Transcript
Steve Prentice (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, April 14, 2025. I'm Steve Prentice.
Major workforce cuts planned for CISA. The agency is working on plans to slash staffing and spending amidst increased scrutiny from the White House, which is still chafing of what it sees as CISA's role in suppressing conservative viewpoints. Half of its full-time staff, 1300 people, face removal, along with 40% of its contractors, according to a source with direct knowledge of the developing plans, speaking to Recorded Future News. A timetable for the announcement of these cuts is not yet set.
Microsoft warns Windows users not to delete their new inetpub folder. This new empty folder, spelt I-N-E-T-P-U-B, was installed directly on users' C drives following the April 2025 Windows security update. The folder is part of the Microsoft Internet Information Services (IIS) web server platform. However, after this new update, Windows users have found this newly created C:\inetpub folder on their systems even if they do not use IIS. Although researchers at BleepingComputer believe the folder may be part of the remediation of a vulnerability, specifically a Windows Process Activation elevation of privilege vulnerability, Microsoft says this folder should not be deleted regardless.
Data breach at testing lab affects 1.6 million people. A provider of medical testing services, Seattle-based Laboratory Services Cooperative, is now notifying 1.6 million individuals about personal information that was stolen in an October 2024 data breach. The data potentially includes PII, along with medical treatment and care records and payment detail, bank accounts and payment cards. Some of the victims are employees and some are Planned Parenthood patients.
US to sign Pall Mall spyware pact. More developments from the recent Pall Mall conference: the State Department has announced that the US plans to sign an international agreement designed to govern the use of commercial spyware. This comes just about a week after 21 other countries signed this voluntary and non-binding code of practice outlining how they intend to jointly regulate commercial cyber intrusion capabilities and combat spyware companies whose products have been increasingly used to target civil society. Although the Pall Mall conference took place just recently, this code of practice is the result of a year of diplomatic negotiations known as the Pall Mall Process.
Huge thanks to our sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V-A-N-T-A dot com slash headlines.
Improved Tycoon2FA phishing kit targets Microsoft 365. This is a phishing-as-a-service platform, Tycoon2FA, not Typhoon, which is already known for its ability to slip past multi-factor authentication on Microsoft 365 and Gmail accounts. Researchers at Trustwave now say that the threat actors behind this tool have added improvements such as the use of invisible Unicode characters to hide binary data within JavaScript. This allows the payload to be decoded and executed as normal at runtime while evading manual and static pattern-matching analysis.
Also on board: a switch from Cloudflare Turnstile to a self-hosted CAPTCHA rendered via HTML5 canvas with randomized elements, and the inclusion of anti-debugging JavaScript that detects browser automation and analysis tools.
Oregon Department of Environmental Quality suffers a cyber attack. This regulatory agency that regulates the quality of air, land and water in the state says it has found no evidence of a data breach following a cyber attack that occurred last week. Lauren Wirtis, a spokesperson for the department, said vehicle inspection stations were closed on Friday and that employee emails and servers are expected to be down through the end of the week as the agency continues to check its computer systems. The source of this attack has not yet been confirmed.
Gamaredon strikes military mission with infected USB drive. The Russia-linked threat actor known as Gamaredon, i.e. G-A-M-A-R-E-D-O-N, also known as Shuckworm and BlueAlpha, is already known for its attacks and espionage activities against Ukraine. This latest attack focused on the military mission of an undisclosed country, which was also based in Ukraine. According to researchers at Symantec, the attackers used an infected removable drive to deliver an updated version of a known malware called GammaSteel, G-A-M-M-A-S-T-E-E-L.
Microsoft Recall continues to be a thing. Microsoft is quietly including the controversial screenshotting app into the Windows 11 Release Preview channel for Copilot PCs, signaling its near readiness for general availability. Designed to operate as a screenshot record of everything a person does on a Windows computer, it was withdrawn temporarily last year over security concerns. On Thursday, Microsoft put Windows 11 build 26100.3902 into the Release Preview channel, which is the final stop before mainstream release, with Recall included. The company says, however, that Recall will be an opt-in feature that will roll out gradually.
Remember to check out our latest episode of Security You Should Know, our new podcast that gives you the information you need on a vendor solution in about 15 minutes. Our latest episode profiles what Nudge Security is doing in the SaaS visibility space. You can give it a listen on your coffee break. I'm Steve Prentice, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
