Tuesday, Jan 07, 2025 // (IG): BB // GITHUB // SGM Jarrell
Yellen Warns China of Severe Repercussions Over Potential Support to Russia in Ukraine War
Bottom Line Up Front (BLUF): U.S. Treasury Secretary Janet Yellen warned China of "significant consequences" if it provides material support to Russia in its war against Ukraine. The warning came during a virtual meeting with Chinese Vice Premier He Lifeng, where Yellen also raised concerns about China's alleged cyber activities and non-market practices that harm U.S. businesses.
Analyst Comments: Yellen’s direct message signals the U.S.'s firm stance on limiting Chinese support for Russia, aiming to prevent economic or logistical reinforcement amid the ongoing conflict in Ukraine. This aligns with U.S. sanctions strategies designed to weaken Russia’s war effort by targeting foreign entities that could bypass restrictions. The inclusion of grievances regarding cyber intrusions and economic practices in the meeting indicates that the U.S. seeks a broader strategy to address multiple areas of contention with China. Given China’s careful diplomatic balancing, the U.S.'s approach underscores the potential for further geopolitical strain if China shifts closer to Russia in military support or through indirect economic assistance.
FROM THE MEDIA: During a virtual meeting with Chinese Vice Premier He Lifeng, U.S. Treasury Secretary Janet Yellen emphasized the "significant consequences" that Chinese companies could face if they provide material support to Russia in its war against Ukraine. This statement, issued by the U.S. Treasury Department, reflects the U.S.'s intent to deter any actions that might bolster Russia's military or economic capabilities. In addition to concerns about Russian support, Yellen expressed discontent over cyber activities allegedly linked to Chinese state-sponsored actors, highlighting their detrimental impact on U.S.-China relations. She also addressed concerns regarding China's economic practices, which the U.S. perceives as unfair and harmful to American businesses. Yellen’s warning reflects the Biden administration’s broader foreign policy goals to isolate Russia while reinforcing economic pressure on entities that could aid its war efforts. The meeting’s outcome signals potential diplomatic friction if China maintains or intensifies its ties with Russia amid heightened U.S. scrutiny and sanctions.
READ THE STORY: Eastern Herald
EAGERBEE Malware Variant Targets ISPs and Governments with Enhanced Backdoor Capabilities
Bottom Line Up Front (BLUF): The latest variant of the EAGERBEE malware framework, attributed to the threat group CoughingDown, has been observed targeting ISPs and government entities in the Middle East and East Asia. The malware's enhanced backdoor capabilities enable remote access, process management, and stealthy in-memory operations, leveraging vulnerabilities such as ProxyLogon (CVE-2021-26855) for deployment.
Analyst Comments: The evolution of EAGERBEE highlights the increasing sophistication of cyber espionage frameworks used by state-sponsored actors. The framework’s modular, memory-resident architecture enables stealthy post-exploitation activities, evading traditional detection mechanisms. Notably, the group's use of unpatched vulnerabilities in widely deployed systems such as Exchange servers underscores the ongoing need for timely patch management and network segmentation. Connections to broader Chinese-aligned campaigns, such as Crimson Palace and QSC, suggest that EAGERBEE's operators are part of a coordinated effort aimed at high-value intelligence collection, including military and political data. This incident illustrates a broader trend where advanced persistent threat (APT) groups refine their tools for both espionage and strategic pre-positioning.
FROM THE MEDIA: The EAGERBEE malware, first documented by Elastic Security Labs and linked to REF5961, has evolved with new components that enhance its remote access and system control capabilities. The latest attacks, attributed to CoughingDown, demonstrate the use of sophisticated plugins for file manipulation, process exploration, network connection listing, and service management. According to Kaspersky, the malware’s architecture allows the attackers to load and unload plugins in real-time, depending on their objectives. The EAGERBEE backdoor operates entirely in memory, a tactic that boosts its stealth capabilities and evades endpoint detection. The malware was observed being deployed using the ProxyLogon vulnerability to install web shells, which then executed command instructions, activating the backdoor. Once deployed, the malware exfiltrates system information, such as NetBIOS domain names, memory usage, and locale settings, to a remote server.
READ THE STORY: THN // PoC: CVE-2021-26855
US Sanctions on Chinese Cyber Firm Spark Diplomatic Clash
Bottom Line Up Front (BLUF): The U.S. sanctioned Chinese cybersecurity firm Integrity Technology Group for allegedly orchestrating a botnet attack targeting critical infrastructure worldwide. The Chinese government condemned the move, accusing the U.S. of weaponizing cybersecurity claims and vowed to defend its national interests.
Analyst Comments: The sanctions reflect a growing U.S. effort to disrupt cyber operations linked to Chinese state-backed actors. Accusations against Integrity Technology Group for its involvement in the "Flax Typhoon" botnet highlight concerns over vulnerabilities in global networks and the potential impact on critical infrastructure. Beijing’s sharp response may foreshadow further tensions in cyberspace, where attribution disputes and accusations are intensifying. U.S. actions also raise questions about how China might retaliate, especially given past instances of reciprocal cyber measures. The incident underscores the need for stronger international frameworks to address cyber conflict without escalating geopolitical strife.
FROM THE MEDIA: China has condemned the recent U.S. sanctions against Integrity Technology Group, alleging that Washington is "vilifying" Beijing under the guise of cybersecurity concerns. The U.S. State Department linked the firm to a botnet campaign known as “Flax Typhoon,” which allegedly compromised government, telecom, and academic networks worldwide. The FBI and National Security Agency reported that the botnet included over 260,000 compromised devices across six continents. The Justice Department had previously taken steps in September to dismantle parts of the network. Despite China's claims of opposition to hacking, U.S. officials argue that the scale and complexity of the attack suggest state-backed involvement. The Chinese Embassy described the accusations as "groundless" and accused the U.S. of hypocrisy, labeling it the “master of cyberattacks.”
READ THE STORY: The Hill
Chinese Botnet Campaign Breaches U.S. Telecom Giants, Sparks Urgent Security Calls
Bottom Line Up Front (BLUF): The Salt Typhoon cyber espionage campaign, linked to Chinese state-backed hackers, has reportedly breached additional U.S. telecom firms, including Charter Communications, Consolidated Communications, and Windstream. The expanding list of affected companies highlights the vulnerabilities within U.S. critical communication networks and has prompted federal agencies to issue urgent advisories on system hardening and encryption.
Analyst Comments: The continuous expansion of the Salt Typhoon attack underscores China’s persistent focus on communications infrastructure, a strategic asset in cyber conflict scenarios. The compromise of major U.S. telecom firms, including AT&T, Verizon, and potentially others, raises the risk of China gaining surveillance and data manipulation capabilities across key networks. The exploitation of vulnerabilities in Cisco and Fortinet devices to gain privileged access suggests that outdated network defenses remain a critical issue for telecom providers. China’s shift from traditional espionage to more preemptive network positioning could indicate preparations for potential disruptive operations. This wave of breaches has also intensified calls for regulatory oversight and urgent defensive measures within the U.S. telecom sector.
FROM THE MEDIA: Chinese state-sponsored group Salt Typhoon has reportedly breached several additional U.S. telecom firms, adding Charter Communications, Consolidated Communications, and Windstream to an already significant list of affected companies. This follows confirmed breaches of AT&T, Verizon, and Lumen Technologies. The Wall Street Journal report claims that attackers exploited unpatched vulnerabilities in Cisco and Fortinet network devices to gain unauthorized access. In at least one case, attackers used a high-level network management account without multi-factor authentication to access over 100,000 routers, potentially enabling data exfiltration and traffic redirection to China. The White House confirmed that nine U.S. telecom firms have been targeted, but details on specific victims remain ambiguous. In response to the breaches, CISA has advised government officials to use end-to-end encrypted messaging apps like Signal to mitigate interception risks. Additionally, federal agencies have reiterated the importance of patching vulnerabilities and enforcing strict access controls to prevent unauthorized entry.
READ THE STORY: TechRadar // DR
CISA Affirms Limited Federal Impact Amid Treasury Cyberattack Investigation
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed no broader federal impact from the Treasury Department cyberattack linked to Chinese state-sponsored threat actors. The attack leveraged a compromised API key from BeyondTrust's Remote Support SaaS system to infiltrate unclassified systems. In parallel, Chinese cyber aggression against Taiwan and Southeast Asia has escalated, targeting critical sectors through advanced tactics.
Analyst Comments: CISA's assurance of containment within the Treasury Department indicates effective incident management but also underscores systemic vulnerabilities in third-party SaaS solutions. The attack demonstrates China's strategic focus on U.S. critical infrastructure, employing living-off-the-land (LotL) techniques and leveraging supply chain weaknesses. Simultaneously, reports of Chinese cyber campaigns in Taiwan and the Philippines reveal a broader geopolitical cyber strategy aimed at gathering intelligence, destabilizing governments, and positioning for potential conflict escalation.
FROM THE MEDIA: The U.S. Treasury Department was breached in a December 2024 incident attributed to Chinese hackers exploiting BeyondTrust’s Remote Support SaaS. The adversary leveraged an API key to gain access to unclassified systems, prompting swift containment measures by CISA, which confirmed no impact on other federal agencies. BeyondTrust stated that no new customers were affected beyond initial reports. Concurrently, Chinese state-aligned APT groups intensified their activities in Asia. APT41 reportedly penetrated the executive branch of the Philippine government, extracting sensitive data related to South China Sea disputes. Taiwan’s National Security Bureau reported 906 cyber incidents in 2024, a 21% increase from 2023. The tactics included DDoS attacks, ransomware, and deepfake-driven disinformation targeting government and private sectors. Taiwanese cybersecurity officials highlighted coordinated campaigns to erode public confidence, with cyberattacks coinciding with PLA military drills.
READ THE STORY: THN
Security Concerns Surrounding CATL’s U.S. Operations
Bottom Line Up Front (BLUF): CATL, the global leader in lithium-ion battery manufacturing, is closely linked to China’s geopolitical ambitions. Concerns include data security, critical infrastructure vulnerabilities, and supply chain risks due to CATL’s integration into U.S. battery and EV sectors.
Analyst Comments: CATL’s expansion into the U.S. raises red flags about data handling, grid security, and potential coercion. These concerns mirror past alarms about Huawei’s telecom dominance. If left unchecked, CATL’s access to sensitive systems could grant China undue leverage, with implications beyond the automotive industry. A strategic policy response is critical to mitigate these risks and protect national security interests.
FROM THE MEDIA: In recent years, CATL’s partnerships with U.S. companies like Dominion Energy and Primergy have led to increased integration into the U.S. electrical grid. Despite bipartisan concerns, the company’s projects remain largely unchecked by federal oversight. Critics warn that Chinese laws require CATL to share data with the Chinese government, raising fears that data collected from U.S. charging stations and battery management systems could be accessed for espionage purposes. Similar to Huawei’s influence in 5G networks, CATL could shape industry standards and slow U.S. innovation. The broader concern is supply chain manipulation, as seen during the COVID-19 pandemic when China withheld critical medical supplies. CATL’s dominance in battery production could similarly affect U.S. electric vehicle and energy sectors if tensions escalate.
READ THE STORY: FDD
NOTE:
The integration of Chinese-manufactured power systems into U.S. critical infrastructure raises legitimate concerns about national security. One reason is that Chinese laws, such as the National Intelligence Law, require companies to cooperate with government requests for information or assistance. This has led to fears that sensitive operational data from power systems could potentially be accessed by Beijing. In a worst-case scenario, such as a geopolitical conflict, these systems could theoretically be exploited to disrupt critical services like electricity grids or communications networks.
Recent events have reinforced these concerns. The "Volt Typhoon" cyber operation—believed to be a Chinese state-sponsored campaign—showed how adversaries could infiltrate critical networks and lie in wait, potentially using this access to hamper U.S. military mobilization during a crisis. While experts note that not all Chinese-manufactured components are an immediate risk, the possibility of cyber espionage and infrastructure sabotage remains a significant consideration in supply chain security discussions.
Intel’s Struggles in the Chip Market Reflect Broader Industry Shifts
Bottom Line Up Front (BLUF): Intel is facing unprecedented challenges as it loses market share in critical areas like data centers, AI chips, and mobile processors. With key competitors such as AMD, ARM, Nvidia, and even tech giants like Amazon and Microsoft developing custom chips, Intel’s dominance in the CPU market is slipping. Structural issues, leadership changes, and market shifts toward energy-efficient custom silicon contribute to Intel's declining position.
Analyst Comments: The erosion of Intel's data center dominance due to ARM-based custom chips indicates a paradigm shift in cloud computing and AI hardware. Competitors like AMD’s emphasis on performance efficiency have reshaped customer priorities, leaving Intel struggling to catch up. The removal of CEO Pat Gelsinger underscores the urgency for Intel to rethink its strategy. Future pivots may include spinning off manufacturing operations to better compete with fab-centric firms like TSMC or repositioning as a key player in custom silicon.
FROM THE MEDIA: Despite retaining 75% of the x86 CPU market for data centers, Intel's revenue in this sector has been eclipsed by AMD, signaling a troubling reversal. Amazon, Microsoft, and Google have transitioned to ARM-based custom designs for over half of their data center CPUs, citing improved efficiency and customization. Intel reported a $16 billion quarterly loss due to costly efforts to transform into a contract manufacturer and compete with TSMC’s cutting-edge fabs. The removal of CEO Pat Gelsinger in December underscores the company’s turmoil as interim leadership aims to stabilize operations. Meanwhile, Intel maintains a 76% share in the desktop and notebook CPU market, but its diminishing role in the AI and data center space threatens future profitability.
READ THE STORY: WSJ
Russia Blames Telecom Network Failure for Widespread Internet Outage
Bottom Line Up Front (BLUF): A significant internet outage disrupted access to major online platforms across Russia, affecting services from Google to local banking systems. Russia’s internet regulator, Roskomnadzor, attributed the issue to a network failure within a telecom provider.
Analyst Comments: This incident underscores the fragility of Russia’s internet infrastructure and raises questions about the country’s reliance on a central regulatory framework. Some speculate that the outage could be part of ongoing tests of Russia's "sovereign internet" capabilities. These tests aim to isolate the nation’s digital ecosystem but may inadvertently cause service disruptions. The timing of this outage, alongside recent geopolitical tensions, could indicate a more significant attempt to assert control over digital communications. If these network failures become frequent, it may erode public trust in domestic service providers and increase interest in using VPNs and alternative technologies to maintain online access. The incident also highlights the potential risks to international companies operating in Russia, especially as local restrictions on foreign digital services tighten.
FROM THE MEDIA: Roskomnadzor announced that the internet disruptions affecting services such as Google, VKontakte, and banking platforms had been resolved. Downdetector data indicated a spike in reports, with disruptions concentrated in Moscow and linked primarily to Russia’s largest mobile operator, MTS. However, MTS declined to comment on the incident. The outage impacted both mobile and cable internet, as well as television services. While Roskomnadzor refrained from identifying the telecom provider involved, the widespread nature of the incident fueled concerns that it may have been linked to ongoing efforts to test Russia's sovereign internet infrastructure. In December 2024, a similar disruption occurred when authorities attempted to disconnect certain regions from the global network as part of a resilience test. Users were temporarily unable to access popular apps like Google, Telegram, and Yandex, reflecting the broader digital crackdown to enforce Russia’s tech regulations.
READ THE STORY: The Record
New Orleans Attacker Used Meta Smart Glasses to Plan New Year’s Day Massacre
Bottom Line Up Front (BLUF): Shamsud-Din Jabbar, a US Army veteran, used Meta’s camera-equipped smart glasses for reconnaissance before a deadly attack in New Orleans on New Year’s Day. Though he wore the glasses during the attack, he did not livestream the event, according to the FBI.
Analyst Comments: This incident demonstrates the dual-use nature of wearable technology like smart glasses, which can enable both convenience and misuse. The growing adoption of augmented reality (AR) wearables raises concerns about privacy and security, particularly when these devices are used for surveillance. The ease of integrating AI-driven facial recognition with wearable tech could exacerbate the risk of "weaponized" surveillance. Organizations developing wearable technologies must prioritize privacy safeguards and partner with regulators to mitigate misuse.
FROM THE MEDIA: The FBI revealed that Jabbar used Meta’s smart glasses for surveillance as he biked around the French Quarter in New Orleans before the January 1 attack. The glasses, capable of capturing video hands-free, were used during at least two trips to New Orleans, with one trip in late October 2024 involving a two-day reconnaissance effort. During a press conference, the FBI played a video recorded during Jabbar’s October trip, showing his use of the glasses to document his surroundings. Despite wearing the glasses on the day of the attack, officials confirmed that Jabbar did not stream his actions live. Meta, the manufacturer of the glasses, has yet to comment. This incident highlights concerns raised in October 2024 by researchers who demonstrated how Meta’s glasses could be used for instant doxxing by pairing them with AI tools. The researchers warned that minimal coding experience is needed to create automation scripts that can generate profiles of individuals captured on camera. The event underscores ongoing privacy debates surrounding AR wearables, as incidents like these call for more robust safety measures and oversight from tech companies.
READ THE STORY: The Register
Moxa Warns of Critical Security Flaws in Cellular and Secure Routers
Bottom Line Up Front (BLUF): Moxa has issued alerts regarding two critical vulnerabilities affecting its cellular routers, secure routers, and network security appliances. These flaws could allow attackers to escalate privileges or execute unauthorized commands. Patches are available for several impacted models, though some products require direct contact with Moxa technical support for mitigation.
Analyst Comments: The identified vulnerabilities pose a significant risk to organizations utilizing Moxa’s network devices, especially if these devices are accessible via the internet. The CVE-2024-9138 vulnerability, involving hard-coded credentials, enables privilege escalation, potentially allowing attackers to gain root-level control over affected devices. Meanwhile, CVE-2024-9140 permits command injection through improper input handling, allowing unauthorized actions. The lack of available patches for some devices, such as the NAT-102 series, increases the urgency for organizations to apply compensating controls like network isolation and access restrictions. Given the widespread usage of Moxa products in critical infrastructure sectors, unpatched systems could be exploited for espionage, service disruption, or data theft. This highlights the importance of adhering to strict device-hardening measures and maintaining robust patch management protocols.
FROM THE MEDIA: Moxa has issued a security advisory regarding two critical vulnerabilities affecting its cellular routers, secure routers, and network appliances. The first vulnerability, CVE-2024-9138 (CVSS 8.6), involves hard-coded credentials that can enable an authenticated attacker to gain root-level access, potentially resulting in system compromise, unauthorized modifications, or service disruption. The second vulnerability, CVE-2024-9140 (CVSS 9.3), allows attackers to bypass input restrictions using special characters, enabling unauthorized command execution. Security researcher Lars Haulin identified the flaws, which affect popular Moxa products, including the EDR-810, EDR-8010, NAT-102, OnCell G4302-LTE4, and TN-4900 series. Firmware patches are available for many affected devices, such as version 3.14 for several product lines. However, some devices, including the NAT-102 and TN-4900 series, require direct support from Moxa for resolution.
READ THE STORY: THN
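Both Moxa flaws come down to how firmware handles operator input, and the advisory's phrase "bypass input restrictions using special characters" describes a well-known failure of denylist filtering. The Python below is an added illustration written for this digest, not Moxa code and not a reproduction of CVE-2024-9140's actual trigger; the diagnostic ping handler and host values are assumptions. It contrasts a handler that strips a few shell metacharacters and then builds a shell string with one that allowlists the parameter's format and passes it as an argument vector, so no shell ever parses it.

```python
"""Constructed example: denylist filtering versus allowlist validation for a
device diagnostic parameter. Not Moxa firmware code; the 'ping' handler and
sample hosts are assumptions made for illustration."""
import re

# Weak pattern: strip a handful of shell metacharacters, then interpolate the
# remainder into a command line that /bin/sh will parse.
DENYLIST = frozenset(";|&`")


def denylist_filter(value: str) -> str:
    """Remove only the listed characters; everything else passes through unchanged."""
    return "".join(ch for ch in value if ch not in DENYLIST)


def ping_command_weak(host: str) -> list:
    """Command line the weak handler would hand to a shell (built, never executed here).
    Characters the denylist never considered still reach the shell intact, which is
    the 'special characters' failure mode the advisory describes."""
    return ["/bin/sh", "-c", "ping -c 1 " + denylist_filter(host)]


def weak_filter_leaks_metachars(value: str) -> bool:
    """True when the denylist leaves shell-significant characters in the value."""
    leftover = denylist_filter(value)
    return any(ch in leftover for ch in "$()\n<>")


# Hardened pattern: allowlist the parameter's format and never invoke a shell.
# A hostname or dotted IPv4 literal needs only letters, digits, dots and hyphens,
# with no label starting or ending in a hyphen (RFC 1123 label shape).
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^" + _LABEL + r"(\." + _LABEL + r")*$")


def validate_host(value: str) -> str:
    """Accept only a well-formed hostname or IPv4 literal; reject everything else."""
    if len(value) > 253 or not HOST_RE.match(value):
        raise ValueError("host parameter rejected: not a hostname or IPv4 literal")
    return value


def ping_command_hardened(host: str) -> list:
    """Argument vector for subprocess.run(argv) with shell=False: each element is a
    separate argv entry, so nothing in 'host' can be interpreted as shell syntax."""
    return ["ping", "-c", "1", validate_host(host)]


def hardened_accepts(value: str) -> bool:
    """Does the allowlist validator accept this value?"""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False
```

Run with `subprocess.run(ping_command_hardened(host), shell=False)` on a device-side handler; the weak variant is kept only to show what the denylist fails to remove.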
Items of interest
FireScam Malware Disguised as Telegram Premium App Targets Android Users
Bottom Line Up Front (BLUF): A newly discovered Android malware, FireScam, disguises itself as a Telegram Premium app to monitor users' notifications, text messages, and app activity. Distributed via a phishing site mimicking Russia’s RuStore, it leverages Firebase services for data exfiltration, making detection challenging.
Analyst Comments: The FireScam malware highlights the growing sophistication of phishing campaigns targeting Android devices. By exploiting trusted platforms like Firebase for command-and-control (C2) communication, attackers can blend in with legitimate app activity. This approach makes traditional network monitoring less effective. Security teams should focus on behavioral analysis to detect unusual app behavior and employ zero-trust principles for mobile access. The use of GitHub-hosted phishing sites underscores the need for stricter app repository monitoring.
FROM THE MEDIA: Cyfirma researchers identified FireScam being distributed through a GitHub.io-hosted phishing website imitating the Russian app store RuStore. The site drops a malicious installer named ru[.]store[.]installer, which installs as GetAppsRu[.]apk. After installation, the malware requests extensive permissions to access installed apps, modify storage, and manage app updates. By designating itself as the "update owner," FireScam prevents legitimate app updates and maintains persistence. The malware intercepts sensitive data, such as text messages, app notifications, clipboard content, and USSD responses, which may include bank account balances and transaction details. This data is exfiltrated to a Firebase Realtime Database, filtered for valuable information, and later removed to avoid detection. The malware also registers for Firebase Cloud Messaging (FCM) notifications, enabling attackers to issue remote commands, download additional payloads, and execute actions without user interaction. Cyfirma noted that this technique enhances the malware's resilience by making its activity appear as legitimate app communications.
READ THE STORY: The Register
Infostealer Malware is WICKED (Video)
FROM THE MEDIA: Infostealer malware refers to a type of malicious software specifically designed to steal sensitive information from infected systems. This type of malware typically focuses on collecting data such as usernames, passwords, financial details, or other personally identifiable information (PII). The information is often transmitted back to the attacker for malicious use, such as identity theft, financial fraud, or espionage.
Dark Web Dumpster Diving (Hunting Infostealer Malware) (Video)
FROM THE MEDIA: Hunting for Infostealer Malware involves a proactive approach to identifying, analyzing, and mitigating infections related to infostealer threats in your network or on specific devices. Given the nature of infostealer malware, which often targets sensitive data like passwords, banking information, and corporate credentials, it’s crucial to employ several techniques and tools to detect its presence and reduce the risk of further compromise.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.