybersecurity. His work emphasized the integration of cybersecurity into international policy and the development of norms to govern state behavior in cyberspace. As a founding member of the Global Commission on the Stability of Cyberspace and former dean of Harvard's Kennedy School, Nye's legacy endures through his influence on global diplomacy and the protection of civilian infrastructure from cyber threats.
Concluding Insights
The episode effectively underscores the multifaceted challenges in the cybersecurity landscape, from emerging threats and vulnerabilities to the ongoing struggle to cultivate a skilled workforce. Caleb Barlow's insights into the experience gap shed light on actionable strategies to bridge the divide between education and industry requirements, advocating for a paradigm shift towards hands-on, practical training. As cyber threats continue to evolve, the emphasis on continuous learning and adaptive training becomes paramount in safeguarding digital infrastructure and maintaining global cyber stability.
For more detailed information on today's stories, visit CyberWire Daily Briefing. Share your feedback to help us deliver the insights that keep you ahead in the ever-changing world of cybersecurity.
