
Tomcat got your server?
An Apache Tomcat vulnerability is under active exploitation. CISA rehires workers ousted by DOGE. Lawmakers look to protect rural water systems from cyber threats. Western Alliance Bank notifies 22,000 individuals of a data breach. A new cyberattack method called BitM allows hackers to bypass multi-factor authentication. A Chinese cyberespionage group targets Central European diplomats. A new cyberattack uses ChatGPT infrastructure to target the financial sector and U.S. government agencies. Australia sues a major securities firm over inadequate protection of customer data. Our Threat Vector segment examines how unifying security capabilities strengthens cyber resilience. Cybercriminals say, “Get me Edward Snowden on the line!”
Today is Tuesday March 18th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
An Apache Tomcat vulnerability is under active exploitation.
A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited. The flaw, disclosed on March 10, 2025, allows attackers to gain control of servers via a simple PUT request. Exploits appeared on GitHub just 30 hours after disclosure.
Attackers upload base64-encoded payloads via a PUT request, then trigger execution with a GET request using a JSESSIONID cookie. Security tools struggle to detect this due to encoded payloads and multi-step execution.
Apache urges immediate updates to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. Meanwhile, organizations should disable partial PUT support and restrict sensitive file storage.
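The two-step pattern just described (a partial PUT, then a GET from the same client carrying a JSESSIONID cookie) is easier to spot if the access log records the headers involved. The script below is an added example for this briefing, not code from Apache or from the researchers cited; it assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"` (not Tomcat's default), and the log lines it runs on are constructed for the example.

```python
"""Flag partial-PUT-then-GET sequences in Tomcat access logs (added example).

Assumed AccessLogValve pattern (NOT Tomcat's default):
    %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
Tomcat writes "-" for a header that was not sent, so a non-"-" Content-Range
on a PUT marks a partial PUT, the feature the advisory recommends disabling.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: one PUT/GET pair from a single client, plus a
# normal session and a full (non-partial) PUT that should not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 [18/Mar/2025:10:00:01 +0000] "PUT /app/uploads/x.txt HTTP/1.1" 204 "bytes 0-1023/1024" "-"',
    '203.0.113.7 [18/Mar/2025:10:00:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=5A1B2C3D"',
    '198.51.100.4 [18/Mar/2025:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=9F8E7D6C"',
    '198.51.100.4 [18/Mar/2025:10:01:05 +0000] "PUT /app/docs/a.txt HTTP/1.1" 201 "-" "-"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (client_ip, put_path, get_path) for every partial PUT that is
    followed within `window` by a GET from the same client presenting a
    JSESSIONID cookie. Partial PUTs are remembered per client IP."""
    partial_puts = defaultdict(list)
    findings = []
    for event in (parse_line(l) for l in lines):
        if event is None:
            continue
        if event["method"] == "PUT" and event["crange"] not in ("", "-"):
            partial_puts[event["ip"]].append(event)
        elif event["method"] == "GET" and "JSESSIONID=" in event["cookie"]:
            for put in partial_puts[event["ip"]]:
                if timedelta(0) <= event["ts"] - put["ts"] <= window:
                    findings.append((event["ip"], put["path"], event["path"]))
    return findings


if __name__ == "__main__":
    for ip, put_path, get_path in find_suspicious(SAMPLE_LOG):
        print(f"partial PUT {put_path} then GET {get_path} from {ip}")
```

A hit is a reason to look, not proof of compromise: legitimate WebDAV clients also issue partial PUTs, so the real control is the upgrade and disabling partial PUT where it is not needed. The value of the correlation is that a single partial PUT against a server that should never accept them is already worth an alert, and the GET-with-session follow-up raises the priority.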
CISA rehires workers ousted by DOGE.
The Cybersecurity and Infrastructure Security Agency (CISA) is rehiring roughly 130 probationary employees ousted under President Donald Trump’s workforce purge but is immediately placing them on administrative leave. The move follows a ruling by U.S. District Judge James Bredar, which the White House vowed to fight.
Trump criticized the decision, calling it “dangerous”, while experts warn the mass firings threaten national security. CISA faces internal confusion over the ruling and is trying to contact impacted employees.
The agency has also defunded cybersecurity hubs and defended workforce cuts as eliminating duplication. Critics, including former NSA official Rob Joyce, say these actions weaken U.S. cybersecurity. The White House and key agencies have not responded to requests for comment.
Lawmakers look to protect rural water systems from cyber threats.
Elsewhere in Washington, lawmakers have reintroduced the Cybersecurity for Rural Water Systems Act of 2025, a bipartisan bill aimed at protecting rural water systems from cyber threats. Sponsored by Reps. Don Davis (D-NC) and Zachary Nunn (R-IA) and Sens. Catherine Cortez Masto (D-NV) and Mike Rounds (R-SD), the bill expands the Circuit Rider Program to include cybersecurity assistance for small water utilities serving populations under 10,000.
The bill funds cybersecurity specialists, known as Circuit Riders, who will train rural utilities, assist in cyber defense planning, and improve threat response. Only 20% of U.S. water systems currently have cyber protections, making this legislation critical. Though initially introduced in 2023, it failed to pass but is now gaining renewed support in 2025.
Western Alliance Bank notifies 22,000 individuals of a data breach.
Western Alliance Bank is notifying 22,000 individuals of a data breach involving a third-party file transfer tool exploited in October 2024. The breach exposed names, Social Security numbers, birthdates, and financial details.
The Cl0p extortion group exploited Cleo file transfer vulnerabilities (CVE-2024-50623 & CVE-2024-55956), impacting dozens of organizations. Western Alliance confirmed the breach after stolen data appeared online in January 2025.
Despite the incident, the bank says it won’t affect its financial condition. Affected individuals receive one year of identity protection.
A new cyberattack method called BitM allows hackers to bypass multi-factor authentication.
A new cyberattack method called Browser-in-the-Middle (BitM) allows hackers to bypass multi-factor authentication (MFA) and steal user sessions in seconds. This technique hijacks authenticated browser sessions, making it a major threat to organizations relying on traditional security measures.
BitM attacks proxy victims through an attacker-controlled browser, mimicking legitimate sites. Users unknowingly enter credentials and complete MFA challenges, allowing attackers to steal session tokens. Tools like Evilginx2 and Delusion enable real-time session hijacking and scalable phishing campaigns.
Experts say hardware-based authentication—things like FIDO2 security keys—is one of the best defenses because it ties authentication to a physical device. No device? No access. Behavioral monitoring and client certificates help too. And, of course, good old-fashioned security awareness training can go a long way.
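The reason a FIDO2 key holds up against a browser-in-the-middle proxy is origin binding: the browser, not the web page, writes the site's origin into the signed client data, and the server rejects an assertion whose origin is not its own, so a login completed through a look-alike proxy produces a signature the real site will not accept. The snippet below is an added illustration for this briefing, not code from any of the vendors or tools mentioned; the relying-party origin, the challenge handling and the stand-in for what a browser embeds are assumptions, and it models only the server-side checks on clientDataJSON (the signature check over the authenticator data is assumed to follow and is left out).

```python
"""Relying-party side of WebAuthn origin binding (added example, not from the page).

Models the checks a server applies to clientDataJSON before verifying the
authenticator signature. The origin value comes from the browser itself,
which is why a proxying site cannot make it read as the legitimate origin.
"""
import base64
import json
import os

RP_ORIGIN = "https://login.example.com"  # assumed legitimate site origin


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> str:
    """Fresh per-login challenge; stored server-side and checked once."""
    return b64url(os.urandom(32))


def simulate_browser(origin: str, challenge: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser hands the authenticator.
    The browser fills in `origin` from the page it is actually on."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url(json.dumps(client_data, separators=(",", ":")).encode())


def verify_client_data(client_data_b64: str, expected_challenge: str):
    """Return (ok, reason) after checking ceremony type, challenge and origin."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    return True, "ok"


if __name__ == "__main__":
    ch = new_challenge()
    # Direct login: browser is on the real site, origin matches.
    print(verify_client_data(simulate_browser("https://login.example.com", ch), ch))
    # Login relayed through a look-alike domain (constructed): origin does not match.
    print(verify_client_data(simulate_browser("https://login.example-lookalike.net", ch), ch))
```

The contrast with a one-time code or push approval is the whole point: those factors produce a value the user can be walked into handing over, whereas the assertion here is bound to an origin the user never types and the page cannot override.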
A Chinese cyberespionage group targets Central European diplomats.
A Chinese cyberespionage group, MirrorFace (Earth Kasha), has expanded beyond East Asia, targeting a Central European diplomatic institute in August 2024. Researchers from ESET found the group using Anel (Uppercut), a backdoor previously linked to APT10, suggesting tool-sharing among Chinese threat actors.
The attack began with a spear-phishing campaign referencing Expo 2025 in Japan. Once victims engaged, they received a malicious Word document, deploying Anel and HiddenFace for persistence. The hackers wiped logs, used AsyncRAT in Windows Sandbox, and abused Visual Studio Code’s remote tunnels to evade detection.
They also exfiltrated Chrome credentials, potentially compromising diplomatic communications. The attack highlights China’s evolving cyber tactics and collaboration between state-sponsored groups.
A new cyberattack uses ChatGPT infrastructure to target the financial sector and U.S. government agencies.
According to the latest research from Veriti, a new cyberattack campaign is actively exploiting CVE-2024-27564, a Server-Side Request Forgery (SSRF) vulnerability affecting OpenAI’s ChatGPT infrastructure—but OpenAI itself has not been breached. In just one week, 10,479 attack attempts were recorded from a single malicious IP, with the U.S. seeing the highest concentration (33%), followed by Germany and Thailand (7% each). 35% of organizations are vulnerable due to misconfigured security tools like IPS, WAFs, and firewalls.
The financial sector and U.S. government agencies are prime targets, as attackers exploit AI-driven services to access internal resources and sensitive data. Veriti urges security teams to review firewall settings, monitor attack logs, and reassess AI-related security risks, emphasizing that even medium-severity vulnerabilities can become major attack vectors.
Australia sues a major securities firm over inadequate protection of customer data.
Australia’s financial regulator is suing FIIG Securities over cybersecurity failures that led to a 2023 data breach affecting 18,000 customers. The Australian Securities and Investments Commission (ASIC) says FIIG lacked basic security controls for four years, failing to update firewalls, patch software, or train employees, allowing threat actors to steal 385GB of sensitive data.
FIIG, which manages $2.88 billion in funds, was unaware of the breach until Australia’s Cyber Security Centre alerted them. It took six days to respond. ASIC alleges FIIG violated the Corporations Act, which mandates financial firms maintain adequate risk management.
The case follows a 2022 lawsuit against RI Advice for similar cybersecurity lapses. ASIC warns that cyber risk management is a top priority, with tighter regulatory actions coming for financial firms failing to protect customer data.
Coming up, we’ve got our Threat Vector segment. Host David Moulton sits down with Forrester’s Senior Analyst Carlos Rivera to explore the concept of platformization: how unifying security capabilities strengthens cyber resilience. We’ll be right back.
Welcome back. You can find a link to the full examination of platformization by David and Carlos in our show notes.
Cybercriminals say, “Get me Edward Snowden on the line!”
Alright, let’s set the scene. You’re a cybercriminal, trying to make an honest dishonest living in the ransomware world, but payments are down, negotiations are tougher, and victims just aren’t coughing up the cash like they used to. What do you do? Well, if you’re Ox Thief, you get creative—and by creative, I mean you threaten to call Edward Snowden.
That’s right. This newly discovered extortion crew isn’t just demanding ransom; they’re fast-tracking the consequences. Don’t pay? They’ll rat you out to cybersecurity journalists like Brian Krebs, privacy advocates, and even the Electronic Frontier Foundation. They’ll outline legal penalties, predict massive fines, and warn of a PR disaster. The message? You’re in trouble whether you pay or not.
Analysts at Fortra say this is a noteworthy escalation in ransomware tactics. Instead of just encrypting files and waiting for a payday, Ox Thief is weaponizing legal liability and media scrutiny. It’s all part of a bigger trend—ransomware payments are dropping, and attackers are getting desperate.
Case in point: Ox Thief claims to have hacked Broker Educational Sales & Training (BEST). But here’s where it gets messy—another cybercrime gang, Medusa, also claims to have breached BEST. Did Ox Thief really do it? Or are they recycling someone else’s heist? Either way, BEST hasn’t commented, and the cybercriminal underworld just keeps getting weirder.
So what’s the takeaway here? Well, if you get hacked, maybe set up an outbound call blocker for Snowden—just in case.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.