Cyber News Roundup for January 10, 2024

This week in cybersecurity news: critical vulnerabilities, ongoing data breaches, and new sanctions highlight the persistent threats facing industries worldwide. From massive outages at Proton and German airports to high-profile breaches by Chinese and Russian threat actors, organizations must remain vigilant. Meanwhile, regulatory updates like the new Cyber Trust label and Apple’s privacy settlement offer a glimpse into the evolving landscape of security and compliance. Let’s take a closer look at the latest developments:


Proton recovers from worldwide outage 

The privacy firm Proton is dealing with a massive outage that started at 10:00 a.m. Eastern time yesterday, leaving users unable to access ProtonVPN, Mail, Calendar, Drive, Pass, and Wallet. Most services were restored quickly. Proton Mail was restored later, at 1:09 p.m., and Calendar was still unavailable at the time of this recording. Proton has not yet explained the cause of the outage. (BleepingComputer)


U.S. Treasury breach linked to Silk Typhoon group 

Following up on a story we have been watching these past few weeks, it has now been revealed that the Silk Typhoon APT group was responsible for the Treasury hack. Using stolen Remote Support SaaS API keys belonging to third-party cybersecurity vendor BeyondTrust, the group was able to steal data from workstations in the Office of Foreign Assets Control (OFAC) as well as the Treasury Department’s Office of Financial Research. Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations. The “Typhoon” appellation is a Microsoft convention for labeling Chinese APT groups, in the same way that Blizzard is used for Russian threat actors, Sleet for North Korean threat actors, and Sandstorm for Iranian threat actors. (Dark Reading)


Russian ISP confirms Ukrainian hackers “destroyed” its network 

Hacktivists from the Ukrainian Cyber Alliance group announced on Tuesday that they had breached the network of Russian internet service provider Nodex and had wiped its systems after stealing sensitive documents, leaving only “empty equipment without backups.” The hackers showed off screenshots of the ISP’s VMware, Veeam backup, and Hewlett Packard Enterprise virtual infrastructure that were compromised during the breach. (BleepingComputer)


CISA adds Ivanti products and ZTA Gateways flaw to its KEV catalog 

The Ivanti Connect Secure vulnerability, with a CVSS score of 9.0, was added to the agency’s Known Exploited Vulnerabilities catalog alongside a flaw in ZTA Gateways, also manufactured by Ivanti. CISA stated that “successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution” and that “CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.” Although private companies are, as usual, also urged to update their systems, the KEV addition means that federal agencies must address this vulnerability by January 15. (Security Affairs)


Critical flaw in GFI KerioControl allows remote code execution 

GFI KerioControl is a network security solution that provides firewall functionality and unified threat management capabilities such as threat detection and blocking, traffic control, intrusion prevention, and VPN features. Security researcher Egidio Romano published a writeup of the vulnerability on December 16 and explained that the reflected XSS attack vector can be exploited to perform one-click RCE attacks. Threat intelligence firm Censys says it has observed “almost 24,000 GFI KerioControl instances accessible from the internet, many of which are in Iran. However, it is unclear how many of these are vulnerable.” (Security Week)


An industrial networking firm identifies critical vulnerabilities in its cellular routers, secure routers, and network security appliances 

Industrial networking firm Moxa has identified two critical vulnerabilities in its cellular routers, secure routers, and network security appliances. The first flaw (CVE-2024-9138) involves hardcoded credentials that can be used to gain root access, affecting 10 products. The second (CVE-2024-9140) enables OS command injection via an input restriction bypass, affecting 7 products and allowing remote exploitation by unauthenticated users. Rated 8.6 and 9.8 on the CVSS scale, respectively, the vulnerabilities pose significant risks. Moxa has released patches for many devices and, for unpatched products, advises minimizing network exposure, limiting SSH access, and using intrusion detection systems. (Cyberscoop)

Staten Island hospital notifies 674,000 people of data breach 

Richmond University Medical Center in Staten Island, New York, is notifying 674,000 individuals that their data may have been compromised during a May 2023 ransomware attack, BankInfoSecurity reports. The hospital said in a notice to federal regulators last month, “On December 1, 2024, the manual review process determined that at least one of those files contained personal information, including full names and one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, biometric information, user credentials, medical treatment/diagnosis information, and/or health insurance policy information.” (Bank Info Security)


Cyber Trust marks to roll out in 2025 

In 2023, the White House launched an initiative to add Cyber Trust labels to retail packaging for connected devices. The label has been compared to Energy Star certification, indicating a consumer baseline of cybersecurity best practices. The FCC unanimously approved the label in March. Now, White House officials say the label will start appearing on consumer devices this year. Deputy National Security Adviser for Cyber Anne Neuberger said an upcoming executive order will mandate that the federal government only purchase devices with the Cyber Trust label as of 2027. The program will be based on NIST cybersecurity criteria and will tell users at the point of purchase how long companies plan to provide software updates. CISA, the FCC, and the Department of Justice will collaborate to oversee and enforce the program. (The Record)


CISA says government hack limited to Treasury 

Last week, the US Treasury Department informed lawmakers that state-sponsored Chinese threat actors breached its systems in a “major cybersecurity incident” through its remote support provider BeyondTrust. After an investigation, CISA announced it found no signs of the breach impacting any other federal agencies. CISA said it will continue to monitor the response to the attack and coordinate with “relevant federal authorities” as needed. Investigators are still looking into the full scope of the Treasury attack but said there was no evidence the threat actors maintained access after the Treasury terminated its BeyondTrust instance. (Bleeping Computer)


Philippines targeted by Chinese threat actors 

Bloomberg’s sources say Chinese state-sponsored actors orchestrated a yearlong campaign to penetrate systems of the Philippines’ executive branch, stealing “sensitive” data. However, Department of Information and Communications Technology Secretary Ivan Uy said the attacks did not compromise current data but did obtain “old data from many years ago.” Uy said his department deals with thousands of breach attempts against the government daily and challenged the threat actors to publish details if they obtained relevant data. (Bloomberg, PhilStar)


ASUS issues a critical security advisory for several router models 

ASUS has issued a critical security advisory for several router models, highlighting vulnerabilities (CVE-2024-12912 and CVE-2024-13062) in firmware versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. These flaws could allow authenticated attackers to execute arbitrary commands via the AiCloud feature, potentially compromising network security. ASUS has released firmware updates and urges users to update immediately. To enhance security, the company advises using strong, unique passwords and disabling internet-accessible services on older routers. (Cyber Security News)


U.S. sanctions China’s Integrity Technology for role in Flax Typhoon attacks 

Following up on a story we covered last September, U.S. officials are now confirming that the Beijing-based Integrity Technology Group provided China’s Ministry of State Security and several Chinese state-backed hacking groups “with infrastructure that allows them to attack multiple victims based in the U.S.” “China-based hackers working for Integrity Tech, known to the private sector as Flax Typhoon, successfully targeted universities, government agencies, telecommunications providers and media organizations in the U.S. and elsewhere,” State Department spokesperson Matthew Miller said on Friday. “The sanctions freeze all U.S. assets of the company and limit the amount of interaction financial institutions can have with it.” (The Record)


German airports hit by IT outage 

As reported in Reuters, “German airports were hit by a nationwide IT outage affecting police systems at border control on Friday, causing disruption and longer immigration queues for passengers from outside the European Union’s Schengen travel zone. The Schengen zone consists of 29 European countries that have officially abolished border controls at their mutual borders and placed them under single jurisdiction. The cause of the IT outage is not yet known but major airports including Berlin, Frankfurt, and Dusseldorf report longer waiting times at immigration for non-Schengen passengers.” (Reuters)


Vulnerability discovered in Nuclei vulnerability scanner 

A high-severity security flaw has been disclosed in ProjectDiscovery’s Nuclei, “a widely used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code.” Nuclei is designed to “probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws.” According to cloud security firm Wiz, which made the discovery, the vulnerability is “rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.” (The Hacker News)


Apple to pay Siri users $20 per device in settlement over privacy violations 

The outcome of a class action suit against Apple sees the company agreeing to pay $95 million to settle accusations that the iPhone maker invaded users’ privacy through its Siri assistant. According to Reuters, the settlement applies “to U.S.-based individuals [who are] current or former owners or purchasers of a Siri-enabled device who had their confidential voice communications with the assistant ‘obtained by Apple and/or were shared with third-parties as a result of an unintended Siri activation’ between September 17, 2014, and December 31, 2024.” Eligible individuals can submit claims for up to five Siri devices. Valid claims can receive $20 per device. (The Hacker News)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.