Cyber Security Headlines – CISO Series Episode Summary
Release Date: March 12, 2025
Hosted by: Rich Stroffolino
1. Sean Plankey Nominated as New CISA Head
In a significant move for U.S. cybersecurity leadership, Sean Plankey has been nominated by President Trump to head the Cybersecurity and Infrastructure Security Agency (CISA). As reported by Rich Stroffolino at 00:06, Plankey brings considerable experience to the role, having previously served as Chief Information Officer (CIO) of the U.S. Navy and as the White House's Director of Cyber Policy during the first Trump administration. He was also Principal Deputy Assistant Secretary for the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response from 2019 to 2020. Stroffolino notes, “The nomination now goes before the Senate Homeland Security Committee and is not expected to face significant pushback” (00:06), suggesting a smooth confirmation process ahead.
2. Ballista Botnet Exploits TP-Link Devices
A new threat has emerged targeting TP-Link Archer AX21 routers: the Ballista botnet. According to a report from the Cato CTRL team discussed at 00:06, the threat actors exploit a high-severity command injection vulnerability to execute malicious code on the device. Although the flaw was first identified in April 2023, active exploitation was observed in January 2025. The attackers use a shell script to deploy malware builds for several system architectures, enabling remote code execution and potential denial-of-service attacks. Notably, the malware is designed to erase itself after execution to evade detection, and it includes mechanisms to propagate to additional devices.
Researchers from Censys reported that Ballista has compromised over 6,000 devices across countries including Brazil, Poland, the UK, Bulgaria, and Turkey. A notable development in newer Ballista variants is the shift from hard-coded IP addresses to Tor network domains for command and control, indicating ongoing evolution and active development by the threat actors.
3. PowerSchool Breach Report Released
PowerSchool, a leading education software provider, has published its breach report following a 2024 cyber-attack. Its investigation with CrowdStrike revealed that the company experienced initial breaches in August and September 2024, preceding the major December breach. At 00:06, Rich Stroffolino summarizes, “The December attack exfiltrated teachers' and students' data using compromised credentials.” However, it remains uncertain whether the same threat actors were responsible for the earlier incidents.
Key findings include:
- Data Exfiltration: Personal information of teachers and students was accessed.
- Malicious Activity: No evidence was found that attackers accessed other company databases or moved laterally within PowerSchool’s network.
- Ransom Demands: As of January 2025, there is no evidence that stolen data was published post-ransom payment.
PowerSchool has yet to disclose the total number of students affected by these breaches.
4. Allstate Faces Lawsuit Over Data Breaches
New York's Attorney General has filed a lawsuit against Allstate and its subsidiaries due to data breaches in 2020 and 2021. As detailed at 00:06, the breaches exploited an auto insurance quoting tool from National General (acquired by Allstate in 2021), which exposed nearly 200,000 driver's license numbers. The legal complaint highlights that the tool displayed driver's license numbers in plain text, a vulnerability that was not addressed promptly.
After the initial breach, Allstate reportedly took the following steps:
- Regulatory Notification: Informed relevant authorities.
- Issue Resolution: Fixed the vulnerability quickly.
- Support Measures: Offered credit monitoring services to affected individuals.
The lawsuit underscores the repeated failure to secure sensitive data, prompting legal action from the state to hold the company accountable for its cybersecurity practices.
5. Blind Eagle APT Group Targets Colombian Organizations
Blind Eagle, also known as APT-C-36, has reportedly been running a new campaign against government institutions and organizations in Colombia since November 2024. Check Point Research detailed this campaign at 00:06, revealing that the group distributes malicious URL files designed to trigger WebDAV requests. Depending on how the recipient interacts with the file, these requests can initiate the download of second-stage payloads or other malicious activity.
Key tactics employed by Blind Eagle include:
- Malware Distribution: Primarily through consumer services like Google Drive and Dropbox, with a recent expansion into BitBucket and GitHub for payload hosting.
- Evasion Techniques: Utilizing methods that make it harder for traditional security measures to detect and block their activities.
The ongoing campaign highlights the persistent threat posed by advanced persistent threat (APT) groups targeting governmental and critical infrastructure sectors.
6. UK Urges Strengthening of Open Source Supply Chain Security
The United Kingdom's Department for Science, Innovation and Technology (DSIT) has released a report addressing vulnerabilities within the open-source software (OSS) supply chain. As discussed at 00:06, the report identifies several key weaknesses:
- Lack of Industry-Specific Practices: No standardized procedures tailored to different industries.
- Trustworthiness Assessment: Absence of formal processes for evaluating the reliability of OSS components.
- Dominance of Large Tech Companies: Overreliance on major tech entities poses risks to the diversity and security of open-source projects.
DSIT's recommendations include:
- Internal OSS Policies: Organizations should develop comprehensive policies outlining criteria for assessing OSS components.
- Software Bills of Materials (SBOMs): Creating detailed inventories of the software components used within products.
- Community Engagement: Actively participating and contributing to the open-source community to foster security and trust.
These measures aim to enhance the overall security posture of the open-source ecosystem and mitigate risks associated with supply chain vulnerabilities.
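The two DSIT recommendations above (a written internal OSS policy and an SBOM inventory) are only useful if the policy is actually checked against the inventory. The following Python example, added here and not part of the episode or the DSIT report, shows that check on a constructed CycloneDX-style SBOM: a hypothetical policy requires each component to declare a license on an allow-list, a pinned version, and a package URL for provenance; any component that fails is reported. The component names, versions and the policy values are assumptions made up for the example.

```python
import json

# Constructed minimal CycloneDX-style SBOM (illustrative data, not a real product inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "",
         "purl": "pkg:npm/leftpad-clone",
         "licenses": []},
        {"type": "library", "name": "gpl-widget", "version": "1.0.0",
         "purl": "pkg:npm/gpl-widget@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Hypothetical internal OSS policy: the kind of criteria DSIT suggests an
# organisation should write down. The values are assumptions for this example.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "require_pinned_version": True,
    "require_purl": True,
}


def load_components(sbom_text):
    """Return the component list from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def component_licenses(component):
    """Collect the SPDX license ids declared on a component (may be empty)."""
    ids = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.add(lic["id"])
    return ids


def evaluate_component(component, policy):
    """Return a list of policy findings (strings) for one component."""
    findings = []
    name = component.get("name", "<unnamed>")
    if policy["require_pinned_version"] and not component.get("version"):
        findings.append(f"{name}: no pinned version")
    if policy["require_purl"] and not component.get("purl"):
        findings.append(f"{name}: no package URL (provenance unknown)")
    licenses = component_licenses(component)
    if not licenses:
        findings.append(f"{name}: no license declared")
    else:
        disallowed = licenses - policy["allowed_licenses"]
        if disallowed:
            findings.append(f"{name}: license not on allow-list: {sorted(disallowed)}")
    return findings


def evaluate_sbom(sbom_text, policy=POLICY):
    """Evaluate every component; return {name: [findings]} for failing components only."""
    report = {}
    for comp in load_components(sbom_text):
        findings = evaluate_component(comp, policy)
        if findings:
            report[comp.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for issues in evaluate_sbom(SAMPLE_SBOM).values():
        for issue in issues:
            print(issue)
```

On the sample data, `requests` passes, `leftpad-clone` is flagged twice (no pinned version, no declared license) and `gpl-widget` is flagged for a license outside the allow-list. In practice the SBOM would come from a build-time generator and the policy from the organisation's own OSS criteria; wiring this check into CI turns the written policy into an enforced gate.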
7. Arrests Made in Connection with Garantex Crypto Exchange
In a crackdown on illicit cryptocurrency activities, the U.S. Department of Justice (DOJ) unsealed an indictment on March 7 against Garantex's alleged founders, Aleksandr Mira Serda and Aleksej Besciokov. Garantex had been sanctioned by the U.S. government in 2022 for facilitating money laundering for criminal organizations. Concurrently, German and Finnish law enforcement agencies seized servers associated with the exchange.
Key developments include:
- Arrests: Indian officials apprehended Besciokov over the weekend, as reported at 00:06.
- Charges: Besciokov is accused of being the technical administrator responsible for maintaining Garantex's critical infrastructure.
This operation underscores the international efforts to dismantle crypto exchanges involved in financial crimes and enforce regulatory compliance within the digital currency landscape.
8. New Xcode Malware Variant Unveiled by Microsoft
XCSSET, a malware identified in 2022 that targets Xcode projects on macOS, has evolved into a new variant with significant enhancements. At 00:06, Rich Stroffolino details Microsoft's findings on the updated malware:
- Modular Infrastructure: The new variant is more adaptable and scalable.
- Encoded Payloads: Utilizes encoding to obscure malicious components.
- Improved Error Handling: Enhances the malware's resilience against detection and analysis.
- Scripting and Legitimate Binaries: Incorporates scripting languages and Unix commands to blend with legitimate system operations, reducing its detection profile.
- Obfuscated Module Names: Makes static analysis more challenging by disguising the names of its modules.
- Persistence Mechanisms: Implements three distinct methods to ensure payload execution whenever a new shell session is initiated.
Microsoft responsibly disclosed these details to Apple prior to public release, and comprehensive information on the individual modules is provided in the show notes, aiding security professionals in mitigating this threat.
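The last bullet above (persistence that fires whenever a new shell session starts) points at the files a defender should be auditing on macOS endpoints: the user's shell startup files. The Python example below is an added illustration, not code from the episode or from Microsoft's report, and it does not encode XCSSET's actual persistence methods, which the page does not describe. It scans a constructed home directory for generic indicators that rarely belong in a startup file (a base64-decoded or remotely fetched script piped into a shell, `eval` over encoded content, a hidden file being sourced, or a job backgrounded at login). The file list and the patterns are assumptions to tune for your own fleet.

```python
import os
import re
import tempfile

# Startup files read when an interactive or login shell starts on macOS.
# This list is an assumption for the example; adjust it for your environment.
STARTUP_FILES = [".zshrc", ".zprofile", ".zshenv", ".zlogin",
                 ".bash_profile", ".bashrc", ".profile"]

# Generic heuristics for lines that should not appear in a user's shell init
# files without a known reason. These are illustrative indicators, not
# signatures for any specific malware family.
SUSPICIOUS = [
    ("base64 decode piped to a shell",
     re.compile(r"base64\s+(-d|--decode|-D).*\|\s*(ba|z)?sh\b")),
    ("eval over base64 content", re.compile(r"\beval\b.*base64")),
    ("remote script piped to a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("sourcing a hidden file",
     re.compile(r"^\s*(source|\.)\s+\S*/\.[^/\s]+\s*$")),
    ("nohup at shell start", re.compile(r"\bnohup\b")),
    ("background job from init file", re.compile(r"&\s*$")),
]


def scan_file(path):
    """Return (line_number, label, line) for every suspicious line in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # blank lines and comments are never executed
            for label, pattern in SUSPICIOUS:
                if pattern.search(stripped):
                    hits.append((lineno, label, stripped))
                    break  # one label per line is enough for triage
    return hits


def audit_home(home):
    """Scan each startup file under `home`; return {filename: [hits]} for files with hits."""
    report = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            hits = scan_file(path)
            if hits:
                report[name] = hits
    return report


def build_sample_home():
    """Write constructed startup files into a temp dir (a fixture, not real malware)."""
    home = tempfile.mkdtemp(prefix="audit-demo-")
    samples = {
        ".zshrc": "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n",
        ".zprofile": "# benign comment\nsource /Users/demo/.cache/.x\n",
        ".bash_profile": "echo aGVsbG8K | base64 -D | sh\n",
        ".zshenv": "nohup /tmp/.runner >/dev/null 2>&1 &\n",
    }
    for name, body in samples.items():
        with open(os.path.join(home, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    # Replace build_sample_home() with os.path.expanduser("~") to audit a real account.
    for filename, hits in audit_home(build_sample_home()).items():
        for lineno, label, text in hits:
            print(f"{filename}:{lineno}: {label}: {text}")
```

On the constructed fixture, `.zshrc` is clean while `.zprofile`, `.bash_profile` and `.zshenv` each produce one finding. Because these heuristics fire on legitimate developer tooling too (version managers and package managers commonly write `source` and `eval` lines), treat a hit as a prompt to compare the file against a known-good baseline or recent modification times, not as a verdict.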
Conclusion
This episode of Cyber Security Headlines by CISO Series, hosted by Rich Stroffolino, provided a comprehensive overview of the latest developments in the cybersecurity landscape as of March 12, 2025. From leadership changes within federal cyber agencies to emerging threats like the Ballista botnet and new malware variants, the episode underscored the evolving nature of cyber threats. It also highlighted ongoing efforts to strengthen cybersecurity practices across industries, legal action against companies that failed to secure sensitive data, and international collaboration against cybercrime. For those keen on staying informed about critical cybersecurity issues, this episode offers valuable insights and actionable information.
For more detailed stories and updates, visit cisoseries.com.
