Robin’s Newsletter #357

20 April 2025. Volume 8, Issue 16
MITRE CVE funding secured, for now. Florida lawmakers want in on E2EE backdoor. Silicon Valley traffic crossings hacked to play spoof Zuck, Musk audio.

This week

Need to Know, 20th April 2025

  • Silicon Valley traffic crossings play Zuck, Musk spoofs
  • Florida lawmakers unanimously vote for encryption backdoor
  • Whistleblower warns over DOGE data access practices
  • Funding for MITRE CVE programme secured, for now
  • China places NSA operatives on wanted list for cyberattacks
  • Chris Krebs resigns from SentinelOne
  • Maximum ages for digital certificates set to drop to 47 days

Interesting stats

2.8x increase in ransom demands where ransomware gangs find evidence of an “insurance” “policy” amongst the victim’s files. Victims are 27x less likely to pay if they have proper backups in place, though 5 in 100 cases still involve payment because it’s quicker or prevents reputational damage. LINK

39.2 million malicious ad accounts were suspended by Google in 2024. LINK

Five things

  1. MITRE’s Common Vulnerabilities and Exposures (CVE) repository came within hours of losing its US government funding this week, prompting many panicked posts on social media. MITRE, a non-profit, had warned CVE board members of the potential issue in a letter that acknowledged government efforts to avoid a pause in service. The Department of Homeland Security exercised a contract extension option with just hours left to run on the contract, so ultimately there was no impact on service. The CVE repository forms an important part of cyber security infrastructure, providing a centralised index of software issues, and it has become the de facto reference for vulnerability and patch management. So this is an important resource, though alternatives and workarounds would no doubt have sprung up. Arguably, having a single resource with one stream of funding isn’t resilient, and the events have prompted the board members to establish a foundation to provide more stable funding for the initiative — a great step for longer-term resilience. LINK

  2. A whistleblower at the National Labor Relations Board (NLRB), which adjudicates complaints about unfair labour practices, has raised concerns about how Department of Government Efficiency (DOGE) employees have been accessing sensitive data. NLRB holds data on unions, ongoing legal cases and corporate secrets. Once DOGE staffers gained access to NLRB systems - ostensibly to find areas to cut spending or review efficiency - the whistleblower and other staff noticed a spike in data leaving the agency, and suspicious log-in attempts from a Russian IP address were also detected. Equally alarming were actions and requests made by DOGE to turn off security monitoring tools, delete audit trails and take other evasive actions more typical of threat actors than of government employees. NLRB’s case management system is called “NxGen”, and one DOGE staffer briefly had a public repository called “NxGenBdoorExtract” on their GitHub account, suggesting a ‘backdoor’ to continue exfiltrating data from the system. None of this looks good. LINK (h/t Didar)

  3. Chris Krebs has resigned from his position at SentinelOne a week after Donald Trump signed an executive order calling out the former CISA director and revoking the government clearances of SentinelOne employees. In a resignation letter posted to the SentinelOne website and on social media, Krebs said, “For those who know me, you know I don’t shy away from tough fights. But I also know this is one I need to take on fully—outside of SentinelOne.” Trump, who fired Krebs by tweet during his first administration, directed the Department of Justice to investigate Krebs, who, the order claims, “through CISA, falsely and baselessly denied that the 2020 election was rigged and stolen, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines.” The order has come under fire from critics on both the left and right of the political spectrum. LINK, CRITICISM

  4. Florida lawmakers have decided they want in on the encryption backdoor action. The Social Media Use by Minors bill (SB 868) passed unanimously and would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” The same access is afforded to parents and would also prevent the use of disappearing messages. This is the same sort of access that the UK Home Office is requesting from Apple. End-to-end encryption (E2EE), which protects information as it traverses the Internet on its way to its destination, does not allow for such access. Tech companies are increasingly implementing E2EE to protect users’ privacy and prevent their content from being accessed even by the companies themselves. Critics warn that introducing such ‘backdoors’ weakens protections for individuals and presents an attractive target for threat actors. LINK

  5. The CA/Browser Forum, an industry body that sets standards for digital certificates on the web, has voted to reduce the maximum lifespan of SSL/TLS certificates from the current 398 days down to 47 days in 2029. This is a pretty sensible move and something long discussed since the current period was introduced in 2020. It pushes organisations towards robust and repeatable processes for deploying and managing certificates (rather than ad hoc handling, which has caused outages previously) and minimises exposure should cryptographic material be compromised. LINKS (h/t Tim)
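As an added illustration of the certificate-management point above (example code written for this issue, not part of the newsletter or of any CA/Browser Forum tooling), the following Python checks a certificate’s validity window against the 398-day and 47-day maximums and flags when renewal is due, so rotation is driven by a repeatable process rather than an expiry surprise. It uses only the standard library and accepts the `notBefore`/`notAfter` string format that `ssl.getpeercert()` returns. The sample validity windows are constructed, and the one-third-of-lifetime renewal threshold is an assumption.

```python
"""Certificate lifetime and renewal check (added example, not from the newsletter)."""
import socket
import ssl
from datetime import datetime, timezone

# Maximum certificate lifetimes in days, as summarised above: 398 today, 47 from 2029.
MAX_LIFETIME_DAYS_CURRENT = 398
MAX_LIFETIME_DAYS_2029 = 47

# Constructed sample validity windows (not real certificates). The strings use the
# "Mon DD HH:MM:SS YYYY GMT" format that ssl.getpeercert() returns.
SAMPLE_CERTS = {
    "current-398-day": {"notBefore": "Jan 1 00:00:00 2025 GMT", "notAfter": "Feb 3 00:00:00 2026 GMT"},
    "over-limit-400-day": {"notBefore": "Jan 1 00:00:00 2025 GMT", "notAfter": "Feb 5 00:00:00 2026 GMT"},
    "future-47-day": {"notBefore": "Apr 20 00:00:00 2025 GMT", "notAfter": "Jun 6 00:00:00 2025 GMT"},
}


def _to_utc(value) -> datetime:
    """Accept a timezone-aware datetime or a cert-time string and return a UTC datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    # ssl.cert_time_to_seconds parses "Apr 20 00:00:00 2025 GMT" as UTC seconds since the epoch.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_certificate(cert: dict, now, max_lifetime_days: int, renew_fraction: float = 1 / 3) -> dict:
    """Return lifetime, remaining days, policy compliance and whether renewal is due.

    cert: dict with 'notBefore' and 'notAfter' keys (the shape ssl.getpeercert() returns).
    now: evaluation time, as a datetime or a cert-time string.
    max_lifetime_days: the policy ceiling to check the issued lifetime against.
    renew_fraction: renewal is considered due when less than this fraction of the
    lifetime remains (assumption: one third, the usual cadence of automated clients).
    """
    not_before = _to_utc(cert["notBefore"])
    not_after = _to_utc(cert["notAfter"])
    lifetime_days = (not_after - not_before).total_seconds() / 86400
    remaining_days = (not_after - _to_utc(now)).total_seconds() / 86400
    return {
        "lifetime_days": round(lifetime_days, 1),
        "remaining_days": round(remaining_days, 1),
        "exceeds_max_lifetime": lifetime_days > max_lifetime_days,
        "expired": remaining_days <= 0,
        "renewal_due": remaining_days <= lifetime_days * renew_fraction,
    }


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the validated leaf certificate of a live TLS endpoint (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    as_of = "Apr 20 00:00:00 2025 GMT"  # this issue's date, used as the evaluation time
    for name, cert in SAMPLE_CERTS.items():
        for label, limit in (("today", MAX_LIFETIME_DAYS_CURRENT), ("2029", MAX_LIFETIME_DAYS_2029)):
            print(f"{name:20} policy={label:5} {assess_certificate(cert, as_of, limit)}")
```

Pointing `assess_certificate(fetch_peer_cert("example.org"), datetime.now(timezone.utc), MAX_LIFETIME_DAYS_2029)` at a live host shows whether an existing issuance practice would already comply with the 2029 limit; a scheduled run that alerts on `renewal_due` is the kind of repeatable process the item above argues for.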

In brief

  • 🤓 Interesting reads: Using CaMeL to prevent prompt injection in AI models. CAMEL

  • ⚠️ Incidents: Conduent, a US government IT services provider, has confirmed that client data was stolen during a January 2025 cyberattack. In a filing to the SEC, the firm said, “The Company determined that the threat actor exfiltrated a set of files associated with a limited number of the Company’s clients.” Hertz has confirmed that customer data was stolen in the exploitation of Cleo file transfer appliances, including some limited Social Security and Medicaid information. “Infamous Internet imageboard and wretched hive of scum and villainy” 4chan was offline this week after rivals from another community claimed responsibility for gaining access to the site, its code and its database. The cause appears to be an out-of-date version of PHP. Access to user registration and posting information may allow users to be identified on the notoriously anonymous message board. Landmark Admin, a Texas-based insurance service provider, says that a May 2024 breach is now believed to affect over 1.6 million individuals. US motor insurance firm Lemonade says the personal information of 190,000 people was exposed via an API integration with a third party. CONDUENT, HERTZ, 4CHAN, LANDMARK, LEMONADE

  • 🕵️ Threat Intel: Cybercriminals are targeting healthcare and pharmaceutical organisations with new ResolverRAT remote access trojan malware. The EU is giving staff travelling to the US on official business burner devices to avoid espionage attempts. Taking ‘clean’ devices to Russia and China is an established practice amongst governments and high-profile businesses, but the change marks a souring in US-EU relations. A China-linked threat group dubbed UNC5174 uses custom malware, including the SNOWLIGHT dropper and Shell in-memory backdoor, to compromise organisations. The group’s tooling is being described as “ever better” than Cobalt Strike. Russian threat actors are using invitations to wine-tasting events as a lure to European politicians to open malware on their devices. RESOLVERRAT, EU/US BURNER, UNC5174, WINE

  • 🪲 Vulnerabilities: Apple has patched two zero-day vulnerabilities in iOS that were used to attack ‘targeted individuals’. A critical vulnerability in Erlang/OTP SSH allows remote code execution (CVE-2025-32433; 10/10). A high-severity vulnerability in Cisco Webex can allow unauthenticated attackers to gain client-side remote code execution using malicious meeting links (CVE-2025-20236; 8.8/10). IOS, ERLANG/OTP SSH (ADVISORY), WEBEX (ADVISORY)

  • 🧑‍💻 End user and consumer: That new inetpub/ directory on your Windows system drive is legitimate and part of Microsoft’s mitigations for a privilege escalation vulnerability tracked as CVE-2025-21204 (inetpub is associated with Microsoft’s IIS web server). Android will now automatically reboot locked, unused devices after three days to clear memory and reduce the device’s attack surface. Microsoft will block ActiveX by default in M365/Office 2024 starting later this month. INETPUB, ANDROID, ACTIVEX

  • 🛠️ Security engineering: Microsoft Exchange 2016 and 2019 will reach the end of support in six months, on 14th October 2025. Installations will “of course” continue to run but will not receive any security patches or bug fixes. You can move to M365 today, but if you want an on-premises installation you’ll have to wait for Exchange Server SE’s release in “July 2025”, which doesn’t leave long for a switchover. EXCHANGE (SE/UPGRADE PATH)

  • 🏭 Operational technology: Andy Greenberg has a write-up on CyberAv3ngers (aka Bauxite), widely believed to be Iran’s Revolutionary Guard Corps. The group “has been vocal about their operations that targeted Israel and Israeli technology products. But they’ve also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world”. CYBERAV3NGERS

  • 🧿 Privacy: Web browsers rendering ‘visited’ links in a different style can be helpful for users but can also give away your browsing history to the website; Google Chrome is fixing this long-standing privacy issue in the upcoming 136 release. The ICO has fined UK law firm DPP Law £60,000 ($80K) for poor controls over its case management system after criminals stole data without the firm knowing and published sensitive information on the dark web. DPP became aware of the incident when notified by the National Crime Agency; however, the ICO says DPP “did not consider the loss of access to personal information constituted a personal data breach” and didn’t report it to the ICO for another 43 days. CHROME, DPP

  • 👮 Law Enforcement: China has placed three NSA operatives on a wanted list for alleged “cyberattacks on critical systems of the Asian Winter Games”. This is not dissimilar to the US ‘naming and shaming’ Chinese and Russian spies for their cyberattacks. Swedish investigators cannot rule out sabotage of subsea cables by a Chinese bulk carrier in the Baltic Sea last year, citing obstructions to normal investigative procedures. Meanwhile, Taiwan is charging a Chinese captain for dragging anchor and severing subsea cables. Google has lost a trial and been found to hold a monopoly in online advertising, so the DOJ is pushing for parts of Google’s ad business to be sold off. SUBSEA, TAIWAN, WANTED, GOOGLE

  • 💰 Investments, mergers and acquisitions: Virtue AI has banked $30 million in Seed and Series A funding for plans to build an enterprise AI security platform. RunSafe Security has closed a $12 million Series B funding round led by BMW’s i Ventures for its technology that “immunises memory-based system from unknown vulnerabilities”. VIRTUE, RUNSAFE

And finally

  • Pedestrian crossing buttons in Silicon Valley have been compromised to play clips spoofing Mark Zuckerberg and Elon Musk. There are various clips, from ‘Zuck’ saying how proud he is to rot people’s brains with AI slop to ‘Musk’ mulling on the fact that money can’t buy happiness. LINK
Robin