CyberWire Daily - A breach in the U.S. Treasury.

Episode Date: January 2, 2025

Chinese hackers breach the U.S. Treasury Department. At least 35 Chrome extensions are compromised. Federal authorities arrest a U.S. Army soldier over accusations of sensitive data stolen from AT&T and Verizon. A misconfigured Amazon cloud server exposes sensitive data from over 800,000 VW EV owners. Rhode Island confirms a data breach linked to ransomware group Brain Cipher. Ascension healthcare confirms the exposure of the personal and medical data of 5.6 million customers. A recent patch to Windows BitLocker encryption proves inadequate. A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls for espionage. The DOJ bans the sale of Americans' sensitive data to adversarial nations. HHS proposes a HIPAA update to address cybersecurity. Our guest is Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience gap. CISA Director Easterly looks back at 2024.

CyberWire Guest: Mick Baccio, Global Security Advisor at Splunk's security research team SURGe, shares some insights on the cybersecurity resilience gap and top cyber challenges and priorities for the public sector. You can read more about this in SURGe's blog and whitepaper.

Selected Reading
US Treasury Department breached through remote support platform (Bleeping Computer)
New details reveal how hackers hijacked 35 Google Chrome extensions (Bleeping Computer)
U.S. Army Soldier Arrested in AT&T, Verizon Extortions (Krebs on Security)
AT&T and Verizon Say Chinese Hackers Ejected From Networks (GovInfo Security)
Volkswagen leak exposes private information of 800,000 EV owners, including location data (TechSpot)
Hackers Leak Rhode Island Citizens' Data on Dark Web (Infosecurity Magazine)
Ascension cyberattack exposed medical data of 5.6M customers (Healthcare IT News)
Patched BitLocker Flaw Still Susceptible to Hack (GovInfo Security)
Palo Alto Firewalls Backdoored by Suspected Chinese Hackers (BankInfo Security)
US prohibits data sales to adversarial nations (SC Media)
Massive healthcare breaches prompt US cybersecurity rules overhaul (Bleeping Computer)
CISA's 2024 Review Highlights Major Efforts in Cybersecurity Industry Collaboration (Infosecurity Magazine)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Chinese hackers breach the U.S. Treasury Department. At least 35 Chrome extensions are compromised. Federal authorities arrest a U.S. Army soldier over accusations of sensitive data stolen from AT&T and Verizon. A misconfigured Amazon cloud server exposes sensitive data from over 800,000 VW EV owners.
Starting point is 00:02:23 Rhode Island confirms a data breach linked to ransomware group Brain Cipher. Ascension Healthcare confirms the exposure of the personal and medical data of 5.6 million customers. A recent patch to Windows BitLocker encryption proves inadequate. A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls for espionage. The DOJ bans the sale of Americans' sensitive data to adversarial nations. HHS proposes a HIPAA update to address cybersecurity. Our guest is Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience gap.
Starting point is 00:03:01 And CISA Director Easterly looks back at 2024. It's Thursday, January 2nd, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy New Year and thank you for joining us here once again. It is great to have you with us. Chinese state-sponsored hackers breached the U.S. Treasury Department through a compromised remote support platform provided by BeyondTrust. The attack, attributed to the Salt Typhoon APT group, exploited two zero-day vulnerabilities in BeyondTrust's Remote Support SaaS. Using a stolen API key, the attackers reset passwords, gained privileged access, and stole agency documents. BeyondTrust detected the breach on December 8, shut down compromised instances, and revoked the API key.
Starting point is 00:04:16 The FBI and CISA assisted in the investigation, confirming the hackers no longer have access to Treasury systems. The breach follows AT&T and Verizon's confirmation that they've expelled Chinese cyber espionage hackers from their networks following a months-long Salt Typhoon campaign. The attackers exploited vulnerabilities to intercept calls, geolocate individuals, and access metadata. The breach originally impacted eight companies,
Starting point is 00:04:47 but a ninth victim was recently identified after the federal government issued detailed guidance on Chinese tactics. The companies targeted include major players like AT&T, Verizon, and Lumen. T-Mobile previously reported breaches, but said no sensitive customer data was stolen. The hackers leveraged poorly secured admin accounts, giving them sweeping access across networks, including lawful intercept back doors used for court-ordered wiretaps. Investigations were complicated by inadequate logging and the attackers' efforts to erase their tracks.
Starting point is 00:05:23 The White House has called for improved cybersecurity practices, urging measures like network segmentation and better logging. The FCC is also considering mandatory cybersecurity standards, and the U.S. plans to ban China Telecom's remaining operations. A phishing campaign targeting Chrome extension developers compromised at least 35 extensions, including one from cybersecurity firm Cyberhaven, impacting around 2.6 million users. The attack, active since March of 2024, escalated in December with phishing emails impersonating Google. Developers were tricked into granting permissions to a malicious OAuth app, allowing attackers to inject data-stealing code into extensions.
Starting point is 00:06:13 The malicious code targeted Facebook business accounts, stealing user credentials, IDs, access tokens, and ad account information. Threat actors even bypassed two-factor authentication by capturing QR codes used for login verification. Extensions were hijacked to distribute new malicious versions via the Chrome Web Store. Investigators identified command and control domains linked to the campaign and suspect many more extensions were targeted. Despite multi-factor authentication protections,
Starting point is 00:06:47 the phishing method effectively exploited OAuth workflows, exposing significant vulnerabilities in Chrome extension security. Krebs on Security reports that federal authorities have arrested 20-year-old U.S. Army soldier Cameron John Wagenius, accusing him of being Kiberphant0m. Cyber Phantom or Kiber Phantom, it's hard to say. It's Cyber, or Kiber with a K. A cybercriminal who sold and leaked sensitive data stolen from AT&T and Verizon.
Starting point is 00:07:25 Wagenius, a communications specialist stationed in South Korea, was apprehended near Fort Hood, Texas in December after an indictment for unlawfully transferring confidential phone records. Kiberphant0m allegedly hacked 15 telecom firms, including AT&T and Verizon, and leaked call logs of prominent figures such as President-elect Trump and Vice President Kamala Harris. He also offered SIM swapping services and posted stolen data schemas linked to the NSA. The swift investigation, spanning just weeks, relied on security researchers identifying operational security mistakes. Experts warn young cybercriminals of escalating risks as law enforcement improves its ability to track and prosecute cybercrimes domestically. This case has been transferred to the Western District of Washington.
Starting point is 00:08:16 A Volkswagen subsidiary, Cariad, exposed sensitive data from 800,000 EV owners due to a misconfigured Amazon cloud server. The leak included contact information, movement data, and precise location data accurate to within 10 centimeters for Volkswagen and Seat vehicles and 10 kilometers for Audi and Skoda. High-profile individuals, including German politicians, Hamburg police, and intelligence employees, were affected. The hacker group Chaos Computer Club discovered the breach and alerted authorities, giving VW 30 days to resolve it. Volkswagen confirmed the data was pseudonymized and accessed through a complex multistage process. No passwords or payment
Starting point is 00:09:06 details were exposed. Rhode Island has confirmed that cybercriminals have published personal data stolen from its social services portal, RI Bridges. The breach, linked to ransomware group BrainCypher, compromised citizens'ensitive information, including data from individuals applying for health services. Deloitte, the state's vendor, revealed that files had been leaked on the dark web. Governor Dan McKee stated that IT teams were analyzing the released data, urging residents to freeze and monitor credit to protect financial information. Social engineering attacks are also a concern. RI Bridges remains offline with investigations ongoing. BrainCypher claims to have stolen one terabyte of data in the December breach,
Starting point is 00:09:55 targeting systems outside Deloitte's network. Deloitte and Rhode Island have not verified these claims. A December 20th filing with Maine's Attorney General revealed that a May 8th cyber attack on healthcare giant Ascension exposed the personal and medical data of 5.6 million customers. The breach occurred after an employee mistakenly downloaded a malicious file. Exposed data varies by individual and includes medical records, payment information, government IDs, and personal details, although Ascension confirmed its core clinical systems were not accessed. The incident highlights ongoing vulnerabilities in healthcare cybersecurity following similar breaches in 2024 at Change Healthcare and Kaiser Permanente.
Starting point is 00:10:48 Proposed legislation, the Healthcare Cybersecurity and Resilience Act, seeks to bolster defenses with grants for healthcare organizations. A recently patched flaw in Windows BitLocker encryption remains vulnerable to attacks, researcher Thomas Lambertz revealed at the Chaos Communication Congress. Using a method called BitPixie, Lambertz demonstrated how rebooting a device in recovery mode with PXE booting enabled allowed him to extract encryption keys from memory and decrypt data. Lambertz criticized Microsoft's patch as insufficient, noting that disabling the network stack in the BIOS is the only effective mitigation. A suspected Chinese hacking campaign is exploiting
Starting point is 00:11:32 a vulnerability in Palo Alto firewalls to deploy a custom malware backdoor for espionage, according to Northwave researchers. The backdoor, a variant of LITTLELAMB.WOOLTEA, installs disguised as a logd file and provides extensive functionality, including file manipulation, network tunneling, and SOCKS5 proxy setup. Exploited since November, attackers use the vulnerability to gain root privileges and deploy additional payloads. Palo Alto patched this flaw and another, advising administrators to limit web management portal access to trusted IPs. The campaign aligns with Chinese threat group UNC5325's strategy of targeting edge devices, similar to their past exploits of Ivanti VPNs and Fortinet firewalls.
Starting point is 00:12:27 Researchers say thousands of devices may be affected. The U.S. Department of Justice has finalized a rule banning the sale of Americans' sensitive data, including biometric, geolocation, health, and financial information, to adversarial nations like China, Russia, and Iran. Stemming from a February executive order, the rule targets efforts by hostile nations to use such data for AI development, cyber espionage, and influence campaigns. Assistant Attorney General Matthew Olsen emphasized the rule's role in protecting national security. Implementation begins three months after its Federal Register publication.
Starting point is 00:13:10 The U.S. Department of Health and Human Services has proposed updated HIPAA cybersecurity rules to protect patient health data amid increasing healthcare data breaches and ransomware attacks. The proposed measures include mandatory encryption of protected health information, multi-factor authentication, and network segmentation to limit attackers' movements. White House official Anne Neuberger highlighted the urgency, citing high costs of inaction, which could endanger critical infrastructure and patient safety. The updates, expected within 60 days, mark the first major HIPAA security revisions in a decade. Implementation is projected to cost $9 billion in the first year and $6 billion over the next four years. Coming up after the break,
Starting point is 00:14:11 my conversation with Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience gap. And CISA Director Easterly looks back at 2024. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:14:57 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:15:38 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Mick Baccio is Global Security Advisor at Splunk's security research team, SURGe. He joins me to share some insights on the cybersecurity resilience gap and the top cyber challenges and priorities for the public sector.
Starting point is 00:16:42 When it comes to supply chains heading to 2025, I think it's really, really weird. It goes back to the Foundry report we just put out talking about the resilience confidence gap, where a lot of folks think that they're more, they're very secure, very prepared for a specific scenario. And the other scenarios are maybe more likely to happen, they are unprepared for. So I think the folks that I've talked to, the organizations I've
Starting point is 00:17:13 worked with, 50-50. I think it was around 52% decision makers, both public and private sector, don't feel confident in the understanding of requirements for digital resilience. So if you're not able to, you know, kind of articulate what it means for your organization, that's going to kind of muddy up the waters. We are trying to find how can I secure my supply chain and be confident in that going into 2025. Is this kind of the cyber equivalent of, you know, being afraid to get on an airplane, but even though it's much more likely you're going to get run over crossing the street? Well, I think the metaphor I would use, the analogy I would use is, I'm buying three different kinds of insurance, but I'm not going to wear my
Starting point is 00:17:59 seatbelt on the plane. Gotcha. Gotcha. you know, when you look at organizations that are kind of 50-50, and the survey we did, the private sector scored slightly higher, but I think it's really even across the board, where organizations that prioritize things like asset inventory, MFA, patch management, you know, those things I kind of call the cyber veggies,
Starting point is 00:18:25 where these are the things you know you're supposed to do. And if you don't, your enterprise suffers in the same way you know you're supposed to exercise, get some water and eat mostly green stuff. And you don't, your body suffers for it. So I think it's a prioritization of those organizations that realize how important that is. That foundation is going to be what's most critical. You know, I think the analogy that I've heard a lot or what I've tried to use is, you know, don't be more concerned with innovation and focus on foundation.
Starting point is 00:18:58 What do you suppose is generating this gap here? I mean, why the focus on things that might not be the best first place to start? Because they're so cool, Dave. They're so cool. When you look at all, and I am so guilty of this as well, right? When you look at all of the advancements, and we haven't talked about AI in about three or four minutes, so let's talk about AI. When you look at the advancements in generative AI, large language models, and all of the use cases that have been developed in just the past eight months, the past 18 months, it's been phenomenal to see on the defensive side of the board. And focusing on that
Starting point is 00:19:38 is amazing because it solves this very specific problem. But when you look at the overarching themes of it, focusing on the basics, it's not very sexy. It's not very cool to say in a briefing, it doesn't make a cool slide that everyone in our enterprise has multi-factor authentication. All the administrator accounts are using hardware tokens, FIDO-based, things like that. It's the things we need to do, but there's not really an appeal to doing them. You want to do the cool thing, the new thing. And I think we're losing sight of the foundational security that makes us better at implementing the new things we have. Is this an opportunity for folks to focus on things that maybe are a better bang for their buck?
Starting point is 00:20:23 Well, and I think when you talk about more bang for your buck, that's the issue, right? The Foundry report we said, I think the data was 82% of both public and private sector organizations face budget-related obstacles. And that's not a new story, right? Money, it always comes down to resources. It always comes down to available resources
Starting point is 00:20:46 to implement the things that you want, and I think budget's always going to be a challenge. I think across the public sector and the private sector, and I know the public sector has more budgetary concerns, but I think it's the prioritization of those things, what you can do inside your budget, that more bang for your buck, what can I do that is low cost but high effort?
Starting point is 00:21:08 One of the things that caught my eye in your research was it seems like supply chain security is slipping down the priority list. Am I right there? I don't know if I would say that it's slipping down the list. I think it's a matter of other issues kind of bubbling to the top or becoming equally as important. When you look at supply chain, you know, supply chain, I think is just one facet of your organization's resilience confidence. You know, and if there is a cyber attack, 95% of the folks we surveyed agreed, hey,
Starting point is 00:21:53 resilience is super essential. And I think two thirds of them really agreed with that. But I think that really comes down to that foundational security. What are you focusing on to get better in a case of an attack or in case of downtime? How can you recover? How can you stay above board? How can your business, how can your enterprise keep running? I think when you look at supply chain attacks, that's just one of the many scenarios that can happen that would affect that resilience posture. If I'm the person in my organization who's responsible for this stuff, and I have to get in front of the powers that be and justify the things that we're doing here,
Starting point is 00:22:36 do you have any tips on telling this story of making sure that the non-sexy stuff gets its due? Wow, the non-sexy stuff gets its due. It sounds like the title of my autobiography. So I think it's kind of making that message resonate in a manner that's going to speak to your board, to your leadership, to your executives. I think when we talk about value, what value are we bringing?
Starting point is 00:23:03 And on a lower scale, we think of value not in monetary terms, but when you speak to your executives, please keep that in mind. There's an organization of business that they're running. I think that, you know, putting the basics in the frame of cloud security, observability, AI, you know, orchestration, automation. I think more and more folks in the public and private sectors, I think two-thirds of public sector are realizing how important SOAR is because of the amount of data that we're processing now, the amount of data that we're looking at to aggregate, and it's growing more and more. So I think the ability to speak to the board, to speak to your leadership and say, hey, us doing the foundational things right will let us be more agile in the future. I think what is the phrase, if you're not agile, you're fragile. But again, it's that foundational security, I
Starting point is 00:23:57 think that folks kind of overlook and that becomes more critical as we move on as the data expands. What are your recommendations for organizations that want to do a better job with this? Recognize, see the numbers here, recognize that they need to make some adjustments. Any words of wisdom? Words of wisdom. What adjustments can you make? I honestly, my biggest achievements, my biggest successes have come from partnerships, whether that be a partnership with something like an ISAC that is specific to your organization's vertical. We are talking with colleagues who are essentially facing the
Starting point is 00:24:41 same issues that your organization is. you're not in this alone. And I think it's that community effort, the whole rising tide lifts all boats. I think a lot of organizations find themselves facing the same challenges and having professional colleagues to work through those with is invaluable. And building on that, I think when you look at the public-private partnerships, those become even more critical and useful as we move on. When you look at NIST 2 that just came out in the EU, the AI NIST directive that came out years back, or the AI Bill of Rights that was released from the administration months earlier, I think those public-private partnerships kind of give you an overarching idea of what the federal government may be planning that may be able to assist you, what resources are available to you, you know, what other folks
Starting point is 00:25:30 are having these issues or what legislation is coming out soon. That's Mick Baccio, Global Security Advisor at Splunk's security research team, SURGe. We'll have a link in the show notes to their blog and white paper. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:26:26 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, the U.S. Cybersecurity and Infrastructure Security Agency celebrated a year of growth and accomplishment in 2024, as highlighted in its Year in Review by outgoing director Jen Easterly. With warmth and appreciation, Easterly reflected on CISA's collaborative efforts with industry, government, and international partners to enhance national cybersecurity. Notable achievements include the Pre-Ransomware Notification Initiative, which sent over 2,100 alerts in 2024, mitigating threats to schools, healthcare organizations, and critical infrastructure. CISA also blocked 1.26 billion malicious connections, remediated 861 vulnerabilities, and issued nearly 1,300 cyber defense alerts. Programs like Secure by Design gained traction,
Starting point is 00:27:38 rallying 250 software manufacturers to commit to secure practices. CISA's Cyber Storm 9 exercise prepared over 2,200 participants for advanced cyber threats, while its Protect 2024 election portal centralized resources for securing the November elections. The agency also launched its first international strategic plan, advancing global partnerships and prioritizing AI system security. Easterly emphasized the critical need for collaboration to address emerging threats, ensuring CISA remains resilient and innovative in its mission. While CISA's 2024 accomplishments highlight its role as a cornerstone of U.S. cybersecurity, the agency faces uncertainty as it transitions to new leadership under an incoming presidential
Starting point is 00:28:31 administration. The robust progress made, such as advancing ransomware defenses, securing elections, and fostering international partnerships, serves as a testament to its effectiveness. However, evolving geopolitical threats, challenges in regulating AI, and potential shifts in federal priorities could impact its trajectory. As CISA moves forward, its ability to sustain bipartisan support and adapt to new directives will be critical in navigating this uncertain landscape and ensuring its continued mission to protect the nation's critical infrastructure. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:29:35 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:29:54 We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Tré Hester,
Starting point is 00:30:11 with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
