CyberWire Daily Summary: "Tomcat Got Your Server?" – March 18, 2025
Hosted by N2K Networks
1. Active Exploitation of Apache Tomcat Vulnerability
A critical remote code execution (RCE) vulnerability in Apache Tomcat, disclosed on March 10, 2025, is currently under active exploitation. This flaw allows attackers to gain server control through a straightforward PUT request. Notably, exploit code surfaced on GitHub merely 30 hours post-disclosure. The attack vector involves uploading Base64-encoded payloads via a PUT request, followed by triggering execution with a GET request using a jsessionid cookie.
Key Insights:
- Detection Challenges: The encoded payloads and multi-step execution complicate detection by conventional security tools.
- Immediate Actions Recommended:
- Update Apache Tomcat: Apache strongly advises applying immediate updates to mitigate the vulnerability.
- Disable Partial PUT Support: Organizations should disable partial PUT support to prevent exploitation.
- Restrict Sensitive File Storage: Limiting the storage of sensitive files can reduce potential attack surfaces.
Notable Quote:
"Attackers upload Base64 encoded payloads via a PUT request, then trigger execution with a GET request using a jsessionid cookie." – Dave Bittner [00:XX]
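A defender's way to surface this two-step pattern in access logs, as an added example that is not from the podcast or from Apache: correlate any PUT with a GET from the same client that carries a JSESSIONID cookie shortly afterwards, and note whether the PUT carried a Content-Range header (the mark of a partial PUT). The log layout, the sample lines and the five-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (not real traffic). Assumed layout: Tomcat's AccessLogValve
# configured with the pattern  %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"  so the two
# request headers the rule needs appear as the last two quoted fields. Adjust LINE_RE to
# whatever pattern your servers actually log.
SAMPLE_LOG = """\
203.0.113.5 [18/Mar/2025:10:00:01 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 "bytes 0-1023/1024" "-"
203.0.113.5 [18/Mar/2025:10:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=notes"
198.51.100.7 [18/Mar/2025:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=7F3A1C"
198.51.100.7 [18/Mar/2025:10:20:00 +0000] "PUT /docs/other.txt HTTP/1.1" 201 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
WINDOW = timedelta(minutes=5)   # how far apart the PUT and the GET may be


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "partial_put": m["method"] == "PUT" and m["range"] != "-",
            "has_jsessionid": "jsessionid=" in m["cookie"].lower(),
        })
    return events


def find_put_then_session_get(events, window=WINDOW):
    """Flag a PUT followed, from the same client within `window`, by a GET carrying a
    JSESSIONID cookie. Any PUT counts (rejected ones included); a partial PUT is noted."""
    findings = []
    recent_puts = {}          # client ip -> PUTs seen so far, in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "PUT":
            recent_puts.setdefault(ev["ip"], []).append(ev)
        elif ev["method"] == "GET" and ev["has_jsessionid"]:
            for put in recent_puts.get(ev["ip"], []):
                if timedelta(0) <= ev["ts"] - put["ts"] <= window:
                    findings.append({
                        "ip": ev["ip"],
                        "put_path": put["path"],
                        "partial_put": put["partial_put"],
                        "get_path": ev["path"],
                        "seconds_apart": (ev["ts"] - put["ts"]).total_seconds(),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_put_then_session_get(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only the first client is flagged: its PUT carried a Content-Range header and a GET with a JSESSIONID cookie followed three seconds later. The second client's session GET precedes its PUT, so ordering alone keeps it out of the findings; in production, tune the window and pair this with the configuration fixes above rather than relying on detection alone.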
2. CISA Rehiring Post-DOGE Workforce Purge
The Cybersecurity and Infrastructure Security Agency (CISA) is rehiring approximately 130 probationary employees who were previously ousted during President Donald Trump's administration workforce purge. These rehired individuals are currently placed on administrative leave as the agency navigates the legal and operational aftermath of the reappointment.
Key Points:
- Legal Context: The rehiring follows a ruling by U.S. District Judge James Bredar, a decision the White House has vowed to contest.
- Political Repercussions: Former President Trump has criticized the decision, labeling it as dangerous, while cybersecurity experts express concerns that mass firings may undermine national security.
- Internal Challenges at CISA: The agency faces internal confusion regarding the ruling and is actively attempting to communicate with affected employees.
- Impact on Cybersecurity Workforce: CISA has previously defunded cybersecurity hubs and justified workforce reductions by citing the elimination of duplicative roles. Critics argue that these actions have weakened U.S. cybersecurity resilience.
Notable Quote:
"Critics, including former NSA official Rob Joyce, say these actions weaken US Cybersecurity." – Dave Bittner [02:03]
3. Legislative Efforts to Protect Rural Water Systems
Washington lawmakers have reintroduced the Cybersecurity for Rural Water Systems Act of 2025, a bipartisan initiative aimed at safeguarding rural water infrastructure from cyber threats. Sponsored by Representatives Don Davis (D-NC) and Zachary Nunn (R-IA), along with Senators Catherine Cortez Masto (D-NV) and Mike Rounds (R-SD), the bill seeks to expand the circuit rider program to include dedicated cybersecurity assistance for small water utilities serving populations under 10,000.
Key Features:
- Cybersecurity Specialists: Deployment of circuit riders who will:
- Train rural utilities staff.
- Assist in cyber defense planning.
- Enhance threat response capabilities.
- Current Security Landscape: Only 20% of U.S. water systems currently implement robust cyber protections, highlighting the bill's critical importance.
- Legislative History: Originally introduced in 2023, the bill failed to pass but is now receiving renewed support due to escalating cyber threats targeting essential services.
Notable Quote:
"This bill expands the circuit rider program to include cybersecurity assistance for small water utilities serving populations under 10,000." – Dave Bittner [04:XX]
4. Western Alliance Bank Data Breach Notification
Western Alliance Bank has informed approximately 22,000 individuals about a data breach that occurred in October 2024. The breach involved the exploitation of a third-party file transfer tool, Cleo, which was compromised by the Clop extortion group. The exposed data includes personal information such as names, Social Security numbers, birth dates, and financial details.
Key Details:
- Incident Disclosure: The breach was confirmed after stolen data became available online in January 2025.
- Bank’s Response: Western Alliance Bank maintains that the breach will not impact its financial condition and has offered affected individuals one year of identity protection services.
- Regulatory and Security Implications: The incident underscores vulnerabilities in third-party tools and the importance of comprehensive security assessments for all connected systems.
Notable Quote:
"Despite the incident, the bank says it won't affect its financial condition. Affected individuals receive one year of identity protection." – Dave Bittner [06:XX]
5. Emergence of "Browser in the Middle" (BITM) Attack Method
A novel cyberattack technique named Browser in the Middle (BITM) has been identified, enabling attackers to bypass Multi-Factor Authentication (MFA) and swiftly steal user sessions. This method involves hijacking authenticated browser sessions, posing a significant threat to organizations reliant on traditional security protocols.
Attack Mechanics:
- Session Hijacking: BITM attacks proxy victims through attacker-controlled browsers, tricking users into entering credentials and completing MFA challenges on malicious replicas of legitimate sites.
- Tools Utilized: Tools such as Evilginx2 and Delusion facilitate real-time session hijacking and scalable phishing campaigns.
Defense Strategies:
- Hardware-Based Authentication: Implementing FIDO2 security keys that bind authentication to physical devices.
- Behavioral Monitoring and Client Certificates: Enhancing detection of unusual activities and validating client identities.
- Security Awareness Training: Educating users to recognize and respond to phishing attempts effectively.
Notable Quote:
"Hardware-based authentication, things like FIDO 2 security keys, are one of the best defenses because they tie authentication to a physical device. No device, no access." – Dave Bittner [08:XX]
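Why a FIDO2 login does not survive relaying, shown as an added example rather than something from the episode: the key is attached to the victim's own machine, so an attacker-operated remote browser cannot reach it, and the assertion a browser does produce embeds the origin the user was actually on plus a hash of the relying-party ID, both of which the server verifies. The relying-party name, the challenge and the helper functions below are constructed for illustration; signature verification over the assertion is a separate step not shown.

```python
import base64
import hashlib
import json

# Constructed values for the relying party (RP) being protected; not from the podcast.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin, challenge):
    """Build the clientDataJSON a browser produces for a WebAuthn assertion at `origin`.
    The browser fills in the origin itself; page script cannot override it."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id):
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64, authenticator_data, expected_challenge):
    """Check the parts of an assertion that defeat a relayed login. The signature over
    authenticatorData || SHA-256(clientDataJSON) is verified separately (not shown)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one this server issued"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"assertion produced at {client_data.get('origin')!r}, not {EXPECTED_ORIGIN!r}"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    return True, "origin and RP binding verified"


if __name__ == "__main__":
    challenge = b64url_encode(b"\x11" * 32)   # constructed; use os.urandom(32) in practice
    auth_data = make_authenticator_data(EXPECTED_RP_ID)
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge))
    # A relay site at a different origin: the browser records that origin, so the check fails.
    print(verify_assertion_binding(make_client_data("https://login.example.org", challenge), auth_data, challenge))
```

The second call fails on the origin comparison even though the challenge and key material are valid, which is the property a replicated login page cannot work around: the relaying origin is written into the signed data by the browser, not by the page.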
6. Chinese Cyber Espionage Group "MirrorFace" Targets Central Europe
The Chinese cyber espionage group known as MirrorFace or Earth Kasha has extended its operations beyond East Asia, recently targeting a Central European diplomatic institute. Research conducted by ESET revealed that the group employed ANEL (UPPERCUT), a backdoor previously associated with APT10, indicating potential tool-sharing among Chinese threat actors.
Attack Breakdown:
- Initial Access: The campaign commenced with spear-phishing emails referencing Expo 2025 in Japan.
- Malware Deployment: Victims were sent malicious Word documents that deployed the ANEL and HiddenFace malware to maintain persistence.
- Evasion Techniques: Attackers employed methods such as log wiping, running AsyncRAT inside Windows Sandbox, and abusing Visual Studio Code's remote tunnels to evade detection.
- Data Exfiltration: Chrome credentials were extracted, potentially compromising diplomatic communications and sensitive data.
Implications:
- This attack exemplifies China's evolving cyber tactics and the increasing collaboration among state-sponsored cyber groups, posing significant threats to international diplomatic relations and national security.
Notable Quote:
"The attack highlights China's evolving cyber tactics and collaboration between state-sponsored groups." – Dave Bittner [10:XX]
7. Exploitation of OpenAI's ChatGPT Infrastructure via Server-Side Request Forgery (SSRF)
A recent cyber attack campaign is actively exploiting a server-side request forgery (SSRF) vulnerability affecting OpenAI's ChatGPT infrastructure. While OpenAI has not been breached, over 10,000 attack attempts originated from a single malicious IP within just one week, with the highest concentration from the U.S., followed by Germany and Thailand.
Vulnerability and Impact:
- Attack Vector: Attackers exploit misconfigured security tools such as Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF), and standard firewalls to carry out SSRF attacks.
- Target Sectors: The financial sector and U.S. government agencies are primary targets; attackers abuse AI-driven services to reach internal resources and sensitive data.
- Organizational Vulnerability: Approximately 35% of organizations remain vulnerable due to inadequate security configurations.
Recommendations:
- Firewall Settings Review: Security teams should reassess and tighten firewall configurations.
- Attack Log Monitoring: Continuous monitoring of attack logs to identify and respond to suspicious activities.
- AI Security Risk Assessment: Reevaluating security measures surrounding AI-related services to mitigate emerging threats.
Notable Quote:
"Veriti urges security teams to review firewall settings, monitor attack logs and reassess AI related security risks." – Dave Bittner [12:XX]
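Firewall rules stop SSRF at the network edge; an application that fetches user-supplied URLs can refuse the request earlier by resolving the hostname itself and rejecting anything that points at loopback, private, link-local (where cloud metadata endpoints live) or reserved address space. An added example of such a guard in Python, not from Veriti or OpenAI, with a constructed resolver so that it runs offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every address a hostname resolves to (A and AAAA), via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable addresses; internal, loopback, link-local (which
    covers 169.254.169.254-style metadata endpoints), multicast and reserved space fail."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return addr.is_global and not (addr.is_private or addr.is_loopback or addr.is_link_local
                                   or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Decide whether a user-supplied URL may be fetched. Returns (allowed, detail); when
    allowed, `detail` is the one address the HTTP client should connect to, so a second
    lookup at connect time cannot swap in a different answer (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)         # IP literal: nothing to resolve
        addresses = {host}
    except ValueError:
        try:
            addresses = set(resolver(host))
        except (socket.gaierror, KeyError, ValueError):
            addresses = set()
    if not addresses:
        return False, f"{host!r} did not resolve"
    for ip_text in sorted(addresses):       # every answer must be public, not just one
        if not is_public_address(ip_text.split("%")[0]):
            return False, f"{host!r} resolves to non-public address {ip_text}"
    return True, sorted(addresses)[0]


# Constructed name-to-address table so the example runs offline (assumed values).
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "localhost": {"127.0.0.1", "::1"},
    "two-faced.example": {"93.184.216.34", "10.0.0.8"},   # one public, one private answer
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/data", "http://metadata.internal/",
                      "http://localhost:8080/", "http://[::1]/", "file:///etc/hosts",
                      "http://two-faced.example/"):
        print(candidate, "->", check_outbound_url(candidate, fake_resolver))
```

Two design points matter in practice: a hostname with mixed answers is rejected outright rather than retried on its public address, and the caller must connect to the returned address (and re-run the check on every redirect hop) for the pin to mean anything.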
8. Australian Securities Firm FIIG Sued Over 2023 Data Breach
Australia’s financial regulator is pursuing legal action against FIIG Securities for cybersecurity deficiencies that led to a significant data breach in 2023, affecting 18,000 customers. The breach resulted in the theft of 385 gigabytes of sensitive data, including personal and financial information.
Regulatory Actions:
- Allegations: FIIG is accused of neglecting basic security controls for four years, failing to update firewalls, patch software vulnerabilities, and implement adequate employee training.
- Discovery of Breach: FIIG remained unaware of the breach until alerted by Australia’s cybersecurity center and took six days to respond.
- Legal Framework: The case cites violations of the Corporations Act, which mandates financial institutions to maintain robust risk management practices.
- Industry Context: This lawsuit follows a similar 2022 case against RI Advice for analogous cybersecurity lapses, signaling heightened regulatory scrutiny in Australia.
Future Implications:
- Regulatory Stringency: Australian regulators emphasize that cyber risk management is paramount, with impending stricter regulatory measures for financial firms failing to protect customer data.
Notable Quote:
"The Australian regulators allege FIIG violated the Corporations Act, which mandates financial firms maintain adequate risk management." – Dave Bittner [14:XX]
9. Threat Vector Segment: Platformization in Cybersecurity
Guest: Carlos Rivera, Senior Analyst at Forrester
Host: David Moulton
The Threat Vector segment delves into the concept of platformization, exploring how unifying security capabilities can enhance cyber resilience. The discussion highlights the ongoing debate between traditional network security measures and emerging cloud-based strategies.
Key Discussion Points:
- Microsegmentation within Zero Trust:
- Challenges: Implementing microsegmentation at the host or microservice level is complex and often leads to delays or abandonment of security initiatives.
- Strategic Approach: Organizations should identify critical assets and assess existing tools to achieve an acceptable maturity level based on risk tolerance before advancing to more granular segmentation.
- Policy Coordination: Ensuring consistent and non-conflicting policy rule sets across various enforcement points (firewalls, VPNs, etc.) is crucial for effective security architecture.
Notable Quote:
"Organizations should identify where those critical assets are in their environment and then actually assess what are the tools and technology the controls have already in place that they can leverage." – Carlos Rivera [15:07]
- Advantages of Unified Security Platforms:
- Simplified Management: Reduces the complexity and silos within security operations, facilitating collaborative discussions and streamlined deployments.
- Cost Efficiency: Consolidates multiple licenses and reduces infrastructure complexity, leading to potential cost savings.
- Enhanced Incident Response: Improved visibility and centralized management accelerate incident response times and overall security effectiveness.
Notable Quote:
"The idea behind the unification of security controls is really just simplifying deployment and management." – Carlos Rivera [18:10]
- Recent Security Developments:
- Government Influence: Increasing executive orders and government involvement are shaping organizational cybersecurity practices, setting precedents for industry standards.
Notable Quote:
"We're seeing it kind of unfold now in terms of executive orders, you know, governments buying in and making more, or at least being more influential in how organizations and the industry should approach cybersecurity." – Carlos Rivera [19:27]
10. Emerging Ransomware Tactics by OxThief and Medusa
The podcast concludes with an intriguing narrative of cybercriminal evolution in the ransomware landscape. OxThief, a ransomware group, has adopted unconventional extortion tactics by threatening to expose victims to cybersecurity journalists, privacy advocates, and organizations like the Electronic Frontier Foundation if ransoms are not paid. This strategy aims to pressure victims through reputational and legal risks rather than solely relying on financial demands.
Noteworthy Trends:
- Diversified Extortion Methods: Moving beyond encryption, attackers are leveraging public exposure and legal threats to enforce compliance.
- Cybercriminal Fabrication: Instances where multiple groups, such as OxThief and Medusa, claim to have breached the same organization raise questions about the authenticity of such claims and the degree of coordination within the cybercrime ecosystem.
Notable Quote:
"Instead of just encrypting files and waiting for a payday, OxThief is weaponizing legal liability and media scrutiny." – Dave Bittner [21:XX]
Takeaway:
Organizations must not only bolster their technical defenses but also be prepared for multifaceted extortion attempts that exploit legal and reputational vulnerabilities.
Conclusion
This episode of CyberWire Daily, titled "Tomcat Got Your Server?", provides a comprehensive overview of significant cybersecurity incidents, legislative efforts, emerging threat methods, and industry insights. From active exploitations of critical vulnerabilities to evolving ransomware tactics, the discussion underscores the dynamic and multifaceted nature of today's cyber threat landscape. Additionally, the Threat Vector segment offers valuable perspectives on the importance of platformization and unified security strategies in enhancing organizational resilience against sophisticated cyber threats.
For a detailed analysis of platformization and further insights, listeners are encouraged to explore the Threat Vector podcast series linked in the CyberWire show notes.
For more information and the latest updates, visit thecyberwire.com.
