TODAY'S TOP 5
NEW CISA RESPONSE PLAN: The Cybersecurity and Infrastructure Security Agency on Monday opened a monthlong public comment period for its updated draft plan detailing how the public and private sectors should respond to significant cyber incidents, CyberScoop reports. The revamped National Cyber Incident Response Plan, which was called for in the Biden administration’s 2023 national cybersecurity strategy, was compiled after years of “broad and extensive engagement” CISA said it had with Sector Risk Management Agencies, regulators, interagency partners and public- and private-sector partners, and “considers the evolution in the cyber threat landscape and lessons learned from historical incidents.”
SMELLING A RAT: The FBI warned that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online, Bleeping Computer reports. As a private industry notification published on Monday explains, the attackers focus their actions on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.
‘PRIMARY TARGET’ NOT SECURED?: A number of U.S. military commands failed to keep a complete and accurate inventory of mobile devices used to store and transmit classified information, according to a heavily redacted Defense Department oversight report, NextGov/FCW reports. The findings from the DoD Office of Inspector General also say that the defense entities did not list all technical requirements in their devices’ user training programs or user agreements, nor did they annually review or approve mobile phone incident response plans.
CHINA’S CAPABILITIES: A new report for Congress’s U.S.-China Economic and Security Review Commission warns that China’s rapidly expanding remote sensing capabilities already have raised risks to U.S. national security, as well as created economic challenges, Breaking Defense reports. The findings echo concerns expressed by a raft of top Space Force brass at last week’s Spacepower 2024 conference in Orlando, Fla., that the PLA will use the growing number of Chinese military intelligence, surveillance and reconnaissance satellites and commercial remote sensing satellites to target U.S. terrestrial forces.
WILL STATES LOSE CYBER FUNDING?: Every state but one has taken advantage of the federal grant program that funds initiatives such as securing government websites, deploying intrusion-monitoring software and teaching employees to spot phishing emails. But now the program is in danger of lapsing, The Record reports. It expires next September, putting its fate in the hands of a GOP-led Congress and President-elect Donald Trump’s team, which will likely include the one governor who rejected the federal funding. If the money dries up, state and local leaders will face difficult choices about whether and how to continue funding vital cybersecurity projects themselves.
CYBER FOCUS PODCAST
In the latest episode of Cyber Focus, host Frank Cilluffo sits down with Eric Geller, a leading cybersecurity journalist who contributes to top outlets including POLITICO, WIRED and The Record. Together, they unpack Geller’s reporting on expectations for changes in AI regulation and cybersecurity under the incoming Trump administration. They also discuss vulnerabilities within critical infrastructure sectors such as agriculture and telecommunications. Geller offers insights into systemic challenges, the evolving threat environment, and the need for innovation in tackling cybersecurity policy and governance.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
FROM McCRARY EXPERTS
How the 119th Congress can move the needle on U.S. cybersecurity
When the 119th Congress convenes in January, it must modernize the U.S. government’s approach to cybersecurity, write David Hickton and McCrary senior fellow Mark Montgomery. This is not only about defending our national security; it is about growing our economic prosperity and ensuring the American way of life. (THEHILL.COM)
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Cryptocurrency
Virginia man convicted for crypto financing scheme to ISIS
Mohammed Azharuddin Chhipa of Springfield would raise funds online on various social media accounts. He would receive electronic transfers of funds and travel hundreds of miles to collect funds by hand. He would then convert the money to cryptocurrency and send it to Turkey, where it was smuggled to ISIS members in Syria. His primary co-conspirator was a British-born ISIS member residing in Syria who was involved in raising funds for prison escapes, terrorist attacks, and ISIS fighters. Over the course of the conspiracy, the defendant sent out over $185,000 in cryptocurrency. (JUSTICE.GOV)
Communications
Namibia’s state telecom provider says hackers leaked data after it refused to pay ransom
Telecom Namibia attributed the attack to a threat actor known as Hunters International. According to the company’s chief executive, Stanley Shanapinda, the hackers made the stolen data public after Telecom Namibia had refused to negotiate with them about the potential ransom. The company didn’t specify what kind of data was stolen by the cybercriminals, but according to local media reports, the hackers accessed over 400,000 files, including personal and financial data belonging to some high-ranking government officials and Telecom Namibia’s clients. (THERECORD.MEDIA)
Healthcare
900,000 people impacted by ConnectOnCall data breach
The newly disclosed incident, the company says, was discovered on May 12, and impacted information related to the communication between patients and healthcare providers that use its service. The potentially compromised information includes names, phone numbers, and may also include dates of birth, Social Security numbers, medical record numbers, and health, treatment, and prescription information. (SECURITYWEEK.COM)
Cyberattack at Texas Tech University health centers exposed patient data
According to a notice posted to the centers’ website, the information compromised includes names, dates of birth, addresses, Social Security numbers, driver’s license numbers, government ID numbers, financial account information, health insurance information and medical information, including medical records numbers, billing and claims data and diagnosis and treatment information. (EDSCOOP.COM)
Malware
Microsoft Teams vishing spreads DarkGate RAT
The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said. Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. After this failed, the cyberattackers used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved. (DARKREADING.COM)
Phishing
YouTube creators targeted in global phishing campaign
The scammers send malicious emails with subject lines like “Collaboration Proposal” and “Marketing Opportunity,” in order to trick their victims into clicking through or opening malware-laden attachments, according to Cloudsek. Password-protected archives, hosted on cloud platforms like OneDrive, contain malicious executables disguised as agreements or promotional materials. Once extracted, the files deploy malware designed to steal sensitive information such as login credentials and session cookies, or to gain remote access to the victim’s machine. (INFOSECURITY-MAGAZINE.COM)
Ransomware
Deloitte says Brain Cipher behind cybersecurity breach; Rhode Island residents urged to take action
"We do not know yet the extent of the data that the cyber criminals have access," Rhode Island Gov. Dan McKee said at a press conference on Monday. "We do not control if and when the cyber criminals will make this information public or available to other bad actors. That is why, if you believe you or someone in your household may have interfaced with a program on Rhode Island Bridges, you need to act now." (TURNTO10.COM)
ALSO: Lawsuits filed against Deloitte after cybersecurity breach (TURNTO10.COM)
Cicada3301 ransomware claims attack on French Peugeot dealership
The group claims to have stolen 35GB of sensitive data, marking a continuation of their aggressive cyber campaigns. The alleged breach was announced by the group over the weekend on its official dark web leak site. The Cicada3301 ransomware group was first identified by cybersecurity firm Truesec and observed in June 2024. Written in Rust, the ransomware can target both Windows and Linux/ESXi systems, showcasing its cross-platform capabilities. (HACKREAD.COM)
Spyware
Android zero-day exploited in spyware campaigns; Amnesty International points to Cellebrite
In a technical report published Monday, the human rights group detailed how Serbia’s Security Information Agency (BIA) and police used Cellebrite’s forensic extraction products and a newly identified spyware dubbed ‘NoviSpy’ to infect devices of journalists and activists. In one case, a journalist’s phone was allegedly hacked during a police traffic stop, with Cellebrite technology enabling the infection. (SECURITYWEEK.COM)
THREATS
Cybercrime
Hackers can jailbreak digital license plates to make others pay their tolls and tickets
Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he's able to rewrite a Reviver plate's firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. (WIRED.COM)
Drones
Key U.S. Air Force base closes airspace amid drone sightings
Drone activity caused officials to close airspace over one of the United States’ most critical Air Force bases for almost four hours late Friday and early Saturday, according to a base spokesperson and a Notice to Airmen posted on a federal website. Bob Purtiman, chief of public affairs for the 88th Air Base Wing at Wright-Patterson Air Force Base in Ohio, said that the airspace remained restricted for approximately four hours from late Friday into early Saturday, while authorities monitored the situation. (CNN.COM)
New Jersey officials challenge federal response to mysterious drone activity over critical infrastructure
Federal officials are facing mounting criticism from New Jersey local leaders over their handling of repeated drone sightings near critical infrastructure, with one mayor describing the federal response as increasingly dismissive of legitimate public safety concerns. (DRONEXL.CO)
British troops test laser weapon as cheap option to fry drones
British Army troops fired a high-energy laser from an armored vehicle for the first time, using beams of infrared light to destroy dozens of flying drones, in what may be a cost-effective way to address the threat of unmanned aerial systems, the Ministry of Defence said. (DEFENSENEWS.COM)
Malvertising
DeceptionAds delivers 1M-plus daily impressions via 3,000 sites, fake CAPTCHA pages
The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and others to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information stealers like Lumma. The attacks are no longer confined to a single actor, with Proofpoint recently stating that multiple "unattributed" threat clusters have embraced the clever social engineering approach to deliver remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4. (THEHACKERNEWS.COM)
New investment scam leverages AI, social media ads to target victims worldwide
A Slovak cybersecurity company is tracking the threat under the name Nomani, a play on the phrase "no money." It said the scam grew by over 335% between H1 and H2 2024, with more than 100 new URLs detected daily on average between May and November 2024. The attacks play out through fraudulent ads on social media platforms, in several cases targeting people who have previously been scammed by making use of Europol- and INTERPOL-related lures about contacting them for help or getting their stolen money refunded by clicking on a link. (THEHACKERNEWS.COM)
Vulnerabilities
Windows kernel bug now exploited in attacks to gain SYSTEM privileges
Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction. While Microsoft didn't share more details in a security advisory published in June, the DEVCORE Research Team that found the flaw and reported it to Microsoft through Trend Micro's Zero Day Initiative says the vulnerable system component is the Microsoft Kernel Streaming Service. (BLEEPINGCOMPUTER.COM)
ADVERSARIES
North Korea
U.S. sanctions entities and individuals providing financial, military and procurement support to North Korea
The DPRK continues to prioritize revenue generation to support the development of its unlawful WMD and ballistic missile programs, using foreign-based workers, state-owned entities, and financial institutions to access the international financial system. (STATE.GOV)
Russia
EU issues first-ever sanctions over ‘Russian hybrid threats’
It is the first time the bloc’s political executive is issuing sanctions under powers established in October. When the powers were agreed, Brussels said they were a response to the Kremlin’s “intensifying campaign of hybrid activities” targeting member states and partners. The sanctions aim to impact a wide range of actors, from those involved in GRU Unit 29155 — a Russian military intelligence unit that has been accused of cyberattacks and assassinations — through to other intelligence agency staff and private individuals involved in spreading Russian propaganda both in Europe and Africa. (THERECORD.MEDIA)
Report: UK faces intensifying cyber threats from state-backed Russian hackers amid geopolitical tensions
New research from Cyfirma identified that the U.K. faces an escalating cyber threat landscape dominated by sophisticated Russian actors, including state-affiliated groups like Sandworm and APT29, and privateer entities operating with Kremlin leniency. These threats have intensified amid geopolitical tensions, targeting critical infrastructure, governmental and defense organizations, and supply chains. Notable campaigns include espionage via spear-phishing, destructive malware like Whispergate, and supply chain compromises, such as SolarWinds. (INDUSTRIALCYBER.CO)
Russia recruits Ukrainian kids for sabotage and reconnaissance
Ukrainian children as young as 15 are being tricked into working for Russian intelligence under the guise of “quest games,” according to the Security Service of Ukraine (SBU) and the country’s National Police. The authorities claimed Russia’s Federal Security Service (FSB) had enlisted two groups of children aged 15 and 16 to perform reconnaissance and sabotage, including arson. (INFOSECURITY-MAGAZINE.COM)
GOVERNMENT AND INDUSTRY
Artificial intelligence
Does desktop AI come with a side of risk?
The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey. (DARKREADING.COM)
California says it’s ready to buy generative AI tools
After a six-month trial of testing generative artificial intelligence tools in a closed environment, California Gov. Gavin Newsom announced the state has opened a formal procurement process so companies can pitch generative AI products that help solve statewide issues like housing, unemployment and budgeting. Newsom’s office also announced the launch of a new website designed to showcase the generative AI projects happening across California state government. (STATESCOOP.COM)
ACLU warns police shouldn’t use generative AI to draft reports
While officers can edit Draft One’s output before swearing to its veracity and submitting it, and Axon has said it created safeguards to protect against errors in the reports its technology produces, Jay Stanley, a senior policy analyst at the ACLU, writes that these fail-safes might not be enough to overcome generative AI’s biases. (STATESCOOP.COM)
Business
Amazon refuses Microsoft 365 deployment because of lax cybersecurity
Some applauded Amazon, saying that the online retail giant — with $575 billion in annual revenue and almost 1.6 million employees — is one of the few companies with enough clout to pressure Microsoft into making major cybersecurity changes. But others were more cynical, saying that the move is less an altruistic effort to improve cybersecurity for all enterprises and more a thinly disguised sales pitch for Amazon Web Services. (CSOONLINE.COM)
Defense
The ‘technology stack’ driving the Army’s next-gen C2 plans
The US Army has made upgrading its command and control capabilities a priority, but has shared relatively few details about how exactly it is pursuing the sprawling project. But last week at the service’s biannual Technical Exchange Meeting, service officials dove deeper into plans for the next-generation C2 (NGC2) program, revealing among other details a tiered “technology stack” the capability will be built on, and how industry can make it a reality. (BREAKINGDEFENSE.COM)
Healthcare
CDRH cyber chief on compliance with new rules, ongoing security threats
Nastassia Tamari, director of the Center for Devices and Radiological Health’s Division of Medical Device Cybersecurity, said in an interview with MedTech Dive that device manufacturers have responded well and are prioritizing cybersecurity throughout a product’s entire lifecycle — from design to market launch and, eventually, obsolescence. Tamari also discussed challenges that have come up since the new requirements took effect, addressing legacy devices and the ongoing cyberattacks on the healthcare sector. (MEDTECHDIVE.COM)
Nebraska becomes first state to sue Change Healthcare over data breach
State Attorney General Mike Hilgers said he decided to sue because Change Healthcare was not only careless in a way that led to the breach but also failed to notify those impacted in a timely manner, increasing the risk of identity theft and fraud. Notifications were not sent to patients until July and the breach impacted approximately 575,000 residents. (HEALTHEXEC.COM)
Leadership
Intelligence CIO moves to helm IT at the National Institutes of Health
NIH said Adele Merritt officially assumed her new role on Dec. 16 as the agency’s CIO and Director of the NIH Office of the Chief Information Officer. She had previously been serving as CIO for the Office of the Director of National Intelligence since January 2022. As the Intelligence Community CIO, Merritt was responsible for overseeing IT efforts across 18 different federal agencies, including when it came to modernizing systems and enhancing cybersecurity practices. (NEXTGOV.COM)
Privacy
NIST genomic data cybersecurity and privacy publications comment period open
Draft NIST Internal Report (IR) 8467, Genomic Data Cybersecurity and Privacy Frameworks Community Profile (Genomic Data Profile), provides a structured, risk-based approach for managing both cybersecurity and privacy risks in processing genomic data. Draft NIST Cybersecurity White Paper (CSWP) 35, Cybersecurity Threat Modeling the Genomic Data Sequencing Workflow, evaluates potential threats in a genomic data processing environment using an iterative methodology. (NIST.GOV)
Regulations
Final rule for CMMC cybersecurity program goes into effect for defense contractors
The journey toward CMMC implementation — a controversial initiative that has raised concerns among some contractors about the costs involved and other regulatory burdens — has been a long one. After receiving feedback from companies, the department moved away from its original CMMC framework toward a more streamlined version that officials have dubbed CMMC 2.0, which has also entailed a lengthy rulemaking process. (DEFENSESCOOP.COM)
Resilience
2024 Year in Review highlights CISA’s achievements in reducing risk and building resilience
The Cybersecurity and Infrastructure Security Agency (CISA) released its 2024 Year in Review, which reflects accomplishments across the agency’s broad cybersecurity, infrastructure security and emergency communications missions. (CISA.GOV)
DoD releases version 4.3 update to Online Cyber Resilient Weapon Systems Body of Knowledge for engineering workforce
This is a free resource designed to support the public and private sector workforces in designing, engineering, and safeguarding secure cyber resilient systems. Launched in May of 2021 by the Office of the Under Secretary of Defense's System Security (SysSec) team, the CRWS-BoK has continued to evolve through regular updates, enhancing functionality, engagement, and collaboration. (DEFENSE.GOV)
Social media
TikTok asks Supreme Court for a lifeline as sell-or-ban deadline approaches
The social media company requested that the Supreme Court consider blocking the sell-or-ban law passed earlier this year by January 6. This would give American app stores and internet hosting providers just a few weeks to prepare for January 19, the deadline when the U.S. could force them to block TikTok. Also on Monday, TikTok CEO Shou Chew reportedly met with President-elect Donald Trump at Mar-a-Lago. (TECHCRUNCH.COM)
Europol spearheads largest referral action against online hate speech
In total, 12 countries collected over 6,350 links from 46 online platforms and 20 websites that incite violence or contain hate speech against ethnoreligious groups. This includes material produced or disseminated by organisations, individuals or groups containing illegal hate speech, such as anti-Semitic hate speech, as well as material celebrating or calling for violent or terrorist acts against an ethnoreligious group. (EUROPOL.EUROPA.EU)
Space
Space Command strategy aims to boost commercial role in operations
The strategies are part of a larger Defense Department push to better engage with private sector space companies, encouraging the acquisition workforce to look for off-the-shelf systems when possible and developing concepts for how it will leverage commercial technology in future conflicts. Last year, for example, the Space Force created a Commercial Space Office and charged it with identifying more opportunities to buy commercial systems and services. (DEFENSENEWS.COM)
LEGISLATIVE UPDATES
Lawmakers signal movement toward government funding deal
Top Republicans are signaling progress in government funding talks as leaders look to clinch a deal ahead of a looming Friday deadline. House Appropriations Chair Tom Cole (R-Okla.) told reporters Monday that the “differences are narrowing” between all sides as they try to hash out the last significant funding deal in the divided Congress. (THEHILL.COM)
Federal agencies facing partial government shutdown by week’s end
Federal agencies are facing a partial shutdown on Dec. 21 at midnight if Congress doesn't pass another continuing resolution or the funding bills for fiscal 2025. Agencies began preparing for a partial government shutdown on Friday as required under Circular A-11, which initiates the process when the expiration of current funding is a week away. (FEDERALNEWSNETWORK.COM)
EVENTS
SPACE: On Dec. 17, CSIS presents the daylong event Celebrating the U.S. Space Force and Charting its Future with leaders across the enterprise.
CHINA SECURITY POLICY: House Homeland Security Committee Chairman Mark Green (R-Tenn.) and Hudson’s Dr. Jonathan Ward will discuss the importance of cybersecurity, critical infrastructure defense, maritime and border security, the fentanyl crisis, and more amid America’s rising confrontation with China in a Dec. 17 event at the Hudson Institute.
ELECTION SECURITY HEARING: The House Administration Committee will hold the hearing “American Confidence in Elections: Prohibiting Foreign Interference” on Dec. 18.
THE STRATEGIC FUTURE OF SUBSEA CABLES: CSIS will host an event Dec. 18 to discuss cuts of critical cables and steps the U.S. government, partners and allies, and key stakeholders can take to create and maintain a secure and resilient subsea cable infrastructure.
SUPPLY CHAIN SECURITY: On Dec. 19, the Center for Technology Innovation at Brookings will host a speech and fireside chat with White House National Economic Advisor Lael Brainard and Brookings Senior Fellow Darrell West in which they will discuss ways to strengthen and secure America’s supply chains.
ENERGY OUTLOOK: Daniel Yergin, vice chairman of S&P Global and a Pulitzer Prize-winning author, discusses the forces behind the evolving energy landscape and what they mean for the world energy outlook on Jan. 6 at the Atlantic Council.
NUCLEAR SECURITY: CSIS’ Project on Nuclear Issues will host a live debate on AI Integration in U.S. Nuclear Command, Control and Communications (NC3) on Jan. 24. As Russia continues its saber-rattling and China accelerates its nuclear buildup, should the United States increase its reliance on artificial intelligence to enhance resilient decision-making in its NC3 systems to prevent inadvertent escalation?
SPACE SECURITY: Chatham House’s 2025 Space Security Conference online and in person on March 5 convenes policymakers and leaders from the private sector, multilateral organizations, academia and NGOs for a day of high-level interactive discussions examining conflict, competition and cooperation in outer space.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | FACEBOOK
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS