CybersecurityHQ News Roundup - December 31, 2024

News By Daniel Michan Published on December 31, 2024

Chinese Hackers Accessed US Treasury Workstations in ‘Major’ Cybersecurity Incident

In a major cybersecurity breach, Chinese state-sponsored hackers gained access to U.S. Treasury Department workstations and read unclassified documents. The attackers used a stolen API key for BeyondTrust's cloud-based Remote Support service, which the vendor uses to provide technical support to Treasury end users, to override the service's security controls and remotely reach Treasury workstations. Treasury officials said BeyondTrust notified the department earlier this month, and the intrusion is attributed to a China state-sponsored actor as part of a broader cyberespionage campaign. Immediate responses included revoking the compromised API key, taking the affected service offline, and engaging the FBI and CISA to assess the damage. The disclosure comes amid a separate, ongoing Chinese espionage operation, dubbed Salt Typhoon, targeting U.S. telecommunications companies. For further details, read here.



Palo Alto Networks Patches Firewall Zero-Day Exploited for DoS Attacks

Palo Alto Networks has issued patches for a zero-day vulnerability (CVE-2024-3393) in PAN-OS, the software that powers its firewalls. The flaw, exploited in the wild, allows an unauthenticated attacker to send a crafted DNS packet that causes the firewall to reboot; repeated exploitation forces the device into maintenance mode, a denial of service. The issue only affects firewalls with the DNS Security logging feature enabled. While the company rated the urgency as moderate, organizations are urged to update immediately to prevent further attacks. Estonia's CERT-EE assisted in the investigation, highlighting the increasing global cooperation in cybersecurity. Learn more from the vendor's advisory here.



Four-Faith Industrial Router Vulnerability Exploited in Attacks

Threat actors are actively exploiting an OS command injection vulnerability (CVE-2024-12856) in Four-Faith industrial cellular routers. The flaw lets a remote attacker execute arbitrary operating system commands on the device, which could disrupt the industrial systems behind it. The injection requires authentication, but researchers at VulnCheck noted that the routers ship with well-known default credentials that are frequently left unchanged, which makes the flaw effectively unauthenticated in practice. At least 15,000 internet-facing devices are at risk, with attacks observed from multiple source IPs. Operators should change the default credentials and remove the management interface from the internet while waiting for a fix. Full mitigation strategies can be found here.
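To make the mechanism concrete, here is an added example (not code from Four-Faith, VulnCheck, or this roundup) of the pattern behind an OS command injection in a router's web interface: a form field for the system year is spliced into a shell command string, so shell metacharacters in the submitted value become additional commands. The hardened version validates the field strictly and passes an argument list to the process without a shell. The handler name and the "set year" form are illustrative assumptions; `echo` stands in for the real `date` binary so the script runs harmlessly, and the vulnerable function assumes a POSIX shell.

```python
import re
import subprocess

# Constructed attacker input: closes the single-quoted value, runs an extra
# command, then reopens the quote so the rest of the line still parses.
INJECTED_YEAR = "2024'; echo INJECTED; echo '"


def set_year_vulnerable(year: str) -> str:
    """Illustrative vulnerable handler: the form value is interpolated into a
    shell command string and executed through /bin/sh (shell=True).
    'echo' stands in for 'date' so the demo changes nothing on the host."""
    cmd = f"echo date -s '{year}-01-01'"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def set_year_hardened(year: str) -> list:
    """Hardened handler: reject anything that is not a four-digit year, then
    invoke the program with an argv list so no shell ever parses the value."""
    if not re.fullmatch(r"(19|20)\d{2}", year):
        raise ValueError("year must be a four-digit value between 1900 and 2099")
    argv = ["echo", "date", "-s", f"{year}-01-01"]
    subprocess.run(argv, check=True, capture_output=True)
    return argv


def injection_succeeded(output: str) -> bool:
    """True if the attacker's extra command produced its own output line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    out = set_year_vulnerable(INJECTED_YEAR)
    print("vulnerable handler ran attacker command:", injection_succeeded(out))
    try:
        set_year_hardened(INJECTED_YEAR)
    except ValueError as exc:
        print("hardened handler rejected input:", exc)
    print("hardened handler argv for a valid year:", set_year_hardened("2024"))
```

The validation step is what matters: even with an argv list, an over-permissive value could still reach the program as an unexpected flag, so whitelist the exact shape the field may take. Note also that the hardened handler does nothing about the default-credential problem the item describes; an attacker who can log in as the factory account can still change the clock, so credential rotation is a separate control.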



US Issues Final Rule for Protecting Personal Data Against Foreign Adversaries

The U.S. Department of Justice finalized a rule under Executive Order 14117 to restrict data brokers from selling bulk personal data to foreign adversaries, including China and Russia. The rule targets sensitive data such as biometric identifiers, health information, and geolocation data. It also outlines protocols for designating “covered persons” and obtaining licenses for specific data transactions. This move aims to bolster national security against the misuse of personal data in espionage and AI development. Details of the rule are available here.



Several Chrome Extensions Compromised in Supply Chain Attack

A supply chain attack on extensions in the Google Chrome Web Store compromised several products, including Cyberhaven's data security extension. The attackers phished a Cyberhaven employee into authorizing a malicious OAuth application, which gave them access to the company's Chrome Web Store developer account; they then published a trojanized version of the extension that harvested session cookies and credentials for Facebook advertising accounts. Cyberhaven removed the malicious version and pushed a clean release within about an hour of detection, but warned that data may have been exfiltrated from browsers running the bad build. Other affected extensions include Internxt VPN and VPNCity. The incident raises alarms about the security of browser extensions and of the developer accounts that publish them. More on the attack can be found here.



Cisco Confirms Authenticity of Data After Second Leak

Cisco confirmed the authenticity of a second batch of data leaked by hackers who took it from the company's public-facing DevHub environment. Cisco maintains that its internal systems were not breached and that the files were exposed through that public resource; the data includes source code and configuration files. The hackers initially claimed to have stolen terabytes of data but have leaked only gigabytes so far. Cisco continues to monitor and mitigate any risks associated with the incident. Read more about Cisco's response here.



Ninth U.S. Telecom Confirmed as Victim of Chinese Espionage Campaign

A ninth telecom company has been identified as a victim of Salt Typhoon, a Chinese cyberespionage campaign targeting call records and private communications. The White House urged improved cybersecurity practices across the telecommunications sector and announced forthcoming measures to combat such threats. Learn about Salt Typhoon here.



The Intersection of AI and OSINT: Advanced Threats on the Horizon

Open-source intelligence (OSINT) is evolving with AI integration, enabling both defenders and attackers to harness vast amounts of publicly available data. While AI-powered OSINT tools enhance threat detection, they also enable advanced spear phishing, supply chain compromise, and social engineering attacks. Organizations are urged to conduct OSINT audits and enforce strict AI governance policies. Explore the potential of AI in OSINT here.



Defense Giant General Dynamics Targeted in Phishing Campaign

General Dynamics revealed that 37 employee accounts were compromised in a phishing campaign that impersonated the login page of its third-party employee benefits portal. Attackers accessed personal and financial information and, in some cases, altered direct-deposit bank account details. The company has since notified affected individuals and offered free credit monitoring. More on this breach here.



Cl0p Ransomware Group Threatens to Name Over 60 Victims

The Cl0p ransomware gang has threatened to name more than 60 victims of its recent attacks exploiting vulnerabilities in Cleo's file transfer products (Harmony, VLTrader and LexiCom). Only one victim, Blue Yonder, has been publicly identified so far. The campaign continues Cl0p's pattern of mass exploitation of managed file transfer software, following its earlier MOVEit and GoAnywhere operations. Read about Cl0p's latest exploits here.



Japan Airlines Hit by Cyberattack, Delays Flights

A cyberattack disrupted Japan Airlines' operations, delaying 24 domestic flights. The attack, identified as a DDoS assault, temporarily suspended ticket sales. This incident underscores the vulnerabilities in Japan’s critical infrastructure during peak travel periods. More on JAL’s response here.



FBI Blames North Korea for $308M Cryptocurrency Hack

The FBI attributed the $308 million theft from the Japanese exchange DMM Bitcoin in May to North Korea's TraderTraitor hacking group. The attackers first used social engineering to compromise an employee of Ginco, a Japan-based cryptocurrency wallet software company, then used that access to tamper with a legitimate DMM Bitcoin transaction request. The heist adds to a year in which cryptocurrency theft exceeded $2 billion, with North Korean-linked actors blamed for the majority of it. Details of the investigation are available here.



Ascension Health Ransomware Attack Impacts 5.6 Million

Ascension Health confirmed a ransomware attack affecting 5.6 million individuals, exposing sensitive personal and medical data. The Black Basta ransomware group is suspected, though unconfirmed. Ascension is offering free credit monitoring to affected individuals. Learn more about the breach here.



Sophos Patches Critical Firewall Vulnerabilities

Sophos has patched three vulnerabilities in Sophos Firewall, the most severe a critical pre-authentication SQL injection (CVE-2024-12727) in the email protection feature that could lead to remote code execution. That flaw affected only a small percentage of devices, those running a specific configuration with Secure PDF eXchange (SPX) enabled in High Availability mode. The update also fixes a weak default SSH credential used during HA cluster setup (CVE-2024-12728) and a post-authentication code injection in the User Portal (CVE-2024-12729). Sophos urges immediate updates and recommends restricting SSH, User Portal and Webadmin access from the WAN as a workaround. Advisory details are available here.



LockBit Ransomware Developer Arrested in Israel

Israeli authorities arrested Rostislav Panev, an alleged developer for the LockBit ransomware group, at the request of the U.S., which is seeking his extradition. Panev allegedly wrote code used in attacks that targeted over 2,500 organizations worldwide. The arrest marks further progress in dismantling LockBit's operations after the law enforcement takedown of its infrastructure earlier this year. Learn more about this case here.