U.S. and China dance the telecom tango.

The US scrutinizes Chinese telecoms. Indonesia’s national datacenter is hit with ransomware. RedJulliett targets organizations in Taiwan. Researchers can tell where you are going by how fast you get there. A previously dormant botnet targeting Redis servers becomes active. Thousands of customers may have had info compromised in an attack on Levi’s. A new industry alliance hopes to prevent memory-based cyberattacks. Guest Seeyew Mo, Assistant National Cyber Director, Office of the National Cyber Director at the White House, shares the nuances of the White House's skills-based approach with N2K President Simone Petrella. Assange agrees to a plea deal.

Today is Tuesday June 25th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The US scrutinizes Chinese telecoms. 

In an exclusive, Reuters reports that the Biden administration is investigating China Mobile, China Telecom, and China Unicom over concerns they could share American data with Beijing through their U.S. cloud and internet businesses. Despite being barred from providing telephone and retail internet services in the U.S., these companies still have a small presence, including cloud services and routing internet traffic, giving them access to American data.

Neither the Chinese firms nor their U.S. lawyers commented, and the Justice Department and Commerce Department declined to comment. The Chinese Embassy in Washington accused the U.S. of unjustly targeting Chinese companies.

Reuters found no evidence of the firms intentionally sharing sensitive U.S. data with the Chinese government. However, the investigation is part of a broader U.S. effort to prevent China from exploiting data access for national security risks. Regulators have not decided on actions but might block transactions, limiting the firms' U.S. operations.

China Mobile, China Telecom, and China Unicom have faced U.S. scrutiny for years. The FCC revoked their licenses due to national security concerns, citing instances of misrouting internet traffic through China. The companies' Points of Presence (PoPs) in the U.S. internet infrastructure are also under scrutiny, as they could allow data manipulation.

The Commerce Department is also probing their U.S. cloud services, fearing access to personal information and intellectual property could be compromised. A particular focus is on a China Mobile-owned data center in Silicon Valley, raising concerns about potential data mishandling.

Indonesia’s national datacenter is hit with ransomware. 

Indonesia's national datacenter, operated by the Ministry of Communication and Information Technology (Kominfo), was hit by ransomware on June 20, disrupting several services. The attack impacted at least 210 institutions, including immigration services, which led to delays in processing visas, passports, and residence permits. The datacenter, known as the National Data Center (PDN), was compromised by a ransomware variant called Brain Cipher, identified as LockBit 3.0. Local reports highlighted significant disruptions, including the shutdown of online student registration in some regions. 

RedJulliett targets organizations in Taiwan. 

Suspected Chinese state-sponsored hackers, identified as RedJuliett, have targeted numerous organizations in Taiwan, including universities, state agencies, and electronics manufacturers, according to cybersecurity research by Recorded Future’s Insikt Group. RedJuliett, also known as Flax Typhoon, has been active since mid-2021 and was discovered by Microsoft last year. The group focuses on Taiwan’s economic policies and diplomatic relations, targeting technology companies, aerospace firms, and religious organizations. RedJuliett exploits internet-facing devices like firewalls and VPNs for initial access. Operating from Fuzhou, China, the group is expected to continue high-tempo cyber-espionage activities, focusing on Taiwanese technology and government sectors. Researchers anticipate ongoing reconnaissance and exploitation of public-facing devices globally.

Researchers can tell where you are going by how fast you get there. 

Researchers at Graz University of Technology in Austria discovered a vulnerability they’ve named SnailLoad, which allows spying on users' online activities by monitoring fluctuations in their internet speed. This attack does not require malicious code or intercepting data traffic, affecting all end devices and internet connections. In a SnailLoad attack, the victim's internet connection speed is monitored during interaction with a server, revealing patterns unique to specific websites or videos. Researchers achieved a 98% success rate in identifying online videos and 63% for basic websites, with higher success on slower connections. Closing this loophole is challenging, as it would require providers to randomly slow down internet connections, affecting time-critical applications.

A previously dormant botnet targeting Redis servers becomes active. 

P2PInfect, initially a dormant peer-to-peer malware botnet targeting Redis servers, has become active, deploying ransomware and a cryptominer. Cado Security, monitoring the botnet, suggests it may function as a "botnet for hire." First identified in July 2023, P2PInfect exploits Redis vulnerabilities and spreads via a replication feature. By late 2023, it had increased breach attempts but remained inactive. In May 2024, a new variant began downloading ransomware, encrypting files, and deploying a Monero miner. The ransomware targets various file types, while the miner uses all available processing power, sometimes hindering the ransomware. P2PInfect also employs a user-mode rootkit to hide its activities. Its precise operational structure remains unclear, but it poses a significant threat to Redis servers.

Thousands of customers may have had info compromised in an attack on Levi’s. 

Clothing brand Levi’s has revealed that tens of thousands of customer accounts may have been compromised in a credential stuffing attack. On June 13, an unusual spike in website activity indicated that attackers were using credentials obtained from other breaches to access Levi’s accounts. The Maine Office of the Attorney General reported that 72,231 individuals were affected. Levi’s forced a password reset for all impacted accounts the same day. Although no fraudulent purchases were made, attackers could view personal information like order history, names, emails, addresses, and partial payment details. Levi’s advised users to reset passwords and check personal information accuracy to prevent future attacks.

A new industry alliance hopes to prevent memory-based cyberattacks. 

The CHERI Alliance has been formed to promote the adoption of Capability Hardware Enhanced RISC Instructions (CHERI), a project designed to prevent memory-based cyberattacks. The alliance includes the University of Cambridge, Capabilities Limited, chipmaker Codasip, the FreeBSD Foundation, lowRISC, and SCI Semiconductor. Developed by researchers at the University of Cambridge with support from the U.K. and U.S. governments, CHERI provides fine-grained memory protection and scalable software compartmentalization. The alliance aims to overcome commercial adoption hurdles by developing standardization and compliance guidance. Despite the cost of porting operating systems being a significant challenge, the alliance seeks to coordinate businesses and adopters to deliver market value. Arm is conspicuously not part of the alliance, although they have created demonstration motherboards using CHERI and say they may incorporate it into products if customers demand it.

Our guest is Seeyew (see you) Mo, Assistant National Cyber Director, Office of the National Cyber Director at the White House. Seeyew speaks with N2K President Simone Petrella about the nuances of the White House's skills-based approach (and how it's not only about hiring) as we approach one year since the release of the National Cyber Workforce and Education Strategy.. 

 

Assange agrees to a plea deal. 

And finally, Julian Assange, founder of WikiLeaks, agreed to plead guilty to one felony of illegally obtaining and disclosing national security material, securing his release from a British prison. The plea, part of a deal, means Assange, 52, will be sentenced to time served—about five years. He will appear in a remote federal court in Saipan before returning to Australia. 

 Assange’s extradition fight has been a saga, with his supporters claiming his actions were in the public interest. Meanwhile, U.S. officials argue he endangered lives and national security. After years in Belmarsh Prison, his release will mark the end of this particular chapter.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.