When retaliation turns digital. - CyberWire Daily

Summary

CyberWire Daily: Episode Summary – "When Retaliation Turns Digital"

Release Date: January 10, 2025

Host: N2K Networks

Episode Overview

In this episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the latest developments in the cybersecurity landscape. The episode delves into significant cyber threats, breaches, and defenses, followed by an insightful interview with Casey Marks, ISC²’s Chief Qualifications Officer, discussing the evolving landscape of cybersecurity certifications. The episode concludes with a light-hearted register story highlighting an unexpected software glitch.

Cybersecurity News Highlights

1. Chinese Hackers Breach U.S. Treasury Department

Chinese cyber actors have successfully breached the U.S. Treasury Department's unclassified systems, specifically targeting its sanctions office. The intrusion also impacted the Committee on Foreign Investment in the U.S. (CFIUS), which now wields increased authority over real estate deals near military bases—a hotspot for potential espionage.

Treasury Secretary Janet Yellen remarked at [04:30]: "This breach is a significant setback for U.S.-China relations and underscores the urgent need for enhanced cybersecurity measures."

The breach raises suspicions of retaliation following the sanctions imposed on a Chinese company for prior cyberattacks.

2. Supreme Court Considers TikTok Ban

The Supreme Court is evaluating a law that seeks to ban TikTok in the United States unless its Chinese parent company, ByteDance, divests by January 19th. The legislation, supported by both political parties, aims to mitigate national security risks associated with potential Chinese government influence over the platform.

TikTok's legal representative argued at [05:15]: "Banning TikTok without evidence of direct Chinese control infringes upon First Amendment rights and is akin to shutting down a U.S. newspaper under foreign pressure."

3. Zero Day Exploit in Ivanti Connect Secure VPN

Mandiant reports that Chinese threat group Silk Typhoon has exploited a zero-day vulnerability in Ivanti Connect Secure VPN appliances since December. The attackers deployed malware variants like Spawn, Phase Jam, and Dryhook to exfiltrate credentials, API keys, and VPN session data.

Cybersecurity Analyst at Mandiant noted at [06:45]: "The exploitation of this zero-day highlights the critical need for timely patching and robust network defenses."

CISA has mandated remediation by January 15th to prevent widespread exploitation.

4. WordPress Checkout Page Malware Skimmer

A sophisticated credit card skimmer malware has been identified targeting WordPress checkout pages. The malware injects malicious JavaScript into the database's WP options table, bypassing theme files and plugins to stealthily capture payment information in real-time.

Security Expert explained at [07:30]: "This method of injection allows attackers to remain undetected while siphoning off sensitive financial data, making it imperative for site administrators to frequently audit their HTML widgets and plugins."

5. Banshee macOS Info Stealer Update

The Banshee macOS Info Stealer has been updated to specifically target Russian-language systems. Originally launched in 2024, the malware gathers data such as passwords, browser information, and cryptocurrency wallet details.

Check Point Reports at [08:20]: "Despite improved antivirus detection post-source code leak, new variants risk further exploitation, particularly through phishing websites and counterfeit GitHub repositories."

6. California Health Services Data Breach

Baymark Health Services in California disclosed a data breach impacting nearly 3,000 patients. The compromised information includes names, Social Security numbers, insurance details, and treatment records.

Baymark Secured Systems stated at [09:10]: "We have enhanced our security measures post-incident and are providing one year of free credit monitoring to affected individuals."

7. Florida HIPAA Settlement

USR Holdings, a Florida-based firm, has settled for $337,000 following a 2018 breach that exposed personal information of nearly 3,000 patients. The breach stemmed from a firewall misconfiguration, leading to unauthorized access and data deletion.

HHS Representative at [09:55]: "This settlement underscores the critical importance of robust data backup and proactive monitoring to avert similar incidents."

8. Samsung Patches Android Devices

Samsung released a January 2025 security update addressing critical vulnerabilities in Android and its own devices. The patch resolves five high-priority vulnerabilities that could allow unauthorized code execution and data breaches.

Samsung Security Team urged at [10:30]: "Users are strongly encouraged to apply these updates promptly to safeguard their devices against potential threats."

9. ProtonMail Outage

ProtonMail experienced a global service outage on January 9th due to network issues, affecting services like Calendar, VPN, Drive, Pass, and Wallet. The outage was resolved within a few hours, with ProtonMail apologizing for the inconvenience.

ProtonMail Representative at [11:00]: "We are investigating the root cause to prevent future disruptions and ensure the reliability of our services."

10. Malware on GroupGreeting.com

Malwarebytes uncovered the ZQXQ cyberattack campaign targeting GroupGreeting.com, a popular e-card service used by enterprises like Airbnb and Coca-Cola. The attackers injected obfuscated JavaScript to redirect users to phishing sites or deploy malware.

Adam Gaudiak, CEO of Ag Security Research, highlighted at [12:15]: "The exploitation strategy leverages seasonal traffic spikes, making it a potent tool for large-scale infections."

11. Microsoft PlayReady DRM Vulnerabilities Exposed

Adam Gaudiak exposed vulnerabilities in Microsoft's PlayReady DRM technology that allow unauthorized access to streaming content keys. Despite initial dismissal from Microsoft, the disclosure has raised concerns over bug bounty programs and responsible disclosure practices.

Casey Marks mentioned at [12:50]: "This incident exemplifies the ongoing challenges in balancing researcher incentives with corporate accountability."

12. Facebook Awards Bug Bounty for Ad Platform Vulnerability

Facebook rewarded researcher Ben Sadaginpour with a $100,000 bug bounty for discovering a critical vulnerability in its ad platform linked to an unpatched Chrome bug. This flaw permitted command execution on Facebook's internal servers, granting extensive system access.

Facebook Security Team at [13:30]: "Prompt addressing of such vulnerabilities is crucial to maintaining the integrity and security of our infrastructure."

Featured Interview: Casey Marks, ISC²’s Chief Qualifications Officer

Section Timestamp: [16:07 – 25:16]

In an enlightening segment, host Chris Hare engages with Casey Marks, ISC²'s Chief Qualifications Officer, to explore the future of cybersecurity certifications.

a. Role of Chief Qualifications Officer

Casey Marks elaborates on her responsibilities, which include maintaining and developing ISC²’s certification portfolio, ensuring exam integrity, and upholding the organization’s code of professional conduct.

Casey Marks at [16:13]: "We ensure exams are fair, reliable, and valid, providing every candidate an equal opportunity to demonstrate their knowledge and skills."

b. Trends in Certification Growth

Marks observes a global surge in the demand for cybersecurity certifications, driven by increased governmental interest and the need for standardized qualifications in the cybersecurity profession.

Casey Marks at [17:49]: "There's a noticeable uptick in certifications like CISSP and CCSP, reflecting the industry's shift towards robust, validated qualifications."

c. ISC²’s 1 Million Certified in Cybersecurity Program

ISC² has launched an ambitious initiative to certify one million cybersecurity professionals through the free Certified in Cybersecurity (CC) program. This effort aims to bridge the experience gap for newcomers entering the field.

Casey Marks at [21:17]: "Our CC program provides a foundational certification that helps individuals demonstrate their commitment and readiness to enter the cybersecurity profession."

d. Continuing Professional Education Credits (CPEs)

Marks emphasizes the importance of CPEs in maintaining certifications and outlines various avenues for earning these credits, including courses, certifications, training, events, webinars, and volunteer opportunities.

Casey Marks at [22:39]: "There are myriad opportunities for certified members to earn CPEs, from attending webinars to contributing as subject matter experts. It's a way to continue professional growth and give back to the community."

Register Story: Chrome’s Overzealous Translation Feature Causes Chaos

In an amusing yet cautionary tale, Mac, a developer for a SASE business management suite targeting non-English European markets, encountered an unexpected glitch when a user reported the app displaying English—a language not supported by the application.

After an exhaustive investigation, the team discovered that Chrome’s automatic translation feature was inadvertently triggered by the user, leading to the display anomaly.

Narrative at [26:00]: "Had the app been sabotaged by rogue translators? After much sleuthing, the culprit emerged: Chrome's overly helpful Translate to English feature accidentally triggered by the user."

Takeaway: While helpful features aim to enhance user experience, they can sometimes lead to unintended consequences, underscoring the importance of thorough testing and user education.

Conclusion

This episode of CyberWire Daily provides a thorough overview of pressing cybersecurity issues, from state-sponsored breaches to emerging malware threats. The in-depth interview with Casey Marks offers valuable insights into the evolving certification landscape, highlighting ISC²’s initiatives to bolster the cybersecurity workforce. The light-hearted register story serves as a reminder of the unexpected challenges that can arise even from well-intentioned software features.

For those interested in staying ahead in cybersecurity, this episode delivers essential updates and professional perspectives to navigate the complex digital threat environment effectively.

Stay informed with CyberWire Daily for the latest in cybersecurity news and expert analysis.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire Network. Powered by n2k.

Amazon Sponsor (0:10)

This episode is brought to you by Amazon. Sometimes the most painful part of getting sick is the getting better part. Waiting on hold for an appointment, sitting in crowded waiting rooms, standing in line at the pharmacy that's painful. Amazon One Medical and Amazon Pharmacy remove those painful parts of getting better with things like 24. 7 virtual visits and prescriptions delivered to your door. Thanks to Amazon Pharmacy and Amazon One Medical Healthcare just got less painful.

Dave Bittner (0:40)

Ransomware, supply chain attacks and zero day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of the Threat Locker Zero Trust Endpoint Protection Platform Robust cybersecurity is a non negotiable to safeguard organizations from cyberattacks, ThreatLocker implements a proactive deny by default approach to cybersecurity, blocking every action process end user unless specifically authorized by your team. This least privilege methodology mitigates the exploitation of trusted applications and ensures protection for your organization. 247365 IT professionals are empowered by ThreatLocker application allowance listing, Ring Fencing, Network Control and EDR solutions, enhancing their cybersecurity posture and streamlining internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com New details emerge about Chinese hackers breaching the US Treasury Department the Supreme Court considers the TikTok ban Chinese hackers exploit a zero day flaw in Avanti Connect Secure VPN A new credit card skimmer malware targets WordPress checkout pages the Banshee macOS Info Stealer has been updated A California health services organization reports a data breach A Florida Firm pays a 337,000 HIPAA settlement following a 2018 breach Samsung patches Android devices A Proton mail outage hits users worldwide A popular E Card site recovers from malware Certbyte segment host Chris Hare interviews our guest Casey Marks, ISC2's chief qualifications officer, about the future of certifications and that's a feature not a HAC.

Chris Hare (3:01)

Foreign.

Dave Bittner (3:04)

It'S Friday, January 10, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Happy Friday and thanks for joining us here today. It is great to have you with us. New details have emerged about Chinese hackers breaching the U.S. treasury Department's unclassified systems, revealing they targeted its sanctions office. In addition to the previously reported hack of other treasury systems. CNN reports the sanctions office had recently penalized a Chinese company for cyberattacks, raising questions about whether the hack was retaliatory. The breach also affected the Committee on Foreign investment in the U.S. which oversees foreign investments for national security risks. This comes as the committee gained new authority over real estate deals near military bases, an area of growing concern for potential Chinese espionage. While no classified information was accessed, officials worry that the stolen, unclassified data could still provide useful intelligence for Beijing. Treasury Secretary Janet Yellen called the breach a blow to U. S China relations, emphasizing the need for stronger cybersecurity measures. The Supreme Court is considering whether to block a law that could ban TikTok in the US if its China based owner ByteDance, doesn't divest by January 19th. The law, enacted with bipartisan support, aims to address national security concerns over potential Chinese government influence on the platform. TikTok and users argue the ban violates First Amendment rights. During oral arguments, TikTok's attorney denied direct Chinese control and compared the divestment to shutting down a US Newspaper under foreign pressure. Mandiant reports that Chinese hackers have exploited a zero day flaw in Ivanti Connect secure VPN appliances since December, deploying malware such as Spawn, Phase Jam and Dryhook to steal credentials, API keys, and VPN session data. CISA has mandated remediation by January 15th. Researchers warn of widespread exploitation, targeting credentials and deploying Web shells for future access. The attacks linked to Chinese Silk Typhoon hackers follow recent breaches of the Treasury Department's systems. A new credit card skimmer malware targets WordPress checkout pages, injecting malicious JavaScript into the database's WP options table to steal sensitive payment details. This approach evades detection by bypassing theme files and plugins, enabling covert operation. The malware dynamically creates fake payment forms or intercepts real ones, capturing credit card information in real time. Data is encrypted and sent to attacker controlled domains to mitigate risks. Experts recommend checking HTML widgets for malicious scripts, applying security updates, and using firewalls and two factor authentication. The Banshee macOS Infostealer has been updated to target systems using the Russian language, according to Check Point. Initially launched in 2024 and sold for $3,000 a month, the malware collects data such as passwords, browser information, and cryptocurrency wallets. After its source code leaked In November of 2024, antivirus detection improved, but concerns grew over new variants. Recent updates removed restrictions on targeting Russian systems and Banshee is still spread via phishing websites and fake GitHub repositories, likely by former customers or new actors. California's Baymark Health Services reported a data breach affecting patients personal information, including names, Social Security numbers, insurance details and treatment information. The breach, linked to a cyberattack between September 24 and October 14, 2024, was discovered on October 11. Baymark Secured Systems launched an investigation with forensic experts and notified law enforcement. Impacted individuals received formal notifications and one year of free credit monitoring. Baymark says they've since enhanced their security measures to prevent future incidents. Florida based USR holdings has paid a $337,000 HIPAA settlement following a 2018 breach exposing the personal information of nearly 3,000 patients. The breach occurred after a firewall misconfiguration allowed unauthorized access, resulting in data deletion. HHS found multiple HIPAA violations, including insufficient risk analysis and backup procedures. USR agreed to implement a corrective action plan and will be monitored for compliance. Experts emphasize robust data backup, disaster recovery plans and proactive monitoring to prevent similar incidents. This marks HHS's largest HIPAA find in 2025 so far. Samsung Mobile has released its January 2025 security maintenance release addressing critical vulnerabilities in Android and Samsung devices. The update resolves five high priority common vulnerabilities and exposures that could allow execute arbitrary code, risking sensitive data and device control. It also includes 22 Samsung specific patches. Samsung urges users to update promptly for improved safety, device performance and longevity. Proton experienced a major worldwide outage yesterday, disrupting services like ProtonMail, Calendar, VPN Drive Pass and Wallet due to network issues. The outage began at 10am Eastern time, leaving many users unable to access their accounts. Just after 12:30pm ProtonMail was restored with all services back online right around 1:30pm ProtoN apologized for the disruption and continues to investigate the issue. Users initially reported error messages when attempting to access affected services during the outage. Malwarebytes uncovered a cyber attack dubbed the ZQXQ campaign, targeting GroupGreeting.com, a popular e card site used by major enterprises like Airbnb and Coca Cola. Exploiting seasonal traffic spikes, attackers injected obfuscated JavaScript to redirect users to phishing sites or malware. The campaign shares traits with the ndsw, NDSX and TDS Parrot malware known for large scale infections and traffic distribution system tactics. Over 2,800 websites have been affected. Group greeting quickly resolved the breach. Adam Gaudiak, CEO of Ag Security Research, has exposed vulnerabilities in Microsoft's PlayReady DRM technology enabling unauthorized access to streaming content keys. His research highlights flaws in Microsoft's Protected Media Path and Warbird compiler, raising concerns about unauthorized downloads from services like Netflix and HBO Max. While Microsoft initially dismissed the findings as implementation issues, Gaudiak advocated for compensation outside the bug bounty program, citing extensive effort and intellectual property concerns. When no agreement was reached, Gaudiak provided technical details to Microsoft in November of last year without seeking payment later, disclosing limited public details to raise awareness. Critics argue this case underscores flaws in bug bounty programs and responsible disclosure practices. Casey Ellis of bugcrowd stressed the need for standardized terms and coordinated disclosure, warning against tactics resembling extortion. The incident highlights ongoing challenges in balancing researcher incentives, corporate responses, and public accountability. Elsewhere, Facebook awarded a $100,000 bug bounty to researcher Ben Sadaginpour for discovering a critical vulnerability in its ad platform. The flaw, linked to an unpatched Chrome bug, allowed Sadegunpour to execute commands on Facebook's internal server, granting extensive access to its infrastructure. Working with Alex Chapman, he reported the issue in October of last year, prompting Meta to address it within an hour. Coming up after the break, Chris Hare interviews our Guest Casey Marks, ISC2's chief qualifications officer, about the future of certifications and that's a feature, not a hack. Stay with us.