
Steve Prentice
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Monday, February 10, 2025. I'm Steve Prentice.

Shock and lawsuit over security failures in DOGE takeover. Following up on a story we were covering last week, this is a triple story. Today, experts in cybersecurity and government process are likening the current activities of the DOGE group, that is the Department of Government Efficiency, to an ongoing data breach, stating that the act of exposing the personal data of millions of federal employees violates federal laws against sharing classified or sensitive information with uncleared individuals and creates new cybersecurity vulnerabilities for malicious hackers to exploit, end quote. Chief amongst these concerns, they say, are efforts by Elon Musk's team to access the Department of the Treasury's payment system housed in the Bureau of the Fiscal Service, which controls much of the spending by the federal government, including congressionally mandated programs like Social Security. The White House stated last Monday that DOGE employees' access to these systems was restricted to read-only. In addition, according to Brian Krebs quoting Wired magazine, a 19-year-old person working for the DOGE group was given access to sensitive US government systems, even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. This individual is reported to be a former denizen of the Com, an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration, end quote. And thirdly, students at the University of California on Friday sued the federal Education Department to stop the DOGE team from accessing federal student financial aid databases, which house sensitive information belonging to more than 42 million Americans. The plaintiffs, who are members of the University of California Student Association, which serves all of the system's campuses statewide, argue that the access granted to DOGE by Acting Secretary of Education Denise Carter violates the federal Privacy Act and the Internal Revenue Code, end quote. This lawsuit is different from the one we reported on last week, filed by union groups against Treasury Secretary Scott Bessent on Monday of last week.

CISA adds Microsoft Outlook and Sophos XG Firewall to its Known Exploited Vulnerabilities catalog. Five new vulnerabilities have been added to the catalog this last week, being a 7-Zip Mark of the Web bypass vulnerability, a Dante Discovery process control vulnerability, a CyberoamOS SQL injection vulnerability, the aforementioned Sophos XG Firewall buffer overflow vulnerability, and the Microsoft Outlook improper input validation vulnerability that we reported on on Friday. This Microsoft Outlook vulnerability and the buffer overflow issue from Sophos XG Firewall each have a CVSS score of 9.8. In addition, according to Trend Micro security researcher Peter Girnus, the 7-Zip vulnerability has already been actively exploited by Russian cybercrime groups through spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users and the Windows operating system into executing malicious files. Federal agencies must fix these vulnerabilities by February 27th, and a list of the CVE numbers assigned to each is available in the show notes to this episode.

Thanks to today's episode's sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and they help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. You can get started at vanta.com/headlines. That is V-A-N-T-A.

DeepSeek's app transmits sensitive user and device data without encryption. A new report from mobile security company NowSecure reveals that DeepSeek's mobile app for the Apple iOS operating system contains some serious security issues, including the fact that it sends sensitive data over the Internet without encryption, as well as collecting extensive user and device data. The report said that when data is encrypted, the app uses an insecure symmetric encryption algorithm, a hard-coded encryption key, and reuses initialization vectors. Furthermore, the report says the data is sent to servers that are managed by a cloud compute and storage platform named Volcano Engine, which is owned by ByteDance, the Chinese company that also operates TikTok, end quote.

UK releases hurricane-grade scale for cyberattacks. This is a product of a group named the Cyber Monitoring Center, which is made up of cyber insurance industry figures and some cybersecurity thought leaders. This rating system parallels that of the Saffir-Simpson scale, which identifies the severity of hurricanes. It is intended to help cyber insurance companies and their reinsurers independently define what constitutes a systemic event, which is one that emanates from a single source, such as an attack on a vendor, but has a significant impact on myriad other organizations. Examples of this include NotPetya and the CrowdStrike event. As an independent non-profit organization, the CMC will categorize cyber events on a one-through-five scale, with five being the most severe, based on data around the financial impact of the event and the number of UK organizations affected.

Hackers allegedly publish secret Taliban records. The Taliban government of Afghanistan is none too happy these days at the fact that hackers successfully carried out a massive cyberattack against its computer systems and published over 50 gigabytes of stolen documents and files online, end quote. The group named TabiLeaks, that's T-A-B-I, has posted links to its collection on social media. These links point to 21 Taliban ministries and government agencies and include information about prisoners, travel restrictions and many other types of activities and restrictions. For its part, the Taliban's Ministry of Communications says that most of the files had already been publicly accessible for years and that no system has been hacked.

Zyxel will not patch newly exploited flaws in end-of-life routers. According to security company VulnCheck, the Taiwan-based Zyxel has issued a security advisory about actively exploited flaws in its Customer Premises Equipment series devices, such as modems and routers, warning that it has no plans to issue fixing patches, and urges users to move to actively supported models. According to network scanning engines FOFA and Censys, over 1,500 Zyxel CPE series devices are exposed to the Internet, so the attack surface is significant.

We are taking the week off from our Super Cyber Friday show, but that doesn't mean that you don't get to close out your week with the CISO Series. Make sure that you are subscribed to the CISO Series YouTube channel to catch our Week in Review live stream running down the biggest stories of the week with a CISO guest. When you join us live, you can get in on our lively chat room and help shape the conversations on the show. It all starts at 3:30 p.m. Eastern each and every Friday. I'm Steve Prentice reporting for the CISO Series. Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
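The NowSecure findings described in the DeepSeek story list three separate weaknesses: a weak symmetric algorithm, a hard-coded key, and reused initialization vectors. The Go program below is an added example, not code from the report, from NowSecure, or from the podcast, and it assumes nothing about how DeepSeek's app is actually built; it isolates just the IV-reuse problem to show why it matters even with a sound cipher such as AES. Two messages that share a 16-byte prefix, encrypted in CBC mode under the same key and the same fixed IV, produce identical leading ciphertext blocks, so anyone watching the traffic can tell which messages begin the same way without ever recovering the key. Drawing a fresh random IV per message removes that leak. The key, IV, and message strings are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample values standing in for a key baked into an app binary
// and an IV that never changes. Not taken from any real application.
var HardcodedKey = []byte("0123456789abcdef") // 16 bytes = AES-128
var FixedIV = []byte("fedcba9876543210")      // 16 bytes = one AES block

// pkcs7Pad pads plaintext up to a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts plaintext with AES-CBC under a caller-supplied IV.
// The IV is not prepended, so the caller decides whether it gets reused;
// this models the "fixed IV" anti-pattern when the same IV is passed twice.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptCBCFreshIV draws a new random IV for every message and returns
// iv || ciphertext, the conventional layout for CBC.
func EncryptCBCFreshIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := EncryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// SharedLeadingBlocks counts how many leading AES blocks of two ciphertexts
// are byte-for-byte identical. Under CBC with a repeated IV, that count is
// exactly how many leading plaintext blocks the two messages share.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	// Two constructed telemetry-style messages whose first 16 bytes agree.
	m1 := []byte("userid=42;query=hello")
	m2 := []byte("userid=42;query=bye!!")

	c1, _ := EncryptCBC(HardcodedKey, FixedIV, m1)
	c2, _ := EncryptCBC(HardcodedKey, FixedIV, m2)
	fmt.Printf("fixed IV: %d leading block(s) identical\n", SharedLeadingBlocks(c1, c2))

	f1, _ := EncryptCBCFreshIV(HardcodedKey, m1)
	f2, _ := EncryptCBCFreshIV(HardcodedKey, m2)
	// Compare only the ciphertext parts, skipping the prepended IVs.
	fmt.Printf("fresh IV: %d leading block(s) identical\n",
		SharedLeadingBlocks(f1[aes.BlockSize:], f2[aes.BlockSize:]))
}
```

Running it prints one identical leading block for the fixed-IV pair and zero for the fresh-IV pair. The same structural leak applies whether the cipher is AES or something weaker, which is why a reviewer triaging a mobile app treats a constant IV as a finding in its own right, separate from the algorithm choice or where the key lives.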
Host: Steve Prentice
Podcast: Cyber Security Headlines
Series: CISO Series
Release Date: February 10, 2025
Steve Prentice opens the episode by addressing the escalating controversy surrounding the DOGE group, officially known as the Department of Government Efficiency (DOGE). The group is under intense scrutiny due to alleged security lapses that amount to an ongoing data breach affecting millions of federal employees.
Steve Prentice [00:00]: "Experts in cybersecurity and government process are likening the current activities of the DOGE group... as an ongoing data breach."
Key Points:
Steve Prentice [00:00]: "The White House stated last Monday that DOGE employees' access to these systems was restricted to read-only."
Steve Prentice [00:00]: "This individual is reported to be a former denizen of the Com, an archipelago of Discord and Telegram chat channels..."
Conclusion: The DOGE group's activities have sparked significant legal and cybersecurity concerns, highlighting systemic vulnerabilities within federal systems and raising questions about the adequacy of current security protocols.
The podcast delves into the latest additions to the Cybersecurity and Infrastructure Security Agency's (CISA) catalog of known exploited vulnerabilities (KEVs).
New Vulnerabilities Added:
Steve Prentice [00:00]: "Both the Microsoft Outlook vulnerability and the buffer overflow issue from Sophos XG Firewall each have a CVSS score of 9.8."
Impact:
Action Required:
A report from mobile security firm NowSecure reveals significant security flaws in DeepSeek's mobile application for Apple iOS.
Security Issues Identified:
Steve Prentice [00:00]: "DeepSeek's app encrypts data using an insecure symmetric encryption algorithm, a hard-coded encryption key, and reuses initialization vectors."
Implications:
The United Kingdom has unveiled a new cyberattack rating system developed by the Cyber Monitoring Center (CMC), comprising members from the cyber insurance industry and cybersecurity thought leaders.
Features of the Scale:
Steve Prentice [00:00]: "As an independent non-profit organization, the CMC will categorize cyber events on a one-through-five scale, with five being the most severe..."
Purpose:
A significant cyberattack has targeted the Taliban government's computer systems, resulting in the public release of over 50 gigabytes of stolen documents.
Details of the Breach:
Steve Prentice [00:00]: "These links point to 21 Taliban ministries and government agencies and include information about prisoners, travel restrictions and many other types of activities and restrictions."
Taliban's Response:
Security firm VulnCheck reports that Taiwan-based Zyxel has issued a security advisory regarding actively exploited vulnerabilities in its Customer Premises Equipment (CPE) series, including modems and routers.
Issues Highlighted:
Steve Prentice [00:00]: "Over 1,500 Zyxel CPE series devices are exposed to the Internet, so the attack surface is significant."
Recommendation:
Steve Prentice provides a comprehensive overview of the latest cybersecurity developments, highlighting significant breaches, emerging vulnerabilities, and the evolving landscape of cyber threats. From governmental data mishandling and high-severity vulnerabilities to international cyberattacks and unpatched hardware flaws, the episode underscores the critical importance of robust cybersecurity measures and proactive threat mitigation strategies.
For a deeper dive into each of these stories, listeners are encouraged to visit CISOseries.com.
This summary is based on the transcript provided and aims to encapsulate all key discussions and insights presented in the episode of "Cyber Security Headlines" by CISO Series.