By the CyberWire staff
At a glance.
- CISA issues security guidance for highly targeted individuals amid Salt Typhoon hacks.
- Biden Administration moves to ban China Telecom from US networks.
- US considers a ban on Chinese-made TP-Link routers.
- Threat actors stole $2.2 billion worth of cryptocurrency in 2024.
- CISA issues new draft of its National Cyber Incident Response Plan.
- Clop ransomware gang claims responsibility for Cleo attacks.
- HiatusRAT malware operators are scanning for vulnerable web cameras and DVRs.
- Hacker leaks data allegedly stolen from Cisco.
- APT29 launches widespread rogue RDP campaign.
- Telecom Namibia sustains data breach.
- California healthcare system hit by ransomware attack.
- South Asia-nexus threat actor targets Turkish defense sector.
CISA issues security guidance for highly targeted individuals amid Salt Typhoon hacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory yesterday recommending that "highly targeted individuals" use end-to-end encrypted apps such as Signal amid ongoing Chinese espionage campaigns targeting US telecom providers. The advisory is meant for "individuals who are in senior government or senior political positions and likely to possess information of interest to these threat actors," though the guidance is applicable to anyone interested in securing their communications.
The agency says highly targeted individuals "should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation."
Biden Administration moves to ban China Telecom from US networks.
The US Commerce Department last week issued a notice to the US subsidiary of China Telecom outlining a preliminary finding that the company’s presence in American networks poses a national security risk to the United States, the New York Times reports. The move is viewed as the Biden Administration's response to China's alleged hacking of multiple US telecommunications networks. The US government has already reduced China Telecom's presence in American networks over the past few years, but the company still maintains nodes that would be stripped under the Commerce Department's order. The final decision on whether to ban China Telecom Americas will likely fall to the incoming Trump Administration.
US considers a ban on Chinese-made TP-Link routers.
The Wall Street Journal reports that authorities from the US Commerce, Defense, and Justice departments have each opened investigations into whether Chinese-manufactured TP-Link home routers pose a national security risk, and are considering banning the devices in the US. The Journal notes that TP-Link holds around 65% of the US market for routers for homes and small businesses, and the routers are used by the Defense Department and other Federal agencies.
A TP-Link spokesperson stated, "We welcome any opportunities to engage with the U.S. government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the U.S. market, U.S. consumers, and addressing U.S. national security risks."
Threat actors stole $2.2 billion worth of cryptocurrency in 2024.
Researchers at Chainalysis found that hackers have stolen a total of $2.2 billion in cryptocurrency over the past year, with a majority (61%) of the thefts linked to North Korean threat actors. The researchers found that North Korean "attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits."
Chainalysis observed a noticeable drop in DPRK cryptocurrency theft following a meeting between Vladimir Putin and Kim Jong Un in late June, during which the two leaders signed a mutual defense pact that freed up millions of dollars in North Korean assets previously frozen by Russia. The researchers note, "[A]mounts stolen by the DPRK dropped by approximately 53.73% after the summit, whereas non-DPRK amounts stolen rose by approximately 5%. It is therefore possible that, in addition to redirecting military resources toward the conflict in Ukraine, the DPRK — which has dramatically increased its cooperation with Russia in recent years — may have altered its cybercriminal activity as well."
The blockchain analysis firm adds, "Private key compromises accounted for the largest share of stolen crypto in 2024, at 43.8%. For centralized services, ensuring the security of private keys is critical, as they control access to users’ assets. Given that centralized exchanges manage substantial amounts of user funds, the impact of a private key compromise can be devastating."
CISA issues new draft of its National Cyber Incident Response Plan.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new draft of its National Cyber Incident Response Plan (NCIRP), which "addresses significant changes in policy and cyber operations since NCIRP was released in 2016." The agency says the updates to the draft include:
- "A defined path for non-federal stakeholders to participate in coordination of cyber incident response;
- "Improved usability by streamlining content and aligning to an operational lifecycle;
- "Relevant legal and policy changes impacting agency roles and responsibilities; and
- "A predictable cycle for future updates of the NCIRP."
The update is open for public comment on the Federal Register.
Clop ransomware gang claims responsibility for Cleo attacks.
The Clop ransomware gang has claimed responsibility for data theft attacks exploiting a critical vulnerability (CVE-2024-55956) affecting Cleo's file transfer products, BleepingComputer reports. The gang told BleepingComputer that it had breached "quite a lot" of companies through the flaw.
Cleo released an updated patch for the vulnerability last week, but attackers have been exploiting the flaw since at least December 3rd. The company urges customers to apply the patch as soon as possible. Huntress, Rapid7, Arctic Wolf, and Sophos have observed widespread exploitation of the vulnerability.
HiatusRAT malware operators are scanning for vulnerable web cameras and DVRs.
The US FBI has issued an alert warning that HiatusRAT malware operators are conducting scanning campaigns against Chinese-branded web cameras and DVRs across the US, Australia, Canada, New Zealand, and the United Kingdom. The Bureau states, "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access."
The FBI recommends limiting the use of these devices or isolating them from the rest of the network.
Hacker leaks data allegedly stolen from Cisco.
SecurityWeek reports that the criminal hacker "IntelBroker" has leaked a sample of data allegedly stolen from Cisco. The data was taken from a public-facing DevHub environment meant to share scripts and source code with customers. Cisco confirmed that hackers obtained some data that wasn't intended for public access and was exposed due to a configuration error. IntelBroker claims to have stolen source code, certificates, credentials, confidential documents, and encryption keys, and has leaked 2.9 GB of data related to Cisco’s Catalyst, IOS, Identity Services Engine (ISE), Secure Access Service Edge (SASE), Umbrella, and WebEx products.
Cisco said in response, "As noted in prior updates, we are confident that there has been no breach of our systems, and we have not identified any information in the content that an actor could have used to access any of our production or enterprise environments."
APT29 launches widespread rogue RDP campaign.
Trend Micro has published a report on a spearphishing campaign by Russia's APT29 (tracked by Trend Micro as "Earth Koshchei") designed to trick recipients into using a rogue RDP configuration file, causing their machines to connect to one of the threat actor's RDP relays. APT29 has been widely attributed to Russia's foreign intelligence service, the SVR. The campaign, which peaked in October, targeted governments, armed forces, think tanks, academic researchers, and Ukrainian entities.
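One defensive check for the rogue .rdp lure described above, added here as an example and not taken from the Trend Micro report or from CyberWire: it parses the standard key:type:value lines of an .rdp file, flags a connection target outside an assumed allowlist (corp.example.com is a placeholder), and reports any drive, clipboard or printer redirection the file turns on, which is what lets an attacker-controlled relay reach the victim's local resources. The sample file content is constructed.

```python
# Assumed allowlist of RDP hosts the organisation actually operates (placeholder).
TRUSTED_SUFFIXES = ("corp.example.com",)

# .rdp keys that hand local resources to the remote side when enabled.
REDIRECT_KEYS = {
    "drivestoredirect",
    "redirectclipboard",
    "redirectprinters",
    "redirectsmartcards",
    "redirectposdevices",
}

# Constructed sample of a suspicious .rdp file (not a real lure from the campaign).
SAMPLE_RDP = """\
full address:s:files-share.example.net:3389
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:1
remoteapplicationmode:i:0
"""


def parse_rdp(text):
    """Return {key: (type, value)} from .rdp 'key:type:value' lines; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def assess_rdp(text, trusted_suffixes=TRUSTED_SUFFIXES):
    """List findings that make an .rdp file worth blocking or reviewing."""
    settings = parse_rdp(text)
    findings = []
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    if not host:
        findings.append("no full address")
    elif not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
        findings.append(f"connects to untrusted host {host}")
    for key in sorted(REDIRECT_KEYS):
        if key in settings and settings[key][1] not in ("0", ""):
            findings.append(f"{key} enabled ({settings[key][1]})")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("WARN:", finding)
```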
Telecom Namibia sustains data breach.
Namibia's national telecommunications operator Telecom Namibia has disclosed a data breach affecting customer information, the Record reports. Telecom Namibia says the information was leaked by the Hunters International cybercrime group after the company refused to pay a ransom. The company's CEO Stanley Shanapinda said in an interview with the Namibian, "We don’t negotiate with cyber terrorists. We know the sums they’re asking for are exorbitant and unaffordable, so there’s no reason to even consider discussing it. And even if you do pay a ransom, there’s no guarantee the information won’t still be leaked."
California healthcare system hit by ransomware attack.
PIH Health, a regional healthcare provider serving more than 3 million residents across southern California, is still recovering from a ransomware attack it sustained on December 1st, BankInfoSecurity reports. The Los Angeles Daily News obtained a letter purportedly sent by the hackers, in which the crooks claim to have stolen 2 terabytes of data containing 17 million patient records. The healthcare provider hasn't confirmed these details.
The health system said in an update on its website, "PIH Health is working with cyber forensic specialists to assess the issue. Impacted individuals will be notified if protected health information is found to be compromised."
South Asia-nexus threat actor targets Turkish defense sector.
Proofpoint says the South Asia-based cyberespionage actor TA397 (also known as "Bitter") is targeting defense organizations in Turkey with a new malware family dubbed "MiyaRAT." Proofpoint believes MiyaRAT "may be reserved for targets TA397 deems high value due to the observed sporadic deployment of the malware in only a certain number of campaigns."
The malware was delivered via a spearphishing lure related to infrastructure development in Madagascar. Proofpoint notes that this "theme is very common for TA397, as the majority of the organizations they target are either in the public sector or receive public investments and is indicative of the targeted nature of their campaigns."
Crime and punishment.
A Ukrainian man has been sentenced to 60 months in a US prison after pleading guilty to his involvement in distributing the Raccoon Infostealer malware. The US Justice Department says 28-year-old Mark Sokolovsky operated Raccoon as a malware-as-a-service offering, leasing access to the malware for about $200 per month. Sokolovsky was arrested in the Netherlands in 2022 and extradited to the US earlier this year.
A New York City resident has been sentenced to 69 months in prison for "conspiracies to engage in computer hacking, trafficking in stolen payment card numbers and money laundering." The defendant, 32-year-old Vitalii Antonenko, was arrested at JFK Airport in 2019 after arriving from Ukraine with laptops holding hundreds of thousands of stolen payment card numbers. The Justice Department says Antonenko and co-conspirators scanned the Internet for vulnerable websites and used SQL injection attacks to steal payment card data. Antonenko will also need to pay approximately $1.8 million in restitution to a victim.
Courts and torts.
Nebraska’s attorney general Mike Hilgers has sued Change Healthcare over the ransomware attack and data breach the company sustained in February, alleging that the company failed to implement proper security measures beforehand and mishandled the breach after it occurred. A spokesperson for Change Healthcare's parent company UnitedHealth told TechCrunch, "We believe this lawsuit is without merit and we intend to defend ourselves vigorously."
Ireland's Data Protection Commission (DPC) has fined Meta €251 million ($263 million) over a 2018 data breach that affected approximately 29 million Facebook accounts, the Record reports. The majority of the fine relates to the company's alleged failure "to ensure that data protection principles were protected in the design of processing systems" and failure to ensure that "only personal data that are necessary for specific purposes are processed." A Meta spokesperson said in a statement, "We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms."
Note.
The CyberWire will publish on its winter holiday schedule beginning this Tuesday. We'll resume regular publication on January 2nd, in the new year. Best holiday wishes to you all, and thanks for reading.