Targeting schools is not cool. - CyberWire Daily

Summary

CyberWire Daily: "Targeting Schools is Not Cool" - May 8, 2025

Hosted by N2K Networks

Episode Overview

In this episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the latest cybersecurity threats, vulnerabilities, and industry developments. The episode features an in-depth conversation with Caleb Barlow, CEO of Cyberbit, focusing on the persistent cyber skills gap and strategies to bridge it. Additionally, the podcast pays tribute to Joseph Nye, a luminary in international relations and cybersecurity. This summary encapsulates the key discussions, insights, and conclusions presented in the episode.

Key News Highlights

1. Lockbit Ransomware Gang Compromised

Timestamp: [02:02]
Details: The Lockbit ransomware group suffered a significant breach, resulting in the leakage of internal data. Hackers defaced Lockbit's dark web affiliate panels with a message condemning cybercrime: "Don't do crime, Crime is bad. Xoxo from Prague." A MySQL database dump revealed approximately 60,000 unique Bitcoin addresses, detailed ransomware configurations, and over 4,400 chat logs from victim negotiations spanning December 2024 to April 2025. This exposes Lockbit's operational mechanisms and affiliates' strategies in customizing attacks.

2. Emergence of "Lost Keys" Malware

Timestamp: [02:02]
Details: Google researchers have identified a new malware variant named Lost Keys, deployed by the Russian state-backed hacking group Coldriver (also known as Star Blizzard, UNC4057, and Callisto). Previously engaged in phishing, Coldriver now employs Lost Keys to steal files and system data through fake captcha sites that trick users into executing malicious PowerShell code. Targets include diplomats, journalists, and NATO-linked entities.

3. Noodle File Stealer Campaign

Timestamp: [02:02]
Details: Cybercriminals are distributing Noodle File Stealer via deceptive AI tool advertisements on platforms like Facebook. The multi-stage attack begins with users downloading a zip file masquerading as a video editing tool, which installs malware that captures browser credentials, crypto wallets, and can deploy remote access tools such as Xworm. The malware leverages Telegram for data exfiltration and evades detection by operating payloads in memory.

4. Critical Vulnerabilities Patched by SonicWall, Apple, and Cisco

SonicWall:
- Timestamp: [02:02]
- Details: SonicWall urges immediate patching of three critical vulnerabilities in its SMA 100 series devices, one of which is actively exploited. Discovered by Rapid7, these flaws can lead to remote code execution as root across multiple devices. SonicWall recommends enabling MFA, monitoring logs for unauthorized access, and using a Web Application Firewall for enhanced protection.
Apple:
- Timestamp: [02:02]
- Details: Apple has addressed a critical remote code execution flaw in macOS related to improper bounds checking in the SIPs utility. The vulnerability allows attackers to execute arbitrary code via malicious ICC profiles. Users are advised to update to the latest OS versions promptly, despite no active exploits being reported.
Cisco:
- Timestamp: [02:02]
- Details: Cisco released patches for 35 vulnerabilities across various products, including critical flaws in iOS XE wireless LAN controllers and identity services. Notably, a significant vulnerability in iOS XE allows unauthenticated attackers to upload arbitrary files via crafted HTTPS requests, potentially compromising devices entirely. Users should update affected systems immediately as no workarounds exist.

5. Iranian Hackers Target German Modeling Agency

Timestamp: [02:02]
Details: Iranian state-linked hackers, associated with APT 35 Charming Kitten, cloned the website of Hamburg's Mega Model Agency to surveil Iranian dissidents. The counterfeit site features a dormant private album link intended as a phishing lure. Obfuscated JavaScript on the site collects extensive visitor data, aiding in stealthy surveillance and facilitating future targeted cyberattacks.

6. SentinelOne's EDR Bypassed

Timestamp: [02:02]
Details: Researchers at AONS Strozfriedberg uncovered a method called "Bring Your Own Installer" (BYOI) that can bypass SentinelOne's Endpoint Detection and Response (EDR) protections. By exploiting the upgrade process, attackers can momentarily disable defenses, allowing them to deploy ransomware such as Babook. SentinelOne has implemented mitigations, including enforcing local upgrade authorization by default, and other vendors have been privately notified of similar risks.

7. PowerSchool Faces Renewed Extortion

Timestamp: [02:02]
Details: Following a December 2024 breach affecting over 60 million students and 9 million teachers, education technology firm PowerSchool is experiencing renewed extortion attempts. Hackers are targeting individual school districts with stolen data, despite PowerSchool's initial belief that the breach was contained. The company has alerted law enforcement and is actively assisting affected districts.

8. CrowdStrike Implements Workforce Reduction Amid AI Shift

Timestamp: [02:02]
Details: CrowdStrike announced layoffs affecting approximately 500 employees (5% of its workforce) as part of a strategic pivot towards artificial intelligence (AI). CEO George Kurtz highlighted AI's role in streamlining operations and aiming for $10 billion in annual revenue. Despite revenue growth, CrowdStrike reported a $92.3 million quarterly loss. The company anticipates related costs to reach up to $53 million and faces challenges in maintaining employee morale amid the reductions.

In-Depth Interview: Caleb Barlow, CEO of Cyberbit

Topic: The Cyber Skills Gap and Bridging the Experience Divide

Understanding the Skills vs. Experience Gap

Timestamp: [13:18 - 22:33]
Caleb Barlow's Insight:
- Skill vs. Experience: Barlow suggests that the prevalent notion of a "skills gap" may be more accurately described as an "experience gap." He points out that while there are approximately 450,000 unfilled cybersecurity positions in the U.S., many of these roles require hands-on experience with specific commercial tools like Splunk, QRadar, or Google Chronicle. This creates a barrier for new graduates who possess theoretical knowledge but lack practical experience with industry-standard tools.
- Educational Shortcomings: Current cybersecurity education often emphasizes open-source tools and manual testing methods (e.g., Kali Linux for penetration testing) but falls short in providing training on commercial platforms that are in high demand in the industry. Barlow emphasizes the need for educational institutions to integrate practical, commercial tool-based training into their curricula.
- Recruitment Challenges: He highlights the inefficiency and cost of recruiting experienced professionals who may not even possess the claimed expertise. Barlow argues that training internal candidates provides better long-term value, reduces recruitment costs, and enhances employee retention.
- Vendor Support: Barlow advocates for vendors to offer free or low-cost licenses for educational purposes, enabling students to gain hands-on experience with the tools they will encounter in the workforce.

Strategies to Bridge the Gap

Timestamp: [19:28 - 25:53]
Developing Internal Talent:
- Training Programs: Barlow encourages organizations to invest in training programs that upskill existing employees rather than solely focusing on hiring experienced candidates. He likens this approach to sports training, where continuous practice and exposure to challenging scenarios build the necessary reflexes and expertise.
- Curriculum Development: Forward-thinking Chief Information Security Officers (CISOs) are now developing structured training curricula that incorporate the deployment and mastery of new tools. This proactive approach ensures that teams remain adaptable and proficient with evolving technologies.
- Cost Efficiency: By training internal staff, companies can significantly reduce recruitment costs and improve employee satisfaction and retention. Barlow estimates that this method can save organizations substantial resources compared to traditional hiring practices.
- Performance Measurement: Implementing measurable training outcomes allows organizations to assess readiness and performance, ensuring that employees are adequately prepared to handle real-world cyber threats.

Caleb Barlow's Analogies and Recommendations

Sports Training Analogy:
- Timestamp: [23:12 - 25:53]
- Explanation: Barlow draws parallels between cybersecurity training and sports, emphasizing the necessity of regular, rigorous practice against formidable opponents to develop resilience and expertise. Just as athletes improve through continuous competition, cybersecurity professionals must engage in repetitive, challenging exercises to hone their skills and adapt to evolving threats.
Mindset of Aspiring Cybersecurity Professionals:
- Timestamp: [23:37 - 25:53]
- **Barlow discusses the mindset of individuals entering the cybersecurity field, highlighting the importance of dedication, continuous learning, and practical experience over mere credential accumulation. He stresses that real-world application and time spent "in the seat" are critical for developing the reflexive responses needed to counter sophisticated cyber adversaries.

Tribute to Joseph Nye

Timestamp: [26:24]

In a heartfelt acknowledgment, CyberWire Daily honors the late Joseph Nye, who passed away on May 6 at the age of 88. Nye, renowned for coining the term "soft power," made significant contributions to international relations and cybersecurity. His work emphasized the integration of cybersecurity into international policy and the development of norms to govern state behavior in cyberspace. As a founding member of the Global Commission on the Stability of Cyberspace and former dean of Harvard's Kennedy School, Nye's legacy endures through his influence on global diplomacy and the protection of civilian infrastructure from cyber threats.

Concluding Insights

The episode effectively underscores the multifaceted challenges in the cybersecurity landscape, from emerging threats and vulnerabilities to the ongoing struggle to cultivate a skilled workforce. Caleb Barlow's insights into the experience gap shed light on actionable strategies to bridge the divide between education and industry requirements, advocating for a paradigm shift towards hands-on, practical training. As cyber threats continue to evolve, the emphasis on continuous learning and adaptive training becomes paramount in safeguarding digital infrastructure and maintaining global cyber stability.

For more detailed information on today's stories, visit CyberWire Daily Briefing. Share your feedback to help us deliver the insights that keep you ahead in the ever-changing world of cybersecurity.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire network, powered by N2K. And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire the lockbit ransomware gang has been hacked. Google researchers identify a new info stealer called Lost Keys. Sonicwall is urging customers to patch three critical device vulnerabilities. Apple patches a critical remote code execution flaw and Cisco patches 35 vulnerabilities across multiple products. Iranian hackers clone a German modeling agency's website to spy on Iranian dissidents. Researchers bypass Sentinel One's EDR protection. Education tech firm Power School faces renewed extortion. CrowdStrike leans into AI amidst layoffs Our guest is Kayla Barlow, CEO of Cyberbit, discussing the mixed messages of the cyber skills gap and honoring the legacy of Joseph Nye.

Caleb Barlow (2:02)

Foreign.

Dave Bittner (2:08)

It's Thursday, May 8, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. The Lockbit ransomware gang has been hacked, leading to a major leak of its internal data. Yesterday, Lockbit's Dark web affiliate panels were defaced with a message stating don't do crime, Crime is bad. Xoxo from Prague and including a link to download a MySQL database dump. The leaked database contains 20 tables including nearly 60,000 unique Bitcoin addresses, detailed ransomware build configurations and over 4,400 chat logs from victim negotiations between December 2024 and April of this year. This breach exposes the inner workings of Lockbit's ransomware as a service operation, revealing how affiliates customized attacks and communicated with victims. The incident follows previous law enforcement actions against Lockbit, including infrastructure seizures and arrests, further destabilizing the group. Google researchers have identified a new malware called Lost Keys used by the Russian state backed hacking group Cold river, also known as Star Blizzard, UNC4057 and Callisto. This group, known for phishing, now uses Lost Keys to steal files and system data via a fake captcha site that tricks victims into running malicious PowerShell code. Cold river active since 2022 targets diplomats, journalists and NATO linked groups. Lost keys like earlier malware, Spica is used in selective espionage operations tied to Russian intelligence services. Elsewhere, scammers are spreading a new malware called Noodle File Stealer using fake AI tools and Facebook ads. The campaign targets users with a multi stage attack that begins on phony AI websites offering free image or video generation. Victims download a zip file disguised as a video editing tool, which installs malware that steals browser credentials, crypto wallets and can deploy remote access tools like Xworm. The malware uses Telegram for data exfiltration and evades detection by running payloads in memory. SonicWall is urging customers to patch three critical vulnerabilities in its SMA 100 series devices, one of which is being actively exploited. Discovered by Rapid7, the flaws can be chained to allow remote code execution as root multiple devices are affected. Patches are available in recent firmware versions. SonicWall advises enabling MFA checking logs for unauthorized access and using the Web Application Firewall for added protection. A critical remote execution flaw in macOS allows attackers to run arbitrary code if a user opens a malicious ICC profile found by Trend Micro's Zero Day Initiative. The bug stems from improper bounds checking in macOS's SIPs utility. Apple has patched it in recent OS versions. No active exploitation has been seen, but users should update immediately due to the risk and technical details now being public. Cisco has released patches addressing 35 vulnerabilities across multiple products, including critical flaws in iOS XE wireless LAN controllers and identity services. Engine 1 significant vulnerability in iOS XE wireless controllers allows unauthenticated attackers to upload arbitrary files via crafted HTTPs requests, potentially leading to full device compromise. In ise, two critical vulnerabilities enable remote attackers with read only access to execute arbitrary commands and alter configurations due to insecure deserialization and improper input validation. Additionally, Cisco addressed high severity SNMP flaws in iOS, iOS XE and iOS XR that could cause denial of service conditions. Users are strongly advised to update affected systems promptly, as no workarounds are available for these vulnerabilities. Iranian State Linked hackers tied to APT 35 charming kitten cloned a German modeling agency's website to spy on Iranian dissidents. The fake site discovered this month mimics Hamburg's Mega Model Agency and features a fake model profile with a dormant private Album link, likely a fishing lure. Obfuscated JavaScript collects detailed visitor data including browser and device fingerprints, IP addresses, and plugin info. The data is sent to a disguised analytics endpoint aiding in stealthy surveillance and future targeted cyberattacks. Researchers at AONS Strozfriedberg discovered a technique called Bring your own installer that can bypass SentinelOne's EDR protection. By exploiting the upgrade downgrade process of the SentinelOne agent, attackers can briefly disable its defenses, leaving endpoints exposed. One threat actor used this method to gain admin access and Deploy Babook ransomware. SentinelOne responded with mitigations, including enabling local upgrade authorization by default. While no current EDRs are confirmed vulnerable when properly configured, other vendors were privately notified of the risk. Despite paying a ransom After a December 2024 breach, education tech firm PowerSchool now faces renewed extortion as the hacker targets individual school districts with stolen data. The breach affected over 60 million students and 9 million teachers. PowerSchool had believed the incident was contained after the hacker shared a deletion video. However, recent threats prove otherwise. At least four school boards have been contacted and the reused data matches that from the initial attack. PowerSchool has alerted law enforcement and is assisting affected districts. CrowdStrike is laying off about 500 employees 5% of its workforce, in a move aimed at boosting efficiency. CEO George Kurtz framed the decision around the growing role of AI, which he says will streamline operations and fuel growth toward $10 billion in annual revenue. While the company highlights AI as a force multiplier, its own regulatory filings caution about AI risks, including potential errors and legal liabilities. Despite increasing revenue, CrowdStrike posted a $92.3 million loss in its latest quarter. The layoffs are a harsh blow to affected employees and the company acknowledged the pain caused layoff. Related costs are expected to total up to $53 million. CrowdStrike joins other tech firms turning to automation while cutting staff amid economic uncertainty Coming up after the break, my conversation with Kayla Barlow from Cyberbit on the mixed messages of the cyber skills gap and honoring the legacy of Joseph Nye. Traditional pen testing is resource intensive, slow and expensive, providing only a point in time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost 24's continuous pen testing as a service solution offers year round protection with recurring manual penetration testing conducted by Crest certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy just Use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first and it works. Sponsored Jobs on indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus we with Sponsored Jobs. There are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been Talking to you, 23 hires were made on Indeed According to Indeed Data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed and listeners to this show will get a $75 sponsored job credit. To get your jobs more visibility@indeed.com cyberwire just go to indeed.com cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com cyberwire terms and conditions apply. Hiring Indeed is all you need. It is always my pleasure to welcome back to the show Caleb Barlow. He is the CEO at Cyberbit. Caleb, welcome back.