
U.S. sanctions spark cyber showdown with China.
China criticizes U.S. sanctions. School districts face cyberattacks over the holiday season. The U.N.’s International Civil Aviation Organization (ICAO) is investigating a potential data breach. Eagerbee malware targets government organizations and ISPs in the Middle East. A major New York medical center notifies 674,000 individuals of a data breach. Hackers infiltrate Argentina’s Airport Security Police (PSA) payroll system. An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers, and network security appliances. Phishing click rates among enterprise users surged in 2024. A California man is suing three banks for allegedly enabling criminals to steal nearly $1 million from him. On our Threat Vector segment, we preview this week’s episode where host David Moulton speaks with Margaret Kelley about the evolving landscape of cloud breaches. Microsoft’s Bing demonstrates imitation is the sincerest form of flattery.
Today is Tuesday, January 7th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
China criticizes U.S. sanctions.
China has criticized U.S. sanctions imposed on Beijing-based Integrity Technology Group, accused of involvement in hacking U.S. critical infrastructure. The U.S. Treasury’s move targets the company, also known as Yongxin Zhicheng Technology Group, for alleged ties to Flax Typhoon, a Chinese state-sponsored cyber campaign. Integrity Technology and China’s Foreign Ministry rejected the claims, with spokesperson Guo Jiakun accusing Washington of using cybersecurity as a tool to “smear China.”
Meanwhile, China’s National Cyber Security Information Center reported foreign cyberattacks on Chinese networks, including from the U.S., Netherlands, and other nations, involving Trojan programs, botnets, and intellectual property theft.
The sanctions freeze the company’s U.S. assets and restrict business with Americans. The decision follows broader concerns over Chinese cyberespionage campaigns like Salt Typhoon, which compromised U.S. telecommunications and private data. U.S. officials recently revealed Salt Typhoon’s impact on eight telecom providers and numerous countries, escalating tensions in cybersecurity.
Meanwhile, the U.S. Department of Defense has added Tencent, a Chinese messaging and gaming giant, to its “Chinese military company” list under the Military-Civil Fusion strategy, which aids the Chinese military’s modernization efforts. While inclusion doesn’t equate to a ban, it prevents the Pentagon from working with listed companies and could trigger supply chain issues or further restrictions.
Tencent, which owns WeChat, VooV, and gaming assets like PUBG and Fortnite, denies the claims and plans to appeal. Critics argue WeChat aids Beijing’s intelligence efforts, with nations like Canada banning it from government devices. Battery maker CATL, a Tesla supplier, was also added to the list, raising concerns about potential impacts on global partnerships. Tencent’s addition reflects growing tensions between U.S. authorities and Chinese tech companies.
School districts face cyberattacks over the holiday season.
Two U.S. school districts faced cyberattacks over the holiday season, highlighting a persistent trend of targeting educational institutions during low IT staffing periods. South Portland Public Schools in Maine discovered a weekend attack through a network detection system, identifying compromised firewalls linked to an IP address from Bulgaria. The district acted swiftly, disconnecting equipment and restoring systems before classes resumed. Officials believe no student or staff data was compromised but remain vigilant with continued network monitoring.
In Tennessee, Rutherford County Schools, serving over 51,000 students, experienced a prolonged disruption from a Thanksgiving cyberattack that exposed some employee and student data. Third-party investigators are reviewing the breach, and affected individuals will be notified.
These incidents echo a broader rise in ransomware attacks on schools, with recovery times ranging from months to significant financial and educational losses. Federal initiatives, including cybersecurity training and funding, aim to bolster digital defenses across K-12 schools.
The U.N.’s International Civil Aviation Organization (ICAO) is investigating a potential data breach.
The U.N.’s International Civil Aviation Organization (ICAO) is investigating a potential data breach after the hacking group “Natohub” claimed to have compromised 42,000 documents, including personal data, on BreachForums 2. Allegedly targeting international organizations, Natohub stated the breach includes names, birthdates, contact details, and employment histories. The group recently claimed another breach involving 14,000 U.N. delegates. ICAO has implemented security measures and is conducting a thorough investigation, emphasizing the seriousness of the incident.
Eagerbee malware targets government organizations and ISPs in the Middle East.
New variants of the Eagerbee malware framework are targeting government organizations and ISPs in the Middle East, with possible links to the Chinese state-backed group “CoughingDown,” according to Kaspersky. Eagerbee exploits Microsoft Exchange ProxyLogon vulnerabilities (CVE-2021-26855) to gain initial access, though the attack vector in recent cases remains unclear. The malware uses DLL hijacking to load a backdoor into memory, enabling 24/7 operations.
Eagerbee’s capabilities are enhanced by plugins, including file, process, service, network, and remote access managers. These tools allow for file manipulation, RDP sessions, and command shell injection, making the malware both stealthy and persistent.
Kaspersky warns that similar attacks have been observed in Japan, indicating a global threat. Organizations are urged to patch Exchange servers and monitor for indicators of compromise to mitigate risks.
A major New York medical center notifies 674,000 individuals of a data breach.
Richmond University Medical Center (RUMC) in Staten Island is notifying 674,000 individuals of a data breach from a ransomware attack in May 2023. The incident disrupted the hospital’s IT systems for nearly a month and led to the theft of files containing sensitive information such as Social Security numbers, medical details, and financial data. While the electronic health records system was reportedly unaffected, manual review revealed compromised files.
The notification comes 18 months after the breach, raising concerns about delays in incident response and compliance with HIPAA’s 60-day breach notification rule. Experts attribute such delays to insufficient cybersecurity skills, budgets, and tools in healthcare organizations.
RUMC faces class action lawsuits alleging negligence in safeguarding data. Experts recommend healthcare providers minimize stored data, isolate sensitive information, and secure identity systems to mitigate future breaches and accelerate response times.
Hackers infiltrate Argentina’s Airport Security Police (PSA) payroll system.
Hackers infiltrated Argentina’s Airport Security Police (PSA) payroll system, exposing vulnerabilities in data management and causing financial losses for personnel. Attackers accessed salary records, tampered with pay slips, and made unauthorized deductions of 2,000–5,000 pesos under misleading labels. Investigators link the breach to Banco Nación, responsible for processing payroll, and suggest foreign servers were used, though domestic involvement isn’t ruled out. The PSA has tightened cybersecurity measures and launched awareness campaigns, but criticism persists over past failures to secure sensitive data.
An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers, and network security appliances.
Industrial networking firm Moxa has identified two critical vulnerabilities in its cellular routers, secure routers, and network security appliances. The first flaw (CVE-2024-9138) involves hardcoded credentials that can be used to gain root access, affecting 10 products. The second (CVE-2024-9140) enables OS command injection via input bypass, affecting 7 products and allowing remote exploitation by unauthenticated users. Rated 8.6 and 9.8 on CVSS, the vulnerabilities pose significant risks. Moxa has released patches for many devices and advises minimizing network exposure, limiting SSH access, and using intrusion detection systems for unpatched products.
Phishing click rates among enterprise users surged in 2024.
Phishing click rates among enterprise users surged by 190% in 2024, with over eight in 1,000 users clicking phishing links monthly, according to Netskope. The rise stems from increased phishing attempts and more sophisticated lures. Cloud applications were the top targets (27%), with Microsoft accounting for 42% of clicks. Attackers typically exploit compromised accounts for data theft or business email compromise. Banking (17%) and telco (13%) providers were also frequently targeted.
Phishing clicks increasingly came from search engines (19%) via malicious ads and SEO poisoning, rather than emails. Other sources included shopping (10%) and technology sites (8.8%).
A California man is suing three banks for allegedly enabling criminals to steal nearly $1 million from him.
Ken Liem, a California man, is suing three banks for allegedly enabling criminals to steal nearly $1 million from him through a cryptocurrency investment scam. The lawsuit accuses Chong Hing Bank, Fubon Bank, and DBS Bank of failing to conduct proper anti-money laundering (AML) checks under the Bank Secrecy Act, allowing scammers to open fraudulent accounts. Over six months in 2023, Liem transferred $986,000 to these accounts, believing he was investing in crypto. He realized the scam when his “investments” were frozen for alleged money laundering, followed by a demand for a fake IRS tax payment.
Liem alleges the banks ignored “Know Your Customer” protocols, failing to verify account owner identities or investigate suspicious transactions. This case highlights a growing trend of “romance baiting” or “pig-butchering” scams, where victims are defrauded of billions globally. Similar lawsuits and regulatory efforts worldwide aim to clarify financial institutions’ responsibility in preventing such fraud.
Next up, we’ve got our biweekly Threat Vector segment giving you a preview of this week’s episode. Host David Moulton talks with Margaret Kelley from Palo Alto Networks about the evolving landscape of cloud breaches. And, hear about Microsoft's Bing pulling a Clark Kent, dressing up as Google to trick users into sticking around—glasses off, it's still Bing! We’ll be right back.
Welcome back.
Microsoft’s Bing demonstrates imitation is the sincerest form of flattery.
The age-old rivalry between Microsoft's Bing and Google is heating up again, with the former resorting to some pretty clever – or sneaky, depending on your perspective – tactics to try and win over users.
If you search for "Google" on Bing right now without signing into a Microsoft account, you'll be greeted with a page that looks an awful lot like... well, Google. Yes, you read that right – the Bing interface has been modified to mimic the look and feel of its rival's homepage. And it's not just a simple skin-deep change either; this mock-Google page includes all the trimmings, from a search bar to an image that resembles a Google Doodle.
But here's the thing: underneath this fancy UI, your standard Bing search results will still appear. It's a clever trick, and one that might just confuse (or delight) users who are new to the world of PC searching. And it's not like Microsoft is trying to hide its hand – as soon as you click on any of those search results, the Bing branding rears its head.
But why would Microsoft go to such lengths to create a fake Google interface? Well, it seems that this is just one more tactic in the company's ongoing efforts to get people to use Bing instead of switching to Google.
Google's Chrome boss, Parisa Tabriz, has made her feelings about Microsoft's behavior clear in a recent X post: "Imitation is the sincerest form of flattery, but Microsoft spoofing the Google homepage is another tactic in its long history of tricks to confuse users & limit choice." Ouch – that's some serious shade.
In any case, it's clear that the battle between Bing and Google is far from over – and we'll be keeping a close eye on how things develop. After all, when it comes to competing for users' attention, Microsoft is pulling out all the stops. And who knows? Maybe one day we'll even see a fake-Google interface on Bing's homepage that doubles as a Doodle itself...
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.