Hacking allegations and antitrust heat.
The U.S. considers a ban on Chinese-made routers. More than 200 Cleo managed file-transfer servers remain vulnerable. The Androxgh0st botnet expands. Schneider Electric reports a critical vulnerability in some PLCs. A critical Apache Struts 2 vulnerability is being actively exploited. Malicious campaigns are targeting Chinese-branded IoT devices. A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000 individuals. IntelBroker leaks 2.9GB of data from Cisco’s DevHub environment. CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security. On today’s CERTByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification. INTERPOL says, “Enough with the pig butchering.”
Today is Wednesday December 18, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The U.S. considers a ban on Chinese-made routers.
The Wall Street Journal reports that the U.S. government is considering a ban on TP-Link routers amid rising security concerns. Investigations by the Commerce, Defense, and Justice Departments suggest TP-Link routers, made by a China-based company, may pose national security risks. A Microsoft report linked TP-Link devices to a Chinese hacking network targeting Western organizations. The devices dominate the U.S. home and small-business router segment with a 65% market share.
TP-Link routers are often shipped with unresolved security flaws, and the company reportedly doesn’t cooperate with security researchers. The Justice Department is also probing whether TP-Link’s low pricing strategy violates antitrust laws. The potential ban could disrupt the router market, which TP-Link has dominated due to affordability and partnerships with over 300 U.S. internet providers.
TP-Link denies selling products below cost and insists on compliance with U.S. laws. While U.S. officials haven’t disclosed evidence of deliberate collusion with Chinese state-sponsored hackers, concerns persist. TP-Link’s founders remain connected to Chinese institutions conducting military cyber research. Despite efforts to rebrand as U.S.-centric, including announcing a California headquarters, critics see the company’s ties to China as inseparable.
If enacted, the ban would mark the largest removal of Chinese telecom equipment in the U.S. since Huawei in 2019. Similar bans have been enacted in Taiwan and India, citing security risks. The move underscores the broader challenges of securing the telecommunications supply chain, with U.S. officials acknowledging systemic vulnerabilities across the router market, including domestic brands.
More than 200 Cleo managed file-transfer servers remain vulnerable.
More than 200 Cleo managed file-transfer servers remain vulnerable despite warnings of active mass attacks exploiting critical flaws in the software. These vulnerabilities, tracked as CVE-2024-50623 and CVE-2024-55956, allow attackers to execute arbitrary commands and exfiltrate data. Despite a December 11 patch (version 5.8.0.24), only 199 of the exposed servers are fully updated.
The Clop ransomware group is suspected of exploiting these vulnerabilities, marking its fifth major file-transfer software attack. Organizations including retail and energy sectors have been targeted, with incidents involving significant data transfers to suspicious IPs. Researchers found attackers using Java-based remote-access Trojans for system reconnaissance, file exfiltration, and command execution.
Security experts urge users to patch immediately, review logs for post-exploitation indicators, and take vulnerable systems offline if necessary. Cleo has released updated fixes and logging mechanisms to address these threats, but systemic risks remain for unpatched systems.
The Androxgh0st botnet expands.
CloudSEK’s Xvigil platform has revealed a significant expansion of the Androxgh0st botnet, now exploiting 27 vulnerabilities, up from 11 in November 2024. The botnet has integrated with the IoT-focused Mozi botnet, targeting web servers, IoT devices, and platforms like Cisco ASA, Atlassian JIRA, and PHP frameworks. Exploits include remote code execution (RCE), brute-force attacks, and credential stuffing, leveraging vulnerabilities in Sophos Firewalls, TP-Link routers, and more. The botnet’s sophistication suggests coordinated control, potentially linked to Chinese CTF communities. This poses global risks of data breaches, ransomware, and surveillance.
Schneider Electric reports a critical vulnerability in some PLCs.
A critical flaw (CVE-2024-11737) in Schneider Electric Modicon controllers (M241, M251, M258, LMC058) is reachable by unauthenticated attackers over Modbus/TCP on port 502 and requires no user interaction to exploit. Rated 9.8 on CVSS v3.1, the vulnerability affects controllers deployed worldwide in critical infrastructure sectors such as energy and manufacturing. With no patch yet available, users are advised to keep the devices off the public internet, restrict access to port 502/TCP to trusted hosts, segment networks, and physically secure the controllers. Schneider Electric is developing a remediation plan.
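To see why the advice above is all about network isolation rather than credentials, here is the Modbus/TCP wire format that any host reaching port 502 can speak. This is an added example, not Schneider Electric code and not related to the specifics of CVE-2024-11737: it encodes a standard Read Holding Registers request and parses a reply, and the response frames are constructed for the demo. Note that there is no authentication field anywhere in the frame.

```python
"""Minimal Modbus/TCP framing for function 0x03 (Read Holding Registers).

Added example, not Schneider Electric code. The sample response frames below
are constructed for the demo rather than captured from a device.
"""
import struct

MODBUS_PORT = 502
READ_HOLDING_REGISTERS = 0x03


def build_read_request(tid: int, unit: int, start: int, count: int) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.

    The PDU is just function code, start address and register count: nothing
    identifies or authenticates the sender.
    """
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 per the Modbus spec")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)
    # MBAP length counts the unit id byte plus the PDU bytes that follow it
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu


def parse_response(frame: bytes, expect_tid: int):
    """Return (unit_id, [registers]) or raise on exception/bad framing."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or tid != expect_tid:
        raise ValueError("protocol id or transaction id mismatch")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:  # exception response: request fc with the high bit set
        raise RuntimeError(f"device returned exception code {frame[8]:#04x}")
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {fc:#04x}")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("register payload truncated")
    return unit, list(struct.unpack(f">{byte_count // 2}H", data))


# Constructed reply from unit 1 to transaction 0x1234: two registers, 1 and 255
SAMPLE_RESPONSE = (struct.pack(">HHHB", 0x1234, 0, 7, 1)
                   + bytes([READ_HOLDING_REGISTERS, 4]) + b"\x00\x01\x00\xff")
# Constructed exception reply: fc 0x83 = 0x03 | 0x80, code 0x02 (illegal address)
SAMPLE_EXCEPTION = struct.pack(">HHHB", 0x1234, 0, 3, 1) + bytes([0x83, 0x02])

if __name__ == "__main__":
    print("request :", build_read_request(0x1234, 1, 0, 2).hex())
    print("response:", parse_response(SAMPLE_RESPONSE, 0x1234))
    try:
        parse_response(SAMPLE_EXCEPTION, 0x1234)
    except RuntimeError as err:
        print("exception:", err)
```

Reads are the benign case; write function codes use the same unauthenticated framing, so whoever can open a TCP connection to 502 can change controller state. That is why the only effective controls are the ones the advisory lists: no internet exposure, a source allow-list in front of port 502, and segmentation.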
A critical Apache Struts 2 vulnerability is being actively exploited.
A critical Apache Struts 2 vulnerability (CVE-2024-53677) is being actively exploited, with attackers using a public proof-of-concept (PoC) exploit to find vulnerable systems. Affecting Struts versions 2.0.0-2.3.37, 2.5.0-2.5.33, and 6.0.0-6.3.0.2, the flaw lets attackers upload malicious files via path traversal, enabling remote code execution. Exploitation has been detected, with attackers deploying scripts to verify that systems were compromised. Apache urges users to upgrade to Struts 6.4.0 or later and migrate their applications to the new file upload mechanism, since upgrading alone, without that migration, does not close the hole.
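The bug class here is an attacker-controlled filename steering an upload outside the intended directory, where a dropped web shell can then be executed. The following is an added example in Python, not Struts code and not the Struts fix: it puts the vulnerable join beside a hardened version that strips directory components, enforces an extension allow-list, and re-checks containment. The upload directory, allowed extensions, and payload names are constructed for the demo.

```python
"""Path-traversal check for client-supplied upload filenames.

Added example, not Apache Struts code. UPLOAD_ROOT, ALLOWED_EXT and the
attacker filename are constructed for the demo; POSIX paths are assumed.
"""
import os
import posixpath

UPLOAD_ROOT = "/var/app/uploads"          # assumed upload directory
ALLOWED_EXT = {".pdf", ".png", ".jpg"}    # assumed: web-executable types excluded


def naive_upload_path(upload_root: str, user_filename: str) -> str:
    """Vulnerable pattern: the client filename is joined verbatim, so '../'
    segments (or an absolute path) move the write location."""
    return os.path.join(upload_root, user_filename)


def escapes_root(upload_root: str, path: str) -> bool:
    """True if `path`, once normalised, lands outside `upload_root`."""
    root = os.path.abspath(upload_root)
    target = os.path.abspath(path)
    return os.path.commonpath([root, target]) != root


def safe_upload_path(upload_root: str, user_filename: str,
                     allowed_ext=frozenset(ALLOWED_EXT)) -> str:
    """Hardened pattern: discard any directory part of the client filename,
    reject NUL bytes and dot entries, enforce an extension allow-list, and
    re-check that the final absolute path is still inside upload_root."""
    if not user_filename or "\x00" in user_filename:
        raise ValueError("empty or NUL-containing filename")
    # Treat backslashes as separators too so 'a\\..\\b' cannot slip through
    name = posixpath.basename(user_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("filename has no usable base name")
    ext = os.path.splitext(name)[1].lower()
    if ext not in allowed_ext:
        raise ValueError(f"extension {ext!r} not allowed")
    root = os.path.abspath(upload_root)
    candidate = os.path.abspath(os.path.join(root, name))
    if escapes_root(root, candidate) or candidate == root:
        raise ValueError("resolved path escapes upload root")
    return candidate


if __name__ == "__main__":
    attacker_name = "../../webapps/ROOT/shell.jsp"   # constructed traversal payload
    naive = naive_upload_path(UPLOAD_ROOT, attacker_name)
    print("naive :", naive, "(escapes root)" if escapes_root(UPLOAD_ROOT, naive) else "")
    try:
        safe_upload_path(UPLOAD_ROOT, attacker_name)
    except ValueError as err:
        print("safe  : rejected ->", err)
```

The containment check uses `os.path.abspath`, which normalises `..` but does not follow symlinks; if the upload tree can contain links, run the same comparison on `os.path.realpath` values. The lesson the Struts advisory is making is the same one this code shows: the filename that arrives from the client is input, and a version bump does not help if the application keeps trusting it.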
Malicious campaigns are targeting Chinese-branded IoT devices.
Malicious campaigns are targeting Chinese-branded IoT devices, including Hikvision and Xiongmai web cameras and DVRs, exploiting weak passwords and unpatched vulnerabilities. The FBI warns of attacks using HiatusRAT, which scans devices with tools like Ingram to bypass authentication and inject commands. Active since July 2022, the malware has targeted IoT devices globally and U.S. government servers. Many vulnerabilities remain unpatched. The FBI advises isolating vulnerable devices, enforcing strong passwords, enabling multi-factor authentication, and promptly applying updates to mitigate risks.
A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000 individuals.
Nebraska-based healthcare insurer Regional Care disclosed a data breach affecting over 225,000 individuals. The breach, detected in mid-September 2024, involved unauthorized access to an account, which was promptly shut down. An investigation revealed sensitive data, including names, birth dates, Social Security numbers, medical, and health insurance information, had been compromised. Affected individuals are being offered free credit monitoring. Regional Care has not linked the breach to any ransomware group and provided limited additional details about the incident.
IntelBroker leaks 2.9GB of data from Cisco’s DevHub environment.
IntelBroker has leaked 2.9GB of data from Cisco’s DevHub environment, part of a larger 4.5TB breach, raising concerns about the security of the tech giant. The breach, revealed in October 2024, exploited an exposed API token and involved sensitive data, including source code, hardcoded credentials, encryption keys, and customer-related resources. Allegedly, data from major corporations like Verizon and Microsoft was also compromised. Cisco, while confirming the breach, stated its core systems remain unaffected and attributed the incident to a misconfigured developer environment. The company has disabled DevHub access, launched an investigation, and engaged law enforcement. Cybersecurity experts emphasize this incident underscores the need for stronger access controls and monitoring of public-facing systems, as hackers increasingly validate breaches with partial leaks to attract buyers in underground markets.
CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, requiring federal agencies to enhance cloud security by adopting secure configuration baselines. The directive aims to mitigate risks from misconfigurations and weak controls by mandating compliance with CISA’s Secure Cloud Business Applications (SCuBA) standards.
Agencies must identify cloud tenants and create an inventory by February 21, 2025, deploy SCuBA assessment tools by April 25, 2025, and implement mandatory SCuBA policies, including Microsoft Office 365 baselines, by June 20, 2025. Annual updates to cloud tenant inventories and continuous reporting are also required.
CISA plans to maintain and update policies, assist agencies, and monitor compliance. While directed at federal agencies, CISA encourages broader adoption to bolster collective cybersecurity resilience.
Meanwhile, the Office of the National Cyber Director and CISA released a playbook to guide federal grant managers and recipients on integrating cybersecurity into critical infrastructure projects. The “Playbook for Strengthening Cybersecurity in Federal Grant Programs” offers model language and recommendations for incorporating cybersecurity into grant-making processes and project assessments. Reflecting Biden administration priorities like the Investing in America initiative, the playbook emphasizes secure-by-design principles and critical infrastructure resilience. While advisory, it encourages agencies and grant recipients to prioritize cybersecurity in upcoming infrastructure upgrades.
We’ve got our CertByte segment up next. N2K’s Chris Hare is joined by Dan Neville to break down a question from the CompTIA® Network+ Practice Test. And, a possible end to "pig butchering" from scam talk. We’ll be right back.
Welcome back. Be sure to visit our show notes for links to the practice test and other helpful resources that Chris and Dan talked about.
INTERPOL says, “Enough with the pig butchering.”
INTERPOL wants to ditch the grim term “pig butchering” in favor of the less stigmatizing “romance baiting” to describe scams involving fake romances and fraudulent investments. The old term, coined by fraudsters themselves, likens victims to “pigs” fattened up for financial slaughter—a description that shames victims and deters them from seeking help. Instead, “romance baiting” highlights the emotional manipulation scammers use to gain trust and exploit victims.
INTERPOL says words matter, drawing parallels to shifts in language around domestic abuse and sexual violence. By adopting victim-focused terminology, INTERPOL hopes to encourage reporting and put the spotlight on the criminals, not the victims. This push is part of their Think Twice campaign, which also tackles online threats like ransomware and phishing. The message? Let’s swap out victim-blaming language for empathy, and hold scammers accountable for their despicable cons.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.