Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K. And now a brief message from our sponsor, DropZone AI. Is your SOC drowning in alerts, with legitimate threats sitting in queues for hours or even days? The latest SANS SOC survey report reveals alert fatigue and limited automation are SOC teams' greatest barriers. DropZone AI, recognized by Gartner as a Cool Vendor, directly addresses these challenges through autonomous recursive reasoning investigations, quickly eliminating false positives, enriching context and enabling analysts to prioritize real incidents faster. Take control of your alerts and investigations with DropZone AI. An Apache Tomcat vulnerability is under active exploitation. CISA rehires workers ousted by DOGE. Lawmakers look to protect rural water systems from cyber threats. Western Alliance Bank notifies 22,000 individuals of a data breach. A new cyber attack method called BitM allows hackers to bypass multi-factor authentication. A Chinese cyber espionage group targets Central European diplomats. A new cyber attack uses ChatGPT infrastructure to target the financial sector and US government agencies. Australia sues a major securities firm over inadequate protection of customer data. Our Threat Vector segment examines how unifying security capabilities strengthens cyber resilience, and cybercriminals say, get me Edward Snowden on the line.
Dave Bittner (2:10)
March 18, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us once again here. It is great to have you with us. A critical remote code execution vulnerability in Apache Tomcat is being actively exploited. The flaw, disclosed on March 10, allows attackers to gain control of servers via a simple PUT request. Exploits appeared on GitHub just 30 hours after disclosure. Attackers upload Base64-encoded payloads via a PUT request, then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect this due to encoded payloads and multi-step execution. Apache urges immediate updates. Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage. The Cybersecurity and Infrastructure Security Agency is rehiring roughly 130 probationary employees ousted under President Donald Trump's workforce purge, but is immediately placing them on administrative leave. The move follows a ruling by U.S. District Judge James Bredar, which the White House vowed to fight. Trump criticized the decision, calling it dangerous, while experts warn the mass firings threaten national security. CISA faces internal confusion over the ruling and is trying to contact impacted employees. The agency has also defunded cybersecurity hubs and defended workforce cuts as eliminating duplication. Critics, including former NSA official Rob Joyce, say these actions weaken US cybersecurity. The White House and key agencies have not responded to requests for comment. Elsewhere in Washington, lawmakers have reintroduced the Cybersecurity for Rural Water Systems Act of 2025, a bipartisan bill aimed at protecting rural water systems from cyber threats.
Sponsored by Representatives Don Davis, a Democrat from North Carolina, and Zachary Nunn, a Republican from Iowa, and Senators Catherine Cortez Masto, a Democrat from Nevada, and Mike Rounds, a Republican from South Dakota, the bill expands the circuit rider program to include cybersecurity assistance for small water utilities serving populations under 10,000. The bill funds cybersecurity specialists known as circuit riders, who will train rural utilities, assist in cyber defense planning and improve threat response. Only 20% of US water systems currently have cyber protections, making this legislation critical. Though initially introduced in 2023, it failed to pass but is now gaining renewed support this year. Western Alliance Bank is notifying 22,000 individuals of a data breach involving a third-party file transfer tool exploited in October 2024. The breach exposed names, Social Security numbers, birth dates and financial details. The Clop extortion group exploited Cleo file transfer vulnerabilities, impacting dozens of organizations. Western Alliance confirmed the breach after stolen data appeared online in January of this year. Despite the incident, the bank says it won't affect its financial condition. Affected individuals receive one year of identity protection. A new cyber attack method called Browser-in-the-Middle, or BitM, allows hackers to bypass multi-factor authentication and steal user sessions in seconds. This technique hijacks authenticated browser sessions, making it a major threat to organizations relying on traditional security measures. BitM attacks proxy victims through an attacker-controlled browser mimicking legitimate sites. Users unknowingly enter credentials and complete MFA challenges, allowing attackers to steal session tokens. Tools like Evilginx2 and Delusion enable real-time session hijacking and scalable phishing campaigns.
Experts say hardware-based authentication, things like FIDO2 security keys, are one of the best defenses because they tie authentication to a physical device. No device, no access. Behavioral monitoring and client certificates help too. And of course, good old-fashioned security awareness training can go a long way. A Chinese cyber espionage group, MirrorFace, also known as Earth Kasha, has expanded beyond East Asia, targeting a Central European diplomatic institute in August of last year. Researchers from ESET found the group used ANEL, or UPPERCUT, a backdoor previously linked to APT10, suggesting tool sharing among Chinese threat actors. The attack began with a spear phishing campaign referencing Expo 2025 in Japan. Once victims engaged, they received a malicious Word document deploying ANEL and HiddenFace for persistence. The hackers wiped logs, used AsyncRAT in Windows Sandbox and abused Visual Studio Code's remote tunnels to evade detection. They also exfiltrated Chrome credentials, potentially compromising diplomatic communications. The attack highlights China's evolving cyber tactics and collaboration between state-sponsored groups. According to the latest research from Veriti, a new cyber attack campaign is actively exploiting a server-side request forgery vulnerability affecting OpenAI's ChatGPT infrastructure, but OpenAI itself has not been breached. In just one week, over 10,000 attack attempts were recorded from a single malicious IP, with the US seeing the highest concentration, followed by Germany and Thailand. 35% of organizations are vulnerable due to misconfigured security tools like IPS, web application firewalls and firewalls. The financial sector and US government agencies are prime targets as attackers exploit AI-driven services to access internal resources and sensitive data.
Veriti urges security teams to review firewall settings, monitor attack logs and reassess AI-related security risks, emphasizing that even medium-severity vulnerabilities can become major attack vectors. Australia's financial regulator is suing FIIG Securities over cybersecurity failures that led to a 2023 data breach affecting 18,000 customers. The Australian Securities and Investments Commission says FIIG lacked basic security controls for four years, failing to update firewalls, patch software or train employees, allowing threat actors to steal 385 gigabytes of sensitive data. FIIG, which manages $2.88 billion in funds, was unaware of the breach until Australia's cybersecurity centre alerted them. It took six days to respond. The Australian regulators allege FIIG violated the Corporations Act, which mandates financial firms maintain adequate risk management. This case follows a 2022 lawsuit against RI Advice for similar cybersecurity lapses. Australian regulators warn that cyber risk management is a top priority, with tighter regulatory actions coming for financial firms failing to protect customer data. Coming up after the break, our Threat Vector segment examines how unifying security capabilities strengthens cyber resilience, and cybercriminals say, get me Edward Snowden on the line. Stay with us. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 Sponsored Job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com. It's time for our Threat Vector segment. David Moulton sits down with Forrester Senior Analyst Carlos Rivera to explore the concept of platformization: how unifying security capabilities strengthens cyber resilience. Hi, I'm David Moulton, host.
