SAN MATEO, CA, January 13, 2025 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.
Chinese threat group implicated in U.S. Treasury hack
The U.S. Treasury, recently breached by threat actors using a stolen Remote Support SaaS API key from third-party cybersecurity vendor BeyondTrust, now has a group to blame for the incident: Silk Typhoon, AKA Hafnium. Having built a reputation for targeting organizations in healthcare and defense, Silk Typhoon is a prolific Chinese state-sponsored threat group primarily interested in cyber espionage and data theft campaigns. The group is also responsible for targeting the Treasury Department’s Office of Financial Research, a newly discovered breach still under investigation. Read more.
Researchers hijack thousands of web backdoors
Security researchers at watchTowr have uncovered over 4,000 forgotten web backdoors, which they then seized to prevent them from being used by other threat actors. The backdoors were commanded via expired web domains, and even though they were no longer being used, the associated malware was still functional. Victims targeted by the backdoors are spread worldwide and include web servers belonging to universities and those used for government agencies in China, Thailand, and South Korea. “The backdoors appear to be a mix of legitimate APT-level tools and other, less sophisticated implementations, leading the researchers to speculate that multiple threat actors, of different skill levels, were involved.” The researchers also suggested that North Korean APT gang Lazarus Group originally used some of the backdoors, although they had been taken over and used by other hackers since. Read more.
China hacking Japan’s National Security for years
An alert published by the Japanese government accuses Chinese hacker group MirrorFace of a years-long hacking spree. “The MirrorFace attack campaign is an organized cyberattack suspected to be linked to China, with the primary objective of stealing information related to Japan’s national security and advanced technology,” the authorities wrote in the alert, according to a machine translation. According to the Associated Press, targeted agencies include Japan’s Foreign and Defense ministries, the country’s space agency, politicians, journalists, private companies, and tech think tanks. Japan’s report alleges that MirrorFace has been compromising the country’s organizations since 2019. Read more.
Microsoft 365 abused by scammers to phish PayPal users
According to findings from Fortinet, a new phishing technique is being used to exploit PayPal’s money request feature. According to Fortinet’s advisory, “the scammer registered a free Microsoft 365 test domain and created a distribution list containing the targeted email addresses. A payment request was then initiated via PayPal, with the distribution list used as the recipient address.” The request, which appears to be valid, contains a link asking for PayPal login credentials that, if filled out, allows the scammer access to the account. While phishing scams usually involve creating and then blasting emails across a wide audience, in this case, “the emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request. This makes [it] difficult for mailbox providers to distinguish [them] from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.” Read more.
Telegram gives user data to U.S. law enforcement
Telegram, a favored means of communication used by many cybercriminals to keep their messaging private, has revealed that it has “fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement.” Previously, Telegram would only share the IP addresses and phone numbers of users implicated in cases of terrorism. However, changes to the platform’s privacy policy mean that “Telegram will now share user data with law enforcement in other cases of crime, including cybercrime, the selling of illegal goods, and online fraud.” The policy change resulted from pressure from law enforcement, which led to the arrest of Telegram’s founder and CEO, Pavel Durov, in France in August. “If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities,” reads the updated Telegram privacy policy. Read more.
FCC reveals “Cyber Trust Mark” certification for IoT devices
The U.S. government has revealed a new cybersecurity safety label for Internet-of-Things devices. Meant to indicate that a device meets “robust security standards,” the new logo will also feature a QR code that, when scanned, will take users to security details about the product, including the support period and whether or not software updates are automatic. “Eligible products that come under the purview of the Cyber Trust Mark program include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.” According to the FCC, testing for compliance with the new mark will be the responsibility of accredited labs. “The U.S. Cyber Trust Mark program allows [manufacturers] to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs and earn the Cyber Trust Mark label, providing an easy way for American consumers to see the cybersecurity of products they choose to bring into their homes,” the White House said. Read more.
U.S. Treasury hack did not impact other federal agencies
CISA has reported no evidence that the cyberattack targeting the U.S. Treasury Department has impacted other federal agencies. The agency is working with BeyondTrust to analyze the breach and mitigate its effects. The attack “involved a breach of BeyondTrust’s systems that allowed the adversary to infiltrate some of the company’s Remote Support SaaS instances by using a compromised Remote Support SaaS API key.” BeyondTrust has said that “no new customers have been identified beyond those we have communicated with previously.” China has characteristically denied any involvement in any cyberattacks against the U.S., saying that the U.S. has been “using the issue of cybersecurity to vilify and smear China.” Read more.
OpenVPN Connect vulnerability gives access to private keys
OpenVPN Connect has been found to have a bug that could let attackers compromise VPN traffic after obtaining users’ private keys. The flaw, tracked as CVE-2024-8474, “stems from improper handling of sensitive information within the application. Specifically, OpenVPN Connect logs the private key from configuration profiles in clear text within its application logs.” Unauthorized users who gain access to a device running the VPN client can retrieve this private key and intercept traffic that should otherwise be confidential. Android devices are primarily affected, but other platforms may also be at risk “depending on how logs are managed and accessed.” OpenVPN is aware of the flaw and has issued a patch to remedy it. All users are encouraged to update their systems immediately. Read more.
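As an added illustration (not code from the advisory or from OpenVPN), the defender's check this class of bug calls for: scan application logs for PEM private-key blocks, report where they occur, and redact them before logs are retained or shared. The log lines below are constructed to mimic the leak and are not real OpenVPN Connect output.

```python
import re

# Constructed sample log: an app that dumps an imported profile's inline
# <key> block into its debug log in clear text (not real OpenVPN output).
SAMPLE_LOG = """\
2025-01-10 09:12:01 INFO  profile imported: office.ovpn
2025-01-10 09:12:01 DEBUG <key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7placeholder
-----END PRIVATE KEY-----
2025-01-10 09:12:01 DEBUG </key>
2025-01-10 09:12:02 INFO  connecting to vpn.example.com:1194
"""

# Matches any PEM private-key block (PRIVATE KEY, RSA PRIVATE KEY,
# EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...) and requires the END line
# to name the same type, so unrelated dashes are not picked up.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----",
    re.DOTALL,
)


def find_leaked_keys(log_text):
    """Return (key_type, line_number) for each private-key block found."""
    hits = []
    for m in PEM_BLOCK.finditer(log_text):
        # 1-based line number of the BEGIN line, for the incident record.
        line_no = log_text.count("\n", 0, m.start()) + 1
        hits.append((m.group(1), line_no))
    return hits


def redact_keys(log_text):
    """Replace every private-key block with a marker so the log is safe to keep."""
    return PEM_BLOCK.sub(lambda m: f"[REDACTED {m.group(1)}]", log_text)


if __name__ == "__main__":
    for key_type, line_no in find_leaked_keys(SAMPLE_LOG):
        print(f"ALERT: {key_type} leaked at line {line_no}")
    print(redact_keys(SAMPLE_LOG))
```

Any hit is a signal to rotate the affected key as well as to purge the log, since the key must be treated as compromised once it has been written out in clear text.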
Chinese telecom hack larger than previously thought
The recent Chinese state-sponsored hack of major telecoms appears to have been even more significant than previously known, with Charter Communications, Consolidated Communications, and Windstream compromised, according to the Wall Street Journal. The hackers also appear to have exploited “unpatched network devices from security vendor Fortinet and compromised large network routers from Cisco Systems.” The paper’s report also “added that U.S. national security adviser Jake Sullivan told telecommunications and technology executives at a secret White House meeting in the fall of 2023 that Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids, and other infrastructure targets at will.” As the breadth and severity of the compromise continue to unfold, telecoms are working with law enforcement agencies to secure their networks and evict hackers. Read more.
New infostealer campaign circulating on Discord
Malwarebytes has reported that an infostealer campaign being spread via Discord targets video game fans with direct messages asking them if they want to test a new game. The messages, sent from the alleged developer, contain a link that leads to “various locations like Dropbox, Catbox, and often on the Discord content delivery network (CDN), by using compromised accounts which add extra credibility. What the target will download and install is, in fact, an information-stealing Trojan” as opposed to an in-development game. Different versions of the scam employ NSIS or MSI installers to spread Nova Stealer, Ageo Stealer, or Hexon Stealer malware. The campaign aims to steal login credentials used to access bank or crypto accounts. Read more.