Thursday, Jan 23, 2025 // (IG): BB // GITHUB // SGM Jarrell
Trump Administration Seeks Resignation of Democrats on Intelligence Oversight Board
Bottom Line Up Front (BLUF): The Trump administration has asked all Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) to step down, sparking concerns about the agency's ability to function and allegations of politicization. If the resignations are carried out, PCLOB could lose its quorum and be unable to oversee critical government surveillance programs like Section 702 of the Foreign Intelligence Surveillance Act.
Analyst Comments: This development underscores increasing concerns about partisanship within U.S. oversight bodies. The PCLOB has been a crucial check on government surveillance practices, especially regarding privacy protections under controversial programs like Section 702. Removing Democratic members could incapacitate the board, undermining transparency and accountability in intelligence operations. This could embolden critics of the administration's surveillance policies and intensify legislative scrutiny ahead of Section 702's upcoming renewal in 2026. Moreover, it sets a troubling precedent for governance in bipartisan agencies.
FROM THE MEDIA: The agency's oversight role became contentious in 2023 when it recommended court approval for searches involving U.S. citizens' data under Section 702—a failed proposal. Critics, including Senator Ron Wyden (D-OR), argue this move compromises the board's independence and weakens its ability to address surveillance abuses. The New York Times first reported this development, but the White House has declined to comment on the situation. If all requested resignations proceed, the PCLOB cannot approve or terminate any oversight projects until replacements are confirmed.
READ THE STORY: The Record // THN // arsTechnica // The Register
Unconstrained Actors: Assessing Global Cyber Threats to the Homeland
Bottom Line Up Front (BLUF): A new report from the Foundation for Defense of Democracies (FDD) highlights growing cyber threats from "unconstrained actors" such as nation-states, cybercriminal groups, and hacktivists targeting critical infrastructure and democratic institutions. The report emphasizes the urgency of addressing advanced persistent threats (APTs) and calls for enhanced international collaboration, investment in cybersecurity, and robust deterrence strategies to defend against increasingly sophisticated attacks.
Analyst Comments: The FDD report underscores the evolving nature of the global cyber threat landscape, where boundaries between state and non-state actors continue to blur. Nation-states like China, Russia, Iran, and North Korea remain prominent threats, employing cyber operations for espionage, economic disruption, and influence campaigns. The report also highlights the growing role of ransomware groups and proxy actors who provide plausible deniability to their sponsors. Strengthening U.S. resilience through public-private partnerships, active defense measures, and improved attribution capabilities will be key to mitigating these threats. The report also notes the necessity of addressing vulnerabilities in emerging technologies, such as AI, 5G, and IoT, which present new opportunities for exploitation.
FROM THE MEDIA: The report identifies key adversaries, including nation-states like China and Russia, which engage in cyber espionage, economic theft, and influence operations, while Iran and North Korea focus on disruptive attacks and financial cybercrime. It also highlights the role of cybercriminal groups, such as ransomware gangs targeting critical infrastructure, and hacktivists or proxy actors aligned with state interests, complicating attribution. Additionally, the report critiques weaknesses in U.S. cybersecurity policy, including the absence of robust deterrence strategies, poor inter-agency coordination, and insufficient global norms to combat cyber aggression. To address these challenges, the report calls for improved cyber hygiene, the development of offensive cyber capabilities, and stronger international partnerships to deter adversaries.
READ THE STORY: FDD
Baltic Sea Cable Damage: Accident or Sabotage?
Bottom Line Up Front (BLUF): Recent damage to critical power and communication cables in the Baltic Sea, including an incident involving the oil tanker Eagle S on Christmas Day, has sparked debate over whether these were accidents or acts of sabotage. While Western intelligence sources suggest the events were unintentional, maritime and security experts argue the circumstances and patterns may indicate deliberate actions, potentially tied to geopolitical tensions involving Russia.
Analyst Comments: The recurring incidents of undersea infrastructure damage in the Baltic Sea highlight critical infrastructure vulnerabilities to maritime activities. While some experts attribute these events to accidents, the scale, frequency, and geopolitical context — including Russia's presence in the region and reliance on shadow fleets — suggest the possibility of strategic interference. If proven to be sabotage, these incidents could represent a form of hybrid warfare aimed at disrupting Western assets while maintaining plausible deniability. Regardless of intent, the situation underscores the urgent need for enhanced monitoring and protection of subsea infrastructure, as disruptions have significant economic and security implications.
FROM THE MEDIA: On Christmas Day 2024, the oil tanker Eagle S dragged its anchor for nearly 100 kilometers along the Baltic Sea seabed, rupturing several undersea power and telecom cables. Finnish authorities have detained the vessel and its crew for investigation. This incident follows a pattern of similar events, including the damage to the C-Lion1 cable by the Chinese cargo ship Yi Peng 3 in November and the rupture of a gas pipeline between Finland and Estonia by another Chinese vessel, Newnew Polar Bear, in 2023. Reports from The Washington Post and Norway’s Verdens Gang claim Western intelligence agencies view these incidents as accidents, citing a lack of direct evidence implicating Russia. However, critics, including maritime experts, question this assessment. Experts argue it is improbable for a ship to unintentionally drag a 100-ton anchor for such distances without noticing.
READ THE STORY: The Record
U.S. Lawmakers Debate CISA Funding Amid Rising Cyber Threats from China
Bottom Line Up Front (BLUF): The U.S. House Homeland Security Committee emphasized addressing Chinese cyber threats targeting critical infrastructure. While Chairman Mark Green called for a more aggressive approach against China, partisan disputes over funding for the Cybersecurity and Infrastructure Security Agency (CISA) could undermine efforts. The debate centers on balancing CISA’s role in countering misinformation and securing critical systems.
Analyst Comments: This debate highlights the growing tension between escalating cybersecurity risks and partisan politics surrounding resource allocation. While CISA’s funding is critical to safeguarding infrastructure, skepticism among some lawmakers could reduce its operational capacity. The Chinese government’s advanced cyber capabilities threaten U.S. infrastructure, potentially compromising national security during geopolitical tensions. Future funding decisions will significantly impact the U.S.’s ability to harden defenses and coordinate with private sectors. If underfunded, vulnerabilities in critical systems may persist, leaving the U.S. at risk.
FROM THE MEDIA: Some Republicans, including Sen. Rand Paul, R-Ky., have criticized CISA for its focus on combating disinformation, which they argue distracts from its primary mission. Homeland Security Secretary nominee Kristi Noem echoed this sentiment, advocating for a “smaller, more nimble” agency focused exclusively on critical infrastructure. Meanwhile, experts like Mark Montgomery from the Foundation for Defense of Democracies warned that China has embedded malware in U.S. networks, potentially crippling infrastructure in a conflict scenario. Kemba Walden of Paladin Global Institute called for renewed legislation to enhance private-sector information sharing with CISA.
READ THE STORY: Roll Call
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Bottom Line Up Front (BLUF): The China-aligned APT group PlushDaemon has been linked to a supply chain attack that compromised a South Korean VPN provider in 2023. The attackers replaced a legitimate software installer with a trojanized version to deploy a backdoor named SlowStepper, a sophisticated toolkit with more than 30 espionage modules. The incident underscores ongoing risks in software supply chains and the growing sophistication of APT toolsets.
Analyst Comments: PlushDaemon's use of a multistage malware framework, leveraging DNS-based command-and-control and modular backdoor design, highlights a level of sophistication aimed at espionage and data exfiltration. The targeting of South Korean organizations, particularly those in the semiconductor and software development sectors, aligns with China's strategic interest in critical industries. Organizations should strengthen their supply chain security by conducting code audits, enforcing software signing practices, and monitoring network behavior for DNS-based anomalies. The development and long-term operation of the SlowStepper implant also point to sustained investment in offensive cyber capabilities by China-aligned actors.
FROM THE MEDIA: During a separate attack in Hong Kong, the attackers hijacked legitimate software update channels and exploited an unknown vulnerability in an Apache HTTP server. Telemetry data indicates the supply chain compromise impacted South Korean networks in the semiconductor and software industries, with early victims recorded in Japan and China in late 2023. The SlowStepper backdoor is activated through a complex chain of loader DLLs and uses DNS queries to communicate with its command-and-control infrastructure. The backdoor allows operators to execute Python modules, extract sensitive data, and perform surveillance. Many tools associated with SlowStepper were hosted on the Chinese GitCode platform, suggesting possible connections to Chinese developers.
READ THE STORY: THN
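The analyst comment above recommends monitoring for DNS-based anomalies because the backdoor talks to its operators over DNS queries. The following is an added example, not code from the article or from the researchers it cites, of the kind of detection logic a defender would run over resolver or sensor logs: it groups queries by registered domain and flags domains that receive many unique, high-entropy subdomain labels, which is the signature of data being carried in query names. The log lines are constructed inline, the log format is an assumption, and `c2-placeholder.example` is a placeholder, not a real indicator.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; hex or base32 blobs score near 4, words near 2."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Simplification (assumption): the last two labels. Production code would use the
    public suffix list so that names like example.co.uk are grouped correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    """Assumed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def build_sample_log():
    """Constructed sample: ordinary lookups from several hosts, plus one host
    sending many unique hex-looking labels under a single placeholder domain."""
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.org"]
    for i in range(40):
        lines.append(f"2025-01-23T10:{i % 60:02d}:00Z 10.0.0.{i % 5 + 1} {normal[i % 4]} A")
    for i in range(30):
        # Deterministic high-entropy labels stand in for encoded C2 traffic.
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"2025-01-23T10:{i:02d}:30Z 10.0.0.7 {label}.c2-placeholder.example TXT")
    return lines


def detect_dns_anomalies(lines, min_unique=20, min_entropy=3.0):
    """Return one finding per registered domain whose unique-subdomain count and
    average label entropy both exceed the thresholds (thresholds are assumptions
    and should be tuned against a site's own baseline)."""
    stats = defaultdict(lambda: {
        "subdomains": set(), "clients": set(), "entropy_sum": 0.0,
        "sub_queries": 0, "queries": 0, "txt": 0,
    })
    for line in lines:
        rec = parse_line(line)
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(dom)].rstrip(".")
        s = stats[dom]
        s["queries"] += 1
        s["clients"].add(rec["client"])
        if rec["qtype"] == "TXT":
            s["txt"] += 1
        if sub:
            s["subdomains"].add(sub)
            s["sub_queries"] += 1
            s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))

    findings = []
    for dom, s in stats.items():
        uniq = len(s["subdomains"])
        avg_entropy = s["entropy_sum"] / s["sub_queries"] if s["sub_queries"] else 0.0
        if uniq >= min_unique and avg_entropy >= min_entropy:
            findings.append({
                "domain": dom,
                "unique_subdomains": uniq,
                "avg_label_entropy": round(avg_entropy, 2),
                "txt_ratio": round(s["txt"] / s["queries"], 2),
                "clients": sorted(s["clients"]),
            })
    return sorted(findings, key=lambda f: -f["unique_subdomains"])


if __name__ == "__main__":
    for finding in detect_dns_anomalies(build_sample_log()):
        print(finding)
```

The two thresholds deliberately work together: a CDN produces many unique subdomains with low entropy, and a single random-looking hostname has high entropy but low cardinality, so neither alone is a good signal. The list of clients in each finding is what an analyst would pivot on next.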
U.S. Sanctions Sichuan Juxinhe for Links to China-Backed Salt Typhoon Cyber Group
Bottom Line Up Front (BLUF): The U.S. government imposed sanctions on Sichuan Juxinhe, a Chinese cybersecurity firm allegedly tied to the Salt Typhoon cyber threat group, which has targeted U.S. telecommunications and internet service providers since 2019. Preliminary research suggests Sichuan Juxinhe operates as a front company for China’s Ministry of State Security (MSS), raising concerns over state-sponsored cyber operations targeting critical U.S. infrastructure.
Analyst Comments: This action by the U.S. Treasury underscores heightened scrutiny of Chinese cyber operations, particularly those leveraging front companies to cloak state-sponsored activities. The identification of Sichuan Juxinhe highlights the persistent threat posed by MSS-linked Advanced Persistent Threat (APT) groups targeting telecommunications infrastructure, a critical vulnerability for national security. These sanctions may temporarily disrupt Salt Typhoon’s operations, but defending against similar threats remains a challenge without detailed intrusion information. Future U.S. actions must emphasize public-private information sharing to safeguard critical infrastructure.
FROM THE MEDIA: A Natto Team investigation revealed that Sichuan Juxinhe fits the profile of an MSS front company, sharing characteristics such as limited business activity, a small workforce, and a minimal digital footprint. However, the company registered 15 software copyrights, an unusual move for an MSS-linked entity, suggesting potential revenue streams or operational complexity. Experts suspect Sichuan Juxinhe developed tools used in Salt Typhoon’s activities, including those targeting telecommunication systems. The sanctions followed months of speculation after the Wall Street Journal exposed Salt Typhoon’s activities in September 2024. While the Treasury’s action is significant, the lack of public intrusion details complicates defensive measures, leaving critical sectors at risk.
READ THE STORY: Natto Thoughts
Trump Pardons Silk Road Founder Ross Ulbricht
Bottom Line Up Front (BLUF): President Donald Trump issued a full pardon to Ross Ulbricht, the founder of the Silk Road dark web marketplace, on January 22, 2025. Ulbricht had been serving a life sentence for running the illegal platform, which facilitated the sale of drugs, malware, fake IDs, and other illicit services. The decision fulfills a campaign promise to Trump’s Libertarian supporters and has sparked controversy over its implications for justice and cybersecurity.
Analyst Comments: This pardon is a politically charged decision that could have far-reaching implications for cybercrime deterrence. Granting clemency to a convicted dark web operator risks emboldening cybercriminals and undermining years of law enforcement efforts to disrupt illegal online marketplaces. The Silk Road case was a landmark in prosecuting internet-enabled crime, and this reversal could signal to other operators that accountability is negotiable. Additionally, the pardon may further politicize cybersecurity enforcement, as Trump linked the pardon to criticisms of federal prosecutors. Moving forward, this decision could intensify calls for greater regulation of cryptocurrency, which played a central role in Silk Road’s operations.
FROM THE MEDIA: Ross Ulbricht, who founded the Silk Road dark web marketplace, received President Donald Trump's full and unconditional pardon. Announced by White House press secretary Karoline Leavitt, the pardon was framed as a gesture of support for the Libertarian Party, which endorsed Trump in his 2024 presidential campaign. Trump personally informed Ulbricht's mother of his decision, praising her advocacy and criticizing the federal prosecutors involved in the case. Ulbricht was convicted in 2015 on charges of narcotics distribution, money laundering, conspiracy to commit hacking, and operating a continuing criminal enterprise. Silk Road facilitated illegal transactions through cryptocurrency and operated anonymously on the dark web, earning Ulbricht at least $13 million in commissions. Prosecutors linked the platform to numerous drug-related deaths and criminal activities, including Ulbricht’s alleged attempts to commission murders to protect his identity.
READ THE STORY: The Record // THN
13,000 MikroTik Routers Hijacked for Botnet and Malspam Campaigns
Bottom Line Up Front (BLUF): A botnet leveraging 13,000 hijacked MikroTik routers is propagating malware through spam campaigns and other cyberattacks. The compromised devices exploit misconfigured DNS records and permissive email safeguards, making detection and attribution difficult. This highlights the urgent need for MikroTik device owners to update firmware and secure configurations.
Analyst Comments: The exploitation of MikroTik routers underscores how poorly secured Internet of Things (IoT) devices remain a significant vulnerability in global cybersecurity. The use of SOCKS proxies to anonymize malicious traffic and bypass defenses complicates efforts to track threat actors. The campaign also highlights the continued risk of misconfigured email security mechanisms, such as overly permissive SPF records. Moving forward, organizations should prioritize securing their DNS and email configurations and encourage customers to harden their devices. Without these measures, the risks of botnets being used for DDoS, phishing, and malware propagation will continue to grow.
FROM THE MEDIA: Infoblox researchers revealed that 13,000 MikroTik routers worldwide have been compromised and weaponized as part of a botnet. Mikro Typo, the botnet, is being used to distribute malware through malicious spam (malspam) campaigns. The activity was first detected in November 2024 when attackers used phishing emails with freight invoice lures to deploy a ZIP payload containing an obfuscated JavaScript file. The malicious script executes PowerShell commands to connect with a command-and-control (C2) server at 62.133.60[.]137. The attackers leverage compromised routers as SOCKS proxies, enabling them to disguise their activities and evade detection. A critical MikroTik vulnerability, CVE-2023-30799, which allows privilege escalation and arbitrary code execution, may have been exploited. Further analysis revealed that attackers exploited weak email sender policy framework (SPF) records across 20,000 domains, bypassing protections by using the "+all" configuration. This allowed legitimate domains to be spoofed to distribute malicious emails.
READ THE STORY: THN
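The "+all" configuration mentioned above is worth seeing concretely: an SPF record that ends in "+all" tells receivers that every sender on the internet is authorized for the domain, so the record offers no spoofing protection at all. The following is an added example, not code from the article or from the Infoblox research it summarizes, of a small offline SPF linter and evaluator. It parses the terms of a record, evaluates literal ip4/ip6 terms against a sender address, reports which "all" qualifier the record falls back to, and flags the permissive cases. The records and domain names are constructed placeholders. Mechanisms that need DNS (a, mx, include, exists, ptr) and the redirect modifier are only counted, not resolved, which is an assumption of this offline version.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}

# Constructed sample records; the domains are placeholders, not real zones.
SAMPLE_RECORDS = {
    "strict.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:203.0.113.10 include:mail.example ~all",
    "open.example": "v=spf1 ip4:203.0.113.0/24 +all",   # the "+all" misconfiguration
    "bare.example": "v=spf1 ip4:203.0.113.0/24 all",    # no qualifier means "+"
    "noall.example": "v=spf1 ip4:203.0.113.0/24",
    "heavy.example": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
}


def parse_spf(record):
    """Split a record into (qualifier, name, argument) terms.
    Modifiers such as redirect=... are returned with qualifier None."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        # A modifier is name=value with no ':' before the '=' (ip6 args contain ':').
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            name, _, value = term.partition("=")
            parsed.append((None, name.lower(), value))
            continue
        qualifier = "+"                      # RFC 7208: the default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_sender(record, sender_ip):
    """Offline evaluation using only ip4/ip6/all terms. A 'pass' is definitive
    (a literal match or '+all'); other results may change once DNS-based terms
    are resolved. With no match and no 'all', RFC 7208 yields 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if qualifier is None:
            continue
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def audit(record):
    """Return lint findings for one record; an empty list means no issue found."""
    findings = []
    terms = parse_spf(record)
    all_qualifiers = [q for q, n, _ in terms if q is not None and n == "all"]
    has_redirect = any(q is None and n == "redirect" for q, n, _ in terms)
    if not all_qualifiers:
        if not has_redirect:
            findings.append("no 'all' term: unmatched senders evaluate to neutral, which gives no spoofing protection")
    elif all_qualifiers[0] == "+":
        findings.append("'+all': every sender passes, so anyone can spoof this domain")
    elif all_qualifiers[0] == "?":
        findings.append("'?all': unmatched senders are neutral, which gives no spoofing protection")
    elif all_qualifiers[0] == "~":
        findings.append("'~all': softfail only; move to '-all' once every legitimate sender is listed")
    lookups = sum(1 for q, n, _ in terms
                  if (q is not None and n.split("/")[0] in DNS_MECHANISMS) or (q is None and n == "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10; receivers return permerror")
    if any(q is not None and n == "ptr" for q, n, _ in terms):
        findings.append("'ptr' is discouraged by RFC 7208 and slow for receivers to evaluate")
    return findings


def audit_all(records=SAMPLE_RECORDS):
    """Audit every record and return {domain: findings}."""
    return {domain: audit(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, findings or "ok")
    print("open.example, unknown sender:", check_sender(SAMPLE_RECORDS["open.example"], "198.51.100.1"))
```

Running it shows the point of the article in one line: a sender that has nothing to do with `open.example` still gets "pass". The same check against a real zone would first fetch the TXT record and resolve the include chain; this version is deliberately offline so it runs anywhere.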
Iran and Russia Strengthen Cybersecurity Cooperation in New Agreement
Bottom Line Up Front (BLUF): Iran and Russia have signed a new treaty to deepen cybersecurity, internet regulation, and technological collaboration. The agreement builds on existing ties between the two nations, formalizing their commitment to share expertise and coordinate cyber capabilities. Both countries aim to enhance control over their national internet infrastructures, further isolating their populations from the global internet.
Analyst Comments: The deal reflects the growing partnership between Iran and Russia as they seek to counter Western sanctions and build more resilient cyber ecosystems. Both nations have been developing strategies to create sovereign internet systems, limit external influence, and enhance domestic surveillance. This alignment signals a shift toward more centralized, authoritarian internet models that may accelerate the global fragmentation of cyberspace. Additionally, exchanging cybersecurity expertise between these two governments could lead to more sophisticated cyber operations targeting adversaries, especially given Russia's advanced capabilities.
FROM THE MEDIA: A key aspect of the treaty involves collaboration in cybersecurity and internet regulation, aiming to counter cybercrime and develop national internet infrastructure. Both nations have histories of censorship and surveillance, and the agreement aligns with their efforts to increase control over digital information. This deal follows a 2021 agreement between the countries focused on cybersecurity cooperation and mutual non-aggression in cyberspace. Recent meetings between Russian and Iranian officials have explored exporting Russian technology to Iran and collaborating on cybersecurity solutions. The Russian cybersecurity firm Positive Technologies, sanctioned by the U.S., has also analyzed Iran’s cyber landscape, further indicating increased cooperation. The partnership has raised concerns about enhanced capabilities for censorship, surveillance, and state-sponsored cyberattacks. Both countries have pursued sovereign internet projects to limit access to the global web, with Freedom House rating their internet environments as “not free.”
READ THE STORY: The Record
Mirai Botnet Launches Record-Breaking 5.6 Tbps DDoS Attack
Bottom Line Up Front (BLUF): The Mirai botnet executed the largest-ever Distributed Denial-of-Service (DDoS) attack on October 29, 2024, peaking at 5.6 Tbps and targeting an unnamed ISP in Eastern Asia. The attack leveraged over 13,000 compromised Internet of Things (IoT) devices, highlighting the escalating threat posed by IoT botnets and the urgent need for enhanced IoT security measures.
Analyst Comments: This record-breaking DDoS attack demonstrates the evolving sophistication and scale of IoT-based botnets like Mirai. The exponential growth of volumetric DDoS attacks, including the 1,885% quarterly increase in attacks exceeding 1 Tbps, is concerning. Exploiting poorly secured IoT devices remains a critical vulnerability, as these devices continue to be targeted for their weak credentials and unpatched flaws. Regulatory measures for IoT security, vendor accountability, and stronger network-layer defenses are crucial to mitigating such large-scale attacks. The incident also underscores the importance of cloud-based DDoS mitigation services like those Cloudflare provides.
FROM THE MEDIA: Cloudflare disclosed on January 22, 2025, that it detected and mitigated a 5.6 Terabit per second (Tbps) DDoS attack on October 29, 2024. This attack, originating from over 13,000 IoT devices infected with a Mirai-variant malware, targeted an unnamed internet service provider in Eastern Asia. The UDP-based assault lasted only 80 seconds, representing the largest volumetric DDoS attack ever recorded. The average unique source IP count during the attack was 5,500, with each device generating approximately 1 Gbps of traffic. In 2024, Cloudflare mitigated over 21.3 million DDoS attacks, a 53% increase from 2023, with a significant rise in attacks exceeding 1 Tbps. Notably, SYN floods, DNS flood attacks, and UDP floods were the most prevalent vectors. Cybersecurity firms, including Qualys and Trend Micro, have reported that Mirai botnet offshoots continue to exploit IoT device vulnerabilities and weak credentials. The prevalence of DDoS attacks targeting telecommunications and IT sectors, particularly in countries like China, Hong Kong, and Taiwan, highlights the need for enhanced global IoT security measures.
READ THE STORY: THN
Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet
Bottom Line Up Front (BLUF): Threat actors are leveraging a zero-day vulnerability in Cambium Networks cnPilot routers to deploy the AIRASHI botnet, a variant of the AISURU botnet. The botnet has been active since June 2024, primarily launching DDoS attacks with 1–3 Tbps capabilities. The exploitation of IoT vulnerabilities continues to enable massive-scale cyberattacks globally.
Analyst Comments: The AIRASHI botnet highlights the persistent threat of insecure IoT devices in enabling large-scale distributed denial-of-service (DDoS) attacks. The botnet’s evolution, including its proxy functionality and use of advanced encryption protocols like HMAC-SHA256 and CHACHA20, indicates ongoing investments in sophisticated botnet development by cyber criminals. Organizations should act quickly to secure IoT devices through timely firmware updates, strong access credentials, and network segmentation. Additionally, the use of a zero-day vulnerability underscores the importance of proactive vulnerability management and threat intelligence to preempt exploitation.
FROM THE MEDIA: The AIRASHI botnet, a derivative of the AISURU botnet, employs a variety of IoT vulnerabilities, including CVE-2023-28771, CVE-2020-25499, and others affecting AVTECH IP cameras, Shenzhen TVT devices, and LILIN DVRs. The botnet’s operator has been publicizing test results of its DDoS capabilities on Telegram. Notably, AIRASHI has evolved into two variants: AIRASHI-DDoS, which supports both DDoS attacks and arbitrary command execution, and AIRASHI-Proxy, which adds proxyware functionality. The botnet’s communication is encrypted using advanced algorithms, and its infrastructure is updated dynamically through DNS queries to enhance resilience. Most compromised devices are located in Brazil, Russia, Vietnam, and Indonesia, while primary targets include entities in the United States, China, Poland, and Russia. The campaign underscores the continued exploitation of IoT vulnerabilities to build robust botnets for cybercriminal purposes.
READ THE STORY: THN
Items of interest
BreachForums Founder to Be Resentenced After Appeals Court Overturns Light Sentence
Bottom Line Up Front (BLUF): Conor Fitzpatrick, the 21-year-old founder of the dark web platform BreachForums, will be resentenced after an appellate court ruled that his original sentence of 17 days in prison and 20 years of supervised release was "substantively unreasonable." The court criticized the lower court's leniency, highlighting Fitzpatrick’s role in operating a massive cybercrime marketplace and his repeated violations of supervised release conditions.
Analyst Comments: This decision reflects growing judicial scrutiny of sentences perceived as overly lenient in high-profile cybercrime cases. BreachForums played a significant role in facilitating cybercriminal activities, including the sale of stolen data and sensitive government information. The platform’s scale and Fitzpatrick's repeated parole violations demonstrate the systemic risks posed by unregulated dark web marketplaces. A more stringent sentence could serve as a deterrent and reinforce the seriousness of cybercrime prosecutions. The case also highlights the challenges of balancing justice with considerations like mental health and rehabilitation in cases involving young offenders.
FROM THE MEDIA: Conor Fitzpatrick, also known as "pompompurin," created BreachForums in March 2022 as a successor to RaidForums, facilitating the trade of over 14 billion stolen personal records. Fitzpatrick pleaded guilty to charges including possession of child pornography and conspiracy to traffic stolen personally identifiable information. Despite the severity of his crimes, a district court sentenced him to time served and 20 years of supervised release, citing his autism diagnosis and young age as factors in its decision. The government appealed the decision, arguing it was excessively lenient, and on January 22, 2025, a three-judge appellate panel agreed. Judge Paul Niemeyer noted that the district court failed to consider Fitzpatrick's significant violations of release conditions, including internet use to participate in chatrooms where he denied his crimes and joked about selling sensitive data.
READ THE STORY: The Record
This Cybercrime Forum Is Full Of Hackers (Video)
FROM THE MEDIA: Exploit.in is a well-known and long-standing underground cybercrime forum that operates as a marketplace and discussion hub for cybercriminals. It has gained notoriety over the years for being a platform where threat actors trade hacking services, stolen data, and vulnerabilities, and discuss topics related to cybercrime and security exploitation. Unlike some other forums that cater to English-speaking audiences, Exploit.in is primarily Russian-speaking, though it is frequented by cybercriminals worldwide due to its reputation and influence in the cybercriminal ecosystem.
The Yandex Leak: How a Russian Search Giant Uses Consumer Data (Video)
FROM THE MEDIA: In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex's behavioral analytics technology.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.