The CyberWire Daily Podcast 2.20.25
Ep 2249 | 2.20.25

No rest for the patched.

Transcript

The CISA and FBI warn that Ghost ransomware has breached organizations in over 70 countries. President Trump announces his pick to lead the DOJ’s National Security Division. A new ransomware strain targets European healthcare organizations. Researchers uncover four critical vulnerabilities in Ivanti Endpoint Manager. Microsoft has patched a critical improper access control vulnerability in Power Pages. The NSA updates its Ghidra reverse engineering tool. A former U.S. Army soldier admits to leaking private call records. Our guest is Stephen Hilt, senior threat researcher at Trend Micro, sharing the current state of the English cyber underground market. The pentesters’ breach was simulated — their arrest was not.

Today is Thursday February 20th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The CISA and FBI warn that Ghost ransomware has breached organizations in over 70 countries. 

The CISA and FBI warn that Ghost ransomware has breached organizations in over 70 countries, targeting critical infrastructure, healthcare, government, education, technology, and manufacturing. Active since 2021, Ghost exploits outdated software vulnerabilities, including Fortinet, ColdFusion, and Exchange flaws.

Ghost ransomware operators frequently change their malware, ransom notes, and email contacts, making attribution difficult. The group, also known as Cring, Crypt3r, Phantom, and others, uses publicly available exploits to infiltrate systems.

Defensive measures include regular backups, prompt patching, network segmentation, and phishing-resistant MFA. Ghost attackers have previously used Mimikatz, Cobalt Strike, and CertUtil to evade detection. The advisory provides indicators of compromise (IOCs) and tactics to help defenders mitigate threats. Fortinet users were repeatedly warned to patch vulnerabilities, but Ghost continues to exploit them.

President Trump announces his pick to lead the DOJ’s National Security Division. 

Former Trump White House legal adviser John Eisenberg is set to be nominated to lead the DOJ’s National Security Division, which oversees terrorism, cyber-espionage, and FISA surveillance. Eisenberg was a key figure in Trump’s first impeachment, handling the Ukraine phone call that sparked the inquiry. He reportedly ordered the call’s recording into a classified system, though he denied it.

Eisenberg’s nomination is highly relevant to cybersecurity, as he would oversee cybercrime investigations and foreign cyber threats. The division plays a crucial role in combating nation-state hackers, ransomware groups, and espionage operations. He is also expected to face scrutiny over FISA’s Section 702, a critical foreign surveillance tool under debate for renewal.

With recent leadership shake-ups in the division, Eisenberg’s appointment signals Trump’s intent to install loyalists in key national security roles ahead of potential cyber policy shifts.

Meanwhile, Katie Arrington, a Trump ally and former DoD cybersecurity official, has been appointed as the Department of Defense (DoD) Chief Information Security Officer (CISO). Her return to the Pentagon is unexpected, given her 2021 suspension over allegations of disclosing classified information—claims she disputes, arguing that Biden appointees forced her out due to her Trump ties.

Arrington, previously a champion of the Cybersecurity Maturity Model Certification (CMMC) program, now faces major budget cuts that could hinder cyber defense initiatives. With an 8% defense budget reduction, concerns grow that cybersecurity programs may be deprioritized. Experts warn that staff cuts could threaten the implementation of CMMC, crucial for securing defense contractors.

Her role is critical in advancing zero trust security and ensuring stronger cyber hygiene practices, but funding and personnel shortages could limit progress.

A new ransomware strain targets European healthcare organizations. 

A new ransomware strain, NailaoLocker, has been used in attacks against European healthcare organizations between June and October 2024. The attackers exploited a Check Point Security Gateway vulnerability (CVE-2024-24919) to gain access and deploy malware linked to Chinese state-sponsored groups.

Though relatively unsophisticated, NailaoLocker encrypts files with AES-256-CTR and drops a ransom note without mentioning data theft. Analysts suggest this could be a false flag, a mix of espionage and extortion, or state-backed hackers moonlighting for profit—a shift in Chinese cyber tactics.

Researchers uncover four critical vulnerabilities in Ivanti Endpoint Manager. 

Horizon3.ai has disclosed four critical vulnerabilities in Ivanti Endpoint Manager (EPM), tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS 9.8). These path traversal flaws, patched in January 2025, can be exploited by unauthenticated attackers to coerce machine account credentials, enabling relay attacks that could lead to server compromise.

Attackers can use these flaws to gain domain admin privileges and compromise all connected EPM clients. Ivanti initially released a patch that caused issues, followed by a second update. Organizations should install the latest fix to mitigate the risk.

Microsoft has patched a critical improper access control vulnerability in Power Pages. 

Microsoft has patched CVE-2025-24989, a critical improper access control vulnerability in Power Pages, its low-code SaaS platform for business websites. The flaw, already exploited in attacks, allows attackers to elevate privileges and bypass user registration controls.

Microsoft automatically mitigated the issue and notified affected customers, advising them to review their sites for signs of compromise. No additional patch installation is needed. The company has not disclosed details on the attacks. This follows recent research on misconfigured Power Pages exposing sensitive data.

The NSA updates its Ghidra reverse engineering tool. 

The NSA has released Ghidra 11.3, a major update to its open-source Software Reverse Engineering (SRE) framework, introducing advanced debugging, faster emulation, and improved integrations for cybersecurity professionals. Key enhancements include kernel-level analysis tools, cross-platform debugging, and collaborative workflows, making Ghidra even more effective for analyzing malware and vulnerabilities.

The update enhances low-level debugging with TraceRMI connectors, supports macOS kernel debugging via LLDB, and improves Windows kernel analysis using Microsoft’s eXDI framework. This is crucial for reverse-engineering advanced persistent threats (APTs) that manipulate the kernel to evade detection.

Ghidra 11.3 also replaces Eclipse-based tooling with Visual Studio Code integration, accelerates p-code emulation via JIT compilation, and improves binary visualization and processor support. Security teams can now analyze modern cryptographic algorithms, IoT firmware, and complex malware more efficiently.

A former U.S. Army soldier admits to leaking private call records. 

U.S. Army soldier Cameron John Wagenius has admitted to leaking private call records from AT&T and Verizon. He intends to plead guilty to two counts of unlawfully transferring confidential phone records, without a plea deal. Prosecutors suspect Wagenius is Kiberphant0m, a hacker who allegedly compromised at least 15 telecom firms and threatened to leak U.S. government call logs.

Authorities also link Wagenius to a major extortion scheme involving stolen data from 150 Snowflake cloud accounts. He was allegedly recruited by Alexander “Connor” Moucka and John Binns, who extorted $2 million from AT&T, Ticketmaster, and others. After Binns’ arrest, Kiberphant0m threatened further leaks unless AT&T negotiated.

Wagenius faces up to 20 years in prison. Moucka and Binns, arrested in Canada and Turkey, await extradition on multiple fraud and hacking charges.


Next up, I’ve got Stephen Hilt, senior threat researcher at Trend Micro, talking about the current state of the English cyber underground market. And, pentesters get arrested for breaking into a building. We’ll be right back.

Welcome back.

The pentesters’ breach was simulated — their arrest was not. 

And finally, two penetration testers from Threat Spike Labs learned the hard way that miscommunication can be more dangerous than actual hacking. During a simulated breach at a corporate office in Malta, the duo successfully gained unauthorized access, stole a master key card, and retrieved sensitive data—all part of an approved security assessment.

But then, things took a turn. The general manager who authorized the test panicked and called the police, convinced that real criminals were at work. Despite waving their authorization documents like a backstage pass at a concert, the testers were arrested and hauled in for questioning.

Later, Curt Hems reflected on the experience: “Penetration tests don’t always end with a report—sometimes they end with flashing lights and handcuffs.”

Lesson learned? Tell law enforcement about security tests before they happen. Ironically, the security test worked—the company’s response was swift, even if it resulted in unnecessary arrests.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.