The CyberWire Daily Podcast 3.21.25
Ep 2270 | 3.21.25

Brute force and broken trust.

Transcript

Over 150 government database servers are dangerously exposed to the internet. Threat actors are exploiting a vulnerability in CheckPoint’s ZoneAlarm antivirus software. Albabat ransomware goes cross-platform. ESET reports on the Chinese Operation FishMedley campaign. VanHelsing ransomware targets Windows systems in the U.S. and France. CISA issues five ICS advisories warning of high-severity vulnerabilities across critical infrastructure systems. A former NFL coach is indicted for allegedly hacking into the accounts of thousands of college athletes. Brandon Karpf joins us with a look at cyberspace in space. A fraud detection firm gets shut down for fraud.

Today is Friday, March 21st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Over 150 government database servers are dangerously exposed to the internet. 

A recent investigation has revealed a major cybersecurity threat to U.S. government data. Over 150 government database servers—used by agencies like the Departments of Agriculture, Education, and Energy—are exposed to the internet, violating basic security protocols. These databases, hosted on Microsoft’s Azure Gov Cloud, have open ports vulnerable to brute-force attacks and known exploits. The report highlights over 655 unauthorized access attempts and more than 200 real-time data replications, suggesting serious flaws in authentication and data protection. Analysts believe the exposure stems from a rushed federal data centralization effort. Experts are calling for urgent action, including Congressional hearings and audits, to address what could become a catastrophic breach.

The White House is shifting cybersecurity responsibilities from federal agencies to states and local governments. A new executive order from President Trump introduces a National Resilience Strategy, aiming to give local entities more control over defending infrastructure and elections from cyber threats. This move follows cuts to federal cybersecurity teams and programs, leaving states without vital support like vulnerability alerts and free risk assessments. Experts warn this decentralization could lead to fragmented defenses, especially as many states lack the resources and intelligence centers to fill the gap. Cybersecurity professionals say the burden will hit underfunded sectors like schools and small municipalities hardest. Critics argue the shift, combined with federal workforce reductions, undermines national security and leaves states to manage growing cyber risks largely on their own.

Threat actors are exploiting a vulnerability in CheckPoint’s ZoneAlarm antivirus software. 

A new report reveals that threat actors are exploiting a vulnerability in CheckPoint’s ZoneAlarm antivirus software to bypass Windows security. Security researcher Nima Bagheri detailed a Bring Your Own Vulnerable Driver (BYOVD) attack using an old, signed driver—vsdatant.sys—with kernel-level privileges. This allows attackers to evade antivirus detection, bypass Windows Memory Integrity protections, and gain full system access. Once in, they steal credentials and establish remote access. Users are urged to update to the latest, non-vulnerable version.

Albabat ransomware goes cross-platform. 

Albabat ransomware has evolved into a cross-platform threat, now targeting Windows, Linux, and macOS systems. Trend Micro researchers found versions 2.0.0 and 2.5 using GitHub for configuration management, allowing remote updates without redeploying malware. The ransomware retrieves settings via the GitHub REST API and avoids encrypting key system files while targeting user data. It terminates processes to ensure encryption success and collects detailed system info. Payment details in its config suggest preparation for expanded attacks using Bitcoin, Ethereum, Solana, and BNB.

ESET reports on the Chinese Operation FishMedley campaign. 

ESET reports that I-Soon, a Chinese cybersecurity contractor linked to Beijing’s Ministry of Public Security, ran a 2022 cyber-espionage campaign called Operation FishMedley. Its operational unit, FishMonger, targeted seven organizations across Taiwan, Hungary, Turkey, Thailand, the U.S., and France. Using tools like ShadowPad, Spyder, and the newly identified RPipeCommander, attackers gained deep network access, extracted credentials, and exfiltrated data. The campaign followed a document leak and U.S. indictments of I-Soon staff for hacking U.S. agencies, activists, and dissidents.

VanHelsing ransomware targets Windows systems in the U.S. and France. 

A new ransomware called VanHelsing is targeting Windows systems in the U.S. and France, focusing on government, manufacturing, and pharmaceutical sectors. First spotted in March 2025, it uses advanced encryption and evasion tactics, appending “.vanhelsing” to files and demanding ransom via a Tor-based chat site. VanHelsing employs double extortion by encrypting and exfiltrating sensitive data. It uses rootkits, registry changes, and bootkits for persistence, making detection difficult. Security experts urge strong backups, system patching, MFA, and zero-trust strategies for defense.

CISA issues five ICS advisories warning of high-severity vulnerabilities across critical infrastructure systems. 

CISA issued five ICS advisories warning of high-severity vulnerabilities across critical infrastructure systems. These include flaws in Schneider Electric’s EcoStruxure™ software (CVE-2025-0327, CVSS 8.5) and Enerlin’X IFE components, with multiple input validation issues (CVSS up to 7.1). Siemens Simcenter Femap also contains a memory buffer vulnerability (CVE-2025-25175, CVSS 7.3), while SMA’s Sunny Portal has a file upload flaw (CVE-2025-0731, CVSS 6.9). Finally, Santesoft’s DICOM Viewer Pro suffers from an out-of-bounds write issue (CVE-2025-2480, CVSS 8.4). CISA urges immediate updates to reduce exploitation risks, especially as these systems often support vital infrastructure.

A former NFL coach is indicted for allegedly hacking into the accounts of thousands of college athletes.

Former NFL and University of Michigan assistant coach Matt Weiss has been indicted on 14 counts of unauthorized computer access and 10 counts of identity theft for hacking into the accounts of thousands of college athletes. From 2015 to 2023, Weiss allegedly breached databases managed by Keffer Development Services, targeting over 150,000 athletes across 100+ schools. The indictment says he focused on female athletes, seeking private photos and videos by accessing their social media, cloud, and email accounts. Weiss allegedly cracked encryption using online research and kept detailed notes on stolen content. Fired by Michigan in 2023 after refusing to cooperate with an internal investigation, Weiss had previously worked for the Baltimore Ravens. Federal prosecutors say they will aggressively pursue the case to defend victims’ privacy.


A fraud detection firm gets shut down for fraud. 

In a plot twist worthy of a Silicon Valley satire, the former CEO of an ad tech company has been sentenced to a year and a day in prison for faking… well, pretty much everything. Paul Roberts, whose ad tech company claimed to detect fraudulent ads with its cloudy software “KAI,” decided to fraud his way to the top. In a bold bit of corporate make-believe, he orchestrated a $1.3 million phony service swap with another company, complete with fake reports generated from non-existent data. Both firms recorded the made-up transaction as real revenue—like a business version of kids trading Monopoly money and calling it profit. It worked—for a while. Kubient even went public, raising $33 million. But the SEC noticed the imaginary math, and Roberts pled guilty. By late 2024, the much-hyped KAI-powered merger vanished, Kubient delisted itself, and the company quietly folded. You have to admire the commitment—it takes real effort to fake that much effort.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.