Feds Push Defense Measures Against Salt Typhoon, Say Americans Should Use Encrypted Apps

Ransomware attack helped push Stoli vodka maker to bankruptcy, FTC acts against top location data companies, Cops stop encrypted messaging platform MATRIX, Germany takes down its largest cybercrime market, New Scattered Spider suspect arrested, Iranian hackers targeted Kash Patel, much more


Sponsor Message

In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code.

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."


In a sign that the infiltration of US communications networks by the Chinese threat group Salt Typhoon is reaching crisis levels, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released guidance to help communications network defenders harden their systems against attacks coordinated by the group.

Although it's still unknown when the telecom giants' networks were first breached, the Chinese hackers had access "for months or longer," according to press reports, which allowed them to steal vast amounts of "internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."

"We cannot say with certainty that the adversary has been evicted because we still don't know the scope of what they're doing. We're still trying to understand that, along with those partners," a senior CISA official told reporters during a press call.

In a joint advisory with CISA, the US Justice Department, and Canadian and Australian cybersecurity agencies, the US National Security Agency said the Chinese attackers have targeted exposed and vulnerable services, unpatched devices, and generally under-secured environments.

The advisory includes tips on hardening devices and network security to reduce the attack surface these threat actors exploit.

It also includes defensive measures to enhance visibility for system administrators and engineers managing communications infrastructure for more detailed insight into network traffic, data flow, and user activities.

During the press call, a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.

The FBI official said, “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant” multi-factor authentication for email, social media and collaboration tool accounts.

The scope of the telecom compromise is so significant that Greene said it was “impossible” for the agencies “to predict a time frame on when we’ll have full eviction.” (Sergiu Gatlan / Bleeping Computer and Kevin Collier / NBC News)

Related: NSA, NSA, CISA, CISA, Axios, Washington Post, Forbes, The Record, Associated Press, ComputerWeekly.com, TechCrunch, Cyber Daily, CNN, Politico, Nextgov/FCW, DataBreachToday.com, PCMag, r/politics, r/conspiracy, r/technology, r/signal, Slashdot, Reuters, Forbes, Associated Press, Politico, PCMag, VOA News

In a November 29 Texas bankruptcy court filing, vodka maker Stoli Group CEO Chris Caldwell said a ransomware attack on the multinational company in August helped push two of its subsidiaries into bankruptcy.

“In August 2024, the Stoli Group's IT infrastructure suffered severe disruption in the wake of a data breach and ransomware attack,” Caldwell said in the filing.

“The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group's enterprise resource planning (ERP) system being disabled and most of the Stoli Group's internal processes (including accounting functions) being forced into a manual entry mode.”

Caldwell said the systems will be restored “no earlier than in the first quarter of 2025.”

The attack also caused issues with how Stoli Group complied with debt repayment requirements issued by its lenders. The cyberattack allegedly hindered the company’s efforts to provide current financial data to lenders, who accused the companies of defaulting on their debt. (Jonathan Greig / The Record)

Related: Bleeping Computer, Plain Dealer, TechCrunch, RetailWire, Fast Company, Proactive, Fortune, CBS News, SC Media, Infosecurity Magazine

Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies that sell location tracking technology to the government or sell the data directly themselves. Venntel is the company that provides the underlying data for various other government contractors and surveillance tools, including Locate X.

The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in “limited circumstances” involving national security or law enforcement. Sensitive locations include medical facilities, religious organizations, correctional facilities, labor union offices, schools and childcare facilities, domestic abuse and homeless support centers, shelters for refugee or immigrant populations, and military installations. The FTC also demands that the companies delete all historic location data. 

The IRS, DEA, and FBI have all purchased Venntel data. So have Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE).

According to an internal Department of Homeland Security document, Venntel has also provided the data for other location data tracking products the government buys, including Babel Street’s Locate X. According to emails obtained by the Electronic Frontier Foundation, Venntel also appears to provide the data to Fog Data Science, a company that sells a similar monitoring product to local law enforcement.

The FTC said that Gravy and Venntel violated the FTC Act by “unfairly selling sensitive consumer location data and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.” The FTC says that Gravy continued to use consumers’ location data even after learning that the consumers did not provide informed consent. “Gravy Analytics also unfairly sold sensitive characteristics, like health or medical decisions, political activities, and religious viewpoints, derived from consumers’ location data,” the agency adds.

According to the FTC, Gravy and Venntel collect more than 17 billion signals from around a billion mobile devices daily.

The FTC also announced action against Mobilewalla, another location data company, which reportedly monitored phones at Black Lives Matter protests. (Joseph Cox / 404 Media)

Related: FTC, Consumer Affairs, PYMNTS, CyberScoop, The Record, Free Press, The Verge, NBC News, Insurance Journal, Wired, Bleeping Computer


We missed Giving Tuesday, but...

Please consider using any leftover year-end funds to support Metacurity. We need your help to continue providing our labor-of-love daily summaries of the most critical infosec developments you need to know. Thank you.


An international law enforcement operation codenamed 'Operation Passionflower' shut down MATRIX, an encrypted messaging platform cybercriminals use to coordinate illegal activities while evading police.

It should be noted that MATRIX is a different entity from the secure open-source, decentralized, real-time communications protocol with the same name, which is perfectly legal to continue using.

The operation was conducted across Europe, including France, the Netherlands, Italy, Lithuania, Spain, and Germany, and was coordinated by Europol and Eurojust.

The police tracked down MATRIX after recovering the phone of a shooter who attempted to assassinate journalist Peter R. de Vries in July 2021.

After analyzing the phone, they discovered it was customized to connect to an encrypted messaging service called Matrix.

A joint investigation team (JIT) between the Dutch and French authorities allowed the police to monitor and intercept 2.3 million messages in 33 different languages sent through the devices. However, no technical details were provided on how they could do so.

MATRIX's 40 servers spread across Europe facilitated the communications of at least 8,000 user accounts. These accounts paid between $1350 and $1700 in cryptocurrency for a Google Pixel-based device and a six-month subscription to the service installed on the phone.

MATRIX was also sold under the names 'Mactrix,' 'Totalsec,' 'X-quantum,' and 'Q-safe,' but they all used the same infrastructure. (Bill Toulas / Bleeping Computer)

Related: Europol, The Register, The Record, ReadWrite, NL Times, Help Net Security

Source: Europol.

Germany has taken down the largest online cybercrime marketplace in the country, named "Crimenetwork," and arrested its administrator for facilitating the sale of drugs, stolen data, and illegal services.

The law enforcement action was carried out by the Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA).

Crimenetwork was the largest German-language marketplace where criminals posted stolen data and drugs for sale and offered services such as document forging.

When it was shut down, the site had over 100 registered sellers and 100,000 users, most of whom were based in German-speaking countries. Crimenetwork users could pay for goods and services using Bitcoin or the hard-to-trace cryptocurrency Monero (XMR).

BKA says that between 2018 and 2024, transactions on the platform amounted to 1,000 Bitcoin and over 20,000 Monero, which are currently valued at approximately 93,000,000 Euros ($98,000,000).

Crimenetwork earned a 5% cut from those transactions, plus a monthly subscription fee from sellers and advertising revenue. This means that the market's operators made at least $5,000,000 since 2018.

The arrested administrator is a 29-year-old suspect known online as "Techmin," believed to have served as a technical expert for Crimenetwork for several years.

He now faces charges related to Section 127 of the German Criminal Code, which regulates the operation of criminal online marketplaces, and offenses under Sections 29a and 30a of the Narcotics Act.

BKA also said that it had secured information about registered members of the cybercrime platform so that more arrests might follow in the future. (Bill Toulas / Bleeping Computer)

Related: BKA, AFP, Infosecurity Magazine, Heise Online

Sources say a nineteen-year-old hacker, Remington Ogletree, arrested last month in California, is suspected of belonging to the notorious cybercrime group Scattered Spider.

US prosecutors charged him on Oct. 30 with wire fraud about alleged crimes conducted from October 2023 through May 2024.

According to the government's request for detention, he was arrested in California within a week of the charges. Two people familiar with the matter said he’s an expert in phishing and is suspected of working with Scattered Spider to gain access to corporations. They declined to name those organizations.

Scattered Spider, a loosely organized cybercrime group, is infamous for terrorizing several large organizations in recent years. Authorities say it’s largely made up of young men in the US and the UK who use social engineering techniques to trick workers into giving them access to company networks. Members of Scattered Spider have been tied to attacks on MGM Resorts International, Caesars Entertainment Inc., Coinbase Inc., and others.

US prosecutors recently accused five alleged members of the gang in a hacking campaign that resulted in the theft of sensitive data and at least $11 million in cryptocurrency, according to a complaint and indictment unsealed last month. Court filings don’t identify the victims' names in that case, but one of them was Riot Games Inc., according to a person familiar with the matter. Riot Games declined to comment. UK police in July also arrested a 17-year-old for his alleged role in the group.

It’s unclear which Scattered Spider activities Ogletree allegedly participated in or to which victims the charges are related.

According to sources, he has been on law enforcement's radar for his alleged involvement in the Com. The large, international group is made up mostly of young male SIM swappers who organized on Telegram and Discord Inc. to steal cryptocurrency by taking control of victims’ phone numbers.

Ogletree’s case is before a federal court in New Jersey. He was released Nov. 19 on $50,000 bail. (Margi Murphy / Bloomberg)

Related: Bail Document

Sources say Kash Patel, Donald Trump’s pick to run the FBI, was recently informed by the bureau that he had been targeted as part of an Iranian hack.

According to one source, hackers are believed to have accessed at least some of Patel’s communications.

Iran has for several years targeted members of Trump’s first administration and, more recently, sent information its hackers stole from his presidential campaign to people affiliated with President Joe Biden’s campaign this summer.

In June, Iranian hackers breached the email account of longtime Trump ally Roger Stone and used the account to try to break into a senior Trump campaign official’s email, investigators have said. (Kristen Holmes, Evan Perez and Holmes Lybrand / CNN)

Related: Newsweek, CBS News, Jerusalem Post, Washington Examiner, ABC News, The Daily Beast, Daily Mail, WION

New research finds that phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs), such as .shop, .top, and .xyz, that attract scammers with rock-bottom prices and no meaningful registration requirements.

Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.

A study on phishing data released by Interisle Consulting finds that new gTLDs introduced in the last few years command just 11 percent of the market for new domains but account for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.

Interisle sources data about cybercrime domains from anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG).

The study finds that while .com and .net domains made up approximately half of all domains registered in the past year (more than all other TLDs combined), they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share, 37 percent, of cybercrime domains were registered through new gTLDs.

Spammers and scammers gravitate toward domains in the new gTLDs because these registrars tend to offer cheap or free registration with little to no account or identity verification requirements.

For example, among the gTLDs with the highest cybercrime domain scores in this year’s study, nine offered registration fees for less than $1, and nearly two dozen offered less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91. (Brian Krebs / Krebs on Security)

Related: Interisle

Source: Interisle.
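The study's central observation is one of over-representation: a TLD that holds a small share of registrations but a large share of reported cybercrime domains is disproportionately abused. The following is an added example, not code from Krebs on Security or Interisle, that reproduces that kind of analysis over a constructed registration feed and a constructed list of reported domains. The counts, the domain names and the ratio-based scoring are assumptions for illustration; they are not Interisle's data or methodology.

```python
"""Per-TLD abuse concentration over constructed sample data.

Added example (not Interisle's or Krebs's code). Given a registration
feed and a list of domains reported as phishing, compute each TLD's
share of registrations, its share of reported abuse, and the ratio
between them. A ratio well above 1 marks a TLD that carries far more
abuse than its registration volume alone would predict, which is the
pattern the study describes for new gTLDs such as .shop, .top and .xyz.
"""
from collections import Counter

# Constructed registration counts per TLD (illustrative, not the study's).
REGISTRATIONS = {
    "com": 500, "net": 60, "org": 80, "shop": 30, "top": 20, "xyz": 40, "de": 70,
}

# Constructed list of domains reported as phishing; these are not real indicators.
REPORTED_DOMAINS = [
    "login-verify-example.com", "secure-update.com", "account.shop",
    "parcel-tracking.shop", "wallet-reset.top", "claim-prize.top",
    "billing-alert.xyz", "id-check.xyz", "support.xyz", "mail.net",
]

# Assumed grouping of "new gTLDs" for the constructed data.
NEW_GTLDS = {"shop", "top", "xyz"}


def tld_of(domain: str) -> str:
    """Return the lowercase final label of a domain, tolerating a trailing dot."""
    return domain.rstrip(".").lower().split(".")[-1]


def abuse_concentration(registrations, reported_domains):
    """Return {tld: (registration_share, abuse_share, ratio)}, highest ratio first.

    ratio = abuse_share / registration_share; 1.0 means abuse is exactly
    proportional to the TLD's size, >1 means it is over-represented.
    """
    total_reg = sum(registrations.values())
    abuse_counts = Counter(tld_of(d) for d in reported_domains)
    total_abuse = sum(abuse_counts.values())
    result = {}
    for tld, reg in registrations.items():
        reg_share = reg / total_reg
        abuse_share = abuse_counts.get(tld, 0) / total_abuse if total_abuse else 0.0
        ratio = abuse_share / reg_share if reg_share else float("inf")
        result[tld] = (reg_share, abuse_share, ratio)
    return dict(sorted(result.items(), key=lambda kv: kv[1][2], reverse=True))


def overrepresented(registrations, reported_domains, threshold=2.0):
    """TLDs whose abuse share is at least `threshold` times their registration share."""
    conc = abuse_concentration(registrations, reported_domains)
    return [tld for tld, (_, _, ratio) in conc.items() if ratio >= threshold]


def group_shares(registrations, reported_domains, group):
    """(registration_share, abuse_share) for a set of TLDs taken together.

    This mirrors the study's comparison of new gTLDs as a block against
    their share of all registrations.
    """
    total_reg = sum(registrations.values())
    group_reg = sum(v for t, v in registrations.items() if t in group)
    reported = [d for d in reported_domains if tld_of(d) in group]
    abuse_share = len(reported) / len(reported_domains) if reported_domains else 0.0
    return group_reg / total_reg, abuse_share


if __name__ == "__main__":
    for tld, (reg, abuse, ratio) in abuse_concentration(REGISTRATIONS, REPORTED_DOMAINS).items():
        print(f".{tld:<5} registrations {reg:6.1%}  abuse {abuse:6.1%}  ratio {ratio:5.2f}")
    print("over-represented:", overrepresented(REGISTRATIONS, REPORTED_DOMAINS))
    print("new gTLDs (registration share, abuse share):",
          group_shares(REGISTRATIONS, REPORTED_DOMAINS, NEW_GTLDS))
```

The same functions run unchanged over a real registration feed and a real abuse report list once those are loaded in place of the constructed constants; the ratio, not the raw abuse count, is what separates a large TLD with proportionate abuse from a small TLD that is disproportionately abused.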

Sources say Signzy, the Bengaluru-based startup that serves over 600 financial institutions globally, including the four largest Indian banks, was hit by a cyberattack last week.

PayU, a Signzy customer, said that Signzy was hit by an “information stealer malware” and asserted that it had no exposure to the incident.

“There is no impact on PayU customers or their data due to Signzy’s information stealer malware. We have received written confirmation from the vendor that PayU and its customers’ data have not been compromised and remain secure with the best security standards in place,” PayU spokesperson Dimple Mehta said.

Signzy declined to comment on whether customer data had been exfiltrated. Debdoot Majumder, a spokesperson representing Signzy, said the company had hired a “professional agency for conducting the security incident investigation.” (Jagmeet Singh and Manish Singh / TechCrunch)

Related: SC Media, Inc42

A woman has been arrested as part of an investigation into a potentially substantial Electric Ireland data breach last year.

Gardaí said the woman, aged in her 20s, was taken into custody on Monday and detained at a station in the Dublin metropolitan area.

Although gardaí did not specify the incident, in early November, Electric Ireland issued a press release saying it was aware that an employee of a company working on its behalf may have inappropriately accessed a small proportion of 1.1 million residential customer accounts.

It said this had the potential for misuse of personal and financial information.

“Our investigations have established that approximately 8,000 customer accounts may have been compromised,” it said at the time. (Mark Hilliard / Irish Times)

In a public service announcement, the US Federal Bureau of Investigation (FBI) warned that cybercriminals increasingly rely on generative artificial intelligence (AI) to generate text, images, audio, and videos to amplify their scams.

Fraudsters already use AI to generate large volumes of more believable content and automate their scams to achieve larger scale. The FBI has listed dozens of ways cybercriminals are misusing AI tools to advance their fraudulent agenda.

In its announcement, the FBI provided examples of how criminals may use generative AI in their fraud schemes to generate synthetic content. (Ernestas Naprys / Cybernews)

Related: IC3

Best Thing of the Day: Making the Move From Twitter Even Easier

After he was banned from Twitter for tweeting about a site that tracks Elon Musk's jets, privacy-focused programmer Micah Lee launched Cyd, an acronym for “Clawback Your Data,” that gives users more control over their X history: archiving it, trimming it to their preferences, or destroying it altogether.

Bonus Best Thing of the Day: How to Operate in Stealth Mode

A group of security professionals launched the No Trace Project, which contains tools "to help anarchists and other rebels understand the capabilities of their enemies, undermine surveillance efforts, and ultimately act without getting caught."

Worst Thing of the Day: No One Needs AI Slop in Security Reports

Security developer Seth Larson has noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects.
