
A leadership shift.
President Trump fires the head of NSA and Cyber Command. The Health Sector Coordinating Council asks the White House to abandon Biden-era security updates. Senators introduce bipartisan legislation to help fight money laundering. A critical vulnerability has been discovered in the Apache Parquet Java library. The State Bar of Texas reports a ransomware-related data breach. New Android spyware uses a password-protected uninstallation method. A Chinese state-backed threat group exploits a critical Ivanti vulnerability for remote code execution. Today’s guest is Dave DeWalt, Founder and CEO of NightDragon, with the latest trends and outlook from cyber leaders. Malware masquerades as the tax man.
Today is Friday, April 4th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
President Trump fires the head of NSA and Cyber Command.
Late yesterday, President Donald Trump dismissed Air Force Gen. Timothy Haugh from his roles as director of the National Security Agency (NSA) and commander of U.S. Cyber Command. Haugh’s civilian deputy, Wendy Noble, was reassigned within the Pentagon. Army Lt. Gen. William Hartman has assumed leadership of both organizations in an acting capacity. The specific reasons for these changes remain unclear. However, far-right activist Laura Loomer, who recently met with President Trump, claimed credit for the dismissals, alleging disloyalty among officials. Senator Mark Warner criticized the move, questioning its impact on national security amid escalating cyber threats, such as the recent Salt Typhoon cyberattack attributed to China. This development follows other significant shifts within the national security apparatus, including the February firing of Air Force Gen. CQ Brown Jr. as chairman of the Joint Chiefs of Staff.
Meanwhile, the Pentagon’s acting Inspector General has launched an investigation into Defense Secretary Pete Hegseth for using the encrypted app Signal to discuss sensitive government matters. The probe follows a report that journalist Jeffrey Goldberg was accidentally added to a Signal group where top officials, including Hegseth, discussed an upcoming airstrike in Yemen. Senators Jack Reed and Roger Wicker raised concerns about possible mishandling of classified information. The IG aims to assess compliance with communication, classification, and records policies. President Trump has dismissed concerns.
The Health Sector Coordinating Council asks the White House to abandon Biden-era security updates.
The Health Sector Coordinating Council (HSCC) is urging the Trump administration to abandon proposed HIPAA security rule updates introduced in the final days of the Biden administration. Instead, HSCC advocates for a one-year collaborative effort between the government and healthcare sector leaders to develop more practical, cost-effective cybersecurity standards. Greg Garcia, HSCC’s cybersecurity executive director, emphasized that the sector supports stronger cybersecurity, but criticized the proposed rules as overly vague or stringent, making compliance difficult. Garcia pointed to successful past collaborations, like the 2014 NIST Cybersecurity Framework, as a model. The proposal aims to improve cybersecurity outcomes and patient safety through clear, consensus-based standards. HSCC submitted its alternative plan to the White House and HHS, suggesting regulators avoid creating burdensome rules in isolation and instead work with industry experts to design flexible, impactful cybersecurity controls that can be widely adopted across the healthcare sector.
Senators introduce bipartisan legislation to help fight money laundering.
Senators Catherine Cortez Masto (D-NV) and Chuck Grassley (R-IA) have reintroduced the Combatting Money Laundering in Cyber Crime Act, aiming to expand the U.S. Secret Service’s authority to investigate digital asset crimes. Current laws limit the agency’s reach, especially regarding unlicensed money transmitting businesses—entities often used in laundering cybercrime profits. The bill would update these laws to help the Secret Service pursue modern cybercriminal tactics, including structuring transactions to evade detection. The legislation comes amid growing concern over North Korean hackers laundering over $1 billion in stolen crypto. While earlier versions of the bill stalled in Congress, lawmakers argue this update is critical as digital financial crimes outpace enforcement. Cortez Masto emphasized the need for law enforcement to evolve with criminal tactics, while Grassley highlighted the importance of proactive measures to disrupt laundering schemes tied to ransomware, terrorism, and rogue nations.
A critical vulnerability has been discovered in the Apache Parquet Java library.
A critical remote code execution (RCE) vulnerability, CVE-2025-30065, has been discovered in the Apache Parquet Java library, affecting all versions through 1.15.0. With a maximum CVSS score of 10.0, the flaw stems from insecure deserialization in the parquet-avro module and allows attackers to execute arbitrary code via malicious Parquet files—no user interaction or authentication needed. The issue impacts data platforms like Hadoop, Spark, and Flink, as well as cloud environments used by companies like Netflix, Uber, and LinkedIn. If exploited, it could lead to system control, data theft, or service disruption. Discovered by Amazon’s Keyi Li, the vulnerability has not yet been exploited publicly. The Apache Software Foundation urges immediate upgrades to version 1.15.1 and enhanced validation and monitoring. Given its severity, organizations must act swiftly to protect their big data infrastructure.
The State Bar of Texas reports a ransomware-related data breach.
The State Bar of Texas is notifying over 2,700 individuals about a ransomware-related data breach that occurred between January 28 and February 9, 2025. Discovered on February 12, the attack led to the theft of sensitive files containing Social Security numbers, financial data, medical records, and government-issued ID details. While no fraudulent use has been reported, affected individuals are being offered up to two years of free identity and credit monitoring. The INC Ransom gang has claimed responsibility for the attack.
New Android spyware uses a password-protected uninstallation method.
A new Android spyware app has emerged that uses a password-protected uninstallation method, making it hard for victims to remove. Once installed—typically by someone with physical access—the app hides its icon, gains device admin privileges, and uses Android’s overlay feature to display a password prompt if removal is attempted. The spyware monitors texts, photos, location, and more. Researchers at TechCrunch found it can be bypassed by booting the phone into safe mode, which disables third-party apps, allowing users to revoke admin access and uninstall it. Security experts warn this is part of a growing market for stalkerware, often disguised as parental or employee monitoring tools. Users are advised to enable Google Play Protect, check for unauthorized admin apps, and use trusted antivirus tools. Unusual phone behavior may signal infection.
A Chinese state-backed threat group exploits a critical Ivanti vulnerability for remote code execution.
Chinese state-backed threat group UNC5221 is actively exploiting a critical Ivanti vulnerability, CVE-2025-22457, which allows remote code execution via buffer overflow. Initially seen as a low-risk issue, the flaw has since been weaponized in attacks targeting Ivanti Connect Secure versions 22.7R2.5 and earlier. Mandiant researchers observed the group deploying two new malware families—Trailblaze and Brushfire—both memory-resident and designed for stealth. UNC5221 also deployed advanced Spawn malware variants to disable logging, extract encrypted kernel images, and maintain persistence. Active exploitation has been ongoing since mid-March 2025. Mandiant and Ivanti urge immediate patching. The group’s targeting of edge devices is part of a broader Chinese espionage strategy, with operations extending across global government and critical infrastructure sectors. Experts warn of growing sophistication and intensity in China-linked cyber campaigns.
Malware masquerades as the tax man.
Ah, tax season—the most wonderful time of the year for cybercriminals! As April 15 looms, Microsoft reports a swarm of phishing campaigns dressed up in IRS garb, all hoping to trick you out of your data and into downloading malware. These scammers are going full Hollywood with QR codes, fake DocuSign pages, and PDF files claiming “unusual IRS activity.” Once clicked, you might get a bonus gift like Latrodectus, Remcos, or Brute Ratel C4—malware that’s anything but deductible.
One charming crew, Storm-0249, sent thousands of fake IRS notices designed to land malware on victims’ devices. Another campaign handed out malicious QR codes like candy. And for the truly social, some attackers even made small talk before zipping over GuLoader or AHKBot.
The message is clear: if it’s tax-themed and digital, treat it with suspicion. Because this year, the only thing scarier than doing your taxes might be the phishing emails about them. Plus, the way things are going in Washington, there may not be anyone left working at the IRS by the time tax day comes around.
Interesting times, my friends…interesting times.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.