US CFPB Warns Employees Against Phone Use Due to China's Salt Typhoon Hacks

Salt Typhoon tapped Trump lawyer's phone, Russian interference is now baked into US elections, China's MirrorFace targeted EU diplomatic org, TSA issues new cyber NPRM, New DPRK campaign seeks crypto firm intrusions through disguised malware, Chinese hackers breached Singapore Telecom, much more




The US Consumer Financial Protection Bureau (CFPB) issued a directive to employees to reduce their phone use for work purposes because of China’s recent hack of US telecommunications infrastructure.

In an email to staff, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms such as Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.

“Do NOT conduct CFPB work using mobile voice calls or text messages,” the email said while referencing a recent government statement acknowledging the telecommunications infrastructure attack. “While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” said the email, which was sent to all CFPB employees and contractors.

The alert is the latest demonstration of concerns within the federal government about the scale and scope of the hack, which investigators are still endeavoring to understand fully and have attributed to a group dubbed Salt Typhoon. (AnnaMaria Andriotis and Dustin Volz / Wall Street Journal)

Related: CyberScoop, KDFX-TV, ABC7, The Verge, CPO Magazine, CSO Online

Sources say the FBI has informed one of Donald Trump’s lead attorneys, Todd Blanche, that his cellphone was tapped by Chinese hackers known as Salt Typhoon as part of a wide-ranging operation targeting top Republicans and Democrats in US politics that has been underway for months.

According to one source, the FBI informed Blanche last week that the hackers were able to obtain some voice recordings and text messages from his phone but that none of the information was related to Trump.

The source said that the FBI provided Blanche, who had to start using a different number after the breach, with information about what the hackers had obtained, including communications with family. (Paula Reid, Kaitlan Collins, and Sean Lyngaas / CNN)

Related: Forbes, The Independent, ABC News, Mediaite, The New Republic, Daily Mail, Raw Story, Apple Insider

In the days leading up to the US presidential election, Russia abandoned any pretense that it was not trying to interfere in the American presidential election.

The Kremlin’s information warriors not only produced a late wave of fabricated videos that targeted the electoral process and the Democratic presidential ticket but also no longer bothered to hide their role in producing them.

A fabricated interview claiming election fraud in Arizona was conducted by the director of a Kremlin think tank, Mira Terada, who returned to Russia in 2021 after serving a prison sentence in the United States for money laundering. Another video on Rumble, the video-sharing platform, targeted the Democratic vice-presidential nominee and featured John Mark Dougan, a former deputy sheriff from Florida who had previously denied working for the Kremlin’s propaganda apparatus.

This year’s election underlined how much foreign interference and disinformation generally have become baked into American politics. Increasingly unfettered social media platforms like X and Telegram and the country’s constitutional protections of free speech have opened the door for foreign influence, even if American law prohibits it.

“The flood of disinformation from Russian troll farms is just seemingly part of the overarching information environment,” said Chris Krebs, who served as the director of the Cybersecurity and Infrastructure Security Agency during President-elect Donald J. Trump’s first term, only to be fired when he called the last election fairly run.

The brazenness, compared with 2016 or 2020, reflects the stakes Russian President Vladimir Putin faces two and a half years after ordering a full invasion of Ukraine. American and NATO support for Ukraine has helped thwart Russia’s war aims, at great cost in lives and materiel, and Trump’s return offers the best hope for undercutting it.

“In 2016, there wasn’t a grand strategic purpose to Russia’s disinformation campaign,” said Alex Stamos, who led Facebook’s efforts against it during that election and now works for SentinelOne, a cybersecurity company. “Now there is.” (Steven Lee Myers and Julian E. Barnes / New York Times)

Researchers at ESET report that they have spotted MirrorFace, a hacking group they believe is aligned with China, targeting a diplomatic organization in the European Union for the first time.

ESET noted that the move marks an expansion in the threat group’s range of targets, which historically has been restricted to entities in Japan.

Although the identity of the target diplomatic organization wasn’t disclosed, the lure document in the spearphishing email maintained a Japanese theme, encouraging the target to download a document titled “The EXPO Exhibition in Japan in 2025.”

“Even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it,” reported ESET.

This follows a warning from Japanese authorities in July of an expansion in activities linked to MirrorFace. While the hackers initially focused on gaining access to “media, political organizations, think tanks and universities” in the country, they were increasingly also targeting “manufacturers and research institutions.” (Alexander Martin / The Record)

Related: We Live Security, ESET, Dark Reading, Cyberscoop

The Transportation Security Administration issued long-awaited proposed cyber mandates that would add to the emergency security directives first issued following the Colonial Pipeline ransomware attack in 2021.

Its Notice of Proposed Rulemaking will serve as one of the last major policy actions the Biden administration will take to protect critical infrastructure from malicious cyberattacks before President-elect Donald Trump takes office.

The Biden administration’s efforts to secure pipelines began in earnest in May 2021 following the Colonial Pipeline attack. Weeks after the extortion attempt by the ransomware group BlackCat, TSA sent out security directives that issued first-of-its-kind cyber mandates to the pipeline sector, which previously relied on voluntary efforts.

Many trade organizations representing oil and natural gas considered the security directives unwelcome. However, the TSA issued subsequent directives that soothed industry concerns. Additionally, the TSA’s security directives have to be renewed annually, so the agency moved forward with a more permanent rulemaking process.

TSA’s new proposed rule would impact just under 300 owners and operators that fall under the agency’s authority in freight railroad, passenger railroad, rail transit, and pipeline sectors, the notice states. Additionally, the rule would ensure the aviation sector follows the same mandates.

The mandates would also require covered entities to develop cyber risk management programs and establish a cybersecurity operational plan, including regular audits to assess their effectiveness.

Additionally, the proposal would require covered entities to report incidents to the Cybersecurity and Infrastructure Security Agency in anticipation of the upcoming law.

TSA expects the proposal to impact 73 freight railroads, 34 public transportation agencies and passenger railroads, and 115 pipeline facilities and systems. Additionally, 71 over-the-road bus owners must report significant security concerns. (Christian Vasquez / Cyberscoop)

Related: TSA, Federal Register, Industrial Cyber, DC Velocity, Progressive Railroading, Railway Track and Structures

Researchers at SentinelOne report that North Korean state-sponsored hackers, the notorious BlueNoroff threat actor, a subgroup of the infamous Lazarus Group, expanded their arsenal, launching a new campaign dubbed ‘Hidden Risk’ that seeks to infiltrate crypto firms through malware disguised as legitimate documents.

The series of attacks is a calculated effort to extract funds from the fast-growing $2.6 trillion crypto industry, taking advantage of its decentralized and often under-regulated environment.

Instead of their usual strategy of grooming social media victims, the hackers rely on phishing emails that appear as crypto news alerts, which began cropping up in July, according to SentinelOne.

The emails, disguised as updates on Bitcoin prices or the latest trends in decentralized finance (DeFi), lure victims into clicking on links that appear to lead to legitimate PDF documents. (Sebastian Sinclair / Decrypt)

Related: SentinelOne, Security Affairs, Cybernews, The Record, Bleeping Computer, HackRead, Security Week, Infosecurity Magazine

Source: SentinelLabs.

Sources say Singapore Telecommunications, Singapore’s largest mobile carrier, was breached by Chinese state-sponsored hackers this summer as part of a broader campaign against telecommunications companies and other critical infrastructure operators around the world.

According to the sources, the previously undisclosed breach was discovered in June, and investigators believe it was pulled off by a hacking group known as Volt Typhoon.

Officials in the US, Australia, Canada, the UK, and New Zealand, the “Five Eyes” intelligence-sharing alliance, warned earlier this year that Volt Typhoon was embedding itself inside compromised IT networks to give China the ability to conduct disruptive cyberattacks in the event of a military conflict with the West.

According to the sources, the breach of Singtel, a carrier with operations throughout Southeast Asia and Australia, was seen by China as a test run for further hacks against US telecommunications companies. Information from the attack has provided clues about the expanding scope of suspected Chinese attacks against critical infrastructure abroad, including in the US.

A Singtel spokesperson confirmed that malware on the company’s network was detected in June and that the incident was reported to authorities. No data was taken, and the spokesperson said there was no impact on Singtel’s services. (Jordan Robertson and Katrina Manson / Bloomberg)

Related: Reuters, Light Reading, The Register

In October, video game giant Activision said it had fixed a bug in its anti-cheat system that affected “a small number of legitimate player accounts,” who were getting banned because of the bug.

In reality, according to the hacker calling themself Vizor, who found the bug and was exploiting it, they were able to ban “thousands upon thousands” of Call of Duty players, who they essentially framed as cheaters.

“I could have done this for years and as long as I target random players and no one famous it would have gone without notice,” said Vizor, who added that it was “funny to abuse the exploit.”

In 2021, Activision released its Ricochet anti-cheat system, which runs at the kernel level in an attempt to make it even harder for cheat developers to get around it.

Vizor said they were able to find a unique way to exploit Ricochet and use it against the players it was supposed to protect. The hacker realized Ricochet was using a list of specific hardcoded text strings as “signatures” to detect hackers. For example, Vizor said one of the strings was the words “Trigger Bot,” which refers to a type of cheat that automatically triggers a cheater’s weapon when their crosshair is over a target.

Vizor said they could simply send a private message, known as a “whisper” in the game, that included one of these hardcoded strings, such as “Trigger Bot,” and get the player they were messaging banned from the game. (Lorenzo Franceschi-Bicchierai / TechCrunch)
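As an added illustration, not Ricochet’s code (the article describes only the use of hard-coded signature strings), the model below assumes a process is a list of named memory regions with a permission string and a byte buffer. It contrasts a scanner that matches signatures anywhere in memory, which a received chat message can trip, with one that skips writable data buffers and matches only in read-only or executable image sections.

```python
"""Signature matching over attacker-influenceable data: the false-positive trap.

Added example; constructed memory layouts, not a real game client or anti-cheat.
"""
from dataclasses import dataclass

# Constructed signature list. "Trigger Bot" is the one string the article names;
# the second entry is made up for illustration.
SIGNATURES = [b"Trigger Bot", b"Aimbot Core"]


@dataclass
class Region:
    name: str    # e.g. "game.exe:.text" or "heap:chat_buffer"
    perms: str   # "r-x" code, "r--" read-only data, "rw-" writable data
    data: bytes


def naive_scan(regions):
    """Flag any signature found anywhere in the process, writable buffers included."""
    hits = []
    for r in regions:
        for sig in SIGNATURES:
            if sig in r.data:
                hits.append((r.name, sig.decode()))
    return hits


def scoped_scan(regions):
    """Only inspect non-writable regions: a loaded module's code and read-only
    data. A chat buffer is writable and filled by other players, so text that
    arrives there says nothing about what code the local client is running."""
    hits = []
    for r in regions:
        if "w" in r.perms:
            continue
        for sig in SIGNATURES:
            if sig in r.data:
                hits.append((r.name, sig.decode()))
    return hits


def should_ban(regions, scanner):
    return bool(scanner(regions))


def build_victim_process():
    # Constructed: a clean client whose chat buffer holds a whisper it received.
    return [
        Region("game.exe:.text", "r-x", b"\x55\x48\x89\xe5" + b"\x90" * 32),
        Region("heap:chat_buffer", "rw-", b"whisper from xyz: gg Trigger Bot lol"),
    ]


def build_cheater_process():
    # Constructed: an injected module whose read-only data carries the signature.
    return [
        Region("game.exe:.text", "r-x", b"\x55\x48\x89\xe5" + b"\x90" * 32),
        Region("cheat.dll:.text", "r-x", b"\x48\x83\xec\x28\xc3"),
        Region("cheat.dll:.rdata", "r--", b"Trigger Bot\x00v1.2\x00"),
    ]
```

With the naive scanner the clean client is banned on the strength of one incoming message; the scoped scanner still catches the injected module while ignoring the chat buffer.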

Related: Cybernews, Fudzilla, NewsBytes

In an SEC filing, Newpark Resources, a key oilfield supplier, said a ransomware attack last week had caused disruptions and limited access to certain systems.

The company said it discovered the ransomware attack on October 29 that affected internal information systems. 

“The incident has caused disruptions and limitation of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems,” the company told the Securities and Exchange Commission (SEC).

“However, the Company’s manufacturing and field operations have continued in all material respects utilizing established downtime procedures.” 

The company has not determined what the costs and financial impacts of the incident will be but said the attack “is not reasonably likely to materially impact the Company's financial conditions or results of operations.” (Jonathan Greig / The Record)

Related: SEC, Cybernews, The Cyber Express

According to a document authored by what appears to be law enforcement officials in Detroit, Michigan, law enforcement officers are warning other officials and forensic experts that iPhones stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock.

The authors hypothesize that Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time. After being rebooted, iPhones are generally more secure against tools that aim to crack the password of and take data from the phone.

“The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network,” the document reads. 

The document says that a digital forensics lab had a number of iPhones in an After First Unlock (AFU) state. AFU means that since the last time the device was powered on, someone (typically the owner) has unlocked it with their passcode or similar at least once. Generally, law enforcement has an easier time accessing devices in an AFU state with specialized tools.

“However, something had caused the devices to reboot since their intake, and they lost the AFU state,” the document says. This includes iPhones that were in Airplane mode and even one that was inside a Faraday box. A Faraday box blocks electronic signals from reaching the device, such as wipe commands, and stops it from communicating with cellular networks.

The document says after the reboot, the devices entered a Before First Unlock (BFU) state. This made unlocking them significantly harder, and according to the document, cracking them is now not possible with current tooling.

The document says that three iPhones running iOS 18.0, the latest major iteration of Apple’s operating system, were brought into the lab on October 3. The law enforcement officials hypothesize that “the iPhone devices with iOS 18.0 brought into the lab, if conditions were available, communicated with the other iPhone devices that were powered on in the vault in AFU. That communication sent a signal to devices to reboot after so much time had transpired since device activity or being off network.” They believe this could apply to iOS 18.0 devices that are not just entered as evidence but also personal devices belonging to forensic examiners. (Joseph Cox / 404 Media)

Related: Apple Insider, Android Authority, MacRumors

Source: 404 Media.

A potential cyber intrusion is causing outages within court systems across the state of Washington.

The Washington State Administrative Office of the Courts (AOC) warned state residents that it “recently identified unauthorized activity on the Washington Courts network.” 

The outages have affected courts in the counties of Thurston, Monroe, Renton, Puyallup, Bainbridge, King, Pierce, Whatcom, and Lewis, as well as municipal courts in several cities. 

“We have taken immediate action to secure critical systems and are working to safely restore service. Please be advised that there will be intermittent impacts to accessibility of our public website and systems in the coming days as we continue to restore services,” the AOC said. (Jonathan Greig / The Record)

Related: Washington Courts on Facebook, Seattle Times, The Register, Security Week, Bleeping Computer, TechRadar, Teiss, KIRO7, SC Media, Cyber Daily

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS.

This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

"Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA says.

CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog on Thursday. As required by the binding operational directive (BOD 22-01) issued in November 2021, US federal agencies must now secure vulnerable Palo Alto Networks Expedition servers on their networks against attacks within three weeks, by November 28. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, Security Week, CRN, Security Affairs, The Stack

Embed Security, which specializes in AI-driven threat analysis, announced it had raised $6 million in early-stage venture funding.

Paladin Capital Group led the round with participation from industry executive angel investors. (Fintech Global)

Related: Paladin Capital Group, ET CIO

Corgea, specializing in AI-driven vulnerability detection and remediation, announced it had closed a $2.6m seed venture funding round.

Shorooq Partners led the round, with participation from prominent investors Y Combinator, Propeller, Decacorn Capital, Unbound Ventures, and various prominent angels such as Jawed Karim (co-founder of Youtube & Y Ventures) and Sam Kassoumeh (Co-founder of SecurityScoreCard). (FinTech Global)

Related: FinSMEs, Zawya

Best Thing of the Day: At Least All That Stress Pays Well

The latest State of the Security Profession report issued by the Chartered Institute of Information Security (CIISec) shows that infosec professionals' wages have risen at a rate well above inflation over the past several years, even as job-related stress has increased.

Worst Thing of the Day: Ransom for Kidnapping Is Still a Thing

Dean Skurka, the president and CEO of Toronto-based cryptocurrency financial firm WonderFi, was kidnapped and held for ransom in downtown Toronto and was released only after a ransom of $1 million was paid in Bitcoin.
