By the CyberWire staff
At a glance.
- DOGE's activities within Federal networks raise cybersecurity concerns.
- UK government has reportedly demanded a backdoor to encrypted iCloud accounts.
- Thailand cuts power to Myanmar to disrupt scam hubs.
- Abandoned cloud infrastructure creates major security risks.
- Researchers identify security issues in DeepSeek's iOS app.
- Five Eyes agencies issue security guidance for network edge devices.
- PoC exploit released for macOS kernel flaw.
- Ransomware payments dropped steeply in 2024.
DOGE's activities within Federal networks raise cybersecurity concerns.
CyberScoop has a roundup of cybersecurity concerns associated with the Department of Government Efficiency's (DOGE's) activities within Federal networks. The Elon Musk-led DOGE is technically an external advisory board established via executive order "to implement the President’s DOGE Agenda, by modernizing Federal technology and software to maximize governmental efficiency and productivity." The extent of its legal authority is unclear, however, and the lack of oversight has raised concerns surrounding DOGE workers' access to the Treasury Department’s payment systems and the Office of Personnel Management’s (OPM's) background check and clearance records.
The White House said on Monday that DOGE employees have "read-only" access to these systems, but WIRED reports that one of the workers has been granted administrative access. A former Federal government employee told CyberScoop, "These systems have now become untrusted, so once this is done and over, to have those systems back to the level of assurances they had on Jan. 20 will require a lot of work and a lot of resources."
The Washington Post reported on Thursday that the DOGE team is feeding troves of data from the Education Department into AI software to audit the department's spending. The Post cites sources as saying DOGE "is using AI software accessed through Microsoft’s cloud computing service Azure to pore over every dollar of money the department disburses, from contracts to grants to work trip expenses." The team plans to use this process across many other government departments and agencies. While the use of AI may increase efficiency, it also introduces security risks since the data is placed in the possession of the AI system's operator. These systems are also prone to errors and hallucinations. It's unclear which AI software the team is using.
UK government has reportedly demanded a backdoor to encrypted iCloud accounts.
The Washington Post reports that the UK government issued a secret legal demand last month ordering Apple to create a backdoor that would grant access to encrypted iCloud accounts. The demand was issued as a Technical Capability Notice under the UK's Investigatory Powers Act. The Post notes that the order "requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies."
The Post cites sources familiar with the matter as saying Apple will likely stop offering encrypted storage in the UK rather than comply with the demand, though this won't fulfill the UK's request for the ability to access iCloud accounts worldwide. Apple can appeal the demand to a secret technical panel, but UK law doesn't permit the company to delay compliance during the appeal.
Thailand cuts power to Myanmar to disrupt scam hubs.
The Thai government this week cut off power to five towns in Myanmar along the border of northern Thailand in an effort to disrupt online scam compounds, the Washington Post reports. Prime Minister Paetongtarn Shinawatra told the press, "We must take care of our people first. The impact on Thai people and our country’s image has been enormous. It’s time to take decisive action."
Organized criminal gangs set up compounds in the area following Myanmar's coup in 2021, using them as a base to launch various scams against victims worldwide. Many of the people working in these compounds are essentially slaves, tricked into taking the jobs under false pretenses. Most of the gangs are run by Chinese nationals, and a Chinese delegate visited Thailand last week to discuss cooperation in combating the syndicates.
Abandoned cloud infrastructure creates major security risks.
Researchers at watchTowr have published a report on the security risks posed by abandoned cloud infrastructure. The researchers focused on AWS S3 buckets, but noted that the same issues can apply to any cloud storage provider.
watchTowr discovered and took control of 150 neglected Amazon S3 buckets—some of which had once been used by governments, Fortune 500 companies, cybersecurity firms, and major open-source projects—that were still being pinged by organizations worldwide for software updates, system configurations, and critical files. One of the buckets was owned by the US Cybersecurity and Infrastructure Security Agency (CISA), which the researchers note "is an incredible example of how this challenge is ubiquitous and not limited to only the unenlightened." The report stresses that a threat actor could have abused these assets to launch devastating supply chain attacks.
The buckets discovered by watchTowr have since been sinkholed. An AWS spokesperson told CyberScoop in response to the research, "[T]he issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," adding that customers should follow best practices, including "using unique identifiers when creating bucket names to prevent unintended reuse, and ensuring applications are properly configured to reference only customer-owned buckets."
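The check AWS's advice implies is an inventory audit: find every S3 bucket your build scripts, update manifests and configs still reference, and flag any that your organisation no longer owns, since a deleted bucket name can be re-registered by anyone. The following is an added example (not watchTowr's or AWS's code) that parses the three URL forms S3 uses (`s3://bucket/key`, virtual-hosted `bucket.s3[.region].amazonaws.com`, and path-style `s3[.region|-region].amazonaws.com/bucket/`) and compares them with a set of owned bucket names. The sample config lines and the `OWNED_BUCKETS` set are constructed for illustration; in practice the set would be built from `aws s3api list-buckets` across all of your accounts.

```python
import re
import secrets
from urllib.parse import urlparse

# Constructed sample: lines as they might appear in build scripts, update
# manifests and configs. Two of the referenced buckets are no longer owned.
SAMPLE_CONFIG = """\
UPDATE_URL=https://releases-acme-prod.s3.amazonaws.com/agent/latest.tar.gz
BOOTSTRAP=https://s3.us-east-1.amazonaws.com/acme-bootstrap-2019/init.sh
aws s3 cp s3://acme-ci-artifacts-7f3a9c/build.zip .
FEED=https://s3-eu-west-1.amazonaws.com/legacy-acme-feed/rules.json
MIRROR=https://cdn.example.com/not-an-s3-reference
"""

# Constructed inventory of bucket names the organisation currently owns.
OWNED_BUCKETS = {"releases-acme-prod", "acme-ci-artifacts-7f3a9c"}

URL_RE = re.compile(r"(?:s3|https?)://[^\s\"']+")


def _is_s3_endpoint(labels):
    """True for host labels that form an S3 service endpoint (region part
    optional): s3 | s3.<region> | s3-<region>, i.e. no bucket in the host."""
    return (labels == ["s3"]
            or (len(labels) == 2 and labels[0] == "s3")
            or (len(labels) == 1 and labels[0].startswith("s3-")))


def bucket_from_url(url):
    """Return the bucket name referenced by an S3 URL, or None if the URL
    does not point at S3 at all."""
    p = urlparse(url)
    host = p.netloc.lower()
    path = p.path.lstrip("/")
    if p.scheme == "s3":
        return host or None
    if not host.endswith(".amazonaws.com"):
        return None
    labels = host[: -len(".amazonaws.com")].split(".")
    # Path-style: bucket is the first path segment.
    if _is_s3_endpoint(labels):
        return path.split("/", 1)[0] or None
    # Virtual-hosted: everything before the endpoint labels is the bucket
    # (bucket names may themselves contain dots, so scan the split points).
    for i in range(1, len(labels)):
        if _is_s3_endpoint(labels[i:]):
            return ".".join(labels[:i])
    return None


def audit(text, owned):
    """Return (line_number, bucket, url) for every S3 reference whose bucket
    is not in the owned set. Each hit is a dangling reference an attacker
    could satisfy by re-creating the bucket name."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            bucket = bucket_from_url(url)
            if bucket and bucket not in owned:
                findings.append((n, bucket, url))
    return findings


def unique_bucket_name(prefix):
    """AWS's recommendation applied: append an unguessable suffix so a name
    cannot be trivially predicted or reused. Keeps within the 63-char limit."""
    suffix = secrets.token_hex(6)
    return f"{prefix[:63 - len(suffix) - 1]}-{suffix}"


if __name__ == "__main__":
    for n, bucket, url in audit(SAMPLE_CONFIG, OWNED_BUCKETS):
        print(f"line {n}: unowned bucket '{bucket}' referenced by {url}")
```

Run against the sample, the audit flags the two legacy references (`acme-bootstrap-2019` and `legacy-acme-feed`) and ignores the non-S3 CDN line. A finding should be confirmed before remediation: if the bucket still exists under a different account, the reference is already under someone else's control; if it does not exist, an attacker could still create it, so the reference must be removed or repointed either way.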
Researchers identify security issues in DeepSeek's iOS app.
Researchers at NowSecure have identified numerous security and privacy issues in the DeepSeek iOS mobile app. The issues include extensive data collection, unencrypted data transmission, weak and hardcoded encryption keys, and insecure data storage. The researchers also note that the app sends data through ByteDance-controlled servers in China.
NowSecure recommends that enterprises "[i]mmediately remove the DeepSeek iOS app from managed and BYOD environments."
Five Eyes agencies issue security guidance for network edge devices.
Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have shared security guidance for producers of network devices and appliances. The guidance, produced by the UK's National Cyber Security Centre (NCSC), "outlines expectations for the minimum requirement for forensic visibility, to help network defenders secure organisational networks both before and after a compromise."
The guidance includes requirements for secure logging and data collection. The advisory notes, "Devices and appliances should support near-real-time log transfer using a standards-based protocol, protected using transport layer security (TLS) encryption in a recognised secure configuration. Log formats should be fully documented to allow third-party platforms and tools to ingest them and be machine readable using a standardised format."
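What "standards-based, machine readable, protected with TLS" looks like in practice: syslog messages in RFC 5424 format with structured data, framed with RFC 5425 octet counting and sent over a TLS 1.2+ connection that verifies the collector's certificate. The following is an added example, not code from the NCSC guidance or from any vendor, of the sender side of that arrangement. The event fields, hostname and enterprise number are constructed (32473 is the enterprise number IANA reserves for documentation); the collector address and certificate paths are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITY_LOCAL0 = 16
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed fixed timestamp so the output is reproducible.
SAMPLE_TS = datetime(2025, 2, 7, 12, 0, 0, tzinfo=timezone.utc)


def _sd_escape(value):
    """PARAM-VALUE must escape '\\', '"' and ']' (RFC 5424 section 6.3.3)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(hostname, appname, severity, fields, msg, msgid="-",
                   facility=FACILITY_LOCAL0, timestamp=None, sd_id="event@32473"):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    Event fields go into a structured-data element so any collector that
    understands RFC 5424 can parse them without a custom format."""
    pri = facility * 8 + SEVERITY[severity]
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    params = "".join(f' {k}="{_sd_escape(str(v))}"' for k, v in fields.items())
    return f"<{pri}>1 {ts} {hostname} {appname} - {msgid} [{sd_id}{params}] {msg}"


def frame_octet_counted(line):
    """RFC 5425 transport framing for syslog over TLS: 'MSG-LEN SP SYSLOG-MSG'.
    Length is in octets of the UTF-8 encoding, not characters."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def collector_tls_context(ca_file=None, client_cert=None, client_key=None):
    """TLS settings the guidance asks for: TLS 1.2 minimum, the collector's
    certificate verified against a CA, hostname checked, and optionally a
    client certificate so the collector can authenticate the device."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def send(host, port, ctx, framed_messages):
    """Ship framed messages over one TLS connection (port 6514 is the IANA
    syslog-over-TLS port). Not exercised offline."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for framed in framed_messages:
                tls.sendall(framed)


if __name__ == "__main__":
    line = format_rfc5424("edge-fw-01", "fwd", "warning",
                          {"src": "10.0.0.5", "action": "deny"},
                          "Denied inbound connection", msgid="FW")
    print(line)
    # Placeholder collector and CA path; replace with your own.
    ctx = collector_tls_context(ca_file="/etc/ssl/certs/collector-ca.pem")
    send("collector.example.net", 6514, ctx, [frame_octet_counted(line)])
```

The design choice worth noting is that the parsing contract lives in the standard, not in the device: a collector needs only the documented `event@32473` field names, and the TLS context refuses plaintext or downgraded connections rather than falling back silently, so a failed transfer surfaces as an error instead of as logs quietly sent in the clear.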
PoC exploit released for macOS kernel flaw.
A proof-of-concept exploit has been released for a critical vulnerability affecting Apple’s macOS kernel, GB Hackers reports. The privilege escalation flaw (CVE-2025-24118) can allow attackers to execute code with kernel-level privileges. Apple released patches for the vulnerability last week, and users are urged to update their systems.
Ransomware payments dropped steeply in 2024.
Chainalysis has published a report finding that ransomware payments dropped by 35% in 2024, which the researchers believe was "driven by increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay." Victims paid a total of $813.55 million in ransoms last year, compared to a record-setting $1.25 billion in 2023.
Lizzie Cookson, Senior Director of Incident Response at Coveware, told Chainalysis, "The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV. We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands."
Crime and punishment.
Spanish police have arrested an 18-year-old man accused of launching cyberattacks against NATO, the United Nations, the US Army, the International Civil Aviation Organization (ICAO), and numerous Spanish government and law enforcement agencies. The Spanish National Police allege, "The detainee carried out multiple attacks on the IT services of national and international companies and entities, including public services and government agencies. He also claimed responsibility for the attacks on dark web forums under different pseudonyms to avoid being identified and linked to the criminal acts."
The police haven't specified which pseudonyms the suspect used, but SecurityWeek notes that the breaches line up with posts on underground forums by the threat actor "Natohub." Following the suspect's arrest, Natohub's account was permanently banned on BreachForums.