
States struggle with cyber shift.
The White House’s shift of cybersecurity responsibilities to the states is met with skepticism. Baltimore City Public Schools suffer a ransomware attack. Russian state-backed hackers target Dutch critical infrastructure. Microsoft resolves multiple Remote Desktop issues. A new malware campaign is targeting Docker environments for cryptojacking. A new phishing campaign uses weaponized Word documents to steal Windows login credentials. Zyxel Networks issues critical patches for two high-severity vulnerabilities. CISA issues five advisories highlighting critical vulnerabilities in ICS systems. Our guest is Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division, sharing the findings of their latest IC3 report. So long, Privacy Sandbox.
Today is Wednesday, April 23rd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The White House’s shift of cybersecurity responsibilities to the states is met with skepticism.
President Trump’s recent executive order shifts cybersecurity responsibilities from the federal government to states and localities. However, many states are unprepared for this transition. A 2023 Nationwide Cybersecurity Review revealed that only 22 of 48 participating states met recommended security standards. Compounding the issue, federal funding cuts have reduced resources for state and local officials, including a cybersecurity grant program and a key cybersecurity agency. This has left states grappling with increased cyber threats, such as ransomware attacks and foreign interference, while facing shortages of IT experts and limited budgets. Recent cyberattacks in Rhode Island, Virginia, and Massachusetts highlight the vulnerabilities in state systems. Experts warn that expecting states to manage cybersecurity independently, without adequate support, is unrealistic and could compromise national security.
Baltimore City Public Schools suffer a ransomware attack.
Baltimore City Public Schools suffered a ransomware attack on February 13, 2025, linked to the Cloak gang. The breach exposed sensitive personal data of about 25,000 people, including Social Security numbers, student records, and employment documents. Those affected include current and former staff, volunteers, and over 1,150 students. BCPS confirmed no ransom was paid. Law enforcement and cybersecurity experts are investigating. Notification letters were sent April 22, with two years of free credit monitoring and a call center provided for support.
Russian state-backed hackers target Dutch critical infrastructure.
Russian state-backed hackers have targeted Dutch critical infrastructure in cyber sabotage attempts during 2023 and 2024, according to the Dutch Military Intelligence and Security Service (MIVD). Though the attacks had minimal immediate impact, they mark the first known sabotage of Dutch control systems. The MIVD warns such operations are rising across Europe, aiming to gain digital access to critical systems for potential future disruption. The Netherlands, home to Europe’s largest port in Rotterdam and key NATO logistics hubs, remains strategically vital. Russian cyber activity, including prior infiltration attempts of global institutions in The Hague, is escalating. The Dutch government is boosting its military and cybersecurity investments, sharing intelligence with Ukraine, and warning that Europe must act swiftly to counter increasingly sophisticated Russian cyber threats amid global geopolitical instability.
Microsoft resolves multiple issues affecting Remote Desktop.
Microsoft has resolved multiple issues affecting Remote Desktop on Windows Server 2025 and Windows 11 24H2. A bug causing RDP sessions to freeze was fixed in February’s KB5052093 update for Windows 11 and in April’s KB5055523 update for Windows Server. Microsoft also used Known Issue Rollback to reverse bugs causing RDP disconnections. Additionally, a longstanding bug triggering blue screen errors on servers with over 256 logical processors was fixed. Other recent issues include login problems with Windows Hello and domain controller failures.
A new malware campaign is targeting Docker environments for cryptojacking.
A new malware campaign is targeting Docker environments to hijack compute resources for cryptojacking, using highly layered obfuscation to evade detection. Researchers from Darktrace and Cado Security Labs found the attackers deploy a Docker image, kazutod/tene:ten, which runs a deeply obfuscated Python script, requiring 63 decode loops to reach the final payload. Instead of mining cryptocurrency directly, the malware connects to teneo.pro, a Web3 platform, to simulate node activity and earn private tokens. This low-resource tactic avoids triggering alarms tied to traditional mining. Docker’s popularity and frequent misconfigurations make it an attractive target. Experts warn organizations to secure Docker setups with strong authentication, avoid unnecessary internet exposure, and vet images carefully. This campaign signals a shift toward abusing legitimate decentralized systems for stealthy profit.
A new phishing campaign uses weaponized Word documents to steal Windows login credentials.
A new phishing campaign uncovered by Fortinet’s FortiGuard Labs uses weaponized Word documents to steal Windows login credentials. Disguised as sales orders, the emails carry attachments exploiting a known vulnerability (CVE-2017-11882) in Microsoft Equation Editor. This flaw enables remote code execution, leading to the deployment of a new FormBook malware variant. The attack chain involves a Word document embedding an obfuscated RTF file and DLL, triggering buffer overflows and stealthily launching the malware via process hollowing. The payload, downloaded as a disguised PNG file, decrypts into a fileless executable injected into a legitimate Windows process. The malware collects credentials, keystrokes, and screenshots while maintaining persistence through registry edits. Fortinet has flagged this campaign and urges users to update systems and remain alert to phishing threats exploiting old vulnerabilities.
Two significant data breaches have recently impacted U.S. organizations, compromising the personal information of over 600,000 individuals.
Onsite Mammography, a Massachusetts-based medical services provider, reported unauthorized access to an employee’s email account in October 2024. The breach exposed sensitive data—including names, Social Security numbers, dates of birth, driver’s license and credit card numbers, and medical information—affecting approximately 357,000 patients. The company asserts that the intrusion was limited to the email account and is offering 12 months of free credit monitoring to those affected. 
Kelly Benefits, a Maryland-based benefits and payroll solutions provider, disclosed a breach affecting nearly 264,000 individuals. Hackers accessed the company’s systems between December 12 and 17, 2024, exfiltrating files containing personal data such as names, dates of birth, Social Security numbers, tax ID numbers, medical and health insurance information, and financial account details. While no ransomware group has claimed responsibility, the possibility of a ransomware attack has not been ruled out.
Zyxel Networks issues critical patches for two high-severity vulnerabilities.
Zyxel Networks has issued critical patches for two high-severity vulnerabilities—CVE-2025-1731 and CVE-2025-1732—affecting USG FLEX H series firewalls. These flaws could allow authenticated users to escalate privileges and gain unauthorized access. CVE-2025-1731 enables low-privileged users to reach admin-level access via PostgreSQL command issues, especially if an admin remains logged in. CVE-2025-1732 lets admins upload malicious configs to gain further control. Discovered by security researchers, both bugs are fixed in firmware version uOS V1.32. Immediate patching is urged.
CISA issues five advisories highlighting critical vulnerabilities in ICS systems.
CISA has issued five advisories highlighting critical vulnerabilities in ICS systems from Siemens, Schneider Electric, and ABB, with potential impacts on industrial automation and infrastructure. Siemens’ TeleControl Server Basic SQL suffers from multiple high-severity SQL injection flaws (CVSS 9.8), enabling attackers to manipulate databases and bypass controls. Another Siemens advisory cites a lower-risk vulnerability causing partial DoS in redundant server setups. Schneider Electric’s Wiser Home Controller contains a flaw (CVSS 9.8) allowing remote credential exposure. ABB MV Drives are affected by CODESYS vulnerabilities enabling memory-based attacks. A previous advisory for Schneider’s Modicon M580 PLCs was updated to address a buffer size flaw (CVSS 7.5) that could cause denial-of-service. CISA urges patching, network segmentation, and continuous monitoring to safeguard critical infrastructure from these escalating threats.
RIP, Privacy Sandbox.
RIP, Privacy Sandbox – we hardly knew ye. Google’s ambitious plan to banish third-party cookies and reinvent online ads while championing privacy has quietly collapsed into a pixelated puff of irony. After six years of tinkering, Privacy Sandbox has been shelved, with Google citing AI hopes, mysterious privacy tech, and—you guessed it—regulators breathing down its neck.
Originally pitched as a privacy-forward alternative to creepy tracking cookies, the Sandbox ran into trouble from ad tech rivals and watchdogs who weren’t convinced Google wouldn’t just rule the ad world even harder. As it turns out, fighting global regulators and industry skeptics proved tougher than debugging the Sandbox APIs.
Now Chrome will keep third-party cookies, meaning your digital shadow lives on. While some Sandbox remnants (like IP Protection) might survive, the dream of a Google-led privacy renaissance has fizzled. When push came to shove, Chrome didn’t clear your cookies—it just rearranged them on a shinier tray.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
