
All systems not go.
SentinelOne suffers a global service outage. A major DDoS attack hits a Russian internet provider. U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules. Australia mandates reporting of ransomware payments. Researchers uncover a new Browser-in-the-Middle (BitM) attack targeting Safari users. A Florida health system pays over $800,000 to settle insider breach concerns. CISA issues five urgent ICS advisories. Our guest is Matt Covington, VP of Product at BlackCloak, discussing the emergence of advanced impersonation techniques like deepfakes and the importance of digital executive protection. The feds are putting all our digital data in one basket.
Today is Friday, May 30th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
SentinelOne suffers a global service outage.
Cybersecurity firm SentinelOne experienced a global service outage on Thursday that disrupted its extended detection and response (XDR) platform, affecting security monitoring and updates for nearly 13,000 customers. The issue began around 14:00 UTC and lasted about six hours, with administrators reporting problems accessing the cloud-based console. Although customer endpoints remained protected, managed detection and response (MDR) services were offline, and threat data reporting was delayed. SentinelOne attributed the outage to an internal automation error, not a cyberattack. Most of the company’s services, including endpoint and cloud security, were listed as unavailable. Some admins speculated about AWS or DNS issues, but the evidence didn’t support this. The outage interrupted STAR rule-based custom detections and impacted clients dependent on real-time updates. SentinelOne classified the incident as SEV0, the highest severity level, and later restored services. Experts viewed the response as effective, despite the temporary loss of visibility and MDR functions.
A major DDoS attack hits a Russian internet provider.
A major DDoS attack hit Russian internet provider ASVT this week, knocking tens of thousands offline in Moscow and nearby areas for several days. The disruption began Tuesday and lasted into Friday, affecting ASVT’s website, mobile app, and customer services. Many residents couldn’t work remotely, use card payments, or access buildings due to downed intercoms. ASVT blamed the Ukrainian “IT Army,” though the group hasn’t claimed responsibility. The incident follows a similar March attack on Lovit, another provider accused of monopolistic practices and now under investigation. Russia’s Federal Antimonopoly Service is also probing ASVT. The broader trend reflects rising cyberattacks on Russian telecoms, often politically motivated. In 2023, over 30% of DDoS attacks in Russia targeted telecoms. Previous attacks have included data theft and infrastructure damage by groups like the Ukrainian Cyber Alliance and Silent Crow. It’s unclear if ASVT’s enterprise or government clients were affected.
U.S. banking groups urge the SEC to scrap cybersecurity disclosure rules.
U.S. banking groups are urging the SEC to scrap its cybersecurity incident disclosure rules, arguing they clash with confidential protocols meant to protect critical infrastructure. Led by the American Bankers Association, five major industry groups say the SEC’s Cybersecurity Risk Management rule—requiring rapid disclosure of breaches—hinders law enforcement, creates confusion, and disrupts incident response. They argue the rule, in effect since July 2023, has been flawed and difficult to implement. A recent breach at Coinbase underscores the danger, with attackers impersonating support staff to steal user assets. The incident amplifies fears across the financial sector about centralized data risks, as crypto adoption expands. Banking and crypto sectors alike now stress the need for better cybersecurity guardrails without compromising critical operations.
Australia mandates reporting of ransomware payments.
Australia has become the first country to mandate reporting of ransomware payments. Starting Friday, organizations earning over AUS $3 million annually—or in critical infrastructure—must report any payments made to cybercriminals within 72 hours to the Australian Signals Directorate. Noncompliance could lead to civil penalties. The law aims to improve visibility into ransomware attacks, which are largely underreported, with only 1 in 5 victims currently coming forward. Initially, enforcement will focus on severe violations, but stricter oversight is planned for 2025. This move follows a wave of major cyberattacks in Australia and echoes similar proposals in the UK. Critics argue that while the law may help profile attackers, it won’t stop ransomware.
Researchers uncover a new Browser-in-the-Middle (BitM) attack targeting Safari users.
Researchers from SquareX have uncovered a new Browser-in-the-Middle (BitM) attack targeting Safari users by exploiting flaws in the browser’s Fullscreen API. This technique, revealed through the Year of Browser Bugs project, enables stealthy phishing by tricking users into entering fullscreen mode without warning. Unlike Chrome or Firefox, Safari lacks clear visual indicators when fullscreen mode is triggered, making it easier for attackers to disguise malicious sites as legitimate login pages. Using noVNC, attackers can embed a remote session inside the victim’s browser, stealing credentials undetected. Traditional endpoint detection and response tools can’t see browser activity, making this attack hard to detect. Apple has acknowledged the issue but considers Safari’s behavior intentional, not a bug. Experts urge enterprises to use browser-native security tools, as network-based defenses can be bypassed.
A Florida health system pays over $800,000 to settle insider breach concerns.
BayCare Health System in Florida has agreed to pay $800,000 and implement a corrective action plan to settle a federal HIPAA investigation over a 2018 insider breach. The incident, reported by a patient at St. Joseph’s Hospital in Tampa, involved unauthorized access to her printed and electronic medical records. The patient said she was later contacted by someone with photos and video of her records. Federal investigators traced the access to credentials belonging to a former non-clinical staffer at a medical practice connected to BayCare. The U.S. Department of Health and Human Services found multiple HIPAA violations, including inadequate access controls and failure to monitor system activity. Although BayCare admitted no wrongdoing, the case highlights the risk of insider threats and the need for continuous monitoring and auditing of access to patient data. Experts emphasize that software alone isn’t enough—effective compliance requires ongoing oversight.
A new malware campaign targets government web servers.
A new malware campaign, UTG-Q-015, is targeting government web servers across multiple regions, posing a threat to national infrastructure. First detected in May 2025, it uses brute-force, credential stuffing, and SQL injection to breach defense and municipal systems. The malware employs polymorphic code to evade detection and embeds itself via process hollowing, replacing legitimate software with malicious code. It maintains persistence through registry tweaks and scheduled tasks, enabling long-term access and data theft. Agencies report backdoors and service disruptions.
CISA issues five urgent ICS advisories.
CISA issued five urgent advisories addressing severe vulnerabilities in critical industrial control systems (ICS) used across sectors like healthcare, construction, maritime safety, and infrastructure. Affected systems include Siemens’ SiPass access control platforms, Consilium CS5000 fire panels, Instantel Micromate environmental monitors, and Santesoft medical imaging software. The flaws, ranging from firmware tampering and hard-coded passwords to missing authentication and memory corruption, pose high risks of remote exploitation and system compromise. CVSS scores for these vulnerabilities range from 8.2 to 9.3, highlighting their severity. While Siemens and Santesoft have issued patches, Consilium urges hardware upgrades. CISA advises organizations to immediately apply vendor mitigations, implement network segmentation, use VPNs for remote access, and maintain up-to-date asset inventories.
The feds are putting all your digital data in one basket.
The federal government’s quiet expansion of data-sharing efforts—enabled by President Trump’s March executive order—has sparked growing concern among privacy advocates, technologists, and civil liberties groups. Central to the initiative is Palantir, a data analytics firm now working across multiple federal agencies, including DHS, HHS, and the IRS, to integrate vast stores of personal data.
While the stated goal is to improve efficiency and break down information silos, the move raises serious questions about oversight, transparency, and the potential risks of centralizing sensitive information. Palantir’s Foundry platform can consolidate and analyze complex datasets, making it possible to create detailed profiles of individuals using data originally collected for other purposes.
Critics worry this level of integration—if not carefully governed—could erode public trust and expose citizens to unintended consequences. Even some Palantir employees have voiced discomfort with the direction of the company’s government work, highlighting the need for ongoing scrutiny and clear limits on how personal data is used.
Maybe the real efficiency was the friends’ personal information we consolidated along the way.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.