January 6, 2025

News roundup January 6, 2025

SAN MATEO, CA, January 6, 2025 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

Apple agrees to $95 million settlement

A class action lawsuit alleging that Apple’s Siri assistant recorded private conversations and shared them with third-party marketers without users’ consent has resulted in the company agreeing to pay out a $95 million settlement. Apple device users “complained of being targeted on their Apple devices with advertisements for products concerning sensitive and very specific matters discussed in private conversations, when Siri had been activated by accident.” The lawsuit accuses Apple of violating the federal Wiretap Act and California’s Invasion of Privacy Act. In addition to payment, Apple is required to “permanently delete all Siri audio recordings obtained while in violation of the said laws within six months after the settlement’s effective date.” The proposed settlement may change, as it is still subject to objections and how the court will handle them. Read more.

U.S. soldier arrested for AT&T and Verizon breach

U.S. Army soldier Cameron John Wagenius, 20, has been arrested in Texas for “selling customer data stolen from AT&T and Verizon last year,” according to KrebsOnSecurity’s Brian Krebs. Recently stationed in South Korea as a communications specialist, Wagenius is believed to be the true identity of a cybercriminal called Kiberphant0m, who claimed to have hacked at least 15 telecom companies, including AT&T and Verizon. A November 2024 post on BreachForums by Kiberphant0m saw the individual bragging about having call logs associated with President-elect Donald Trump and Vice President Kamala Harris, as well as posting sales threats for stolen call logs from U.S. government agencies and first responders. Wagenius has been charged with two criminal counts of unlawfully transferring confidential phone records. Read more.

Thousands of industrial routers vulnerable to Mirai malware

Thousands of industrial Four-Faith routers are susceptible to a post-authentication flaw that allows threat actors to infect the devices with Mirai malware. The flaw, CVE-2024-12856, appears to be exploited in the wild, with a malicious IP observed attempting to take advantage of the vulnerability. Mirai is an “infamous malware and botnet known to target Internet of Things devices,” and its variants are one of the most popular forms of IoT malware in circulation. According to Zscaler, “Mirai was identified in over a third of all IoT malware attacks between June 2023 and May 2024, far outpacing other malware families, while more than 75% of blocked IoT transactions were linked to the malicious code.” VulnCheck has reported the vulnerability to Four-Faith, headquartered in Xiamen, China, multiple times since discovery with the understanding that “the company is currently testing the flaw on their end.” Read more.

Rhode Island citizen data appears on the dark web

Ransomware group Brain Cipher has claimed credit for an attack on Deloitte that saw the gang make off with 1TB of compressed data associated with Rhode Island residents via the state’s RIBridges platform. While neither Deloitte nor the State of Rhode Island have confirmed Brain Cipher’s boast, Governor Dan McKee has revealed that files containing stolen citizen data have appeared on the dark web. “Right now, IT teams are working diligently to analyze the released files. This is a complex process, and we do not yet know the scope of the data included in those files, but as we’ve been saying for several weeks, we should assume that data contained in the RIBridges system has been compromised.” Citizens are being warned to look for social engineering scams while the state and Deloitte work to identify and directly inform those affected by the breach. Read more.

Russian and Iranian groups sanctioned

The U.S. State Department has sanctioned two foreign organizations and one individual for working on behalf of Russian and Iranian intelligence agencies and interfering with the 2024 general election. One sanctioned entity, the Cognitive Design Production Center, is associated with Iran’s Islamic Revolutionary Guard Corps and is said to have “planned influence operations designed to incite socio-political tensions among the U.S. electorate in the lead up to the 2024 U.S. elections, on behalf of the IRGC.” The Center for Geopolitical Expertise and Valery Mikhaylovich Korovin, its director, have also been sanctioned for working on behalf of Russia’s Main Intelligence Directorate. It is alleged that the Russian organization created disinformation campaigns, laundered money to American online influencers to spread its messaging, generated AI content and hosted it on a server built to avoid foreign web-hosting blockers, and ran a bot farm that created almost 1,000 fake X accounts. Iranian efforts include hacking into Donald Trump’s campaign to steal documents that they then attempted to leak. Read more.

Chinese hackers steal U.S. Treasury documents

In what the U.S. Treasury is calling a “major incident” in a letter to lawmakers, Chinese hackers have stolen unclassified documents from the agency after compromising a third-party cybersecurity service provider. The hackers allegedly “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.” The Treasury is placing the blame on Chinese state-sponsored hackers “based on available indicators.” Chinese officials deny the claims, saying that “China has always opposed all forms of hacker attacks” and that Beijing “firmly opposes the U.S.’s smear attacks against China without any factual basis.” Read more.

800,000 electric car owners’ data leaked in VW breach

Eight hundred thousand electric vehicle owners had their data exposed due to a misconfiguration at Volkswagen’s software subsidiary, Cariad. The company apparently left sensitive customer data that could allow for “the creation of detailed movement profiles of the vehicles and their owners” publicly accessible on Amazon Cloud for months. The issue was discovered by the Chaos Computer Club, an ethical hacking group based in Germany, which reported its findings to Volkswagen. The data exposure is part of the growing security concerns in the automotive sector, which has been referred to as a “privacy nightmare” by the Mozilla Foundation. Volkswagen has not yet responded with how it intends to mitigate any potential damage caused by the leak. Read more.

New HIPAA rules proposed to safeguard patient data

The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has made a proposal that looks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to “better address ever-increasing cybersecurity threats to the healthcare sector.” The proposal “requires organizations to review the technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.” It also requires annual compliance audits, the encryption of electronic protected health information at rest and in transit, multi-factor authentication, network segmentation, technical controls for recovery, and more. “The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” Sophos CTO John Shier said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.” Read more.

Salt Typhoon campaign success due to poor cybersecurity

The White House issued a statement regarding Salt Typhoon’s massive espionage campaign, in which a lack of rudimentary cybersecurity practices and policies among U.S. telecoms is blamed for the success of the Chinese hackers. In one case, Salt Typhoon attackers “obtained credentials to one administrator account that had access to over 100,000 routers.” The hackers erased logs of their activities, and any remaining logs were insufficient for assessing the attack in any meaningful way. “The reality is that from what we’re seeing regarding the level of cybersecurity implemented across the telecom sector, those networks are not as defensible as they need to be to defend against a well-resourced, capable offensive cyber actor like China,” said Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology. Read more.

AT&T and Verizon: Salt Typhoon hackers removed

AT&T and Verizon were targeted and breached in Salt Typhoon’s major espionage campaign, and both have reported that the Chinese state-sponsored group’s hackers have been removed from their networks. “We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” Verizon’s Chief Legal Officer told Reuters. AT&T also said, “We detect no activity by nation-state actors in our networks at this time. Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest.” The campaign is said to have impacted nine U.S. telecoms and also breached dozens of others worldwide. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
