Cyber Security Headlines - April 14, 2025
Hosted by Steve Prentice, CISO Series
1. CISA Faces Major Workforce Cuts
In a significant development, the Cybersecurity and Infrastructure Security Agency (CISA) is set to undergo substantial workforce reductions. The agency plans to slash half of its full-time staff—approximately 1,300 positions—and reduce its contractor workforce by 40%. This move comes amid heightened scrutiny from the White House, which has expressed concerns over CISA's role in allegedly suppressing conservative viewpoints.
Steve Prentice [02:15]: "Half of CISA's full-time staff and 40% of its contractors are facing removal, signaling a drastic shift in the agency's operational capabilities."
While a specific timetable for announcing these cuts has not been disclosed, sources familiar with the plans indicate that the restructuring aims to address both budgetary constraints and political pressure.
2. Microsoft Warns Against Deleting New 'inetpub' Folder
Following the April 2025 Windows security update, Microsoft has issued a warning to users not to delete the newly created inetpub folder located on their C drives. Despite being part of the Microsoft Internet Information Services (IIS) web server platform, this folder appears on systems regardless of whether users utilize IIS.
Researchers from BleepingComputer speculate that the inetpub folder may be integral to mitigating the recently addressed Windows Process Activation Elevation of Privilege vulnerability. Microsoft has emphasized that deleting this folder could weaken the protection the update provides.
Steve Prentice [05:40]: "Microsoft advises users to retain the 'inetpub' folder as it may play a crucial role in addressing specific security vulnerabilities introduced in the latest update."
3. Data Breach at Seattle-Based Laboratory Services Cooperative
Seattle’s Laboratory Services Cooperative has announced a data breach affecting 1.6 million individuals. Detected in October 2024, the breach compromised Personally Identifiable Information (PII), medical treatment records, payment details, bank accounts, and payment card information. The affected parties include both employees and patients affiliated with Planned Parenthood.
The breach underscores the vulnerability of medical testing service providers to cyber threats and highlights the ongoing challenges in protecting sensitive health information.
Steve Prentice [08:25]: "The breach at Laboratory Services Cooperative highlights the critical need for robust security measures in safeguarding sensitive medical and financial data."
4. U.S. to Sign International Pact on Commercial Spyware
At the recent Pall Mall Conference, the U.S. State Department announced plans to join an international agreement aimed at regulating the use of commercial spyware. This initiative follows the signing of a voluntary and non-binding code of practice by 21 other countries, established through a year-long diplomatic effort known as the Pall Mall process.
The agreement seeks to jointly regulate cyber intrusion technologies and address the misuse of spyware by companies targeting civil society.
Steve Prentice [12:05]: "The upcoming Pall Mall Spyware Pact represents a unified international stance against the unregulated use of commercial spyware, marking a significant step in global cybersecurity diplomacy."
5. Tycoon2FA Phishing Kit Enhances Attacks on Microsoft 365
Researchers at Trustwave have identified advancements in the Tycoon2FA phishing toolkit, which targets Microsoft 365 and Gmail accounts by circumventing Multi-Factor Authentication (MFA). The latest version uses invisible Unicode characters to obscure binary data within JavaScript, so that the malicious payload is reconstructed and executed only at runtime while evading both manual review and static analysis.
Additional enhancements include a transition from Cloudflare Turnstile to self-hosted CAPTCHA systems rendered via HTML5 canvas, along with anti-debugging JavaScript designed to identify and thwart browser automation and analysis tools.
Steve Prentice [15:50]: "The improvements in Tycoon2FA make it increasingly difficult for traditional security measures to detect and mitigate sophisticated phishing attempts targeting major email platforms."
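The invisible-Unicode trick described above hides from a human reader but not from a scanner that counts code points. The following is an added example, not code from the CISO Series page or from Trustwave's research: a small static check that flags JavaScript source containing long runs of invisible or format code points, and a helper that rewrites those characters as visible escapes so an analyst can see what is there. The two sample scripts, the character table, and the run-length threshold are constructed for illustration; a legitimate emoji sequence using a single zero-width joiner is deliberately included to show why a threshold is needed.

```javascript
// Added example (not from the CISO Series page or Trustwave): flag JavaScript
// source that carries long runs of invisible Unicode code points, which a phishing
// kit can use to hide data inside an otherwise ordinary-looking script.

// Code points that render as nothing (or nearly nothing) in a text editor.
// This table is a constructed starting point, not an exhaustive list.
const INVISIBLE = new Set([
  0x200b, 0x200c, 0x200d, 0x200e, 0x200f, // zero-width space/joiners, bidi marks
  0x2060, 0x2061, 0x2062, 0x2063, 0x2064, // word joiner, invisible operators
  0xfeff,                                 // zero-width no-break space (BOM)
  0x115f, 0x1160, 0x3164, 0xffa0,         // Hangul fillers
  0x00ad,                                 // soft hyphen
]);

function isInvisible(cp) {
  if (INVISIBLE.has(cp)) return true;
  if (cp >= 0xfe00 && cp <= 0xfe0f) return true;   // variation selectors
  if (cp >= 0xe0000 && cp <= 0xe007f) return true; // Unicode "tag" characters
  return false;
}

// Return every run of consecutive invisible code points of at least minRun
// length as { start, length }, where start is a code-point index.
function findInvisibleRuns(source, minRun = 8) {
  const runs = [];
  let start = -1;
  let length = 0;
  let index = 0;
  for (const ch of source) {            // iterates by code point, not UTF-16 unit
    if (isInvisible(ch.codePointAt(0))) {
      if (start < 0) start = index;
      length += 1;
    } else if (start >= 0) {
      if (length >= minRun) runs.push({ start, length });
      start = -1;
      length = 0;
    }
    index += 1;
  }
  if (start >= 0 && length >= minRun) runs.push({ start, length });
  return runs;
}

// Summarise a script: suspicious if any run meets the threshold. Short runs
// (for example a single ZWJ inside an emoji sequence) are not flagged.
function analyzeScript(source, minRun = 8) {
  const runs = findInvisibleRuns(source, minRun);
  const hiddenCodePoints = runs.reduce((n, r) => n + r.length, 0);
  return { suspicious: runs.length > 0, hiddenCodePoints, runs };
}

// Rewrite each invisible code point as a visible \u{...} escape so an analyst
// can read the script in a plain editor.
function escapeInvisible(source) {
  let out = '';
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    out += isInvisible(cp) ? `\\u{${cp.toString(16)}}` : ch;
  }
  return out;
}

// Constructed samples: a benign script with a ZWJ emoji sequence, and one
// whose string literal is padded with 80 zero-width characters.
const CLEAN_SCRIPT =
  'const greeting = "Hello \u{1F469}\u200D\u{1F4BB}"; console.log(greeting);';
const PADDED_SCRIPT =
  'const k = "' + '\u200B\u200C'.repeat(40) + '"; console.log(k.length);';

console.log(analyzeScript(CLEAN_SCRIPT));   // suspicious: false
console.log(analyzeScript(PADDED_SCRIPT));  // suspicious: true, 80 hidden code points
console.log(escapeInvisible(PADDED_SCRIPT).slice(0, 60));
```

The check is meant for a review pipeline or a proxy that inspects fetched scripts, not as a blocker on its own: the threshold trades false positives from emoji and bidi marks against missed short runs, and a kit can split hidden data into many short runs, so the density of invisible characters across the whole file is a useful second signal.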
6. Cyberattack on Oregon Department of Environmental Quality
The Oregon Department of Environmental Quality (DEQ), responsible for regulating air, land, and water quality, reported a cyberattack last week. Although no evidence of data theft has been found, the attack has disrupted operations, leading to the closure of vehicle inspection stations and downtime for employee emails and servers expected to last through the week. Investigations into the attack's source are ongoing.
Steve Prentice [19:30]: "The DEQ incident highlights the broader impact cyberattacks can have on essential governmental services, even in the absence of direct data breaches."
7. Gamaredon Threat Actor Targets Military Mission with USB-Delivered Malware
The Russia-linked threat actor group Gamaredon, also known as Shuckworm and BlueAlpha, has intensified its espionage activities against Ukraine. In the latest operation, Gamaredon deployed an infected USB drive to infiltrate a military mission of an undisclosed country based in Ukraine. The malware, identified as GammaSteel, is an updated variant designed to evade detection and enhance operational stealth.
Researchers from Symantec have noted the sophistication of Gamaredon's techniques, emphasizing the persistent threat posed by state-sponsored cyber actors in geopolitical conflicts.
Steve Prentice [23:10]: "Gamaredon’s use of infected USB drives to deliver GammaSteel underscores the enduring effectiveness of physical media in sophisticated cyber espionage campaigns."
8. Microsoft's Controversial Screenshotting App Returns in Windows 11
Microsoft is progressing with the reintegration of a previously withdrawn screenshotting application into the Windows 11 release preview channel for Copilot PCs. Initially removed due to security concerns—specifically its ability to record user activities—the app is now slated for a gradual, opt-in rollout as part of build 2.6100-3902.
This move suggests that Microsoft has addressed the initial vulnerabilities or deemed the app's functionality crucial enough to warrant its inclusion under controlled conditions.
Steve Prentice [26:45]: "Reintroducing the screenshotting app as an opt-in feature indicates Microsoft's balance between enhancing user functionality and mitigating security risks."
Conclusion
The cybersecurity landscape continues to evolve with significant developments ranging from governmental workforce changes and international regulatory agreements to sophisticated cyber threats targeting both public and private sectors. Organizations must remain vigilant and adaptive to protect sensitive information and maintain operational integrity in the face of these ongoing challenges.
For more detailed insights into these headlines and the full stories behind them, visit CISOseries.com.
