The CyberWire Daily Podcast 2.14.25
Ep 2246 | 2.14.25

AI’s blind spots need human eyes.

Transcript

Nakasone addresses AI at the Munich Cyber Security Conference. Court documents reveal the degree to which DOGE actually has access. Dutch police dismantle a bulletproof hosting operation. German officials investigate Apple’s App Tracking. Hackers exploited security flaws in BeyondTrust. CISA issues 20 new ICS advisories. The new Astaroth phishing kit bypasses 2FA. Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability. Our guest today is Lawrence Pingree, VP of Technical Marketing at Dispersive, joining us to discuss why preemptive defense is essential in the AI arms race. Have I Been Pwned ponders whether resellers are worth the trouble.

Today is Friday February 14th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Nakasone addresses AI at the Munich Cyber Security Conference. 

At the Munich Cyber Security Conference, former NSA Director Paul Nakasone emphasized the need for AI integration while preserving human expertise. He highlighted that future national security professionals must blend coding skills with policy knowledge. AI can enhance efficiency, but human intuition remains essential—especially in intelligence work, where operators detect subtle adversarial changes AI cannot.

Nakasone stressed that the side integrating AI fastest will gain the advantage, but ethical and moral decision-making will still require human judgment. Peter Kant, CEO of Enabled Intelligence, reinforced this, advocating for neurodiverse teams to refine AI. He noted that neurodiverse individuals excel at spotting AI hallucinations, biases, and inconsistencies, making AI outputs more reliable.

AI, Kant argued, should automate routine tasks, allowing humans to focus on critical thinking and innovation. Neurodiversity enhances AI development, improving defense applications like satellite image analysis. Ultimately, AI is a tool—but human intelligence, ethics, and adaptability remain irreplaceable.

Court documents reveal the degree to which DOGE actually has access. 

New court documents reveal that Marko Elez, a 25-year-old employee of the Department of Government Efficiency (DOGE), had “write” privileges to a Treasury payment system—contradicting earlier reports that he only had “read-only” access. However, his privileges were mistakenly granted for just one day before Treasury officials revoked them, and there’s no evidence he made unauthorized changes.

The Treasury implemented strict security measures, including monitoring Elez’s activities and restricting his access to certain systems. Despite media claims that he had administrative-level access, officials assert he was only able to edit data in a limited capacity.

A lawsuit has been filed to block DOGE employees from accessing Treasury systems over security concerns. Elez resigned on February 6 following media scrutiny. While some reports suggested he altered Treasury code, court documents indicate his work mainly involved helping automate payment review processes rather than making unauthorized or disruptive changes.

Meanwhile, the doge.gov website has serious security flaws, allowing anyone to edit its database. Two individuals demonstrated the vulnerability by adding public messages mocking the site’s lack of protection.

Doge.gov was hastily launched after Musk touted DOGE’s transparency, but experts say it appears to be hosted on Cloudflare Pages rather than secure government servers. The site pulls data from an open database that has been modified by third parties.

One researcher found they could alter government employment stats by accessing exposed API endpoints. The site’s codebase appears to be deployed from GitHub without proper security measures. Similar issues were found with waste.gov, another DOGE-affiliated site. The lack of cybersecurity raises major concerns. 

Dutch police dismantle a bulletproof hosting operation. 

Dutch police dismantled the ZServers/XHost bulletproof hosting operation, taking 127 illegal servers offline. The U.S., U.K., and Australia recently sanctioned the same service for aiding cybercriminals, particularly LockBit ransomware operators.

Run by Russian nationals Alexander Mishin and Aleksandr Bolshakov, ZServers facilitated botnets, malware distribution, and money laundering. The service openly advertised its tolerance for criminal activity, making it a safe haven for cybercrime.

Authorities found servers hosting hacking tools from LockBit and Conti ransomware, two of the most damaging ransomware operations. The Amsterdam-based servers allowed anonymous purchases via cryptocurrency.

While no arrests were made, Dutch cybercrime specialists are investigating seized equipment for further evidence. Mishin and Bolshakov face asset freezes and travel bans, but criminal charges have not been filed yet. Dutch police emphasized that shutting down bulletproof hosting is key to disrupting global cybercrime.

German officials investigate Apple’s App Tracking. 

Germany’s competition watchdog is investigating Apple’s App Tracking Transparency framework (ATTF), alleging that the company exempts itself from the strict privacy rules it enforces on third-party apps.

Since 2021, iOS developers must ask for user consent before tracking activity across apps, a move that hit Facebook (Meta) hard, costing it an estimated $10 billion in ad revenue. However, regulators claim Apple still tracks users within its own ecosystem, using data from the App Store, Apple ID, and connected devices for personalized ads.

Apple’s consent prompts also appear to favor its own services by reducing user friction compared to third-party apps. The German Federal Cartel Office argues this could be anti-competitive self-preferencing. Apple, which has appealed its regulatory designation in Germany, has yet to respond. A final court decision on its competitive status is expected on March 18.

Hackers exploited security flaws in BeyondTrust. 

Hackers exploited security flaws in BeyondTrust, a company that helps businesses manage secure access to their systems. They used two previously unknown software bugs and a stolen security key to break into BeyondTrust’s network in December.

A month later, the U.S. Treasury Department was also hacked. Investigators linked this attack to Chinese state-sponsored hackers known as Silk Typhoon, who stole sensitive government documents related to economic sanctions and foreign investments.

Experts later discovered that the hackers also took advantage of a hidden weakness in PostgreSQL, a database tool used in many systems. This flaw allowed them to take control of BeyondTrust’s software remotely.

Although BeyondTrust fixed one of the security issues, it didn’t fully repair the database flaw. Still, its update blocked hackers from using it. CISA has since ordered agencies to secure their systems against these types of attacks.

CISA issues 20 new ICS advisories. 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued 20 new security advisories for Industrial Control Systems (ICS), warning about critical vulnerabilities in products from Siemens, ORing, mySCADA, Mitsubishi Electric, and others. These flaws could allow hackers to disrupt operations, steal sensitive data, or gain unauthorized access.

Key affected products include Siemens SIMATIC, SIPROTEC, SCALANCE W700, Mitsubishi FA Engineering Software, and Outback Power Mojave Inverter. Issues include remote code execution, authentication bypass, weak encryption, and command injection.

CISA urges organizations to apply security patches, strengthen authentication, and isolate vulnerable systems. 

The new Astaroth phishing kit bypasses 2FA. 

A new phishing kit, Astaroth, has emerged as a major cybersecurity threat, capable of bypassing two-factor authentication (2FA) using advanced session hijacking and real-time credential interception. First seen in January 2025, it targets platforms like Gmail, Yahoo, and Office 365.

Astaroth acts as a man-in-the-middle, mirroring real login pages with SSL certificates to avoid detection. When victims enter credentials and 2FA tokens, attackers intercept session cookies, allowing them to bypass authentication entirely.

Sold for $2,000 on cybercrime forums, it includes real-time credential capture, SSL-certified phishing domains, and takedown-resistant hosting. Experts warn that traditional security measures are ineffective against Astaroth’s real-time attacks. Enhanced cybersecurity, user awareness, and proactive threat detection are crucial to defending against these evolving phishing threats.

Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability. 

Hackers are actively exploiting CVE-2024-53704, a high-severity authentication bypass in SonicWall firewalls, after a proof-of-concept (PoC) exploit was published. This vulnerability allows attackers to bypass multi-factor authentication (MFA), access private data, and disrupt VPN sessions.

SonicWall released patches in January 2025, but as of February 7, around 4,500 devices remain unpatched. Arctic Wolf warns that cybercriminals often exploit firewall and VPN vulnerabilities for ransomware attacks, citing past incidents involving Akira ransomware.

Organizations should immediately update SonicWall firewalls or follow mitigation steps to prevent attacks. Disabling SSLVPN is recommended if patching is not possible, as the public PoC increases the risk of exploitation.

Next up, I talk with Dispersive’s Lawrence Pingree about why preemptive defense is essential in the AI arms race. And, Troy Hunt to resellers: “You're pwned!” We’ll be right back.

Welcome back

Have I Been Pwned ponders whether resellers are worth the trouble. 

Troy Hunt, the mastermind behind Have I Been Pwned (HIBP), is on the verge of banning resellers—and honestly, who can blame him?

HIBP, the go-to site for checking if your email has been pwned (read: stolen and floating around the dark web), offers paid API access to bulk-check data breaches. But some crafty resellers have been buying subscriptions at $1,100 and flipping them for $2,544—a markup that would make even scalpers blush. Worse, despite making up less than 1% of users, resellers account for 15% of support tickets and take five times longer to assist.

Frustrated with endless pricing disputes and bizarre refund requests (seriously, how do you return a Netflix subscription?), Hunt is “very, very, strongly inclined” to kick them out. However, he’s still mulling over a solution—maybe automation—to save HIBP from reseller-induced headaches while keeping legit customers happy. Stay tuned!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

A programming note, we will be observing Washington’s birthday in the US. Have no fear, we will have some great content in your CyberWire Daily feed while we are on our publishing break. 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.