The CyberWire Daily Podcast 2.19.25
Ep 2248 | 2.19.25

Pennies for access.

Transcript

Credential theft puts sensitive corporate and military networks at risk. A federal judge refuses to block DOGE from accessing sensitive federal data. New York-based Insight Partners confirms a cyber-attack. BlackLock ransomware group is on the rise. OpenSSH patches a pair of vulnerabilities. Russian threat actors are exploiting Signal’s “Linked Devices” feature. Over 12,000 GFI KerioControl firewalls remain exposed to a critical remote code execution (RCE) vulnerability. CISA issued two ICS security advisories. Federal contractors pay $11 million in cybersecurity noncompliance fines. In our CertByte segment, Chris Hare is joined by Steven Burnley to break down a question targeting the ISC2® SSCP - Systems Security Certified Practitioner exam. Sweeping cybercrime reforms are unveiled by…Russia?

Today is Wednesday February 19th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Credential theft puts sensitive corporate and military networks at risk.

Sensitive corporate and military networks in the U.S. could be at risk due to widespread credential theft from infostealer malware. Research from Hudson Rock reveals cybercrime marketplaces are selling credentials from major defense contractors like Lockheed Martin and Boeing, as well as U.S. military and government agencies, sometimes for as little as $10 per log. These logs often include active session cookies, allowing attackers to bypass multi-factor authentication (MFA). Even organizations not directly infected could be compromised through their partners or vendors. Stolen credentials may expose classified systems, procurement details, and mission-critical intelligence. Experts warn this poses a major national security threat, urging immediate password resets and forensic investigations. Infostealer infections stem from phishing, malware-laden downloads, and fake apps, with over 30 million compromised computers identified in recent years.

A federal judge refuses to block DOGE from accessing sensitive federal data. 

A federal judge refused to block Elon Musk and his Department of Government Efficiency (DOGE) from accessing sensitive federal data, despite concerns over privacy and oversight. The lawsuit, filed by 14 state attorneys general, failed to prove “imminent, irreparable harm.” The White House shifted its legal stance, arguing that Musk is merely a senior adviser to President Trump, not DOGE’s leader.

DOGE retains access to key agencies, including Commerce, Energy, and Health and Human Services, and has reportedly fed financial data into AI software via Microsoft Azure. The task force has also granted unchecked system access to young, unvetted employees.

The controversy centers on Musk’s influence over federal workforce reductions and AI-driven efficiency efforts, despite lacking Senate confirmation. The White House called Musk a “special government employee,” while Judge Chutkan acknowledged DOGE’s unpredictability but found no immediate legal basis for intervention. The White House declined further comment.

Meanwhile, a General Services Administration (GSA) worker resigned in protest after Thomas Shedd, a Musk ally and head of Technology Transformation Services (TTS), requested admin access to the Notify.gov system. This platform sends mass government texts and contains personally identifiable information (PII) like phone numbers and Medicaid participation status.

Shedd’s request would grant him unilateral access to this sensitive data without oversight. The resigning worker warned that bypassing the Authorization to Operate (ATO) process violates federal security policies (FISMA). Other employees fear unchecked power over public data and the risk of government systems being misused for AI-driven workforce reductions.

Shedd previously suggested using login.gov for fraud tracking and replacing federal workers with AI coding agents. Employees say his actions are “scary,” and concerns grow that no one will stop him. GSA has not responded to requests for comment.

New York-based Insight Partners confirms a cyber-attack. 

New York-based Insight Partners confirmed a cyber-attack in January 2025, caused by a sophisticated social engineering attack. The breach was detected on January 16, and the firm swiftly contained and remediated it.

The attack did not impact operations or pose risks to portfolio companies, including major IT and cybersecurity firms like SentinelOne, Wiz, and Recorded Future. Insight has informed law enforcement and partners and is investigating the breach with cybersecurity experts. The firm manages $90B in assets and has backed 800+ companies.

BlackLock ransomware group is on the rise. 

Security researchers warn of BlackLock, a rapidly growing ransomware-as-a-service (RaaS) group, which saw a 1,425% increase in data leak posts in late 2024. Expected to be 2025’s most active RaaS group, BlackLock distinguishes itself with custom-built malware, making analysis difficult, and data leak site defenses that prevent victims from assessing stolen data, increasing ransom pressure.

BlackLock operates heavily on the RAMP forum, collaborating with affiliates, developers, and initial access brokers (IABs) to accelerate attacks. Unlike typical RaaS groups, it retains control over early attack stages by recruiting traffers—individuals who steer victims to malicious content—while higher-level developers are discreetly hired.

ReliaQuest warns that BlackLock may exploit Microsoft Entra Connect to target on-premises environments. Organizations are urged to harden synchronization rules, enforce MFA, restrict RDP, and secure ESXi hosts to mitigate risks.

OpenSSH patches a pair of vulnerabilities. 

Qualys reported two OpenSSH vulnerabilities, both now patched in version 9.9p2.

• CVE-2025-26466 (CVSS 9.8): A denial-of-service flaw in OpenSSH 9.5p1, allowing attackers to overload memory and CPU with small ping messages, potentially crashing systems.

• CVE-2025-26465 (CVSS 6.8): A man-in-the-middle attack risk in OpenSSH since 2014, affecting clients with VerifyHostKeyDNS enabled. FreeBSD had this setting on by default from 2013 to 2023.

Admins should update immediately, disable VerifyHostKeyDNS, and monitor SSH traffic for anomalies.
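An added audit helper, not from the podcast, that turns the two pieces of advice above into a check: it parses an OpenSSH version banner against 9.9p2 and reads VerifyHostKeyDNS out of an ssh_config file or an `ssh -G host` dump. The host names, banners and config text at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added audit helper (not from the podcast): check a host for the two OpenSSH
# items above. Inputs are strings, so the checks work on banners and configs
# collected from an inventory as well as on the local host.

# Return 0 if an `ssh -V`/`sshd -V` banner reports OpenSSH >= 9.9p2,
# 1 if older, 2 if the banner cannot be parsed.
openssh_is_patched() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                        # major minor patchlevel
    patch=${3:-0}                      # "OpenSSH_9.9" with no pN counts as p0
    key=$(( $1 * 10000 + $2 * 100 + patch ))
    [ "$key" -ge 90902 ]               # 9.9p2 -> 90902
}

# Return 0 if VerifyHostKeyDNS is effectively enabled ("yes" or "ask") in the
# given ssh_config text or `ssh -G host` dump, 1 if it is "no" or absent.
# Like ssh itself, the first matching directive wins; comment lines are skipped.
verifyhostkeydns_enabled() {
    val=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -n 's/^[[:space:]]*verifyhostkeydns[[:space:]=][[:space:]=]*\([a-z]*\).*/\1/p' |
        head -n 1)
    case "$val" in yes|ask) return 0 ;; *) return 1 ;; esac
}

# Run both checks; print findings and return 0 only when nothing is flagged.
audit_host() {
    name=$1 banner=$2 cfg=$3 bad=0 rc=0
    openssh_is_patched "$banner" || rc=$?
    case $rc in
        1) echo "$name: OpenSSH older than 9.9p2 (CVE-2025-26465/26466): $banner"; bad=1 ;;
        2) echo "$name: could not parse OpenSSH banner: $banner"; bad=1 ;;
    esac
    if verifyhostkeydns_enabled "$cfg"; then
        echo "$name: VerifyHostKeyDNS is on; set it to 'no' (CVE-2025-26465)"; bad=1
    fi
    return $bad
}

# Constructed sample inventory (not real hosts).
PATCHED="OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024"
OLD="OpenSSH_9.5p1, OpenSSL 3.0.13 30 Jan 2024"
CFG_ON="# FreeBSD-style default from the years the briefing mentions
VerifyHostKeyDNS yes"
CFG_OFF="verifyhostkeydns no"   # as printed by: ssh -G host
audit_host "host-a" "$PATCHED" "$CFG_OFF" || true
audit_host "host-b" "$OLD" "$CFG_ON" || true
```

Distribution packages that backport the fix keep an older version string, so treat a version-only finding as a prompt to check the package changelog rather than as proof of exposure.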

Russian threat actors are exploiting Signal’s “Linked Devices” feature. 

Russian threat actors are exploiting Signal’s “Linked Devices” feature in phishing campaigns to steal access to secure conversations. Google Threat Intelligence Group (GTIG) reports that state-aligned hackers, including Sandworm (APT44), have tricked victims into scanning malicious QR codes, linking their Signal accounts to attacker-controlled devices.

Attackers disguised phishing pages as legitimate Signal group invites or device-pairing instructions. In some cases, modified JavaScript on fake invite pages redirected victims to link their accounts instead of joining a group. Ukrainian military personnel were targeted via a phishing kit impersonating Kropyva artillery software, while WAVESIGN and Infamous Chisel malware helped extract Signal data from compromised devices.

GTIG warns this device-linking attack is hard to detect and can persist unnoticed. Users should update Signal, check linked devices, use strong passwords, be cautious with QR codes, and enable two-factor authentication for better security.

Over 12,000 GFI KerioControl firewalls remain exposed to a critical remote code execution (RCE) vulnerability.

Over 12,000 GFI KerioControl firewalls remain exposed to CVE-2024-52875, a critical remote code execution (RCE) vulnerability. First discovered in December 2024, the flaw allows 1-click RCE attacks due to improper input sanitization, leading to HTTP response splitting and cross-site scripting (XSS) exploits.

Despite a December security update, over 23,800 instances were still vulnerable weeks later. Active exploitation attempts were detected early this year, targeting admin CSRF tokens. As of now, 12,229 firewalls remain exposed, mostly in Iran, the U.S., Italy, and Germany.

With a public proof-of-concept (PoC) available, even low-skilled hackers can exploit the flaw. Organizations should immediately update to version 9.4.5 Patch 2, released on January 31, 2025, for enhanced security.

CISA issued two ICS security advisories. 

CISA issued two ICS security advisories addressing critical vulnerabilities in Delta Electronics CNCSoft-G2 and Rockwell Automation GuardLogix controllers, which are widely used in manufacturing, energy, and critical infrastructure.

• Delta Electronics CNCSoft-G2 (CVE-2024-39880 to CVE-2024-39883) has memory corruption flaws that could allow remote code execution via malicious DPAX files. Users should update to v2.1.0.10 and isolate networks.

• Rockwell Automation GuardLogix (CVE-2025-24478) has a DoS vulnerability in CIP message processing, requiring firmware updates and network restrictions.

CISA urges patching, segmentation, VPN use, and intrusion detection to secure OT environments. 

Federal contractors pay $11 million in cybersecurity noncompliance fines. 

Health Net Federal Services (HNFS) and Centene Corporation will pay $11 million to settle allegations of cybersecurity noncompliance while supporting the U.S. military’s Tricare healthcare program. Prosecutors claim that between 2015 and 2018, HNFS falsely certified compliance with federal cybersecurity standards, failing to patch vulnerabilities, enforce password policies, and secure outdated hardware/software.

The settlement is part of the DOJ’s Civil Cyber-Fraud Initiative, launched in 2021 under the False Claims Act, which holds federal contractors accountable for cybersecurity failures. Similar penalties include Guidehouse Inc. ($11.3M), Penn State ($1.25M), and Georgia Tech (pending lawsuit).

DOJ officials stress that contractors handling sensitive government data must meet security obligations. Acting Assistant AG Brett Shumate warned that the DOJ will continue pursuing violations to protect national security and Americans’ privacy.

We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Steven Burnley to break down a question from N2K’s SSCP - Systems Security Certified Practitioner Practice Test. And, sweeping cybercrime reforms are unveiled by…Russia? We’ll be right back.

Welcome back. Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Steven talked about. We’ll be right back.

Sweeping cybercrime reforms are unveiled by…Russia?

And finally, Russia has unveiled sweeping cybercrime reforms, aiming to crack down on hackers with harsher penalties, asset seizures, and even public trials.

Under the new laws, hackers could face up to 15 years in prison, lose their crypto stashes, and be banned from IT jobs for a decade. Banks can freeze cybercriminals’ accounts instantly, and government agencies gain expanded surveillance powers to “protect” citizens (totally not for spying, of course).

The plan includes public trials, which officials claim will deter crime, though critics worry they could expose security weaknesses. Meanwhile, Russia is demanding faster extraditions, a move that might strain diplomatic ties with countries hesitant to send hackers back home.

Whether these measures actually reduce cybercrime or just increase state control remains to be seen—but the world is watching.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.