
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, January 7, 2025. I'm Lauren Verno.

Wallet drainer malware makes major impact
In case you weren't keeping up with the impact of wallet drainer malware in 2024, don't worry, not many of us were. A new report found close to 500 million was stolen through the malicious cryptocurrency scams. The report from Scam Sniffer found a 67% increase from the previous year, with over 332,000 victims. The largest single thefts included over 55 million and 32 million, which occurred in August and September, despite the highest activity being recorded in Q1.

US telecom breach list grows
Three more communication companies, Charter Communications, Consolidated Communications and Windstream, have joined the list of those impacted by the Salt Typhoon breach. Now that's according to the Wall Street Journal. A White House official announced the breach last month, stating that Chinese hackers targeted nine US telecom companies, though it remains unclear whether these three are part of the initial nine or additional victims. As of this recording, AT&T, Verizon, Lumen and T-Mobile are the four communication providers that have confirmed being impacted by the attack.

Urgent warning on Moxa router vulnerabilities
Moxa has disclosed two critical vulnerabilities in its industrial networking devices, impacting several models of routers and network security appliances. The flaws allow attackers to escalate privileges to root and execute arbitrary commands, with one exploitable remotely without authentication. While Moxa has released patches for many affected devices, some models, like the NAT-102 and OnCell LTE4 series, require direct support or have no patch available. The company advises immediate action, including limiting network exposure, restricting SSH access, and deploying intrusion detection systems to mitigate the risk.

Android infostealer masquerades as Telegram Premium
An Android malware named FireScam is posing as a Telegram Premium app to steal sensitive data and maintain persistent control over infected devices. Distributed through a phishing site impersonating RuStore, a Russian app store, the malware uses a multi-stage infection process and requests extensive permissions to intercept notifications, messages and app data while preventing legitimate updates. Stolen information is exfiltrated to a Firebase database and transmitted via a command and control server, leveraging legitimate services to evade detection.

Thanks to today's episode sponsor, Nudge Security. Who's using AI tools in your org? Find out today with Nudge Security. Nudge Security discovers every gen AI tool ever used in your org, even those you've never heard of. For each tool, you'll see who introduced it, who else is using it, where it's integrated into other tools, and a vendor security profile. Visit nudgesecurity.com/AI and get your free gen AI inventory today. That's nudgesecurity.com/AI.

New EAGERBEE variant lands globally
The EAGERBEE malware is just that, an eager bee. A new variant of the malware, previously linked to Chinese state-backed groups, is now targeting ISPs and government entities in the Middle East. Known for its stealth and in-memory operations, the malware features advanced plugins for file manipulation, remote access, service control and network monitoring, all orchestrated via a plugin manager attributed to the CoughingDown threat group. The malware has connections to earlier attacks exploiting the ProxyLogon vulnerability targeting Southeast Asian organizations.

The cyber attacks that just keep giving
We all know hackers don't take the day off, even during the holidays. Two US school districts in Maine and Tennessee fell victim to attacks over Christmas and New Year's, a time when cybercriminals know IT staffing will be low. South Portland Public Schools in Maine, which serves 3,000 students and nearly 600 employees, detected a breach that led them to take their network offline, and although no data was compromised, the attack did cause significant disruption. Meanwhile, Rutherford County Schools in Tennessee, which serves more than 51,000 students, revealed in late December they had been dealing with a, quote, "network and systems disruption" since the Thanksgiving holiday. That attack did lead to employee personal information being stolen.

Tenable issues Nessus update
Two Tenable Nessus agent versions have been disabled after it was discovered they would go offline when installing a faulty update. The affected versions, 10 and 10, were disabled, with Tenable releasing version 10 to resolve the issue and resume plugin feed updates, advising customers to either update to the new version or downgrade to the prior version. Organizations using agent profiles are also instructed to reset and manually update the plugins to restore functionality.

Argentina airport security compromised
Hackers have reportedly compromised Argentina's airport security payroll system, gaining access to personal and financial data of officers and civilian staff. The attackers used a vulnerability in Banco Nación's systems, which processes the payroll, to withdraw small amounts from employees' salaries under false labels, ranging from 2,000 to 5,000 pesos, which is about 100 to 245 American dollars. The airport security force has blocked some services in response and launched an internal cybersecurity campaign, though it remains unclear if the attack was financially or politically motivated.

We still struggle to identify and manage hardware once it reaches its point of usefulness or end of life. There's often no stated expiration date up front. After years of ownership, the manufacturers will let you know by no longer supporting the now very vulnerable equipment with patch updates. Do we need to change how cybersecurity sunsets hardware? That's one of the segments we're digging into in the latest episode of the CISO Series Podcast. We just published our new episode today at cisoseries.com, so look for "Ew! How long has this router been in the fridge?" wherever you get your podcasts. I'm Lauren Verno reporting for the CISO Series.
A
Cybersecurity Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines: Detailed Summary of January 7, 2025 Episode
Podcast Information:
In the January 7, 2025 episode of Cyber Security Headlines hosted by Lauren Verno from the CISO Series, a comprehensive overview of the most pressing cybersecurity issues of the day was presented. The episode delved into the escalating threat of wallet drainer malware, expanding breaches within U.S. telecom companies, critical vulnerabilities in industrial networking devices, sophisticated Android malware, and other significant security incidents globally. This summary encapsulates the key discussions, insights, and conclusions drawn during the episode.
Lauren Verno opened the episode by addressing the surge in wallet drainer malware's impact over the past year.
"A new report found close to 500 million was stolen through the malicious cryptocurrency scams," she stated at [00:07].
Key Highlights:
Insights: The dramatic rise in wallet drainer attacks underscores the growing sophistication of cybercriminals targeting the burgeoning cryptocurrency market. Organizations and individuals must enhance their security measures to safeguard digital assets.
The episode highlighted expanding cybersecurity breaches within the U.S. telecommunications sector.
"Chinese hackers targeted nine US telecom companies," a White House official announced last month, as reported by Lauren at [02:30].
Key Points:
Conclusions: The expansion of the breach list among major telecom providers signifies a targeted and persistent threat from sophisticated adversaries, necessitating robust defenses and timely incident response strategies within the sector.
Lauren Verno addressed critical vulnerabilities discovered in Moxa’s industrial networking devices.
"The flaws allow attackers to escalate privileges to root and execute arbitrary commands," she explained at [04:15].
Details Include:
Recommendations: Immediate action is essential for organizations utilizing affected Moxa devices to implement the recommended mitigation strategies and secure their networks against potential exploitation.
The episode shed light on a sophisticated Android malware named FireScam that impersonates the Telegram Premium app.
"FireScam is posing as a Telegram Premium app to steal sensitive data," Lauren stated at [05:45].
Key Aspects:
Implications: The meticulous design of Firescam highlights the escalating complexity of mobile threats, emphasizing the need for users to download apps only from trusted sources and for organizations to enforce stringent mobile security policies.
Lauren Verno discussed the emergence of a new variant of the EAGERBEE malware.
"A new variant of the malware ... is now targeting ISPs and government entities in the Middle East," she reported at [06:30].
Highlights:
Analysis: The evolution of EAGERBEE underscores the persistent and adaptive nature of state-sponsored malware, targeting critical infrastructure and government entities with enhanced stealth and operational capabilities.
The episode covered recent cyber attacks on educational institutions in the United States.
"Two US School districts in Maine and Tennessee fell victim to attacks over Christmas and New Year's," Lauren noted at [07:15].
Details:
Conclusion: These attacks highlight the vulnerability of educational institutions to cyber threats, especially during periods of reduced staffing, emphasizing the need for robust security measures and incident response plans in such environments.
Tenable experienced issues with their Nessus security agents following an update.
"Nessus agents have been disabled after it was discovered they would go offline when installing a faulty update," Lauren explained at [08:00].
Key Points:
Recommendations: Immediate updating or downgrading is crucial for organizations relying on Nessus agents to ensure continuous vulnerability scanning and security monitoring.
Lauren Verno reported a significant security breach involving Argentina's airport security payroll system.
"Hackers have reportedly compromised Argentina's Airport Security payroll system," she stated at [09:00].
Details:
Implications: This incident underscores the critical importance of securing financial and personal data within public sector institutions and the potential for both financial and reputational damage resulting from such breaches.
Towards the end of the episode, Lauren touched upon the challenges related to managing the lifecycle of hardware in cybersecurity.
"Do we need to change how cybersecurity sunsets hardware? That's one of the segments we're digging into," she teased at [09:30].
Key Discussion Points:
Conclusion: Effective lifecycle management of hardware is essential to maintain cybersecurity integrity. Organizations may need to develop more structured strategies for hardware replacement and decommissioning to mitigate vulnerabilities associated with outdated equipment.
Lauren Verno concluded the episode by encouraging listeners to visit CISOseries.com for more in-depth stories behind the headlines and to stay informed about the latest developments in cybersecurity.
"Cybersecurity Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines," she reminded listeners at [08:49].
This episode of Cyber Security Headlines provided a comprehensive overview of significant cybersecurity threats and incidents, emphasizing the evolving nature of cyber threats and the critical need for organizations to stay vigilant and proactive in their security measures.