The CyberWire Daily Podcast 1.21.25
Ep 2228 | 1.21.25

Trump’s opening moves.

Transcript

President Trump rolls back AI regulations and throws TikTok a lifeline. Attackers pose as Ukraine’s CERT-UA tech support. A critical vulnerability is found in the Brave browser. Sophos observes hacking groups abusing Microsoft 365 services and exploiting default Microsoft Teams settings. Researchers uncover critical flaws in tunneling protocols. A breach exposes personal information of thousands of students and educators. Oracle patches 320 security vulnerabilities. Kaspersky reveals over a dozen vulnerabilities in a Mercedes-Benz infotainment system. Tim Starks from CyberScoop discusses executive orders on cybersecurity and the future of CISA. We preview coming episodes of Threat Vector. Honesty isn’t always the best policy. 

Today is Tuesday, January 21st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

President Trump rolls back AI regulations and throws TikTok a lifeline. 

Donald Trump was sworn in as the 47th President of the United States yesterday. Amongst a flurry of executive orders signed during the first few hours of his second term, President Trump revoked a 2023 executive order by President Biden aimed at reducing AI-related risks to consumers, workers, and national security. Biden’s order required AI developers to conduct safety tests, share results with the government, and establish testing standards under the Defense Production Act. Critics, including Republicans, claimed it stifled innovation. Meanwhile, Biden issued a separate order to support AI data centers’ energy needs, which Trump left intact, at least for now. 

TikTok resumed service in the U.S. after President Trump announced an extension of the 90-day deadline for the company to secure a U.S. buyer. The app had been shut down following a Supreme Court decision allowing a potential ban. Trump plans to issue an executive order to formalize the extension, but TikTok must still find a buyer to avoid another ban. While accessible to existing users, the app remains unavailable for download on Google and Apple stores. Trump also suggested partial U.S. ownership of TikTok.

Attackers pose as Ukraine’s CERT-UA tech support. 

Ukrainian researchers uncovered a cyber campaign where attackers posed as Ukraine’s CERT-UA tech support to gain access to devices via AnyDesk, a legitimate remote desktop tool. The hackers falsely claimed to conduct “security audits,” exploiting trust and authority. CERT-UA clarified it only uses such tools with prior agreement and secure channels. The attackers, likely affiliated with Russia, often impersonate state agencies and apps. Ukraine faces a surge in cyberattacks, with CERT-UA detecting over 4,300 incidents in the past year, a 70% increase. These attacks primarily involve malware, phishing, and compromised accounts. Recent campaigns include phishing targeting military enterprises and fraudulent websites mimicking official platforms. Russian-linked actors, like Sandworm, continue to exploit vulnerabilities, escalating cybersecurity challenges for Ukraine.

A critical vulnerability is found in the Brave browser. 

A critical vulnerability in the Brave browser, tracked as CVE-2025-23086, affects desktop versions 1.70.x to 1.73.x, allowing malicious sites to impersonate trusted domains in file selector dialogs. The flaw misrepresents a site’s origin during file uploads or downloads, enabling attackers to exploit user trust. When combined with an open redirect vulnerability on trusted sites, this issue can facilitate phishing and malware distribution. It was disclosed by bug hunter Syarif Muhammad Sajjad.

Sophos observes hacking groups abusing Microsoft 365 services and exploiting default Microsoft Teams settings.

Sophos has observed two hacking groups, STAC5143 and STAC5777, abusing Microsoft 365 services and exploiting default Microsoft Teams settings to target organizations. These attackers, likely aiming for ransomware deployment and data theft, initiated chats and calls with internal users, posing as tech support. Using legitimate Microsoft tools like Quick Assist and Teams, they gained remote access to victim devices, deployed malware, and performed reconnaissance.

STAC5143, first seen in November 2024, used spam messages followed by Teams calls from accounts like “Help Desk Manager.” Attackers ran PowerShell commands, dropped malicious payloads, and installed backdoors. Techniques resemble those of FIN7 but with distinct methods.

STAC5777 employed similar tactics but focused more on manual actions, lateral movement, and credential theft, even attempting to deploy Black Basta ransomware.

Sophos emphasizes raising employee awareness of such advanced social engineering tactics.

Researchers uncover critical flaws in tunneling protocols. 

Critical flaws in tunneling protocols (IPIP, GRE, 6in4/4in6) have left millions of devices, including home routers, VPN servers, and CDNs, vulnerable to exploitation. Discovered by Top10VPN and researcher Mathy Vanhoef, these vulnerabilities allow attackers to hijack hosts for anonymous attacks, network access, and powerful DoS techniques like “Ping-pong Amplification.”

A scan revealed 4.2 million affected devices, including infrastructure from major players like Facebook and Tencent. Vulnerable systems accept unauthenticated tunneling traffic, enabling attackers to act as proxies or access private networks. CVEs include CVE-2024-7595 and CVE-2025-23018.

Countries most affected are China, the U.S., France, Japan, and Brazil. The vulnerabilities impact consumer VPNs, routers, and business networks. Enhanced security measures, regular updates, and increased awareness are essential to protect against these threats.

A breach exposes personal information of thousands of students and educators. 

Education tech company PowerSchool suffered a data breach in December 2024, exposing personal information of students and educators from its Student Information System (SIS). The breach, accessed through the PowerSource support portal, compromised data such as names, contact details, Social Security numbers, and medical records, though no financial data was affected. Impacted individuals will receive two years of free credit monitoring.

PowerSchool, serving over 18,000 schools in 90 countries, disclosed the incident in early January 2025. Affected districts include Virginia’s Charlottesville, Richmond, and others, as well as California’s Menlo Park, where 14,000 individuals were impacted. Canadian schools, including Toronto District School Board, were also affected. Authorities suggest the breach may involve ransomware, as credentials were used to export data, which PowerSchool claims was later deleted.

Oracle patches 320 security vulnerabilities across over 90 products in 27 categories. 

Oracle plans to release patches for 320 security vulnerabilities across over 90 products in 27 categories today, including Communications, Construction, E-Business Suite, and middleware. Some flaws are critical, with CVSS scores up to 9.9, notably affecting Oracle Agile Engineering Data Management 6.2.1 and Agile PLM Framework 9.3.6. Five other vulnerabilities have CVSS scores of 9.8. The finalized January 2025 Critical Patch Update urges immediate application to mitigate risks from potential attacks.

Kaspersky reveals over a dozen vulnerabilities in a Mercedes-Benz infotainment system.

Kaspersky revealed over a dozen vulnerabilities in Mercedes-Benz’s first-generation MBUX infotainment system. These flaws could enable DoS attacks, data extraction, command injection, privilege escalation, and disabling anti-theft protections. Exploitation requires physical access to the vehicle’s interior and removal of the head unit, using USB or custom UPC connections.

Mercedes-Benz confirmed it was aware of the issues since 2022 and has since patched the vulnerabilities. Newer MBUX versions are unaffected. The company emphasized its commitment to security, encouraging researchers to report issues via its vulnerability disclosure program.

We’ve got some great stuff for you coming up after the break. Our friend Tim Starks from CyberScoop joins me to talk about executive orders on cybersecurity and the future of CISA. We share a preview of two coming episodes of Threat Vector. And, honesty isn’t always the best policy.

We’ll be right back.

Welcome back.

Honesty isn’t always the best policy. 

It seems one Marco Raquan Honesty, a Washington man with perhaps the least fitting surname ever, has admitted to a fraud spree causing over $600,000 in losses—and it’s no laughing matter, except for the irony of his name. From 2021 into 2022, Honesty ran the scam Olympics: COVID relief fraud, smishing, bank account takeovers, forged money orders, and even selling stolen data on Telegram.

Using SMS phishing, or “smishing,” Honesty duped victims into handing over bank credentials, then drained their accounts via Zelle and other transfers. He even scored fake PPP loans for friends, family, and, in a wild twist, his grandmother.

Authorities found his “fraud factory” in 2023, complete with 24 phones, card embossers, and blank IDs. The damage? $622,000 in actual losses, though his ambitions stretched beyond $850,000. Honesty now faces 22 years in prison—plenty of time to ponder his ironic branding. Sentencing is set for May 23.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.