CyberWire Daily: A Breach in the U.S. Treasury
Release Date: January 2, 2025
Host: Dave Bittner
Guest: Mick Baccio, Global Security Advisor at Splunk
Introduction
In the January 2, 2025 episode of CyberWire Daily, hosted by Dave Bittner, the focus centers on a significant cybersecurity breach within the U.S. Treasury Department. The episode delves into the mechanics of the attack, its broader implications, and expert insights on bridging the cybersecurity resilience gap. Additionally, the episode covers a spectrum of other pressing cybersecurity incidents and legislative updates shaping the industry.
Major Cybersecurity Incidents
1. U.S. Treasury Department Breach
At [00:40], Dave Bittner reports that Chinese state-sponsored hackers successfully breached the U.S. Treasury Department. The attack, attributed to the Salt Typhoon APT group, exploited two zero-day vulnerabilities in BeyondTrust's Remote Support SaaS platform. Using a stolen API key, the attackers reset passwords, gained privileged access, and exfiltrated sensitive agency documents.
- Detection and Response: BeyondTrust identified the breach on December 8, promptly shutting down compromised instances and revoking the API key. Federal authorities, including the FBI and CISA, confirmed that the hackers no longer retained access to Treasury systems.
- Broader Impact: This breach follows similar espionage activities targeting major telecommunications companies such as AT&T and Verizon. The Salt Typhoon campaign initially impacted eight companies, with a ninth victim identified after detailed federal guidance on Chinese hacking tactics was released.
Quote:
- Dave Bittner [00:40]: "Using a stolen API key, the attackers reset passwords, gained privileged access and stole agency documents."
2. Chrome Extensions Phishing Campaign
A sophisticated phishing campaign compromised at least 35 Chrome extensions, including those from Cyberhaven, affecting approximately 2.6 million users. The campaign, active since March 2024 and escalating in December, saw attackers impersonate Google to deceive extension developers into granting permissions to a malicious OAuth app. This allowed the injection of data-stealing code targeting Facebook business accounts, extracting user credentials and access tokens.
- Security Flaws Exploited: The campaign bypassed multi-factor authentication by capturing QR codes used for login verification, highlighting significant vulnerabilities in Chrome extension security.
Quote:
- Dave Bittner [00:40]: "Despite multi-factor authentication protections, the phishing method effectively exploited OAuth workflows, exposing significant vulnerabilities in Chrome extension security."
3. Arrest of U.S. Army Soldier for Cybercrimes
Federal authorities arrested Cameron John Wagenius, a 20-year-old U.S. Army soldier, on allegations of stealing and leaking sensitive data from AT&T and Verizon. Operating under the alias Kiberphant0m, Wagenius is accused of hacking 15 telecom firms and leaking call logs of high-profile individuals, including President-Elect Trump and Vice President Kamala Harris.
- Investigation Insights: Swift action by security researchers, who identified operational security lapses, led to his arrest near Fort Hood, Texas. The case underscores the escalating risks faced by young cybercriminals and the growing capability of law enforcement to prosecute such offenses.
Quote:
- Dave Bittner [00:40]: "Experts warn young cybercriminals of escalating risks as law enforcement improves its ability to track and prosecute cybercrimes domestically."
4. Volkswagen EV Data Exposure
Volkswagen's subsidiary, Cariad, inadvertently exposed sensitive data of 800,000 EV owners due to a misconfigured Amazon cloud server. The data, including precise location and movement information, was pseudonymized and could only be linked to individuals through a multi-stage process; no passwords or payment details were compromised. The exposure was discovered by the Chaos Computer Club, which alerted VW and granted a 30-day window for resolution.
- Impact: High-profile individuals, including German politicians and intelligence personnel, were among those affected.
5. Rhode Island Ransomware Linked Breach
Rhode Island confirmed a data breach associated with the ransomware group Brain Cipher, compromising personal information of citizens applying for health services. Deloitte, the state's vendor, reported that the data was leaked on the dark web. Governor Dan McKee advised residents to freeze and monitor their credit to safeguard financial information.
- Scale of Breach: The group claims to have stolen one terabyte of data, targeting systems beyond Deloitte's network.
6. Ascension Healthcare Data Breach
A cyberattack in May 2024 on healthcare giant Ascension exposed the personal and medical data of 5.6 million customers. The breach occurred when an employee inadvertently downloaded a malicious file, leading to the exposure of medical records, payment information, government IDs, and personal details. Although Ascension assured that core clinical systems remained secure, the incident highlights persistent vulnerabilities in healthcare cybersecurity.
7. Windows BitLocker Vulnerability
Researcher Thomas Lambertz revealed that a recent patch to Windows BitLocker encryption remains insufficient. Using the BitPixie method, Lambertz demonstrated how rebooting a device in recovery mode with PXE booting enabled can extract encryption keys from memory, allowing data decryption. He criticized Microsoft's patch as inadequate, recommending that the network stack be disabled in the BIOS/UEFI settings as the only effective mitigation.
8. Exploitation of Palo Alto Firewalls
A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls to deploy a custom malware backdoor known as LITTLELAMB.WOOLTEA. The malware masquerades as a logd file and provides extensive functionality, including file manipulation and network tunneling. Palo Alto has patched the flaw and advised administrators to restrict access to the web management interface to trusted IP addresses.
9. DOJ Bans Sale of Sensitive U.S. Data to Adversarial Nations
The U.S. Department of Justice (DOJ) finalized a rule prohibiting the sale of Americans' sensitive data, including biometric, geolocation, health, and financial information, to adversarial nations such as China, Russia, and Iran. This regulation, stemming from a February executive order, aims to prevent hostile nations from leveraging such data for AI development, cyber espionage, and influence operations. Implementation is set to begin three months after publication in the Federal Register.
10. HHS Proposes HIPAA Cybersecurity Updates
The Department of Health and Human Services (HHS) has proposed updates to HIPAA cybersecurity rules in response to increasing healthcare data breaches and ransomware attacks. The proposed measures mandate:
- Encryption of Protected Health Information (PHI)
- Multi-Factor Authentication (MFA)
- Network Segmentation to limit attacker movement within networks
White House official Anne Neuberger emphasized the urgency of these updates, highlighting the potential risks to critical infrastructure and patient safety if action is not taken.
Quote:
- Dave Bittner [00:40]: "The proposed measures include mandatory encryption of protected health information, multi-factor authentication and network segmentation to limit attackers' movements."
Expert Insights: Bridging the Cybersecurity Resilience Gap
Guest: Mick Baccio, Global Security Advisor at Splunk
Interview with: Dave Bittner and Jen Easterly, CISA Director
Understanding the Resilience Confidence Gap
Mick Baccio discusses the resilience confidence gap, a phenomenon where organizations believe they are secure against certain threats while being unprepared for others. Referencing the Foundry report, Baccio notes that 52% of decision-makers in both public and private sectors lack confidence in their understanding of digital resilience requirements.
Quote:
- Mick Baccio [17:33]: "Organizations that prioritize foundational security will be better positioned to implement new technologies effectively."
Challenges in Cybersecurity Prioritization
Baccio identifies a tendency among organizations to favor "cool" and innovative solutions, such as AI and automation, over foundational security measures like asset inventory, patch management, and multi-factor authentication. This misalignment often stems from limited budgets, with 82% of organizations facing budget-related obstacles to implementing essential security measures.
Quote:
- Jen Easterly [16:23]: "Focusing on the basics is not very sexy, but it's crucial for building a strong security foundation."
Strategic Recommendations
To bridge the resilience gap, Baccio emphasizes the importance of:
- Prioritizing Foundational Security: Ensuring that basic security practices are robust before adopting advanced technologies.
- Enhancing Budget Allocation: Allocating resources effectively to cover both foundational and innovative security needs.
- Fostering Partnerships: Leveraging collaborations with Information Sharing and Analysis Centers (ISACs) and public-private partnerships to share knowledge and resources.
- Adopting a Community Approach: Recognizing that collective efforts amplify security measures across the board.
Quote:
- Mick Baccio [22:53]: "Partnerships, whether with ISACs or public-private collaborations, are invaluable in addressing shared cybersecurity challenges."
CISA's Role in Enhancing National Cybersecurity
Jen Easterly, CISA Director, reflects on CISA's achievements in 2024, highlighting:
- Proactive Initiatives: Launching the Pre-Ransomware Notification Initiative, sending over 2,100 alerts to mitigate threats.
- Vulnerability Management: Blocking 1.26 billion malicious connections and remediating 861 vulnerabilities.
- Cyber Defense Exercises: Conducting Cyber Storm IX, preparing over 2,200 participants for advanced threats.
- Election Security: Implementing the Protect 2024 election portal to secure the November elections.
- Global Partnerships: Initiating an international strategic plan to advance global cybersecurity collaborations.
Easterly underscores the critical need for ongoing collaboration to address emerging threats and ensure CISA's resilience and innovation amidst evolving geopolitical challenges.
Quote:
- Jen Easterly [22:53]: "Collaboration is essential to address emerging threats and ensure CISA remains a cornerstone of US cybersecurity."
Conclusion
The episode concludes by emphasizing the intricate and evolving landscape of cybersecurity, underscored by significant breaches and legislative actions. Expert insights from Mick Baccio and Jen Easterly highlight the imperative for organizations to prioritize foundational security measures, foster strategic partnerships, and navigate budgetary constraints effectively. As cyber threats become more sophisticated, the collective efforts of industry leaders, government agencies, and international partners remain pivotal in safeguarding critical infrastructure and sensitive data.
Key Takeaways:
- Foundational Security is Paramount: Organizations must solidify basic security practices to defend against sophisticated attacks.
- Budget and Resource Allocation: Efficient use of limited resources is crucial for implementing both foundational and advanced security measures.
- Collaborative Efforts: Partnerships and information sharing enhance overall cybersecurity resilience.
- Legislative Updates: New rules and proposed regulations aim to bolster data protection and limit adversarial access, emphasizing the government's role in cybersecurity.
For more detailed insights and ongoing updates in cybersecurity, tune into future episodes of CyberWire Daily.
