
National security in the digital age.
A draft cybersecurity executive order from the Biden administration seeks to bolster defenses. Researchers identify a “mass exploitation campaign” targeting Fortinet firewalls. A Chinese-language illicit online marketplace is growing at an alarming rate. CISA urges patching of a second BeyondTrust vulnerability. The UK proposes banning ransomware payments by public sector and critical infrastructure organizations. A critical flaw in Google’s authentication flow exposes millions to unauthorized access. OWASP releases its first Non-Human Identities (NHI) Top 10. A Microsoft lawsuit targets individuals accused of bypassing safety controls in its Azure OpenAI tools. Our guest is Chris Pierson, Founder and CEO of BlackCloak, discussing digital executive protection. The feds remind the health care sector that AI must first do no harm.
Today is Tuesday, January 14th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A draft cybersecurity executive order from the Biden administration seeks to bolster defenses.
A draft cybersecurity executive order from the Biden administration seeks to bolster defenses across federal agencies, contractors, and even outer space, CyberScoop reports. Aimed at countering threats like those from China and cybercriminals, the order assigns agencies 53 tasks over timelines spanning 30 days to three years. Measures include encrypting federal email, strengthening contractor security oversight, and enhancing the Cybersecurity and Infrastructure Security Agency’s (CISA) ability to detect threats across federal systems.
The order also addresses broader issues like cybercrime, artificial intelligence (AI), and quantum computing. It calls for using AI to protect critical infrastructure and directs agencies to advance post-quantum cryptography. Space systems, deemed vital to national security, would undergo continuous cybersecurity assessments.
Recognizing the burden of minimum cybersecurity standards on private industry, the Commerce Department is tasked with developing guidance on common practices. While ambitious in scope, the order underscores the urgency of addressing evolving cyber threats.
Researchers identify a “mass exploitation campaign” targeting Fortinet firewalls.
Security researchers have identified a “mass exploitation campaign” targeting Fortinet firewalls, likely using an unpatched zero-day vulnerability. The attacks, which began in November 2024 and peaked in December, involved gaining access to FortiGate firewalls with exposed management interfaces. Arctic Wolf Labs observed tens of intrusions, with attackers altering configurations, creating admin accounts, and exploiting SSL VPN access to steal credentials and enable lateral movement.
The attacks used automated login attempts via spoofed IPs on web-based CLI ports, with changes to firewall settings starting in late November. Significant configuration changes occurred between December 4 and 7. While attackers were removed before completing their objectives, researchers suggest ransomware may have been a motive.
Fortinet has acknowledged the issue is under investigation but has not confirmed the vulnerability or issued a patch. Affected firmware includes versions released between February and October 2024. Security teams are advised to monitor systems and implement mitigations immediately.
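The sequence described above (automated logins against an exposed management interface from many source addresses, a new administrator account, then configuration changes) is the kind of management-plane activity a defender wants to alert on while a patch is pending. The following Python is an added example, not code from the briefing, Arctic Wolf Labs, or Fortinet. The log lines are constructed in a simplified key=value form rather than FortiGate’s real syslog schema, the trusted management network 10.0.0.0/8 is an assumption, and the rules are deliberately simple: a burst of distinct sources attempting management logins, creation of a privileged account, and configuration changes from outside the trusted range.

```python
# Added example: not code from the briefing, Arctic Wolf Labs, or Fortinet.
# The log lines below are constructed in a simplified key=value format (not
# FortiGate's real syslog schema) purely to exercise the detection rules.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events: a burst of admin logins from several sources
# against the management interface, a new super_admin account created by the
# source that succeeded, a later SSL VPN config change, and one benign login.
SAMPLE_LOGS = """\
ts=2024-11-22T02:14:05Z src=198.51.100.7 action=login user=admin result=fail iface=mgmt
ts=2024-11-22T02:14:07Z src=198.51.100.8 action=login user=admin result=fail iface=mgmt
ts=2024-11-22T02:14:08Z src=198.51.100.9 action=login user=admin result=fail iface=mgmt
ts=2024-11-22T02:14:09Z src=203.0.113.4 action=login user=admin result=success iface=mgmt
ts=2024-11-22T02:15:30Z src=203.0.113.4 action=user_add user=svc_backup profile=super_admin
ts=2024-12-05T11:02:11Z src=203.0.113.4 action=config_change object=vpn.ssl.settings
ts=2024-12-06T09:00:00Z src=10.0.0.5 action=login user=netops result=success iface=mgmt
"""

# Assumption: administrators are only expected to reach the management plane
# from this internal range.
TRUSTED_MGMT_NET = ipaddress.ip_network("10.0.0.0/8")
PRIVILEGED_PROFILES = {"super_admin"}


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict with a parsed timestamp."""
    event = dict(kv.split("=", 1) for kv in line.split())
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_trusted_source(src: str) -> bool:
    return ipaddress.ip_address(src) in TRUSTED_MGMT_NET


def detect(lines, burst_window=timedelta(minutes=5), burst_sources=3):
    """Return (kind, timestamp, detail) alerts sorted by time."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []

    # Rule 1: many distinct sources hitting the management login within a
    # short window (the spoofed-IP login pattern), regardless of outcome.
    window_start, sources = None, set()

    def flush():
        if window_start is not None and len(sources) >= burst_sources:
            alerts.append(("login_burst", window_start,
                           f"{len(sources)} sources attempted mgmt login"))

    for e in events:
        if e["action"] != "login" or e.get("iface") != "mgmt":
            continue
        if window_start is None or e["ts"] - window_start > burst_window:
            flush()
            window_start, sources = e["ts"], set()
        sources.add(e["src"])
    flush()

    # Rules 2 and 3: privileged account creation (any source) and config
    # changes originating outside the trusted management network.
    for e in events:
        if e["action"] == "user_add" and e.get("profile") in PRIVILEGED_PROFILES:
            alerts.append(("admin_account_created", e["ts"],
                           f"{e['user']} created by {e['src']}"))
        elif e["action"] == "config_change" and not is_trusted_source(e["src"]):
            alerts.append(("config_change_untrusted_source", e["ts"],
                           f"{e.get('object')} changed from {e['src']}"))

    alerts.sort(key=lambda a: a[1])
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in detect(SAMPLE_LOGS.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {detail}")
```

On the constructed sample the three rules fire once each, in time order; the benign internal login on December 6 produces nothing. In a real deployment the parser would be replaced by the vendor’s actual log schema and the trusted range by the organization’s management VLAN, but the shape of the rules (source diversity on the login path, privileged account creation, and configuration change provenance) carries over.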
A Chinese-language illicit online marketplace is growing at an alarming rate.
The scam ecosystem is thriving, with Huione Guarantee emerging as a dominant player in enabling online fraud. A story in Wired says this Chinese-language marketplace, described as the “largest illicit online marketplace,” has reportedly facilitated $24 billion in transactions, doubling its activity in under a year. Offering services like escrow, money laundering, victim data sales, and deepfake tools, Huione has become a one-stop shop for scammers. Its activities, mostly on Telegram, utilize the Tether stablecoin for transactions and include gambling-like platforms suspected of laundering money.
Despite efforts to expand with proprietary tools like a stablecoin, crypto exchange, and messaging service, Huione still relies heavily on centralized platforms like Telegram and Tether—potential vulnerabilities for law enforcement. Elliptic researchers stress the platform’s critical role in industrializing online scams and its growing influence, warning of the challenges posed if Huione becomes fully independent. Suppressing its operations now could significantly disrupt global scam networks.
CISA urges patching of a second BeyondTrust vulnerability.
The US cybersecurity agency CISA is urging federal agencies to patch a second vulnerability, CVE-2024-12686, in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) solutions after evidence of active exploitation. The medium-severity flaw, allowing remote command execution, was identified during an investigation into a Chinese state-sponsored attack on the US Treasury, attributed to the Silk Typhoon group. Agencies must patch by February 3 per federal mandates, while organizations are advised to prioritize addressing this and related vulnerabilities.
The UK proposes banning ransomware payments by public sector and critical infrastructure organizations.
The UK government has proposed banning ransomware payments by public sector and critical infrastructure organizations to deter attacks on essential services like hospitals, schools, and transportation. Part of a 12-week Home Office consultation, the measures include mandatory reporting of ransomware incidents to boost intelligence sharing and assist international law enforcement efforts, such as Operation Cronos against the LockBit gang.
The plan also suggests a ransomware payment prevention regime to guide victims and block payments to criminal groups. While the proposals aim to disrupt ransomware actors’ financial incentives, experts warn of unintended consequences, such as increased targeting of private businesses and prolonged disruptions to critical services.
Ransomware remains the UK’s most immediate cyber threat, with attacks on public services causing significant disruptions, data breaches, and economic losses in recent years.
A critical flaw in Google’s authentication flow exposes millions to unauthorized access.
A critical flaw in Google’s “Sign in with Google” authentication flow exposes millions of accounts to unauthorized access, particularly for users of failed startups. The vulnerability stems from Google’s OAuth implementation, which ties access claims to email domains. Attackers can exploit this by purchasing domains of defunct companies, recreating email accounts, and accessing sensitive SaaS platform data like HR systems and private chats.
The issue is exacerbated by inconsistent unique user identifiers (sub claims) in Google’s system, leaving many platforms reliant on domain claims for authentication. Sensitive data such as Social Security numbers and pay stubs are at risk, with over 100,000 vulnerable domains identified.
Initially dismissed by Google, the case was reopened after a security researcher demonstrated its impact. Google has promised a fix but provided no timeline. Meanwhile, users are urged to enable SSO with 2FA for critical services.
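The weakness described above is a relying party that maps a Google ID token to an internal account using claims that follow domain ownership (the email address and the hosted domain) rather than the user’s stable identifier. The following Python is an added example, not code from the briefing, the reporting researcher, or Google. The account store, the `sub` values and the email address are constructed, token signature and audience validation are assumed to have already happened, and the example assumes `sub` is stable for a given Google account (the briefing notes inconsistencies in practice, which is precisely why many platforms fell back on domain claims).

```python
# Added example: not code from the briefing, the reporting researcher, or
# Google. It models a SaaS login step that consumes an ID token whose
# signature has ALREADY been verified, and contrasts two ways of mapping the
# token to an internal account. Assumption: `sub` is stable per Google account.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdTokenClaims:
    """The claims relevant to account lookup (a subset of a real ID token)."""
    sub: str    # per-user identifier issued by Google; does not follow a domain
    email: str  # mailbox address; re-creatable by whoever controls the domain
    hd: str     # hosted (Workspace) domain; also follows domain ownership


@dataclass
class Account:
    account_id: str
    sub: str
    email: str


class AccountStore:
    """In-memory user table for a hypothetical SaaS app (constructed)."""

    def __init__(self) -> None:
        self._by_sub: dict[str, Account] = {}
        self._by_email: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self._by_sub[acct.sub] = acct
        self._by_email[acct.email.lower()] = acct

    def login_by_email(self, claims: IdTokenClaims) -> Optional[Account]:
        """Weak pattern: any holder of a valid token for that address, including
        a mailbox re-created under a re-registered domain, gets the account."""
        return self._by_email.get(claims.email.lower())

    def login_by_sub(self, claims: IdTokenClaims) -> Optional[Account]:
        """Mitigation: match on `sub`; a new identity with the same address is
        unknown to the store and gets no access to the old account."""
        return self._by_sub.get(claims.sub)


def build_scenario():
    """Constructed scenario: an employee of a startup that later folds, then a
    token for the same address issued after someone else registers the domain."""
    store = AccountStore()
    store.add(Account(account_id="acct-0001",
                      sub="sub-original-7f3a",          # constructed value
                      email="alice@defunct-startup.example"))
    token_original = IdTokenClaims(sub="sub-original-7f3a",
                                   email="alice@defunct-startup.example",
                                   hd="defunct-startup.example")
    # Same email and hd, but Google mints a different sub for the new mailbox.
    token_after_reregistration = IdTokenClaims(sub="sub-new-tenant-91c2",  # constructed value
                                               email="alice@defunct-startup.example",
                                               hd="defunct-startup.example")
    return store, token_original, token_after_reregistration


if __name__ == "__main__":
    store, t_orig, t_new = build_scenario()
    hijacked = store.login_by_email(t_new)
    blocked = store.login_by_sub(t_new)
    print("email-keyed lookup grants:", hijacked.account_id if hijacked else None)
    print("sub-keyed lookup grants:", blocked.account_id if blocked else None)
```

The email-keyed lookup hands the old employee’s account to the new token holder; the `sub`-keyed lookup returns nothing, so the application would treat the login as a new, unrelated user. The advice in the briefing (SSO with 2FA) is aimed at users; for the relying party, the corresponding fix is to key accounts on `sub`, treat email and `hd` as display and tenant-routing data only, and deprovision accounts when a customer organization offboards rather than leaving them live behind a domain that may change hands.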
OWASP releases its first Non-Human Identities (NHI) Top 10.
OWASP has released its first Non-Human Identities (NHI) Top 10, addressing cybersecurity risks tied to automated systems like APIs, bots, and cloud services. With NHIs outnumbering human credentials 10-to-50 times in organizations, they represent a massive attack surface for cybercriminals. Vulnerabilities such as secret leakage, overprivileged accounts, and insecure cloud deployments are key risks.
Recent breaches, including Microsoft’s Midnight Blizzard attack and Okta’s support system compromise, highlight the need for stronger NHI management. OWASP’s guidance emphasizes mitigation strategies like ephemeral credentials, least privilege policies, and advanced tooling for managing NHIs at scale. As automation expands, securing NHIs becomes critical for resilience against cyber threats. The report provides a roadmap for prioritizing actions and strengthening identity management in today’s highly interconnected digital landscape.
A Microsoft lawsuit targets individuals accused of bypassing safety controls in its Azure OpenAI tools.
Microsoft has filed a lawsuit against 10 unnamed individuals accused of using a hacking-as-a-service scheme to bypass safety controls in its Azure OpenAI tools, including DALL-E. The defendants allegedly exploited stolen API keys and custom tools, like “de3u” and a reverse proxy service, to generate harmful content, violating Azure’s AI safeguards. Microsoft claims the individuals used software to mimic legitimate API requests, subverting checks designed to prevent abuse, such as generating violent or inappropriate images. The company first detected the exploitation in July 2024 and has since revoked access and implemented countermeasures. The lawsuit, filed in a Virginia court, seeks to seize related infrastructure, including a domain hosting the illicit service. Microsoft aims to disrupt the operation, gather evidence, and improve its AI security protocols.
Today’s guest is BlackCloak’s Founder and CEO Chris Pierson discussing digital executive protection. And, let’s not play favorites in healthcare. We’ll be right back.
Welcome back.
The feds remind the health care sector that AI must first do no harm.
Federal regulators are giving the healthcare sector a friendly nudge (or maybe a firm shove) to ensure that AI and other tech marvels don’t accidentally play favorites—or worse, discriminate. In a letter, HHS Office for Civil Rights Director Melanie Fontes Rainer reminded providers and insurers to align their AI use with Section 1557 of the ACA, which prohibits discrimination based on race, age, sex, disability, and other factors.
This isn’t just a polite suggestion; the law’s “affirmative requirements” kick in May 1, 2025, compelling healthcare entities to proactively root out potential biases in their AI tools. Easier said than done, though. Many organizations rely on third-party AI systems with complex, opaque algorithms, making it tricky to peek under the hood and spot issues.
Experts recommend auditing AI systems and ensuring diverse datasets during training, but even that’s a tall order when the tech feels like a black box. And don’t forget HIPAA! Fontes Rainer stressed that safeguarding patient privacy while navigating AI’s complexities is non-negotiable.
Adding to the mix, HHS rolled out a 200-page strategic AI plan, aiming to improve healthcare efficiency, equity, and safety while addressing AI-driven cybersecurity risks. Whether this ambitious vision survives a pending leadership change remains to be seen.
For now, healthcare providers are urged to plan ahead, because ignoring AI compliance isn’t just legally risky—it might also hurt patients. After all, the ultimate goal is tech that heals, not harms.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.