
Massive malware cleanup.
The FBI deletes PlugX malware from thousands of U.S. computers. Researchers uncover vulnerabilities in Windows 11 allowing attackers to bypass protections and execute code at the kernel level. A look at (a busy) Patch Tuesday. Researchers uncovered six critical vulnerabilities in a popular Linux file transfer tool. Texas sues Allstate for allegedly collecting, using, and selling driving data without proper consent. An executive order enables AI developers to build data centers on federal lands. On our Industry Voices segment, we are joined by Mike Hamilton, Chief Information Officer at Cloudflare, discussing how tech sprawl emulates the snake game. Meta profits while users suffer.
Today is Wednesday January 15th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The FBI deletes PlugX malware from thousands of U.S. computers.
The U.S. Department of Justice announced that the FBI has deleted PlugX malware, linked to the Chinese espionage group Mustang Panda, from over 4,200 U.S. computers. PlugX, active since 2008, is a powerful cyber espionage tool capable of data theft, keystroke logging, and command execution. This variant spread via USB drives, infecting devices across governments, dissident groups, and companies worldwide.
The operation was part of a global effort led by French law enforcement and cybersecurity firm Sekoia, which started dismantling the botnet in 2024. U.S. authorities obtained court orders to delete PlugX from infected computers without collecting user data. Notifications were sent to affected users.
Sekoia identified the botnet’s command server, which connected to 2.5 million devices globally, with 100,000 daily pings. PlugX’s source code, potentially leaked in 2015, complicates attribution, as various threat actors continue to exploit it. This takedown marks a significant win in combating cyber threats.
Researchers uncover vulnerabilities in Windows 11 allowing attackers to bypass protections and execute code at the kernel level.
Researchers from HN Security uncovered vulnerabilities in Windows 11’s Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), allowing attackers to bypass protections and execute code at the kernel level. VBS isolates memory for OS security, while HVCI prevents unauthorized drivers from loading. An exploit transforms an arbitrary pointer dereference vulnerability into a read/write primitive, enabling attackers to manipulate kernel memory and execute data-only attacks without triggering security mechanisms.
The techniques allow privilege escalation, disabling of Endpoint Detection and Response (EDR), and manipulation of Protected Process Light (PPL) features. These vulnerabilities affect Windows 11 (21H2 and later) and Windows Server 2016–2022 across x86, x64, and ARM64 systems. While Microsoft has addressed some kernel vulnerabilities, others remain exploitable. Researchers emphasize the importance of layered security beyond built-in OS features, as sophisticated attackers can still bypass advanced protections.
A look at (a busy) Patch Tuesday.
Microsoft’s January 2025 Patch Tuesday addressed eight zero-day vulnerabilities, three of which were actively exploited. These included elevation-of-privilege (EoP) flaws in Windows Hyper-V (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335), with a CVSS score of 7.8. Despite the moderate score, experts warned these vulnerabilities allow attackers to escalate privileges, disable security tools, and pivot within enterprise networks.
Additionally, five publicly disclosed zero-days, including EoP and spoofing vulnerabilities, were patched. Other critical updates addressed issues in Windows NTLM, multicast drivers, and OLE, with CVSS scores as high as 9.8. Experts emphasized the importance of automated patch management due to the 150 vulnerabilities fixed this month.
Google released Chrome 132, fixing 16 security flaws, including high-severity issues in its V8 engine and Skia graphics library. Researchers earned $37,000 in bug bounties. Meanwhile, Nvidia, Zoom, and Zyxel released patches for high-severity vulnerabilities, urging users to update to mitigate risks.
Ivanti resolved critical path traversal flaws in Endpoint Manager, while Apple patched a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP). This exploit posed significant risks by enabling rootkits and privileged malware installations.
Turning to industrial control systems, Schneider Electric, Siemens, Phoenix Contact, and CISA issued ICS security advisories for January 2025 Patch Tuesday. Schneider addressed nine vulnerabilities, including high-severity flaws in PowerLogic, SCADAPack x70, and Modicon products, with risks like privilege escalation, remote code execution, and information disclosure. Siemens published five advisories, covering vulnerabilities in Mendix, Siprotec 5, and Simatic S7-1200, some lacking patches. Phoenix Contact disclosed a cryptographic issue in CmDongle and a privilege escalation flaw in CHARX-SEC3xxx controllers. CISA released four ICS advisories, including critical vulnerabilities in Hitachi Energy Foxman-UN and a DoS flaw in Linphone-Desktop.
The updates underscore the need for proactive security practices, timely updates, and layered defenses to counter evolving threats. Organizations should prioritize patching critical vulnerabilities to prevent potential exploitation.
Researchers uncovered six critical vulnerabilities in a popular Linux file transfer tool.
Researchers uncovered six critical vulnerabilities in rsync, a popular Linux file transfer tool, with the most severe flaw (CVE-2024-12084, CVSS 9.8) allowing remote code execution on rsync servers with anonymous read access. Other issues include information leakage, path traversal, and privilege escalation vulnerabilities. The flaws affect all rsync versions prior to 3.4.0, released on January 14, 2025. Given rsync’s widespread use in backups and software distribution, experts urge immediate updates or mitigation by disabling checksum options in server configurations.
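A quick way for an administrator to triage that advice is to check the installed rsync release against 3.4.0 and, if it is older, check whether rsyncd.conf already refuses the client checksum option. The script below is an added example, not code from the briefing or from the rsync project; the 3.4.0 threshold and the "disable checksum options" mitigation are from the story, while spelling that mitigation as a `refuse options = checksum` line in rsyncd.conf, the sample configuration, and the `/etc/rsyncd.conf` path are this example's assumptions.

```shell
#!/bin/sh
# Added example: classify an rsync server as ok / mitigated / vulnerable
# for CVE-2024-12084, based on its version and its rsyncd.conf.
# Assumption: the mitigation is written as "refuse options = checksum".

# Pull "3.2.7" out of the first line of `rsync --version` output.
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when VERSION sorts before 3.4.0. Suffixes such as "pre1" are
# stripped, so a pre-release compares as its base release.
rsync_vulnerable_version() {
    rv=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//').   # trailing dot: cut always sees a delimiter
    rv_major=$(printf '%s\n' "$rv" | cut -d. -f1)
    rv_minor=$(printf '%s\n' "$rv" | cut -d. -f2)
    rv_patch=$(printf '%s\n' "$rv" | cut -d. -f3)
    # 3.4.0 becomes 3004000; anything smaller predates the fixed release
    rv_num=$(( ${rv_major:-0} * 1000000 + ${rv_minor:-0} * 1000 + ${rv_patch:-0} ))
    [ "$rv_num" -lt 3004000 ]
}

# Exit 0 when CONFIG_FILE has a "refuse options" line that lists checksum.
# A missing or unreadable file counts as "not refused".
rsyncd_refuses_checksum() {
    grep -Eiq '^[[:space:]]*refuse[[:space:]]+options[[:space:]]*=([^#]*[[:space:]])?checksum([[:space:]]|$)' "$1" 2>/dev/null
}

# Prints ok (fixed release), mitigated (old but refuses checksum) or
# vulnerable (old and the option is still accepted).
rsync_status() {  # VERSION CONFIG_FILE
    if ! rsync_vulnerable_version "$1"; then echo ok
    elif rsyncd_refuses_checksum "$2"; then echo mitigated
    else echo vulnerable; fi
}

# Constructed sample rsyncd.conf for the demonstration run below.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
uid = nobody
refuse options = checksum delete
[backup]
    path = /srv/backup
    read only = yes
EOF

LIVE=$(rsync --version 2>/dev/null | head -n 1)   # empty if rsync is absent
if [ -n "$LIVE" ]; then
    echo "installed rsync: $(rsync_status "$(rsync_version_from_banner "$LIVE")" /etc/rsyncd.conf)"
fi
echo "sample server on 3.2.7: $(rsync_status 3.2.7 "$SAMPLE_CONF")"
```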
Texas sues Allstate for allegedly collecting, using, and selling driving data without proper consent.
Texas Attorney General Ken Paxton has sued Allstate and its subsidiary Arity for allegedly collecting, using, and selling driving data from over 45 million Americans without proper consent. The companies reportedly embedded tracking software in popular apps like Life360 and GasBuddy to collect location and movement data every 15 seconds. This data was used to profile driving habits and adjust insurance premiums, and was sold to other insurers.
The lawsuit claims violations of the Texas Data Privacy and Security Act (TDPSA), the Data Broker Law, and the Texas Insurance Code. It alleges deceptive practices, including purchasing location data from automakers like Toyota and Mazda to refine pricing.
The suit seeks civil penalties, consumer restitution, data destruction, and an injunction to halt these practices. Allstate denies the allegations, asserting compliance with laws.
An executive order enables AI developers to build data centers on federal lands.
President Biden signed an executive order enabling AI developers to build gigawatt-scale data centers powered by clean energy on federal lands. The Departments of Defense, Energy, and Interior will identify suitable locations with minimal community impact and accessible transmission infrastructure. Developers must fully fund and match data center electricity demand with clean energy to avoid burdening consumers with higher energy costs.
This initiative addresses skyrocketing energy needs for AI, highlighted by a 2024 DOE report noting grid strain from hyperscale facilities. Agencies will evaluate AI infrastructure’s impact on energy prices and explore ways to integrate new clean energy sources.
The order also includes safeguards for computing hardware on federal sites, aiming to maintain U.S. leadership in AI and clean energy as competition with China intensifies. Implementation challenges may arise with the upcoming Washington transition.
Coming up next, we’ve got our Industry Voices segment with Cloudflare Chief Information Officer Mike Hamilton. Mike talks about how tech sprawl resembles the old school snake game. And, now on Instagram, turn your scroll into a stroll through AI's ethical gray areas. We’ll be right back.
Welcome back.
Meta profits while users suffer.
An article from 404 Media examines Meta’s uneven moderation policies, and how they enable harm on a massive scale. The company profits from ads promoting Crushmate, an AI app that creates nonconsensual nude images. Despite banning explicit content, Meta platforms like Facebook and Instagram have allowed Crushmate to run thousands of ads featuring doctored videos of real women, including influencers and OnlyFans creators like Sophie Rain and Mikayla Demaiter. These ads violate Meta’s policies, yet they remain live, exploiting loopholes that allow the app to evade detection.
Crushmate’s ads account for 90% of the app’s traffic, according to Similarweb. They show how easily Meta’s systems can be manipulated by bad actors who create fake profiles and redirect URLs. Although flagged repeatedly, hundreds of similar ads remain active, amplifying the app’s reach and harm.
Disturbingly, while individual users uploading explicit images face swift removal, advertisers like Crushmate are held to laxer standards when they pay Meta. This double standard prioritizes profit over the safety of those victimized by the app, including minors, as generative AI tools like this make it easy to target anyone. Meta’s failure to proactively address this issue raises serious questions about its commitment to user safety.
The harm extends beyond privacy violations. By allowing ads that promote the app, Meta not only facilitates exploitation but actively profits from it, making a mockery of its supposed Community Standards. Victims deserve better safeguards from platforms that claim to protect them.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.