The CyberWire Daily Podcast 1.22.25
Ep 2229 | 1.22.25

The uncertain future of cyber safety oversight.

Transcript

The latest cyber moves from the Trump White House. Pompompurin faces resentencing. An attack on a government IT contractor impacts Medicaid, child support, and food assistance programs. Helldown ransomware targets unpatched Zyxel firewalls. Murdoc is a new Mirai botnet variant. Cloudflare maps the DDoS landscape. North Korea’s Lazarus group uses fake job interviews to deploy malware. Hackers are abusing Google ads to spread AmosStealer malware. Pwn2Own Automotive awards over $382,000 on its first day. In our CertByte segment, Chris Hare and Steven Burnley take on a question from N2K’s Agile Certified Practitioner (PMI-ACP)® Practice Test. NYC Restaurant week tries to keep bots off the menu.

Today is Wednesday January 22nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The latest cyber moves from the Trump White House. 

On its first full day, the Trump administration terminated all advisory committee members within DHS, including those on the Cyber Safety Review Board (CSRB). This board was investigating Chinese state-sponsored hacking group Salt Typhoon, linked to breaches in several telecommunications networks.

In a Jan. 20 letter, Acting DHS Secretary Benjamine Huffman cited resource misuse as the reason for the terminations. The CSRB, created under President Biden’s 2021 cybersecurity executive order, included cybersecurity leaders from firms like SentinelOne and former Biden officials. While the board’s future remains uncertain, the letter encouraged former members to reapply and emphasized a focus on advancing DHS priorities.

TSA Administrator David Pekoske was ousted by the Trump administration on Monday. Appointed by Trump in 2017 and reappointed by Biden in 2022, Pekoske played a key role in strengthening U.S. transportation cybersecurity after the 2021 Colonial Pipeline ransomware attack. His directives mandated incident reporting, response plans, and cybersecurity standards, significantly improving compliance across pipelines, railways, and aviation. Pekoske emphasized collaboration and urgency in countering cyber threats, citing growing concerns about adversarial nations like China and Russia.

Meanwhile, President Donald Trump has issued a full pardon to Ross Ulbricht, the founder of Silk Road, a dark web marketplace for illegal drugs, hacking tools, and stolen goods. Convicted in 2015 on charges of drug trafficking, money laundering, and computer hacking, Ulbricht had received two life sentences plus 40 years. Prosecutors alleged he also solicited murders-for-hire, though no evidence of killings emerged.

Silk Road, which operated anonymously via Tor and Bitcoin, was shut down in 2013 after Ulbricht’s arrest in a San Francisco library. Trump framed the pardon as a stand against government overreach, aligning with libertarians who championed Ulbricht’s cause. The controversial decision drew praise from Republican allies like Rep. Thomas Massie but reignited debate over the balance between privacy rights and crime enforcement online.

Pompompurin faces resentencing. 

Conor Brian Fitzpatrick, founder of BreachForums, a major dark web marketplace for stolen data, is set to be resentenced after a federal appeals court vacated his initial 17-day sentence. Operating as “Pompompurin,” Fitzpatrick oversaw the sale of over 14 billion sensitive records, including Social Security numbers and banking details, earning approximately $698,000. Initially sentenced to time served due to his young age and autism diagnosis, the court deemed the punishment too lenient. Prosecutors argue for a harsher sentence aligned with federal guidelines, emphasizing deterrence and public safety. The Fourth Circuit Court of Appeals criticized the district court for prioritizing mitigating factors over the severity of Fitzpatrick’s crimes. Legal experts expect a significantly longer prison term upon resentencing, potentially setting a precedent for handling severe cybercrime cases.

An attack on a government IT contractor impacts Medicaid, child support, and food assistance programs. 

Government IT contractor Conduent experienced a cyberattack that caused outages across several state government programs, impacting services like Medicaid, child support, and food assistance. A spokesperson confirmed a “third-party compromise” but did not disclose whether ransomware or data theft was involved. The disruption lasted several days, delaying payment processing for beneficiaries in four states, including Wisconsin, where families struggled to make or receive payments.

Conduent restored systems by Sunday and added staff to expedite backlogs. The company emphasized its commitment to system integrity, supporting around 100 million U.S. residents and disbursing $100 billion in government payments annually. The incident follows Conduent’s history with ransomware, notably a 2020 attack.

Helldown ransomware targets unpatched Zyxel firewalls. 

A new ransomware threat, “Helldown,” is exploiting a critical vulnerability (CVE-2024-11667) in Zyxel firewall devices, particularly those using IPSec VPNs. This flaw, with a CVSS score of 7.5, enables attackers to gain unauthorized access via crafted URLs. Helldown targets both Windows and Linux systems, with Windows attacks derived from LockBit 3.0 and Linux variants focused on VMware ESXi servers. Employing a double extortion strategy, the group has claimed at least 31 victims since August 2024, primarily SMBs in the U.S. and Europe. Despite Zyxel’s release of firmware patches in September 2024, some organizations remain vulnerable due to poor security hygiene, such as unchanged passwords and unchecked malicious accounts. 

Murdoc is a new Mirai botnet variant. 

The Murdoc Botnet, a new Mirai variant, targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, exploiting CVE-2024-7029 and CVE-2017-17215 to compromise IoT devices. Active since July 2024, it has infected over 1,300 systems, primarily in Malaysia, Thailand, Mexico, and Indonesia, with over 100 servers distributing malware. Researchers found the botnet uses command-line injections to deploy payloads, leveraging compromised devices to propagate through C2 servers. 

Cloudflare maps the DDoS landscape. 

Cloudflare’s 20th DDoS Threat Report highlights the evolving landscape of distributed denial-of-service (DDoS) attacks in 2024. The company blocked 21.3 million attacks last year, a 53% increase from 2023, with an average of 4,870 attacks per hour. Hyper-volumetric network-layer attacks grew 1,885% quarter-over-quarter, with a record-breaking 5.6 Tbps attack in Q4.

HTTP DDoS attacks comprised 51% of incidents, with 73% launched by botnets, often spoofing legitimate browsers or using suspicious attributes. Key attack vectors included SYN floods (38%) and DNS floods (16%). Indonesia was the largest attack source, while China, the Philippines, and Taiwan were the most targeted countries. Industries like telecommunications and internet services faced the most attacks. 

North Korea’s Lazarus group uses fake job interviews to deploy malware. 

The North Korean APT Lazarus group has launched a sophisticated campaign, “Contagious Interview” or “DevPopper,” targeting technology, financial, and cryptocurrency sectors. Using fake job interviews, they deploy malware like BeaverTail and InvisibleFerret to compromise systems and exfiltrate sensitive data. InvisibleFerret, a Python-based malware, steals cryptocurrency wallets, source code, credentials, and more, using FTP, encrypted connections, and Telegram for data exfiltration. The campaign exploits social engineering and malicious coding challenges to lure software developers, demonstrating advanced tactics in cyber espionage.

Hackers are abusing Google ads to spread AmosStealer malware. 

Hackers are abusing Google ads to spread AmosStealer malware, targeting macOS and Linux users through a fake Homebrew website. Homebrew, a popular open-source package manager, allows users to install and manage software via the command line. A malicious ad displayed the correct URL, “brew.sh,” but redirected users to a fake site, “brewe.sh,” where they were tricked into running commands that installed malware. AmosStealer, sold for $1,000/month, steals credentials, browser data, and cryptocurrency wallets.

Homebrew’s leader, Mike McQuaid, criticized Google’s inadequate ad scrutiny, noting this is a recurring issue. Though the ad was removed, similar campaigns may resurface. To minimize risks, users should verify URLs, avoid clicking on ads, and bookmark trusted websites. This incident highlights the dangers of malicious ads and the importance of caution when downloading software.

Pwn2Own Automotive awards over $382,000 on its first day. 

Trend Micro’s Zero Day Initiative (ZDI) launched Pwn2Own Automotive 2025 in Tokyo, awarding $382,750 on the first day for 16 zero-day exploits targeting infotainment systems, EV chargers, and automotive operating systems. Top rewards included $50,000 each for exploits on Autel and Ubiquiti chargers, while a ChargePoint charger exploit earned $47,500. Participants also received $20,000 for hacking Alpine, Kenwood, and Sony infotainment systems. Nearly two dozen more attempts are planned. 


We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Steven Burnley to break down a question from N2K’s Agile Certified Practitioner (PMI-ACP)® Practice Test. And, bots dining out during NYC Restaurant Week! We’ll be right back.

Welcome back. Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Steven talked about. We’ll be right back.

Welcome back.

NYC Restaurant week tries to keep bots off the menu. 

And finally, our culinary desk warns us that it will soon be NYC Restaurant Week—where tables are hot, plates are hotter, and… bots are on the prowl? Yep, while foodies are dreaming of Michelin stars, malicious bots are giving restaurants more scrutiny than Gordon Ramsay on Kitchen Nightmares.

Researchers at DataDome are responsible for this truth bomb—every restaurant booking site they tested? Totally vulnerable. Bots are out there creating fake accounts, grabbing tables, and even scalping prime reservations. One bot? It booked a table-for-two far into the future, just because it could. Another went full buffet mode, snagging multiple tables in minutes. Meanwhile, defenses? Pretty bare. CAPTCHAs? Only 20% had ’em. Multi-factor authentication? A measly 20%. Email validation? Forty percent. Ouch.

The recipe for fixing this? Platforms need to level up—advanced bot protection, better user validation, and behavioral monitoring. Let’s keep the bots out of the kitchen and the humans at the table, where they belong.

NYC Restaurant Week? It’s for people, not malware. Bon appétit!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.