FBI Eradicates PlugX Malware; Biden's Executive Order on Cybersecurity; 200+ Fixes From Microsoft

An affidavit unsealed in January, 2025 from a Pennsylvania district court authorized and described an operation by the FBI that took place in August, 2024, during which US agents collaborated with French law enforcement and cybersecurity firm Sekoia.io to unilaterally remove PlugX malware from thousands of Windows machines in the US. PlugX is a remote access trojan (RAT) that can spread via contaminated USB devices, maintaining persistence using registry keys that run the malware on startup. The global malware campaign is associated with a Chinese state-sponsored hacking group tracked under various names including Mustang Panda and Twill Typhoon. French authorities seized the PlugX command and control (C2) IP address in 2023, which the FBI then used to send a self-destruct command, which deleted all files created by the malware, deleted the malware's startup registry keys, and stopped and deleted the malware application and its directory. This operation affected any US-based device containing a version of PlugX that contacted the C2 server; any affected device owners will be notified by their internet service providers.

US President Joseph Biden has issued a sweeping Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity, which among other directives mandates verification of security standards in government systems and federal software contractors. The Department of commerce is directed to issue guidance to businesses on cybersecurity best practices, creating a required baseline for any "companies seeking to do business with the government," and vendors who fail validation risk investigation by the Attorney General. All government IoT devices must carry the new Cyber Trust Mark label by January 4, 2027. The order gives CISA more access to agencies' security platforms to centralize defensive information and broaden its impact. Agencies must also shore up cloud platform authentication in the wake of recent attacks by China. President Biden directs the Department of Homeland Security (DHS), the Department of Commerce, and the National Science Foundation to prioritize comprehensive AI research, and directs DHS and the Department of Energy to investigate the application of AI to protect infrastructure. The order promotes agencies' adoption of digital identity documents, and includes "a provision requiring [The Office of Management and Budget] to help agencies reduce risks associated with concentration in the IT market," which WIRED calls "a not-so-veiled shot at Microsoft." Notably the order also "gives the U.S. more authority to sanction hackers, namely ransomware groups that hold victims' systems hostage in exchange for ransom payments."

Microsoft's Patch Tuesday for January 2025 includes fixes for more than 200 vulnerabilities, 23 of which have been designated critical. Three of the flaws have been actively exploited, and five were disclosed prior to the security release. The three actively exploited vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) affect the Hyper-V hypervisor, and are rated important. They can be exploited to attain system privileges. The critical flaws include remote code execution vulnerabilities in Windows Object Linking and Embedding (OLE) and Reliable Multicast Transport Driver (RMCAST).

A half-dozen recently disclosed vulnerabilities in the Rsync file synchronization tool include a pair of flaws that when combined could allow arbitrary code execution: CVE-2024-12084 is a critical heap-based buffer overflow vulnerability in the rsync daemon 'due to improper handling of attacker-controlled checksum lengths (s2length) in the code.' CVE-2024-12085 is a high-severity vulnerability in the Rsync daemon that be 'be triggered when rsync compares file checksums.' The other four vulnerabilities are medium-severity issues. The results of a Shodan search by Bleeping Computer revealed 'over 660,000 IP addresses with exposed Rsync servers.'

Chinese drone manufacturer DJI has updated its geofencing software in most US-sold products so that it no longer automatically enforces keeping the drones from entering US Federal Aviation Administration (FAA) designated no-fly zones. Drone operators will receive in-app alerts if their drones are approaching no-fly zones, but will bear sole responsibility for ensuring they do not enter areas where they are not permitted. DJI implemented a similar policy in the European Union last year. The announcement about drones sold in the US comes about a week after a DJI drone damaged and grounded a firefighting plane in California.

According to a proposed settlement order, the US Federal Trade Commission (FTC) is requiring GoDaddy to 'implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers' websites.' The FTC's complaint alleges that since 2018, GoDaddy has failed to adopt 'reasonable and appropriate security measures' and has misled customers regarding security protections provided by their web hosting services. According to the complaint, GoDaddy failed to 'inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments.' While the FTC voted to accept the consent agreement, it will remain open to public comment for 30 days, at which time the commissioners will decide whether or not to finalize the agreement.

A report filed with the Norwegian Data Protection Authority discloses a data breach of Unacast/Gravy Analytics' Amazon Web Services (AWS) cloud storage environment by an "unauthorized person" using a "misappropriated access key." The data broker was not aware of the breach until notified by the hacker on January 4, 2025, and has since taken its main website and associated domains offline and secured its AWS environment. Unacast posits that the stolen data are "associated with users of third-party services that supply this data to Gravy Analytics," which according to 404 Media may include "Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps." The total duration of unauthorized access and exact scope of data stolen remain under investigation, but this breach has the potential to expose millions of people's sensitive and personally-identifiable location information. Norway's Unacast is the parent company of Gravy Analytics and its subsidiary Venntel, a major supplier of location data to US law enforcement. In December, 2024, Gravy and Venntel were reprimanded for violations of the FTC Act, and barred from collecting and selling sensitive data without consent.

Additional information about the late 2024 data breach of PowerSchool systems has been shared with TechCrunch by school districts affected by the attack. Reports indicate that the attack was not limited to the approximately 18,000 school districts and their current students served by PowerSchool; rather, it also included data belonging to inactive former customers, and in some cases included historical data of alumni, former students, and former personnel going back over a decade, all accessible to the single subcontractor account compromised by the attacker. Mark Racine, co-founder of RootED solutions, notes "PowerSchool has achieved SOC 2 Type 2 certification," but suggests that the details of the attack "raises questions" about the company's compliance and monitoring.

In the wake of rising ransomware attacks on the UK's public sector, the government is consulting on proposals aimed at discouraging attackers by "banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments." Government departments are already banned from making such payments. Three main proposals are under consideration: banning ransomware payments by critical national infrastructure and public sector entities; involving the National Crime Agency (NCA) in intelligence gathering, guidance, and blocking payments; and instituting mandatory reporting of ransomware incidents. The announcement of the consultation highlights the threat of Russian attackers, and notes that the National Cyber Security Center (NCSC) calls ransomware the "most immediate and disruptive threat to the UK's critical national infrastructure." The government's response and any resulting legislation will be introduced after the consultation period ends on April 8, 2025.

The US Department of Health and Human Services Office for Civil Rights (HHS OCR) maintains a database of all reported healthcare sector data security incidents that are currently under investigation and affect 500 or more individuals. A SecurityWeek analysis of the 2024 data found that the 585 reported breaches affected nearly 180 million user records. Of those 585 incidents, 440 were at healthcare providers, and nearly 100 were healthcare business associates. The significant majority of the breaches were classified as hacking or IT incidents.