Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire, terms and conditions apply. Hiring? Indeed is all you need.

X (Twitter) had multiple waves of outage yesterday. Signal's president warns against agentic AI. A new lawsuit alleges DOGE bypassed critical security safeguards. Is the Five Eyes alliance fraying? The MINJA attack poisons AI memory through user interaction. Researchers report increased activity from the Sidewinder APT group. A critical Veritas vulnerability enables remote code execution. A Kansas healthcare provider breach exposes 220,000 patients' data. New York sues Allstate over data exposure on insurance websites. CISA warns of critical Ivanti and VeraCore vulnerabilities. The FTC is going to refund 25 and a half million dollars to victims of tech support scams. On our Industry Voices segment, we're joined by Gerald Beuchelt, CISO at Acronis, who's discussing how threat research and intelligence matter to MSPs. And the UK celebrates a record-breaking CyberFirst Girls competition.

March 11, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.

A cyber attack caused outages on X (Twitter) on Monday, with reports indicating multiple attack waves. While Elon Musk called it a massive cyber attack and suggested a coordinated group or nation state was involved, details remain unclear. Musk later pointed to IP addresses from Ukraine, but sources say most attack traffic came from the US, Vietnam and Brazil. The attack was likely a DDoS attack, where compromised devices overwhelm a system with traffic. The Dark Storm Team, a pro-Palestine hacktivist group possibly linked to Russia, claimed responsibility. Other groups, including Anonymous-affiliated hacktivists, also took credit, but verifying these claims is difficult. Cyber attacks like these often blur the lines between hacktivism, cybercrime and state-sponsored operations. X (Twitter) has been targeted before, including by Anonymous Sudan, a group whose members were recently charged in the US for offering DDoS services. Investigations into this latest attack are ongoing.

Speaking at the South by Southwest conference, Signal President Meredith Whittaker warned that agentic AI poses serious privacy and security risks. She compared AI agents to putting your brain in a jar, as they perform tasks on users' behalf such as booking tickets, managing calendars and sending messages. To function, these agents would need deep access to user systems, including web browsing, credit card details, messaging apps and calendars, likely with root-level permissions. She cautioned that processing such tasks would almost certainly happen on cloud servers, exposing sensitive data. Whittaker stressed that integrating AI agents with secure messaging apps like Signal would compromise message privacy. She also criticized the AI industry's reliance on mass data collection, arguing that prioritizing "bigger is better" AI risks further eroding privacy in exchange for convenience.

A new lawsuit alleges the Department of Government Efficiency (DOGE) bypassed critical security safeguards at the Social Security Administration, risking exposure of sensitive data. Former SSA Acting Chief of Staff Tiffany Flick warned that DOGE operatives, led by Mike Russo, pressured officials to grant system access to Akash Bobba despite unresolved security clearances. DOGE's push for unrestricted data access ignored federal protections designed to prevent financial exploitation and unauthorized system breaches. Flick accused DOGE of forcing staff to share highly sensitive information via potentially unsecured email channels, relying on AI tools to analyze data and determine federal job cuts. She resigned after security policies were disregarded and Leland Dudek, a mid-level analyst, was elevated to acting commissioner. The AFL-CIO-backed lawsuit warns that DOGE's actions jeopardize national security, with federal cybersecurity experts sounding alarms over mass government dismissals and weakened data protection measures.

NBC News reports several US allies are reconsidering their intelligence-sharing protocols, fearing that President Trump's warming ties with Russia could compromise sensitive data, sources say. Concerns center on protecting foreign assets, as intelligence agencies are bound by strict commitments to shield sources' identities. Members of the Five Eyes alliance (the UK, Canada, Australia and New Zealand), along with Israel and Saudi Arabia, are evaluating whether to limit intelligence flow to Washington. While publicly downplaying concerns, some officials privately question U.S. reliability and the risk of intelligence leaks. Trump's recent pauses in intelligence assistance to Ukraine and the reported halt of cyber operations against Russia have heightened security worries. Some fear a US-Russia cyber détente despite Russia's history of harboring cybercriminals. Former intelligence officials warn that Moscow is an unreliable partner and scaling back intelligence sharing could undermine global security efforts.

Researchers from Michigan State University, University of Georgia, and Singapore Management University have uncovered a new attack method that manipulates AI models with memory without requiring backend access. Dubbed MINJA, for Memory Injection Attack, the technique allows a regular user to poison an AI's memory simply by interacting with it. The attack injects misleading prompts into the model's memory, altering future responses. Tested on GPT-4-powered AI agents, MINJA tricked a medical chatbot into swapping patient records, a webshop AI into misdirecting purchases, and a QA agent into answering questions incorrectly. With over 95% injection success, MINJA bypasses traditional moderation filters by disguising manipulations as legitimate reasoning. The findings highlight serious security risks for AI systems with memory, urging immediate improvements in AI memory safeguards. OpenAI has not yet commented on the vulnerability.

Researchers at Securelist report increased activity from the Sidewinder APT group in 2024, with enhanced malware, expanded targets, and global reach. Traditionally focused on military and government entities, the group now targets maritime, logistics and nuclear sectors across South Asia, Southeast Asia, the Middle East, and Africa. Using spear-phishing emails, Sidewinder exploits a vulnerability to deploy StealerBot, a post-exploitation toolkit. Their malware, disguised as legitimate DLL files, includes advanced evasion techniques like control flow flattening. Sidewinder rapidly adapts, modifying malware within five hours of detection. Their continued reliance on old vulnerabilities underscores the importance of patching outdated systems to defend against sophisticated threats targeting critical infrastructure worldwide.

A severe remote code execution flaw in Veritas Arctera InfoScale exposes enterprise disaster recovery infrastructure to attack. The issue stems from insecure deserialization in the Windows Plugin Host service, allowing attackers to execute arbitrary code via malicious .NET remoting messages. The flaw affects InfoScale versions 7.0 and 8.0.2 on Windows, with system-level privilege risks. Veritas advises disabling Plugin Host or using manual DR configurations to mitigate exposure. Security experts warn that outdated technologies like .NET deserialization remain prime targets requiring proactive defense. Beyond patching, organizations should audit DR workflows to prevent exploitation.

A December cyber attack on Sunflower Medical Group compromised 221,000 patients' sensitive data, including Social Security numbers, medical records and insurance details. The breach, discovered January 7, revealed hackers had been inside the system since mid-December, stealing files. While Sunflower has not confirmed a ransomware attack, the Rhysida ransomware gang claimed responsibility, demanding $800,000. The company notified regulators, offered credit monitoring and stated no operational disruptions occurred. Rhysida has previously targeted healthcare and nonprofit organizations, heightening concerns over medical data security.

New York State is suing Allstate Insurance for failing to secure personal data, allowing criminals to steal thousands of driver's license numbers from poorly designed quote-generating websites. The issue stemmed from National General, an Allstate unit, which exposed driver's license numbers in plain text during the quoting process. Fraudsters exploited the system, harvesting at least 12,000 records for identity theft and unemployment fraud. The breach went undetected for over two months, with 9,100 New Yorkers affected, yet National General failed to notify them, violating state laws. Another 187,000 individuals' data was compromised due to weak access controls, including plain-text passwords and no multi-factor authentication for insurance agents. New York seeks penalties and an injunction against continued security failures. Texas has also sued Allstate for allegedly collecting telematics data without user consent, further raising privacy concerns.

CISA has added three critical Ivanti Endpoint Manager vulnerabilities to its Known Exploited Vulnerabilities catalog. These path traversal flaws allow unauthenticated attackers to leak sensitive information remotely. CISA also flagged two VeraCore vulnerabilities: an unrestricted file upload flaw and an SQL injection vulnerability. The agency urges all organizations to immediately patch these issues to prevent cyber attacks.

The Federal Trade Commission will begin distributing $25.5 million in refunds to over 736,000 consumers deceived by Restoro and Reimage, tech support companies that used fake system warnings to trick users into paying for unnecessary computer repairs. These firms impersonated Windows pop-ups, falsely claiming devices had malware or performance issues. Investigators found their software fabricated security threats to push users into buying repair plans ranging from $58 to $499. Fined $26 million in 2024, the companies are now banned from deceptive telemarketing. The FTC continues to crack down on fraudulent tech practices, previously targeting TurboTax, Avast and data brokers. Refunds will be sent via PayPal starting March 13, with recipients needing to redeem them within 30 days.

Coming up after the break, my conversation with Gerald Beuchelt, CISO at Acronis. We're discussing how threat research and intelligence matter to MSPs. And the UK celebrates a record-breaking CyberFirst Girls competition. Stick around.

Threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy-one-get-one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico: say no to modern cyber threats. Upgrade your security today.
