Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12829

Checks for new stories every ~15 minutes

2024-12-31 12:19:11 theregister NATION STATE ACTIVITY China Intensifies Cyber Intrusions into US Critical Infrastructure
Chinese cyber activity in 2024 suggests a shift from espionage to preparing for disruptive attacks, targeting American telecommunications and critical infrastructure. The FBI disrupted a Chinese botnet early in the year, but the involved group, Volt Typhoon, remains active, compromising critical US systems including a city's emergency network and electric companies. US government agencies warn that Volt Typhoon has positioned itself within IT networks to enable attacks on operational technology assets, indicating prepositioning for potential destruction. Another Chinese group, Salt Typhoon, executed a significant hack into US telecom networks, labeled by a US senator as the nation's worst telecom hack. CrowdStrike, monitoring about 63 China-linked groups, emphasizes ongoing risks as these actors continue to target the global supply chain and critical infrastructure. Defensive responses from US agencies include publicized alerts, a threat hunting guide, and mitigation strategies focusing on patching vulnerable systems and implementing robust security measures. Experts from various cybersecurity firms underscore the challenge of detecting and evicting these well-disguised intruders from compromised networks and the importance of enhancing defensive capabilities in critical sectors. Concerns are growing over the readiness of critical infrastructure against sophisticated cybersecurity threats amid calls for better funding and modernization of cybersecurity practices in these vital sectors.
2024-12-31 11:28:27 thehackernews NATION STATE ACTIVITY U.S. Tightens Control on Data Transfers to Adversarial Countries
The U.S. Department of Justice has issued a final rule to implement Executive Order 14117, preventing bulk personal data transfers to specific adversarial nations. The affected countries include China, Cuba, Iran, North Korea, Russia, and Venezuela, aimed at safeguarding national security and citizens' privacy. The Executive Order addresses risks such as unauthorized access intended for espionage and other malicious activities by adversarial nations. The final rule imposes restrictions on bulk data sales and other commercial access to personal data including precise geolocation, biometrics, and financial data. Exemptions are provided under the rule for U.S. persons in medical, scientific, and other research engagements in the noted countries of concern. The new regulation will enact civil and criminal penalties to enforce compliance, set to be effective within 90 days. Measures are focused on protecting civil liberties and preventing misuse of sensitive data to intimidate or suppress individuals and groups.
2024-12-31 07:36:14 bleepingcomputer DATA BREACH U.S. Health Department Proposes HIPAA Updates Amid Breaches
The U.S. Department of Health and Human Services (HHS) is set to overhaul HIPAA rules in response to rising healthcare data breaches. Proposed changes include mandatory encryption, multifactor authentication, and network segmentation to enhance data security. Amidst escalating cyberattacks, these updates aim to protect large volumes of protected health information (PHI). Implementing the new cybersecurity measures will cost approximately $9 billion in the first year, and over $6 billion in the subsequent four years. The updates follow major incidents like the ransomware attack on Ascension, which compromised the data of nearly 5.6 million people. The revised rules represent the first significant update to HIPAA's security provisions in over a decade, addressing both threat evolution and data protection needs. Regulatory entities warn of the high costs and dangers of inaction, emphasizing the potential harm to critical infrastructure and patient safety.
2024-12-31 05:50:05 thehackernews NATION STATE ACTIVITY Chinese APT Breaches U.S. Treasury Using BeyondTrust API Key
On December 8, 2024, the U.S. Treasury Department experienced a significant cyber incident due to a compromised API key owned by BeyondTrust, a third-party software provider. This breach allowed suspected Chinese state-sponsored actors to access unclassified documents and remotely enter specific user workstations within the Treasury. BeyondTrust had previously detected an intrusion that exploited a Remote Support SaaS API key, which enabled attackers to manipulate account passwords. Following the discovery, BeyondTrust deactivated the API key, informed affected parties, and took immediate corrective measures by providing alternative service instances. CISA has identified related security vulnerabilities in BeyondTrust's products, with one being actively exploited and added to the Known Exploited Vulnerabilities catalog. Despite the breach, the Treasury confirmed that there is no ongoing unauthorized access to their systems and has ceased using the corrupted BeyondTrust service. The incident is under investigation by both the FBI and CISA, focusing on the implications of this breach linked to a Chinese APT group.
2024-12-31 04:39:16 thehackernews CYBERCRIME Azure Airflow Kubernetes Cluster Security Flaws Uncovered
Researchers from Palo Alto Networks identified three security vulnerabilities in the Azure Data Factory Apache Airflow integration. These vulnerabilities could allow attackers to launch covert operations such as data exfiltration and malware deployment within Azure Kubernetes Service clusters. Attackers could potentially tamper with log data or send fake logs by exploiting flaws in the Azure-managed Geneva service. Initial exploitation involves manipulating DAG files, with further access facilitated by misconfigured cluster-admin permissions linked to the Airflow runner pod. An attacker could gain persistent shadow administrator access, allowing them to alter pods, create new service accounts, and apply changes undetected. This flaw poses significant risks to Azure's internal infrastructure, enabling deep access to other Azure-managed resources. The discovery highlights the crucial need for rigorous management of service permissions and monitoring of third-party service operations to prevent unauthorized access.
2024-12-30 23:36:24 theregister NATION STATE ACTIVITY Major Telco Breaches Revealed, White House Reports National Security Concerns
Chinese government-backed hackers infiltrated systems of AT&T, Verizon, and Lumen Technologies, compromising telecommunication networks. The breaches, part of the Salt Typhoon campaign, have impacted nine telecom firms, allowing extensive access including geolocation and call recording capabilities. A White House official stated that this marks the "worst telecom hack in our nation's history," with potential national security implications. Despite the scale, compromised companies reported only select high-profile individuals were targeted and have since secured their networks. Verizon and AT&T communicated to affected customers and assured that they have contained the breach with help from cybersecurity firms and federal agencies. No evidence suggests customer data was accessed in some cases, and ongoing monitoring and cooperation continue. The White House and FCC are pushing for stronger cybersecurity measures and binding rules to safeguard against such nation-state threats. Both public and private sectors are urged to adopt the 60-day Enduring Security Framework to establish minimum cybersecurity practices.
2024-12-30 22:20:31 bleepingcomputer NATION STATE ACTIVITY Chinese State-Backed Hackers Breach US Treasury Via Remote Platform
Chinese state-sponsored actors compromised the U.S. Treasury Department by exploiting vulnerabilities in BeyondTrust's remote support platform. BeyondTrust, a provider of remote support SaaS, detected breaches in its system earlier this month, subsequently identifying two zero-day vulnerabilities which facilitated unauthorized access. The attackers used a stolen API key to manipulate passwords and gain privileged access, enabling them to remotely access and steal documents from the Treasury Department. The Treasury confirmed the intrusion in a letter to lawmakers, labeling the incident as a major cybersecurity breach attributed to a known Advanced Persistent Threat group. All compromised software instances were shut down by BeyondTrust, and the stolen API key was revoked to prevent further unauthorized access. The FBI and CISA were involved in the investigation, with no current evidence indicating continued access by the attackers to the Treasury’s systems. Relatedly, the same group of Chinese hackers has been implicated in significant breaches of major U.S. telecom companies, spying on sensitive communications.
2024-12-30 18:08:00 bleepingcomputer CYBERCRIME Hackers Exploit Router Flaw, Compromise Global Infrastructure
Threat actors are utilizing a remote command injection vulnerability in Four-Faith routers, identified as CVE-2024-12856, to create reverse shells. This vulnerability affects certain router models used primarily in critical sectors including energy, utilities, and transportation. Hackers gain access through devices often set up with default credentials, making them susceptible to brute force attacks. The exploitation involves sending a malicious HTTP POST request which manipulates router settings and establishes a reverse shell. Compromised routers potentially allow attackers to modify configurations, pivot to other network devices, and escalate privileges for further attacks. Approximately 15,000 internet-facing Four-Faith routers are at risk worldwide, per a Censys report. Four-Faith has been notified of the ongoing exploitation, though information on patches or affected firmware remains unclear. Recommendations for mitigating risks include updating firmware, changing default credentials, and implementing detections via shared Suricata rules.
2024-12-30 12:44:51 thehackernews CYBERCRIME New HIPAA Cybersecurity Rules to Enhance Patient Data Protection
The U.S. Health and Human Services’ Office for Civil Rights has proposed updates to the HIPAA Security Rule to combat growing cybersecurity threats in healthcare. The new rules require healthcare organizations to restore critical data within 72 hours and conduct annual compliance audits. Enhancements include mandated encryption of electronic protected health information (ePHI), both at rest and in transit, and the implementation of multi-factor authentication. Healthcare entities must also deploy network segmentation, perform regular vulnerability scans every six months, and undertake annual penetration testing. The proposed changes respond to the increasing frequency and severity of ransomware attacks targeting the healthcare sector, which have seen a significant jump in reported cases from 2021 to 2024. Ransomware not only poses a financial threat but also interrupts critical healthcare services, with a median ransom payment reaching $1.5 million in recent attacks. The World Health Organization has emphasized the urgent need for international cooperation to tackle these cyber threats, underlining their potentially life-threatening consequences.
2024-12-30 12:19:25 thehackernews DDOS Palo Alto Networks Battles DNS-Related DoS Vulnerability
Palo Alto Networks has recently identified and disclosed a critical vulnerability in its PAN-OS software, rated with a high-severity CVSS score of 8.7. The flaw can lead to a denial-of-service (DoS) condition when firewalls configured with DNS Security logging process specially crafted DNS packets. Tracked as CVE-2024-3393, the vulnerability affects only devices with DNS Security logging enabled. Several customers have reported disruptions from this DoS when their firewalls intercepted and blocked malicious DNS packets. The company has acknowledged the attack and is presumably working towards a mitigation or fix to protect against potential exploits. In broader cybersecurity news, several CVEs have been identified in popular software including Apache Tomcat, Apache MINA, and others, prompting urgent calls for updates to prevent possible breaches. Additional cybersecurity tips of the week suggest isolating risky mobile apps in separate user profiles to safeguard personal data from untrusted applications.
2024-12-30 10:43:21 thehackernews MALWARE Over Two Million Users Impacted by Malicious Browser Extensions
An extensive attack campaign has recently targeted browser extensions, injecting malicious code to steal user credentials. More than 25 different extensions have been compromised, affecting over two million users globally. LayerX is providing complimentary services to help organizations audit and remediate their exposure to these compromised extensions. These attacks exploit extensive access permissions granted to extensions, creating significant security risks by accessing sensitive user data. Lack of control over browser extension installations in corporate environments heightens the risk of credential theft and potential data breaches. The current situation exposes the vulnerabilities within web browser extensions and their use in corporate contexts. Enhanced awareness and stringent protective measures are recommended for organizations to mitigate risks associated with malicious browser extensions.
2024-12-30 09:22:21 bleepingcomputer NATION STATE ACTIVITY Major Telecom Networks Confirm Security Post Chinese Espionage
AT&T and Verizon have experienced breaches attributed to a large-scale Chinese espionage campaign aimed at global telecom carriers. Both companies have reported that the intruders have been removed from their networks, with no ongoing nation-state actor activity detected. T-Mobile also faced an intrusion by the same Chinese hackers, known as "Salt Typhoon," but halted the breach, ensuring no sensitive customer data was compromised. The U.S. government is responding to these breaches by considering a ban on China Telecom and potentially TP-Link routers, following evidence of their use in cyberattacks. FCC Chairwoman Jessica Rosenworcel expressed urgency in requiring U.S. carriers to bolster their security frameworks. Senator Ron Wyden has proposed new legislation aimed at securing American telecoms’ networks. The hacking group involved, also known by multiple aliases including Earth Estries and Ghost Emperor, has been active since at least 2019, targeting telecoms and government entities across Southeast Asia.
2024-12-29 18:24:05 theregister CYBERCRIME LLMs Anticipated to Catalyze Spear Phishing Attacks by 2025
Criminals are exploiting stolen credentials to access and leverage large language models (LLMs) for spear phishing and social engineering, potentially enabling significant supply chain attacks by 2025. Sysdig, a cybersecurity firm, tracked an increase in unauthorized access to LLMs, noting that attacks often aim to sell this access to other criminals, incurring substantial costs to the cloud account owners. Attackers have broadened their scope, checking credentials across various AI services such as AI21 Labs, Anthropic, and major cloud providers like AWS and Azure. The exploitation of LLMs, termed 'LLMjacking,' has surged, witnessing a 10x rise in LLM access requests and a doubling of unique IP addresses involved in such activities. Crystal Morin, a cybersecurity strategist and former intelligence analyst, underscored the capability of LLMs to craft personalized messages that significantly enhance the effectiveness of phishing campaigns. Spear phishing aided by LLMs will pose challenges in verifying the authenticity of communications, as they can meticulously tailor messages based on individuals' personal information and local context. Enhanced phishing techniques could have severe repercussions, as demonstrated by the massive breach at Change Healthcare, highlighting the potential scale and impact of future LLM-facilitated attacks. Despite emerging AI detection tools, Morin emphasizes basic preventive measures like scrutinizing message sources and resisting impulsive clicks on unsolicited links or communications.
2024-12-29 17:58:38 thehackernews DATA BREACH Over 600,000 Users Affected by Compromised Chrome Extensions
A coordinated attack compromised 16 Chrome browser extensions, exposing over 600,000 users to potential data theft. Cyberattackers utilized phishing to gain access to publishers' accounts on the Chrome Web Store, inserting malicious code into extensions. Compromised extensions allowed attackers to steal sensitive user information like cookies and access tokens. Notably, Cyberhaven, a cybersecurity firm, disclosed that its extension communicated with a Command and Control server to download files and leak user data. Security expert Or Eshed highlighted the underestimation of risks posed by browser extensions, which can access extensive user data. Several extensions involved were found communicating with the same C&C server, indicating a broad attack rather than isolated incidents. Post-discovery actions included the removal or updating of compromised extensions from the Chrome Web Store, though risks remain if malicious versions are still active on devices. Ongoing investigations seek further compromised extensions as the scope and sophistication of the campaign prompt a reevaluation of extension security strategies by organizations.
2024-12-29 15:11:52 bleepingcomputer MALWARE Botnets Target Outdated D-Link Routers for DDoS Attacks
Two malware botnets, named Ficora and Capsaicin, have increased activity exploiting vulnerabilities in outdated or end-of-life D-Link routers. Targeted models include DIR-645, DIR-806, GO-RT-AC750, and DIR-845L, using exploits linked to four CVEs from 2015 to 2024. Attackers utilize the HNAP interface of compromised D-Link devices to execute commands and potentially steal data. Ficora, an adaptation of the Mirai botnet, surged its activity notably in October and November, focusing on random targets worldwide. Capsaicin, associated with the Keksec group and a variant of Kaiten, demonstrated a brief burst of intense activity targeting East Asian countries. Both botnets possess capabilities for DDoS attacks, including UDP flooding, TCP flooding, and DNS amplification. Security recommendations include updating firmware, replacing end-of-life devices, using strong unique passwords, and disabling unnecessary remote access.