The CyberWire Daily Podcast 1.2.25
Ep 2216 | 1.2.25

A breach in the U.S. Treasury.

Transcript

Chinese hackers breach the U.S. Treasury Department. At least 35 Chrome extensions are compromised. Federal authorities arrest a U.S. Army soldier over accusations of sensitive data stolen from AT&T and Verizon. A misconfigured Amazon cloud server exposes sensitive data from over 800,000 VW EV owners. Rhode Island confirms a data breach linked to ransomware group Brain Cipher. Ascension healthcare confirms the exposure of the personal and medical data of 5.6 million customers. A recent patch to Windows BitLocker encryption proves inadequate. A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls for espionage. The DOJ bans the sale of Americans’ sensitive data to adversarial nations. HHS proposes a HIPAA update to address cybersecurity. Our guest is Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience gap. CISA Director Easterly looks back at 2024.

Today is Thursday, January 2nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Chinese hackers breach the U.S. Treasury Department. 

Chinese state-sponsored hackers breached the U.S. Treasury Department through a compromised remote support platform provided by BeyondTrust. The attack, attributed to the “Salt Typhoon” APT group, exploited two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s Remote Support SaaS. Using a stolen API key, the attackers reset passwords, gained privileged access, and stole agency documents. BeyondTrust detected the breach on December 8th, shut down compromised instances, and revoked the API key. The FBI and CISA assisted in the investigation, confirming the hackers no longer have access to Treasury systems.

This breach follows AT&T and Verizon’s confirmation that they’ve expelled Chinese cyber espionage hackers from their networks following a months-long “Salt Typhoon” campaign. The attackers exploited vulnerabilities to intercept calls, geolocate individuals, and access metadata.

The breach originally impacted eight companies, but a ninth victim was recently identified after the federal government issued detailed guidance on Chinese tactics. The companies targeted include major players like AT&T, Verizon, and Lumen. T-Mobile previously reported breaches but said no sensitive customer data was stolen.

The hackers leveraged poorly secured admin accounts, giving them sweeping access across networks, including lawful intercept backdoors used for court-ordered wiretaps. Investigations were complicated by inadequate logging and the attackers’ efforts to erase tracks.

The White House has called for improved cybersecurity practices, urging measures like network segmentation and better logging. The FCC is also considering mandatory cybersecurity standards, and the U.S. plans to ban China Telecom’s remaining operations.

At least 35 Chrome extensions are compromised. 

A phishing campaign targeting Chrome extension developers compromised at least 35 extensions, including one from cybersecurity firm Cyberhaven, impacting around 2.6 million users. The attack, active since March 2024, escalated in December with phishing emails impersonating Google. Developers were tricked into granting permissions to a malicious OAuth app, allowing attackers to inject data-stealing code into extensions.

The malicious code targeted Facebook business accounts, stealing user credentials, IDs, access tokens, and ad account information. Threat actors even bypassed two-factor authentication by capturing QR codes used for login verification.

Extensions were hijacked to distribute “new” malicious versions via the Chrome Web Store. Investigators identified command-and-control domains linked to the campaign and suspect many more extensions were targeted. Despite multi-factor authentication protections, the phishing method effectively exploited OAuth workflows, exposing significant vulnerabilities in Chrome extension security.

Federal authorities arrest a U.S. Army soldier over accusations of sensitive data stolen from AT&T and Verizon. 

Krebs on Security reports that federal authorities have arrested 20-year-old U.S. Army soldier Cameron John Wagenius, accusing him of being “Kiberphant0m,” a cybercriminal who sold and leaked sensitive data stolen from AT&T and Verizon. Wagenius, a communications specialist stationed in South Korea, was apprehended near Fort Hood, Texas, on December 20 after an indictment for unlawfully transferring confidential phone records.

Kiberphant0m allegedly hacked 15 telecom firms, including AT&T and Verizon, and leaked call logs of prominent figures, such as President-elect Trump and Vice President Kamala Harris. He also offered SIM-swapping services and posted stolen data schemas linked to the NSA.

The swift investigation—spanning just weeks—relied on security researchers identifying operational security mistakes. Experts warn young cybercriminals of escalating risks as law enforcement improves its ability to track and prosecute cybercrimes domestically. The case has been transferred to the Western District of Washington.

A misconfigured Amazon cloud server exposes sensitive data from over 800,000 VW EV owners. 

A Volkswagen subsidiary, Cariad, exposed sensitive data from 800,000 EV owners due to a misconfigured Amazon cloud server. The leak included contact information, movement data, and precise location data—accurate to within 10 cm for Volkswagen and Seat vehicles and 10 km for Audi and Skoda. High-profile individuals, including German politicians, Hamburg police, and intelligence employees, were affected.

The hacker group Chaos Computer Club (CCC) discovered the breach and alerted authorities, giving VW 30 days to resolve it. Volkswagen confirmed the data was pseudonymized and accessed through a complex, multi-stage process. No passwords or payment details were exposed.

Rhode Island confirms a data breach linked to ransomware group Brain Cipher. 

Rhode Island has confirmed that cybercriminals have published personal data stolen from its social services portal, RIBridges. The breach, linked to ransomware group Brain Cipher, compromised citizens’ sensitive information, including data from individuals applying for health services. Deloitte, the state’s vendor, revealed that files had been leaked on the dark web.

Governor Dan McKee stated that IT teams are analyzing the released data, urging residents to freeze and monitor credit to protect financial information. Social engineering attacks are also a concern. RIBridges remains offline, with investigations ongoing. Brain Cipher claims to have stolen 1TB of data in the December breach, targeting systems outside Deloitte’s network. Deloitte and Rhode Island have not verified these claims.

Ascension healthcare confirms the exposure of the personal and medical data of 5.6 million customers. 

A December 20 filing with Maine’s attorney general revealed that a May 8 cyberattack on healthcare giant Ascension exposed the personal and medical data of 5.6 million customers. The breach occurred after an employee mistakenly downloaded a malicious file. Exposed data varies by individual and includes medical records, payment information, government IDs, and personal details, though Ascension confirmed its core clinical systems were not accessed.

The incident highlights ongoing vulnerabilities in healthcare cybersecurity, following similar breaches in 2024 at Change Healthcare and Kaiser Permanente. Proposed legislation, the Health Care Cybersecurity and Resiliency Act, seeks to bolster defenses with grants for healthcare organizations. 

A recent patch to Windows BitLocker encryption proves inadequate. 

A recently patched flaw in Windows BitLocker encryption, tracked as CVE-2023-21563, remains vulnerable to attacks, researcher Thomas Lambertz revealed at the Chaos Communication Congress. Using a method called “bitpixie,” Lambertz demonstrated how rebooting a device in recovery mode with PXE booting enabled allowed him to extract encryption keys from memory and decrypt data.

Lambertz criticized Microsoft’s patch as insufficient, noting that disabling the network stack in the BIOS is the only effective mitigation. 

A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls for espionage. 

A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls (CVE-2024-9474) to deploy a custom malware backdoor for espionage, according to Northwave researchers. The backdoor, a variant of Littlelamb.Wooltea, installs disguised as a logd file and provides extensive functionality, including file manipulation, network tunneling, and SOCKS5 proxy setup.

The vulnerability has been exploited since November; attackers used it to gain root privileges and deploy additional payloads. Palo Alto patched this flaw and another (CVE-2024-0012), advising administrators to limit web management portal access to trusted IPs. The campaign aligns with Chinese threat group UNC5325’s strategy of targeting edge devices, similar to their past exploits of Ivanti VPNs and Fortinet firewalls. Researchers say thousands of devices may be affected.

The DOJ bans the sale of Americans’ sensitive data to adversarial nations. 

The U.S. Department of Justice has finalized a rule banning the sale of Americans’ sensitive data, including biometric, geolocation, health, and financial information, to adversarial nations like China, Russia, and Iran. Stemming from a February executive order, the rule targets efforts by hostile nations to use such data for AI development, cyberespionage, and influence campaigns. Assistant Attorney General Matthew Olsen emphasized the rule’s role in protecting national security. Implementation begins three months after its Federal Register publication.

HHS proposes a HIPAA update to address cybersecurity. 

The U.S. Department of Health and Human Services (HHS) has proposed updated HIPAA cybersecurity rules to protect patient health data amid increasing healthcare data breaches and ransomware attacks. The proposed measures include mandatory encryption of protected health information (PHI), multifactor authentication, and network segmentation to limit attackers’ movements.

White House official Anne Neuberger highlighted the urgency, citing high costs of inaction, which could endanger critical infrastructure and patient safety. The updates, expected within 60 days, mark the first major HIPAA security revisions in a decade. Implementation is projected to cost $9 billion in the first year and $6 billion over the next four years.

Next up, I am joined by Mick Baccio from Splunk’s security research team SURGe. Mick shares some insights on the cybersecurity resilience gap and top cyber challenges/priorities for the public sector. And, we take a look at CISA’s 2024 year in review. We’ll be right back.

Welcome back.

CISA Director Easterly looks back at 2024. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) celebrated a year of growth and accomplishment in 2024, as highlighted in its Year in Review by outgoing Director Jen Easterly. With warmth and appreciation, Easterly reflected on CISA’s collaborative efforts with industry, government, and international partners to enhance national cybersecurity.

Notable achievements include the Pre-Ransomware Notification Initiative, which sent over 2,100 alerts in 2024, mitigating threats to schools, healthcare organizations, and critical infrastructure. CISA also blocked 1.26 billion malicious connections, remediated 861 vulnerabilities, and issued nearly 1,300 cyber defense alerts. Programs like Secure by Design gained traction, rallying 250 software manufacturers to commit to secure practices.

CISA’s Cyber Storm IX exercise prepared over 2,200 participants for advanced cyber threats, while its #Protect2024 election portal centralized resources for securing the November elections. The Agency also launched its first International Strategic Plan, advancing global partnerships and prioritizing AI system security.

Easterly emphasized the critical need for collaboration to address emerging threats, ensuring CISA remains resilient and innovative in its mission. While CISA’s 2024 accomplishments highlight its role as a cornerstone of U.S. cybersecurity, the Agency faces uncertainty as it transitions to new leadership under an incoming presidential administration. The robust progress made—such as advancing ransomware defenses, securing elections, and fostering international partnerships—serves as a testament to its effectiveness. However, evolving geopolitical threats, challenges in regulating AI, and potential shifts in federal priorities could impact its trajectory. As CISA moves forward, its ability to sustain bipartisan support and adapt to new directives will be critical in navigating this uncertain landscape and ensuring its continued mission to protect the nation’s critical infrastructure.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.