The CyberWire Daily Podcast 1.9.25
Ep 2221 | 1.9.25

Biden’s final cyber order tackles digital weaknesses.

Transcript

The Biden administration is finalizing an executive order to bolster U.S. cybersecurity. Ivanti releases emergency updates to address a critical zero-day vulnerability. A critical vulnerability is discovered in Kerio Control firewall software. Palo Alto Networks patches multiple vulnerabilities in its retired migration tool. Fake exploits for Microsoft vulnerabilities lure security researchers. A medical billing company data breach affects over 360,000. A cyberattack disrupts the city of Winston-Salem. CrowdStrike identifies a phishing campaign exploiting its recruitment branding. Our guest is Danny Allan, CTO from Snyk, sharing how a balanced approach between AI and human oversight can strengthen cybersecurity. The worst of the worst from CES.

Today is January 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Biden administration is finalizing an executive order to bolster U.S. cybersecurity. 

The Biden administration is finalizing an executive order to bolster U.S. cybersecurity in its final days, following major breaches during Biden’s term, including a Treasury Department hack attributed to a Chinese group, Silk Typhoon. The order emphasizes “strong identity authentication and encryption” for government communications. This would protect sensitive information, even if systems are breached, by ensuring hackers cannot access encrypted documents.

The Treasury hack reportedly involved stolen digital keys from BeyondTrust, a third-party provider, granting access to unclassified sanctions-related data. The executive order also proposes securing cryptographic keys via hardware security modules and tightening access management for federal contractors. Additionally, it mandates that software vendors demonstrate adherence to cybersecurity standards, like fixing known vulnerabilities and using multifactor authentication.

It’s unclear if the incoming Trump administration will retain the order, as Trump has signaled intentions to roll back federal regulations, including on artificial intelligence safeguards.

Ivanti releases emergency updates to address a critical zero-day vulnerability. 

Ivanti has released emergency updates to address a critical zero-day vulnerability actively exploited by suspected Chinese nation-state attackers. The flaw, CVE-2025-0282, affects Ivanti Connect Secure (ICS) VPN devices and allows remote code execution. Ivanti recommends factory resetting devices before applying the update to remove potential malware that may fake the update process.

A second vulnerability, CVE-2025-0283, also a stack-based buffer overflow, has a high severity rating but hasn’t been exploited in the wild. Ivanti also warns that similar vulnerabilities exist in its Policy Secure and Neurons for Zero Trust Access gateways, with patches expected by January 21.

Attackers have used malware to block legitimate updates, creating a fake update facade. Ivanti credits Mandiant and Microsoft’s Threat Intelligence Center for discovering the flaws. The U.S. CISA and the UK’s NCSC urge immediate action, highlighting the risks to critical edge devices and advising organizations to review networks for signs of intrusion.

A critical vulnerability is discovered in Kerio Control firewall software. 

A critical vulnerability, CVE-2024-52875, in Kerio Control firewall software (versions 9.2.5–9.4.5) allows attackers to achieve 1-click remote code execution (RCE). Discovered by Egidio Romano, the flaw stems from improper input sanitization in several interface pages, enabling HTTP Response Splitting and Open Redirect attacks, potentially leading to severe consequences like gaining root access to the firewall.

Initially deemed low-risk, it was reclassified as high severity (CVSS 8.8) due to exploitation potential via an older vulnerability. GFI Software, the vendor, has been notified, but no patches are available yet. 
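The passage above names the vulnerability classes (HTTP response splitting and open redirect via unsanitized input) without showing them. The following is an added illustration, not Kerio Control's or GFI's code: a minimal redirect handler that is open to both issues, beside a hardened version. The parameter name "dest", the appliance hostname "firewall.example" and the sample inputs are assumptions made for the demonstration.

```python
"""
Added example, not Kerio Control's or GFI's code: a redirect handler that is
open to HTTP response splitting and open redirect through an unsanitized
parameter, beside a hardened version. "dest", "firewall.example" and the
sample inputs below are assumptions made for the demonstration.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample inputs
BENIGN = "/dashboard"
SPLITTING = "/x\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"
OPEN_REDIRECT = "https://evil.example/phish"
PROTOCOL_RELATIVE = "//evil.example/phish"

ALLOWED_HOSTS = {"firewall.example"}  # assumption: the appliance's own name


def build_response_vulnerable(dest: str) -> bytes:
    """Copies the caller-controlled value straight into the Location header.
    A CR/LF in `dest` ends the header line, so the attacker can append headers
    and a body (response splitting); any absolute URL is honoured as-is (open
    redirect)."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


class BadRedirect(ValueError):
    """Raised when a redirect target fails validation."""


def safe_location(dest: str) -> str:
    """Validate and canonicalise a redirect target.

    The control-character check runs on the raw string first on purpose:
    urlsplit() silently strips CR, LF and TAB, so checking after parsing
    would miss exactly the bytes that split a response.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise BadRedirect("control character in redirect target")
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to our own host.
        if parts.scheme not in ("http", "https") or parts.netloc not in ALLOWED_HOSTS:
            raise BadRedirect("redirect target leaves the appliance")
    elif not parts.path.startswith("/") or parts.path.startswith("//"):
        # A relative target must be an absolute path; "//" would be host-relative.
        raise BadRedirect("relative target must be an absolute path")
    # Rebuild from parsed components so only validated pieces reach the header.
    return urlunsplit(parts)


def build_response_hardened(dest: str) -> bytes:
    """Same handler with validation; invalid targets get a 400, not a 302."""
    try:
        location = safe_location(dest)
    except BadRedirect as exc:
        body = f"Bad redirect target: {exc}".encode()
        return (
            "HTTP/1.1 400 Bad Request\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n"
        ).encode() + body
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes):
    """Split a raw response the way a naive client would: header lines up to
    the first blank line, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode().split("\r\n"), body


if __name__ == "__main__":
    headers, body = parse_response(build_response_vulnerable(SPLITTING))
    print("vulnerable headers:", headers)
    print("vulnerable body starts:", body[:24])
    print("hardened:", parse_response(build_response_hardened(SPLITTING))[0][0])
```

Run as-is to see the injected `Set-Cookie` header and attacker-supplied body come out of the vulnerable handler while the hardened one answers 400. The point of the hardened version is allow-listing the destination and rebuilding the header from parsed components; stripping CR/LF alone would still leave the open redirect.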

Palo Alto Networks patches multiple vulnerabilities in its retired migration tool. 

Palo Alto Networks has patched multiple vulnerabilities in its retired Expedition migration tool, including a high-severity SQL injection flaw (CVE-2025-0103, CVSS 7.8). This flaw allows authenticated attackers to access sensitive data, such as usernames, passwords, and device configurations, and manipulate files on the system. Expedition, retired as of December 31, 2024, will no longer receive updates or security fixes, and users are urged to find alternatives.

Expedition version 1.2.101 resolves the flaw and four additional medium- and low-severity issues. Palo Alto also updated Prisma Access Browser to address six Chromium vulnerabilities, including two critical flaws in the V8 JavaScript engine. While no exploitation has been reported for the latest vulnerabilities, CISA previously warned about critical Expedition flaws exploited in attacks. Users should restrict network access to Expedition or deactivate it if unused.

Fake exploits for Microsoft vulnerabilities lure security researchers. 

Security researchers are being targeted again, this time with fake exploits for Microsoft vulnerabilities. Trend Micro identified a malicious version of a legitimate proof-of-concept (PoC) exploit for LDAPNightmare, a denial-of-service bug (CVE-2024-49113) patched in December. The counterfeit PoC replaces Python files with a malicious executable that delivers a PowerShell script, which downloads malware to steal user data.

LDAPNightmare highlights two critical vulnerabilities, including CVE-2024-49112 (severity 9.8), both significant due to LDAP’s widespread use in Windows environments. While experienced researchers may spot red flags, such as executables in Python projects, these lures still exploit trending issues to target a broader audience.
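The red flags named above (a native executable inside a supposedly pure-Python proof of concept, and a hand-off to PowerShell) can be checked mechanically before anything in a downloaded repository is run. The following is an added example, not Trend Micro's tooling or the original PoC: it audits a directory tree for PE files by magic bytes regardless of extension, for executable extensions, and for PowerShell download/execute patterns. The sample repository it scans is constructed in a temporary directory for the demonstration.

```python
"""
Added example, not Trend Micro's tooling or the PoC project's code: a
pre-flight audit of a downloaded proof-of-concept tree. The sample tree is
constructed here in a temp directory; nothing is fetched from the network.
"""
import os
import tempfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1"}
PE_MAGIC = b"MZ"  # DOS/PE header, present on every Windows executable
SUSPICIOUS_TEXT = (
    "powershell", "-encodedcommand", "-enc ", "invoke-expression", "iex ",
    "downloadstring", "frombase64string", "bitsadmin", "certutil -urlcache",
)
READ_LIMIT = 1 << 20  # PoC repos are small; cap reads at 1 MiB per file


def audit_poc_tree(root):
    """Return sorted (relative_path, reason) findings for a directory tree."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(READ_LIMIT)
            # A renamed binary still starts with "MZ"; check content first.
            if data.startswith(PE_MAGIC):
                findings.append((rel, "PE executable by magic bytes"))
            elif ext in EXEC_EXTENSIONS:
                findings.append((rel, f"executable extension {ext}"))
            lowered = data.decode("utf-8", errors="ignore").lower()
            hits = [s for s in SUSPICIOUS_TEXT if s in lowered]
            if hits:
                findings.append((rel, "powershell download/exec pattern: " + ", ".join(hits)))
    return sorted(findings)


def build_sample_tree():
    """Write a constructed look-alike PoC repo and return its path."""
    root = tempfile.mkdtemp(prefix="poc-audit-")
    files = {
        "README.md": b"# LDAP PoC\nRun: python exploit.py --target <dc>\n",
        "requirements.txt": b"impacket\n",
        "exploit.py": b"import subprocess\nsubprocess.run(['poc.exe'])\n",
        # constructed: a PE renamed to look like a Python module
        "lib/helper.py": b"MZ\x90\x00" + b"\x00" * 60,
        "poc.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "run.bat": b"powershell -nop -w hidden -enc SQBFAFgA\r\n",
    }
    for key, content in files.items():
        path = os.path.join(root, *key.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, why in audit_poc_tree(build_sample_tree()):
        print(f"{rel}: {why}")
```

The magic-byte check is the one that matters: an executable with a `.py` or no extension still carries the `MZ` header, while the extension list only catches the lazy case. Treat any hit as a reason to read the repository diff against the upstream source before running anything.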

This tactic follows a pattern of attackers targeting researchers, including incidents involving North Korean operatives. Previous cases have seen state-sponsored attackers use social media deception, zero-day exploits, and backdoored tools to compromise experts at major tech firms. 

A medical billing company data breach affects over 360,000. 

Medusind, a U.S.-based medical and dental billing company, suffered a data breach affecting over 360,000 individuals. Exposed data includes health insurance details, medical records, payment information, government IDs, and contact information, though impacted data varies per person. Threat actors could exploit this information for medical identity theft or financial fraud.

The breach, discovered on December 29, 2023, involved stolen files containing personal information. Medusind has offered affected individuals 24 months of free credit monitoring and identity protection through Kroll. The company, headquartered in Miami, Florida, serves thousands of healthcare providers across the U.S. and India.

Meanwhile, Excelsior Orthopaedics, a New York-based healthcare provider, experienced a ransomware attack in June 2024, compromising the personal and health information of approximately 357,000 individuals. The breach affected patients and employees of Excelsior and related entities, including Buffalo Surgery Center and Northtowns Orthopaedics.

Exposed data includes names, Social Security numbers, medical records, diagnosis and treatment details, and more. Initially thought to impact only employees, the breach’s scope was later found to include patient data. The Monti ransomware gang claimed responsibility, stealing 300 GB of data, now publicly available.

Excelsior disconnected external access to its network and continues recovery efforts. Affected individuals have been offered 12 months of free credit monitoring and fraud assistance services. The company has not confirmed the specific type of attack but acknowledges significant data compromise.

A cyberattack disrupts the city of Winston-Salem. 

A post-Christmas cyberattack disrupted online utility payment systems in Winston-Salem, North Carolina, affecting 250,000 residents and nearby Forsyth County. Discovered on December 26, the attack forced the city to take systems offline, though fire and police services remain unaffected. Residents can pay bills in person without late penalties.

City officials, working with state and federal agencies, have yet to restore full services. The attack coincides with severe weather communication challenges and follows similar incidents across North Carolina. The state prohibits government entities from paying ransoms under a 2022 law.

CrowdStrike identifies a phishing campaign exploiting its recruitment branding. 

On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to distribute malware. The attack uses phishing emails impersonating CrowdStrike recruitment to direct victims to a malicious site offering downloads of a fake “employee CRM application.” The downloaded executable, written in Rust, acts as a downloader for the cryptominer XMRig.

The malware employs evasion tactics, such as debugger detection, process checks, and sandbox avoidance, before downloading and running XMRig. It establishes persistence by creating batch scripts in the Startup directory and adding registry entries to re-execute on system logon.
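Both persistence mechanisms described above (a batch script in a Startup folder and a Run-key registry value) are visible in endpoint telemetry. The following is an added detection example, not CrowdStrike's code: it hunts Sysmon-style file-create and registry-set records for those two mechanisms and correlates them by the writing process. The events and field names (EventID, Image, TargetFilename, TargetObject, Details) are constructed to follow Sysmon's conventions for the demonstration.

```python
"""
Added detection example, not CrowdStrike's code: hunt Sysmon-style events for
Startup-folder batch scripts and Run-key values, then correlate by process.
SAMPLE_EVENTS is constructed for the demonstration.
"""
import re
from collections import defaultdict

# Per-user and all-users Startup folders share this tail; only .bat/.cmd here.
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd)$",
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# A process image living in a user-writable location is itself a weak signal.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)

# Constructed sample telemetry (Sysmon-like records as dicts)
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\jdoe\Downloads\employee-crm-setup.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crm.bat"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\Downloads\employee-crm-setup.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\crm",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\crm.bat"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\Documents\notes.docx"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def classify(event):
    """Return a mechanism tag for one event, or None if it is uninteresting."""
    eid = event.get("EventID")
    if eid == 11 and STARTUP_DIR.search(event.get("TargetFilename", "")):
        return "startup_batch_script"
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run_key_value"
    return None


def hunt(events):
    """Group mechanism hits by the writing process.

    One image using two different mechanisms, or an image that runs from a
    user-writable path, is rated high; a lone Run-key write from a system
    installer is the common benign case and stays medium.
    """
    by_image = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_image[ev.get("Image", "?")].add(tag)
    findings = []
    for image, tags in by_image.items():
        high = len(tags) > 1 or bool(USER_WRITABLE.search(image))
        findings.append({
            "image": image,
            "mechanisms": sorted(tags),
            "confidence": "high" if high else "medium",
        })
    return sorted(findings, key=lambda f: f["image"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['confidence']:6} {f['image']}  {f['mechanisms']}")
```

The correlation step is what keeps this usable: Run-key writes by installers are routine, and a single Startup-folder shortcut is common, but the same unsigned binary from a Downloads folder doing both in one session is the pattern described in the campaign.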

Victims are urged to verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files. CrowdStrike emphasizes that it does not ask candidates to download software for interviews or process payments. Organizations should educate employees on phishing risks, monitor suspicious activity, and implement endpoint protection to mitigate such threats. 

Up next, we’ve got my conversation with Snyk’s CTO Danny Allan about how a balanced approach between AI and human oversight can strengthen cybersecurity. And, hear about worst in show, aka when your fridge knows too much about you, but still can't keep secrets. We’ll be right back.

Welcome back.

The worst of the worst from CES. 

And finally, CES is all about futuristic gadgets designed to improve lives—but sometimes, innovation veers into eyebrow-raising territory. Enter the “Worst in Show” awards, where dystopia experts highlight the most repair-challenged, privacy-invading, and unsustainable tech.

Topping the list of facepalms? Ultrahuman’s $2,200 “Luxury Smart Ring,” which lasts just 500 charges before becoming irreparable bling. “Two years of use for that price? A new low,” quipped iFixit CEO Kyle Wiens.

Next up, Bosch’s AI-powered crib, promising to rock babies to sleep and track their vitals. The Electronic Frontier Foundation dubbed it “surveillance for your infant,” packing cameras, mics, and radar into what should be a privacy-safe sanctuary.

The “least sustainable” prize? SoundHound AI’s in-car commerce system, encouraging wasteful takeout and distracted driving. And TP-Link’s router won “least secure,” thanks to vulnerabilities that prioritize government alerts over user safety.

Finally, the overall “winner”? LG’s AI fridge—flashy, pricey, and doomed to premature obsolescence.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.