Transcript
Dave Bittner (0:02)
You're listening to the CyberWire network, powered by N2K. Ransomware, supply chain attacks and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of the ThreatLocker Zero Trust Endpoint Protection platform. Robust cybersecurity is a non-negotiable to safeguard organizations from cyberattacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process and end user unless specifically authorized by your team. This least-privilege methodology mitigates the exploitation of trusted applications and ensures protection for your organization. 2473655 IT professionals are empowered by ThreatLocker application allowlisting, ringfencing, network control and EDR solutions, enhancing their cybersecurity posture and streamlining internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com.

China criticizes US sanctions. School districts face cyberattacks over the holiday season. The UN's International Civil Aviation Organization is investigating a potential data breach. EAGERBEE malware targets government organizations and ISPs in the Middle East. A major New York medical center notifies 674,000 individuals of a data breach. Hackers infiltrate Argentina's Airport Security Police payroll system. An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers and network security appliances. Phishing click rates among enterprise users surged in 2024. A California man is suing three banks for allegedly enabling criminals to steal nearly $1 million from him.
On our Threat Vector segment, we preview this week's episode, where host David Moulton speaks with Margaret Kelly about the evolving landscape of cloud breaches. And Microsoft's Bing demonstrates that imitation is the sincerest form of flattery. It's Tuesday, January 7th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It is great to have you with us. China has criticized US sanctions imposed on Beijing-based Integrity Technology Group, accused of involvement in hacking US critical infrastructure. The US Treasury's move targets the company for alleged ties to Flax Typhoon, a Chinese state-sponsored cyber campaign. Integrity Technology and China's Foreign Ministry rejected the claims, with spokesperson Guo Jiakun accusing Washington of using cybersecurity as a tool to smear China. Meanwhile, China's National Cybersecurity Information Center reported foreign cyberattacks on Chinese networks, including from the US, the Netherlands and other nations, involving Trojan programs, botnets and intellectual property theft. The sanctions freeze the company's US assets and restrict business with Americans. The decision follows broader concerns over Chinese cyber espionage campaigns like Salt Typhoon, which compromised U.S. telecommunications and private data. U.S. officials recently revealed Salt Typhoon's impact on eight telecom providers and numerous countries, escalating tensions in cybersecurity. Meanwhile, the U.S. Department of Defense has added Tencent, a Chinese messaging and gaming giant, to its Chinese military company list under the Military-Civil Fusion strategy, which aids the Chinese military's modernization efforts. While inclusion doesn't equate to a ban, it prevents the Pentagon from working with listed companies and could trigger supply chain issues or further restrictions. Tencent, which owns WeChat, VooV and gaming assets like PUBG and Fortnite, denies the claims and plans to appeal.
Critics argue WeChat aids Beijing's intelligence efforts, with nations like Canada banning it from government devices. Battery maker CATL, a Tesla supplier, was also added to the list, raising concerns about potential impacts on global partnerships. Tencent's addition reflects growing tensions between US authorities and Chinese tech companies. Two US school districts faced cyberattacks over the holiday season, highlighting a persistent trend of targeting educational institutions during low IT staffing periods. South Portland Public Schools in Maine discovered a weekend attack through a network detection system identifying compromised firewalls linked to an IP address from Bulgaria. The district acted swiftly, disconnecting equipment and restoring systems before classes resumed. Officials believe no student or staff data was compromised but remain vigilant with continued network monitoring. In Tennessee, Rutherford County Schools, serving over 51,000 students, experienced a prolonged disruption from a Thanksgiving cyberattack that exposed some employee and student data. Third-party investigators are reviewing the breach, and affected individuals will be notified. These incidents echo a broader rise in ransomware attacks on schools, with recovery times ranging from months to significant financial and educational losses. Federal initiatives, including cybersecurity training and funding, aim to bolster digital defenses across K-12 schools. The UN's International Civil Aviation Organization, or ICAO, is investigating a potential data breach after the hacking group Natohub claimed to have compromised 42,000 documents, including personal data, on BreachForums, allegedly targeting international organizations. Natohub stated the breach includes names, birth dates, contact details and employment histories. The group recently claimed another breach involving 14,000 UN delegates.
ICAO has implemented security measures and is conducting a thorough investigation, emphasizing the seriousness of the incident. New variants of the EAGERBEE malware framework are targeting government organizations and ISPs in the Middle East, with possible links to the Chinese state-backed group CoughingDown. According to Kaspersky, EAGERBEE exploits Microsoft Exchange ProxyLogon vulnerabilities to gain initial access, though the attack vector in recent cases remains unclear. The malware uses DLL hijacking to load a backdoor into memory, enabling 24/7 operations. EAGERBEE's capabilities are enhanced by plugins, including File, Process, Service, Network and Remote Access Managers. These tools allow for file manipulation, RDP sessions and command shell injection, making the malware both stealthy and persistent. Kaspersky warns that similar attacks have been observed in Japan, indicating a global threat. Organizations are urged to patch Exchange servers and monitor for indicators of compromise to mitigate risks. Richmond University Medical Center in Staten Island is notifying 674,000 individuals of a data breach from a ransomware attack in May 2023. The incident disrupted the hospital's IT systems for nearly a month and led to the theft of files containing sensitive information such as Social Security numbers, medical details and financial data. While the electronic health record system was reportedly unaffected, manual review revealed compromised files. The notification comes 18 months after the breach, raising concerns about delays in incident response and compliance with HIPAA's 60-day breach notification rule. Experts attribute such delays to insufficient cybersecurity skills, budgets and tools in healthcare organizations. The medical center faces class-action lawsuits alleging negligence in safeguarding data.
Experts recommend healthcare providers minimize stored data, isolate sensitive information and secure identity systems to mitigate future breaches and accelerate response times. Hackers infiltrated Argentina's Airport Security Police payroll system, exposing vulnerabilities in data management and causing financial losses for personnel. Attackers accessed salary records, tampered with pay slips and made unauthorized deductions of between two and five thousand pesos under misleading labels. Investigators link the breach to Banco Nación, responsible for processing payroll, and suggest foreign servers were used, though domestic involvement isn't ruled out. The PSA has tightened cybersecurity measures and launched awareness campaigns, but criticism persists over past failures to secure sensitive data. Industrial networking firm Moxa has identified two critical vulnerabilities in its cellular routers, secure routers and network security appliances. The first flaw exploits hard-coded credentials to gain root access, affecting 10 products. The second enables OS command injection via input bypass, affecting seven products and allowing remote exploitation by unauthenticated users. Rated 8.6 and 9.8 on CVSS, the vulnerabilities pose significant risks. Moxa has released patches for many devices and advises minimizing network exposure, limiting SSH access and using intrusion detection systems for unpatched products. New research from Netskope says that phishing click rates among enterprise users surged by 190% in 2024, with over 8 in 1,000 users clicking phishing links monthly. The rise stems from increased phishing attempts and more sophisticated lures. Cloud applications were the top targets at 27%, with Microsoft accounting for 42% of clicks. Attackers typically exploit compromised accounts for data theft or business email compromise. Banking and telco providers were also frequently targeted.
Phishing clicks increasingly came from search engines via malicious ads and SEO poisoning rather than emails. Other sources included shopping and technology sites. Ken Liam, a California man, is suing three banks for allegedly enabling criminals to steal nearly $1 million from him through a cryptocurrency investment scam. The lawsuit accuses Chong Hing Bank, Fubon Bank and DBS Bank of failing to conduct proper anti-money-laundering checks under the Bank Secrecy Act, allowing scammers to open fraudulent accounts over six months. In 2023, Liam transferred $986,000 to these accounts, believing he was investing in crypto. He realized the scam when his investments were frozen for alleged money laundering, followed by a demand for a fake IRS tax payment. Liam alleges the banks ignored know-your-customer protocols, failing to verify account owner identities or investigate suspicious transactions. This case highlights a growing trend of "romance baiting" or "pig butchering" scams, where victims are defrauded of billions globally. Similar lawsuits and regulatory efforts worldwide aim to clarify financial institutions' responsibility in preventing such fraud. Coming up after the break on our Threat Vector segment, we preview this week's episode with David Moulton speaking with Margaret Kelly about the evolving landscape of cloud breaches. And Microsoft's Bing demonstrates that imitation is the sincerest form of flattery. Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture.
KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's how: Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

It's time for our weekly Threat Vector preview segment. This time, host David Moulton speaks with Margaret Kelly about the evolving landscape of cloud breaches and how organizations can defend against sophisticated attacks.
