Cyber News Roundup for January 3, 2025

Happy New Year! We’re bringing you the first roundup of key cybersecurity developments of the year, highlighting significant breaches, evolving threats, and new regulatory updates. From state-sponsored hacks targeting critical U.S. government systems to the continued vulnerabilities in healthcare and telecom sectors, the cybersecurity landscape remains dynamic and fraught with challenges.

Let’s take a closer look at some of the major stories making headlines:

 

Beijing-linked hackers penetrated U.S. Treasury systems

According to a letter the U.S. Treasury sent to congressional lawmakers on Monday, a Chinese state-sponsored APT actor was responsible for what is being called “a major incident” that compromised U.S. Treasury Department workstations and classified documents at the Office of Foreign Assets Control (OFAC). The department had been notified on December 8 by BeyondTrust that “a foreign actor had obtained a security key” that allowed it “to remotely gain access to employee workstations and the classified documents stored on them.” The letter “did not specify the number of impacted workstations or the kind of documents accessed,” and the agency adds that the compromised service “has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information.” (The Record)

 

Russian tanker suspected of undersea data cable sabotage 

On yesterday’s episode of Cyber Security Headlines, we mentioned briefly that Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea. The story continues to unfold. The ship seized was the Eagle S, an oil tanker that departed from a Russian port on December 25, and which is suspected of “intentionally dragging its anchor for several miles resulting in the complete severing of multiple cables, including the Estlink 2 power cable and four telecommunications cables.” Authorities from Finland boarded the ship by helicopter, having “identified but not arrested seven suspects.” The ship is being treated as a crime scene on suspicions that it is more than just an oil tanker. A report from the shipping journal Lloyd’s List describes the Eagle S as having been “loaded with spying equipment unusual for a merchant ship, and used to monitor NATO naval and aircraft radio communications, and to drop ‘sensors-type devices’ in the English Channel.” (The Record and Lloyd’s List)

 

Lumen says it has locked the Salt Typhoon group out of its network

More updates in the continuing Salt Typhoon story: following revelations last week that a ninth telecom company had been penetrated by the China-linked APT group, Lumen announced this week that the group had been ejected from and locked out of the Lumen network. Company spokesperson Mark Molzen told TechCrunch that “an independent forensic analysis confirmed the company ejected the Chinese actors from its network, adding that there is no evidence that customer data was accessed.” (Security Affairs)

 

Proposed updates to HIPAA Security Rule mandate restoration of certain relevant electronic information systems and data within 72 hours

The U.S. Department of Health and Human Services (HHS) has proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to enhance cybersecurity measures within the healthcare sector. These updates aim to strengthen protections for electronic protected health information (ePHI) against increasing cyber threats. Key proposed changes include:

  • Mandatory Implementation Specifications: Eliminating the distinction between “required” and “addressable” specifications, making all implementation specifications mandatory with limited exceptions.
  • Data Restoration Requirements: Mandating the restoration of certain electronic information systems and data within 72 hours following a loss.
  • Enhanced Documentation and Analysis: Requiring comprehensive written documentation of policies, procedures, plans, and analyses, along with regular reviews and updates.
  • Asset Inventory and Network Mapping: Obligating the development and maintenance of a technology asset inventory and a network map that tracks the movement of ePHI, to be updated at least annually or in response to significant changes.

These proposed modifications are part of a broader effort to align HIPAA regulations with current technological advancements and to address the evolving cybersecurity landscape in healthcare. The Notice of Proposed Rulemaking (NPRM) was issued on December 27, 2024, and stakeholders are encouraged to submit comments during the 60-day public comment period following its publication in the Federal Register. (Security Affairs)

 

Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs

A recent investigation revealed that an unsecured cloud server exposed sensitive location data for 800,000 Volkswagen Group electric vehicles, including models from Volkswagen, Audi, SEAT, and Skoda. Discovered by an anonymous whistle-blower and reported to the Chaos Computer Club (CCC), the data included GPS coordinates and vehicle statuses, enabling the tracking of owners’ movements and routines. Notably, the breach affected various individuals, including German politicians, police officers, and intelligence service employees, with most vehicles located in Europe. The root cause was identified as a misconfiguration within Cariad, Volkswagen’s software division, which has since been addressed to prevent further unauthorized access. (Hack Read)

 

New details about hijacked Chrome extensions

In another update to a story we brought to you Monday on Cyber Security Headlines, new details have emerged about a phishing campaign targeting Chrome browser extension developers. Although initial reports focused on an extension from security firm Cyberhaven, subsequent investigations revealed the campaign affected at least 35 extensions collectively used by roughly 2,600,000 people. The attack leverages a phishing email appearing to come from Google and claiming the developer’s extension is in violation of Chrome Web Store policies. Victims are then redirected to an attacker-hosted OAuth application (named “Privacy Policy Extension”) where they are asked to grant permission to manage their Chrome extensions. The attackers then inject data-stealing code into the extension and publish it as a “new” version. The malicious extensions aim to steal user Facebook credentials and have the ability to bypass multi-factor authentication and CAPTCHA mechanisms. While recent reports indicate the campaign started around December 5, 2024, BleepingComputer identified that related command and control subdomains existed as far back as March 2024. (Bleeping Computer)
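Because the hijacked extensions were pushed out as ordinary “new” versions, one practical defensive control is to diff an extension’s manifest before and after an update and flag the kinds of changes injected code tends to need. The Python script below is an added example for this roundup, not code from any of the cited reports or from Google; the two manifests are constructed for illustration, and the permission and host-pattern lists it treats as high-risk are the editor’s own choices.

```python
"""Flag risky deltas between two versions of a Chrome extension manifest.

Added example for this roundup; the manifests below are constructed and the
risk lists are editorial assumptions, not Chrome Web Store policy.
"""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that expose session data or let an extension alter requests
# and pages; a newly added one in an update warrants a manual look.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "history", "management", "debugger", "nativeMessaging",
}


def _is_host_pattern(p):
    return "://" in p or p in BROAD_HOST_PATTERNS


def extract_permissions(manifest):
    """API permissions declared in 'permissions' (host entries excluded)."""
    return {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}


def extract_hosts(manifest):
    """Every host pattern the extension can touch: MV3 host_permissions,
    MV2-style host entries in 'permissions', and content-script matches."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def diff_manifests(old, new):
    """Return human-readable findings for additions and changes that widen
    what the new version can reach; an empty list means nothing widened."""
    findings = []
    for p in sorted(extract_permissions(new) - extract_permissions(old)):
        level = "HIGH" if p in HIGH_RISK_PERMISSIONS else "info"
        findings.append(f"[{level}] new permission: {p}")
    for h in sorted(extract_hosts(new) - extract_hosts(old)):
        level = "HIGH" if h in BROAD_HOST_PATTERNS else "info"
        findings.append(f"[{level}] new host pattern: {h}")
    # A relaxed CSP or a new externally_connectable entry can open a path for
    # remote code or cross-origin messaging that the old version did not have.
    if old.get("content_security_policy") != new.get("content_security_policy"):
        findings.append("[HIGH] content_security_policy changed")
    if old.get("externally_connectable") != new.get("externally_connectable"):
        findings.append("[HIGH] externally_connectable changed")
    return findings


def has_high_risk(findings):
    """True if any finding is rated HIGH, i.e. the update should be held."""
    return any(f.startswith("[HIGH]") for f in findings)


# Constructed sample manifests (not taken from any real extension).
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Helper", "version": "1.4.0",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}]
}""")

NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Helper", "version": "1.5.0",
  "permissions": ["storage", "cookies", "webRequest"],
  "host_permissions": ["https://example.com/*", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}
}""")

if __name__ == "__main__":
    for line in diff_manifests(OLD_MANIFEST, NEW_MANIFEST):
        print(line)
    print("hold update:", has_high_risk(diff_manifests(OLD_MANIFEST, NEW_MANIFEST)))
```

Run against the two constructed manifests, the script reports the two new high-risk permissions, the new `<all_urls>` host pattern and the CSP change, and recommends holding the update. In a managed fleet the same check can be wired to the enterprise extension allowlist so that a version whose manifest widens its reach is not auto-approved.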

 

NATO plans to build satellite links as backups to undersea cables 

Ninety-five percent of global data traffic is carried through undersea fiber optic cables. Because roughly 100 undersea cables get severed each year, NATO is working to improve the resilience of this critical infrastructure. Project HEIST (which stands for Hybrid Space-Submarine Architecture Ensuring Infosec of Telecommunications) will enlist engineers to develop smart systems to quickly locate cable breaks and develop protocols to automatically reroute the affected data to satellites. While satellites are the primary backups to undersea cables, their bandwidth lags far behind that of physical connections. Work is underway to upgrade satellites from radio transmissions to lasers, increasing the speed by about 40 times to 200 Gbps. While Starlink satellites already use laser technology, other tech companies, including Amazon, continue to develop their own satellite technology.

Coincidentally, this week, Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea. (Tom’s Hardware and The Record)

 

Air Fryer espionage raises data security concerns

While risks related to smart device hijacking are nothing new, since November privacy concerns related to the use of air fryers have been gaining momentum on tech forums. Modern smart air fryers leverage AI, increasing their ability to collect, and potentially expose, personal information. The UK’s Information Commissioner’s Office (ICO) recently released findings showing that certain air fryer models sold in the UK and the U.S. possess the ability to eavesdrop on users through their mobile apps. In response, the ICO plans to introduce new guidelines for manufacturers of AI-powered gadgets. In the meantime, users should keep connected device software up to date, secure home Wi-Fi networks with strong passwords, and monitor permissions granted to related apps. (Cyber Security Insiders)

 

2024 security lessons

According to an article by Dark Reading, there are some key lessons to take away as we head into the new year. The threat landscape in 2024 underscored the rise of zero-day exploits, nation-state alliances with cybercriminals, and increasing attacks on critical infrastructure, exposing systemic vulnerabilities in both IT and OT systems. High-profile incidents, including ransomware disruptions to supply chains and espionage targeting telecom networks, highlighted the need for stronger defenses, proactive patch management, and cross-sector collaboration. (Dark Reading)

 

Volkswagen software company Cariad suffers Amazon cloud breach

The breach, discovered by Europe’s largest ethical hacker association, CCC, revealed that sensitive information for 800,000 electric vehicles from brands such as Audi, VW, and Skoda was left exposed on “a poorly secured and misconfigured Amazon cloud storage system.” The exposed data includes GPS coordinates, battery charge levels, and other vehicle status details, but experts warn that such data can be easily “connected to owners’ personal credentials, thanks to additional data accessible through VW Group’s online services.” The data had been exposed for months; however, a Cariad representative said that “the exposed data affected only vehicles connected to the internet and had been registered for online services,” and that the data “could only be accessed after bypassing several security mechanisms that required significant time and technical expertise.” An investigation by the German magazine Spiegel shows that the list of affected customers includes German politicians, entrepreneurs, the entire fleet of the Hamburg police force, and even suspected intelligence service employees. (BleepingComputer, Carscoops, Spiegel)

 

HIPAA to be updated with cybersecurity regulations

Further news from Anne Neuberger’s Friday press conference reveals that new cybersecurity rules covering how healthcare institutions protect user data will be proposed under the Health Insurance Portability and Accountability Act. Neuberger described this as the first update to HIPAA’s security rule in over a decade; it will require entities that maintain healthcare data to encrypt it. “Healthcare entities also will have to monitor their networks for threats and do compliance checks to see whether they are abiding by the new HIPAA rules.” (The Record)

 

Palo Alto Networks fixes high-severity PAN-OS flaw

The flaw in PAN-OS software, which has been assigned a CVE number and carries a CVSS score of 8.7, could trigger a denial-of-service (DoS) condition on vulnerable devices: an unauthenticated attacker can reboot the firewall by sending a malicious packet through its data plane, forcing the firewall into maintenance mode. The vulnerability affects PAN-OS versions 10.X and 11.X, but can be exploited only if DNS Security logging is enabled. (Security Affairs)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.