In today’s cybersecurity news…
Sean Plankey nominated to head CISA
According to a list of nominations sent to Congress, President Trump tapped Sean Plankey to lead the US cyber agency. Plankey previously served as the CIO of the US Navy, as the White House’s director of cyber policy during the first Trump administration, and as the principal deputy assistant secretary for the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response in 2019 and 2020. The nomination now goes before the Senate Homeland Security Committee, and is not expected to face significant pushback.
(Axios, CyberScoop)
Ballista Botnet hits TP-Link devices
A new report from the Cato CTRL team details how threat actors exploit a high-severity command injection vulnerability to execute code on TP-Link Archer AX-21 routers and ultimately deploy the botnet. This flaw isn’t new: the first evidence of exploitation dates back to April 2023. The researchers saw the Ballista campaign using the flaw in January 2025. The attackers use a shell script to execute a malware binary across various system architectures, which opens the door to remote code execution or a denial of service. The researchers noted the malware can erase itself once execution begins, covering its tracks while spreading to other routers. Newer Ballista variants use TOR network domains rather than hardcoded IP addresses, indicating it’s under active development. Research by Censys found that Ballista infected over 6,000 devices across Brazil, Poland, the United Kingdom, Bulgaria, and Turkey.
PowerSchool publishes breach report
The education software giant released CrowdStrike’s investigation into its December 2024 breach. This showed signs that the company was initially breached in August 2024 and then again in September before the December breach. It’s not clear if the same threat actor was responsible for either of the two prior breaches. The December attack exfiltrated teachers’ and students’ data using compromised credentials, but researchers did not see evidence the attackers accessed other company databases. There was also no evidence the attackers moved laterally in the network or downstream to any school systems directly. As of January 2025, CrowdStrike found no evidence the threat actors published any data from the breach after being paid a ransom. PowerSchool has not confirmed how many students were impacted by the attacks.
Allstate sued for back-to-back breaches
The New York State Attorney General’s office filed a lawsuit against the insurance company and several of its subsidiaries, accusing them of poor cybersecurity practices that led to data breaches in 2020 and 2021. Both attacks exploited an auto insurance quoting tool from National General, which Allstate acquired in 2021, exposing almost 200,000 driver’s license numbers. The lawsuit said the tool populated driver’s license numbers in plain text, something not fixed after the first breach. Allstate says it notified regulators and fixed the issue promptly, offering credit monitoring services to those impacted.
Thanks to today’s episode sponsor, Vanta

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.
But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC. Get started at Vanta.com/headlines
Blind Eagle flies high with .url files
Check Point Research released an advisory about a new campaign targeting government institutions and organizations in Colombia since November 2024. These attacks are attributed to the group Blind Eagle, also known as APT-C-36 for those that don’t like cool names. This campaign distributes malicious .url files that trigger a WebDAV request when a user interacts with them, which can start a second-stage payload download or execute other malicious actions. The group largely distributes malware through consumer services like Google Drive or Dropbox, but the researchers found that they are expanding to Bitbucket and GitHub for payload hosting.
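As an added illustration of the detection side of this story (example code written for these notes, not from Check Point’s advisory), the scanner below parses Windows Internet Shortcut (.url) files and flags the two keys Windows will resolve on the user’s behalf: URL when the shortcut is opened and IconFile when Explorer draws its icon. It reports values that point at a remote UNC share or a file:// URL naming a remote host, which are the forms that cause Windows to reach out over SMB or WebDAV. The sample shortcut contents and the host names are constructed for the demonstration.

```python
"""Scan Windows .url (Internet Shortcut) files for remote UNC / WebDAV targets.

Added example for these show notes; the sample files below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Keys inside [InternetShortcut] whose value Windows fetches without the user
# typing it: URL on open, IconFile whenever the shortcut is rendered.
FETCHED_KEYS = {"url", "iconfile"}

# Hosts that do not leave the machine; anything else in a file:// URL is remote.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def _classify(value: str) -> Optional[str]:
    """Return a reason string if the value would trigger a remote fetch."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        # \\host\share or \\host@80\share: the first path component is the host.
        host = v.lstrip("\\/").split("\\")[0].split("/")[0]
        if "@" in host:
            # \\host@80\... or \\host@SSL\... is the explicit WebDAV port syntax.
            return "UNC path with explicit WebDAV port syntax"
        return "UNC path to a remote share"
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        if parsed.netloc.lower() not in LOCAL_HOSTS:
            return "file:// URL naming a remote host"
    return None


def scan_url_shortcut(text: str) -> List[Finding]:
    """Parse the INI-style shortcut and return findings for fetched keys."""
    findings: List[Finding] = []
    in_shortcut_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_shortcut_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if not in_shortcut_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in FETCHED_KEYS:
            continue
        reason = _classify(value)
        if reason:
            findings.append(Finding(key, value.strip(), reason))
    return findings


# Constructed samples: a normal web shortcut and one that points at a remote
# file share via both the URL and the icon (hostname is a placeholder).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://files.example.invalid/share/document.html\r\n"
    "IconFile=\\\\files.example.invalid@80\\share\\icon.ico\r\n"
)


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name)
        for f in scan_url_shortcut(content):
            print(f"  {f.key}={f.value}  <- {f.reason}")
```

Run it over .url attachments pulled from a mail gateway or quarantine folder; a shortcut whose URL or IconFile resolves to a remote share is worth a closer look regardless of the campaign it belongs to.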
UK calls for improvements to open source supply chain security
A new report from the UK’s Department for Science, Innovation & Technology (DSIT) outlined weaknesses in the open source supply chain, citing a lack of industry-specific practices, a lack of formal process for judging component trustworthiness, and the dominant influence of large tech companies. As best practices, it recommends organizations create an “internal OSS policy that details the criteria for evaluating the trustworthiness and maturity of OSS components,” develop software bills of materials, or SBOMs, for their products, and actively engage with and contribute to the open source community.
Suspected Garantex founder arrested
The crypto exchange Garantex was sanctioned by the US government in 2022 for facilitating money laundering by criminal organizations. On March 7, the US Department of Justice unsealed an indictment against its alleged founders Aleksandr Mira Serda and Aleksej Besciokov. At the same time, German and Finnish law enforcement seized servers used by the service. Sources speaking to KrebsOnSecurity say that Indian officials apprehended Besciokov over the weekend. The DOJ charges Besciokov as the technical administrator maintaining the exchange’s critical infrastructure.
Xcode malware learns new tricks
Researchers discovered the XCSSET malware in 2022, which infects Xcode projects on macOS and runs while the project is being built. Microsoft released details on a new variant with several improvements, including a modular infrastructure, encoded payloads, and improved error handling. It also uses scripting languages, UNIX commands, and legitimate binaries to further lower its profile. The variant also obfuscates module names to make static analysis less effective and includes three persistence approaches to launch a payload whenever a new shell session is initiated. Microsoft shared full details with Apple before publication and published details on individual modules, which we’ve linked in our show notes.
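Persistence that fires on every new shell session has to live somewhere the shell reads at start-up, so one practical check is to keep a baseline of those files and report what changed. The script below is an added example for these notes, not Microsoft’s tooling or anything from the XCSSET report; the list of start-up files is an assumption about which locations a macOS defender would put under change control, and the file contents are constructed in-memory samples so it runs offline.

```python
"""Baseline comparison of shell start-up files (macOS zsh/bash).

Added example for these show notes; sample file contents are constructed.
"""
import difflib
import hashlib
from pathlib import Path
from typing import Callable, Dict, List

# Assumption: the files zsh (the macOS default) and bash read when a session
# starts. Any line added here runs every time a terminal opens.
STARTUP_FILES = [
    "/etc/zshenv", "/etc/zprofile", "/etc/zshrc",
    "~/.zshenv", "~/.zprofile", "~/.zshrc", "~/.zlogin",
    "~/.bash_profile", "~/.bashrc",
]


def snapshot(read: Callable[[str], str]) -> Dict[str, str]:
    """Return {path: content} for every start-up file the reader can supply."""
    snap: Dict[str, str] = {}
    for path in STARTUP_FILES:
        try:
            snap[path] = read(path)
        except FileNotFoundError:
            continue  # absent files are simply not part of the snapshot
    return snap


def fingerprint(snap: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 per file, suitable for storing as the baseline record."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in snap.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report new files, removed files, and added/removed lines per file."""
    report: Dict[str, List[str]] = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report[path] = ["+ (new file)"] + [f"+{l}" for l in current[path].splitlines()]
        elif path not in current:
            report[path] = ["- (file removed)"]
        elif baseline[path] != current[path]:
            delta = difflib.unified_diff(
                baseline[path].splitlines(), current[path].splitlines(), lineterm="", n=0
            )
            # Keep only the +/- content lines, dropping the ---/+++ and @@ headers.
            report[path] = [
                l for l in delta
                if l and l[0] in "+-" and not l.startswith(("+++", "---"))
            ]
    return report


def disk_reader(path: str) -> str:
    """Reader for real use: expands ~ and raises FileNotFoundError if absent."""
    return Path(path).expanduser().read_text()


def make_reader(fake_fs: Dict[str, str]) -> Callable[[str], str]:
    """Reader over a constructed in-memory file system for the demo."""
    def read(path: str) -> str:
        if path not in fake_fs:
            raise FileNotFoundError(path)
        return fake_fs[path]
    return read


# Constructed sample: a clean baseline, then a later snapshot where a line was
# appended to ~/.zshrc and a previously absent ~/.zshenv appeared.
BASELINE_FS = {
    "~/.zshrc": "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n",
    "~/.bashrc": "export EDITOR=vim\n",
}
CURRENT_FS = {
    "~/.zshrc": "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\nsource ~/.cache/.unexpected.sh\n",
    "~/.bashrc": "export EDITOR=vim\n",
    "~/.zshenv": "eval \"$(placeholder-command)\"\n",
}


def run_demo() -> Dict[str, List[str]]:
    return compare(snapshot(make_reader(BASELINE_FS)), snapshot(make_reader(CURRENT_FS)))


if __name__ == "__main__":
    for path, lines in run_demo().items():
        print(path)
        for line in lines:
            print("   ", line)
```

For real use, take `snapshot(disk_reader)` on a known-good machine, store `fingerprint()` of it, and re-run `compare()` on a schedule; an unexplained `source` or `eval` line appearing in one of these files is exactly the kind of change worth investigating.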