The CyberWire Daily Podcast 3.26.24
Ep 2032 | 3.26.24

The great firewall breached: China's covert cyber assault on America exposed.


An alleged sinister hacking plot by China. CISA and the FBI issued a 'secure-by-design' alert. Ransomware hits municipalities in Florida and Texas. The EU sets regulations to safeguard the upcoming European Parliament elections. ReversingLabs describe a suspicious NuGet package. Senator Bill Cassidy questions a costly breach at HHS. A data center landlord sues over requests to reveal its customers. On our Industry Voices segment, Jason Kikta, CISO & Senior Vice President of Product at Automox, discusses ways to increase IT efficiency while avoiding tool overload & complexity. And Google's AI Throws Users a Malicious Bone. 

Today is March 26th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

An alleged sinister hacking plot by China. 

The Justice Department and FBI revealed what they’ve labeled a "sinister" hacking plot by China, charging seven Chinese nationals for a cyber-attack campaign spanning 14 years, targeting US officials, critics of China, businesses, and politicians globally. Accused of sending over 10,000 malicious emails affecting thousands, this operation, backed by China's government, aimed at undermining US cybersecurity and appropriating American innovations. The US State Department is offering a $10m reward for information on the accused, emphasizing the US's determination to combat cyber espionage. This follows similar accusations from the UK and New Zealand against China for targeting electoral systems and parliament. China, denying the allegations, criticized the accusations as baseless and slanderous. The hacking involved sophisticated methods, including compromising emails and electronic devices to acquire sensitive information from government officials, foreign dissidents, and industries crucial to US defense and technology.

CISA and the FBI issued a 'secure-by-design' alert. 

CISA and the FBI issued a 'secure-by-design' alert urging organizations to check for and eliminate SQL injection (SQLi) vulnerabilities in their software. Despite being well-documented with known mitigations, SQLi remains a common security flaw, risking customer data as seen in the cyberattack on Progress Software's MOVEit Transfer. Authorities advise technology manufacturers to review their code for SQLi vulnerabilities and start immediate mitigations to remove such defects from all software products. A secure-by-design approach, starting from the design phase through to development and updates, can prevent SQLi by separating SQL code from user-supplied data using parameterized queries. This strategy reduces cybersecurity burdens on customers and minimizes public risk, promoting proactive security practices over reactive measures.

Meanwhile, CISA has updated its known exploited vulnerabilities catalog to include critical vulnerabilities affecting Fortinet FortiClient EMS, Ivanti EPM CSA, and Nice Linear eMerge E3-Series, drawing particular attention to a significant SQL injection flaw in Fortinet's software that permits unauthorized code execution through specially crafted requests. This issue, actively exploited in the wild, was highlighted after security researchers released a proof-of-concept exploit. The exploit demonstrates potential for remote code execution utilizing SQL Server functionalities. Fortinet, having initially reported no known wild exploitation, updated their advisory to confirm the active exploitation. CISA has set a compliance deadline of April 15, 2024, for federal agencies to remediate these vulnerabilities and recommends private organizations to do the same to protect their networks.

Ransomware hits municipalities in Florida and Texas. 

St. Cloud, Florida, has become the latest city to report a cyberattack, joining Pensacola and Jacksonville Beach in facing similar incidents. The ransomware attack disrupted various city services, forcing some to operate in cash-only modes, though essential services like Police, Fire Rescue, and trash collection continue as normal. The attack did not affect the Osceola County Tax Collector's Office or external utilities. With no group claiming responsibility and state officials yet to comment, the attack reflects the growing trend of ransomware incidents targeting state and local governments. In 2023, 256 attacks were reported, up from 196 the previous year. Florida, having experienced numerous attacks across different sectors, has a law prohibiting government entities from paying ransom demands and mandates rapid incident reporting.

The Tarrant County Appraisal District (TAD) in Texas is dealing with a ransomware attack, with hackers demanding $700,000. Following the March 21 attack, TAD held an emergency meeting to address the ransom demand and explore data recovery options. The suspected group behind this is Medusa. TAD is considering the impact on personal taxpayer information and has initiated steps to bolster security, including purchasing Office 365 and SentinelOne software, and hiring a cyber-consultant for an estimated $200,000. Residents expressed their concerns about the district's preparedness and transparency. TAD has yet to decide on paying the ransom.

Staying with ransomware, A Sophos-commissioned survey of nearly three thousand IT professionals reveals significant insights on ransomware attacks, particularly the compromise of backups. In attacks where backups were compromised, organizations were nearly twice as likely to pay the ransom, facing recovery costs eight times higher than those with intact backups. 94% of affected organizations reported attempts to compromise their backups, with a success rate of 57% across industries. The energy and education sectors experienced the highest rates of successful backup compromise, while IT and retail were more resilient. Compromised backups led to higher encryption rates, doubled ransom demands, and nearly doubled the rate of ransom payments compared to unaffected backups. 

The EU sets regulations to safeguard the upcoming European Parliament elections.

The European Commission has introduced new regulations under the Digital Services Act for major tech platforms, targeting those with over 45 million users in the EU, to safeguard the upcoming European Parliament elections in June against misinformation and interference. These rules mandate the setup of internal teams to monitor interference risks and require a publicly accessible repository of political ads for enhanced transparency. The initiative responds to concerns over potential Russian meddling and the rise of far-right nationalism. Platforms are also urged to promote official electoral information and adapt their systems to counteract content that compromises electoral integrity, including the use of generative AI to create fake content. Violations could result in fines up to 6% of a company's global turnover.

ReversingLabs describe a suspicious NuGet package. 

Researchers at ReversingLabs discovered a suspicious NuGet package, SqzrFramework480, potentially aimed at developers using technology from the China-based BOZHON Precision Industry Technology Co., Ltd. The package, flagged for behaviors associated with malicious files, raised concerns about a possible malicious software supply chain campaign targeting industrial espionage. The SqzrFramework480.dll, responsible for various functions including GUI management and robotic movement settings, exhibited alarming behaviors like screenshot taking, ping packet sending, and data transmission over open sockets. Despite the lack of definitive evidence linking the package to a broader espionage campaign, its potential for data exfiltration and continuous operation hints at malicious intent. The discovery underscores the growing risk of supply chain threats in open source repositories, urging developers to exercise caution and apply rigorous scrutiny to third-party code.

Senator Bill Cassidy questions a costly breach at HHS. 

Senator Bill Cassidy is questioning a breach at the Department of Health and Human Services (HHS) where $7.5 million was fraudulently stolen through a grant payment platform between March and November 2023. Hackers compromised email accounts of about five grantees, redirecting funds to their own bank accounts. Cassidy's concern emphasizes the impact on at-risk populations and healthcare facilities, accusing HHS of failing to notify Congress, thereby undermining public trust and highlighting government unpreparedness against cyber threats. HHS, however, describes the incident as a targeted fraud campaign, not a cyberattack, and claims to have been in contact with Congress, assuring efforts to fully compensate affected grantees. The issue raises broader concerns about cybersecurity in healthcare, evidenced by recent legislation and inquiries following a ransomware attack on UnitedHealth Group.

A data center landlord sues over requests to reveal its customers. 

Our “mind your own business” desk reports that CoreSite LLC, a Denver-based data center company, has sued Fairfax County Virginia for overstepping its authority by demanding tenant information for tax assessment purposes. The suit, filed on March 8 in Fairfax County Circuit Court, challenges the county's requests for tenant contact details from CoreSite's four data centers and one office in Reston, Virginia, where it serves approximately 300 customers. CoreSite argues such demands are arbitrary and exceed legal boundaries, asserting that tax disputes should be directly between the county and the tenants, not involving the landlord. The company seeks judicial relief from compliance and protection against penalties while the case is ongoing. The county's stance, supported by Virginia law, aims at assessing tax liabilities based on the valuable computer equipment housed in data centers, but CoreSite contends disclosing tenant information could breach customer confidentiality and impose undue burdens.


Coming up next on our Industry Voices segment, Automox’s CISO and Senior VP of Product Jason Kikta shares some ways to increase IT efficiency through automation.


Google's AI Throws Users a Malicious Bone. 

And finally, Google's recently launched Search Generative Experience (SGE) feature, designed to provide users with text summaries and site recommendations for complex queries, has come under scrutiny for inadvertently recommending malicious websites. SEO consultant Lily Ray highlighted instances where she was searching for Pitbull puppies on Craigslist, but SGE suggested sites involved in scams, malware, and fake giveaways. These dubious sites, often sharing the same .online domain and HTML templates, appear to be part of an SEO poisoning campaign. Users clicking on these links were led through redirects to scam sites, encountering fake captchas, spam ads, and affiliate scams. Google has since removed the questionable SGE results and emphasizes its ongoing efforts to refine its systems and algorithms to combat spam. This incident follows another recent controversy where Google paused its Gemini AI image generation feature due to concerns over producing historically inaccurate and offensive images.

Seems Google's AI was like, 'Forget the pitbull puppy, here's a Trojan Horse instead.” Yep, those results were pawsitively unfurgivable. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.