CyberWire Daily - U.S. sanctions spark cyber showdown with China.
Episode Date: January 7, 2025

China criticizes U.S. sanctions. School districts face cyberattacks over the holiday season. The U.N.’s International Civil Aviation Organization (ICAO) is investigating a potential data breach. Eagerbee malware targets government organizations and ISPs in the Middle East. A major New York medical center notifies 674,000 individuals of a data breach. Hackers infiltrate Argentina’s Airport Security Police (PSA) payroll system. An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers, and network security appliances. Phishing click rates among enterprise users surged in 2024. A California man is suing three banks for allegedly enabling criminals to steal nearly $1 million from him. On our Threat Vector segment, we preview this week’s episode where host David Moulton speaks with Margaret Kelley about the evolving landscape of cloud breaches. Microsoft’s Bing demonstrates imitation is the sincerest form of flattery.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

On our Threat Vector segment, we preview this week’s episode where host David Moulton speaks with Margaret Kelley about the evolving landscape of cloud breaches and how organizations can defend against sophisticated attacks. You can catch new episodes of Threat Vector every Thursday here and on your favorite podcast app.
Selected Reading

China Protests US Sanctions for Its Alleged Role in Hacking, Complains of Foreign Hacker Attacks (SecurityWeek)
Tencent added to US list of 'Chinese military companies' (The Register)
School districts in Maine, Tennessee respond to holiday cyberattacks (The Record)
UN aviation agency 'actively investigating' cybercriminal’s claimed data breach (The Record)
Eagerbee backdoor deployed against Middle Eastern govt orgs, ISPs (Bleeping Computer)
Staten Island Hospital Notifying 674,000 of May 2023 Hack (BankInfo Security)
Industrial networking manufacturer Moxa reports 'critical' router bugs (CyberScoop)
Phishing Click Rates Triple in 2024 (Infosecurity Magazine)
Pig butchering victim sues banks for allowing scammers to open accounts (The Record)
Hackers Compromised Argentina’s Airport Security Payroll System (GB Hackers)
Microsoft is using Bing to trick people into thinking they’re on Google (The Verge)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
China criticizes U.S. sanctions.
School districts face cyber attacks over the holiday season.
The U.N.'s International Civil Aviation Organization is investigating a potential data breach.
Eagerbee malware targets government organizations and ISPs in the Middle East.
A major New York medical center notifies 674,000 individuals of a data breach.
Hackers infiltrate Argentina's airport
security police payroll system. An industrial networking firm identifies critical vulnerabilities
in its cellular routers, secure routers, and network security appliances. Phishing click
rates among enterprise users surged in 2024. A California man is suing three banks for allegedly enabling criminals to steal nearly
$1 million from him. On our Threat Vector segment, we preview this week's episode where host David
Moulton speaks with Margaret Kelley about the evolving landscape of cloud breaches.
And Microsoft's Bing demonstrates imitation is the sincerest form of flattery. It's Tuesday, January 7th, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. China has criticized
U.S. sanctions imposed on Beijing-based Integrity Technology Group, accused of involvement in hacking U.S.
critical infrastructure. The U.S. Treasury's move targets the company for alleged ties to
Flax Typhoon, a Chinese state-sponsored cyber campaign. Integrity Technology and China's
foreign ministry rejected the claims, with spokesperson Guo Jiakun accusing Washington of using cybersecurity as a
tool to smear China. Meanwhile, China's National Cybersecurity Information Center reported foreign
cyberattacks on Chinese networks, including from the U.S., Netherlands, and other nations,
involving Trojan programs, botnets, and intellectual property theft.
The sanctions freeze the company's U.S. assets and restrict business with Americans.
The decision follows broader concerns over Chinese cyber espionage campaigns like Salt Typhoon,
which compromise U.S. telecommunications and private data.
U.S. officials recently revealed Salt Typhoon's impact on eight telecom providers
and numerous countries, escalating tensions in cybersecurity. Meanwhile, the U.S. Department
of Defense has added Tencent, a Chinese messaging and gaming giant, to its Chinese military company
list under the Military-Civil Fusion strategy, which aids the Chinese military's
modernization efforts. While inclusion doesn't equate to a ban, it prevents the Pentagon from
working with listed companies and could trigger supply chain issues or further restrictions.
Tencent, which owns WeChat, VOOV, and gaming assets like PUBG and Fortnite, denies the claims and plans to appeal.
Critics argue WeChat aids Beijing's intelligence efforts, with nations like Canada banning it from government devices.
Battery maker CATL, a Tesla supplier, was also added to the list, raising concerns about potential impacts on
global partnerships. Tencent's addition reflects growing tensions between U.S. authorities and
Chinese tech companies. Two U.S. school districts faced cyberattacks over the holiday season,
highlighting a persistent trend of targeting educational institutions during low IT staffing periods.
South Portland Public Schools in Maine discovered a weekend attack through a network detection system,
identifying compromised firewalls linked to an IP address from Bulgaria.
The district acted swiftly, disconnecting equipment and restoring systems before classes resumed.
Officials believe no student or staff data was compromised,
but remain vigilant with continued network monitoring.
In Tennessee, Rutherford County Schools, serving over 51,000 students,
experienced a prolonged disruption from a Thanksgiving cyberattack that exposed some employee and student data.
Third-party investigators are
reviewing the breach and affected individuals will be notified. These incidents echo a broader rise
in ransomware attacks on schools with recovery times ranging from months to significant financial
and educational losses. Federal initiatives, including cybersecurity training and funding,
aim to bolster digital defenses across K-12 schools.
The UN's International Civil Aviation Organization, or ICAO, is investigating a potential data breach
after the hacking group Natohub claimed to have compromised 42,000 documents, including personal data, on BreachForums 2.
Allegedly targeting international organizations, Natohub stated the breach includes names,
birthdates, contact details, and employment histories. The group recently claimed another
breach involving 14,000 UN delegates. ICAO has implemented security measures and is conducting a thorough investigation,
emphasizing the seriousness of the incident.
New variants of the Eagerbee malware framework are targeting government organizations
and ISPs in the Middle East,
with possible links to the Chinese state-backed group CoughingDown, according to Kaspersky.
Eagerbee has exploited Microsoft Exchange ProxyLogon vulnerabilities to gain initial access,
though the attack vector in recent cases remains unclear.
The malware uses DLL hijacking to load a backdoor into memory, enabling 24/7 operations.
Eagerbee's capabilities are enhanced by plugins, including file, process, service, network,
and remote access managers. These tools allow for file manipulation, RDP sessions, and command shell injection, making
the malware both stealthy and persistent.
Kaspersky warns that similar attacks have been observed in Japan,
indicating a global threat. Organizations are urged to patch Exchange servers and monitor
for indicators of compromise to mitigate risks. Richmond University Medical Center in Staten
Island is notifying 674,000 individuals of a data breach from a ransomware attack in May
2023. The incident disrupted the hospital's IT systems for nearly a month and led to the theft
of files containing sensitive information, such as social security numbers, medical details,
and financial data. While the electronic health record system was reportedly unaffected,
manual review revealed compromised files.
The notification comes 18 months after the breach,
raising concerns about delays in incident response
and compliance with HIPAA's 60-day breach notification rule.
Experts attribute such delays
to insufficient cybersecurity skills, budgets, and tools in healthcare organizations.
The medical center faces class-action lawsuits alleging negligence in safeguarding data.
Experts recommend healthcare providers minimize stored data, isolate sensitive information,
and secure identity systems to mitigate future breaches and accelerate response
times. Hackers infiltrated Argentina's Airport Security Police (PSA) payroll system,
exposing vulnerabilities in data management and causing financial losses for personnel.
Attackers accessed salary records, tampered with pay slips, and made unauthorized
deductions of between 2 and 5,000 pesos under misleading labels. Investigators link the breach
to Banco Nacion, responsible for processing payroll, and suggest foreign servers were used,
though domestic involvement isn't ruled out. The PSA has tightened cybersecurity
measures and launched awareness campaigns, but criticism persists over past failures to secure
sensitive data. Industrial networking firm Moxa has identified two critical vulnerabilities in
its cellular routers, secure routers, and network security appliances.
The first flaw exploits hard-coded credentials to gain root access, affecting 10 products.
The second enables OS command injection via input bypass, affecting 7 products and allowing remote exploitation by unauthenticated users.
Rated 8.6 and 9.8 on CVSS,
the vulnerabilities pose significant risks.
Moxa has released patches for many devices
and advises minimizing network exposure,
limiting SSH access,
and using intrusion detection systems
for unpatched products.
New research from Netskope says that phishing
click rates among enterprise users surged by 190% in 2024, with over 8 in 1,000 users
clicking phishing links monthly. The rise stems from increased phishing attempts and more
sophisticated lures. Cloud applications were the top targets at 27%,
with Microsoft accounting for 42% of clicks.
Attackers typically exploit compromised accounts for data theft or business email compromise.
Banking and telco providers were also frequently targeted.
Phishing clicks increasingly came from search engines via
malicious ads and SEO poisoning rather than emails. Other sources included shopping and technology
sites. Ken Liem, a California man, is suing three banks for allegedly enabling criminals to steal
nearly $1 million from him through a cryptocurrency
investment scam. The lawsuit accuses Chong Hing Bank, Fubon Bank, and DBS Bank of failing to
conduct proper anti-money laundering checks under the Bank Secrecy Act, allowing scammers to open
fraudulent accounts. Over six months in 2023, Liem transferred $986,000 to these accounts,
believing he was investing in crypto. He realized the scam when his investments were frozen for
alleged money laundering, followed by a demand for a fake IRS tax payment. Liem alleges the
banks ignored know-your-customer protocols, failing to verify account owner identities or investigate suspicious transactions.
This case highlights a growing trend of romance baiting or pig butchering scams, where victims are defrauded of billions globally.
Similar lawsuits and regulatory efforts worldwide aim to clarify financial institutions' responsibility in preventing such fraud.
Coming up after the break on our Threat Vector segment, we preview this week's episode with David Moulton speaking with Margaret Kelley about the evolving
landscape of cloud breaches. And Microsoft's Bing demonstrates imitation is the sincerest
form of flattery. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It's time for our weekly Threat Vector preview segment.
This time, host David Moulton speaks with Margaret Kelley about the evolving landscape of cloud breaches
and how organizations can defend against sophisticated attacks.
Here's a quick preview of this week's Threat Vector.
Tune into the full show on Thursday,
and don't forget to subscribe so you never miss a single episode.
Let's get into it.
Margaret, last time we tried this, I had issues with neighbors building incredible bits and pieces of landscaping.
I wanted to open today, though, with a quick question.
Do you now have a cybersecurity joke that you want to tell our listening audience?
Absolutely.
How did the hacker get away from the authorities?
I don't know.
You ransomware.
Margaret, given your extensive experience in cybersecurity,
how have you seen the landscape of cloud security breaches evolve over the years?
So when organizations were first moving to the cloud and migrating their workloads, what we saw was a lot of basic misconfigurations that led to really large data breaches. So I still remember reading article after article
about the latest organization
that had exposed all of their data to the internet
because they had made their object-level storage
publicly accessible.
Well, luckily now that is not the headline
that we are seeing constantly anymore.
But now we are seeing these cloud security breaches where the threat actors
are really advanced with their cloud knowledge and that they are using cloud-native attack
techniques to exfiltrate data as opposed to just taking basic data that's publicly accessible.
Are there any patterns or recurring vulnerabilities that have persisted despite the advancements
in cloud technologies?
Yeah, so what we're seeing is each of the cloud service providers are continuously improving
their default security measures, which is something that is always great to see.
But what we are seeing time and time again is kind of the old story of, you know, these organizations not patching their virtual machines and leaving them publicly accessible.
And it's a lot of work to make a virtual machine publicly accessible in a cloud environment.
You got to click a lot of buttons to say, you know, yes, I want this thing to be public.
But what you're still seeing time and time again is really unpatched old hosts with all these vulnerabilities on them that are public
to the internet. And this is something that we continue to see within our investigations.
Margaret, do you have a hypothesis on why that's true? Is it playbooks that deploy automatically and they haven't been updated?
Is it they've forgotten about those machines and they just persist and scale with those mistakes in them?
Is it something else?
these virtual machines are made publicly accessible because the people creating them don't have enough cloud knowledge as well as basic networking experience and knowledge.
So someone said to a random engineer, hey, we need someone to spin up our cloud environment.
Will you do it? And one or two people end up spinning the corporate cloud
environment, but then those people don't have the proper security background. They're not network
engineers. And the easiest way for them to set up the environment is just make these hosts publicly
accessible. So then when they're working in the traditional on-prem environment, they can access these cloud hosts and they don't have to worry about
actually engineering complex networks.
You can just kind of set it up
and they think it's, you know, good enough.
But in reality, you have these public vulnerable hosts
then on the internet.
Looking ahead to the future,
what emerging trends or threats in cloud security do you believe will
demand the most attention from organizations?
So when it comes to emerging cloud threats, we are
continuing to see threat actors broaden their cloud attacks. This is really including automation and scripting.
So we are seeing threat actors deploy resources
in the cloud via a script.
And so the time that it takes a threat actor
to gain initial access, spin up resources,
and exfiltrate data keeps getting shorter and shorter.
David, earlier you asked me about how the evolution of AI
has impacts on these
cloud attacks. And what we are seeing is that attackers now don't have to write their own
scripts by hand. It makes it a lot easier for them to say that they want a script to do X, Y, Z in
the cloud. And that can be written very quickly for them. And so this also
shortens the length of the attack because they don't have to do any of the scripting by hand
anymore. So it sounds like, once again, speed is the ultimate feature, either for an attacker or
a defender. Who can go faster wins the day. Yep, exactly.
And these attacks, sometimes they take a couple months to take place, but a lot of times these attacks are done within a span of two or three days,
and terabytes of data have gone out the door just in the span of a couple hours of that attack timeline.
from Palo Alto Networks to get their insights on cybersecurity, the threat landscape, and the constant changes we face.
See you there.
Be sure to check out
new episodes of Threat Vector
every Thursday
on your favorite podcast app.
Cyber threats are evolving every second, and staying ahead is more than just a
challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker. Run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
And finally, the age-old rivalry between Microsoft's Bing and Google is heating up again, with the former resorting to some pretty clever or sneaky tactics to try to win over users.
If you search Google on Bing right now without signing into a Microsoft account,
you'll be greeted with a page that looks an awful lot like, well, Google.
Yeah, the Bing interface has been modified to mimic the look and feel of its rival's homepage.
And it's not just a simple skin-deep change either.
This mock Google page includes all the trimmings from a search bar to an image
that resembles a Google Doodle. But here's the thing. Underneath this fancy UI, your standard
Bing search results still appear. It's a clever trick and one that might just confuse or delight
users who are new to the world of PC searching. And it's not like Microsoft is trying to hide its hand.
As soon as you click on any of those search results,
the Bing branding rears its head.
But why would Microsoft go to such lengths
to create a fake Google interface?
Well, it seems that this is just one more tactic
in the company's ongoing efforts
to get people to use Bing instead of switching to Google.
Google's Chrome boss, Parisa Tabriz, has made her feelings about Microsoft's behavior clear
in a recent post on X (formerly Twitter), stating,
Imitation is the sincerest form of flattery, but Microsoft spoofing the Google homepage
is another tactic in its long history of tricks to confuse users and limit choice.
So there's some serious shade. At any rate, it's clear that the battle between Bing and Google is far from over,
and we'll be keeping a close eye on how things develop. After all, when it comes to competing for users' attention,
Microsoft is pulling out all the stops, and who knows?
Maybe one day we'll even see a fake Google interface on Bing's homepage
that doubles as a doodle itself.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector,
from the Fortune 500
to many of the world's preeminent
intelligence and law enforcement agencies.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester,
with original music and sound design
by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.