Cyber Security Headlines – January 13, 2025
Host: Steve Prentice
Podcast: Cyber Security Headlines by CISO Series
1. IRS Identity Protection PIN Now Available for Filing Season
Timestamp: [00:30]
The IRS has relaunched its Identity Protection Personal Identification Number (IP PIN) program for the current filing season. This six-digit number is assigned annually to individual taxpayers and is mandatory for filing tax returns. The primary objective of the IP PIN is to thwart scammers attempting to file tax returns using stolen Social Security numbers and personal identification information.
Steve Prentice highlighted the program's increased importance this year, noting, “With over 100 million people's Social Security numbers exposed in the massive national public data breach, the IP PIN program serves as a critical defense mechanism” ([00:45]).
Key Points:
- The IP PIN is valid for the current tax year only.
- A new IP PIN is issued each year to enhance security.
- The program aims to prevent fraudulent tax filings using stolen identities.
2. CISA Sees Enrollment Surge in Cyber Hygiene for Critical Infrastructure
Timestamp: [02:15]
The Cybersecurity and Infrastructure Security Agency (CISA) reported a significant uptick in enrollments for its Cyber Hygiene service among critical infrastructure organizations. Analyzing data from August 1, 2022, to August 31, 2024, CISA observed increased participation from sectors such as communications, emergency services, critical manufacturing, and water and wastewater systems.
Steve Prentice emphasized the impact of these enrollments: “The surge in Cyber Hygiene enrollments has led to tangible improvements across our six cybersecurity performance goals, including mitigating known vulnerabilities and implementing strong encryption practices” ([02:25]).
Key Points:
- CISA analyzed 7,791 critical infrastructure organizations for vulnerability scanning.
- Cyber Hygiene service focuses on proactive monitoring and attack mitigation.
- Improvements noted in areas like limiting OT connections and deploying security.txt files.
3. City Services in Winston-Salem Affected by Cyberattack
Timestamp: [04:10]
Residents of Winston-Salem, North Carolina, are experiencing disruptions in paying utility bills online due to a cyberattack that began on December 26, 2024. The city officially announced the breach on December 30, revealing that computer systems for digital payments of water and electricity bills were taken offline. However, essential services such as fire and police operations remained unaffected.
Steve Prentice reassured listeners, stating, “There will be no service interruptions or late penalties charged to accounts, and residents can still pay in person with cash or checks” ([05:00]).
Key Points:
- The cyberattack targeted digital payment systems for utilities.
- Systems were taken offline post-Christmas, causing temporary inconvenience.
- Authorities ensured that critical emergency services remained operational.
4. Marijuana Dispensary Warns of Data Breach
Timestamp: [06:30]
The California-based marijuana dispensary Steezy (STIIZY) announced a data breach that impacted its point-of-sale processing vendor. The breach affected retail locations in Union Square and Mission in San Francisco, as well as Alameda and Modesto. Between October 10 and November 10, 2024, unauthorized access led to the exposure of driver's licenses, medical cannabis cards, and other personal information.
Steve Prentice reported, “The Everest Cybercrime Group claimed responsibility for the attack, initially demanding ransom by December 8, but later opted to leak the stolen data after negotiations failed” ([07:00]).
Key Points:
- Personal data compromised includes driver's licenses and medical cannabis cards.
- The breach was traced back to the Everest Cybercrime Group.
- The group followed through with data leakage after unsuccessful ransom negotiations.
5. Slovakia's Land Registry Hit by Biggest Cyberattack in Country's History
Timestamp: [08:45]
Slovakia's land registry agency, UGKK, faced its most significant cyberattack to date, resulting in the shutdown of its systems and the closure of physical offices last week. Agriculture Minister Richard Takáč confirmed that systems would be restored using backups, assuring the public that there was no risk of data tampering or fraudulent ownership changes.
Steve Prentice noted potential geopolitical underpinnings, saying, “There are strong indications that the attack originated from Ukraine, possibly linked to rising tensions following Kyiv's suspension of Russian gas transit through Slovakian territory” ([09:15]).
Key Points:
- The attack led to the temporary closure of UGKK's digital and physical operations.
- Restoration efforts are underway using secure backups.
- The attack is suspected to be linked to regional geopolitical tensions.
6. 4000 Hijacked Backdoors Neutralized by watchTowr
Timestamp: [10:30]
Addressing the ongoing issue of shadow IT and the proliferation of backdoors, watchTowr Labs, in collaboration with the Shadowserver Foundation, successfully neutralized over 4,000 abandoned but active web backdoors. These backdoors were dormant yet contained live malware, deployed on high-profile targets including government and university systems.
Steve Prentice explained, “By sinkholing their communication infrastructure, we prevent these backdoors from being exploited by malicious actors, thereby enhancing overall cybersecurity resilience” ([11:00]).
Key Points:
- The efforts targeted web servers with inactive but dangerous backdoors.
- Neutralization prevents potential future exploitation by hackers.
- High-profile targets included governmental and educational institutions.
7. Microsoft Sues Hacking Group Exploiting Azure AI for Harmful Content Creation
Timestamp: [12:45]
Microsoft has initiated legal action against a foreign-based threat actor group that exploited Azure AI services to generate offensive and harmful content. The group operated as a hacking-as-a-service infrastructure, bypassing Microsoft's AI safety controls by using stolen customer credentials sourced from public websites. They monetized this access by selling credentials and detailed instructions for creating harmful content.
Steve Prentice highlighted Microsoft's response, stating, “We have revoked the threat actors' access and implemented new countermeasures to fortify our safeguards, ensuring such activities are thwarted in the future” ([13:15]).
Key Points:
- The hacking group exploited Azure OpenAI services to produce malicious content.
- Stolen credentials were sold to other malicious actors along with usage instructions.
- Microsoft has taken steps to revoke access and strengthen security measures.
Conclusion
In this episode of Cyber Security Headlines, Steve Prentice delivered a comprehensive overview of significant cybersecurity events ranging from national identity protection initiatives to sophisticated cyberattacks on critical infrastructure and corporate entities. The discussions underscored the evolving landscape of cyber threats and the proactive measures various organizations are implementing to safeguard against them.
For more detailed stories behind these headlines, listeners are encouraged to visit CISOSeries.com.
This summary captures the key discussions and insights from the January 13, 2025, episode of Cyber Security Headlines. Notable quotes are attributed to Steve Prentice with corresponding timestamps for reference.
