Tuesday, Dec 31, 2024 // (IG): BB // GITHUB // SGM Jarrell
Chinese State-Sponsored Hackers Breach U.S. Treasury Department via Third-Party Service
Bottom Line Up Front (BLUF): Chinese state-sponsored hackers recently infiltrated the U.S. Treasury Department, exploiting a third-party service provider, BeyondTrust. The attackers accessed several employee workstations and unclassified documents using a stolen access key. Immediate containment measures were implemented, and no evidence of continued access has been found.
Analyst Comments: This breach highlights the persistent vulnerability of supply chain services in cybersecurity. Using a stolen key emphasizes the need for stringent third-party vendor management and regular key rotation practices. With China's history of targeting U.S. government entities, this incident underscores the geopolitical dimensions of cyber threats. Future intrusions of this nature could lead to more significant compromises if preventive measures are not intensified.
FROM THE MEDIA: The U.S. Treasury Department informed lawmakers that Chinese state-sponsored hackers infiltrated their systems in early December. BeyondTrust, a third-party cybersecurity provider, reported the breach to the Treasury on December 8. The attackers exploited a stolen key to gain remote access to several employee workstations and unclassified documents. The department promptly involved the Cybersecurity and Infrastructure Security Agency (CISA) and other law enforcement agencies to contain the breach. The compromised BeyondTrust service was taken offline shortly after the breach was identified. China’s embassy in Washington, D.C., denied the allegations, characterizing them as unfounded accusations. However, the incident aligns with a pattern of sophisticated cyber-espionage activities attributed to Chinese hackers. For instance, in 2023, Chinese state-sponsored actors breached high-profile email accounts of U.S. officials and compromised more than two dozen global organizations. The Treasury Department has been a frequent target of such attacks due to its critical role in managing international financial sanctions and sensitive financial data. In 2020, Russian hackers also targeted the department in a separate high-profile breach.
READ THE STORY: The Guardian // Reuters // WSJ
Chinese Embassy Denies Treasury Cyberattack as Evidence Points to APT Involvement
Bottom Line Up Front (BLUF): The Chinese government denies involvement in the U.S. Treasury Department cyberattack, which leveraged a compromised API key from third-party vendor BeyondTrust. The breach allowed remote access to unclassified workstations, and technical indicators suggest the attack aligns with known techniques of Chinese APT groups such as APT41.
Analyst Comments: This incident underscores the Treasury's attractiveness as a target for espionage due to its critical role in sanctions, financial strategy, and global economic policy. Leveraging supply chain vulnerabilities is a hallmark of advanced Chinese APT groups, and using a compromised API key demonstrates the sophistication of the operation. The attack further highlights systemic risks in third-party vendor security, particularly in privileged access management, reinforcing the need for Zero Trust architectures and stricter regulatory oversight.
FROM THE MEDIA: The Chinese foreign ministry swiftly rejected accusations of involvement in the U.S. Treasury cyberattack. A spokesperson labeled the claims “groundless,” asserting that China “opposes all forms of hacker attacks” and criticizing the U.S. for spreading “false information for political purposes.” This denial follows a well-established pattern of rejecting responsibility for cyber incidents attributed to Chinese state-backed groups. China’s stance aligns with its broader strategy of portraying itself as a victim of cyber aggression rather than a perpetrator. Acknowledging the breach would risk affirming U.S. allegations of espionage, which could strain trade negotiations, provoke sanctions, or justify expanded cybersecurity initiatives targeting Chinese firms. Additionally, an admission could embolden international coalitions to increase scrutiny of Chinese cyber activities, isolating Beijing further on the global stage.
Note:
China's extensive cyber espionage activities have targeted various U.S. sectors, including government agencies and private enterprises. Notable incidents include the 2015 breach of the Office of Personnel Management, where the personal data of millions of federal employees was compromised, and the theft of trillions in intellectual property from approximately 30 multinational companies by the Chinese state actor APT41. Despite substantial evidence linking these cyberattacks to Chinese state-sponsored groups, Beijing consistently denies involvement. This strategy allows China to evade direct accountability and counter allegations by accusing accusers of harboring anti-China biases. Such denials deflect international criticism while enabling the continuation of strategic cyber operations aimed at economic and political gains.
Fake 7-Zip Vulnerability Prank on Social Media Sparks Confusion
Bottom Line Up Front (BLUF): A social media user on X, claiming to be @NSA_Employee39, falsely claimed to have released a zero-day arbitrary code execution (ACE) vulnerability for the popular file compression software 7-Zip. Security experts and the developer of 7-Zip quickly debunked the claim as fake, leaving the motives behind the post unclear.
Analyst Comments: While this incident may appear trivial, it underscores the challenges of misinformation in cybersecurity. False vulnerability claims can waste valuable resources, distract professionals from genuine threats, and undermine trust in open-source projects like 7-Zip. Moreover, such pranks can serve as testing grounds for gauging community responses, potentially paving the way for more sophisticated disinformation campaigns in the future. Increased vigilance and clear communication from developers are essential to mitigate the impacts of these false alarms.
FROM THE MEDIA: On December 30, 2024, a social media user using the handle @NSA_Employee39 claimed to have discovered a zero-day vulnerability in 7-Zip. The alleged exploit, shared via Pastebin, enabled arbitrary code execution by exploiting a buffer overflow in the software’s LZMA stream. Despite initial intrigue, no one could reproduce the exploit, and experts quickly labeled the code as non-functional. Igor Pavlov, the developer of 7-Zip, addressed the claim directly on the software’s forum, dismissing it as a fabrication. "This report on Twitter is fake," Pavlov stated, emphasizing that no such vulnerability exists in the software. Cybersecurity experts echoed this sentiment, questioning the motivations behind the hoax. The incident gained attention for its odd timing during the holiday season and misleading presentation. Some speculated that the user sought attention or engagement on the platform, as they promised to release more "zero-days" throughout the week. The prank underscores the importance of verifying vulnerability disclosures through trusted channels and maintaining skepticism toward unverifiable online claims.
READ THE STORY: The Record
Salt Typhoon: Chinese Spies Breach U.S. Telecom Networks, White House Responds
Bottom Line Up Front (BLUF): Chinese state-sponsored hackers, identified as "Salt Typhoon," infiltrated major U.S. telecom providers, including AT&T, Verizon, and Lumen Technologies. The intrusions enabled the geolocation of millions of individuals and the interception of calls. The White House has labeled this breach one of the most significant in U.S. telecom history, prompting regulatory and legislative responses.
Analyst Comments: The attackers exploited administrative accounts to gain broad access, highlighting weaknesses in identity management and access controls. The scale of data exposure, especially geolocation data and call interceptions, emphasizes the need for more substantial industry-wide cybersecurity standards. U.S. regulatory measures, such as the FCC’s proposed cybersecurity rules, are essential but may require significant implementation time. The breach’s implications extend beyond national security, potentially disrupting trust in telecom providers.
FROM THE MEDIA: Salt Typhoon, a Chinese state-sponsored hacking group, breached networks of U.S. telecom providers, including AT&T, Verizon, and Lumen Technologies, earlier this year. The hackers gained extensive access, allowing geolocation tracking of millions of individuals and the ability to record calls. The White House confirmed the breaches, describing them as a severe threat to national security. AT&T acknowledged the compromise of a few customers, primarily individuals of foreign intelligence interest. Verizon reported similar impacts, with high-profile government and political customers affected. Both companies stated that the intrusions have been contained, with no evidence of ongoing malicious activity. Lumen Technologies confirmed the breach but found no signs of customer data being accessed.
READ THE STORY: The Register
Chrome Extensions Hacked in Wide-Scale Attack, Over 600,000 Users Affected
Bottom Line Up Front (BLUF): A sophisticated phishing campaign has compromised at least 16 popular Chrome browser extensions, exposing over 600,000 users to credential theft and data exfiltration. Malicious code was injected into the extensions after targeting their developers via phishing emails, allowing attackers to steal cookies, tokens, and sensitive user data.
Analyst Comments: The compromise of trusted extensions underscores the importance of stricter developer account security, more robust extension review processes, and user awareness. Given the campaign’s apparent longevity and scale, more extensions may still be vulnerable, calling for immediate security audits. Organizations should consider endpoint monitoring to detect and mitigate risks from compromised extensions already in use.
FROM THE MEDIA: The attack campaign began with a phishing scheme targeting Chrome browser extension developers. Developers received fraudulent emails, purportedly from Google Chrome Web Store Developer Support, claiming the imminent removal of their extensions due to policy violations. Victims were directed to grant permissions to a malicious OAuth application, enabling attackers to upload modified extensions. Cyberhaven, a cybersecurity firm, was the first known victim on December 24, when its browser extension was compromised. Malicious code was added to communicate with a command-and-control (C&C) server hosted at cyberhavenext[.]pro, which enabled the theft of cookies, tokens, and user data. Further investigation revealed additional compromised extensions, including popular tools like “Reader Mode,” “Search Copilot AI Assistant,” and “VPNCity.”
READ THE STORY: THN
IBM’s $6.4 Billion HashiCorp Acquisition Under U.K. Antitrust Scrutiny
Bottom Line Up Front (BLUF): IBM’s planned $6.4 billion acquisition of HashiCorp is under review by the U.K.’s Competition and Markets Authority (CMA) for potential impacts on competition in the cloud services market. The regulator has set an initial deadline for February 2025 to determine if the deal warrants a deeper investigation.
Analyst Comments: This scrutiny highlights the growing regulatory focus on consolidation in the cloud sector, where dominant players increasingly shape the competitive landscape. If the CMA raises concerns, IBM may face delays or restrictions on the merger, potentially impacting its strategy to expand its cloud and AI offerings. The outcome of this review will also set a precedent for how major acquisitions in the tech space are assessed amidst intensifying antitrust enforcement globally.
FROM THE MEDIA: The U.K.’s Competition and Markets Authority announced an initial review of IBM’s acquisition of HashiCorp, a $6.4 billion deal initially agreed upon in April 2024. Interested parties have until January 16 to submit feedback, with the CMA expected to decide by February 25 whether to approve the transaction or move to a more comprehensive investigation. IBM has positioned the acquisition as a strategic move to bolster its cloud and AI capabilities, gaining access to HashiCorp’s suite of cloud infrastructure tools and its 4,400-strong client base. The deal involves IBM paying the San Francisco-based firm $35 per share in cash. The U.S. Federal Trade Commission also requested additional information from IBM and HashiCorp earlier this year, signaling parallel stateside regulatory interest. These reviews come as competition regulators worldwide increase scrutiny of the cloud services market. The U.K. watchdog has announced plans to advance its broader investigation into cloud services early next year, reflecting growing concerns over market dominance by major technology firms.
READ THE STORY: WSJ
Telegram Blocks Russian State Media Channels Across Europe Amidst Escalating Censorship Debate
Bottom Line Up Front (BLUF): Channels belonging to major Russian state-owned media outlets have been blocked in several EU countries, including Poland, Belgium, and Italy, due to violations of local laws. Moscow has strongly criticized the move, accusing the EU of political censorship and threatening retaliatory measures.
Analyst Comments: Blocking state-backed channels underscores the challenges of balancing free expression with preventing propaganda. Moscow’s likely retaliation could deepen the digital information divide and fuel the propaganda war, heightening tensions between Russia and the West. The move raises broader questions about the power of social media platforms to influence political narratives and their responsibilities in regulating state-sponsored content.
FROM THE MEDIA: Access to Russian state-run media channels, including RIA Novosti, Izvestia, and Rossiya 1, has been restricted in multiple European countries. Users in these regions attempting to access the channels are informed that the content is unavailable due to local law violations. While neither European officials nor platform representatives have officially commented, Russian media confirmed the blocks and criticized them as politically motivated censorship. Moscow has condemned the restrictions, calling them a violation of journalistic rights and threatening to impose symmetrical retaliatory measures. Russian authorities view the blocks as part of a broader effort by the EU to undermine Kremlin-controlled media, which have previously been sanctioned for spreading propaganda.
READ THE STORY: The Record
Items of interest
Exploiting JWT Vulnerabilities: A Penetration Tester’s Guide
Bottom Line Up Front (BLUF): JSON Web Tokens (JWTs) are widely used for secure communication between services, but misconfigurations can expose them to vulnerabilities. Exploitation techniques such as algorithm confusion, key tampering, and replay attacks demonstrate the risks of weak JWT implementation. Tools like jwt_tool and Burp Suite extensions help identify these weaknesses during penetration testing.
Analyst Comments: JWT vulnerabilities highlight the consequences of insufficient cryptographic and implementation safeguards. Common issues, such as accepting the none algorithm or failing to verify key integrity, demonstrate systemic gaps in token security. These flaws are exacerbated in complex, multi-service environments like Single Sign-On (SSO). Exploiting JWTs often involves tampering with claims, headers, or signing algorithms, underscoring the importance of rigorous token validation and key management. Regular audits and hardened token policy adoption can prevent breaches compromising sensitive data and authentication processes.
FROM THE MEDIA: JWT misconfigurations often expose systems to critical vulnerabilities. For instance:
Algorithm Confusion: Changing the algorithm from RS256 (asymmetric) to HS256 (symmetric) allows attackers to use the server’s public key as a symmetric secret for token signing. This issue can lead to complete authentication bypasses if not mitigated.
None Algorithm Exploit: Setting the alg field to none in the JWT header allows attackers to skip signature verification entirely. This flaw persists in outdated implementations despite being addressed in modern libraries.
JWKS Spoofing and Path Traversal: Modifying the jku or kid headers to reference attacker-controlled URLs or paths can result in remote key injection or directory traversal. Such exploits often enable server-side request forgery (SSRF) or unauthorized file access.
Replay Attacks in Multi-Service Systems: Cross-service token replay occurs when tokens generated for one client are accepted by another, often due to inadequate audience validation. This can compromise accounts across interconnected applications.
Tools like jwt_tool simplify exploitation by automating vulnerability discovery and payload crafting. Burp Suite extensions, such as JSON Web Tokens and SignSaboteur, provide integrated options for modifying JWTs during testing. Regular validation of cryptographic algorithms, token claims, and expiry policies is essential to mitigate these risks.
READ THE STORY: HackTricks
{JWT}.{Misuse}. & Abuse (Video)
FROM THE MEDIA: JWTs are an incredibly flexible tool that makes life easier for developers because they are standardized, widely supported, and include essential security features by default. However, like any powerful tool, JWTs can be dangerous when used incorrectly, or for unintended purposes. In this talk, I aim to shine a light on common JWT misuse and abuse. I'll start by briefly describing JWTs and everyday use cases for them. I'll then present real-world scenarios of misuse and abuse from applications that I've tested as a consultant and written as an engineer.
Operation Clairvoyance: How APT Groups Spy on the Media Industry (Video)
FROM THE MEDIA: Cyber espionage actors have demonstrated great interest in the media industry. These actors seem to like to see Taiwan's daily activities through the "eyes" of these media companies and journalists. During Taiwan's intense 2022, we saw more and more Advanced Persistent Threat (APT) groups infiltrate Taiwan's media industry. In our observation, the media has become the first non-government target of those APT groups.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.