The CyberWire Daily Podcast 2.26.25
Ep 2253 | 2.26.25

Hacked in plain sight.

Transcript

A major employee screening provider discloses a data breach affecting over 3.3 million people. Signal considers exiting Sweden over a proposed law that would give police access to encrypted messages. House Democrats call out DOGE’s negligent cybersecurity practices. Critical vulnerabilities in Rsync allow attackers to execute remote code. A class action lawsuit claims Amazon violates Washington State’s privacy laws. CISA warns that attackers are exploiting Microsoft’s Partner Center platform. A researcher discovers a critical remote code execution vulnerability in MITRE’s Caldera security training platform. An analysis of CISA’s JCDC AI Cybersecurity Collaboration Playbook. Ben Yelin explains Apple pulling iCloud end-to-end encryption in response to the UK Government. A Disney employee’s cautionary tale. 

Today is Wednesday February 26th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major employee screening provider discloses a data breach affecting over 3.3 million people.

Texas-based DISA Global Solutions, a major employee screening provider, has disclosed a data breach affecting over 3.3 million people. DISA, which serves 55,000 customers with background checks and drug testing, reported that hackers accessed its systems from February 9 to April 22, 2024. The breach exposed names, Social Security numbers, driver’s licenses, financial data, and more. DISA conducted an extensive review to identify affected individuals and is offering one year of free credit monitoring. The company has not found evidence of data misuse and has not confirmed if ransomware was involved. No cybercriminal group has claimed responsibility.

House Democrats call out DOGE’s negligent cybersecurity practices. 

House Democrats have urged President Trump to halt Elon Musk’s Department of Government Efficiency (DOGE) due to “negligent cybersecurity practices” that could expose sensitive federal systems to cyber threats. Lawmakers warned that DOGE’s reckless actions, including accessing networks at the Treasury, Office of Personnel Management, and Energy Department’s nuclear programs, have created security risks. Many DOGE members lack government experience and have disrupted agencies, prompting legal challenges and congressional outcry. A group of 21 DOGE employees, formerly from the U.S. Digital Service, resigned in protest, refusing to compromise government security. Lawmakers, led by Rep. Gerry Connolly, have requested a briefing by March 11 to assess cybersecurity violations. 

Meanwhile, a U.S. District Court judge blocked Elon Musk’s DOGE team from accessing Treasury payment systems, citing a rushed and flawed approval process under the Trump administration. Judge Jeannette Vargas ruled that Democratic attorneys general were likely to succeed in proving Treasury acted illegally. She criticized the agency’s “chaotic” handling of security risks and noted serious lapses in training and oversight. 

Signal considers exiting Sweden over a proposed law that would give police access to encrypted messages. 

Signal is considering exiting Sweden over a proposed law that would allow police to access encrypted messages retrospectively. Signal CEO Meredith Whittaker stated that complying would require breaking encryption, undermining the app’s core purpose. If passed, the law would take effect in 2026.

Sweden’s police and security services support the bill, but the Swedish Armed Forces oppose it, warning it would introduce security vulnerabilities. Brigadier General Mattias Hanson even endorsed Signal for non-classified military communications.

This follows a similar standoff in the UK, where Signal and Meta opposed encryption backdoors in the Online Safety Act, leading the government to back down. Recently, the UK also pressured Apple to remove iCloud end-to-end encryption. Security experts warn that such government demands undermine global cybersecurity and user privacy.

Critical vulnerabilities in Rsync allow attackers to execute remote code. 

Critical vulnerabilities in Rsync versions 3.2.7 and earlier allow attackers to execute remote code, exfiltrate sensitive data, and bypass security controls. The most severe flaw (CVE-2024-12084) is a heap buffer overflow in checksum handling, enabling memory corruption. Attackers can also bypass Address Space Layout Randomization (ASLR) (CVE-2024-12085) and exfiltrate client files (CVE-2024-12086) using checksum brute-forcing.

Additionally, symbolic link exploits (CVE-2024-12087/12088) allow attackers to evade Rsync’s --safe-links protection. Combining these flaws enables full remote code execution, with researchers demonstrating exploitation on Debian 12’s Rsync 3.2.7 daemon.

Users must immediately upgrade to Rsync 3.4.0, which patches these issues by implementing stricter bounds checking, stack buffer initialization, and improved path sanitization. Administrators should disable anonymous access and enforce --safe-links for untrusted connections to prevent breaches.

A class action lawsuit claims Amazon violates Washington State’s privacy laws. 

A proposed federal class action lawsuit alleges Amazon’s software development kit (SDK) illegally collects and sells sensitive user data, violating Washington’s My Health My Data Act (MHMD). Plaintiff Cassaundra Maxwell claims Amazon’s SDK, embedded in thousands of mobile apps, tracks location and biometric data without user consent. Filed on Feb. 20, this is the first lawsuit invoking the MHMD Act since it took full effect in 2024.

Maxwell alleges Amazon’s data collection could reveal health-related searches or visits. The lawsuit seeks damages, penalties, and injunctive relief. Amazon denies the claims, stating it prohibits partners from sharing health or precise location data and discards any mistakenly received information.

Legal experts predict more lawsuits under the MHMD Act, with implications for healthcare and app developers. 

CISA warns that attackers are exploiting Microsoft’s Partner Center platform. 

CISA issued an urgent advisory warning that attackers are exploiting a critical privilege escalation flaw (CVE-2024-49035) in Microsoft’s Partner Center platform. The vulnerability allows unauthenticated attackers to gain elevated privileges, potentially accessing sensitive data and spreading malware. Initially rated 8.7 CVSS, it was later upgraded to 9.8 due to its severity.

Microsoft has patched the issue automatically, but CISA mandates federal agencies to apply updates by March 18. Organizations are urged to enforce network segmentation, audit access controls, and adopt zero-trust principles. The flaw’s impact on Microsoft’s partner ecosystem raises supply chain security concerns. CISA advises businesses to follow cloud security best practices and monitor Microsoft advisories.

A researcher discovers a critical remote code execution vulnerability in MITRE’s Caldera security training platform. 

A critical remote code execution (RCE) vulnerability (CVE-2025-27364) in MITRE’s Caldera security training platform has been discovered, affecting all versions since 2017 except the latest patched releases (5.1.0+). Security researcher Dawid Kulikowski urges users to update immediately, as the flaw allows attackers to hijack the platform remotely, particularly in default configurations.

Caldera, widely used for adversary emulation, relies on Go, Python, and GCC—conditions often met in real-world setups. The vulnerability exploits an unauthenticated API endpoint, allowing attackers to manipulate Manx and Sandcat agents via crafted HTTPS requests. Developers were aware the endpoint lacked authentication, heightening the risk.

Kulikowski published a partial proof of concept (PoC) while omitting key details to prevent easy exploitation. Users should apply patches or restrict access to prevent unauthorized attacks.

An analysis of CISA’s JCDC AI Cybersecurity Collaboration Playbook.

In an editorial for CyberScoop, cybersecurity expert Sam Kinch discusses the growing threat of AI-driven cyberattacks and the importance of the JCDC AI Cybersecurity Collaboration Playbook, recently released by CISA. Kinch is currently an executive client adviser at Tanium, and previously served as director of the Department of Homeland Security’s technical security team and as senior executive to the commander at U.S. Cyber Command. He argues that as adversaries weaponize AI, defenders must respond in kind, leveraging AI for security while improving coordination between public and private sectors.

Kinch praises the playbook’s focus on operational collaboration, highlighting its structured information-sharing checklist and improved coordination between federal, private, and international partners. However, he warns that delays in intelligence-sharing, particularly between DHS and other federal agencies, could hinder rapid response efforts.

He emphasizes that trust is key to successful cybersecurity collaboration, urging clearer protocols and stronger protections for private-sector partners hesitant to share threat data. While commending CISA’s proactive approach, Kinch stresses that industry leaders must take responsibility for implementing and refining the playbook to strengthen national AI-driven cybersecurity defenses.

Next up, we are joined by my Caveat podcast co-host Ben Yelin to discuss Apple pulling iCloud end-to-end encryption at the request of the UK Government. And, a Disney employee’s cautionary tale. We’ll be right back.

Welcome back.

A Disney employee’s cautionary tale. 

And finally, the Wall Street Journal chronicles how Disney employee Matthew Van Andel’s life fell apart because of a simple mistake—downloading an AI tool from GitHub. A software development manager, he thought he was experimenting with AI-generated images. Instead, he unknowingly installed malware that gave a hacker full access to his computer, including his Disney login credentials.

For months, the hacker lurked undetected, collecting Van Andel’s passwords and session cookies. Then, in July 2024, a chilling message arrived on Discord. A stranger knew about a private conversation Van Andel had at lunch with coworkers—details no outsider should have. Minutes later, Disney’s internal Slack messages began appearing online. The hacker had used Van Andel’s credentials to breach the company’s systems, leaking 44 million sensitive messages, including private customer data, employee passport numbers, and financial reports.

Disney’s cybersecurity team scrambled to contain the fallout, but the damage was done. Meanwhile, Van Andel’s personal nightmare worsened. The hacker drained his bank accounts, stole his Social Security number, and even accessed his home security cameras. His private information was dumped online, leaving him exposed to identity theft.

Then came another blow: Disney fired him. The company’s forensic review claimed he had accessed pornography on his work device, an allegation he vehemently denies. “It’s impossible to convey the sense of violation,” he said.

The incident highlights the growing dangers of AI-driven cyber threats. Hackers are increasingly using infostealers—malicious software hidden inside downloads—to collect credentials, which are then resold on the dark web. Stolen credentials were behind nearly 40% of cyber intrusions in 2024, up from just 20% the year before.

Van Andel’s story is a cautionary tale for both individuals and corporations. As companies expand remote work and AI adoption, attackers are finding new ways to exploit unsuspecting users. One careless download was all it took to bring down a Disney employee—and compromise an entire company’s security.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.