
From the cybersecurity personnel front,
- Saturday morning, two-term South Dakota Governor Kristi Noem received Senate confirmation of the President’s nomination of her to be Secretary of Homeland Security, which is the home of the Cybersecurity and Infrastructure Security Agency (CISA). The Senate vote was 59-34 in her favor.
- In the meantime, Benjamine Huffman has been the acting Department of Homeland Security Secretary this week.
- Federal News Network reports in a January 24 article,
- Greg Barbaccia seems to be the new federal chief information officer. Barbaccia updated his LinkedIn page just recently.
- He replaces Clare Martorana, who was the federal CIO for the last three-plus years.
- Emails to OMB and the White House seeking confirmation and comment were not immediately returned.
- Barbaccia is a former Army intelligence sergeant and intelligence community analyst from 2003 to 2009. Since then, he’s worked in the private sector.
- FedScoop lets us know in a January 22, 2025, article,
- The Office of Personnel Management again has a new chief information officer.
- Greg Hogan will serve as CIO, an agency spokesperson confirmed to FedScoop on Wednesday [January 22]. His appointment comes roughly a week after Melvin Brown II took over that role following former CIO Guy Cavallo’s retirement from federal service.
From the cybersecurity vulnerabilities and breaches front,
- On January 16, 2025, HHS’s Health Sector Cybersecurity Coordination Center issued its report on December 2024 vulnerabilities of concern to the health sector.
- MedCity News points out that “Cybersecurity Threats Continue to Rise for Healthcare Organizations, Research Shows. The vast majority of healthcare organizations have spotted a cyberattack and suffered financial consequences as a result in the past 12 months, according to new research. A separate report also found that overall cyberattacks on healthcare organizations have risen by 32% year-over-year.”
- Cybersecurity Dive tells us,
- “Conduent, a New Jersey-based government contractor that provides technology platforms to multiple social service agencies and transit systems across the U.S., confirmed Wednesday it was impacted by a cyberattack.
- “The incident first became public after Wisconsin officials reported delays in child support payments. Wisconsin was one of four states impacted by the outage.
- “A spokesperson for Conduent confirmed the disruption was due to a cyber incident, but did not elaborate on the details. Conduent did not provide any details about how the incident was initially discovered or a specific timeline about the response.”
- and
- “BeyondTrust determined 17 customers were impacted in a December attack spree related to the compromise of a Remote Support SaaS API key.
- “The attack, attributed to a state-linked threat actor, included the compromise of several offices of the U.S. Treasury Department, where hackers gained access to unclassified data.
- “BeyondTrust said it worked with its affected customers to support their respective investigations by providing them with artifacts, logs, indicators of compromise and other information.
- and
- “Hewlett Packard Enterprise said it is investigating claims a threat group gained access to a trove of sensitive company data.
- “The threat group, IntelBroker, posted a claim on BreachForums that it had access to a large trove of HPE data, according to researchers from Arctic Wolf.
- “The allegedly stolen data includes private GitHub repositories, Docker builds, source code and other information, according to the posting.
- “Upon learning of the claim Thursday [January 23], the company immediately activated cyber response protocols, disabled related credentials and launched an investigation to determine whether the claims were valid, a spokesperson said Tuesday via email.
- “There is no operational impact to our business at this time, nor evidence that customer information is involved,” the spokesperson said.”
- The American Hospital Association informs us,
- “The Cybersecurity and Infrastructure Security Agency and FBI Jan. 22 released an advisory explaining how cyberthreat actors “chained” vulnerabilities — deploying multiple vulnerabilities in rapid succession — during attacks on certain versions of Ivanti Cloud Service Appliances in September. Threat actors used an administrative bypass, structured query language and remote code execution vulnerabilities during the attack. The agencies said the actors gained initial access, obtained credentials and implanted webshells on victim networks.
- “These attacks serve as another reminder of the importance of patch management in defending networks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “Think of this as a thief using bolt cutters to get through a perimeter fence, using a pry bar to force the door to the building open, and then using a hammer to break the glass protecting the jewels they came to steal. The good news for network defenders in this instance regarding Ivanti is that each of these tools can be detected.”
- “CISA and the FBI strongly encouraged network administrators to upgrade to the latest supported version of Ivanti CSA.
- “Any hospitals still using outdated versions of Ivanti CSA should update their systems immediately,” Gee said. “If unable to remove the outdated version, network security teams should implement detections based on the indicators of compromise in the advisory and understand the risk posed by this vulnerable technology.”
- Cyberscoop notes,
- “Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,” to execute malicious commands.
- “The campaign, which researchers at the cybersecurity wing of Lumen Technologies refer to as “J-Magic,” was active between mid-2023 and mid-2024. The malware uses a custom variant of the open-source backdoor ‘cd00r,’ which operates invisibly to lay the groundwork for a reverse shell attack. The malware scans for five different predefined parameters before activating. If any of these parameters or “magic packets” are received, the malware sends a confirmation request. Once confirmed, J-Magic establishes a reverse shell on the local file system, allowing operators to control the device, steal data, or deploy further malware.
- “Although the specific method of transmission into these routers remains unclear, many targeted devices are configured as virtual private network (VPN) gateways. Lumen’s analysis found that approximately half of the routers affected during the campaign functioned as VPN gateways.
- “The strategic focus of J-Magic on routers underscores a level of stealth, given that routers are rarely monitored with security software. The malware specifically targets Junos OS, Juniper’s FreeBSD-based operating system.”
- Per Dark Reading,
- “Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.
- “Cisco Meeting Management is a management tool for Cisco’s on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings that are running on the platform through two user roles: the first is for administrators with full rein over the platform; and the second is for “video operators,” who only have access to the meetings and overview pages.
- “The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because “proper authorization” is not enforced on REST API users. Should an attacker send specially crafted API requests to a specific endpoint, they could exploit the vulnerability and allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.
- “This poses a risk to businesses, as a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them the ability to change configurations, add users, and more, according to the advisory.”
- Per Bleeping Computer,
- “SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks.
- “The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
- “The vulnerability affects all firmware versions of the SMA1000 appliance up to 12.4.3-02804 (platform-hotfix). * * *
- “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
- “Microsoft’s Threat Intelligence Center discovered the flaw, so more details about the exploitation activity and when it started might be shared by Microsoft at a later date.”
- CISA added two known exploited vulnerabilities to its catalog this week.
- January 23, 2025: CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability
- January 24, 2025: CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability
- The Hacker News adds,
- “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- “The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.
- “Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code,” according to a GitHub advisory released for the flaw.
- Plus we learn from Cyberscoop,
- A critical security flaw has been identified and potentially exploited in SonicWall’s Secure Mobile Access (SMA) 1000 series appliances, sparking significant concern among cybersecurity experts and users worldwide.
- The vulnerability, registered as CVE-2025-23006, allows remote, unauthenticated attackers to execute arbitrary operating system commands under certain conditions. The issue specifically impacts the Appliance Management Console (AMC) and Central Management Console (CMC) used widely in enterprise and government networks for administrative functions.
- SonicWall issued a warning Wednesday [January 22, 2025] saying the flaw has a severity rating of 9.8 out of 10 by the Common Vulnerability Scoring System (CVSS) and may have been exploited by malicious actors. Microsoft’s Threat Intelligence Center is credited with uncovering the flaw, although it remains unclear when the exploitation might have commenced. Despite this, SonicWall’s advisory urges all SMA1000 users to upgrade immediately to the patched software version to prevent potential security breaches.
- SonicWall’s products provide secure remote access for a wide swath of organizations, often serving managed security service providers (MSSPs), enterprises, and government agencies.
- Bleeping Computer relates,
- “The FBI warned today [January 23] that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.
- “The security service alerted public and private sector organizations in the United States and worldwide that North Korea’s IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers’ networks.
- “North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code,” the FBI said.
From the ransomware front,
- Cyberscoop reports,
- “Researchers at cybersecurity firm Sophos are tracking multiple clusters of hacking activity leveraging Microsoft 365 instances, Microsoft Teams and email bombing tactics to deliver ransomware.
- “In new research released Tuesday [January 21], the company said it had identified at least two distinct clusters of hacking activity using the tactics to infect targets between November and December 2024.
- “First, several individuals at an organization are inundated with emails — up to 3,000 in 45 minutes in some cases. The sheer volume of spam is designed to overwhelm the target’s inbox and “create a sense of urgency” that may push them to reach out to IT for assistance, the researchers said.
- “Then, using an external account, the hackers will message one of the targets over Microsoft Teams, posing as the organization’s IT support or a “Help Desk Manager.” Under the guise of assistance, the actors push the victim to permit a remote screen control session through Teams or Microsoft Quick Assist, which is then used to create command shells, access an external Sharepoint file and deploy malware on the victim’s device.
- “With a command-and-control channel established, the attackers then use the target’s credentials to disable multifactor authentication and antivirus protections, connect to other hosts on the network and move laterally to compromise other systems.”
- Cybersecurity News lets us know,
- “New ransomware strains are quietly infiltrating VMware ESXi hosts by setting up SSH tunnels and concealing malicious traffic within legitimate activity.
- “This stealth tactic allows attackers to access critical virtual machine environments without triggering many of the standard alarms or detection systems that monitor more conventional network paths.
- “Because ESXi appliances often remain unmonitored, cybercriminals have seized the opportunity to hide in plain sight, exfiltrate data, and lock down virtual machines with minimal interference.
- “Virtualized infrastructures are attractive targets for ransomware actors due to the high value of virtual machines and the rapid damage attackers can inflict if they seize control.
- “Instead of compromising each guest system individually, criminals can focus on the ESXi host itself, enabling them to encrypt all virtual disks in one coordinated attack.”
- Per the SentinelOne blog,
- “The previous six months have seen heightened activity around new and emerging ransomware operations. Across the tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0).
- “Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy.
- “As a result of this recent activity, we analyzed payloads from both HellCat and Morpheus ransomware operations. In this post, we discuss how affiliates across both operations are compiling payloads that contain almost identical code. We take a high-level look at two samples in particular and examine their characteristics and behavior.” Check it out.
From the cybersecurity defenses front,
- CISA advises,
- “If you’re an IT defender or a vulnerability management pro, CISA’s Vulnrichment project can make your life easier. It enriches basic CVE data with actionable insights like Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS), all bundled into the CVE records you’re already pulling. Think of it as a turbocharged upgrade to the CVE data you’re already consuming. Best part? You don’t need to set up anything new—this enriched data is automatically baked into the CVE feeds you’re already using.
- “You’re soaking in it! Today, all Vulnrichment data ends up in the Authorized Data Publisher (ADP) container for individual CVEs, so if you’re pulling CVE data from https://cve.org via the API, or from GitHub at https://github.com/CVEProject/cvelistV5, you’re already collecting Vulnrichment data. It’s just a matter of parsing it out.”
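CISA’s “just a matter of parsing it out” is shown below as an added example (not CISA’s or the CVE Program’s own code): it pulls the CISA-ADP container out of a CVE JSON 5.x record and flattens the SSVC decision points, CWE ids, CVSS score and KEV date that a vulnerability-management pipeline wants. The record is constructed in the shape of the cvelistV5 JSON, with illustrative values rather than the real published record for CVE-2025-23006.

```python
"""Pull CISA Vulnrichment (ADP) data out of a CVE JSON 5.x record.

Added example, not CISA's or the CVE Program's own code. SAMPLE_RECORD is CONSTRUCTED:
it follows the CVE JSON 5.1 layout (containers.cna / containers.adp), but its SSVC,
CWE and CVSS values are illustrative, not the published record for this CVE.
"""
import json

SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2025-23006"},
    "containers": {
        "cna": {"providerMetadata": {"shortName": "sonicwall"},  # CVSS fallback source
                "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "adp": [
            {"providerMetadata": {"shortName": "Other-ADP"}, "title": "Unrelated enrichment"},
            {"providerMetadata": {"shortName": "CISA-ADP"}, "title": "CISA ADP Vulnrichment",
             "metrics": [
                 {"other": {"type": "ssvc", "content": {"version": "2.0.3", "options": [
                     {"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}]}}},
                 {"other": {"type": "kev", "content": {"dateAdded": "2025-01-24"}}}],
             "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502",
                               "description": "CWE-502 Deserialization of Untrusted Data"}]}]},
        ],
    },
})

def cisa_adp(record):
    """Return the CISA ADP container, or None if CISA has not enriched this CVE yet."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == "CISA-ADP":
            return adp
    return None

def extract_vulnrichment(raw_json):
    """Flatten SSVC decision points, CWE ids, CVSS base score and KEV date into one dict."""
    record = json.loads(raw_json)
    out = {"cve": record["cveMetadata"]["cveId"], "ssvc": {}, "cwe": [], "cvss": None, "kev_date_added": None}
    adp = cisa_adp(record) or {}
    for metric in adp.get("metrics", []):
        other = metric.get("other", {})
        if other.get("type") == "ssvc":
            # options is a list of single-key dicts: [{"Exploitation": "active"}, ...]
            for option in other["content"].get("options", []):
                out["ssvc"].update(option)
        elif other.get("type") == "kev":
            out["kev_date_added"] = other["content"].get("dateAdded")
        elif "cvssV3_1" in metric:
            out["cvss"] = metric["cvssV3_1"]["baseScore"]
    for problem in adp.get("problemTypes", []):
        out["cwe"] += [d["cweId"] for d in problem.get("descriptions", []) if d.get("type") == "CWE"]
    if out["cvss"] is None:  # ADP did not score it: fall back to the CNA's own CVSS
        for metric in record["containers"].get("cna", {}).get("metrics", []):
            out["cvss"] = metric.get("cvssV3_1", {}).get("baseScore", out["cvss"])
    return out
```

Running `extract_vulnrichment(SAMPLE_RECORD)` yields the SSVC triple, `["CWE-502"]`, the CNA’s 9.8 base score and the KEV date; a record with no CISA-ADP container comes back with empty SSVC/CWE fields instead of raising.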
- Check out Dark Reading for an article, “MITRE’s Latest ATT&CK Simulations Tackle Cloud Defenses. The MITRE framework’s applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.”
- Security Week discusses attack surface management.
- “The attack surface of an organization represents all of the assets (physical, virtual or human) that a malicious actor can potentially use to breach an organization,” says Alex Hoff, co-founder and chief strategy officer at Auvik Networks.
- “Traditionally,” continues Raj Samani, SVP and chief scientist at Rapid7, “the focus of attack surface management has been on securing the broader attack surface – but the emphasis is now on preventing the exploitation of assets within increasingly complex environments.”
- “While we have traditionally considered the Attack Surface to be a part of the overall IT infrastructure that can be treated and managed discretely, our view now is that the AS includes anything and everything a threat actor can target for exploitation.”
- Per Becker’s Health IT,
- “Global IT spending is expected to grow 9.8% in 2025, to $5.6 trillion, with much of that increase going to price hikes, according to Gartner.
- “And while CIOs’ expectations for generative AI are on the wane — what the IT consultant called a “trough of disillusionment” — their spending on the technology will continue to rise, Gartner predicted. Those hardware upgrades will drive double-digit growth in data center systems, devices and software this year.”
- Here is a link to Dark Reading’s CISO Corner.