Trump Kicks Members Off of the Cyber Safety Review Board, Salt Typhoon Probe Jeopardized

Trump pardoned Ulbricht, Cloudflare stopped largest DDoS attack, New Mirai botnet targets AVTECH cameras & Huawei routers, Teen found Cloudflare flaw exposing chat app users' locations, Gov't contractor Conduent hit by cyberattack, Ransomware attacks use vishing via Office 365, much more



Sources say the Cyber Safety Review Board, a Department of Homeland Security investigatory body created under a Biden-era cybersecurity executive order, has been cleared of non-government members as part of a DHS-wide push to cut costs under the Trump administration, likely delaying an ongoing CSRB investigation into the Salt Typhoon hacks.

A Jan. 20 memo shared internally by DHS Acting Secretary Benjamine Huffman said that current memberships on advisory committees in the agency would be terminated “effective immediately.” CSRB and several other advisory bodies have also been cleaned out as part of the announcement. NPR first reported that memorandum.

“In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately,” the memo read.

Chris Krebs, currently the chief intelligence and public policy officer at SentinelOne and the former director of the Cybersecurity and Infrastructure Security Agency, was formerly a member of the CSRB but resigned on January 18, 2025. Trump fired Krebs in 2020 after he said the results of that year’s presidential election were secure.

Rep. Mark Green (R-TN), House Homeland Security Committee chairman, noted that the previous CISA director appointed CSRB members and that “as with any new administration, President Trump is assembling his team.”

“Given the CSRB is tasked with investigating significant cyber intrusions — such as the Microsoft Exchange incident my committee examined last year — President Trump’s new DHS leadership should have the opportunity to decide the future of the Board,” he added. “This could include appointing new members, reviewing its structure, or deciding if the Board is the best way to examine cyber intrusions.” (David DiMolfetta / NextGov/FCW)

Related: Politico Pro, Dark Reading, Hacker News (ycombinator)

Correction: Based on an erroneous press report, this post previously said, "One of those removed from the CSRB was Chris Krebs, currently the chief intelligence and public policy officer at SentinelOne and the former director of the Cybersecurity and Infrastructure Security Agency." Krebs resigned from the CSRB on January 18.

After being sentenced to life in prison and spending more than a decade behind bars, Ross Ulbricht, founder of the world’s first dark-web drug market, will walk free thanks to a pardon from Donald Trump and the president’s ever-closer ties to the American cryptocurrency world.

“I just called the mother of Ross William Ulbright to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross,” Trump wrote on Truth Social on Tuesday evening, misspelling Ulbricht's last name. “The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!”

For close to two and a half years after Ulbricht created the Silk Road in 2011, the dark web site facilitated the sale of vast amounts of narcotics, as well as counterfeit documents, money laundering services, and, at times, guns, for hundreds of millions of dollars in bitcoin payments.

After the FBI located the Silk Road’s server in Iceland in 2013 and arrested then 29-year-old Ulbricht in San Francisco, he was convicted on seven charges relating to the distribution of narcotics, money laundering, and computer hacking, as well as a “continuing criminal enterprise” statute—sometimes known as the “kingpin statute”—usually reserved for mob bosses and cartel leaders. In 2015, he was sentenced to life in prison, a punishment beyond even the 20-plus years that prosecutors in the case requested.

Since then, a Free Ross movement has steadily pressed for Ulbricht’s release, first in a failed appeal, then in petitions for clemency. Their arguments have been complicated, however, by allegations that Ulbricht tried to have six people killed who presented a threat to him or the Silk Road. Ultimately, all six alleged murders-for-hire were fake: undercover DEA agents staged one, and the other five were a scam.

Ulbricht was charged with only one of those alleged paid killings in a separate prosecution in Maryland, which was then dropped after he received a life sentence in his New York trial. (Andy Greenberg / Wired)

Related: Reuters, BBC, New York Times, Washington Post, The Guardian, The Verge, PaymentSecurity.io, KVIA-TV, Associated Press, CNBC, Rolling Stone, The Independent, The Block, TechCrunch, Al Jazeera, Washington Examiner, Unchained, Fox News, The Hill, CoinDesk, Twitchy, Reclaim The Net, Financial Times, Daily Mail, Newser, LAW.com, Engadget, Daily Caller News Foundation, CoinGape, Reason, Bloomberg, NPR, Axios, Cointelegraph, Cryptopolitan, crypto.news, Crypto Briefing, CryptoPotato, Politico, BTC Times, Mediaite, Hacker News, Slashdot, r/politics, r/technology, r/inthenews, r/Bitcoin

Cloudflare mitigated the largest distributed denial-of-service (DDoS) attack to date, which peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.

The UDP-based attack occurred on October 29 last year and targeted an internet service provider (ISP) in Eastern Asia, attempting to shut down its services.

The assault lasted 80 seconds, did not impact the target, and generated no alerts because its detection and mitigation were completely autonomous.

According to Cloudflare, hypervolumetric DDoS attacks have become more frequent, a trend that became noticeable in the third quarter of 2024. In the fourth quarter of the year, attacks started to exceed 1Tbps, with a quarter-over-quarter growth of 1,885%.

Attacks that exceeded 100 million packets per second (pps) also increased by 175%, with a notable 16% of them also going over 1 billion pps. (Bill Toulas / Bleeping Computer)

Related: Cloudflare, Security Affairs, Infosecurity Magazine, PCMag, Techzine, Cyber Daily, MakeUseOf

Researchers at Qualys are warning of a new Mirai botnet variant that targets vulnerabilities in AVTECH Cameras and Huawei HG523 routers.

The variant, dubbed “Murdoc_Botnet,” was first detected in July and has already been found to have affected at least 1,300 devices globally, especially in Malaysia, Thailand, Mexico, and Indonesia.

The campaign’s infrastructure includes over 100 command and control servers, each responsible for managing and propagating malware to compromised devices. The servers communicate with infected devices to orchestrate payload execution, further infection, and botnet expansion.

The Murdoc_Botnet favors Internet of Things devices, particularly AVTECH cameras and Huawei routers, because those devices carry known vulnerabilities that are unlikely to be patched, ensuring a steady stream of new victims to grow its network.

The malware spreads by executing bash scripts that fetch and execute payloads. The scripts are also designed to remove traces of their activity post-execution, making it harder for security tools to detect and mitigate the threat.

The researchers recommend that enterprise users and administrators make efforts to identify and protect against such attacks. (Duncan Riley / Silicon Angle)

Related: Qualys, Dark Reading, Infosecurity Magazine, HackRead, Security Affairs, PaymentSecurity.io

A 15-year-old high school junior and security researcher, Daniel, discovered that an issue with Cloudflare allows an attacker to find which Cloudflare data center a messaging app used to cache an image, meaning an attacker can obtain the approximate location of Signal, Discord, Twitter/X, and likely other chat app users.

In some cases, an attacker only needs to send an image across the app without the target clicking it to obtain their location.

Although the obtained location data is very coarse, Daniel's discovery shows the importance of protecting not just the message contents but also the network activity of some at-risk users.

The issue centers on Cloudflare’s Content Delivery Network, or CDN. A CDN is a system that caches content across a mass of distributed servers and then delivers content to a user based on location. So, if a user were in San Francisco, Cloudflare’s CDN would use the part of its CDN nearest to the user to speed up the delivery of that content. Cloudflare has data centers in 330 cities across more than 120 countries. Many apps then use Cloudflare’s CDN to help deliver content to users.

This creates a side effect of a third party potentially being able to learn which part of Cloudflare’s CDN was used when sending an image and, from that, infer a user’s location. Daniel reported the issue to Cloudflare, which has subsequently fixed it. (Joseph Cox / 404 Media)

Related: Hackmondev

Sophos X-Ops' Managed Detection and Response (MDR) is warning of ransomware attacks using email bombing and imitating tech support, otherwise known as vishing, through Microsoft Office 365.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 uses tactics from an old Storm-1811 playbook.

According to Sophos MDR, more than 15 incidents involving these tactics have occurred in the past three months, half occurring in the last two weeks.

These tactics include using Microsoft remote control tools like Quick Assist or Teams screen sharing. From there, attackers take control of a victim's device and install malware, sending Teams messages or making Teams calls from a threat-actor-controlled Office 365 account impersonating tech support. They also send large volumes of spam emails to overwhelm Outlook mailboxes, a strategy known as email bombing. (Kristina Beek / Dark Reading)

Related: Sophos, TechCrunch, CSO Online, Help Net Security, Cyberscoop, The Register, The Record, Tech Target, Infosecurity Magazine

Cryptocurrency financial services firm CLS Global agreed to plead guilty to US charges that it offered to help manipulate the market for a digital token created at the FBI's behest to help uncover fraud in the crypto sector.

The firm, registered in the United Arab Emirates, was one of the three companies and 15 individuals federal prosecutors in Boston charged last year following a novel crypto-focused undercover investigation.

The probe, dubbed "Operation Token Mirrors," marked the first time the FBI directed the creation of its own digital token and a fake cryptocurrency company to help bait and catch fraudsters in the market.

Prosecutors said CLS was one of three so-called market makers that offered illicit trading services to cryptocurrency companies and, during the sting operation, agreed to help manipulate the market for FBI-backed NexFundAI's token, which operated on the Ethereum blockchain.

The company admitted that it agreed to provide services for the NexFundAI token, including sham wash trading transactions, which artificially inflate an asset's trading volume or price.

Prosecutors said CLS would plead guilty to two counts related to its fraudulent manipulation of cryptocurrency trading volume, pay $428,059, and be barred from participating in cryptocurrency transactions on trading platforms available to US investors or providing services to US cryptocurrency clients.

CLS Global also committed to making annual certifications about its business practices and agreed to settle related civil charges by the US Securities and Exchange Commission. (Nate Raymond / Reuters)

Related: US Attorneys Office, Court Papers, The Block, Coinspeaker, The Crypto Times, Cointelegraph, BeInCrypto

An ongoing “service interruption” at government contractor giant Conduent, reportedly caused by a cyberattack, sparked outages across several US states, leaving residents without access to some benefits and support payments.

Conduent spokesperson Sean Collins acknowledged the company’s outage was ongoing but declined to answer questions or rule out a cyber incident.

“We are currently experiencing a service interruption affecting some applications while we have restored service over the past few days. The Conduent technology team is working hard to resolve any remaining issues,” Collins said.

Wisconsin’s Department of Children and Families said four states, including Wisconsin, were affected by the outage at Conduent. Oklahoma Human Services, which manages the state’s food assistance program, told residents in a social media post on January 9 that Conduent’s customer service line was hit by the “technical outage.” (Zack Whittaker / TechCrunch)

Related: The Record

Web developer Ryan Chenkie discovered that hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets.

The malware used in this campaign is AmosStealer (aka 'Atomic'), an infostealer designed for macOS systems and sold to cybercriminals as a subscription for $1,000 per month.

The malware was recently seen in other malvertising campaigns promoting fake Google Meet conferencing pages. It is currently the go-to stealer for cybercriminals targeting Apple users.

Homebrew's project leader, Mike McQuaid, stated that the project is aware of the situation but highlighted that it's beyond its control, criticizing Google for its lack of scrutiny.

The malicious ad has been taken down, but the campaign could continue via other redirection domains, so Homebrew users need to be wary of sponsored ads for the project. (Bill Toulas / Bleeping Computer)

Related: Coinpedia

A prominent Russian telecommunications provider, Rostelecom, said it is investigating a suspected cyberattack on one of its contractors after hackers claimed to have leaked the company's data.

The hacker group called Silent Crow published a data dump containing thousands of customer emails and phone numbers allegedly stolen from Rostelecom.

The company stated that the contractor is responsible for maintaining Rostelecom’s corporate website and procurement portal, which hackers reportedly targeted.

As a precaution, the company advised users of the allegedly hacked websites to reset their passwords and enable two-factor authentication.

In response to the incident, the Russian Ministry of Digital Development stated that the breach did not impact the state services portal and that no sensitive data from the operator's subscribers had been leaked online. (Daryna Antoniuk / The Record)

Related: Telecompaper

Seven state employees have been fired for improperly accessing, and in some cases, stealing money from, accounts of thousands of Texans who receive Medicaid, food stamps, and other public assistance.

Four of those employees were fired in December in what is believed to be the largest data breach in the Texas Health and Human Services Commission’s history after officials say they had accessed the personal account information of 61,104 Texans without a clear business reason.

In separate cases earlier last year, one employee was fired after officials said she illegally possessed information on the public assistance accounts of 3,392 people. Another two were fired after $270,000 was stolen from some 500 food stamp accounts, according to the health agency’s watchdog arm, the state’s Health and Human Services Office of Inspector General. The office has referred those three individuals to local district attorney’s offices for prosecution.

The Texas Attorney General’s Office first publicly reported the breach on Jan. 6. The most recent breach impacted 61,104 account holders who had either applied for or received assistance from the state’s Medicaid, Children’s Health Insurance Program, Temporary Assistance for Needy Families, or Supplemental Nutrition Assistance Program, which is commonly referred to as food stamps, between June 2021 and December 2024.

On Friday, the social services agency will begin notifying all 61,104 individuals by first-class mail of the breach and that the state will offer them two years of free credit monitoring. Those who believe they were affected by the breach can call 866-362-1773 with questions and use the reference number B138648. (Terri Langford / The Texas Tribune)

Related: Texas Health and Human Services, GovTech, Chron

Peter Kyle, the UK secretary of state for science, innovation, and technology, announced that UK citizens could soon carry their passports in a digital wallet on their phones, along with driving licenses, universal credit accounts, and marriage and birth certificates.

The plan was announced as part of a new smartphone app to simplify interactions with government services. Kyle said it meant “the overflowing drawer rammed with letters from the government and hours spent on hold to get a basic appointment will soon be consigned to history.”

The first government-issued credentials people can carry in the new digital wallet, which will launch in June, will be a driving license and a veteran card. The government’s digital service plans to then roll out access to accounts relating to student loans, vehicle tax, benefits, childcare, and local councils. (Robert Booth / The Guardian)

Related: Gov.uk, BBC News, Biometric Update, The Verge, Infosecurity Magazine

Best Thing of the Day: Could 2025 Be the Year of the Passkey?

The UK's National Cyber Security Centre is doing its part to cheerlead the adoption of passkeys, which it believes are the future of online authentication.

Worst Thing of the Day: Perhaps AI Can Hallucinate a Sense of Decency for Them, Too

Legal experts are calling attention to a string of bizarre typos, formatting errors and oddities, and stilted language in the flurry of executive orders Donald Trump issued after his inauguration, suggesting that the current administration is allowing AI to draft its most important documents.
