'Twas the season for shaky cyber reporting and holiday season infosec news recap
Chinese hacked US Treasury Department, Nine telcos officially hit by Salt Typhoon, Three telcos claim Salt Typhoon ejection, HHS launches proposed healthcare security rules, NSO Group found liable for infecting WhatsApp users, Russian sabotage ship filled with spying devices, much more
Happy New Year to all our readers!
Starting today and as long as it makes sense, the whole issue of Metacurity will be available only to our paid subscribers on Tuesdays and Thursdays.
Our goal is to introduce original content on these days that precedes the usual content you've come to expect from Metacurity, namely concise summaries and related links regarding the crucial infosec developments you need to know.
Our premium subscribers will have access to the more expansive summaries and relevant related articles on these two days, along with our best and worst things of the day and our customary closing thoughts.
So, please take this opportunity to sign up for a monthly or annual premium subscription and gain access to all of Metacurity's content, including unlimited access to our archives.
We won't leave our free subscribers entirely high and dry, though. Before you hit the paywall on these Tuesday/Thursday issues, we will offer a quick, scannable summary of the most critical infosec developments.
So today, for example, these summaries encompass the following incidents:
- In a letter to the US Senate Banking Committee, the US Treasury Department said it had been hacked by a Chinese state-sponsored actor who gained access to government workstations and unclassified documents through a third-party security contractor, with sources later saying the specific targets were the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary.
- Offering no evidence or analysis of how they achieved this critical feat, AT&T, Verizon Communications, and Lumen acknowledged that the China-linked Salt Typhoon hacking operation had hit them, but said they had managed to eject the threat actors and that their networks are now clear of intrusion.
- During a briefing with reporters, Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, said that under a proposed HHS rulemaking, healthcare organizations may be required to bolster their cybersecurity to better prevent sensitive information from being leaked by cyberattacks like the ones that hit Ascension and UnitedHealth.
- In a precedent-setting ruling, Northern California federal judge Phyllis Hamilton found NSO Group, the developer of the powerful Pegasus spyware, liable for its role in infecting devices belonging to 1,400 WhatsApp users.
- Eagle S, a ship that is part of Russia's shadow fleet, an assemblage of aged tankers created to carry Russian crude oil around the world covertly, was not only suspected of damaging an underwater electricity cable on Christmas Day, it was also equipped with special transmitting and receiving devices that were used to monitor naval activity, according to a source with direct involvement in the ship, which Finnish police have since detained.
- Federal authorities arrested and indicted Cameron John Wagenius, a US Army communications specialist recently stationed in South Korea, on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon.
- US authorities charged Rostislav Panev, a dual Russian and Israeli national, in connection with his alleged participation with the LockBit ransomware group and are seeking his extradition.
- Hospital operator Ascension told Maine's state attorney general that a ransomware attack earlier this year affected nearly 5.6 million people.
- The US Federal Bureau of Investigation (FBI), along with other agencies, including the Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency (NPA), published a report explaining how malicious actors from North Korea stole a massive $305 million from Japanese crypto exchange DMM in May of this year.
- The US Treasury Department announced it had imposed sanctions on entities in Iran and Russia, accusing them of attempting to interfere in the 2024 US election.
- Hyperliquid, a crypto-derivatives trading platform, suffered its biggest-ever daily outflow as traders rushed to remove funds amid concern that North Korean hackers were trading on the exchange.
- Rhode Island Gov. Daniel McKee said cybercriminals who hacked Rhode Island’s system for health and benefits programs have released files to a site on the dark web, a scenario the state has been preparing for.
- The cybercriminal IntelBroker leaked more data stolen from a Cisco DevHub instance, and the tech giant has confirmed its authenticity, stating that it originated from a recently disclosed security incident.
- A DDoS attack disrupted Japan Airlines operations the day after Christmas, causing delays to both domestic and international flights.
- The South Korean government sanctioned over a dozen individuals and one organization for a wide-ranging global scheme to fund North Korea’s nuclear and missile programs by impersonating IT workers abroad, stealing cryptocurrency, and facilitating cyberattacks.
- According to a report from Der Spiegel, the VW Group stored sensitive information for 800,000 electric vehicles from various brands on a poorly secured and misconfigured Amazon cloud storage system, leaving the digital door open for months.
- The Clop ransomware gang started extorting victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies had 48 hours to respond to the demands.
- Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that could steal customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
- Fortinet Inc.’s FortiGuard Labs issued a report detailing the activities of two different botnets observed through October and November that are being spread through vulnerabilities in D-Link Systems Inc. devices.
- Pittsburgh’s transit authority was hit with a ransomware attack, causing temporary disruptions to the city’s public transportation system.
- The pro-Russian, supposedly hacktivist group NoName057 attacked the websites of Milan's two airports, Malpensa and Linate, inconveniencing users who wanted to check incoming and outgoing flights but not disrupting the flights themselves.
- VulnCheck discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild.
- According to blockchain investigator Taylor Monahan, crypto hackers have devised a new sophisticated scam in which they target individuals by advertising roles with salaries ranging between $200,000 and $350,000, luring them into downloading malware that ultimately enables access to crypto accounts.
- Blockchain security firm SlowMist warned investors that hackers had been targeting crypto users with a sophisticated phishing attack disguised as Zoom meeting links to access their sensitive data, with some victims installing malicious software and losing assets worth millions of dollars.
- A hack exposed energy giant Duke Energy's customers’ personal and account information in May.
- Tennessee-based American Addiction Centers is notifying more than 422,000 people that their personal information was stolen in a recent data breach.
- Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing the firewall to reboot.
- The Ukrainian government reported that a Russian cyberattack on Ukraine's justice ministry registries caused a shutdown of online services for marriages and other matters, but no data appears to have been leaked or stolen.
- CloudSEK’s TRIAD team identified critical security vulnerabilities and risks from misusing Postman Workspaces, a popular cloud-based API development and testing platform.
Please note that student and non-profit organizations may be eligible for complimentary premium subscriptions. Drop me an email at cynthia [at] Metacurity.com to discuss this option.
Happy reading, and again, consider upgrading your subscription to gain access to all of Metacurity's content.
'Twas the season for shaky infosec reporting
Writing about cybersecurity is a career fraught with feints, switchbacks, uncertainty, and confusion, given the often incomplete information available to infosec journalists. Not to mention that cybersecurity is frequently under the control of unreliable threat actors and is highly technical, political, and corporate agenda-driven, which can cause even the best security experts to hedge or misdirect their messages, leaving frustrated reporters making the best of what is frequently a muddle.
Still, during this past holiday season, two press reports about Chinese threats propagated a spate of follow-on articles that led readers to wrong or incomplete conclusions. These shaky reports might have been avoided if greater care had been taken to dig a little deeper in the case of one set of articles and, in the case of the second set of articles, if a more skeptical journalistic eye had been applied to corporate statements.