DHS Cyber Safety Board Dismissed; CISA/FBI Update Bad Practices Doc; Lessons from Microsoft AI Red Teamers

An internal memo issued January 20, 2025, from Acting Department of Homeland Security (DHS) Secretary Benjamine Huffman, terminated all advisory committee positions. Among those dismissed were the Cyber Safety Review Board (CSRB), a committee responsible for "study[ing] major cyber incidents and recommend[ing] improvements," comprising private sector experts and government cybersecurity officials. Since its establishment in 2022 by President Biden's executive order, the CSRB investigated the Log4Shell security crisis, attacks by Lapsus$, and the Microsoft Exchange Online Breach, and at the time of Huffman's memo was in the process of investigating the massive 2024 breach of US telecommunications networks by the Chinese state-sponsored hacking group, Salt Typhoon.

Read more in

On January 17, the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI published version 2.0 of "Product Security Bad Practices," revised to include information from 78 suggestions received during a public comment period that began in October, 2024. New elements include updated examples of "insecure or outdated cryptographic functions, hardcoded credentials, and product support periods"; expanded recommendations to prevent SQL injection and command injection; and additional clarity and specificity around Known Exploited Vulnerability (KEV) patch timelines, MFA in Operational Technology (OT), phishing-resistant MFA for software manufacturers, and memory safety.

Read more in

'The work of securing AI systems will never be complete,' states the final point in a list of lessons taken from researchers' study of "red teaming over 100 generative AI products at Microsoft" since 2021. The Microsoft AI Red Team (AIRT) has noted since its establishment in 2018 that "AI systems have become more sophisticated, compelling us to expand the scope of AI red teaming," and that this expanded scope and volume of products have "rendered fully manual testing impractical," driving the development of automation tools to help identify vulnerabilities. AIRT conducted red team operations probing the safety and security of AI apps and features, models, plugins, and copilots, arriving at eight takeaways. Some of these The Register characterizes as "self-evident" to readers with infosec experience, but others include the assertion that gradient-based attacks are not necessary to break AI systems; that red teaming AI requires human operators' subject matter expertise, cultural competence, and emotional intelligence, including "support [for operators'] mental health"; that the potential harms of AI can be subjective and more difficult to identify and measure than security vulnerabilities; and that LLMS not only create "novel attack vectors," but also heighten risk from existing vulnerabilities that may be overlooked. AIRT looks ahead to three "open questions": 1. How will operators keep practices current and probe for new dangers as LLM purposes and capabilities continue to evolve? 2. How can AI red teamers apply and incorporate multilingual and culturally-diverse expertise? 3. How can AI red teaming practices and communication move toward standardization?

Read more in

A report from Lumen's Black Lotus Labs describes their observation of backdoor attacks designed specifically to exploit Juniper enterprise-grade routers. The method of initial access has not been determined, but the agent is a variant of the open-source "cd00r" backdoor, which waits for the threat actor to send a "magic packet" in Transmission Control Protocol (TCP) traffic. In response, "the agent is configured to send back a secondary challenge, following which J-magic establishes a reverse shell to the IP address and port specified in the magic packet. This enables the attackers to control the device, steal data, or deploy additional payloads." The researchers saw global use of this attack from mid-2023 to mid-2024, affecting semiconductor production, energy, manufacturing, and IT sectors, among others. Black Lotus notes the importance of enterprise routers in the threat landscape: 'Typically, these devices are rarely powercycled; malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access ... Routers on the edge of the corporate network or serving as the VPN gateway, as many did in this campaign, are the richest targets.' Black Lotus recommends a number of hunt guides for detecting cd00r, also providing indicators of compromise to search for, and suggesting users review logs and check for "common persistence mechanisms."

Read more in

7-Zip, a free, open-source archive software, is vulnerable to attacks that could bypass a Windows security feature meant to protect users from suspicious files. "7-Zip has supported a Windows security mechanism called the Mark of the Web (MotW) since version 22.00, released in June 2022," using the Zone.Identifier data stream to carry the mark. The Mark of the Web flags a file that originated from the internet, marking it as potentially untrusted, and prompting security checks and restrictions before users open it. Versions of 7-Zip before 24.09 are vulnerable to specially crafted archive files in which the Zone.Identifier data stream is not propagated to files inside archives nested within archives, even if the outermost archive carries the MotW. Trend Micro's advisory notes "An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user." 7-Zip does not update automatically, so users are urged to update manually to version 24.09 or later.

Read more in

Conduent has confirmed that days of outages in their services, including disruption of multiple US states' child support payment and EBT systems, were the result of a cyberattack. Wisconsin's Department of Children and Families had its system restored as of January 19. Conduent is a services vendor with contracts in many government health programs, government agencies, Fortune 100 companies, major insurance providers, car manufacturers, banks, and pharmaceutical companies, among others. Conduent states that their "operational disruption [was] due to a third-party compromise," and that their systems are "free of known malicious activity," but has not provided additional details on the nature of the attack, nor filed an 8-K form with the SEC.

Read more in

According to data gathered by the Shadowserver Foundation, 48,457 Fortinet FortiGate firewalls remain unpatched against a known authentication bypass vulnerability. The vulnerability was disclosed earlier this month; Fortinet released an advisory and updates on January 14.

Read more in

On Tuesday, January 21, Oracle released their quarterly Critical Patch Update. The release addresses more than 300 vulnerabilities across Oracle's product and service lines. Among the vulnerabilities fixed in the release are 10 critical flaws, including a vulnerability in the Oracle Agile Product Lifecycle Management (PLM) Framework that is easily exploitable by an attacker with low privileges, and several that were disclosed more than a year ago.

Read more in

On Wednesday, January 22, Cisco released updates to address three vulnerabilities: a critical privilege elevation issue in the REST API of Cisco Meeting Management; a high-severity denial-of-service vulnerability in the SIP processing subsystem of Cisco BroadWorks; and a medium-severity heap-based buffer overflow vulnerability in the ClamAV Object Linking and Embedding 2 (OLE2) decryption routine.

Read more in

A critical vulnerability in SonicWall's Secure Mobile Access 1000 (SMA 1000) product could be exploited by a remote, unauthenticated attacker to execute arbitrary OS commands. The issue affects SMA1000's Appliance Management Console (AMC) and Central Management Console (CMC). SonicWall has released hotfix version 12.4.3-02854 (platform-hotfix) for the deserialization of untrusted data vulnerability (CVE-2025-23006).

Read more in