Transcript
CISO Series (0:00)
From the CISO series. It's Cybersecurity Headlines.
Rich Stroffolino (0:06)
These are the cybersecurity headlines for Thursday, May 29, 2025. I'm Rich Stroffolino.

Microsoft wants to update all the things
Microsoft opened a private preview for a new update orchestration platform that operates on top of Windows Update. This aims to unify updates for all apps, drivers and Windows components for an organization. Organizations can use WinRT APIs or PowerShell commands to onboard their updates. The new model will plan downloads and updates to minimize bandwidth, user downtime and CPU usage. This will also show the history of all updates in the Settings app alongside official Windows updates. No word on Microsoft's timetable to publicly launch the tool.

LexisNexis breach impacts 364,000 people
The prominent analytics company disclosed that its LexisNexis Risk Solutions business received a report from an unknown third party about accessing company information on April 1. An investigation found that the company itself didn't suffer a breach of its systems, but that some data, which was held in GitHub, was acquired by an unknown third party. This information includes names, contact details, Social Security numbers and driver's license numbers. Regulatory filings in Maine, South Carolina and Vermont disclose that this GitHub data was initially accessed on December 25, 2024. The company has found no signs of misuse and will offer impacted victims two years of credit monitoring.

Cyber insurance premium volume expected to double
Bloomberg reports that the insurance company Munich Re expects the global cyber insurance market to hit $16.3 billion in 2025 and roughly double to $30 billion by 2030. Cybersecurity Ventures estimates that hacking crimes resulted in $9.5 trillion in losses in 2024, with the vast majority of those risks uninsured. The insurer Beazley PLC estimates that less than half of the Fortune 100 and less than 10% of SMEs have a cyber policy.

Surveillance industry clashes with Indian regulations
Late last year, India created new regulations that require all Internet-connected CCTV models imported after April 9, 2025 to submit hardware, software and source code for assessment in government labs before being sold in the country. The rules require CCTV cameras sold in India to have tamper-proof enclosures, strong malware detection and use encryption. Although the regulations do not call out any specific country, sources speaking to and documents seen by Reuters attest that these rules were in part a response to China's surveillance capabilities. At an April 3 meeting, surveillance gear executives including Hanwha, Motorola, Bosch, Honeywell and Xiaomi told government officials they weren't ready to meet certification requirements. The government declined a request to delay the regulations at the meeting. India currently has 15 labs that can review 28 applications at a time, but as of May 28, there were 342 applications pending. And since testing began, labs have approved just 35 applications and only one from a foreign country.

And now, thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's T-H-R-E-A-T-L-O-C-K-E-R.com/CISO.

Botnet hits ASUS routers
Security researchers at GreyNoise discovered a novel botnet dubbed AyySSHush, operating a campaign since mid-March 2025 targeting SOHO routers from ASUS, hence the name, as well as Cisco, D-Link and Linksys. On ASUS routers specifically, the campaign exploits an old command injection flaw to add a threat actor-controlled SSH public key and enable listening on TCP port 53282. This allows for persistence across configuration changes and firmware updates. The researchers identified over 9,000 infected ASUS routers, although so far malicious requests have been minimal. It's unclear what the operational goal of the botnet is long term.

Dark Partners dropping infostealers
Cybersecurity researcher g0njxa discovered a threat group dubbed Dark Partners. This group fakes websites to impersonate dozens of apps and other tools, including seven cryptocurrency platforms, VPN services, payment processors, and remote desktop solutions. These pages all provide a simple download button to these services, but instead deliver malware loaders like PayDay or the infostealers Poseidon and Lumma. These attempt to scrape crypto wallet information and use a Google Calendar link to retrieve C2 server addresses. On Windows, Dark Partners uses code signing certificates, but as of this recording, none are valid.

Faux Bitdefender site delivers real malware
In other spoofed site news, researchers at DomainTools discovered a campaign that uses a spoofed version of Bitdefender's antivirus download page for Windows. But instead of legitimate tooling, it redirects visitors to the StoreInstaller.exe file, which installs VenomRAT, StormKitty, and SilentTrinity malware. Combined, the three provide persistent remote access, attempt to steal crypto wallet information, and provide a framework for long-term control. While this might seem like another campaign to quickly grab crypto credentials like we just covered, the researchers say the total malware bundle shows signs of looking to resell access to the infected device.

US laptop farms enabling North Korean remote jobs
The Wall Street Journal profiled Christina Chapman, a 50-year-old operator of a laptop farm used by North Korean operators to infiltrate US companies as remote workers. Chapman was approached on LinkedIn to be the US face of a company placing overseas IT workers, with North Koreans operating similar schemes on Upwork and Fiverr. Notably, Chapman wasn't aware that she was working for North Korea. These farmers set up domestic online connections, facilitate paychecks, send along tax and identification forms, and maintain the laptops that North Koreans log into. CrowdStrike identified roughly 150 cases of North Korean workers operating on customer networks, and laptop farms have been seen in at least eight. These operators also hired Americans to provide domestic mailing addresses, pass liveness checks and conduct job interviews. The FBI raided Chapman's home back in October 2023, and she pleaded guilty to wire fraud and money laundering charges and is set for sentencing on July 16.

A survey found 72% of cybersecurity professionals took creative liberties on their resumes. Why do so many otherwise qualified professionals feel forced to spice up their resumes to get a gig? That's what we're talking about on our latest episode of Defense in Depth. Look for "Why Cybersecurity Professionals Lie on Their Resumes" wherever you get your podcasts. And if you have some thoughts on the news from today or just about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you and profile your emails on our weekend review show. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
