The FBI says a million smart TV devices are part of the BadBox 2.0 botnet. An unpatched critical vulnerability in some security camera DVRs, botnet police busts forcing criminals away from bulletproof hosts to using residential proxies, and ask your vendors about their post-quantum crypto plans, say experts. Finally, the White House dismantles Biden-era cybersecurity policy in its latest executive order. This is Cybersecurity Today, and I'm your host, David Shipley.
Let's kick things off with a major warning from the FBI. They flagged a massive malware campaign called BadBox 2.0, which has already compromised one million consumer devices around the world. We're talking about Android-based smart TVs, streaming boxes, tablets, projectors, you name it. Most of them are cheap no-name devices built in mainland China and shipped globally. But here's the kicker: these things either come preloaded with malware
or get infected during setup via malicious apps or fake firmware updates. Once they're compromised, these devices become part of the BadBox 2.0 botnet, which connects them to a criminal command and control system, and then the fun really begins. They're turned into residential proxies, which means criminals can route their traffic through your home IP address to hide their activity.
They're often used in ad fraud scams, generating fake clicks for revenue, and they're enabling credential stuffing attacks, trying stolen usernames and passwords across hundreds of sites, using your network. This isn't exactly new, though. BadBox first showed up in 2023, and in 2024 German authorities managed to disrupt part of the network, but the crooks bounced back pretty fast.
Within a week, researchers found 192,000 more infected devices, and now even mainstream brands like Yandex TVs and Hisense smartphones are getting hit. As of March 2025, cybersecurity company HUMAN's Satori Threat Intelligence team says the botnet has topped 1 million devices and spread to more than 200 countries. The biggest infection hotspots: Brazil, the United States, Mexico, and Argentina. Now here's a technical footnote.
These devices run the Android Open Source Project, not the official Android TV OS or Play Protect certified systems. So if you're bargain hunting on tech websites, say Temu, or installing sketchy apps, you may be bringing home more than a streaming box. Be careful. Now, while BadBox 2.0 is making a lot of noise, it's not the only botnet in the headlines.
Over in the digital video recorder, or DVR, world, there's a new variant of the infamous Mirai malware that's targeting TBK DVR-4104 and DVR-4216 devices. Bad guys are exploiting a command injection vulnerability tracked as CVE-2024-3721 that lets them take control of these devices with a specially crafted POST request. The vulnerability was disclosed in April 2024 by a researcher going by the name netsecfish, and now cybersecurity firm
Kaspersky says that their Linux honeypots are seeing active exploitation. Once devices are infected, the DVRs download malware, join a botnet, and are used for DDoS traffic, proxying and more. Estimates vary, but there are somewhere between 50,000 and 114,000 exposed DVRs out there, depending on whose telemetry you trust. Kaspersky says the infections are hitting China, India, Egypt, Ukraine, Russia, Turkey, and Brazil particularly hard.
But a heads up: because Kaspersky products are banned now in several countries, including the United States, this may not be the full picture. Now let's talk cybersecurity infrastructure and one of the major drivers for why botnets are back in the headlines in a big way. For years, criminals have relied on so-called bulletproof hosts to run their operations. Basically, sketchy hosting
companies that would look the other way, would not respond to law enforcement, or were hosted in countries that didn't care. But with international law enforcement turning up the heat, there is a shift happening. At the SleuthCon conference in Arlington, Virginia
last week, Team Simon researcher alt rit outlined how crooks are ditching sketchy web hosts and moving to VPNs and proxy networks that are much harder to trace. These services mix legitimate and malicious traffic, making it tough to separate the good from the bad. Now, what's especially concerning is the rise of residential proxy networks, where traffic flows through people's home devices like old Android phones, dusty laptops, and smart TVs that aren't updated.
These offer real, fresh, rotating IPs, which makes it a nightmare for detection systems and law enforcement. It is the equivalent of hiding in plain sight, and it's gonna be a major thorn in the side of things like conditional access policies that look to restrict bad actors' access through IP ranges from foreign jurisdictions. As Ronnie Tokazowski from Intelligence for Good put it, if attackers are coming from the same IP ranges as your employees, good luck spotting them.
Now, after this botnet bonanza, let's pull back and talk about another issue, and it's the looming specter of what's referred to as the quantum computing moment, where it breaks conventional encryption, or as some folks are calling it, Q-Day. At the Infosecurity Europe conference this week, experts called on CISOs to start pressuring vendors for clear post-quantum cryptography, or PQC, readiness roadmaps.
The idea: even though quantum computers powerful enough to break most encryption aren't here yet, there's a big concern about harvest now, decrypt later strategies that criminals are using. Now, in theory, here's how this attack would work: adversaries collect encrypted data from an attack, say it's an extortion ransomware attack with the exfil of data, but they can't break through it, so they store it and then they wait until quantum systems can crack it, and that could be years away.
Nobody knows for sure. Now here's a dose of healthy skepticism. While Q-Day is a real possibility, we haven't seen confirmed widespread harvest now, decrypt later campaigns in the wild in any of the big busts by law enforcement. We haven't seen solid evidence that criminals have been sitting on huge amounts of encrypted data ready to crack. The reality is they're sitting on a lot of unencrypted data, so it's important not to let fear run the show.
Instead, we should use this moment to make sure we're doing smart things like inventorying where and how we use encryption and what systems we're using, and thinking about our planning and supply chain vetting, which are always good ideas. All right, let's end with a major policy U-turn coming out of Washington. Late last week, on Friday, President Donald Trump signed a new executive order that wiped out a whole slate of cybersecurity initiatives put in place by former President Joe Biden.
According to the Trump administration, those efforts were more about problematic and distracting issues than actual cybersecurity. The new executive order makes big claims, saying it's focused on technical and organizational professionalism to improve America's digital defenses. But let's be clear, this is a massive regulatory rollback. One of the most consequential changes: Trump scrapped Biden's efforts to use federal procurement muscle to push better software security.
Remember, this initiative came after years of high-profile breaches, think SolarWinds, MOVEit, Log4j, that were linked to weak supply chain software controls. Biden's 2021 executive order started the shift, and by 2024 the government was planning to require secure software attestations, where vendors had to prove with technical data that their products followed modern secure development practices.
Trump's new order erases those requirements. Specifically, gone are secure software attestations for federal contractors, CISA's role in verifying those attestations, oversight from the National Cybersecurity Director, and provisions for referring bad actors to the Justice Department. Instead, the Trump team calls Biden's approach an unproven and burdensome software accounting process that valued checklists over real security.
The only thing still standing: a collaborative effort with NIST to improve the software development framework, but now it's just voluntary. No federal enforcement teeth. Now, what about AI? AI security, it's cut too. Trump took the knife to AI and cyber defense initiatives. Biden's orders had pushed for federal research into how AI could be used to defend critical infrastructure, especially in sectors like energy.
That included research on secure AI coding tools, designing trustworthy AI systems, and using advanced AI for cyber defense within the Pentagon. That's all gone. Trump's new executive order axes the research priorities, the mandates, and those plans to use AI in federal cyber operations. And in fact, the message is: let the private sector figure it out, don't bake it into government strategy. When it comes to quantum cryptography, that got gutted too.
Biden's original order tried to jumpstart post-quantum cryptography. That's the stuff we were just talking about earlier that we need to do to stay ahead of when quantum can break today's encryption. Biden's order told agencies to start migrating to quantum-safe algorithms, to push vendors to do the same, and also to put efforts in place to coordinate with allies and get global adoption of NIST post-quantum computing standards. Trump's order leaves just one piece.
CISA still has to keep a list of product categories that support post-quantum crypto. Everything else, scrubbed. No more urgency to migrate, no more push to get vendors or allies moving, and no clear guidance from NIST on the minimum security bar federal contractors should be meeting. And the cuts don't stop there. Trump's new directive also eliminates a plan to test phishing-resistant authentication,
NIST-led guidance on internet routing security, a requirement for strong email encryption across agencies, and OMB's role in managing risk tied to IT vendor concentration. So what does this all mean? In short, we've just watched a major shift in US federal cybersecurity posture. Biden's approach focused on long-term resilience, supply chain accountability, and preparing for an AI and quantum future. Trump's order?
It's a return to minimal federal oversight, heavy on rhetoric about cutting red tape, but light on actual replacement strategy. Now, you can agree or disagree with the idea that Biden's security initiatives were too heavy-handed. But here's the rub: without those mechanisms, what's gonna push software vendors, cloud providers, and AI developers to build more secure systems?
We're seeing more attacks, more automation of cybercrime, and greater reliance on critical digital infrastructure than ever before in society. This rollback might win points with industry on paperwork, but it leaves a lot of unanswered questions about long-term digital defense. Bottom line: whether it's malware hiding in your TV, DVRs joining botnets, criminals using your toaster as a VPN exit node, or hype around Q-Day, we need to keep cool heads and take smart action.
Meanwhile, in Washington, cyber policy just got sent back to party like it's 1999. That's all for now. Stay patched, stay skeptical, and don't plug in anything you've got for $20 off Amazon or Temu without thinking twice. We're always interested in your opinion, and you can contact us at [email protected] or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.