This week
- MoJ to review computer accuracy presumption (Interesting Reads)
- Silk Road founder pardoned (Law Enforcement)
- EU power grid runs on unencrypted radio signals (Interesting Reads)
- PowerSchool breach affects millions of students (This Week)
- Trump admin dismisses CSRB members (This Week)
Trump administration dismisses CSRB members, halts cyber diplomacy programmes
- The Trump administration has fired all Department of Homeland Security committee members, including the Cybersecurity Safety Review Board (CSRB). However, a memo advising members of their termination did suggest that they are “welcome to reapply” to their posts. LINK
“Effective immediately, the Department of Homeland Security will no longer tolerate any advisory committee which push agendas that attempt to undermine its national security mission, the President’s agenda or Constitutional rights of Americans,” — DHS spokesperson
- A DHS spokesperson, who did not respond to TechCrunch when asked for a name, said the firings were part of a commitment to “eliminating the misuse of resources” and to stopping agendas that do not align with US national security. It’s unclear how any of the DHS committees were attempting to undermine US national security or the constitutional rights of Americans. It’s also unclear what resources were being misused: committee members received no salary for their involvement. LINK
- The CSRB was investigating the Salt Typhoon attacks, and it’s unknown what impact the disruption to the committee’s business will have. Rob Joyce, former NSA cyber director, and Chris Krebs, chief intelligence and public policy officer at SentinelOne, were amongst the private sector members serving on the board. Meanwhile, CISA’s Cybersecurity Advisory Committee (CSAC) included industry luminaries such as Ciaran Martin, NCSC’s founding CEO, former US national cyber director Chris Inglis, and Mandiant founder Kevin Mandia. LINK
- Funding for the US State Department’s foreign assistance programmes, including its cyber diplomacy bureau, has also been stopped due to an executive order pausing all foreign aid for 90 days. That assistance has included sending incident responders to Costa Rica to help its government respond to ransomware attacks on government systems, and training Vietnamese officials on North Korean tactics. LINK
PowerSchool breach may affect millions of students
- More details are coming to light about the breach at PowerSchool, which the company became aware of on 28th December 2024. The edtech provider supplies software supporting over 60 million students (around 18,000 schools). PowerSchool’s tech support portal was compromised, allowing onward access to its student information system (SIS), which manages student records including grades, attendance and other student data.
- PowerSchool has confirmed that it did not have multi-factor authentication (MFA) on its support portal, and that CrowdStrike has been appointed to provide incident response support.
- What hasn’t been made public is the scale of the breach and how much the company paid attackers (it said that “appropriate steps” were taken to stop the data from being shared). LINK
Interesting stats
45.7% of initial access to cloud environments in H2 2024 was due to weak or no credentials, followed by 34.3% resulting from service misconfiguration, according to Google’s Threat Horizons Report H1 2025. LINK (PDF)
91% of nearly 30,000 openly reachable Microsoft Exchange servers are still vulnerable to ProxyLogon, four years on from Microsoft disclosing the vulnerability, according to Tenable. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Lily Hay Newman’s exit interview with former CISA director Jen Easterly, who has “not been asked to stay” at the agency under the new Trump administration. LINK
- Researchers say that it may be possible to destabilise the Central European power grid by manipulating the unencrypted(!) radio signals used to coordinate the dis/connection of solar power generation. This cool research (featuring a good ol’ Flipper Zero) is simultaneously remarkable and unsurprising. LINK
- The UK Ministry of Justice is to review a long-held legal presumption that ‘the computer is always right’ in the wake of the Post Office’s Horizon IT scandal, which saw hundreds of sub-postmasters wrongly prosecuted, and many jailed, for accounting shortfalls caused by a faulty Fujitsu computer system. LINK
- CRQ vendor Axio on using qualitative approaches for compliance purposes. ‘Closing the loop’ is something we talk about at Cydea — the interrelatedness of cyber risk scenarios and security incidents — and how modelling different impacts helps communicate risk to stakeholder groups. Doing so also means when you’re triaging an incident, you’ve also got a good idea of the range of potential outcomes. With increasing requirements to report incidents and their materiality (or not), knowing the range of potential outcomes is a real boon. LINK
⚠️ Incidents:
- Hewlett Packard Enterprise (HPE) says it hasn’t found any evidence of a breach in response to claims made by a criminal group called IntelBroker, which claims to have stolen HPE source code. Sometimes a threat actor gains access to a third party, maybe a customer or supplier, and finds code marked as belonging to a larger company. LINK
- Conduent, a technology vendor supporting US government programmes like Medicaid, has confirmed that an outage last week was the result of a “third-party compromise”. LINK
- ESET says a China-aligned threat group called PlushDaemon compromised South Korean VPN provider IPany via a supply chain attack. The original intrusion is believed to have occurred before November 2023. LINK
- UK telco TalkTalk is investigating claims from an individual using the handle “b0nd” that they stole data relating to 19 million current and former customers. TalkTalk says it’s investigating the claims and believes it relates to an “external standalone data platform” used for a “small part” of its customer base. B0nd claims to have subscriber PINs, names, email, phone and IP address information. Financial and other sensitive data is not referenced, and the criminal’s claims should be taken with a pinch of salt: TalkTalk currently has around 2.4 million customers, and journalists speculate it has never had 19 million customers. LINK
🕵️ Threat Intel:
- Attackers are targeting Mac (and Linux) users of the popular Homebrew package management software with a malvertising campaign that installs the AmosStealer (aka Atomic) info stealer malware. LINK
- Sophos says that ransomware groups are email bombing targets’ inboxes (in one case, up to 3,000 emails in 45 minutes) and then approaching them via Microsoft Teams, posing as IT Support to get the victim to grant remote control of their device. LINK
- Cloudflare recently stopped a 5.6 terabit per second distributed denial of service (DDoS) attack against one of its customers. The traffic largely originated from poorly secured IoT devices that had been compromised and joined to a Mirai-variant botnet. LINK
- Black Lotus Labs says that a campaign from mid-2023 through mid-2024 targeted Juniper border routers and VPN appliances and used a “magic packet” to enable a reverse shell. The campaign prioritised “low-detection and long-term access” and shares some similarities with the SeaSpy campaign against Barracuda email security gateways. LINK
- The UK is to hold an inquiry into the vulnerability of undersea cables following recent incidents in the Baltic Sea and the appearance of a Russian ‘spy ship’ in UK waters. LINK
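The email-bombing lure Sophos describes above (thousands of messages landing in a mailbox in under an hour, followed by a ‘helpful’ Teams call from fake IT support) is easy to spot from mail logs if you look for per-recipient bursts rather than per-sender volume. The following is an added example, not code from the original post or from Sophos: a sliding-window burst detector run over constructed log lines in a hypothetical MTA-style format (`<timestamp> to=<recipient> …`). The 45-minute window comes from the Sophos figure quoted above; the 200-message alert threshold is an assumption you would tune to your own environment.

```python
"""Flag mailboxes receiving an abnormal burst of inbound mail (email bombing).

Added example. Log format, threshold and sample data are all assumptions
for illustration; adapt parse_line() to your real MTA / mail-gateway logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line format assumed here (not a real MTA's format):
#   2025-01-20T09:00:00 to=<alice@example.com> from=<x@y.example> status=delivered
LINE_RE = re.compile(r"^(?P<ts>\S+) to=<(?P<rcpt>[^>]+)>")


def parse_line(line):
    """Return (timestamp, recipient) for a log line, or None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("rcpt").lower()


def peak_inbound_per_recipient(lines, window=timedelta(minutes=45)):
    """For each recipient, the largest number of messages seen in any sliding window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort()  # logs are not guaranteed to be in time order
    recent = defaultdict(deque)  # recipient -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, rcpt in events:
        q = recent[rcpt]
        q.append(ts)
        # Drop timestamps that have fallen out of the window relative to this message
        while q and ts - q[0] > window:
            q.popleft()
        peak[rcpt] = max(peak[rcpt], len(q))
    return dict(peak)


def flag_email_bombs(lines, threshold=200, window=timedelta(minutes=45)):
    """Recipients whose peak in-window message count meets the (assumed) threshold."""
    peaks = peak_inbound_per_recipient(lines, window)
    return sorted(rcpt for rcpt, n in peaks.items() if n >= threshold)


def constructed_sample_log():
    """Constructed sample: 3,000 messages to one mailbox in 45 minutes (the Sophos
    figure), plus one colleague mailing bob every five minutes as background noise."""
    start = datetime(2025, 1, 20, 9, 0, 0)
    lines = []
    step = timedelta(minutes=45) / 3000  # 0.9 s between bomb messages
    for i in range(3000):
        ts = start + step * i
        lines.append(f"{ts.isoformat()} to=<victim@example.com> "
                     f"from=<noreply{i}@signup.example> status=delivered")
    for i in range(120):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} to=<bob@example.com> "
                     f"from=<colleague@example.com> status=delivered")
    lines.append("this line is not a delivery record and is ignored")
    return lines


if __name__ == "__main__":
    sample = constructed_sample_log()
    for rcpt, n in sorted(peak_inbound_per_recipient(sample).items()):
        print(f"{rcpt}: peak {n} messages in 45 min")
    print("email-bomb candidates:", flag_email_bombs(sample))
```

A hit on its own only tells you a mailbox is being flooded; the follow-up that matters in the Sophos cases is the external Teams call, so the useful alert pairs this signal with a check for Teams chats or calls from tenants outside your own around the same time.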
🪲 Vulnerabilities:
- Cisco says users should patch its ClamAV software to address a denial of service (DoS) vulnerability. CVE-2025-20128 (5.3/10) is a heap buffer overflow with a low CVSS score, but a proof of concept has been released, and a DoS in this context means the scanner stops scanning for, and protecting against, malware. LINK, ADVISORY
- Cisco is also warning about a critical vulnerability in its Meeting Management tool. CVE-2025-20156 (9.9/10) allows a remote attacker with low-privileged credentials to elevate themselves to administrator. LINK, ADVISORY
- Oracle has highlighted a critical vulnerability amongst the hundreds of patches in its latest Critical Patch Update. CVE-2025-21556 (9.9/10) resides in Oracle’s Agile Product Lifecycle Management Framework and allows a low-privileged attacker with network access to take over the component and gain onward access to other Oracle products. LINK, ADVISORY
- SonicWall has patched a critical pre-authentication vulnerability in its SMA1000 Appliance Management Console and Central Management Console. The network vendor says that the vulnerability has been exploited in zero-day attacks. CVE-2025-23006 (9.8/10) allows remote, unauthenticated attackers to execute arbitrary OS commands. LINK, ADVISORY
🧑💻 End user and consumer:
- Future versions of Android will feature “Identity Check” that will lock certain sensitive settings behind biometric authentication when outside of certain user-defined physical locations. The feature is intended to prevent criminals from making quick changes to stolen devices when a user is away from home, for example. LINK
- Google has launched a ‘Web Store for Enterprise’ allowing business customers to provide their users with a curated collection of Chrome browser extensions. LINK
🏭 Operational technology:
- Basic flaws in Subaru systems could allow millions of vehicles to be remotely unlocked and tracked. LINK
📜 Policy & Regulation:
- Iran and Russia have signed a deal to work closely on security and technology and “expand cooperation in countering the use of information and communication technologies for criminal purposes.” Some analysts say this new treaty is just a formality, with no new provisions over a previous 2021 agreement. LINK
👮 Law Enforcement:
- Donald Trump has pardoned Ross Ulbricht, aka Dread Pirate Roberts, who was 10 years into a life sentence for creating and operating the Silk Road dark web marketplace. President Trump used the announcement to label the law enforcement officers involved in bringing the conviction “scum” and “lunatics”. LINK
- Meanwhile, a US appeals court has vacated the sentence given to Conor Brian Fitzpatrick (aka Pompompurin) for running the BreachForums website. Prosecutors had sought a custodial sentence of roughly 16 years, but the trial court handed down time served plus 20 years of supervised release; the US government appealed, indicating that it wants a longer sentence. LINK
- The Lancang-Mekong law enforcement cooperation (LMLEC) of Cambodia, Laos, Myanmar, Thailand, Vietnam and China says it is making progress in dismantling romance scam centres operating in the Myanmar, Laos, Cambodia and Thailand border areas. Many of the operators at these centres are lured or trafficked there and forced to work by organised crime gangs. LINK
💰 Investments, mergers and acquisitions:
- Cloud incident response firm Mitiga has announced a $30 million Series B funding round, led by SYN Ventures. LINK
🗞️ Industry news:
- AWS has launched a £5 million fund to improve cyber security in the UK’s education sector. LINK
And finally
- Over 18,000 devices belonging to “script kiddies” have been infected with malware. CloudSEK says that a threat actor specifically targeted those new to cyber security research by bundling remote access trojans into tools referenced in hacking tutorials. The trojan included a kill switch to uninstall the malware, which CloudSEK has used to disinfect victims, though some devices remain infected. As ever, there is no honour amongst thieves. LINK