China’s shadow over U.S. telecom networks.
New reports shed light on both Volt and Salt Typhoons. Tenable updates faulty Nessus Agents and resumes plugin updates. A new infostealer campaign targets gamers on Discord. A fake version of a popular browser extension has been discovered stealing login credentials and conducting phishing attacks. ESET warns Windows 10 users of a potential “security fiasco.” A vulnerability in Nuclei allows attackers to bypass template signature verification and inject malicious code. An Indiana dental practice pays a $350,000 settlement over an alleged ransomware coverup. Tim Starks, Senior Reporter from CyberScoop, joins us today to discuss a new United Nations cybercrime treaty and his outlook for 2025. Farewell to a visionary leader.
Today is Monday, January 6th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
New reports shed light on both Volt and Salt Typhoons.
Two major reports published this past weekend shed light on China’s escalating hacking campaigns. A Bloomberg article focused on Volt Typhoon, a Chinese group behind a 2022 cyberattack on Guam’s Power Authority (GPA). This hack, tied to over 100 intrusions, raised concerns about China’s capability to disrupt U.S. military operations in Guam, a strategic hub in the Indo-Pacific. Experts see this as part of a potential strategy to disable U.S. responses in a Taiwan conflict. The GPA incident is particularly alarming since it serves the U.S. Navy, highlighting the national security stakes. The U.S. has made countering Volt Typhoon a priority, but China has denied any involvement. Liu Pengyu, a Chinese Embassy spokesperson, dismissed the allegations as baseless smear campaigns.
A Wall Street Journal piece examined Salt Typhoon, another Chinese hacking group that has infiltrated at least nine major U.S. telecom companies, including AT&T, Verizon, and T-Mobile. Newly identified victims include Charter Communications, Consolidated Communications, and Windstream. The article also revisited China’s 2021 Port Houston hack, where a disguised attacker accessed a password-reset server. Notably, a cybersecurity vendor flagged the breach, but a misjudgment by the port’s cybersecurity chief led to the attack being dismissed as a false alarm—before he went to lunch at Whataburger.
These incidents illustrate China’s sophisticated and targeted cyber campaigns, with serious implications for U.S. national security. The revelations spotlight the vulnerabilities in critical infrastructure and the growing urgency to bolster defenses against state-sponsored cyberattacks.
Tenable updates faulty Nessus Agents and resumes plugin updates.
Tenable temporarily disabled Nessus Agent versions 10.8.0 and 10.8.1 after discovering they went offline during plugin updates. The issue, affecting Tenable Vulnerability Management (TVM) and Security Center (TSC), led to halted updates while the company investigated. On January 2, Tenable released version 10.8.2, which resolves the problem, and resumed plugin updates. Organizations are advised to upgrade to version 10.8.2 or downgrade to 10.7.3, ensuring plugin resets where needed. The root cause remains undisclosed, with potential customer impacts unclear.
A new infostealer campaign targets gamers on Discord.
Gaming enthusiasts are being warned about a new infostealer campaign targeting Discord users. Scammers send unsolicited messages claiming to be game developers seeking beta testers. Victims receive a download link and password for an installer, but instead of a game, they unknowingly install information-stealing malware like Nova Stealer, Ageo Stealer, or Hexon Stealer. These malware strains steal credentials, Discord tokens, browser data, cryptocurrency wallet information, and more.
The scam often uses compromised accounts and credible hosting platforms, including Dropbox and Discord’s own content delivery network (CDN), to appear legitimate. Criminals leverage stolen Discord credentials to manipulate users into further scams, expanding their reach.
To stay safe, users should maintain up-to-date anti-malware software, verify suspicious messages through alternate channels, and avoid downloading files from unsolicited messages. The ultimate goal of these scams is financial theft and account compromise.
A fake version of a popular browser extension has been discovered stealing login credentials and conducting phishing attacks.
A fake version of the popular “EditThisCookie” browser extension has been discovered stealing login credentials and conducting phishing attacks. The legitimate EditThisCookie, used by millions to manage browser cookies, was recently removed from the Chrome Web Store, likely due to incompatibility with Google’s new Manifest V3 framework. Cybercriminals exploited this gap, launching a fraudulent version, “EditThisCookie®,” now downloaded over 50,000 times.
Malware analyst Eric Parker revealed the extension’s malicious features, including phishing mechanisms, Facebook credential theft, and advertising scripts for revenue. Although current versions lack cookie exfiltration, future updates could escalate risks through Chrome’s automatic updates.
Users should audit their extensions, avoid suspicious add-ons, and enable Chrome’s Enhanced Safe Browsing. This incident underscores ongoing challenges in Google’s Chrome Web Store security and the controversial rollout of Manifest V3.
ESET warns Windows 10 users of a potential “security fiasco.”
ESET is urging Windows 10 users to upgrade to Windows 11 or Linux before the operating system’s support ends on October 14, 2025. Without free updates, Windows 10 users will face significant security risks from newly discovered vulnerabilities. ESET’s Thorsten Urbanski warns that delaying the upgrade could lead to a “security fiasco.”
Windows 10 remains the most widely used OS globally, with 63% of Windows users, compared to 34% on Windows 11. Many users hesitate to upgrade due to missing features, performance issues, or hardware incompatibilities, such as the Trusted Platform Module (TPM) requirement.
Businesses and consumers relying on older devices face limited options: upgrade to Windows 11, switch to another OS, or pay costly extended security updates (ESU). These updates, priced at up to $427 over three years, highlight the urgency to transition.
A vulnerability in Nuclei allows attackers to bypass template signature verification and inject malicious code.
A vulnerability in Nuclei, an open-source vulnerability scanner, allowed attackers to bypass template signature verification and inject malicious code. Nuclei uses YAML templates to scan websites for vulnerabilities and executes commands locally to extend functionality. Templates are protected by a digest hash for verification.
Tracked as CVE-2024-43405, the flaw stemmed from a mismatch between Go’s regex-based signature verification and the YAML parser’s handling of line breaks. By manipulating how \r is processed, attackers could craft template content that passed signature verification yet was still executed when the template was parsed.
Additionally, Nuclei only verified the first # digest: line in a template, allowing attackers to add additional malicious payloads in subsequent lines. Wiz researchers disclosed the issue to ProjectDiscovery on August 14, 2024. It was fixed in Nuclei v3.3.2 on September 4. Users should update immediately and isolate Nuclei to prevent risks.
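As an added illustration of the two gaps described above (this is not Nuclei’s code; the “# digest:” trailer format, the SHA-256 choice and the function names are assumed for the example), a template verifier that canonicalizes line endings before running the digest regex, so the verifier and the YAML parser agree on where lines begin, and that requires exactly one digest line with nothing after it:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"regexp"
	"strings"
)

// Assumed trailer format (not Nuclei's real one): the template body is
// followed by a single line "# digest: <hex sha256 of the body>".
var digestLine = regexp.MustCompile(`(?m)^# digest: ([0-9a-f]{64})$`)

// Canonicalize folds every line ending a YAML parser accepts (\r\n and a
// bare \r) into \n, so the regex sees the same line boundaries the
// parser will; a digest line hidden behind a bare \r becomes visible.
func Canonicalize(t string) string {
	t = strings.ReplaceAll(t, "\r\n", "\n")
	return strings.ReplaceAll(t, "\r", "\n")
}

// Verify returns the body that may be handed to the YAML parser, or an
// error. It requires exactly one digest line, nothing after it, and a
// matching hash over everything before it.
func Verify(raw string) (string, error) {
	t := Canonicalize(raw)
	m := digestLine.FindAllStringSubmatchIndex(t, -1)
	if len(m) != 1 {
		return "", errors.New("expected exactly one digest line")
	}
	if strings.TrimSpace(t[m[0][1]:]) != "" {
		return "", errors.New("content after the digest line")
	}
	body, want := t[:m[0][0]], t[m[0][2]:m[0][3]]
	sum := sha256.Sum256([]byte(body))
	if hex.EncodeToString(sum[:]) != want {
		return "", errors.New("digest mismatch")
	}
	return body, nil
}

// Sign builds a test fixture; body must end with "\n" so the trailer
// starts on its own line.
func Sign(body string) string {
	sum := sha256.Sum256([]byte(body))
	return body + "# digest: " + hex.EncodeToString(sum[:]) + "\n"
}
```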
An Indiana dental practice pays a $350,000 settlement over an alleged ransomware coverup.
Indiana-based Westend Dental has agreed to pay $350,000 and enhance data security measures following allegations of a ransomware cover-up from 2020. The incident, which encrypted patient records via MedusaLocker malware, only came to light during a 2022 investigation triggered by a patient complaint about missing X-rays. Westend allegedly failed to conduct a forensic investigation or notify affected individuals, violating HIPAA and state breach laws.
Despite knowing its systems were hacked, the practice falsely claimed the data loss resulted from a server formatting error. Regulators allege Westend attempted to hide the breach and delayed reporting it for two years.
Under a consent order, Westend must improve HIPAA compliance, notify all patients as of November 2023, and address allegations of improperly sharing patients’ protected health information online. The case highlights the growing enforcement of data privacy regulations in healthcare.
CyberScoop’s Tim Starks is back today to discuss a new United Nations cybercrime treaty and his outlook for 2025. After, we share a farewell to a fine cybersecurity leader. We’ll be right back.
Welcome back.
Farewell to a visionary leader.
Cybersecurity leader Tenable has announced the heartbreaking passing of its chairman and CEO, Amit Yoran, at the age of 54, following a courageous battle with cancer. A pillar in the cybersecurity world, Yoran was admired for his leadership and vision, having guided Tenable since 2016.
Yoran’s career was marked by significant contributions, including roles at RSA Security, NetWitness (which he founded), and Symantec. He also served as National Cybersecurity Director at the U.S. Department of Homeland Security, leaving a lasting legacy in public and private sectors.
Following his medical leave in December, CFO Steve Vintz and COO Mark Thurmond were named interim co-CEOs, ensuring stability during this transition. Art Coviello, an industry veteran, will chair the board.
Tenable honors Yoran’s impact and assures stakeholders of its ability to meet financial expectations, reflecting the resilience he instilled in the company. The cybersecurity community mourns the loss of a true visionary and leader.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.