By the CyberWire staff
At a glance.
- Ivanti patches actively exploited Connect Secure zero-day.
- US Supreme Court hears arguments related to TikTok ban.
- Mirai variant targets router zero-days.
- UN confirms aviation agency hack.
- Japan attributes more than 200 cyberattacks to China.
- New report on Volt Typhoon's activity against Guam's power utility.
- Nuclei vulnerability could allow attackers to bypass template signature verification.
- US Treasury Department sanctions Chinese cybersecurity firm.
- US Department of Defense adds Tencent to its list of Chinese military companies.
- New version of the Banshee macOS stealer.
- Tenable CEO Amit Yoran passes away.
Ivanti patches actively exploited Connect Secure zero-day.
Ivanti has issued a patch for a Connect Secure remote code execution vulnerability (CVE-2025-0282) that was being exploited as a zero-day, BleepingComputer reports. The flaw also affects Policy Secure and Neurons for ZTA gateways, though the company has only observed exploitation in Connect Secure. Patches for Policy Secure and Neurons for ZTA gateways will be released on January 21st. Rapid7 warns that "[c]ustomers should apply available Ivanti Connect Secure patches immediately, without waiting for a typical patch cycle to occur."
Ivanti discovered the flaw through its Integrity Checker Tool (ICT) and has been collaborating with Google's Mandiant and Microsoft's Threat Intelligence Center. Mandiant's CTO Charles Carmakal said in a LinkedIn post that a China-nexus threat actor has been exploiting the vulnerability to deploy malware since at least mid-December 2024.
In a blog post, Mandiant attributes the exploitation to the China-aligned espionage actor UNC5221. The researchers write, "In at least one of the appliances undergoing analysis, Mandiant observed the deployment of the previously observed SPAWN ecosystem of malware (which includes the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor). The deployment of the SPAWN ecosystem of malware following the targeting of Ivanti Secure Connect appliances has been attributed to UNC5337, a cluster of activity assessed with moderate confidence to be part of UNC5221....Mandiant has also identified previously unobserved malware families from additional compromised appliances, tracked as DRYHOOK and PHASEJAM that are currently not yet linked to a known group."
Mandiant concludes that "defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access."
US Supreme Court hears arguments related to TikTok ban.
The US Supreme Court heard arguments yesterday concerning a law that would effectively ban TikTok in the United States on January 19th unless the app's owner, China-based ByteDance, agrees to sell off its US operations, NBC News reports. The law was passed by Congress earlier this year with broad bipartisan support and was signed by President Biden in April. TikTok and its supporters argue that the law violates the First Amendment, while proponents of the ban maintain that TikTok represents a national security risk due to its Chinese ownership. President-elect Trump has dropped his previous support for a ban and requested that the court delay the law in order to allow his incoming administration to reach a "political resolution." CBS News notes that it's unclear if the Supreme Court will take the president-elect's request into account when deciding the case.
If the law goes into effect, new users won't be able to download TikTok from Google or Apple's app stores, and existing users won't be able to update the app.
Mirai variant targets router zero-days.
A new variant of the Mirai botnet is exploiting zero-day vulnerabilities affecting industrial routers and smart home devices, Infosecurity Magazine reports. Researchers at Chinese security firm Qi'anxin XLab have been tracking the Mirai variant since February 2024, noting that it began exploiting zero-days in November. The botnet targets more than 20 vulnerabilities, including zero-days affecting Four-Faith industrial routers (CVE-2024-12856), Neterbit routers, and Vimar smart home devices. The botnet currently consists of approximately 15,000 active IPs, and is used to launch DDoS attacks.
UN confirms aviation agency hack.
The United Nations' International Civil Aviation Organization (ICAO) has confirmed that a hacker stole approximately 42,000 records from its recruitment database, BleepingComputer reports. A threat actor dubbed "Natohub" posted the alleged stolen data on BreachForums earlier this week. ICAO told BleepingComputer that the breach involves recruitment application data from April 2016 to July 2024, noting that it does not affect "financial information, passwords, passport details, or any documents uploaded by applicants." The data posted by Natohub includes names, dates of birth, addresses, phone numbers, email addresses, and education and employment information. ICAO added that the "incident is limited to the recruitment database and does not affect any systems related to aviation safety or security operations."
Japan attributes more than 200 cyberattacks to China.
Japan's National Police Agency (NPA) has attributed more than 200 cyberattacks over the past five years to the Chinese threat actor MirrorFace, the AP reports. The attacks targeted Japan's Aerospace and Exploration Agency (JAXA), the country's Foreign and Defense ministries, private companies, think tanks, and individuals including politicians and journalists. The NPA believes the goal of the attacks was theft of information related to national security and advanced technology. The threat actor gained initial access to its targets via malware-laden phishing emails or by exploiting VPN vulnerabilities.
New report on Volt Typhoon's activity against Guam's power utility.
Bloomberg has published a report on a 2022 cyberattack by the Chinese APT Volt Typhoon against Guam's Power Authority (GPA), the only power utility on the US island territory. The threat actor used unique strains of malware to infiltrate numerous entities in Guam and gained access to "sensitive defense networks meant to be impregnable." The US Navy is GPA's largest customer, and much of the US military activity on the island relies on civilian infrastructure.
The goal of the operation appears to be prepositioning to disrupt military and civilian operations in the event of conflict over Taiwan. The US government has accused Volt Typhoon of conducting widespread battlespace preparation within US critical infrastructure in case of future conflicts. Beijing has denied its involvement in the campaign, calling the accusations "smear attacks against China without any factual basis."
Nuclei vulnerability could allow attackers to bypass template signature verification.
Researchers at Wiz discovered a vulnerability in open-source vulnerability scanner Nuclei that could allow attackers to bypass template signature verification and inject malicious code. The researchers explain, "An attack vector for this vulnerability arises when organizations run untrusted or community-contributed templates without proper validation or isolation. Additionally, services that allow users to modify or upload Nuclei templates, such as automated scanning platforms or shared security pipelines, become particularly vulnerable. An attacker could exploit this functionality to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise."
Nuclei's owner ProjectDiscovery issued a fix for the flaw on September 4th, and users should ensure their instances are up to date.
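The passage above describes the failure mode in general terms: a scanner that executes templates it did not verify, or that verifies one thing and then parses another. The following added example (not Nuclei's or Wiz's code; the signature line format, the toy `key: value` template syntax and the HMAC key are all constructed for this illustration, and HMAC stands in for the publisher's asymmetric signature so the block runs on the standard library alone) shows the defender-side shape of a template loader: the check covers every byte of the file, it runs before any parser sees the content, and the "accept unsigned templates" setting is the one an automated pipeline should not enable.

```python
import hashlib
import hmac
import re

# Constructed demo key: a stand-in for the template publisher's signing secret.
# A real deployment would verify an asymmetric signature with the publisher's public key.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed trailer format: one "# sig: <hex>" line at the very end of the file.
SIG_LINE = re.compile(rb"\n# sig: ([0-9a-f]{64})\n\Z")


class TemplateRejected(Exception):
    """Raised when a template is unsigned or its content does not match its signature."""


def sign_template(body: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Append a MAC computed over the exact bytes the scanner will later parse."""
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n# sig: " + mac + b"\n"


def verify_template(signed: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Return the template body only if the trailing signature covers every byte of it."""
    match = SIG_LINE.search(signed)
    if match is None:
        raise TemplateRejected("no signature line")
    body = signed[: match.start()]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, match.group(1)):
        raise TemplateRejected("signature mismatch")
    return body


def parse_template(body: bytes) -> dict:
    """Toy 'key: value' parser standing in for the real template loader.

    It only ever receives bytes that verify_template() has already attested, so no
    line-splitting quirk of the parser can change what was checked.
    """
    fields = {}
    for raw in body.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def load_template(signed: bytes, allow_unsigned: bool = False, key: bytes = SIGNING_KEY) -> dict:
    """Verify, then parse. allow_unsigned=True is the weak setting: untrusted content runs unverified."""
    try:
        body = verify_template(signed, key)
    except TemplateRejected:
        if not allow_unsigned:
            raise
        body = signed  # community template accepted without validation
    return parse_template(body)


# Constructed sample template.
TEMPLATE = b"id: demo-http-check\nseverity: info\npath: /\n"


def demo() -> dict:
    """Exercise the loader against a signed, a modified and an unsigned template."""
    signed = sign_template(TEMPLATE)
    valid = load_template(signed)

    # Any change to the body, including an inserted line, invalidates the signature.
    tampered = signed.replace(b"id: demo-http-check", b"id: demo-http-check\ninjected: yes")
    try:
        load_template(tampered)
        tampered_rejected = False
    except TemplateRejected:
        tampered_rejected = True

    try:
        load_template(TEMPLATE)  # never signed
        unsigned_rejected = False
    except TemplateRejected:
        unsigned_rejected = True

    # The same unsigned template is accepted when the weak setting is on.
    permissive = load_template(TEMPLATE, allow_unsigned=True)

    return {
        "valid_id": valid["id"],
        "tampered_rejected": tampered_rejected,
        "unsigned_rejected": unsigned_rejected,
        "allow_unsigned_runs": permissive["id"] == "demo-http-check",
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth carrying over to any scanner that accepts user-supplied templates are that the signature covers the whole file (not a portion selected by a separate pattern match) and that verification completes before the parser runs; the `allow_unsigned` path corresponds to the "untrusted or community-contributed templates without proper validation or isolation" configuration the Wiz researchers describe, and shared pipelines should keep it off and run the scanner in an isolated environment regardless.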
US Treasury Department sanctions Chinese cybersecurity firm.
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Beijing-based cybersecurity company Integrity Technology Group for its alleged involvement in cyberattacks targeting US critical infrastructure. OFAC says the company supported the operations of the Chinese state-sponsored threat actor Flax Typhoon.
The Treasury Department stated, "Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure."
The Chinese Foreign Ministry has protested the sanctions, calling them part of an effort to "defame and smear China," SecurityWeek reports.
US Department of Defense adds Tencent to its list of Chinese military companies.
The US Department of Defense has added Chinese web and gaming giant Tencent to its list of "Chinese military companies," meaning the US DOD can no longer work with the company. The Register notes that the designation doesn't restrict US companies from doing business with Tencent, but its addition to the list complicates matters for US firms with DOD contracts. The New York Times observes that US firms often voluntarily stop working with companies on the list in order to avoid being barred from future Pentagon contracts. A Tencent spokeswoman told the Times the company's inclusion on the list was "clearly a mistake" and that Tencent would "work with the Department of Defense to address any misunderstanding."
New version of the Banshee macOS stealer.
Researchers at Check Point are tracking a new version of Banshee, a strain of macOS malware designed to steal browser credentials, cryptocurrency wallets, passwords, and other sensitive data. The new version of Banshee surfaced in late September 2024, using a string encryption algorithm from Apple's XProtect antivirus engine that allowed it to evade detection for more than two months.
Banshee's malware-as-a-service operation shut down after its source code was leaked in November 2024, but Check Point notes that multiple phishing campaigns are still distributing the malware.
Tenable CEO Amit Yoran passes away.
Amit Yoran, CEO of Tenable and a respected leader in the cybersecurity community, passed away on Friday at the age of 54 following a battle with cancer. Yoran became Tenable's CEO in 2016, previously serving as president of RSA, founding CEO of NetWitness, and CEO of In-Q-Tel. He also served as a founding member of the US Department of Defense's Computer Emergency Response Team.
Tenable's CFO Steve Vintz and COO Mark Thurmond will lead the company as co-CEOs until a new chief executive is found. Tenable said in a press release, "A visionary leader and a pioneer in the cybersecurity industry, Amit dedicated his life to making the digital world safer. His unwavering commitment to innovation and relentless pursuit of excellence transformed Tenable into a global leader in exposure management. His contributions to the field have left an indelible mark, not only on the company but on the broader cybersecurity community."