A breach in the U.S. Treasury. - CyberWire Daily

Summary

CyberWire Daily: A Breach in the U.S. Treasury

Release Date: January 2, 2025
Host: Dave Bittner
Guest: Mick Baccio, Global Security Advisor at Splunk

Introduction

In the January 2, 2025 episode of CyberWire Daily, hosted by Dave Bittner, the focus centers on a significant cybersecurity breach within the U.S. Treasury Department. The episode delves into the mechanics of the attack, its broader implications, and expert insights on bridging the cybersecurity resilience gap. Additionally, the episode covers a spectrum of other pressing cybersecurity incidents and legislative updates shaping the industry.

Major Cybersecurity Incidents

1. U.S. Treasury Department Breach

At [00:40], Dave Bittner reports that Chinese state-sponsored hackers successfully breached the U.S. Treasury Department. The attack, attributed to the Salt Typhoon APT group, exploited two zero-day vulnerabilities in Beyond Trust's remote support SaaS platform. Utilizing a stolen API key, the attackers reset passwords, gained privileged access, and exfiltrated sensitive agency documents.

Detection and Response: Beyond Trust identified the breach on December 8, promptly shutting down compromised instances and revoking the API key. Federal authorities, including the FBI and CISA, confirmed that the hackers no longer retained access to Treasury systems.
Broader Impact: This breach follows similar espionage activities targeting major telecommunications companies like AT&T and Verizon. The Salt Typhoon campaign initially impacted eight companies, with a ninth victim identified after detailed federal guidance on Chinese hacking tactics was released.
Quotes:
- Dave Bittner [00:40]: "Using a stolen API key, the attackers reset passwords, gained privileged access and stole agency documents."

2. Chrome Extensions Phishing Campaign

A sophisticated phishing campaign compromised at least 35 Chrome extensions, including those from Cyberhaven, affecting approximately 2.6 million users. Active since March 2024 and escalating in December, attackers impersonated Google to deceive developers into granting permissions to a malicious OAuth app. This allowed the injection of data-stealing code targeting Facebook business accounts, extracting user credentials and access tokens.

Security Flaws Exploited: The campaign bypassed multi-factor authentication by capturing QR codes used for login verification, highlighting significant vulnerabilities in Chrome extension security.
Quote:
- Dave Bittner [00:40]: "Despite multi-factor authentication protections, the phishing method effectively exploited OAuth workflows, exposing significant vulnerabilities in Chrome extension security."

3. Arrest of U.S. Army Soldier for Cybercrimes

Federal authorities arrested Cameron John Waghenius, a 20-year-old U.S. Army soldier, under allegations of stealing and leaking sensitive data from AT&T and Verizon. Operating under the alias Cyber Phantom, Waghenius is accused of hacking 15 telecom firms and leaking call logs of high-profile individuals, including President-Elect Trump and Vice President Kamala Harris.

Investigation Insights: Swift action by security researchers, who identified operational security lapses, led to his arrest near Fort Hood, Texas. The case underscores the escalating risks posed by young cybercriminals and the enhanced capabilities of law enforcement to prosecute such offenses.
Quote:
- Dave Bittner [00:40]: "Experts warn young cybercriminals of escalating risks as law enforcement improves its ability to track and prosecute cybercrimes domestically."

4. Volkswagen EV Data Exposure

Volkswagen's subsidiary, Cariad, inadvertently exposed sensitive data of 800,000 EV owners due to a misconfigured Amazon cloud server. The data, including precise location and movement information, was accessed through a pseudonymized but multi-stage process, ensuring no passwords or payment details were compromised. The breach was discovered by the Chaos Computer Club, which alerted VW, granting a 30-day window for resolution.

Impact: High-profile individuals, including German politicians and intelligence personnel, were among those affected.

5. Rhode Island Ransomware Linked Breach

Rhode Island confirmed a data breach associated with the ransomware group Brain Cipher, compromising personal information of citizens applying for health services. Deloitte, the state's vendor, reported that the data was leaked on the dark web. Governor Dan McKee advised residents to freeze and monitor their credit to safeguard financial information.

Scale of Breach: The group alleged to have stolen one terabyte of data, targeting systems beyond Deloitte’s network.

6. Ascension Healthcare Data Breach

A cyberattack in May 2024 on healthcare giant Ascension exposed the personal and medical data of 5.6 million customers. The breach occurred when an employee inadvertently downloaded a malicious file, leading to the exposure of medical records, payment information, government IDs, and personal details. Although Ascension assured that core clinical systems remained secure, the incident highlights persistent vulnerabilities in healthcare cybersecurity.

7. Windows BitLocker Vulnerability

Researcher Thomas Lamberts revealed that a recent patch to Windows BitLocker encryption remains insufficient. Using the BitPixie method, Lamberts demonstrated how rebooting a device in recovery mode with PXE booting enabled can extract encryption keys from memory, allowing data decryption. He criticized Microsoft's patch as inadequate, recommending the disablement of the network stack in BIOS as the only effective mitigation.

8. Exploitation of Palo Alto Firewalls

A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls to deploy a custom malware backdoor known as Little Lamb Woolt. The malware masquerades as a logd file, providing extensive functionality including file manipulation and network tunneling. Palo Alto has patched the flaw and advised administrators to restrict Web management portal access to trusted IPs.

9. DOJ Bans Sale of Sensitive U.S. Data to Adversarial Nations

The U.S. Department of Justice (DOJ) finalized a rule prohibiting the sale of American sensitive data, including biometric, geolocation, health, and financial information, to adversarial nations such as China, Russia, and Iran. This regulation, stemming from a February executive order, aims to thwart hostile nations from leveraging such data for AI development, cyber espionage, and influence operations. Implementation is set to commence three months post-publication in the Federal Register.

10. HHS Proposes HIPAA Cybersecurity Updates

The Department of Health and Human Services (HHS) has proposed updates to HIPAA cybersecurity rules in response to increasing healthcare data breaches and ransomware attacks. The proposed measures mandate:

Encryption of Protected Health Information (PHI)
Multi-Factor Authentication (MFA)
Network Segmentation to limit attacker movement within networks

White House Official Ann Neuberger emphasized the urgency of these updates, highlighting the potential risks to critical infrastructure and patient safety if action is not taken.

Quote:
- Dave Bittner [00:40]: "The proposed measures include mandatory encryption of protected health information, multi-factor authentication and network segmentation to limit attackers movements."

Expert Insights: Bridging the Cybersecurity Resilience Gap

Guest: Mick Baccio, Global Security Advisor at Splunk
Interview with: Dave Bittner and Jenn Easterly, CISA Director

Understanding the Resilience Confidence Gap

Mick Baccio discusses the resilience confidence gap, a phenomenon where organizations believe they are secure against certain threats while being unprepared for others. Referencing the Foundry report, Baccio notes that 52% of decision-makers in both public and private sectors lack confidence in their understanding of digital resilience requirements.

Quote:
- Mick Baccio [17:33]: "Organizations that prioritize foundational security will be better positioned to implement new technologies effectively."

Challenges in Cybersecurity Prioritization

Baccio identifies a tendency among organizations to favor "cool" and innovative solutions, such as AI and automation, over foundational security measures like asset inventory, patch management, and multi-factor authentication. This misalignment often stems from limited budgets, with 82% of organizations facing budget-related obstacles to implementing essential security measures.

Quote:
- Jenn Easterly [16:23]: "Focusing on the basics is not very sexy, but it's crucial for building a strong security foundation."

Strategic Recommendations

To bridge the resilience gap, Baccio emphasizes the importance of:

Prioritizing Foundational Security: Ensuring that basic security practices are robust before adopting advanced technologies.
Enhancing Budget Allocation: Allocating resources effectively to cover both foundational and innovative security needs.
Fostering Partnerships: Leveraging collaborations with Information Sharing and Analysis Centers (ISACs) and public-private partnerships to share knowledge and resources.
Adopting a Community Approach: Recognizing that collective efforts amplify security measures across the board.

Quote:
- Mick Baccio [22:53]: "Partnerships, whether with ISACs or public-private collaborations, are invaluable in addressing shared cybersecurity challenges."

CISA's Role in Enhancing National Cybersecurity

Jenn Easterly, CISA Director, reflects on CISA's achievements in 2024, highlighting:

Proactive Initiatives: Launching the Pre-Ransomware Notification Initiative, sending over 2,100 alerts to mitigate threats.
Vulnerability Management: Blocking 1.26 billion malicious connections and remediating 861 vulnerabilities.
Cyber Defense Exercises: Conducting Cyberstorm 9, preparing over 2,200 participants for advanced threats.
Election Security: Implementing the Protect 2024 election portal to secure the November elections.
Global Partnerships: Initiating an international strategic plan to advance global cybersecurity collaborations.

Easterly underscores the critical need for ongoing collaboration to address emerging threats and ensure CISA's resilience and innovation amidst evolving geopolitical challenges.

Quote:
- Jenn Easterly [22:53]: "Collaboration is essential to address emerging threats and ensure CISA remains a cornerstone of US cybersecurity."

Conclusion

The episode concludes by emphasizing the intricate and evolving landscape of cybersecurity, underscored by significant breaches and legislative actions. Expert insights from Mick Baccio and Jenn Easterly highlight the imperative for organizations to prioritize foundational security measures, foster strategic partnerships, and navigate budgetary constraints effectively. As cyber threats become more sophisticated, the collective efforts of industry leaders, government agencies, and international partners remain pivotal in safeguarding critical infrastructure and sensitive data.

Key Takeaways:

Foundational Security is Paramount: Organizations must solidify basic security practices to defend against sophisticated attacks.
Budget and Resource Allocation: Efficient use of limited resources is crucial for implementing both foundational and advanced security measures.
Collaborative Efforts: Partnerships and information sharing enhance overall cybersecurity resilience.
Legislative Updates: New rules and proposed regulations aim to bolster data protection and limit adversarial access, emphasizing the government's role in cybersecurity.

For more detailed insights and ongoing updates in cybersecurity, tune into future episodes of CyberWire Daily.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire Network powered by N2K.

Mick Baccio (0:14)

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere.

Dave Bittner (0:40)

You do business Chinese hackers breach the U.S. treasury Department at least 35 Chrome extensions are compromised. Federal authorities arrest a U.S. army soldier over accusations of sensitive data stolen from AT&T and Verizon. A misconfigured Amazon cloud server exposes sensitive data from over 800,000 VW EV owners. Rhode island confirms a data breach linked to ransomware group Brain Cipher. Ascension Healthcare confirms the exposure of the personal and medical data of 5.6 million customers. A recent patch to Windows BitLocker encryption proves in inadequate A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls for espionage. The DOJ bans the sale of American sensitive data to adversarial nations. HHS proposes a HIPAA update to address cybersecurity Our guest is Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience Gap and CISA. Director Easterly looks back at 20 foreign 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Happy New Year and thank you for joining us here once again. It is great to have you with us. Chinese state sponsored hackers breached the U.S. treasury Department through a compromised remote support platform provided by Beyond Trust. The attack attributed to the Salt Typhoon APT group exploited two zero day vulnerabilities in Beyond Trust's remote support SaaS. Using a stolen API key, the attackers reset passwords, gained privileged access and stole agency documents. Beyond Trust detected The breach on December 8, shut down compromised instances and revoked the API key. The FBI and CISA assisted in the investigation, confirming the hackers no longer have access to treasury systems. The breach follows AT and T and Verizon's confirmation that they've expelled Chinese cyber espionage hackers from their networks following a months long Salt Typhoon campaign. The attackers exploited vulnerabilities to intercept calls, geo locate individuals and access metadata. The breach originally impacted eight companies, but a ninth victim was recently identified after the federal government issued detailed guidance on Chinese tactics. The companies targeted include major players like AT and T. Verizon and Lumen. T Mobile previously reported breaches but said no sensitive customer data was stolen. The hackers leveraged poorly secured admin accounts, giving them sweeping access across networks, including lawful intercept back doors used for court ordered wiretaps. Investigations were complicated by inadequate logging and the attackers efforts to erase their tracks. The White House has called for improved cybersecurity practices, urging measures like network segmentation and better logging. The FCC is also considering mandatory cybersecurity standards and the US plans to ban China Telecom's remaining operations. A phishing campaign targeting Chrome Extension developers compromised at least 35 extensions, including one from cybersecurity firm Cyberhaven, impacting around 2.6 million users. The attack, active since March of 2024, escalated in December with phishing emails impersonating Google. Developers were tricked into granting permissions to a malicious OAuth app, allowing attackers to inject data stealing code into extensions. The malicious code targeted Facebook business accounts, stealing user credentials, IDs, access tokens and ad account information. Threat actors even bypassed two factor authentication by capturing QR codes used for login verification. Extensions were hijacked to distribute new malicious versions via the Chrome Web Store. Investigators identified command and control domains linked to the campaign and suspect many more extensions were targeted. Despite multi factor authentication protections, the phishing method effectively exploited OAuth workflows, exposing significant vulnerabilities in Chrome extension security. Krebs on security reports that federal Authorities have arrested 20 year old US army soldier Cameron John Waghenius, accusing him of being Cyber Phantom or Kyber Phantom. It's hard to say it's Cyber or Kyber with a K. A cybercriminal who sold and leaked sensitive data stolen from AT and T and Verizon. Wigenius, a communications specialist stationed in South Korea, was apprehended near Fort Hood, Texas in December after an indictment for unlawfully transferring confidential phone records. Cyber Phantom allegedly hacked 15 telecom firms, including AT and T and Verizon, and leaked call logs of prominent figures such as President Elect Trump and Vice President Kamala Harris. He also offered SIM swapping services and posted stolen data schemas linked to the nsa. The Swift investigation, spanning just weeks, relied on security researchers identifying operational security mistakes. Experts warn young cybercriminals of escalating risks as law enforcement improves its ability to track and prosecute cybercrimes domestically. This case has been transferred to the Western District of Washington. A Volkswagen subsidiary, Cariad, exposed sensitive data from 800,000 EV owners due to a misconfigured Amazon cloud server. The leak included contact information, movement data and precise location Data accurate to within 10cm for Volkswagen and Seat vehicles and 10km for Audi and Skoda. High profile individuals including German politicians, Hamburg police and intelligence employees were affected. The hacker group Chaos Computer Club discovered the breach and alerted authorities, giving VW 30 days to resolve it. Volkswagen confirmed the data was pseudonymized and accessed through a complex multi stage process. No passwords or payment details were exposed. Rhode island has confirmed that cybercriminals have published personal data stolen from its social services portal RI Bridges. The breach linked to ransomware group Brain Cipher compromised citizen sensitive information, including data from individuals applying for health services. Deloitte, the state's vendor, revealed that files had been leaked on the dark web. Governor Dan McKee stated that it teams were analyzing the release data, urging residents to freeze and monitor credit to protect financial information. Social engineering attacks are also a concern. RI Bridges remains offline with investigations ongoing. Brain Cipher claims to have stolen one terabyte of data in the December breach, targeting systems outside Deloitte's network. Deloitte and Rhode island have not verified these claims. A December 20 filing with Maine's Attorney General revealed that a May 8 cyber attack on healthcare giant Ascension exposed the personal and medical data of 5.6 million customers. The breach occurred after an employee mistakenly downloaded a malicious file. Exposed data varies by individual and includes medical records, payment information, government IDs and personal details. Although Ascension confirmed its core clinical systems were not accessed, the incident highlights ongoing vulnerabilities in healthcare cybersecurity, following similar breaches in 2024 at Change Healthcare and Kaiser Permanente proposed legislation. The Healthcare Cybersecurity and Resilience act seeks to bolster defenses with grants for healthcare organizations. A recently patched flaw in Windows BitLocker encryption remains vulnerable to attacks, researcher Thomas Lamberts revealed at the Chaos Communication Congress. Using a method called BitPixie, Lamberts demonstrated how rebooting a device in recovery mode with PXE booting enabled allowed him to extract encryption keys from memory and decrypt data. Lamberts criticized Microsoft's patch as insufficient, noting that disabling the network stack in the BIOS is the only effective mitigation. A suspected Chinese hacking campaign is exploiting a vulnerability in Palo Alto firewalls to deploy a custom malware backdoor for espionage, according to northwave researchers. The backdoor, a variant of Little Lamb Woolt, installs disguised as a logd file and provides extensive functionality, including file manipulation, network tunneling and socks. 5 Proxy setup exploited since November. Attackers use the vulnerability to gain root privileges and deploy additional payloads. Palo Alto patched this flaw and another, advising administrators to limit Web management portal access to trusted IPs. The campaign aligns with Chinese threat group UNC 5325's strategy of targeting edge devices similar to their past exploits of Ivanti VPNs and Fortinet firewalls. Researchers say thousands of devices may be affected. The U.S. department of justice has finalized a rule banning the sale of American sensitive data, including biometric geolocation, health and financial information to adversarial nations like China, Russia and Iran. Stemming from a February executive order, the rule targets efforts by hostile nations to use such data for AI development, cyber espionage and influence campaigns. Assistant Attorney General Matthew Olson emphasized the rule's role in protecting national security implementation begins three months after its Federal Register publication. The U.S. department of Health and Human Services has proposed updated HIPAA cybersecurity rules to protect patient health data amid increasing healthcare data breaches and ransomware attacks. The proposed measures include mandatory encryption of protected health information, multi factor authentication and network segmentation to limit attackers movements. White House official Ann Neuberger highlighted the urgency, citing high costs of inaction, which could endanger critical infrastructure and patient safety. The Updates, expected within 60 days, mark the first major HIPAA security revisions in a decade. Implementation is projected to cost $9 billion in the first year and $6 billion over the coming up after the break, my conversation with Mick Baccio, Global Security Advisor at Splunk, with insights on the cybersecurity resilience gap and CISA Director Easterly looks back at 2024. Stay with.