Chinese hackers infiltrate US wiretaps

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report


Chinese Hackers Breach US Telecom Systems

As we reported last week, a major story in the Wall Street Journal (WSJ) claimed that Chinese hackers gained access to telecom systems the US federal government uses for wiretapping. These companies included AT&T, Verizon, and Lumen Technologies—all of which were called in front of a bipartisan group of US lawmakers on Friday to answer questions.

The group includes House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), Representative Frank Pallone (D-NJ), Representative Bob Latta (R-OH), and Representative Doris Matsui (D-CA).

In a statement on the hearing, the lawmakers said, “We are concerned by the recent reports of a massive breach of AT&T, Verizon, and Lumen’s communications networks by Chinese hackers. These types of breaches are increasing in frequency and severity, and there is a growing concern regarding the cybersecurity vulnerabilities embedded in U.S. telecommunications networks. The Committee needs to understand better how this incident occurred and what steps your company is taking to prevent future service disruptions and secure your customers’ data.”

If it is confirmed that China was able to access material the federal government was collecting under wiretap orders, this would stand as one of the larger hacks in recent memory. In particular, it could have exposed widespread US surveillance of Chinese targets, a possibility not lost on national security personnel. The access may have lasted months, though the exact timing is not yet known.

Why do we think it could be bad? The WSJ claims its national security sources have called the breach “potentially catastrophic.” A provocative phrase.

For its part, the Chinese government said it has no knowledge of the operation the WSJ described, but warned that the US had “concocted a false narrative” about Chinese hacking in the past. A spokesman for the Chinese Embassy went so far as to say, “The US intelligence community and cyber security companies have been secretly collaborating to piece together false evidence and spread disinformation about so-called Chinese government’s support for cyberattacks against the United States… In fact, China is one of the main victims of cyberattacks.”

China's National Computer Virus Emergency Response Center (CVERC) has released a steady stream of reports claiming that this and related hacks are made up to cover US espionage. A recent report by CVERC says, “There’s ironclad evidence that they blame other countries through the misleading traceability attribution analysis of the stealth toolkit to carry out False Flag operations and cover up their own malicious cyberattacks.”

Volt Typhoon, a precursor to the group the WSJ reported on, has been accused by the FBI’s director of preparing to undo the US military’s ability to mobilize, going much further than gathering tidbits of information here and there. Or, as Mandiant chief analyst John Hultquist has told reporters, “This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down.”

The CCP-linked threat actor’s latest incarnation, tracked as Salt Typhoon, likely gained access to the US telecom giants through compromised Cisco routers.

Whatever the investigation uncovers, this will likely continue to be a major cybersecurity story throughout the end of the year. We’ll keep you updated right here each Thursday.

Wayback Machine is Back Online

The digital library Internet Archive is back online in read-only mode, and the Wayback Machine is up and running. This comes after the 900-billion-page web archive was down for multiple days because hackers hit the organization with DDoS attacks.

Why hack the Internet Archive? The threat actor(s), operating under the moniker SN_Blackmeta, publicly claimed that “they are under attack because the archive belongs to the USA…” and that it supports the “genocide that is being carried out by the terrorist state of Israel.”

The Internet Archive, a non-profit organization, is not affiliated with the US government. In fact, it has been fending off lawsuits from major companies throughout its lifespan, leading to a counter-theory that the hacktivist framing of the event is cover for a corporate attack. The Internet Archive’s list of recent adversaries that would fit this description is impressive. In 2020, the Internet Archive was sued by Hachette Book Group, Penguin Random House, HarperCollins and Wiley over its digital lending practices. Then in 2023, Universal Music Group, Sony Music, and Concord sued the organization for $621 million for copyright infringement.

Whoever attacked the Internet Archive, and for whatever reason, they did it with DDoS traffic from a Mirai botnet, malware that self-propagates across Linux devices. Researchers have traced one of the participating devices to a home entertainment and IoT product.

It’s a bizarre chapter in hacking history. More details will no doubt continue to emerge.

OilRig Ramps Up Gulf Cyberattacks

The Iran-linked cyberespionage group OilRig, also known as APT34, has ramped up cyberattacks targeting government entities in the Gulf, particularly in the UAE, according to new research by Trend Micro.

Active since 2014, OilRig is aligned with Iranian interests and focuses on critical infrastructure, deploying sophisticated new tools in its attacks. Recent operations involve exploiting Microsoft Exchange servers, using a newly observed backdoor to steal credentials.

The group leverages tools like Ngrok for tunneling traffic and CVE-2024-30088 to escalate privileges. They also abuse a password filter policy to capture clear-text passwords, sending stolen credentials via compromised government email servers. OilRig has been observed using this access for potential supply chain attacks, with Trend Micro warning of further phishing attempts.


CISA Warns: SolarWinds Flaw Under Active Exploitation

CISA recently added a SolarWinds Web Help Desk (WHD) vulnerability, CVE-2024-28987, to its Known Exploited Vulnerabilities (KEV) catalog, citing its active exploitation in the wild.

This critical flaw (CVSS score of 9.1) involves hardcoded credentials, allowing remote, unauthenticated attackers to modify sensitive data within WHD. SolarWinds first addressed the flaw in August 2023 after issuing two hotfixes to resolve a related vulnerability, CVE-2024-28986, which also allowed remote code execution.

However, the initial hotfix caused functionality issues, leading to further patching efforts. Security engineer Zach Hanley highlighted that 830 WHD instances are exposed, primarily in the state, local, and education sectors.
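The flaw class behind CVE-2024-28987 is a credential baked into the product. The following is an added illustration, not SolarWinds code or any detail of the actual vulnerability: a generic before/after of the pattern in Python, plus a small source scanner that flags literal secret assignments of the kind the "before" contains. The configuration names HELPDESK_SVC_USER and HELPDESK_SVC_TOKEN and all sample values are assumptions.

```python
"""Hardcoded-credential flaw class shown as a generic before/after, with a
minimal scanner. Added illustration for this newsletter item; not SolarWinds
code. Variable names and sample values are constructed."""
import hmac
import re

# BEFORE (generic illustration of the flaw class): an administrative account lives
# in the source, so every installation shares it and anyone with the binary or the
# documentation can read it. Kept as a string so the scanner below can analyse it.
INSECURE_SOURCE = '''
SERVICE_USER = "svc-helpdesk"
SERVICE_TOKEN = "PLACEHOLDER-not-a-real-secret-0000"   # constructed value

def authenticate(user, token):
    return user == SERVICE_USER and token == SERVICE_TOKEN
'''


# AFTER: the secret is supplied per deployment (environment or secret store),
# missing configuration is a hard failure rather than a silent default, and the
# comparison is constant-time so the check does not leak through timing.
class HardenedAuth:
    def __init__(self, config):
        user = config.get("HELPDESK_SVC_USER")    # assumed setting names
        token = config.get("HELPDESK_SVC_TOKEN")
        if not user or not token:
            raise RuntimeError("service credential not configured; refusing to start")
        self._user = user.encode()
        self._token = token.encode()

    def authenticate(self, user, token):
        # Evaluate both comparisons; no early exit on a wrong user name.
        ok_user = hmac.compare_digest(user.encode(), self._user)
        ok_token = hmac.compare_digest(token.encode(), self._token)
        return ok_user and ok_token


# Scanner: a string literal of 8+ characters assigned to a secret-looking name.
# Deliberately simple; real tooling adds entropy checks and allow-lists.
SECRET_ASSIGNMENT = re.compile(
    r'^\s*(?P<name>\w*(?:password|passwd|secret|token|api_key)\w*)\s*=\s*'
    r'["\'](?P<value>[^"\']{8,})["\']',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source):
    """Return (line_number, variable_name) for each literal secret assignment."""
    hits = []
    for m in SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("name")))
    return hits


if __name__ == "__main__":
    print("scanner findings:", find_hardcoded_secrets(INSECURE_SOURCE))
    auth = HardenedAuth({"HELPDESK_SVC_USER": "svc-helpdesk",
                         "HELPDESK_SVC_TOKEN": "constructed-test-token"})
    print("good login:", auth.authenticate("svc-helpdesk", "constructed-test-token"))
    print("bad login:", auth.authenticate("svc-helpdesk", "wrong"))
```

The hardened class refuses to start without a configured credential on purpose: a fallback default would recreate the original flaw under a different name.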

CISA's October warning urges federal agencies to patch the flaw by November 5 under Binding Operational Directive 22-01. The agency also flagged a Firefox zero-day (CVE-2024-9680) and a Windows kernel bug (CVE-2024-30088) exploited by Iranian cyberespionage groups.

All organizations are advised to prioritize patching these vulnerabilities.
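Prioritizing against the KEV catalog is easier when the catalog is matched to what you actually run. The script below is an added example, not CISA or newsletter code: it parses an excerpt in the shape of CISA's published KEV JSON (the "vulnerabilities" array with cveID, vendorProject, product, dateAdded and dueDate fields), filters it to a product inventory, and reports which BOD 22-01 due dates have passed. The three CVE ids and the November 5 due date for CVE-2024-28987 come from the article; the other dates and the inventory are constructed.

```python
"""Triage a CISA KEV catalog excerpt against a product inventory.
Added example; the catalog excerpt is constructed in the KEV JSON shape and
only the CVE ids and the 2024-11-05 due date come from the newsletter item."""
import json
from datetime import date

# Constructed excerpt. Dates marked "constructed" are not the real catalog values.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-28987", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "vulnerabilityName": "SolarWinds Web Help Desk Hardcoded Credential Vulnerability",
     "dateAdded": "2024-10-15", "dueDate": "2024-11-05",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-9680", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Vulnerability (constructed name)",
     "dateAdded": "2024-10-09", "dueDate": "2024-10-30",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-30088", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Kernel Privilege Escalation Vulnerability",
     "dateAdded": "2024-10-15", "dueDate": "2024-11-05",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(text):
    """Return the list of vulnerability records from KEV-shaped JSON."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, inventory, today):
    """Match KEV entries to an inventory of {vendor: {product, ...}} and annotate
    each hit with its remediation deadline status. today may be a date or an
    ISO-8601 string. Matching is case-insensitive on vendor and product."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    inv = {v.lower(): {p.lower() for p in ps} for v, ps in inventory.items()}
    rows = []
    for e in entries:
        vendor = e["vendorProject"].lower()
        if e["product"].lower() not in inv.get(vendor, set()):
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": due.isoformat(),
            "daysLeft": (due - today).days,     # negative once the deadline has passed
            "overdue": today > due,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: r["dueDate"])     # earliest deadline first
    return rows


if __name__ == "__main__":
    # Constructed inventory: this organisation runs WHD and Firefox, not Windows.
    inventory = {"SolarWinds": {"Web Help Desk"}, "Mozilla": {"Firefox"}}
    for row in triage(load_kev(KEV_JSON), inventory, "2024-11-01"):
        flag = "OVERDUE" if row["overdue"] else f'{row["daysLeft"]} days left'
        print(f'{row["cveID"]:16} {row["product"]:26} due {row["dueDate"]}  {flag}')
```

Feeding the real catalog file in place of KEV_JSON works unchanged, because only the "vulnerabilities" array and the field names above are used.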

Intel Faces Security Scrutiny in China

Intel is facing fresh scrutiny in China as the Cybersecurity Association of China (CSAC) urged a security review of the U.S. chipmaker’s products, alleging the company poses a risk to national security. Although CSAC isn’t a government entity, its close ties to the Chinese state suggest potential implications for Intel’s business in the region. The group’s claims, posted on WeChat, accuse Intel’s processors, including Xeon chips, of vulnerabilities and backdoors allegedly exploited by the U.S. National Security Agency.

This comes amid escalating tensions between the U.S. and China over chip-related restrictions, with China already barring U.S.-based Micron Technology's products last year. A similar move against Intel could have significant financial fallout, as the company generated over a quarter of its revenue from China in 2023. Intel has not yet responded to the allegations, but the situation could further strain U.S.-China tech relations.

Sudanese Brothers Charged for DDoS Attacks

The U.S. Department of Justice has charged two Sudanese brothers, Ahmed and Alaa Omer, with orchestrating a widespread wave of Distributed Denial-of-Service (DDoS) attacks under the guise of the hacktivist group Anonymous Sudan. The attacks, which targeted critical infrastructure, included hospitals in multiple countries, Israel's missile alert system, and digital services, causing significant disruptions. The attacks were ideologically motivated, driven by an extremist nationalist agenda, but the capability was also offered as a for-profit cyberattack service.

U.S. prosecutors have leveled severe charges against the brothers, including attempts to cause physical harm and death, with one facing the possibility of life imprisonment. Anonymous Sudan’s operations came to a halt after law enforcement actions earlier this year, though the group had used novel DDoS techniques, leveraging virtual private servers with fraudulent credentials. The group’s involvement in targeting healthcare facilities and defense systems underscores the growing threat of hacktivism and its potential real-world impact.

Passkeys: The Future of Authentication

Passkeys, a secure and user-friendly alternative to passwords, have rapidly gained traction over the last two years. Spearheaded by the FIDO Alliance, passkeys aim to replace traditional passwords with a more secure and seamless solution. At this year's Authenticate Conference in Carlsbad, two major developments are pushing passkeys closer to mainstream adoption.

The first is the Credential Exchange Protocol (CXP), a new standard that allows users to securely transfer passkeys between different platforms, addressing concerns of vendor lock-in. The second is the launch of Passkey Central, a resource hub offering tools, guides, and metrics to help organizations implement passkeys more easily.

Both initiatives highlight the industry's growing collaboration to phase out passwords. FIDO Alliance CEO Andrew Shikiar notes, “We’re addressing key usability challenges and making it easier for companies to transition to passkeys, reducing the dependence on passwords for good.” These efforts mark a significant step forward for digital security.

Iranian Hackers Target Critical Infrastructure

Iranian cyber actors have spent the past year aggressively targeting critical infrastructure sectors using brute force and other sophisticated hacking techniques, according to a joint advisory from the U.S., Canada, and Australia. The advisory, released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, highlights cyberattacks against healthcare, government, IT, engineering, and energy organizations. Iranian hackers are suspected of attempting to steal credentials and sensitive information, potentially selling it to other cybercriminals for broader exploitation.

Tactics include "push bombing," in which the attacker floods a user with multi-factor authentication prompts until one is approved by mistake. Once inside, the attackers conduct reconnaissance on compromised networks and secure further access. The advisory urges organizations to monitor for repeated failed logins, suspicious MFA alerts, and logins from unfamiliar locations, and to strengthen their security controls. This warning comes on the heels of a Microsoft report identifying Iran as a key cyber threat actor alongside Russia and China.
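The three indicators the advisory names (repeated failed logins, suspicious MFA activity, unfamiliar locations) map directly onto simple correlation rules. The following is an added example, not from the advisory or this newsletter: a Python detector run over a constructed authentication log. The log format, the ten-minute window, the thresholds and the KNOWN_LOCATIONS baseline are all assumptions; a real deployment derives them from its own identity-provider events.

```python
"""Detection sketch for MFA push bombing and related sign-in anomalies.
Added example; log format, thresholds and the per-user location baseline are
constructed for illustration and are not from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
FAILED_LOGIN_THRESHOLD = 3       # password failures within WINDOW that raise an alert
PUSH_THRESHOLD = 3               # MFA prompts within WINDOW that raise an alert

# Constructed baseline: countries each user normally authenticates from.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}}

# Constructed sample log: (timestamp, user, event, outcome, source country).
# alice: three failed passwords, a success, four denied pushes and then one
# approval (the fatigue pattern); next day a sign-in from an unknown country.
# bob: one normal sign-in.
SAMPLE_EVENTS = [
    ("2024-10-15T08:00:01Z", "alice", "password_auth", "failure", "US"),
    ("2024-10-15T08:00:09Z", "alice", "password_auth", "failure", "US"),
    ("2024-10-15T08:00:15Z", "alice", "password_auth", "failure", "US"),
    ("2024-10-15T08:00:20Z", "alice", "password_auth", "success", "US"),
    ("2024-10-15T08:00:25Z", "alice", "mfa_push", "denied", "US"),
    ("2024-10-15T08:00:40Z", "alice", "mfa_push", "denied", "US"),
    ("2024-10-15T08:01:02Z", "alice", "mfa_push", "denied", "US"),
    ("2024-10-15T08:01:30Z", "alice", "mfa_push", "denied", "US"),
    ("2024-10-15T08:02:11Z", "alice", "mfa_push", "approved", "US"),
    ("2024-10-15T09:15:00Z", "bob", "password_auth", "success", "US"),
    ("2024-10-15T09:15:05Z", "bob", "mfa_push", "approved", "US"),
    ("2024-10-16T02:30:00Z", "alice", "password_auth", "success", "XX"),
    ("2024-10-16T02:30:08Z", "alice", "mfa_push", "approved", "XX"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_locations=KNOWN_LOCATIONS):
    """Return a sorted list of (rule, user) alerts, one per rule per user."""
    alerts = set()
    by_user = defaultdict(list)
    for ts, user, kind, outcome, country in events:
        by_user[user].append((parse_ts(ts), kind, outcome, country))

    for user, evs in by_user.items():
        evs.sort()
        fails = [t for t, k, o, _ in evs if k == "password_auth" and o == "failure"]
        pushes = [(t, o) for t, k, o, _ in evs if k == "mfa_push"]

        # Rule 1: repeated password failures inside the window.
        for i, t in enumerate(fails):
            if sum(1 for x in fails[:i + 1] if t - x <= WINDOW) >= FAILED_LOGIN_THRESHOLD:
                alerts.add(("repeated_failed_logins", user))

        # Rule 2: a burst of MFA prompts.  Rule 3: an approval that follows at
        # least two denials in the same window, the outcome push bombing aims for.
        for i, (t, outcome) in enumerate(pushes):
            recent = [p for p in pushes[:i + 1] if t - p[0] <= WINDOW]
            if len(recent) >= PUSH_THRESHOLD:
                alerts.add(("mfa_push_flood", user))
            denials = sum(1 for _, o in recent if o == "denied")
            if outcome == "approved" and denials >= 2:
                alerts.add(("mfa_fatigue_approval", user))

        # Rule 4: any successful step from a country outside the user's baseline.
        for _, _, outcome, country in evs:
            if outcome in ("success", "approved") and country not in known_locations.get(user, set()):
                alerts.add(("unfamiliar_location", user))

    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule:24} user={user}")
```

Rule 3 is the one worth paging on: a flood of denied prompts shows an attacker already holds the password, and the approval that ends the burst is the moment the account is lost, so the response is to revoke sessions and reset the credential rather than just to notify the user.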

Interesting Read

CISO Burnout: 93% Cite Stress

A new report from BlackFog lays out a grim reality: 24% of CISOs or IT security decision makers are actively looking to leave their position. Beyond that, 54% are open to leaving.

And for those looking to leave, 93% say it’s all because of stress. 

The research looks into why cybersecurity positions are so stressful and how companies can make their teams feel more supported. 

But when we look at the day-to-day life in these positions, it’s easy to see why (something readers will probably recognize). The numbers are staggering:

  • 98% say they work more weekly hours than they are contracted for (on average, 9 extra hours a week)

  • 15% say they are working more than 16 hours over their contracted time

Adding to these major difficulties is the ongoing rise of ransomware and the introduction of AI-powered attacks.

The impact on mental health for cybersecurity professionals is taking its toll. Almost half of respondents say they use drugs or alcohol to manage stress.

Maybe it’s time to focus more on reducing stress in the field. The first step is understanding the data, like the kind published in this BlackFog report.


Stay Safe, Stay Secure.

The CybersecurityHQ Team
