By the CyberWire staff
At a glance.
- Chinese hackers breached the US Treasury Department's Office of Foreign Assets Control.
- AT&T, Verizon, and Lumen say they've contained China's Salt Typhoon attacks.
- US Army soldier arrested over alleged involvement in Snowflake hacks.
- Phishing campaign compromised at least 35 browser extensions.
- Apple will pay $95 million to settle proposed privacy lawsuit.
- Judge finds NSO Group liable in WhatsApp lawsuit.
Chinese hackers breached the US Treasury Department's Office of Foreign Assets Control.
The Washington Post reports that Chinese hackers breached workstations within the US Treasury Department's Office of Foreign Assets Control (OFAC) and the Office of the Treasury Secretary. The Treasury Department informed Congress of the breach on Monday, but didn't publicly disclose which offices were targeted. OFAC is responsible for placing economic sanctions on foreign entities and individuals. Anonymous US officials told the Post that Beijing would be interested in collecting information on potential sanctions against Chinese entities. The Treasury Department said the threat actor stole unclassified information from the compromised systems.
The breach occurred last month after the hackers obtained an API key for BeyondTrust's Remote Support SaaS product. BeyondTrust notified the Department of the breach on December 8th.
The Treasury Department said in its letter to Congress, "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor. In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident." A Treasury spokesperson told the Verge, "The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information."
AT&T, Verizon, and Lumen say they've contained China's Salt Typhoon attacks.
AT&T, Verizon, and Lumen say they've completely ejected China's Salt Typhoon hackers from their networks, BankInfoSecurity reports. Verizon said in a statement, "After considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident." AT&T said, "[W]e detect no activity by nation-state actors in our networks at this time," adding that "[w]e will continue to work closely with government officials, other telecommunication companies, and third-party experts on the investigation of this nation-state action, and we are monitoring and remediating our networks to protect our customers' data." A Lumen spokesperson told TechCrunch that an independent forensic analysis confirmed the hackers were ejected, noting that there is "no evidence that customer data was accessed."
Anne Neuberger, US deputy national security adviser for cyber and emerging technology, said last Friday that a ninth telecom company had discovered it was breached by Salt Typhoon, the Record reports. The White House hasn't named the company. The breach was found after the federal government issued a "hunting guide" to help telecoms identify Salt Typhoon's TTPs.
US Army soldier arrested over alleged involvement in Snowflake hacks.
US authorities have arrested a 20-year-old US Army soldier for his alleged involvement in last year's Snowflake hacks, KrebsOnSecurity reports. The defendant, Cameron John Wagenius, is a communications specialist who was recently stationed in South Korea. He was arrested in Texas on December 20th, and is charged with two counts of unlawful transfer of confidential phone records information.
Wagenius is suspected of being the cybercriminal "Kiberphant0m," who's been selling sensitive customer records stolen from telecommunications companies affected by the Snowflake hacks. Wagenius' mother told KrebsOnSecurity that Wagenius had been associated with Connor Riley Moucka, a Canadian who was arrested in October for his suspected involvement in the Snowflake hacking campaign.
Phishing campaign compromised at least 35 browser extensions.
BleepingComputer reports that a phishing campaign targeting Chrome browser extension developers resulted in the compromise of at least 35 extensions collectively used by around 2.6 million people. The phishing emails purport to come from Google, informing developers that their extensions are violating Chrome Web Store policies. The emails contain a link to a legitimate login page on Google's domain designed to grant permissions to a malicious OAuth application.
One of the compromised extensions belonged to cybersecurity firm Cyberhaven. The company has published a postmortem of the incident, noting that the attack used "the standard authorization flow for granting access to third-party Google applications." Cyberhaven's employee had multifactor authentication enabled and did not need to enter his credentials in order to grant access to the malicious OAuth application.
Once the attackers gained access to the extensions, they inserted code designed to steal data from Facebook accounts and republished the extensions to the Chrome Web Store.
Apple will pay $95 million to settle proposed privacy lawsuit.
Apple will pay $95 million to settle a proposed class-action lawsuit that alleged the company violated users' privacy by allowing contractors to listen to device owners' conversations, according to the Record.
The Guardian reported in 2019 that some Siri recordings were sent to contractors for product improvement, including instances in which Siri had been activated unintentionally. Apple told the Guardian at the time, "A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements."
Apple hasn't commented on the settlement, but the company included its denial of wrongdoing as a settlement term.
Judge finds NSO Group liable in WhatsApp lawsuit.
A Northern California federal judge has ruled that Israeli spyware vendor NSO Group is liable for the infection of devices belonging to 1,400 WhatsApp users, the Record reports. NSO's Pegasus spyware has been abused by the company's government clients to target members of civil society, including activists, journalists, and diplomats, but this marks the first time NSO Group itself has been found liable for these abuses. NSO Group maintains that its products are meant solely for government customers to combat terrorism and crime, but the company has been widely criticized for selling the tools to authoritarian regimes.
The judge ruled that NSO Group violated the US Computer Fraud and Abuse Act (CFAA) and California's Comprehensive Computer Data Access and Fraud Act (CDAFA). Meta-owned WhatsApp said in a statement, "After five years of litigation, we're grateful for today's decision. NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists, and civil society." NSO Group hasn't responded to the Record's request for comment.
Crime and punishment.
A suspected LockBit ransomware developer is awaiting extradition to the US from Israel to face 41 criminal charges, the Register reports. 51-year-old Rostislav Panev, a dual Russian and Israeli national, was arrested by Israeli authorities in August at the request of the US.