Daily Brief
Find articles below; the summaries are generated.
Total articles found: 12832
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2024-12-31 18:58:39 | bleepingcomputer | MALWARE | Phishing Campaign Compromises 35 Chrome Extensions, Steals Data | Hackers initiated a phishing campaign targeting developers of Google Chrome extensions, compromising 35 extensions to inject data-stealing malware. The targeted extensions are collectively used by approximately 2.6 million users, with a malicious OAuth application used to obtain unauthorized permissions. Cyberhaven, a cybersecurity firm, was among those whose security-focused extension was compromised early in the campaign. The phishing emails, designed to appear as official Google communications, tricked developers into authorizing a malicious third-party OAuth application named "Privacy Policy Extension." Although the compromised developer accounts had multi-factor authentication enabled, no additional verification was prompted during the authorization, so the malicious access was granted silently. The compromised extensions included malicious JavaScript files aimed at stealing Facebook user data, including IDs, access tokens, and account information. The attackers specifically targeted Facebook business accounts, attempting to capture two-factor authentication QR codes and CAPTCHA interactions to bypass security measures. The scope of the attack suggests premeditation: domains were registered as early as March 2024, indicating a well-planned operation by the threat actors. |
| 2024-12-31 15:36:36 | theregister | NATION STATE ACTIVITY | U.S. Treasury Impacted by State-Sponsored Cyber Intrusion | The U.S. Department of the Treasury reported a significant security breach, traced back to a compromised key from BeyondTrust's Remote Support service. BeyondTrust alerted the Treasury on December 8 about the stolen API key, which enabled unauthorized access to certain workstations and unclassified data. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are working with the Treasury to analyze the breach, supported by third-party forensic teams. According to the Treasury, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) group. Despite quick action to revoke the compromised key and take the affected service offline, there was a window during which the attackers had access to the systems. The Treasury Department is preparing a detailed report to be released in 30 days and has upgraded security measures in response to the incident. BeyondTrust has issued patches for vulnerabilities discovered during its investigation and applied security enhancements for its cloud-based customers. |
| 2024-12-31 15:16:09 | bleepingcomputer | CYBERCRIME | Over 3 Million Fake GitHub Stars Inflate Project Rankings | Researchers revealed that over 3.1 million "stars" on GitHub projects are fraudulent, used to boost the popularity of repositories, often for distributing scams and malware. GitHub treats stars similarly to social media likes, so they influence the platform's content recommendations and global ranking system. The study used a tool called "StarScout" to analyze 20TB of data from GHArchive, detecting artificial star patterns and identifying fake accounts and coordinated activity. The initial analysis flagged 4.5 million suspected fake stars, given by 1.32 million accounts across nearly 23,000 repositories. After applying stricter criteria, the findings were narrowed to 3.1 million fake stars from 278,000 accounts, affecting 15,835 repositories. Approximately 91% of the repositories involved in these fraudulent activities had been deleted by October 2024, validating the effectiveness of the StarScout tool. Fake stars undermine trust in GitHub, so users must diligently verify the authenticity of repositories before trusting or using them. A surge in fake star activity was observed in 2024, with significant ramifications for how GitHub projects are perceived and used. |
| 2024-12-31 12:19:11 | theregister | NATION STATE ACTIVITY | China Intensifies Cyber Intrusions into US Critical Infrastructure | Chinese cyber activity in 2024 suggests a shift from espionage to preparing for disruptive attacks, targeting American telecommunications and critical infrastructure. The FBI disrupted a Chinese botnet early in the year, but the group behind it, Volt Typhoon, remains active and has compromised critical US systems including a city's emergency network and electric companies. US government agencies warn that Volt Typhoon has positioned itself within IT networks to enable attacks on operational technology assets, indicating pre-positioning for potential destructive action. Another Chinese group, Salt Typhoon, carried out a significant hack of US telecom networks, which a US senator called the nation's worst telecom hack. CrowdStrike, which monitors about 63 China-linked groups, emphasizes the ongoing risk as these actors continue to target the global supply chain and critical infrastructure. Defensive responses from US agencies include public alerts, a threat hunting guide, and mitigation strategies focused on patching vulnerable systems and implementing robust security measures. Experts from various cybersecurity firms underscore the difficulty of detecting and evicting these well-disguised intruders from compromised networks and the importance of strengthening defensive capabilities in critical sectors. Concerns are growing over the readiness of critical infrastructure against sophisticated threats, amid calls for better funding and modernization of cybersecurity practices in these vital sectors. |
| 2024-12-31 11:28:27 | thehackernews | NATION STATE ACTIVITY | U.S. Tightens Control on Data Transfers to Adversarial Countries | The U.S. Department of Justice has issued a final rule implementing Executive Order 14117, which prevents bulk personal data transfers to specific adversarial nations. The affected countries are China, Cuba, Iran, North Korea, Russia, and Venezuela; the rule aims to safeguard national security and citizens' privacy. The Executive Order addresses risks such as unauthorized access intended for espionage and other malicious activities by adversarial nations. The final rule restricts bulk data sales and other commercial access to personal data, including precise geolocation, biometrics, and financial data. Exemptions are provided for U.S. persons engaged in medical, scientific, and other research in the listed countries of concern. The regulation introduces civil and criminal penalties to enforce compliance and takes effect within 90 days. The measures focus on protecting civil liberties and preventing misuse of sensitive data to intimidate or suppress individuals and groups. |
| 2024-12-31 07:36:14 | bleepingcomputer | DATA BREACH | U.S. Health Department Proposes HIPAA Updates Amid Breaches | The U.S. Department of Health and Human Services (HHS) is set to overhaul HIPAA rules in response to rising healthcare data breaches. Proposed changes include mandatory encryption, multifactor authentication, and network segmentation to strengthen data security. Amid escalating cyberattacks, these updates aim to protect large volumes of protected health information (PHI). Implementing the new cybersecurity measures will cost approximately $9 billion in the first year and over $6 billion in the subsequent four years. The updates follow major incidents such as the ransomware attack on Ascension, which compromised the data of nearly 5.6 million people. The revised rules represent the first significant update to HIPAA's security provisions in over a decade, addressing both the evolving threat landscape and data protection needs. Regulators warn of the high costs and dangers of inaction, emphasizing the potential harm to critical infrastructure and patient safety. |
| 2024-12-31 05:50:05 | thehackernews | NATION STATE ACTIVITY | Chinese APT Breaches U.S. Treasury Using BeyondTrust API Key | On December 8, 2024, the U.S. Treasury Department experienced a significant cyber incident due to a compromised API key belonging to BeyondTrust, a third-party software provider. The breach allowed suspected Chinese state-sponsored actors to access unclassified documents and remotely enter specific user workstations within the Treasury. BeyondTrust had previously detected an intrusion that exploited a Remote Support SaaS API key, which enabled attackers to manipulate account passwords. Following the discovery, BeyondTrust deactivated the API key, informed affected parties, and took immediate corrective measures by providing alternative service instances. CISA has identified related security vulnerabilities in BeyondTrust's products, one of which is actively exploited and has been added to the Known Exploited Vulnerabilities catalog. Despite the breach, the Treasury confirmed that there is no ongoing unauthorized access to its systems and has stopped using the compromised BeyondTrust service. The incident is under investigation by both the FBI and CISA, focusing on the implications of this breach linked to a Chinese APT group. |
| 2024-12-31 04:39:16 | thehackernews | CYBERCRIME | Azure Airflow Kubernetes Cluster Security Flaws Uncovered | Researchers from Palo Alto Networks identified three security vulnerabilities in the Azure Data Factory Apache Airflow integration. These vulnerabilities could allow attackers to carry out covert operations such as data exfiltration and malware deployment within Azure Kubernetes Service clusters. Attackers could potentially tamper with log data or send fake logs by exploiting flaws in the Azure-managed Geneva service. Initial exploitation involves manipulating DAG files, with further access enabled by misconfigured cluster-admin permissions attached to the Airflow runner pod. An attacker could gain persistent shadow administrator access, allowing them to alter pods, create new service accounts, and apply changes undetected. This flaw poses significant risks to Azure's internal infrastructure, enabling deep access to other Azure-managed resources. The discovery highlights the need for rigorous management of service permissions and monitoring of third-party service operations to prevent unauthorized access. |
| 2024-12-30 23:36:24 | theregister | NATION STATE ACTIVITY | Major Telco Breaches Revealed, White House Reports National Security Concerns | Chinese government-backed hackers infiltrated the systems of AT&T, Verizon, and Lumen Technologies, compromising telecommunication networks. The breaches, part of the Salt Typhoon campaign, have affected nine telecom firms, giving the attackers extensive access including geolocation and call recording capabilities. A White House official stated that this marks the "worst telecom hack in our nation's history," with potential national security implications. Despite the scale, the compromised companies reported that only select high-profile individuals were targeted and that they have since secured their networks. Verizon and AT&T notified affected customers and said they have contained the breach with help from cybersecurity firms and federal agencies. In some cases there is no evidence that customer data was accessed, and monitoring and cooperation are ongoing. The White House and FCC are pushing for stronger cybersecurity measures and binding rules to guard against such nation-state threats. Both public and private sectors are urged to adopt the 60-day Enduring Security Framework to establish minimum cybersecurity practices. |
| 2024-12-30 22:20:31 | bleepingcomputer | NATION STATE ACTIVITY | Chinese State-Backed Hackers Breach US Treasury Via Remote Platform | Chinese state-sponsored actors compromised the U.S. Treasury Department by exploiting vulnerabilities in BeyondTrust's remote support platform. BeyondTrust, a provider of remote support SaaS, detected breaches in its systems earlier this month and subsequently identified two zero-day vulnerabilities that facilitated the unauthorized access. The attackers used a stolen API key to manipulate passwords and gain privileged access, enabling them to remotely access and steal documents from the Treasury Department. The Treasury confirmed the intrusion in a letter to lawmakers, describing the incident as a major cybersecurity breach attributed to a known Advanced Persistent Threat group. BeyondTrust shut down all compromised software instances and revoked the stolen API key to prevent further unauthorized access. The FBI and CISA are involved in the investigation, and there is no current evidence that the attackers retain access to the Treasury's systems. Relatedly, the same group of Chinese hackers has been implicated in significant breaches of major U.S. telecom companies, spying on sensitive communications. |
| 2024-12-30 18:08:00 | bleepingcomputer | CYBERCRIME | Hackers Exploit Router Flaw, Compromise Global Infrastructure | Threat actors are exploiting a remote command injection vulnerability in Four-Faith routers, tracked as CVE-2024-12856, to open reverse shells. The vulnerability affects certain router models used primarily in critical sectors including energy, utilities, and transportation. Attackers gain access through devices that are often deployed with default credentials, leaving them susceptible to brute-force attacks. The exploitation involves sending a malicious HTTP POST request that manipulates router settings and establishes a reverse shell. Compromised routers could allow attackers to modify configurations, pivot to other network devices, and escalate privileges for further attacks. Approximately 15,000 internet-facing Four-Faith routers are exposed worldwide, according to a Censys report. Four-Faith has been notified of the ongoing exploitation, but information on patches or affected firmware remains unclear. Recommended mitigations include updating firmware, changing default credentials, and deploying detections via shared Suricata rules. |
| 2024-12-30 12:44:51 | thehackernews | CYBERCRIME | New HIPAA Cybersecurity Rules to Enhance Patient Data Protection | The U.S. Health and Human Services' Office for Civil Rights has proposed updates to the HIPAA Security Rule to combat growing cybersecurity threats in healthcare. The new rules require healthcare organizations to restore critical data within 72 hours and conduct annual compliance audits. Enhancements include mandated encryption of electronic protected health information (ePHI), both at rest and in transit, and the implementation of multi-factor authentication. Healthcare entities must also deploy network segmentation, perform vulnerability scans every six months, and undertake annual penetration testing. The proposed changes respond to the increasing frequency and severity of ransomware attacks targeting the healthcare sector, which saw a significant jump in reported cases from 2021 to 2024. Ransomware not only poses a financial threat but also interrupts critical healthcare services, with the median ransom payment reaching $1.5 million in recent attacks. The World Health Organization has emphasized the urgent need for international cooperation to tackle these cyber threats, underlining their potentially life-threatening consequences. |
| 2024-12-30 12:19:25 | thehackernews | DDOS | Palo Alto Networks Battles DNS-Related DoS Vulnerability | Palo Alto Networks has disclosed a critical vulnerability in its PAN-OS software, rated with a high-severity CVSS score of 8.7. The flaw can cause a denial-of-service (DoS) condition when firewalls configured with DNS Security logging process specially crafted DNS packets. Tracked as CVE-2024-3393, the vulnerability affects only devices with DNS Security logging enabled. Several customers have reported disruptions from this DoS when their firewalls intercepted and blocked malicious DNS packets. The company has acknowledged the attack and is presumably working towards a mitigation or fix to protect against potential exploits. In broader cybersecurity news, several CVEs have been identified in popular software including Apache Tomcat and Apache MINA, prompting urgent calls for updates to prevent possible breaches. The week's additional cybersecurity tip suggests isolating risky mobile apps in separate user profiles to safeguard personal data from untrusted applications. |
| 2024-12-30 10:43:21 | thehackernews | MALWARE | Over Two Million Users Impacted by Malicious Browser Extensions | An extensive attack campaign has targeted browser extensions, injecting malicious code to steal user credentials. More than 25 different extensions have been compromised, affecting over two million users globally. LayerX is offering complimentary services to help organizations audit and remediate their exposure to these compromised extensions. The attacks exploit the broad access permissions granted to extensions, creating significant security risks through access to sensitive user data. Lack of control over browser extension installations in corporate environments heightens the risk of credential theft and data breaches. The incident exposes the vulnerabilities of web browser extensions and of their use in corporate contexts. Organizations are advised to raise awareness and adopt stringent protective measures to mitigate the risks associated with malicious browser extensions. |
| 2024-12-30 09:22:21 | bleepingcomputer | NATION STATE ACTIVITY | Major Telecom Networks Confirm Security After Chinese Espionage | AT&T and Verizon have experienced breaches attributed to a large-scale Chinese espionage campaign aimed at global telecom carriers. Both companies have reported that the intruders have been removed from their networks, with no ongoing nation-state actor activity detected. T-Mobile also faced an intrusion by the same Chinese hackers, known as "Salt Typhoon," but halted the breach, ensuring no sensitive customer data was compromised. The U.S. government is responding to these breaches by considering a ban on China Telecom and potentially TP-Link routers, following evidence of their use in cyberattacks. FCC Chairwoman Jessica Rosenworcel expressed urgency in requiring U.S. carriers to bolster their security frameworks. Senator Ron Wyden has proposed new legislation aimed at securing American telecoms' networks. The hacking group involved, also known by aliases including Earth Estries and Ghost Emperor, has been active since at least 2019, targeting telecoms and government entities across Southeast Asia. |