The CyberWire Daily Podcast 3.12.25
Ep 2263 | 3.12.25

Will Plankey lead CISA to victory?

Transcript

The White House names its nominee for CISA’s top spot. Patch Tuesday updates. Apple issues emergency updates for a zero-day WebKit vulnerability. Researchers highlight advanced MFA-bypassing techniques. North Korea's Lazarus Group targets cryptocurrency wallets and browser data. Our guest today is Rocco D’Amico of Brass Valley discussing hidden risks in retired devices and reducing data breach threats. Making sense of the skills gap paradox.

Today is Wednesday, March 12th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The White House names its nominee for CISA’s top spot.

Sean Plankey, a former cybersecurity official in the Trump administration, has been nominated to lead the Cybersecurity and Infrastructure Security Agency (CISA). His nomination is under Senate review. A U.S. Coast Guard veteran, Plankey previously served in key cybersecurity roles at the Department of Energy and National Security Council, earning a Bronze Star for offensive cyber operations in Afghanistan. Until recently, he led cybersecurity efforts at Indigo Vault.

CISA faces criticism, with some lawmakers questioning its mission scope. Supporters praise Plankey’s expertise, citing his focus on risk reduction and national security. He advocates for stricter cloud security regulations and reciprocity in cyber policy. Plankey has emphasized reducing reliance on adversarial nations for critical infrastructure. 

Meanwhile, a former CISA penetration tester claims his 100-person team was cut after Elon Musk’s DOGE unit canceled their contract. Christopher Chenoweth says DOGE also axed another red team, leaving many cybersecurity experts jobless. DOGE, a federal cost-cutting advisory group, has targeted multiple DHS contracts. Meanwhile, the EI-ISAC, a key election security initiative, shut down after DHS funding was cut, and the MS-ISAC faces similar risks. Experts warn these cuts weaken cybersecurity for elections and local governments.

Patch Tuesday updates. 

Microsoft’s March 2025 Patch Tuesday update fixes 57 vulnerabilities, including seven zero-days, six of which were actively exploited. The patches address privilege escalation, remote code execution (RCE), security bypass, and information disclosure flaws.

A critical zero-day, CVE-2025-24983, allows local attackers to gain system privileges via a race condition in the Windows Win32 Kernel. Two NTFS vulnerabilities, CVE-2025-24991 and CVE-2025-24984, let attackers extract sensitive data using a malicious USB drive. A publicly disclosed zero-day, CVE-2025-26630, is an RCE flaw in Microsoft Access.

Critical RCE vulnerabilities impact Windows Remote Desktop Services, Microsoft Office, DNS, and the Windows Subsystem for Linux. The NTFS and FAT flaws are particularly concerning as they enable malware delivery via crafted virtual hard disk files.

Security experts urge immediate patching, especially for Office vulnerabilities, to mitigate exploitation risks. Other vendors, including Cisco, Google, and Fortinet, have also issued March security updates.

Siemens and Schneider Electric have issued their March 2025 Patch Tuesday ICS security advisories, addressing multiple vulnerabilities. Schneider Electric warns of a critical flaw in EcoStruxure that allows command execution if the default password isn’t changed, along with authentication bypass and sensitive data exposure issues. Siemens patched 11 advisories, including a bootloader flaw in Sinamics S200, privilege escalation in SiPass controllers, and authentication bypass vulnerabilities in multiple products. OpenVPN and BIOS vulnerabilities were also fixed.

CISA released two ICS advisories, highlighting critical flaws in Optigo Networks capture tools and a patched Schneider Electric Uni-Telway Driver vulnerability. Security experts urge immediate updates to protect industrial systems from exploitation.

CISA has issued an urgent advisory for CVE-2025-26633, a critical vulnerability in Microsoft Windows Management Console (MMC) that allows remote code execution. Attackers exploit improper input sanitization, enabling lateral movement, data theft, or malware deployment. Federal agencies must patch by April 2, 2025, under BOD 22-01.

Microsoft released an out-of-band patch (KB5012345) on March 10, 2025. Organizations should apply updates immediately, restrict MMC access via firewall rules, and monitor for exploitation. Systems with exposed MMC services are at high risk.

While not confirmed in ransomware attacks, its network-based attack vector makes it dangerous. CISA urges private organizations to prioritize patching and adopt zero-trust architectures to protect against future threats.

Apple issues emergency updates for a zero-day WebKit vulnerability. 

Apple has issued emergency security updates to patch CVE-2025-24201, a zero-day WebKit vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write issue, allows malicious web content to escape the Web Content sandbox, potentially enabling unauthorized actions.

The update affects iOS, iPadOS, macOS, Safari, visionOS, and tvOS. Apple warns that the vulnerability was used in sophisticated attacks on older iOS versions. This is Apple’s third zero-day fix in 2025, following similar patches in January and February.

Users should update immediately to mitigate risks, as Apple has not disclosed attacker details or targets.

Researchers highlight advanced MFA-bypassing techniques. 

Adversaries are exploiting advanced MFA-bypassing techniques to gain unauthorized access to accounts, manipulating authentication workflows rather than breaking authentication factors. Researchers at Quarkslab discovered that attackers exploit timing vulnerabilities and session token manipulation to trick systems into believing MFA was successfully completed.

A particularly dangerous technique involves intercepting and modifying authentication response data, injecting JavaScript code to alter session flags before MFA verification is finalized. These attacks are hard to detect, leaving minimal forensic evidence, and often appear as legitimate authentication events.

The vulnerability primarily affects systems that separate authentication and resource servers, creating gaps attackers exploit during network latency or error conditions. Experts recommend continuous MFA validation and cryptographically signed session tokens to prevent unauthorized modifications. Users should monitor accounts for suspicious activity despite MFA being enabled.

North Korea's Lazarus Group targets cryptocurrency wallets and browser data. 

Researchers have identified six malicious npm packages linked to the Lazarus Group, a North Korean hacking collective. These typosquatting packages, downloaded 330 times, aim to steal credentials, deploy backdoors, and extract cryptocurrency data. The Socket Research Team linked this attack to previous Lazarus supply chain operations seen on npm, GitHub, and PyPI.

The malware targets cryptocurrency wallets (Solana, Exodus) and browser-stored data (Chrome, Brave, Firefox). It also loads BeaverTail and InvisibleFerret backdoors. All six packages remain active, and developers are urged to scrutinize dependencies for suspicious activity.

Making sense of the skills gap paradox. 

And finally, the tech industry finds itself in a bizarre paradox: IT leaders can’t find skilled workers, yet graduates in computer science and data science can’t land jobs. It’s like a dating app where everyone swipes left.

The issue? Employers want “job-ready” recruits but don’t want to train them. Automated hiring systems favor keyword-stuffed resumes, entry-level jobs demand senior-level experience, and companies lean on underpaid interns instead of hiring full-time staff. Meanwhile, cybersecurity teams are especially guilty—31% employ no entry-level pros at all.

Post-COVID layoffs flooded the job market with experienced workers, making things even harder for fresh grads. Plus, budgets are tight, salaries uncompetitive, and companies are “hoarding” trusted employees instead of hiring new ones.

Software development, cloud, AI, and cybersecurity are in demand, but not if you want fair pay. It’s not all bad news: the data shows that for graduates, this hiring freeze might be temporary. For employers, the skills gap is here to stay.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.