Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12824

Checks for new stories every ~15 minutes

2025-01-17 17:00:55 bleepingcomputer NATION STATE ACTIVITY U.S. Sanctions Chinese Entities for Hacking Telecom and Treasury
The U.S. Treasury has sanctioned Yin Kecheng, a Shanghai-based hacker linked to China's MSS, for his involvement in hacking the Treasury's network. Yin, with a decade-long career in cyber activities, played a role in compromising the Department of Treasury’s Departmental Offices network through a zero-day vulnerability. Sichuan Juxinhe Network Technology Co., a Chinese cybersecurity firm, is also sanctioned due to direct ties with the state-backed Salt Typhoon hacker group. Salt Typhoon has been implicated in breaches of major U.S. telecom and internet providers to snoop on high-profile communications. These entities, linked to the MSS, used sophisticated methods including exploiting zero-day vulnerabilities and received strong national backing. The sanctions block all U.S. property and financial assets of the implicated parties and prohibit any transactions with them without OFAC's approval. This move follows similar actions against other Chinese firms and is part of ongoing efforts to counter state-sponsored cyber activities targeting U.S. interests.
2025-01-17 16:10:04 bleepingcomputer NATION STATE ACTIVITY FCC Demands Telecom Security Upgrade Post Salt Typhoon Hacks
The FCC has mandated U.S. telecom carriers to enhance network security following severe breaches by the Salt Typhoon hacking group. Chairwoman Jessica Rosenworcel emphasized the urgency of implementing robust cybersecurity measures in light of recent vulnerabilities exposed by state-sponsored cyberattacks. A new FCC ruling effective immediately under CALEA requires telecoms to secure their networks against unauthorized access and interceptions. Telecom companies are now required to submit annual cybersecurity risk management plans to demonstrate compliance with new security standards. The ruling also includes a call for public comment on additional methods to fortify the security of U.S. communications infrastructure. National Security Advisor Jake Sullivan highlighted the necessity of these measures to counter sophisticated threats from nation state actors like China. Salt Typhoon breaches impacted several major U.S. telecommunications providers, leading to unauthorized access to sensitive government communications and personal data from officials. While some incidents linked to network vulnerabilities were managed effectively, such as the attempted breach at T-Mobile, the overall situation highlighted significant national security risks.
2025-01-17 15:54:39 theregister MALWARE Critical Security Fixes Released for Widespread Rsync Vulnerabilities
Six severe vulnerabilities were identified in the popular file synchronization tool rsync, affecting versions released since October 2022. The most critical vulnerability had a CVSS severity rating of 9.8 and allowed attackers to execute arbitrary code with only read access to a server. In response, rsync version 3.4.0, which fixes all identified issues, was released immediately after the vulnerabilities were disclosed. A subsequent version, rsync 3.4.1, was quickly issued to address minor regressions introduced by the initial fix. Over 600,000 machines are potentially affected by these vulnerabilities, prompting urgent updates from Linux distributions, including Canonical for its Ubuntu releases. The vulnerabilities, dating back to issues found in 1996, range in severity and include problems such as a heap buffer overflow and path traversal. Security research teams from Google and individual researchers reported these vulnerabilities through coordinated disclosure.
2025-01-17 14:13:15 thehackernews CYBERCRIME Critical Security Flaws Found in Popular Industrial Switches
Cybersecurity experts have identified three significant vulnerabilities in Planet Technology's WGS-804HPT industrial switches. These flaws enable pre-authentication remote code execution, allowing attackers to take full control of the devices without prior authorization. Compromised switches can then be used as a foothold for lateral movement and broader exploitation within internal networks. The vulnerabilities center on the dispatcher.cgi interface, which is critical to the device's web services. Attackers can execute operating system commands and disrupt operations by embedding malicious code in HTTP requests. Claroty, using the QEMU framework, conducted the comprehensive study that revealed these security weaknesses. Following these findings, Planet Technology issued patches for these vulnerabilities in the latest firmware update (Version 1.305b241111) as of November 15, 2024. Users of WGS-804HPT switches in home and building automation networks should update their devices immediately to mitigate the risk.
2025-01-17 13:12:05 thehackernews CYBERCRIME Python Bots Target PHP Servers to Boost Indonesian Gambling Sites
Cybersecurity researchers have identified a new campaign using Python-based bots to target PHP web servers to advance gambling platforms in Indonesia. The malicious bots deploy GSocket, an open-source tool, facilitating a communication channel that aids in executing cryptojacking and stealing payment information through malicious JavaScript. Most attacks focus on exploiting servers with a popular learning management system, Moodle, using pre-existing web shells for initial access. The attackers modify bashrc and crontab system files, ensuring that GSocket remains operational even after the web shells are cleared. The malicious PHP files delivered by attackers contain HTML content promoting gambling and are configured to selectively show content to search bots, redirecting regular users to other gambling domains. Specifically, users are redirected to "pktoto[.]cc", a noted Indonesian gambling site. Another related malware campaign has compromised over 5,000 global sites, installing a malicious plugin and extracting data, emphasizing the need for WordPress site owners to maintain strong security measures, including regular updates and monitoring.
2025-01-17 10:35:07 theregister MALWARE Medusa Ransomware Strikes Gateshead Council, Demands £600K
The Medusa ransomware group attacked Gateshead Council on January 8, leaking sensitive documents on its site and demanding a £600,000 ransom. The breach was promptly investigated by police following confirmation of the attack by Council officials. Stolen data includes personally identifiable information (PII) such as names, contact details, employment history, and internal financial documents. The Council has contacted the Information Commissioner's Office (ICO) and claims to have contained the incident; operations continue as usual. Ongoing investigations focus on understanding the incident's origin and potential broader implications, with updates promised as new information comes to light. The Council is proactively reaching out to individuals potentially affected by the data breach to prevent further harm and advises the public to remain vigilant against phishing. This incident forms part of a broader trend of increasing ransomware attacks against UK public sector organizations. Discussions on banning ransom payments in the public sector are underway, with a licensing approach similar to Australia's being considered.
2025-01-17 10:24:43 thehackernews MISCELLANEOUS Enhancing Wi-Fi Security with Zero Trust and Cloud Portals
Recent data breaches have underscored the importance of secure guest Wi-Fi infrastructure to protect against unauthorized access and ensure compliance. Zero Trust architectures integrated with cloud-based captive portals are being deployed to enhance network security, ensuring strict access controls and continuous verification of all connected devices. These advanced security systems help in segregating networks and mitigating risks from unauthorized access, data interception, and other cyber threats. BYOD policies contribute significantly to network vulnerabilities, introducing unmanaged devices that could potentially compromise network security. Implementing these systems involves adherence to complex regulatory frameworks, adjusting to varying international standards for data retention and privacy. The implementation of a cloud-based Zero Trust captive portal system simplifies the management and strengthens the security of guest Wi-Fi networks across distributed organizational environments. Businesses can benefit from a comprehensive, scalable solution that offers tight access control based on identity, device risk assessment, and continuous policy enforcement. Shifting from traditional perimeter-based security models to a Zero Trust approach provides multiple operational benefits, including enhanced security, scalability, and compliance for modern enterprises.
2025-01-17 10:09:12 thehackernews NATION STATE ACTIVITY U.S. Sanctions Target North Korean IT Workers Funding WMD Programs
The U.S. Treasury Department sanctioned two individuals and four entities for generating illicit revenue for North Korea through global IT employment. Sanctioned North Korean IT workers hide their identities to secure freelance IT contracts worldwide, violating international sanctions. A significant portion of the wages earned by these workers, up to 90%, is appropriated by the North Korean government to fund its weapons of mass destruction and missile programs. These schemes have been under scrutiny since at least 2018, and involve exporting workers to generate regime revenue, under aliases and fraudulent identities. The operations, known under various monikers such as Famous Chollima and Nickel Tapestry, have recently targeted cryptocurrency and Web3 companies, leading to network compromises. Increased public awareness of these activities has led to a rise in intellectual property theft and extortion, demanding substantial cryptocurrency ransoms. The U.S. continues efforts to disrupt these networks which support not only North Korea's illegal weapons programs but also its involvement in global destabilizing activities.
2025-01-17 10:09:12 thehackernews CYBERCRIME New 'Sneaky 2FA' Phishing Kits Target Microsoft 365 Accounts
Cybersecurity researchers have unveiled an adversary-in-the-middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and bypass two-factor authentication. Discovered by Sekoia in December 2024, Sneaky 2FA has been identified across nearly 100 domains, indicating growing use among cybercriminals. This Phishing-as-a-Service (PhaaS) is sold through a Telegram bot called 'Sneaky Log', allowing customers to deploy the phishing kit independently after purchasing a license. Phishing methods involve sending emails with payment receipts linking to fake PDFs that direct victims to authentication pages hosted on compromised WordPress sites and other domains. The phishing pages include sophisticated anti-bot and anti-analysis measures, such as traffic filtering and Cloudflare Turnstile challenges. Sneaky 2FA employs deceptive tactics like using blurred images of legitimate Microsoft interfaces to trick users into submitting their credentials. The phishing kit checks with a central server to ensure only users with active subscriptions can utilize its services, indicating a managed, subscription-based model. Links to a phishing syndicate named W3LL Store, previously involved in other cyber activities, suggest operational and developmental overlaps with previous phishing kits.
2025-01-17 07:47:40 theregister MISCELLANEOUS Microsoft Warns AI Could Exacerbate Cybersecurity Challenges
Microsoft researchers tested over 100 generative AI products, uncovering amplified and new security risks. Key findings indicate that securing AI systems is an ongoing challenge that will never be fully complete. Larger AI models, while better at understanding instructions, are also more capable of executing potentially harmful commands. Microsoft developed an open-source red teaming toolkit, PyRIT, for enhanced automation in probing AI weaknesses. Despite automation's benefits, the "human element" remains essential in AI security red teaming to address nuanced risks. AI can inadvertently reinforce harmful social biases, illustrated by a case study where gender stereotypes were perpetuated. Red teaming serves to identify novel risks rather than merely benchmark against known threats, essential for comprehensive AI security. Microsoft emphasizes the perpetual need for vigilant and innovative defense strategies against evolving AI-driven cybersecurity threats.
2025-01-17 04:20:24 thehackernews DATA BREACH Privacy Group Accuses Tech Firms of Illegal Data Transfers
Austrian privacy advocacy group noyb has filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for allegedly transferring EU user data to China against regulations. Noyb contends that these companies cannot prevent the Chinese government from accessing this data, citing China's lack of equivalent data protection standards to the EU. Legal actions have been initiated in Austria, Belgium, Greece, Italy, and the Netherlands to halt these data transfers. The complaints highlight non-compliance with the EU's General Data Protection Regulation (GDPR), noting these companies' obligatory compliance with Chinese data access demands. AliExpress, TikTok, SHEIN, and Xiaomi's privacy policies acknowledge data transfers to China, while Temu and WeChat reference transfers to unspecified third countries, likely including China. Concurrently, the U.S. FTC is taking measures against companies like General Motors and GoDaddy for privacy violations, emphasizing a global focus on strengthening data protection. Noyb has been actively filing GDPR-related complaints against major corporations, including Google, Microsoft, and Mozilla, for improper tracking practices.
2025-01-17 02:34:08 theregister MISCELLANEOUS Cisco and Nvidia Introduce AI Security Tools to Tackle Vulnerabilities
Nvidia has launched new AI microservices under its NeMo Guardrails collection to secure AI agents from misuse and ensure compliance. These services include tools for preventing prompt injection attacks, controlling topics, ensuring content safety, and detecting AI jailbreaks. Nvidia's solutions are based on smaller language models to minimize resource usage and are accessible to AI Enterprise customers and via Hugging Face. Cisco has unveiled AI Defense tools to identify and secure against risks in AI applications and find unauthorized shadow AI implementations. AI Defense will include a range of tools integrated into Cisco's Security Cloud and Secure Access, enhancing the oversight and management of AI applications within organizations. Nvidia's Garak, an open-source tool, will also assist in identifying AI vulnerabilities like data leaks and hallucinations across applications. Both companies aim to address the growing security challenges associated with AI technologies, ensuring these tools perform safely and as intended.
2025-01-17 00:52:58 theregister DATA BREACH GM Settles with FTC Over Unauthorized Data Sharing
General Motors has settled with the Federal Trade Commission (FTC) following allegations of unauthorized geolocation data sharing in its Smart Driver program. The FTC claimed GM collected precise driver location data and shared it with third-party firms Verisk and LexisNexis, who then provided it to insurers to potentially raise premiums based on driving behavior. GM discontinued the Smart Driver program and ended relationships with the third-party data providers after receiving customer complaints about privacy violations. The settlement includes a decree requiring GM to obtain affirmative consent from drivers before collecting connected vehicle data, with certain exceptions for emergency services. Part of the agreement stipulates that drivers can control, access, and delete their collected data through GM's consolidated privacy policy and website. This consent decree, to prevent future undisclosed data sharing, is open to public comment for 30 days and will last for 20 years. This action comes amid broader concerns about privacy and national security related to technologies integrated into vehicles, prompting new rules on vehicles with foreign-manufactured components.
2025-01-16 22:36:32 bleepingcomputer DATA BREACH Privacy Group Files GDPR Complaints Against Chinese Tech Firms
Non-profit group noyb has filed GDPR complaints against six Chinese companies for transferring EU user data to China. The complaints target TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for not complying with EU data protection laws. Legal action was initiated in five EU countries: Greece, Italy, Belgium, the Netherlands, and Austria. Noyb argues that China's data protection regime does not meet EU standards, posing a risk to EU citizens' privacy. The complaints cite violations of the GDPR's general data transfer principles and a lack of adequate safeguards. Noyb highlights that the targeted firms must comply with data access demands from Chinese state authorities. Potential fines for GDPR violations could reach up to 4% of annual global turnover, a significant financial impact for the companies involved.
2025-01-16 20:40:12 bleepingcomputer MALWARE Critical Security Flaw in W3 Total Cache Affects Over a Million Sites
A significant vulnerability in the W3 Total Cache WordPress plugin, affecting over one million sites, allows unauthorized information access. Tracked as CVE-2024-12365, the flaw lies in a plugin function that lacks proper security checks, enabling exploitation even by low-privileged subscriber accounts. Attackers can abuse the site's infrastructure to forge proxy requests and gather data for further attacks. Although a patch is available in version 2.8.2 of W3 Total Cache, a large number of sites have not updated, leaving them vulnerable. About 150,000 websites upgraded after the patched version was released, with several hundred thousand still at risk. Website owners are advised to install the update immediately and to reduce the number of installed plugins to shrink their attack surface. Deploying a web application firewall is recommended to detect and block exploitation attempts.