Claire Aird
Trump guts the Cyber Safety Review Board and revokes AI safeguards, a threat actor impersonates the FSB to target Russian organisations, HPE investigates a breach, and a new year brings new malicious Chrome extensions. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 22nd of January, and this podcast episode is brought to you by Resourcely, the company that can help you manage Terraform securely.

In today's top story, the Trump administration has removed all non-government members from all DHS committees, including the Cyber Safety Review Board. The CSRB has lost all its private sector members, including Google's Heather Adkins, CrowdStrike co-founder Dmitri Alperovitch, former NSA cybersecurity director Rob Joyce and CISA's founding director Chris Krebs. The CSRB was founded in February 2022 and had a 14-member panel. President Trump has also revoked an executive order signed by Joe Biden in 2023 that introduced AI safeguards. The order required large AI companies to test and ensure that AI models did not pose significant societal risks. The new Trump order also shuts down the US AI Safety Institute.

A cyber espionage group has been imitating the FSB's TTPs to target Russian organisations. Named GamaCopy, the group emulated the tactics of Gamaredon, a cyber espionage group operated by the Russian FSB intelligence agency from the occupied region of Crimea. The false flag attacks have been taking place since June. The campaign has led to security vendors misattributing the attacks to Gamaredon, according to a report from Chinese security firm Knownsec 404. The spearphishing campaigns have used military-related lures to target individuals in Russia's defence and critical infrastructure sectors and tricked them into extracting malicious 7-Zip archive files.

American tech giant HPE is investigating a possible security breach after a threat actor started advertising data allegedly stolen from its servers. The hacker claims to have stolen old user data and source code for the Zerto and iLO products. The threat actor is named IntelBroker, which also breached Cisco's DevHub portal in late 2024.

Security researcher Wladimir Palant has discovered 35 Chrome extensions that circumvent Google's restrictions and retrieve and execute code from remote servers. The extensions pose as VPN and ad-block-related tools, but spy on users and engage in affiliate link fraud. All the extensions are still available through the official Chrome Web Store.

Threat actors are spamming workers at large corporations and then contacting the victim posing as their IT help desk. Attackers usually contact workers via Microsoft Teams, exploiting a misconfiguration in the Teams platform that allows outsiders to call or message email inside private workspaces. The technique was first used last year by a Black Basta ransomware affiliate and has now spread to other groups such as FIN7.

Qualys has identified a new IoT botnet that's carrying out large-scale DDoS attacks. Named Murdoc, the botnet began operating in July of last year. Qualys says the botnet was assembled by exploiting unpatched vulnerabilities in AVTech cameras and Huawei routers. Based on open source intelligence, the botnet is currently running on around 1,000.

And that is all for this podcast edition. Just a short one today with Donald Trump absolutely dominating the news cycle. But we'll be back with more news in a couple of days when the agenda, well, hopefully goes back to business as usual. Today's show was brought to you by our sponsor, Resourcely. Find them at resourcely.io. Thanks for your company.
Risky Bulletin: Trump Guts the Cyber Safety Review Board
Hosted by risky.biz | Release Date: January 21, 2025
In this episode of Risky Bulletin, host Claire Aird covers significant developments in the cybersecurity landscape: political shifts, emerging threats, and notable security breaches. Prepared by Catalin Cimpanu, this edition covers the Trump administration's dismantling of the Cyber Safety Review Board, a false flag cyber espionage campaign, a possible breach at HPE, malicious Chrome extensions, help desk phishing over Microsoft Teams, and a new IoT botnet.
Claire Aird opens the discussion with a major policy shift:
"[...] the Trump administration has removed all non-government members from all DHS committees, including the Cyber Safety Review Board." [00:20]
The Cyber Safety Review Board (CSRB), established in February 2022 with a 14-member panel, previously included prominent private sector figures such as Google's Heather Adkins, CrowdStrike co-founder Dmitri Alperovitch, former NSA cybersecurity director Rob Joyce, and CISA's founding director Chris Krebs. The removal of these members signifies a substantial retreat from public-private collaboration in cybersecurity oversight.
Moreover, President Trump has rescinded an executive order initiated by President Biden in 2023, which mandated large AI companies to rigorously test their models to prevent significant societal risks. This reversal also entails the shutdown of the US AI Safety Institute, a move that critics argue undermines safeguards against the misuse of artificial intelligence.
A cyber espionage campaign has emerged in which a threat actor group known as GamaCopy impersonates the Federal Security Service (FSB) to target Russian entities. Claire notes:
"A cyber espionage group has been imitating the FSB's TTPs to target Russian organisations." [00:45]
GamaCopy mimics the tactics, techniques, and procedures (TTPs) of Gamaredon, a known FSB-operated cyber espionage unit based in occupied Crimea. Since June, these false flag attacks have led security vendors to incorrectly attribute incidents to Gamaredon, as reported by Chinese security firm Knownsec 404. The spearphishing campaigns use military-related lures aimed at individuals within Russia's defense and critical infrastructure sectors, tricking victims into extracting malicious 7-Zip archive files.
American tech giant HPE is currently probing a potential security breach:
"American tech giant HPE is investigating a possible security breach after a threat actor started advertising data allegedly stolen from its servers." [01:10]
The hacker, identified as IntelBroker, claims to have exfiltrated old user data and source code associated with HPE's Zerto and iLO products. Notably, IntelBroker was also responsible for breaching Cisco's DevHub portal in late 2024, indicating a pattern of targeted attacks against major technology firms.
Security researcher Wladimir Palant has uncovered a troubling trend in browser security:
"Security researcher Wladimir Palant has discovered 35 Chrome extensions that circumvent Google's restrictions and retrieve and execute code from remote servers." [01:35]
These extensions masquerade as legitimate VPN and ad-blocking tools but are, in reality, designed to spy on users and engage in affiliate link fraud. Disturbingly, all 35 malicious extensions remain available on the official Chrome Web Store, posing significant risks to unsuspecting users.
Cybercriminals are exploiting a misconfiguration in Microsoft Teams to conduct targeted phishing campaigns:
"Threat actors are spamming workers at large corporations and then contacting the victim posing as their IT help desk." [01:55]
By leveraging a misconfiguration in the Teams platform that lets outsiders call or message via email inside private workspaces, attackers pose as the victim's IT help desk. The technique was first deployed last year by a Black Basta ransomware affiliate and has since spread to other threat groups, including FIN7.
Qualys has identified a new Internet of Things (IoT) botnet named Murdoc that is responsible for executing large-scale Distributed Denial of Service (DDoS) attacks:
"Qualys has identified a new IoT botnet that's carrying out large-scale DDoS attacks. Named Murdoc, the botnet began operating in July of last year." [02:15]
The botnet was assembled by exploiting unpatched vulnerabilities in AVTech cameras and Huawei routers. Based on open-source intelligence, Murdoc currently operates on approximately 1,000 devices, posing a significant threat to internet infrastructure stability.
Claire Aird wraps up the episode by noting that President Trump's dominance of the current news cycle has kept this edition short:
"Just a short one today with Donald Trump absolutely dominating the news cycle. But we'll be back with more news in a couple of days when the agenda, well, hopefully goes back to business as usual." [02:40]
Listeners are assured of more comprehensive updates in future editions of the Risky Bulletin.
This episode of Risky Bulletin is sponsored by Resourcely, a company specializing in secure Terraform management. Discover more at resourcely.io.
Thank you for tuning into Risky Bulletin. Stay informed and stay secure.