The CyberWire Daily Podcast 2.24.25
Ep 2251 | 2.24.25

Can the U.S. keep up in cyberspace?

Transcript

Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace. Australia orders government entities to remove and ban Kaspersky products. FatalRAT targets industrial organizations in the APAC region. A major cryptocurrency exchange reports the theft of $1.5 billion in digital assets. Apple removes end-to-end encryption (E2EE) for iCloud in the UK. Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility. A PayPal email scam is tricking users into calling scammers. Republican leaders in the House request public input on national data privacy standards. A Michigan man faces charges for his use of the Genesis cybercrime marketplace. Our guest is Karl Sigler, Senior Security Research Manager from Trustwave SpiderLabs, explaining the domino effect of a cyberattack on the power grid. Meta sues an Insta Extortionist.

Today is Monday February 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Retired Gen. Paul Nakasone warns the U.S. is falling behind in cyberspace. 

Retired Gen. Paul Nakasone warned that the U.S. is falling behind in cyberspace, with adversaries expanding their capabilities. Speaking over the weekend at DistrictCon in Washington DC, he cited Chinese-backed breaches and ransomware attacks as evidence of weak cybersecurity. He also expressed concern about cyber operations causing physical damage, predicting future attacks could disable platforms through digital means.

Nakasone, now at Vanderbilt University, highlighted AI’s role in cyber offense, including autonomous targeting by AI-powered drones. He questioned the limits of AI-driven cyber weapons and their ability to bypass defenses.

He endorsed a more aggressive U.S. cyber strategy, citing past Cyber Command operations against Russian and Iranian hackers. He emphasized “persistent engagement” to keep cyber enemies in check.

Nakasone stressed the need for top cyber talent, warning of recruitment challenges due to past government actions. He acknowledged ongoing Cyber Command reforms but avoided direct criticism of political leadership changes, stating that presidents choose their own advisers.

Australia orders government entities to remove and ban Kaspersky products. 

Australia has ordered government entities to remove and ban Kaspersky products, citing security risks. The order, issued by the Department of Home Affairs, requires all federal systems to eliminate Kaspersky software by April 1. Though no specifics were provided, the move aligns with concerns over Russian government influence on the company.

The decision follows a similar U.S. ban, which began in 2017 and expanded in 2024, leading Kaspersky to exit the U.S. market. The company sold its U.S. customer base to UltraAV, though the transition faced issues.

While Australia previously monitored U.S. actions without immediate restrictions, it has now joined other countries in barring Kaspersky from government networks. Several European nations have already blocked the company’s products for years. Kaspersky has yet to comment on Australia’s decision.

FatalRAT targets industrial organizations in the APAC region. 

Meanwhile, according to researchers with Kaspersky ICS CERT, Chinese-speaking hackers are targeting industrial organizations across the Asia-Pacific (APAC) region with the FatalRAT remote access trojan (RAT). The cyberespionage campaign exploits legitimate Chinese cloud services, including Youdao Cloud Notes and Tencent Cloud, to evade detection.

The attacks focus on manufacturing, energy, IT, and logistics sectors in Taiwan, China, Japan, Thailand, and Singapore. Hackers distribute phishing emails and WeChat/Telegram messages disguised as tax documents to deliver malware. The infection process involves multiple evasion techniques, including DLL sideloading and anti-virtual machine checks.

FatalRAT logs keystrokes, exfiltrates data, and allows remote execution of destructive commands like MBR corruption. Kaspersky warns of risks to operational technology (OT) systems and advises network segmentation, DLL sideloading monitoring, and blocking known indicators of compromise (IoCs).

A major cryptocurrency exchange reports the theft of $1.5 billion in digital assets. 

Bybit, a major cryptocurrency exchange, reported a cyberattack that led to the theft of $1.5 billion in digital assets. Hackers exploited a vulnerability in the smart contract logic, gaining control of an ETH cold wallet and transferring over 400,000 ETH and stETH. The attack may have involved a flaw in the Safe.global platform’s user interface.

Despite a surge in withdrawal requests, Bybit assured users their funds remained secure. CEO Ben Zhou stated the exchange is solvent and can cover the loss with its $20 billion in assets if needed.

The attack comes amid rising crypto-related cybercrime, with Chainalysis reporting $2.2 billion stolen in 2024—a 20% increase from the previous year.

Apple removes end-to-end encryption (E2EE) for iCloud in the UK. 

Apple has removed end-to-end encryption (E2EE) for iCloud in the UK following secret data access demands from the government under the Investigatory Powers Act (IPA), also known as the ‘Snooper’s Charter’. Security and consumer rights experts are calling for lawmakers to hold the government accountable.

Apple argues that creating an E2EE backdoor for the government would compromise all users’ security. Instead, it removed the Advanced Data Protection (ADP) feature for UK customers, disappointing privacy advocates. Experts warn this decision could weaken the UK’s data security reputation and impact data flows with the EU.

Critics say the move sets a dangerous precedent, emboldening other governments to demand similar access. Some warn it could lead to compliance issues for businesses operating in Europe and even threaten the UK’s data-sharing agreement with the US.

Researchers uncover a LockBit ransomware attack exploiting a Windows Confluence server. 

Security researchers at The DFIR Report have uncovered a LockBit ransomware attack that exploited CVE-2023-22527 in a Windows Confluence server. The attackers gained initial access through a remote code execution (RCE) vulnerability, quickly deploying Mimikatz, Metasploit, and AnyDesk to escalate privileges and move laterally across the network via RDP.

They used Rclone to exfiltrate data to MEGA.io before executing the ransomware. PDQ Deploy was leveraged to automate the spread of LockBit across critical systems, ensuring widespread encryption. The entire attack—from initial compromise to ransomware deployment—was completed in just two hours.

The researchers emphasize the importance of patching Confluence vulnerabilities, monitoring network activity, and restricting remote access to prevent similar intrusions. This case underscores the growing sophistication and speed of ransomware operations targeting unpatched enterprise applications.

Researchers uncover zero-day vulnerabilities in a widely used cloud logging utility.

Security researchers at Tenable uncovered zero-day vulnerabilities in Fluent Bit, a widely used logging utility embedded in cloud platforms like AWS, Google Cloud, and Microsoft Azure. The flaws, CVE-2024-50608 and CVE-2024-50609 (CVSS 8.9), stem from null pointer dereference weaknesses in the Prometheus Remote Write and OpenTelemetry plugins, exposing billions of production environments to cyber threats.

Attackers can crash Fluent Bit servers or leak sensitive data using simple HTTP requests. These vulnerabilities affect Kubernetes deployments, enterprise logging systems, and compliance workflows, with major users including Cisco, Splunk, and VMware.

Patches are available in v3.0.4 and v2.2.3, but unpatched systems remain at high risk. Experts urge immediate updates, API access restrictions, and security audits to prevent widespread service disruptions and data leaks.

A PayPal email scam is tricking users into calling scammers. 

A PayPal email scam is tricking users into calling scammers by sending fake purchase confirmations from PayPal’s legitimate email address (service@paypal.com). The scam exploits PayPal’s address settings, allowing attackers to insert fraudulent messages into the “Address 2” field. Victims receive an email stating that their shipping address has changed for a MacBook purchase and are urged to call a fake PayPal support number.

Once on the call, scammers convince victims to install remote access software, enabling theft of funds, data, or malware deployment. The emails bypass security filters because they originate directly from PayPal’s servers.

Users are advised to ignore the email, verify their account directly via PayPal, and not call the provided number. Experts recommend PayPal limit character input in address fields to prevent abuse.

Republican leaders in the House request public input on national data privacy standards. 

Republican leaders on the House Energy and Commerce Committee, Brett Guthrie (R-Ky.) and John Joyce (R-Pa.), are requesting public input on how to develop national data privacy and security standards. They issued a Request for Information to guide legislation that would protect Americans’ digital data across various services.

The lawmakers acknowledged the challenges posed by rapid technological advancements and conflicting state and federal laws. Their request seeks insights on data collection transparency, user consent, and lessons from international privacy laws. They also want input on how a federal privacy law would interact with existing regulations like HIPAA, FCRA, and COPPA.

Congress has long debated digital privacy legislation, but past efforts have failed due to political disagreements. The public can submit responses by April 7 to PrivacyWorkingGroup@mail.house.gov. Lawmakers hope to finally establish baseline privacy protections, similar to those in other Western nations.

A Michigan man faces charges for his use of the Genesis cybercrime marketplace. 

The US Justice Department has charged Andrew Shenkosky, 29, for purchasing 2,500 stolen login credentials from the Genesis Market cybercrime marketplace in 2020. Authorities say he used stolen credentials to steal money from a bank account and attempted to sell data on RaidForums, a now-dismantled cybercrime site.

Shenkosky faces charges including wire fraud and identity theft. His arraignment hearing is this week. The Genesis Market, seized by the FBI in April 2023, had provided cybercriminals access to stolen credentials. While 120 people were arrested, the site’s administrators remained at large, and its dark web presence later disappeared.

The Justice Department previously charged a Buffalo police detective for buying stolen credentials from the site.

After the break, I spoke with Trustwave SpiderLabs’ Karl Sigler about the domino effect of a cyberattack on the power grid. And, Meta sues a prolific Instagram extortionist. 

We’ll be right back.

Welcome back. You can find a link in our show notes to the report Karl Sigler and I discussed.

Meta sues an Insta Extortionist. 

And finally, imagine paying rent on your own Instagram account. That’s basically what Idriss Qibaa was making people do—until Meta decided enough was enough. The company is suing Qibaa, accusing him of running an extortion ring called “Unlocked 4 Life,” where he banned and unbanned Instagram accounts for profit. And he wasn’t shy about it—he bragged on the No Jumper podcast that he had over 200 “subscribers” and raked in $600,000 a month.

But Qibaa wasn’t just scamming influencers—he allegedly sent death threats, racial slurs, and even pictures of bloodied victims to those who didn’t comply. He even demanded $20,000 from one victim to stop harassing her.

Qibaa’s “Unlocked 4 Life” scheme worked by gaming Instagram’s reporting system to ban and unban accounts at will. Here’s how he allegedly did it:

Qibaa would submit false reports claiming that a target’s Instagram account violated the platform’s rules (e.g., impersonation, hate speech, nudity, or other violations).

Instagram’s automated moderation system often acted swiftly, disabling accounts the same day based on these reports.

After getting an account banned, Qibaa would offer to “help” restore it—for a price.

Victims who paid his fee would see their accounts reinstated, while those who refused faced threats, harassment, and continued account takedowns.

Meta hit back in February 2024 with a cease-and-desist, banning his accounts. But Qibaa, ever the entrepreneur, just made new ones.

Essentially, Qibaa weaponized Instagram’s own enforcement system against its users, turning a security feature into an extortion racket.

Now, Meta is suing him. Let’s hope Meta’s legal team proves harder to evade than their AI moderators. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.