Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, March 10, 2025. I'm Steve Prentiss.

ONCD set to consolidate power in US cyber

The Office of the National Cyber Director is poised to gain strength and will operate as the executive branch for cybersecurity. Sean Cairncross was selected by the President to lead the office. While he has no experience as a cybersecurity leader, it is believed his close personal ties to the President are a significant asset for the office, which until now has been overshadowed by the National Security Council. The position to be held by Cairncross was previously held by Harry Coker. The ONCD is being described as the pinnacle guiding the NSC, which does foreign policy and offensive cyber, and CISA, which takes care of the domestic and defensive side.

Undocumented commands found in Bluetooth chip used by a billion devices

As described in BleepingComputer, the ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and used in over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network and potentially establishing long-term persistence. Researchers from the Spanish company Tarlogic Security, speaking at RootedCon in Madrid, point out that ESP32 is one of the world's most widely used chips for Wi-Fi and Bluetooth connectivity in IoT devices, so the risk is significant. End quote.

Japanese telecom NTT breach affects 18,000 companies

A warning from one of Japan's largest telecoms providers: a breach discovered last month has likely compromised the data of approximately 18,000 corporate customers. The hackers breached NTT's order information distribution system, which contains basic details on corporate customers such as contract numbers, phone numbers, physical addresses and service usage. This did not contain data on individual consumers, nor did it have contracts for corporate smartphones and mobile phones provided directly by NTT Docomo.

Signal President Meredith Whittaker calls out agentic AI on security and privacy

Speaking at the South by Southwest conference in Austin, Texas, Whittaker, well known as an advocate for secure communications, described the use of AI agents as putting your brain in a jar and warned that this technique, in which AI apps perform tasks on the user's behalf, has a profound issue with both privacy and security. Referring to getting AI to deliver such conveniences as looking up concerts, booking tickets and scheduling the event on a calendar, this, she says, becomes a form of root permission that allows the bots to review things like credit card activity and other data. She pointed out that such muddying of the waters is a direct result and intention of an AI industry built on a surveillance model with mass data collection as its objective.

Thanks to today's episode's sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V-A-N-T-A.

Texas border city declares state of emergency after cyberattack

The city of Mission, Texas, which sits on the border with Mexico, filed a state of emergency declaration this past week after a cyberattack forced the shutdown of much of its network. The mayor, Norie Gonzalez Garza, urged Texas Governor Greg Abbott on Tuesday to declare a more expansive state of emergency for the city while she filed a local state of disaster declaration herself. She described the situation to Governor Abbott as a cybersecurity incident such that the entire city computer server is at a severe risk of a cyber attack that could release protected personal information, protected health information, civil and criminal records, and/or any and all other data held by the City of Mission and all departments within the city. End quote.

Malicious use of Cobalt Strike down 80%, says Fortra

A global crackdown has reduced the use of unauthorized copies of Cobalt Strike by 80% in the past two years, according to the security firm Fortra. Originally developed for penetration testing, older versions of Cobalt Strike have been widely exploited by cybercriminals, as we all know. Since 2023, Microsoft, Health-ISAC, that is the Health Information Sharing and Analysis Center, and Fortra have worked to disrupt illegal copies used in cyberattacks. A 2023 US court order enabled them to dismantle malicious infrastructure by collaborating with ISPs and CERTs to take down command and control servers. This effort has significantly hindered attackers who rely on Cobalt Strike for spear phishing and network infiltration.

UK banks ordered to compensate customers for outages

Nine major UK banks and building societies, the UK version of credit unions, were found to have accumulated the equivalent of 30 days of tech outages in the past two years, according to figures published by a parliamentary Treasury group, and they must now deliver compensation payments amounting to 12.5 million pounds. This data does not include the Barclays Bank outage in January or the Lloyds Bank outage of last week. The committee's chair, Dame Meg Hillier, sympathised with working people and companies for whom losing access to banking services on payday can be a terrifying experience. But Patrick Burgess of the UK's Chartered Institute for IT says the findings once again highlight that the traditional banking sector hasn't kept pace with the investment needed to modernize its infrastructure.

Fired developer sabotages company with kill switch

A former senior software developer is now facing up to 10 years in prison for leaving a kill switch behind following his demotion and termination. Davis Lu, 55, of Houston, Texas, had been a coder for power management company Eaton Corporation between November 2007 and October 2019. Following a corporate restructuring in which his position, responsibilities and access were reduced, Lu wrote Java code that would release an infinite loop, creating more and more non-terminating threads that would consume more and more resources until the computer running the code crashed and prevented people from logging in and using the machine. On the day he was let go, the application noticed the revocation of his credentials and launched itself, locking thousands of employees around the world out of the network and causing hundreds of thousands of dollars in damage.

If you've been listening to Cybersecurity Headlines for more than a minute, you know the barrier to entry for cybercrime is getting lower every day. That's why we think this week's Super Cyber Friday conversation is happening just in time. It's all about hacking, the commodification of cybercrime, and how your security program needs to adapt to this reality. It starts at 1pm Eastern this Friday. If you want to join us, head on over to our events page at cisoseries.com to register. I'm Steve Prentiss, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
