Lawmaker Concerns Mount Over Salt Typhoon's Access to Wiretapping Requests

US and UK unveil kids' safety group, Ukraine cops bust man who ran Runet VPN, EU adopts IoT cyber requirement legislation, Fidelity says 77K customers' PII was stolen, Crypto whale lost $36M in phishing incident, Number of malicious packages soars, Mozilla issues emergency patch, much more

Zuzu, CC BY-SA 3.0 via Wikimedia Commons

Important Publishing Notice: Metacurity will not publish on Monday, October 14, in observance of the US Indigenous Peoples' Day holiday. We resume publication on Tuesday, October 15.


An important message from our sponsor, Anchore

Learn the building blocks for adopting a secure software factory model in a highly informative webinar. The Department of Defense (DoD) software factory model has emerged as a cornerstone of innovation and security for national defense and cybersecurity. Software factories represent an integration of principles and practices found within the DevSecOps movement, with technical guidelines to support continuous cyber-readiness with real-time visibility.

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."


US officials are racing to understand the full scope of a China-linked hack of major US broadband providers as concerns mount that the breach could amount to a devastating counterintelligence failure given that the hackers may have been able to spy on the US government's own efforts to spy on Chinese threats.

Federal authorities and cybersecurity investigators are probing the breaches of Verizon Communications, AT&T, and Lumen Technologies. A stealthy hacking group known as Salt Typhoon, tied to Chinese intelligence, is believed to be responsible. The compromises may have allowed hackers to access information from systems the federal government uses for court-authorized network wiretapping requests.

The House Select Committee on China sent letters asking the three companies to describe when they became aware of the breaches and what measures they are taking to protect their wiretap systems from attack.

Combined with other Chinese cyber threats, news of the Salt Typhoon assault makes clear that “we face a cyber-adversary the likes of which we have never confronted before,” Rep. John Moolenaar, the Republican chairman of the House Select Committee on China, and Raja Krishnamoorthi, the panel’s top Democrat, said in the letters. “The implications of any breach of this nature would be difficult to overstate,” they said. (Dustin Volz and Drew Fitzgerald / Wall Street Journal)

As social media platforms are increasingly scrutinized for their potential impact on children, the United States and Britain unveiled a joint working group to examine ways of improving children’s safety online.

US Commerce Secretary Gina Raimondo and British Science and Technology Minister Peter Kyle issued a statement urging tech platforms to protect children “further and faster.”

According to the NSPCC (the National Society for the Prevention of Cruelty to Young Children), Snapchat accounted for 43% of cases in Britain in which social media was used to distribute indecent images of children.

Meta's platforms, Facebook, Instagram, and WhatsApp, were used in 33% of child abuse crimes on social media, according to the NSPCC research. (Martin Coulter / Reuters)

Related: TechCrunch, GOV.UK, London Evening Standard, ComputerWeekly.com, The Independent, BBC News

Ukraine's cyber police arrested a 28-year-old man who operated a massive virtual private network (VPN) service, allowing people from within the country to access the Russian internet (Runet).

Runet is the portion of the internet that includes Russian sites on the ".ru" and ".su" top-level domains, including government sites, social media platforms, search engines, and various news platforms from the country. The Russian government has taken steps to control, restrict, monitor, and isolate Runet from the broader global internet.

Under restrictions and sanctions imposed by Ukraine's National Security and Defense Council (NSDC), access to the Runet is forbidden, and Ukrainian internet service providers (ISPs) are blocked from accessing Russian platforms from within the country.

According to the police's announcement, the VPN service offered access to over 48 million Runet IP addresses and facilitated network traffic that surpassed 100 gigabytes daily.

The service was advertised through Telegram channels and related online communities, with the hacker presenting himself as a project developer.

The suspect controlled the rogue VPN service from an autonomous server located in his apartment. At the same time, he also rented servers in Germany, France, the Netherlands, and Russia to facilitate access to the Russian network.

Because of this, the Ukrainian police believe Russian intelligence agents had access to information on the VPN service's users.

During the arrest and associated searches in Khmelnytskyi and Zhytomyr, the police seized server equipment, computers, and mobile phones. (Bill Toulas / Bleeping Computer)

Related: Cyberpolice.gov.ua

Image of the raid from the Ukrainian Cyber Police.

The European Union Council officially adopted the Cyber Resilience Act (CRA), which will introduce EU-wide cybersecurity requirements for products with digital elements.

The regulation will apply to all products connected directly or indirectly to another device or network, from smart doorbells and speakers to baby monitors.

The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent. It will ensure that products with digital components, such as Internet of Things (IoT) products, are secure throughout the supply chain and their lifecycle.

The CRA requirements will apply to the design, development, production, and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states.

Software and hardware products will bear the CE marking to indicate that they comply with the regulation's requirements.

Following the adoption of the legislation, the legislative act will be signed by the presidents of the Council and the European Parliament and published in the EU’s official journal in the coming weeks.

The new regulation will enter into force twenty days after this publication and will apply 36 months after it enters into force, with some provisions to apply at an earlier stage. (Beth Maundrill / Infosecurity Magazine)

Related: Industrial Cyber, BankInfoSecurity, Cybernews, Heise Online


An important message from Cynthia

Metacurity is a labor of love, but as they say, love doesn't pay the bills. If you enjoy reading Metacurity, please consider becoming a premium subscriber today for access to our archives and other exclusive perks. Thank you.


In a regulatory filing, one of the world’s largest asset managers, Fidelity Investments, confirmed that over 77,000 customers' personal information, including Social Security numbers and driver’s licenses, was compromised during an August data breach.

The firm said an unnamed third party accessed information from its systems between August 17 and August 19 “using two customer accounts that they had recently established.” 

“We detected this activity on August 19 and immediately took steps to terminate the access,” Fidelity said in a letter sent to those affected, adding that the incident did not involve any access to customers’ Fidelity accounts.

Fidelity confirmed that 77,099 customers were affected by the breach, and its completed review of the compromised data determined that customers’ personal information was affected.

In other regulatory filings, Fidelity revealed that the third party “accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents about Fidelity customers.” (Carly Page / TechCrunch)

Related: Office of the Maine Attorney General, Mass.gov, Benzinga, Engadget, CNET, Bleeping Computer, PYMNTS, Cybernews, Dark Reading, The Register, Cointelegraph, Silicon Angle

Blockchain security detection agency Scam Sniffer discovered that a crypto whale accidentally lost $36 million in fwDETH after signing a phishing signature that looked like a legitimate ‘permit.’

The victim, likely linked to @ContinueFund, lost 15,079 fwDETH in this attack. 

The hacker, identified by the wallet address 0x06…16eC, quickly sold off the stolen fwDETH, sending the dETH market sharply lower. This decentralized asset, usually pegged at a 1:1 ratio, plummeted in trading on DuoExchange, hitting lows of 0.06 ETH and fluctuating around 0.27 ETH. (Qadir AK / Coinpedia)
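The theft above hinged on a signing request that looked like an ordinary EIP-2612 "permit" (an EIP-712 typed-data message with owner, spender, value, nonce and deadline fields). The following is an added example, not code from Scam Sniffer or from the article, of the kind of wallet-side sanity check that flags such a request before the user signs: an unfamiliar spender, an effectively unlimited allowance, a deadline that never expires, or a chain mismatch. The allow-list, addresses and timestamps are constructed placeholders.

```javascript
// Added example (not from Scam Sniffer or the article): pre-signature checks
// on an EIP-712 "Permit" request. All addresses and times are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const DAY = 24 * 60 * 60;

// Returns { risky, findings } for one signTypedData request.
// opts.now: current unix time in seconds; opts.knownSpenders: addresses the
// user deliberately chose (e.g. a DEX router); opts.expectedChainId: the
// chain the wallet is connected to.
function checkPermitRequest(typedData, opts) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  if (primaryType !== 'Permit') {
    return { risky: false, findings: [`primaryType ${primaryType} is not Permit`] };
  }

  // 1. Spender: an allowance to a contract the user never chose is the core
  //    of a permit phish, so anything outside the allow-list is flagged.
  const spender = String(message.spender || '').toLowerCase();
  const known = (opts.knownSpenders || []).map((a) => a.toLowerCase());
  if (!known.includes(spender)) {
    findings.push(`spender ${spender} is not a contract you chose`);
  }

  // 2. Value: anything near uint256 max is an unlimited allowance.
  let value = null;
  try { value = BigInt(message.value); } catch { /* not an integer */ }
  if (value === null) {
    findings.push('value is not a valid integer');
  } else if (value >= MAX_UINT256 / 2n) {
    findings.push('value grants an effectively unlimited allowance');
  }

  // 3. Deadline: a permit that never expires can be redeemed long after the
  //    user has forgotten signing it.
  let deadline = null;
  try { deadline = BigInt(message.deadline); } catch { /* not an integer */ }
  if (deadline === null || deadline > BigInt(opts.now + 30 * DAY)) {
    findings.push('deadline is far in the future (permit would not expire)');
  }

  // 4. Domain: the chainId must match the chain the wallet is connected to.
  if (opts.expectedChainId !== undefined &&
      Number(domain.chainId) !== opts.expectedChainId) {
    findings.push(`domain chainId ${domain.chainId} differs from the connected chain`);
  }
  return { risky: findings.length > 0, findings };
}

// Constructed sample inputs (placeholder addresses, not real contracts).
const NOW = 1728600000;                                   // constructed "current time"
const TOKEN = '0x' + '0'.repeat(39) + '1';
const OWNER = '0x' + '0'.repeat(39) + '2';
const ROUTER = '0x' + '0'.repeat(37) + 'dec';             // spender the user chose
const UNKNOWN = '0x' + '0'.repeat(37) + 'bad';            // spender the user did not

const OPTS = { now: NOW, knownSpenders: [ROUTER], expectedChainId: 1 };

// Looks like a normal permit but asks for an unlimited, never-expiring
// allowance to an unfamiliar spender.
const PHISHING_REQUEST = {
  domain: { name: 'Example Token', version: '1', chainId: 1, verifyingContract: TOKEN },
  primaryType: 'Permit',
  message: { owner: OWNER, spender: UNKNOWN, value: MAX_UINT256.toString(),
             nonce: '0', deadline: MAX_UINT256.toString() },
};

// A bounded permit to a spender the user selected, expiring in 20 minutes.
const BENIGN_REQUEST = {
  domain: { name: 'Example Token', version: '1', chainId: 1, verifyingContract: TOKEN },
  primaryType: 'Permit',
  message: { owner: OWNER, spender: ROUTER, value: '1000000000000000000',
             nonce: '0', deadline: String(NOW + 1200) },
};

console.log(checkPermitRequest(PHISHING_REQUEST, OPTS));
console.log(checkPermitRequest(BENIGN_REQUEST, OPTS));
```

The check is deliberately conservative: it cannot prove a request is safe, only surface the properties (spender, magnitude, lifetime, chain) that a legitimate-looking permit hides in plain sight.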

Related: cryptonews, Coingape

Researchers at Sonatype report that the number of malicious packages in the open-source ecosystem has jumped by more than 150% compared to last year.

Even when there is a fix, it also takes longer to patch or mitigate, and Sonatype found that some major bugs, like Log4Shell, are still being downloaded years after discovery. The researchers found that 13% of Log4J downloads included vulnerable versions.

Critical vulnerabilities used to take 200 to 250 days to fix, but now it can take up to 500 days before a new release.

Medium- and low-severity bugs saw an even more dramatic increase in mitigation time, taking more than 500 and, in some cases, 800 days or more before a patch was issued. The report shows that less than five years ago, those numbers rarely exceeded 400. (Christian Vasquez / Cyberscoop)

Related: Sonatype, Silicon Angle, Infosecurity Magazine

Source: Sonatype.

Palo Alto Networks warned customers to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.

The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Checkpoint, Cisco, or other supported vendors. These bugs are a combination of command injection, reflected cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities.

They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.

Horizon3.ai vulnerability researcher Zach Hanley, who found and reported four of the bugs, published a root cause analysis write-up that details how he found three of these flaws while researching the CVE-2024-5910 vulnerability (disclosed and patched in July), which allows attackers to reset Expedition application admin credentials.

He also released a proof-of-concept exploit that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 command injection vulnerability to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers. (Sergiu Gatlan / Bleeping Computer)

Related: Palo Alto Networks, Horizon3.ai, GitHub, TechMonitor, SC Media, Security Week, Channel E2E, CSO Online

Mozilla issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability currently exploited in attacks.

The vulnerability tracked as CVE-2024-9680, discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

This type of flaw occurs when a program keeps using memory after it has been freed; if an attacker can place controlled data in that region before it is reused, the stale reference can be turned into code execution.
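A use-after-free is at bottom a lifetime mismatch: one component (here, a timeline) keeps a raw pointer to an object that another component owns and frees. The following is an added example, not Mozilla code, showing the standard mitigation in C: reference-counted ownership, so the object is freed only when the last holder lets go, plus clearing the reference on release so no dangling pointer survives. The Animation and Timeline types and all function names are hypothetical.

```c
/* Added example, not Mozilla's code: reference-counted ownership so a timeline
 * that outlives an animation's original owner never touches freed memory.
 * All type and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int animations_freed = 0;   /* counts real frees, for checking */

typedef struct Animation {
    int refcount;
    int id;
    int ticks;
} Animation;

Animation *animation_new(int id) {
    Animation *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->refcount = 1;               /* the creator holds the first reference */
    a->id = id;
    return a;
}

Animation *animation_ref(Animation *a) {
    if (a) a->refcount++;
    return a;
}

/* Drop one reference; free only when the last holder lets go. */
void animation_unref(Animation *a) {
    if (!a) return;
    if (--a->refcount == 0) {
        memset(a, 0, sizeof *a);   /* scrub so any stale use is loud, not silent */
        free(a);
        animations_freed++;
    }
}

typedef struct Timeline {
    Animation *current;            /* owning reference, taken with animation_ref */
} Timeline;

void timeline_set(Timeline *t, Animation *a) {
    Animation *old = t->current;
    t->current = animation_ref(a); /* take the new reference before dropping the old */
    animation_unref(old);
}

/* Advance the timeline; returns the id of the animation ticked, or -1 if none. */
int timeline_tick(Timeline *t) {
    if (!t->current) return -1;
    t->current->ticks++;
    return t->current->id;
}

void timeline_clear(Timeline *t) {
    animation_unref(t->current);
    t->current = NULL;             /* never leave a dangling pointer behind */
}

/* Scenario: the owner creates an animation, hands it to the timeline, then
 * releases its own reference. With a raw pointer the next tick would be a
 * use-after-free; with refcounting the timeline still holds live memory. */
int demo(void) {
    Timeline tl = { NULL };
    Animation *a = animation_new(7);
    timeline_set(&tl, a);
    animation_unref(a);            /* owner is done; the object must survive */
    int id = timeline_tick(&tl);   /* safe: refcount is still 1 */
    timeline_clear(&tl);           /* last reference gone: freed exactly once */
    return id;
}

int main(void) {
    printf("ticked animation %d, freed %d object(s)\n", demo(), animations_freed);
    return 0;
}
```

Building with AddressSanitizer (`-fsanitize=address`) is the complementary check: if a raw pointer ever does outlive the object, the sanitizer reports the stale access at the first read instead of leaving it to surface as exploitable memory corruption.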

The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Given the active exploitation status for CVE-2024-9680 and the lack of any information on how people are targeted, upgrading to the latest versions is essential. (Bill Toulas / Bleeping Computer)

Related: Mozilla, PC World, Android Authority, Help Net Security, Heise Online

Best Thing of the Day: Expanding Help to Those Who Deserve It

Google's Project Shield, which has helped news, human rights, and elections-related organizations defend against distributed denial of service (DDoS) attacks since 2013, is now expanding eligibility criteria to support and protect organizations representing marginalized groups and non-profit organizations supporting the arts and sciences.

Bonus Best Thing of the Day: Boosting Cyber Pros Into High-Ranking Roles

The British government announced that Poppy Gustafsson, the former CEO of cybersecurity firm Darktrace, would be its new investment minister.

Worst Thing of the Day: Apple AI Says She's Dumping You

Software developer Nick Spreen received an alert on his iPhone 15 Pro, delivered through an early test version of Apple's upcoming Apple Intelligence text message summary feature, notifying him that his girlfriend is "No longer in a relationship; wants belongings from the apartment."

Bonus Worst Thing of the Day: Fool Me Once...

Korean NFT artist DeeKay Kwon said that his crypto wallet was stolen, causing him to lose all his life savings. This was the second time he had fallen prey to a crypto theft attack.
