The CyberWire Daily Podcast 1.10.25
Ep 2222 | 1.10.25

When retaliation turns digital.

Transcript

New details emerge about Chinese hackers breaching the US Treasury Department. The Supreme Court considers the TikTok ban. Chinese hackers exploit a zero-day flaw in Ivanti Connect Secure VPN. A new credit card skimmer malware targets WordPress checkout pages. The Banshee macOS info-stealer has been updated. A California health services organization reports a data breach. A Florida firm pays a $337,750 HIPAA settlement following a 2018 breach. Samsung patches Android devices. A Proton Mail outage hits users worldwide. A popular e-card site recovers from malware. CertByte segment host Chris Hare interviews our guest Casey Marks, ISC2's Chief Qualifications Officer, about the future of certifications. That’s a feature, not a hack.

Today is Friday, January 10th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

New details emerge about Chinese hackers breaching the US Treasury Department. 

New details have emerged about Chinese hackers breaching the US Treasury Department’s unclassified systems, revealing they targeted its sanctions office in addition to the previously reported hack of other Treasury systems, CNN reports. The sanctions office had recently penalized a Chinese company for cyberattacks, raising questions about whether the hack was retaliatory.

The breach also affected the Committee on Foreign Investment in the US (CFIUS), which oversees foreign investments for national security risks. This comes as CFIUS gained new authority over real estate deals near military bases, an area of growing concern for potential Chinese espionage.

While no classified information was accessed, officials worry that the stolen unclassified data could still provide useful intelligence for Beijing. Treasury Secretary Janet Yellen called the breach a blow to US-China relations, emphasizing the need for stronger cybersecurity measures.

The Supreme Court considers the TikTok ban. 

The Supreme Court is considering whether to block a law that could ban TikTok in the U.S. if its China-based owner, ByteDance, doesn’t divest by January 19. The law, enacted with bipartisan support, aims to address national security concerns over potential Chinese government influence on the platform. TikTok and users argue the ban violates First Amendment rights. During oral arguments, TikTok’s attorney denied direct Chinese control and compared the divestment to shutting down a U.S. newspaper under foreign pressure.

Chinese hackers exploit a zero-day flaw in Ivanti Connect Secure VPN. 

Mandiant reports that Chinese hackers have exploited a zero-day flaw (CVE-2025-0282) in Ivanti Connect Secure VPN appliances since December, deploying malware such as SPAWN, PHASEJAM, and DRYHOOK to steal credentials, API keys, and VPN session data. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated remediation by January 15. Researchers warn of widespread exploitation targeting credentials and deploying web shells for future access. The attacks, linked to Chinese Silk Typhoon hackers, follow recent breaches of the Treasury Department’s systems.

A new credit card skimmer malware targets WordPress checkout pages. 

A new credit card skimmer malware targets WordPress checkout pages, injecting malicious JavaScript into the database’s wp_options table to steal sensitive payment details. This approach evades detection by bypassing theme files and plugins, enabling covert operation. The malware dynamically creates fake payment forms or intercepts real ones, capturing credit card information in real time. Data is encrypted and sent to attacker-controlled domains. To mitigate risks, experts recommend checking HTML widgets for malicious scripts, applying security updates, and using firewalls and two-factor authentication.
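The mitigation advice above, checking HTML widgets for injected scripts, can be turned into a repeatable scan of the wp_options table. The following is an added example written for this page, not code from the CyberWire, Sucuri, or any vendor named in the story. It assumes you have exported (option_name, option_value) pairs from wp_options; the sample rows, hostnames and allowlist below are constructed placeholders, and the widget values are simplified rather than full PHP-serialized blobs (the regexes operate on raw text, so real serialized values work the same way).

```python
"""
Defender-side scan of WordPress wp_options rows for injected <script> content.
Added example, not from the original podcast transcript; all sample data and
hostnames are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Options that legitimately carry HTML (custom HTML / block / text widgets) are the
# usual hiding place for skimmers; a <script> anywhere else is unexpected.
HTML_BEARING_OPTIONS = {"widget_custom_html", "widget_block", "widget_text"}

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EXTERNAL_SRC = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(https?:)?//([^/"'\s>]+)""", re.IGNORECASE
)
# Loader/obfuscation idioms that a legitimate widget rarely needs.
SUSPICIOUS_INLINE = re.compile(
    r"\b(atob|eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.IGNORECASE
)
# Inline scripts that touch checkout or card fields deserve a human look.
CHECKOUT_HINT = re.compile(r"checkout|card|cvv|payment", re.IGNORECASE)


@dataclass
class Finding:
    option_name: str
    reason: str
    detail: str


def scan_option(option_name: str, option_value: str, allowed_hosts: set) -> list:
    """Return findings for a single wp_options row (empty list if it looks clean)."""
    findings = []
    bodies = SCRIPT_TAG.findall(option_value)
    if not bodies and "<script" not in option_value.lower():
        return findings  # no script tag at all, nothing to inspect

    if option_name not in HTML_BEARING_OPTIONS:
        findings.append(Finding(option_name, "script in non-HTML option", option_value[:80]))

    for m in EXTERNAL_SRC.finditer(option_value):
        host = m.group(2).lower()
        if host not in allowed_hosts:
            findings.append(Finding(option_name, "external script host not allowlisted", host))

    for body in bodies:
        hit = SUSPICIOUS_INLINE.search(body)
        if hit:
            findings.append(Finding(option_name, "obfuscation/loader pattern in inline script", hit.group(1)))
        if CHECKOUT_HINT.search(body):
            findings.append(Finding(option_name, "inline script references checkout/payment fields", body[:80]))
    return findings


def scan_wp_options(rows: Iterable, allowed_hosts: set) -> list:
    """Scan every (option_name, option_value) pair and collect findings."""
    out = []
    for name, value in rows:
        out.extend(scan_option(name, value, allowed_hosts))
    return out


# Constructed sample rows standing in for a `SELECT option_name, option_value FROM wp_options` export.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-analytics.test"}  # placeholder allowlist
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    # Legitimate custom-HTML widget loading an allowlisted host (simplified serialization).
    ("widget_custom_html",
     'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:7:"content";s:0:"<script src="https://cdn.example-analytics.test/a.js"></script>";}}'),
    # Block widget with a decode-and-eval loader.
    ("widget_block", '<script>var s=atob("...");eval(s);</script>'),
    # Script tag smuggled into an option that should be plain text, from a non-allowlisted host.
    ("blogdescription", 'Just another site<script src="//evil-cdn.test/loader.js"></script>'),
    # Inline script that reaches for the checkout form.
    ("widget_text", '<script>var f=document.querySelector("form.checkout");</script>'),
]

if __name__ == "__main__":
    for f in scan_wp_options(SAMPLE_ROWS, ALLOWED_SCRIPT_HOSTS):
        print(f"{f.option_name}: {f.reason} ({f.detail})")
```

The allowlist is the part worth maintaining: a site's legitimate script hosts are few and stable, so any new external host appearing in wp_options is a cheap, high-signal alert. Pair the scan with file-integrity checks on themes and plugins, since this skimmer deliberately avoids those.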

The Banshee macOS info-stealer has been updated. 

The Banshee macOS info-stealer has been updated to target systems using the Russian language, according to Check Point. Initially launched in 2024 and sold for $3,000/month, the malware collects data such as passwords, browser info, and cryptocurrency wallets. After its source code leaked in November 2024, antivirus detection improved, but concerns grew over new variants. Recent updates removed restrictions on targeting Russian systems, and Banshee is still spread via phishing websites and fake GitHub repositories, likely by former customers or new actors.

A California health services organization reports a data breach. 

California’s BayMark Health Services reported a data breach affecting patients’ personal information, including names, Social Security numbers, insurance details, and treatment information. The breach, linked to a cyberattack between September 24 and October 14, 2024, was discovered on October 11. BayMark secured systems, launched an investigation with forensic experts, and notified law enforcement. Impacted individuals received formal notifications and one year of free credit monitoring. BayMark has since enhanced its security measures to prevent future incidents.

A Florida firm pays a $337,750 HIPAA settlement following a 2018 breach. 

Florida-based USR Holdings has paid a $337,750 HIPAA settlement following a 2018 breach exposing the ePHI of nearly 3,000 patients. The breach occurred after a firewall misconfiguration allowed unauthorized access, resulting in data deletion. HHS found multiple HIPAA violations, including insufficient risk analysis and backup procedures. USR agreed to implement a corrective action plan and will be monitored for compliance. Experts emphasize robust data backup, disaster recovery plans, and proactive monitoring to prevent similar incidents. This marks HHS’s largest HIPAA fine in 2025 so far.

Samsung patches Android devices. 

Samsung Mobile has released its January 2025 Security Maintenance Release (SMR), addressing critical vulnerabilities in Android and Samsung devices. The update resolves five high-priority Common Vulnerabilities and Exposures (CVEs) that could allow attackers to execute arbitrary code, risking sensitive data and device control. It also includes 22 Samsung-specific patches. Samsung urges users to update promptly for improved safety, device performance, and longevity. 

A Proton Mail outage hits users worldwide. 

Proton experienced a major worldwide outage yesterday, disrupting services like Proton Mail, Calendar, VPN, Drive, Pass, and Wallet due to network issues. The outage began at 10:00 AM ET, leaving many users unable to access their accounts. By 12:37 PM ET, Proton Mail was restored, with all services back online by 1:27 PM ET. Proton apologized for the disruption and continues investigating the issue. Users initially reported error messages when attempting to access affected services during the outage.

A popular e-card site recovers from malware. 

Malwarebytes uncovered a cyberattack, dubbed the “zqxq” campaign, targeting GroupGreeting[.]com, a popular e-card site used by major enterprises like Airbnb and Coca-Cola. Exploiting seasonal traffic spikes, attackers injected obfuscated JavaScript to redirect users to phishing sites or malware. The campaign shares traits with the NDSW/NDSX and TDS Parrot malware, known for large-scale infections and Traffic Distribution System (TDS) tactics. Over 2,800 websites have been affected, highlighting risks to trusted, high-traffic platforms during busy holiday periods. GroupGreeting quickly resolved the breach.

The limitations of bug bounties. 

Adam Gowdiak, CEO of AG Security Research, has exposed vulnerabilities in Microsoft’s PlayReady DRM technology, enabling unauthorized access to streaming content keys. His research highlights flaws in Microsoft’s Protected Media Path and Warbird compiler, raising concerns about unauthorized downloads from services like Netflix and HBO Max. While Microsoft initially dismissed the findings as implementation issues, Gowdiak advocated for compensation outside the bug bounty program, citing extensive effort and intellectual property concerns. When no agreement was reached, Gowdiak provided technical details to Microsoft in November 2024 without seeking payment, later disclosing limited public details to raise awareness.

Critics argue this case underscores flaws in bug bounty programs and responsible disclosure practices. Casey Ellis of Bugcrowd stressed the need for standardized terms and coordinated disclosure, warning against tactics resembling extortion. The incident highlights ongoing challenges in balancing researcher incentives, corporate responses, and public accountability.

Elsewhere, Facebook awarded a $100,000 bug bounty to researcher Ben Sadeghipour for discovering a critical vulnerability in its ad platform. The flaw, linked to an unpatched Chrome bug, allowed Sadeghipour to execute commands on Facebook’s internal server, granting extensive access to its infrastructure. Working with Alex Chapman, he reported the issue in October 2024, prompting Meta to address it within an hour. 

Coming up next in our interview segment, CertByte host Chris Hare talks with ISC2's Chief Qualifications Officer Casey Marks about certifications and where they could be heading. And, what if your app mysteriously "learns" English overnight when it wasn’t programmed for English? We’ll be right back.

Welcome back.

That’s a feature, not a hack. 

And finally, the Register describes “Mac,” a developer for a SaaSy business management suite catering to non-English-speaking European markets. One uneventful Wednesday, Mac’s day took a twist when a user reported the app mysteriously displaying English—a language the app didn’t even support. Cue panic.

Logs and deployment history were combed for signs of sabotage. Had the app been kidnapped by rogue translators? After much sleuthing, the culprit emerged: Chrome’s overly helpful “Translate to English” feature, accidentally triggered by the user.

The fix? Explaining how to disable the translation. The takeaway? “Helpful” features can cause chaos too. Mac and his team chuckled (and sighed) as they filed this one under “crisis averted,” glad it wasn’t a hack—just Chrome being a bit too helpful.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.