
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, January 6, 2025. I'm Steve Prentiss.

U.S. sanctions China's Integrity Technology for role in Flax Typhoon attacks. Following up on a story we covered last September, U.S. officials are now confirming that the Beijing-based Integrity Technology Group provided China's Ministry of State Security and several Chinese state-backed hacking groups with infrastructure that allows them to attack multiple victims based in the U.S., end quote. China-based hackers working for Integrity Tech, known to the private sector as Flax Typhoon, successfully targeted universities, government agencies, telecommunications providers and media organizations in the U.S. and elsewhere, according to State Department spokesperson Matthew Miller, speaking on Friday. These sanctions freeze all U.S. assets of the company and limit the amount of interaction financial institutions can have with it.

French military contractor Atos dismisses ransomware attack claims. This is following up on a story we covered last April. The France-based company that secures communications for France's military and intelligence services on Friday dismissed as unfounded a ransomware group's claims to have compromised an internal company database. The group, called Space Bears, has promised to publish the stolen data on January 8. Atos, spelled A-T-O-S, employs around 90,000 people and is in negotiations to sell off its advanced computing division to the French state as the company attempts to restructure and avoid financial collapse, end quote.

German airports hit by IT outage. As reported in Reuters, German airports were hit by a nationwide IT outage affecting police systems at border control on Friday, causing disruption and longer immigration queues for passengers from outside the European Union's Schengen travel zone. The Schengen zone consists of 29 European countries that have officially abolished border controls at their mutual borders and placed them under a single jurisdiction. The cause of this IT outage is not yet known, but major airports including Berlin, Frankfurt and Dusseldorf reported longer waiting times at immigration for non-Schengen passengers.

Thanks to today's episode's sponsor, Nudge Security. What do identity risks, data security risks and third-party risks all have in common? They are all exacerbated dramatically by SaaS sprawl. Nudge Security helps you mitigate these risks by delivering an inventory of every SaaS account ever created by anyone in your organization within minutes of starting a free trial. But discovery is just the first step. With Nudge, you can automate ongoing governance tasks like security posture checks, user access reviews, employee offboarding and more. Visit nudgesecurity.com/headlines to start a free trial. That is n-u-d-g-e security dot com.

More than 3 million unencrypted mail servers potentially exposed to sniffing attacks. The security threat monitoring platform Shadowserver is notifying mail server operators that about 3.3 million hosts are running POP3 or IMAP email services without TLS encryption enabled, which can expose usernames and passwords in plain text when transmitted over the Internet. "This means that passwords used for mail access may be intercepted by a network sniffer. Additionally, service exposure may enable password guessing attacks against the server," the company said. Most large-scale operators like Microsoft, Google, Apple and Mozilla have been using TLS for more than 20 years, but it seems some email operators have not got on board with TLS encryption. However, Shadowserver also announced on Friday that it is currently suspending their reporting on this issue due to a large number of potential false positives.

Vulnerability discovered in Nuclei vulnerability scanner. A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, which is a widely used open-source vulnerability scanner. Nuclei is designed to probe modern applications, infrastructure, cloud platforms and networks to identify security flaws, end quote. According to cloud security firm Wiz, which made the discovery, the vulnerability is rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.

Richmond University Medical Center confirms a May 2023 ransomware attack that affected 670,000 individuals. This ransomware attack on the medical center, based in Staten Island, New York, and which provides a range of medical services including inpatient and outpatient care, emergency and specialty care, caused a multi-week disruption and forced staff to revert to manual data entry and individual patient monitoring. No details about the attack itself have been released and no ransomware group has claimed responsibility. The hospital was able to maintain full patient services during the attack. A notice released recently, which refers to a manual review process that released its own findings on December 1, 2024, says that PII and other VIT including financial account information, credit or debit card information and/or health insurance policy information was stolen.

Apple to pay Siri users $20 per device in settlement over privacy violations. The outcome of a class action suit against Apple sees the company agreeing to pay $95 million to settle accusations that the iPhone maker invaded users' privacy through its Siri assistant. According to Reuters, the settlement applies to U.S.-based individuals who are current or former owners or purchasers of a Siri-enabled device, who had their confidential voice communications with the assistant obtained by Apple and/or shared with third parties as a result of an unintended Siri activation. The timeline for this issue is between September 17, 2014 and December 31, 2024. Eligible individuals can submit claims for up to five Siri devices. Valid claims can receive $20 per device.

It's the first full week of 2025, and the CISO Series is back hard at work. We've got new episodes of Defense in Depth and the CISO Series Podcast coming up this week on our usual cadence. And we've got our regular Week in Review livestream this Friday, so be sure you're heading to cisoseries.com to see all the latest content. We will post more blog posts, live content and some new shows, so check in regularly. I'm Steve Prentiss, reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Flax Typhoon Sanctions, ATOS Ransomware Dismissal, German Airport Outage
Hosted by CISO Series, released on January 6, 2025
In this episode of Cyber Security Headlines by CISO Series, host Steve Prentiss delves into significant developments in the realm of information security. The episode covers a range of topics, including U.S. sanctions on a Chinese technology group, the dismissal of ransomware attack claims by a major French contractor, a substantial IT outage at German airports, and several other pressing cybersecurity issues. Below is a comprehensive summary capturing all key points, discussions, insights, and conclusions from the episode.
Overview: The United States has sanctioned Integrity Technology Group, a Beijing-based company, for its role in facilitating cyberattacks. U.S. officials confirm that the company provided China's Ministry of State Security and several Chinese state-backed hacking groups with the infrastructure used to attack multiple victims in the U.S.; the hackers working for the company are known in the private sector as Flax Typhoon. The story follows up on coverage from last September.
Key Details:
The sanctions freeze all U.S. assets of the company and limit the dealings financial institutions may have with it. Victims include universities, government agencies, telecommunications providers and media organizations in the U.S. and elsewhere.
Notable Quote:
"China-based hackers working for Integrity Tech, known to the private sector as Flax Typhoon, successfully targeted universities, government agencies, telecommunications providers, and media organizations in the U.S. and elsewhere," according to State Department spokesperson Matthew Miller, speaking on Friday.
Implications: The sanctions target the company that supplied the attack infrastructure rather than only the operators who used it, an attempt to disrupt the supply side of state-backed operations. The asset freeze and the restrictions on financial institutions are intended to make that infrastructure harder to fund and procure, and to signal to other providers that enabling state-backed intrusions carries consequences.
Overview: Atos, a France-based company that secures communications for France's military and intelligence services, has dismissed as unfounded a ransomware group's claim to have compromised an internal company database. The group, Space Bears, has promised to publish the allegedly stolen data on January 8. The story follows up on coverage from last April.
Key Details:
Atos employs around 90,000 people and is negotiating the sale of its advanced computing division to the French state as part of a restructuring intended to avoid financial collapse. As of the episode the group had published nothing; its stated publication date is January 8.
Implications: Extortion claims like this one are contested in public and are settled by what, if anything, the group publishes on its deadline and whether it can be tied to Atos systems. For a supplier to military and intelligence customers in the middle of a restructuring, a confirmed breach would carry consequences well beyond the data itself, which explains the firm and prompt denial.
Overview: A nationwide IT outage affecting police systems at border control disrupted major German airports on Friday, resulting in longer immigration queues for passengers arriving from outside the European Union's Schengen travel zone.
Key Details:
Berlin, Frankfurt and Dusseldorf reported longer waiting times at immigration for non-Schengen passengers. The Schengen zone consists of 29 European countries that have abolished controls at their mutual borders and placed them under a single jurisdiction. The cause of the outage has not been reported.
Implications: Border-control IT is a single point of failure for airport throughput: while the police systems were unavailable, only travellers who need no border check were unaffected. With the root cause unknown, nothing can be concluded about whether the outage was an attack, a failed change or a hardware fault; the operational lesson is the need for a tested fallback that keeps border checks moving at reduced capacity.
Overview: Shadowserver, a security threat monitoring platform, is notifying mail server operators that about 3.3 million hosts are running POP3 or IMAP services without TLS encryption enabled. Usernames and passwords sent to those services cross the Internet in plain text, where a network sniffer can read them, and the exposed services can also be targeted by password-guessing attacks.
Key Details:
Most large-scale operators, including Microsoft, Google, Apple and Mozilla, have used TLS for more than 20 years. On Friday, Shadowserver said it is suspending its reporting on this issue because of a large number of potential false positives.
Implications: Cleartext POP3 and IMAP put a user's mailbox password on the wire every time the client checks for mail, so a single passive observer on the path collects working credentials at scale. Operators should require TLS (implicit TLS on the dedicated ports, or STARTTLS with cleartext authentication disabled) and confirm the state of their own servers directly rather than relying on a third-party report, since Shadowserver's own suspension shows that scan results can misclassify hosts.
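As an added example (not code from the episode or from Shadowserver), the following Python shows both sides of the exposure described above: how a server's IMAP CAPABILITY or POP3 CAPA advertisement reveals whether STARTTLS is offered, and what a passive observer recovers from the client half of a cleartext POP3 or IMAP session, including SASL PLAIN blobs. All banners, usernames, passwords and session lines are constructed for illustration; `probe_imap_starttls` is a live check for servers you operate and is not exercised by the sample data.

```python
"""Added example: cleartext POP3/IMAP exposure, seen from both the scanner and the sniffer side.
All banners and session lines below are constructed for illustration."""
import base64
import imaplib
import re


def imap_capability_report(capability_line: str) -> dict:
    """Classify an IMAP CAPABILITY response such as
    '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN'.
    STARTTLS: TLS upgrade offered. LOGINDISABLED (RFC 2595): LOGIN refused until encrypted."""
    caps = set(capability_line.strip().upper().split())
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    if starttls and login_disabled:
        risk = "ok: TLS upgrade offered and cleartext LOGIN refused"
    elif starttls:
        risk = "weak: STARTTLS offered but cleartext LOGIN still accepted"
    else:
        risk = "exposed: no STARTTLS, credentials cross the wire in the clear"
    return {"starttls": starttls, "login_disabled": login_disabled, "risk": risk}


def pop3_offers_stls(capa_response: str) -> bool:
    """Parse a POP3 CAPA response (RFC 2449); an STLS line means STARTTLS is available."""
    return any(line.strip().upper() == "STLS" for line in capa_response.splitlines())


# Client commands a sniffer looks for. IMAP literal syntax ({n}) is not handled here.
_POP3_USER = re.compile(r"^USER\s+(\S+)$", re.I)
_POP3_PASS = re.compile(r"^PASS\s+(.+)$", re.I)
_IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', re.I)
# POP3 'AUTH PLAIN [blob]' or IMAP '<tag> AUTHENTICATE PLAIN [blob]'; the base64 blob
# may ride on the command line (SASL initial response) or follow on the next line.
_SASL_PLAIN = re.compile(r"^(?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN(?:\s+(\S+))?$", re.I)


def _decode_sasl_plain(blob: str):
    """RFC 4616 PLAIN: base64( [authzid] NUL authcid NUL password )."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:  # covers binascii.Error, e.g. the client aborted with '*'
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_cleartext_credentials(client_lines: list[str]) -> list[tuple[str, str]]:
    """Return every (username, password) pair visible in the client->server half of an
    unencrypted POP3 or IMAP session: what the exposure hands to anyone on the path."""
    creds: list[tuple[str, str]] = []
    pending_user = None
    expect_blob = False
    for raw in client_lines:
        line = raw.strip()
        if expect_blob:  # blob following 'AUTH PLAIN' that had no initial response
            expect_blob = False
            if (decoded := _decode_sasl_plain(line)) is not None:
                creds.append(decoded)
        elif m := _POP3_USER.match(line):
            pending_user = m.group(1)
        elif (m := _POP3_PASS.match(line)) and pending_user:
            creds.append((pending_user, m.group(1)))
            pending_user = None
        elif m := _IMAP_LOGIN.match(line):
            creds.append((m.group(1), m.group(2)))
        elif m := _SASL_PLAIN.match(line):
            if m.group(1):
                if (decoded := _decode_sasl_plain(m.group(1))) is not None:
                    creds.append(decoded)
            else:
                expect_blob = True
    return creds


def probe_imap_starttls(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Live check for servers you operate (network; not run offline): connect in
    cleartext, read CAPABILITY, report whether STARTTLS is offered."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        return imap_capability_report("* CAPABILITY " + " ".join(conn.capabilities))
    finally:
        conn.logout()


# Constructed sample data: a server offering no TLS, and two sniffed cleartext sessions.
SAMPLE_IMAP_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"
SAMPLE_POP3_CAPA = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n.\r\n"
SAMPLE_POP3_SESSION = ["USER alice", "PASS s3cret!", "STAT", "QUIT"]
SAMPLE_IMAP_SESSION = [
    'a001 LOGIN carol "p4ss-w0rd"',
    "a002 AUTHENTICATE PLAIN " + base64.b64encode(b"\x00bob\x00hunter2").decode(),
    "a003 AUTHENTICATE PLAIN",  # server answers '+', client then sends the blob
    base64.b64encode(b"\x00dave\x00correct-horse").decode(),
    "a004 LOGOUT",
]

if __name__ == "__main__":
    print(imap_capability_report(SAMPLE_IMAP_CAPS)["risk"])
    print("POP3 STLS offered:", pop3_offers_stls(SAMPLE_POP3_CAPA))
    for user, password in extract_cleartext_credentials(SAMPLE_POP3_SESSION + SAMPLE_IMAP_SESSION):
        print(f"leaked credential: {user}:{password}")
```

Run it as a script to see the four leaked credentials from the sample sessions; point `probe_imap_starttls` at your own host on port 143 to get the same report from a real CAPABILITY response. Note that a server advertising STARTTLS without LOGINDISABLED still accepts a cleartext LOGIN from a client that never upgrades, while a server that advertises both is not exposed even though it listens on 143; that distinction is one reason a bare port-143 listener is not proof of exposure and one way a scan can produce the false positives Shadowserver mentioned.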
Overview: A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely used open-source vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms and networks for security flaws. Cloud security firm Wiz, which made the discovery, reports that the vulnerability is rooted in the template signature verification process, which is meant to ensure the integrity of the templates made available in the official templates repository.
Key Details:
Nuclei drives its scans with templates; signature verification is the control that tells users a template is the one published in the official repository and has not been altered. The disclosed flaw affects that control.
Implications: A weakness in template signature verification undermines the assurance that a template is what the official repository published, so a tampered template could be accepted as trusted. Because templates determine what the scanner does against targets, Nuclei users should follow ProjectDiscovery's advisories, apply the fix promptly, and until then treat templates from outside the official repository with the caution due to untrusted code.
Overview: Richmond University Medical Center in Staten Island, New York, which provides inpatient and outpatient, emergency and specialty care, has confirmed a May 2023 ransomware attack affecting about 670,000 individuals. The attack caused a multi-week disruption and forced staff to revert to manual data entry and individual patient monitoring, although the hospital maintained full patient services throughout.
Key Details:
No details of the attack have been released and no ransomware group has claimed responsibility. The recent notice refers to a manual review that reached its findings on December 1, 2024, and states that the stolen data included personal information together with financial account information, credit or debit card information and/or health insurance policy information.
Implications: Roughly eighteen months passed between the attack and the notification to affected individuals, a gap driven by the manual review needed to determine whose data was taken. Healthcare providers hold exactly the combination of identity, payment and insurance data that is most useful for fraud, and an incident that pushes clinical staff onto manual processes shows how directly a ransomware attack becomes an operational and patient-safety problem rather than only a data-protection one.
Overview: Apple has agreed to pay $95 million to settle a class-action lawsuit alleging that it invaded users' privacy through its Siri assistant. Eligible users will receive $20 per device.
Key Details:
According to Reuters, the settlement applies to U.S.-based individuals who are current or former owners or purchasers of a Siri-enabled device and whose confidential voice communications with the assistant were obtained by Apple and/or shared with third parties as a result of an unintended Siri activation. The covered period runs from September 17, 2014 to December 31, 2024. Claims may be submitted for up to five devices, with valid claims receiving $20 each.
Implications: The allegation concerns recordings captured when the user did not intend to invoke the assistant, which is the central privacy risk of always-listening voice interfaces. The settlement shows that unintended activations, and the downstream sharing of the resulting audio, are being treated as actionable privacy harms with financial consequences for the vendor.
The episode covers the range of current cybersecurity events: sanctions against a supplier of state-backed attack infrastructure, a contested ransomware claim against a defense contractor, a critical-infrastructure outage at border control, a large population of mail servers still accepting cleartext credentials, a flaw in the integrity check of a widely used scanner, a healthcare breach notified eighteen months after the fact, and a privacy settlement over voice-assistant recordings.
For a deeper dive into these stories and more, listeners are encouraged to visit CISOseries.com and explore the full articles and upcoming podcast episodes, including Defense in Depth and the Week in Review livestream.