CyberWire Daily – "X Marks the Hack"
Release Date: March 11, 2025
Overview
In this episode of CyberWire Daily, host Dave Bittner delves into a spectrum of pressing cybersecurity issues, ranging from significant cyberattacks affecting major platforms like X Twitter to evolving threats posed by agentic AI and sophisticated cybercriminal activities. Additionally, the episode features an in-depth discussion with Gerald Bushelt, CISO at Acronis, highlighting the critical role of threat research and intelligence for Managed Service Providers (MSPs). The episode also celebrates the success of the UK's Cyber First Girls competition, underscoring the importance of fostering female talent in cybersecurity.
Main Cyber News
1. X Twitter Suffers Multi-Wave Cyberattack
On Monday, X Twitter experienced extensive outages attributed to a massive cyberattack. Elon Musk initially described the incident as orchestrated by a coordinated group or nation-state, but further analysis revealed that the attack traffic predominantly originated from the United States, Vietnam, and Brazil, suggesting a Distributed Denial of Service (DDoS) attack methodology.
“This was likely a DDoS attack where compromised devices overwhelm a system with traffic,” explained a cybersecurity analyst (12:45). The Dark Storm Team, a pro-Palestine hacktivist group potentially linked to Russia, claimed responsibility. However, other groups, including Anonymous-affiliated hacktivists, also asserted involvement, making verification challenging.
This incident highlights the blurred lines between hacktivism, cybercrime, and state-sponsored operations, reminiscent of previous attacks on X Twitter by groups like Anonymous Sudan.
2. Signal President Raises Alarms Over Agentic AI
At the South by Southwest conference, Meredith Whittaker, President of Signal, articulated significant concerns regarding the advent of agentic AI. She compared AI agents to “putting your brain in a jar,” emphasizing the deep access these agents require to perform tasks such as managing calendars and sending messages.
“Integrating AI agents with secure messaging apps like Signal would compromise message privacy,” Whittaker warned (05:30). She highlighted that the AI industry’s reliance on mass data collection could further erode privacy, prioritizing convenience over security.
3. Lawsuit Targets DOGE for Security Breaches at SSA
A recent lawsuit accuses the Department of Government Efficiency (DOGE) of bypassing critical security measures at the Social Security Administration (SSA). Tiffany Flick, former SSA Acting Chief of Staff, alleged that DOGE operatives pressured officials to grant system access to individuals with unresolved security clearances, thereby risking the exposure of sensitive data.
“DOGE’s actions jeopardize national security,” Flick asserted (18:20). The AFL-CIO-backed lawsuit emphasizes the dangers of mass government dismissals and weakened data protection, garnering attention from federal cybersecurity experts.
4. Five Eyes Alliance Considers Revising Intelligence Sharing
Amidst growing concerns over President Trump’s warming ties with Russia, several Five Eyes alliance members—including the UK, Canada, Australia, New Zealand, Israel, and Saudi Arabia—are reevaluating their intelligence-sharing protocols. Sources indicate fears that increased cooperation with Russia could jeopardize sensitive data and compromise global security efforts.
“Scaling back intelligence sharing could undermine global security,” a former intelligence official cautioned (22:10). The hesitation stems from Russia’s historical association with cybercriminal activities, prompting allies to protect foreign assets and uphold stringent confidentiality standards.
5. MINJA Attack Exploits AI Memory Through User Interaction
Researchers from Michigan State University, the University of Georgia, and Singapore Management University unveiled a novel attack method named MINJA, which targets AI agents by manipulating their memory without backend access. This Memory Injection Attack (MINJA) successfully altered AI responses by embedding misleading prompts during ordinary user interactions.
“With over 95% injection success, MINJA bypasses traditional moderation filters,” stated one researcher (14:50). The attack demonstrated vulnerabilities in GPT-4-powered AI agents, highlighting the urgent need for enhanced AI memory safeguards.
6. Sidewinder APT Group Escalates Global Cyber Threats
Securelist researchers reported a surge in activity from the Sidewinder APT group in 2024. The group has expanded its targets beyond military and government entities to include the maritime, logistics, and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails and exploiting existing vulnerabilities, Sidewinder deploys the StealerBot malware, which employs advanced evasion techniques to remain undetected.
“Sidewinder rapidly adapts, modifying malware within five hours of detection,” noted the report (17:00). This evolution underscores the critical importance of patching outdated systems to defend against increasingly sophisticated threats targeting vital infrastructure.
7. Critical Veritas Vulnerability Exposes Disaster Recovery Systems
A severe remote code execution flaw in Veritas Arctera InfoScale has been identified, stemming from insecure deserialization in the Windows plugin host service. The vulnerability allows attackers to execute arbitrary code with SYSTEM-level privileges via malicious .NET Remoting messages, affecting InfoScale versions 7.0 and 8.0.2 on Windows.
“Outdated technologies like .NET deserialization remain prime targets,” warned security experts (19:45). Veritas recommends disabling the plugin host or manually configuring DR (disaster recovery) configurations to mitigate the risk, emphasizing the need for proactive defense measures beyond mere patching.
8. Kansas Healthcare Provider Breach Exposes 220,000 Patients
In December, Sunflower Medical Group suffered a cyberattack that compromised the sensitive data of 221,000 patients, including Social Security numbers and medical records. Although the extent of the breach remained unclear, the Rhysida ransomware gang claimed responsibility, demanding $800,000.
“No operational disruptions occurred,” stated Sunflower Medical Group, which has since offered credit monitoring to affected individuals (21:30). This incident highlights the persistent vulnerabilities within healthcare systems and the escalating threats from ransomware gangs targeting sensitive medical data.
9. New York Sues Allstate Over Data Exposure
New York State initiated legal action against Allstate, alleging failures in securing personal data, which resulted in the exposure of thousands of driver’s license numbers. The breach, originating from National General’s quote-generating websites, allowed fraudsters to harvest over 12,000 records through unsecured channels.
“National General failed to notify affected individuals, violating state laws,” the lawsuit contends (23:00). Additionally, weak access controls, such as plain-text passwords and the absence of multi-factor authentication, compromised another 187,000 individuals, prompting New York to seek penalties and injunctions against continued security lapses.
10. CISA Identifies Critical Ivanti and VeraCore Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has cataloged three critical vulnerabilities in Ivanti Endpoint Manager, including path traversal flaws that enable remote leakage of sensitive information. Additionally, CISA flagged two VeraCore vulnerabilities: an unrestricted file upload flaw and an SQL injection vulnerability.
“Organizations must immediately patch these issues to prevent cyber attacks,” urged a CISA spokesperson (24:35). The agency emphasizes the urgency of addressing these vulnerabilities to safeguard against potential breaches.
11. FTC to Refund Victims of Tech Support Scams
The Federal Trade Commission (FTC) announced plans to distribute $25.5 million in refunds to over 736,000 consumers deceived by tech support scams operated by Restoro and Reimage. These firms fabricated security threats to coerce users into purchasing overpriced repair plans, ranging from $58 to $499.
“Refunds will be sent via PayPal starting March 13,” the FTC stated (25:10). The companies face a $26 million fine for deceptive practices, reinforcing the FTC's commitment to combating fraudulent tech schemes.
Industry Voices: Gerald Bushelt, CISO at Acronis
In the Industry Voices segment, Gerald Bushelt discusses the indispensable role of threat research and intelligence for Managed Service Providers (MSPs). He emphasizes that effective security programs must transcend mere compliance checklists to address the actual threats faced by customers.
“Understanding threat intelligence is crucial to fully comprehend the risk and exposure of your customers,” Bushelt explained (20:25).
Key Insights:
- Proactive Security Measures: Bushelt advocates for leveraging telemetry and advanced threat information to proactively lock down environments and prevent issues before they escalate.
  “The true magic comes when you integrate telemetry from endpoints into a centralized environment, enhancing your overall security posture,” he added (22:19).
- Centralized Threat Management: Implementing solutions like Extended Detection and Response (XDR) allows for comprehensive monitoring and response across an organization’s entire infrastructure.
- Collaborative Defense: Working with third-party providers like Acronis enables MSPs to gain insights from a broader range of threats, enhancing their ability to protect clients effectively.
  “Working with an organization that invests back into leveraging threat information significantly strengthens our defensive capabilities,” Bushelt noted (24:10).
- Strategic Recommendations: For organizations aiming to integrate threat intelligence, Bushelt recommends selecting trusted vendors with proven track records and establishing dedicated security functions to continually assess and optimize threat responses.
  “Having a function within your security team to map your activities against the digital underground landscape is essential,” he advised (25:38).
Celebrating the Cyber First Girls Competition in the UK
The episode also highlights the triumph of the UK's Cyber First Girls competition, which saw a record participation of 14,500 girls across 4,159 teams. The competition, held at Jodrell Bank, crowned Hillcrest School in Birmingham as the top-scoring state newcomer and Henrietta Barnett School in North London as the top-scoring team.
“Encouraging young women into cyber careers is vital for closing the industry's skills gap,” stated Chris Ensor of the National Cyber Security Centre (NCSC) (26:40).
With women currently filling just 17% of cybersecurity roles, initiatives like Cyber First are pivotal in fostering diversity and inspiring the next generation of cybersecurity professionals.
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of the current cybersecurity landscape, highlighting significant breaches, evolving threats, and strategic defenses. The insightful discussion with Gerald Bushelt underscores the importance of threat intelligence for MSPs, while the celebration of the Cyber First Girls competition emphasizes the ongoing efforts to diversify the cybersecurity workforce. As cyber threats continue to evolve, staying informed and proactive remains paramount for individuals and organizations alike.
For more detailed insights and updates, visit CyberWire Daily or subscribe to the podcast on your preferred platform.
