
CISA shrinks while threats grow.
CISA braces for widespread staffing cuts. Russian hackers target a Western military mission in Ukraine. China acknowledges Volt Typhoon. The U.S. signs on to global spyware restrictions. A lab supporting Planned Parenthood confirms a data breach. Threat actors steal metadata from unsecured Amazon EC2 instances. A critical WordPress plugin vulnerability is under active exploitation. A new analysis details a critical unauthenticated remote code execution flaw affecting Ivanti products. Joining us today is Johannes Ullrich, Dean of Research at SANS Technology Institute, with his take on "Vibe Security." Does AI understand, and does that ultimately matter?
Today is Friday April 11th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA braces for widespread staffing cuts.
The Trump administration is preparing to cut about 1,300 positions at the Cybersecurity and Infrastructure Security Agency (CISA), slashing roughly half its full-time staff and 40% of its contractors. These planned cuts follow White House frustration over CISA’s perceived role in moderating conservative content. Major reductions are expected at the National Risk Management Center and the Stakeholder Engagement Division. CISA’s threat hunting team will also be downsized. Some responsibilities may shift to the Cybersecurity Division. Officials say the exact scope and timeline remain undecided and could change. Meanwhile, the administration is pushing early retirements and buyouts, offering up to $25,000. Political appointments for regional directors are also under consideration. CISA Director nominee Sean Plankey’s confirmation is being blocked by Sen. Ron Wyden over transparency issues.
The cybersecurity industry has largely stayed silent after President Trump revoked security clearances for SentinelOne staff, Reuters reports. The move appears tied to the company hiring Chris Krebs, ex-CISA chief fired by Trump in 2020 for rejecting election fraud claims. Despite Krebs’ respect in cyber circles, most major cybersecurity firms declined to comment, fearing retaliation. Only the Cyber Threat Alliance spoke out, criticizing the action as political targeting. SentinelOne said it expects no major impact, though its stock dropped 7% following the news.
Russian hackers target a Western military mission in Ukraine.
Russian state-backed hacking group Gamaredon, also known as Shuckworm, has been targeting a Western military mission in Ukraine using removable drives to deploy attacks. Between February and March 2025, they used an upgraded version of their GammaSteel malware to steal sensitive data. The group likely gained access via malicious shortcut (.LNK) files on external drives. Recent tactics show a shift to PowerShell-based tools, increased obfuscation, and use of legitimate services for stealth. Once infected, the malware collects screenshots, system info, and documents, storing payloads in the Windows Registry and using PowerShell or cURL over Tor for exfiltration. It also spreads to other drives and establishes persistence via Registry keys. Symantec notes Gamaredon’s tactics are evolving, making the group a growing threat despite its relatively unsophisticated methods.
China acknowledges Volt Typhoon.
In a secret December 2024 meeting in Geneva, Chinese officials indirectly admitted to cyberattacks on U.S. infrastructure tied to the Volt Typhoon campaign, according to The Wall Street Journal. The U.S. delegation, part of the outgoing Biden administration, interpreted the admission as a warning over American support for Taiwan. Volt Typhoon, attributed to China in 2023, targeted critical U.S. sectors using zero-day exploits and stayed undetected in parts of the electric grid for 300 days. The attacks spanned communications, energy, transportation, and more, raising concerns about espionage and potential disruption. The meeting also touched on the Salt Typhoon campaign, which compromised telecom data from senior officials. While the U.S. views Volt Typhoon as a serious provocation, Salt Typhoon is seen as typical cyberespionage. Both nations continue to escalate mutual cyberattack accusations.
The U.S. signs on to global spyware restrictions.
The U.S. will join an international agreement under the Pall Mall Process, an international initiative launched in February 2024 by the United Kingdom and France to address the misuse of commercial spyware. This follows a voluntary Code of Practice signed by 21 countries, aiming to regulate commercial cyber intrusion capabilities (CCICs) and curb abuses targeting civil society. Sparked by scandals in Poland, Mexico, Greece, and more, the agreement seeks to separate responsible vendors from those linked to human rights violations. Human rights advocates praised the move as a bipartisan step toward responsible spyware governance.
A lab supporting Planned Parenthood confirms a data breach.
Laboratory Services Cooperative (LSC), a nonprofit supporting reproductive health labs, confirmed a data breach affecting 1.6 million people. Hackers accessed its network in October 2024, stealing sensitive data including personal IDs, medical records, and insurance details. Most affected individuals had lab work done through select Planned Parenthood centers. LSC is offering credit and identity protection services and says no stolen data has appeared on the dark web so far. An investigation is ongoing, with federal law enforcement and cybersecurity experts involved.
Threat actors steal metadata from unsecured Amazon EC2 instances.
In March, a threat actor used server-side request forgery (SSRF) attacks to steal metadata from unsecured Amazon EC2 instances, according to F5 Labs. The attacker targeted EC2-hosted websites that left instance metadata exposed, potentially leaking sensitive IAM credentials. The campaign ran from March 13–25 and involved tens of thousands of GET requests from IPs tied to French firm FBW NETWORKS SAS. F5 advises migrating from IMDSv1 to IMDSv2 or blocking requests to the metadata IP to mitigate future risks.
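As an added example, not code from the F5 Labs report or from this briefing, the following Python detector flags SSRF probes aimed at the EC2 metadata address in constructed web-server access-log lines and checks an instance's MetadataOptions (the dict shape returned by EC2 DescribeInstances) for whether token-less IMDSv1 is still permitted; the log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Link-local address of the EC2 Instance Metadata Service (IMDS).
IMDS_HOST = "169.254.169.254"

# Constructed sample access-log lines (not from the F5 report). The first two
# mimic SSRF probes that try to make the web app fetch its own instance
# metadata; a plain GET like this only works when IMDSv1 is still enabled,
# because IMDSv2 requires a session token obtained with a PUT request first.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
203.0.113.11 - - [14/Mar/2025:10:01:05 +0000] "GET /proxy?target=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 88
198.51.100.7 - - [14/Mar/2025:10:02:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 2048
"""

# Combined-log-format fields we need: client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_imds_ssrf(log_text: str) -> list:
    """Return entries whose request path references the IMDS address.
    The path is URL-decoded twice so single- and double-encoded variants
    of the address are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m["path"]))
        if IMDS_HOST in decoded:
            hits.append({"ip": m["ip"], "path": decoded, "status": int(m["status"])})
    return hits


def imdsv1_allowed(metadata_options: dict) -> bool:
    """True when the instance still answers token-less IMDSv1 requests.
    `metadata_options` is the MetadataOptions dict from EC2 DescribeInstances;
    HttpTokens == "required" enforces IMDSv2, and a disabled endpoint
    answers no metadata requests at all."""
    return (
        metadata_options.get("HttpEndpoint", "enabled") == "enabled"
        and metadata_options.get("HttpTokens", "optional") != "required"
    )
```

A successful 200 on a hit is the signal to rotate the instance role's credentials, since IMDSv1 would have returned them to the caller.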
A critical WordPress plugin vulnerability is under active exploitation.
A critical vulnerability (CVE-2025-3102) in the OttoKit WordPress plugin is being actively exploited, according to security firm Defiant. The plugin, with over 100,000 installs, allows attackers to bypass authentication and create admin accounts on unconfigured sites by exploiting a missing value check in API key validation. This gives full site control, including uploading malicious files or injecting spam. While only unconfigured installations are at risk, users are urged to update to version 1.0.79 or later to patch the flaw.
A new analysis details a critical unauthenticated remote code execution flaw affecting Ivanti products.
A newly published analysis details CVE-2025-22457, a critical unauthenticated remote code execution flaw affecting Ivanti products, including Connect Secure, Policy Secure, Pulse Connect Secure, and ZTA Gateways. Exploited by a suspected China-linked actor, the bug stems from a stack-based buffer overflow in the web server binary via the X-Forwarded-For header. Exploitation is complex due to payload restrictions—only digits and periods are allowed—forcing attackers to use heap spray and ROP techniques to gain code execution. The attack bypasses ASLR through brute force. Ivanti patched Connect Secure in February 2025, with other product updates due in April. Pulse Connect Secure is no longer supported. Given the public proof-of-concept and active exploitation, urgent patching or mitigation is critical.
My guest today is SANS Technology Institute Dean of Research Johannes Ullrich, discussing "Vibe Security," which is similar to “Vibe Coding”: security teams overly relying on AI to do their job.
Does AI understand, and does that ultimately matter?
Large language models are acing benchmarks faster than researchers can invent them—but does that mean they understand? To tackle this big question, IEEE Spectrum and the Computer History Museum hosted a lively March 25 debate. On the “no” side was Emily Bender, a vocal LLM critic and coauthor of “Stochastic Parrots.” On the “yes” side stood Sébastien Bubeck of OpenAI, coauthor of “Sparks of AGI.” The fiery but respectful showdown explored whether these AI systems truly comprehend—or just cleverly imitate.
The debate kicks off with Emily Bender (Team “Nope!”) and Sébastien Bubeck (Team “Kinda, Yeah!”), diving into linguistics, AI benchmarks, and whether machines can grasp meaning like we do. Bender leans hard into the “they’re just parrots” metaphor, warning us about the illusions of understanding and the dangers of relying on LLMs in healthcare, law, and more. Meanwhile, Bubeck cheerfully reminds us these models are pulling off math feats that’d make your high school teacher weep, and whether or not they “understand,” they’re undeniably useful.
The debate? Spirited, nuanced, and philosophical—think Oxford Union meets Silicon Valley. The takeaway? Understanding might be overrated if your chatbot can still beat you at logic puzzles… or build you an app overnight.
These are still early days, and time will tell how much we come to trust and rely on these technologies in our day-to-day lives. For now, I think it’s fair to say that, love ’em or hate ’em, they are here to stay.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
This week, we’ve got something special for you in your Research Saturday feed. You know I dabble in other podcasts…well, each month, Selena Larson from Proofpoint and I host Only Malware in the Building here on the N2K CyberWire network. We thought it’d be fun for you all to check that out as we talk about a new malware that’s popped up. Tune in tomorrow! I hope you like it!
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.