By the CyberWire staff
At a glance.
- Supreme Court upholds TikTok ban, but the Biden Administration doesn't plan to enforce it.
- Fortinet confirms actively exploited zero-day.
- President Biden signs cybersecurity-focused executive order.
- US Treasury sanctions entities tied to North Korea's fake IT worker operations.
- FBI deletes Chinese malware from over 4,200 computers.
- Russia's Star Blizzard targets WhatsApp accounts.
- Ransomware campaign abuses AWS encryption service to encrypt S3 buckets.
- Personal information was compromised in OneBlood ransomware attack.
- Spain's largest telecommunications company confirms data breach.
- Clop ransomware gang claims to have hacked 59 victims via Cleo vulnerability.
Supreme Court upholds TikTok ban, but the Biden Administration doesn't plan to enforce it.
Bloomberg reports that the US Supreme Court yesterday upheld a law that would ban TikTok in the US this Sunday. The Associated Press cites sources in the Biden Administration as saying the president won't enforce the ban, leaving the decision to the incoming Trump Administration. Senate Democratic Leader Chuck Schumer said he spoke with Biden on Thursday to advocate for keeping the app available, stating on the Senate floor, "It’s clear that more time is needed to find an American buyer and not disrupt the lives and livelihoods of millions of Americans, of so many influencers who have built up a good network of followers."
Incoming President Trump has reversed his earlier calls to ban TikTok, and has since pledged to find a way to keep the app available in the US. The Washington Post reports that the president-elect is considering an executive order to suspend the ban.
Fortinet confirms actively exploited zero-day.
Fortinet has confirmed a critical vulnerability (CVE-2024-55591) affecting FortiOS and FortiProxy that attackers are using to gain super-admin privileges on FortiGate firewalls. The company has issued a patch and provided a workaround. The vulnerability has been assigned a CVSS score of 9.6.
Arctic Wolf warned last week that an attack campaign was likely exploiting an unknown zero-day to compromise internet-exposed Fortinet FortiGate firewall devices. SecurityWeek notes that this appears to be the same vulnerability disclosed by Fortinet. The researchers state, "In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected."
Arctic Wolf says organizations "should urgently disable firewall management access on public interfaces as soon as possible." The researchers notified Fortinet of the attacks last month, and the company confirmed that "the activity was known and under investigation."
What’s next for SOAR? Find out on January 14 with Tines and GigaOm
The demands on security teams have never been greater. Between alert fatigue, repetitive manual tasks, endless false positives, inflexible technology, and the looming risk of burnout, it adds up.
Modern teams – and modern threats – demand modern solutions.
Join Tines Field CISO Matt Muller & GigaOm's Andrew Green on January 14th to explore SOAR trends, vendor insights, and innovations driving agility in security teams. Uncover the state of SOAR -- and what’s next for security automation in 2025.
President Biden signs cybersecurity-focused executive order.
President Biden this week signed an executive order aimed at improving Federal cybersecurity defenses, the Washington Post reports. Anne Neuberger, deputy national security adviser for cyber and emerging threats at the White House, said in a press briefing that this is the Biden Administration's "capstone" cyber order, which is “designed to put the country on a path to defensible networks across the government and private sector."
The 53-page EO includes measures for "[i]mproving accountability for software and cloud service providers, strengthening the security of Federal communications and identity management systems, and promoting innovative developments and the use of emerging technologies for cybersecurity across executive departments and agencies (agencies) and with the private sector." The EO calls out China specifically, stating that "the People’s Republic of China [presents] the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks." The order also gives the government greater authority to use sanctions against ransomware actors.
While the Trump administration could decide to reverse the EO, Neuberger said she believes the incoming administration will keep many of the order's objectives in place. Neuberger stated, "Our feeling is that securing the nation in cyberspace and making it harder for ransomware hackers are pretty nonpartisan goals. We wanted to put the incoming administration on the best foot forward as they did for us."
US Treasury sanctions entities tied to North Korea's fake IT worker operations.
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday announced sanctions against two individuals and four entities accused of involvement in North Korea's fraudulent IT worker scheme, SecurityWeek reports. OFAC sanctioned "a network that consists of a DPRK government weapons-trading department, two of its front companies that employ DPRK IT workers in Laos, two DPRK leaders of those front companies, and a Chinese company supplying the DPRK government with electronics equipment."
Treasury stated, "The DPRK dispatches thousands of highly skilled information technology (IT) workers around the world with orders to generate revenue for the DPRK government to circumvent U.S. and United Nations (UN) sanctions. These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development. The DPRK government withholds up to 90 percent of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime’s weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs."
Elevate your Cybersecurity Posture with ‘Visible Ops’: Insights from Experts
Order your copy of VisibleOps Cybersecurity now to unlock essential strategies for combating advanced threats. This comprehensive guide offers actionable frameworks, proven methodologies, and insights to help you build a resilient cybersecurity culture within your organization. Designed for leaders and teams alike, it equips you with the knowledge to drive operational excellence to both proactively guard and stay ahead of emerging cybersecurity risks. Strengthen your defenses and lead with confidence. VisibleOps Cybersecurity, available at Amazon.
FBI deletes Chinese malware from over 4,200 computers.
The US Justice Department has announced a multi-month operation that deleted Chinese PlugX malware from more than 4,200 computers in the United States. The Justice Department says the Chinese government paid the Mustang Panda threat actor to develop this strain of PlugX. The threat actor then used the malware to compromise "thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups." Mustang Panda has been using the PlugX malware since at least 2014.
The Justice Department explains, "The international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability to send commands to delete the PlugX version from infected devices. Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers. In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks."
The FBI is working with internet service providers to notify owners of computers affected by the operation.
Russia's Star Blizzard targets WhatsApp accounts.
Microsoft has published a report on a Russian spearphishing campaign that's impersonating US government officials to target WhatsApp accounts belonging to non-profits supporting Ukraine. Microsoft attributes the campaign to a threat actor tracked as "Star Blizzard," noting that this is the first time the group has targeted WhatsApp.
The phishing emails contain broken QR codes designed to prompt targets to reply to the email and ask for a working link. The threat actor then provides a shortened link leading to a working QR code. Microsoft explains, "When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group. However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web."
Ransomware campaign abuses AWS encryption service to encrypt S3 buckets.
Researchers at Halcyon warn that a new ransomware campaign is abusing AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attacks don't exploit any AWS vulnerabilities; the threat actors simply use stolen or publicly disclosed AWS keys with permission to write and read S3 objects. The attacker then generates a local encryption key and encrypts the victim's data. Halcyon notes, "AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis." In the cases observed by Halcyon, the attackers mark the encrypted files for deletion in seven days, and place a ransom note with a Bitcoin address in the affected directory.
AWS provided the following statement in response to Halcyon's findings: "AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post."
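Because the SSE-C key never reaches AWS in recoverable form, defenders have to catch the write itself rather than hope to recover the key afterwards. The following is an added example (not from the CyberWire article, Halcyon, or AWS): it scans CloudTrail S3 data events for writes that applied SSE-C and builds a bucket policy statement that refuses such writes outright. It assumes CloudTrail's documented additionalEventData.SSEApplied field and the s3:x-amz-server-side-encryption-customer-algorithm condition key; the event records are constructed, not real logs.

```python
from collections import Counter, defaultdict

# Constructed sample CloudTrail S3 data-event records (not real logs).
_ARN = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "prod-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject", "sourceIPAddress": "203.0.113.7",  # rewrite in place under SSE-C
     "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "prod-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "prod-data", "key": "README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.7",  # reads are not the signal
     "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "prod-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

# S3 operations that create or replace an object; only these can re-encrypt data.
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}


def sse_c_writes(events):
    """Return (principal ARN, source IP, bucket, key) for each write that used SSE-C.

    A write under a caller-supplied key is the step that makes data unrecoverable
    without that key, so it is what an alert should key on."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if (ev.get("additionalEventData") or {}).get("SSEApplied") != "SSE_C":
            continue
        params = ev.get("requestParameters") or {}
        hits.append((ev["userIdentity"]["arn"], ev.get("sourceIPAddress"),
                     params.get("bucketName"), params.get("key")))
    return hits


def suspicious_principals(events, threshold=2):
    """Map each principal with >= threshold SSE-C writes to the source IPs it used."""
    counts, ips = Counter(), defaultdict(set)
    for arn, ip, _bucket, _key in sse_c_writes(events):
        counts[arn] += 1
        ips[arn].add(ip)
    return {arn: ips[arn] for arn, n in counts.items() if n >= threshold}


def deny_sse_c_policy(bucket):
    """Bucket policy that denies any PutObject supplying a customer-provided key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}
```

The deny statement also blocks CopyObject, since S3 authorizes copies as a PutObject on the destination; review legitimate SSE-C users before applying it.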
Personal information was compromised in OneBlood ransomware attack.
OneBlood, a not-for-profit that supplies donated blood for more than 250 hospitals across the United States, has confirmed that donors' personal information was compromised during a ransomware attack the organization sustained in July 2024, BleepingComputer reports. The exposed data is limited to names and Social Security numbers. OneBlood began notifying affected individuals last month, and is offering victims a year of free credit monitoring.
Spain's largest telecommunications company confirms data breach.
Telefonica, Spain's largest telecommunications company, has disclosed a data breach affecting "documents, tickets, and various data," some of which may have belonged to customers, HackRead reports. The company said in an email to BleepingComputer, "We have become aware of an unauthorized access to an internal ticketing system which we use at Telefónica. We are currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access to the system."
HackRead cites sources as saying the hackers used compromised employee credentials to access around 2.3 GB of internal data from the company's Jira ticketing system. The allegedly stolen information has since been posted on BreachForums.
Clop ransomware gang claims to have hacked 59 victims via Cleo vulnerability.
The Clop ransomware gang claims to have hacked dozens of organizations via a vulnerability affecting Cleo file software products, TechCrunch reports. Cleo issued an updated patch for the flaw last month after Huntress researchers observed mass exploitation. Clop is threatening to publish data allegedly stolen from 59 organizations on January 18th unless the victims pay up.
Some of the organizations named on Clop's leak site, including German manufacturing giant Covestro, have confirmed they were hacked. Other companies named by the gang told TechCrunch they've seen no evidence of a breach.
Patch news.
Microsoft on Tuesday issued patches for 161 vulnerabilities, including three actively exploited zero-days, KrebsOnSecurity reports. The three zero-days (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) affect the Windows Hyper-V hypervisor. The vulnerabilities are privilege-escalation flaws that can allow attackers to gain SYSTEM privileges. The flaws were assigned CVSS severity scores of 7.8.
Courts and torts.
Texas Attorney General Ken Paxton has sued Allstate and its subsidiary Arity, accusing the insurer of "unlawfully collecting, using, and selling data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, such as Life360," the New York Times reports. Allstate then allegedly used the data to justify raising customers' insurance rates.
The Attorney General said in a press release, "Allstate, through its subsidiary data analytics company Arity, would pay app developers to incorporate its software to track consumers’ driving data. Allstate collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the “world’s largest driving behavior database.” When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium."
Paxton says Allstate violated the Texas Data Privacy and Security Act (TDPSA), which "requires clear notice and informed consent regarding how a company will use Texans’ sensitive data."