The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that…

The CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that has successfully infiltrated US telecommunications networks.

The US government has exposed a large-scale cyberespionage campaign launched by Chinese state-sponsored hackers. This campaign is mainly targeting critical telecommunications infrastructure in the United States and has resulted in the theft of sensitive data, including call records and private communications of individuals involved in government and political activities.

It is worth noting that this security advisory follows just a month after China’s Salt Typhoon group was accused of hacking AT&T and Verizon, allegedly accessing sensitive wiretap data.

According to the advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), Chinese state-sponsored actors have successfully compromised the networks of multiple telecommunications providers.

> _“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”_
> 
> CISA – FBI

One of the most concerning aspects is the possible impact of this attack on US national security. By targeting telecommunications providers, hackers can gain a trove of sensitive information, including communications between government officials, military personnel, and other high-value targets. The compromised data could be used for intelligence gathering, blackmail, or other malicious purposes.  

The advisory states that the US government has taken steps to mitigate the threat posed by this cyberespionage campaign. CISA and the FBI are working closely with affected telecommunications providers to identify and address vulnerabilities. Additionally, the US government is urging individuals and organizations to take steps to protect themselves from cyber threats. 

****The China Threat****

While the United States is known for targeting Chinese infrastructure, China has also emerged as a persistent threat to US critical infrastructure, with state-sponsored hacking groups repeatedly targeting key sectors.

Last month, Chinese hacking group Salt Typhoon (aka GhostEmperor, FamousSparrow, and Earth Estries) breached the systems of major US telecom companies AT&T, Verizon, and Lumen Technologies, potentially compromising wiretap systems used in criminal investigations. 

Another Chinese state-sponsored threat actor Volt Typhoon hacked Singapore-based Singtel a few days back, probably in preparation for attacks against US wireless carriers, Bloomberg reported. 

Considering the extensive implications of such persistent threats, telecommunications providers must invest in advanced security technologies and train their employees to recognize/respond to cyber threats. Additionally, international cooperation is essential to combat cybercrime and hold cybercriminals accountable.

1.  **United Airlines Hacked by Chinese Group Behind The OPM Breach**
2.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
3.  **China Hacked Federal Deposit Insurance Corporation with Malware**
4.  **Five Eyes Accuses Chinese APT40 for Hacking Government Networks**
5.  **Critical Vulnerabilities Expose Nearly 1 Million DrayTek Routers Globally**

CISA and FBI: Chinese Hackers Compromised US Telecom Networks

If the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

November 14, 2024

6 Min Read

Source: Sergey Borisov via Alamy Stock Photo

COMMENTARY

The recent revelations about the Salt Typhoon cyber-espionage group breaching major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, lay bare a systemic vulnerability in America's approach to cybersecurity. This incident is not just an isolated attack; it's an indictment of the US government's inadequate response to the increasing cyber threats posed by state-backed entities like China. Despite years of warnings and multiple high-profile breaches, the government's cybersecurity posture remains reactionary, fragmented, and underwhelming.  

**The Critical Failures in US Cybersecurity Strategy**

Salt Typhoon's targeting of systems used for government intelligence collection, including those integral to surveillance and wiretapping capabilities, is a brazen assault on America's most sensitive digital infrastructure. It exposes a critical flaw: the lack of robust, proactive measures to secure such vital systems. How did a foreign state-backed group infiltrate and potentially remain undetected in these systems for months? The answer lies in insufficient federal oversight, underinvestment in cutting-edge defenses, and an overreliance on private companies to self-police. 

US telecom giants have historically enjoyed light regulatory oversight, often lobbying for fewer obligations and responsibilities. The government, in turn, has adopted a laissez-faire approach, trusting these corporations to manage their cybersecurity. This model is fundamentally flawed. When private entities prioritize profits over robust security measures, it opens the door for adversaries like Salt Typhoon to exploit weak points. The compromised systems at Verizon, AT&T, and Lumen Technologies illustrate the risks of letting corporations with such immense national security implications operate without stringent and enforceable cybersecurity standards. 

**Lawmakers' Outrage: Too Little, Too Late**

In the wake of the Salt Typhoon breach, US lawmakers have begun demanding answers from the affected companies, calling for greater accountability and urging federal regulators to impose stricter standards. While this post-breach outrage may seem like a strong response, it's another chapter in the reactive cycle that defines American cybersecurity policy. Rather than addressing systemic vulnerabilities before they are exploited, federal agencies and lawmakers are again playing catch-up. 

The reality is that sophisticated state-backed actors like Salt Typhoon have likely been probing and compromising critical US infrastructure for years, undetected and unchallenged. The question is not just why this breach happened but why the US government consistently finds itself responding after the fact. The issue goes beyond the individual companies breached — this pattern reflects a more significant failure in Washington to develop a proactive, cohesive, well-resourced cybersecurity strategy.

**The Illusion of Federal Oversight**

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are reportedly investigating the extent of these breaches. However, these investigations often lack the teeth and reach necessary to effect real change. Despite the resources and expertise within agencies like CISA, they are limited in their power to enforce compliance or impose significant penalties on corporations that fail to meet cybersecurity benchmarks. This hands-off approach only emboldens adversaries who know that American companies are not adequately protected and that the government's response mechanisms are limited. 

Further, the fragmented nature of federal oversight complicates a comprehensive defense strategy. With multiple agencies sharing responsibility — yet lacking a unified and coordinated approach — gaps in response capabilities are inevitable. The breaches at Verizon, AT&T, and Lumen Technologies should serve as a wake-up call: The current oversight model is failing to keep pace with the sophistication of state-backed cyber threats. 

**The Need for a Paradigm Shift**

The US must abandon its outdated and ineffective approach to cybersecurity regulation to address these vulnerabilities. Here are key steps the government should take: 

*   Mandatory federal standards and penalties: Telecom companies are critical to national security. They must be held to federal standards that are not just recommendations but legal obligations, with meaningful penalties for non-compliance. The government cannot leave the protection of such vital infrastructure to the discretion of profit-driven entities. 
    
*   A unified cyber defense agency: The United States must streamline its response by creating a centralized agency with the power and authority to coordinate and enforce cybersecurity measures across the public and private sectors. The current patchwork of agencies is insufficient in an era where cyber threats know no borders or jurisdictions. 
    
*   Investment in advanced detection and response capabilities: The government must invest heavily in advanced technologies that provide real-time monitoring and automated response capabilities. Relying on companies to detect and report breaches months after they occur is unacceptable when adversaries can inflict catastrophic damage in seconds. 
    
*   Active cyber deterrence: The US must adopt a more aggressive cyber-deterrence strategy. The current approach of merely investigating breaches after the fact does not dissuade adversaries. It's time for the government to develop and deploy offensive cyber capabilities that signal a clear and present cost for any attempt to infiltrate US systems. 
    

**The Cost of Complacency**

The Salt Typhoon breach is just the latest chapter in a series of cyber-espionage incidents that have exposed the inadequacies of the US cybersecurity framework. If this pattern of complacency and reactionary policy continues, it won't be long before another attack not only compromises intelligence-gathering capabilities but potentially cripples critical infrastructure. The stakes are too high for lawmakers and federal agencies to continue operating with the exact amount of inertia and neglect. 

If Washington truly wants to protect the nation's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures. Otherwise, the US will continue to react to — rather than prevent — attacks that undermine its national security and global standing. 

Don't miss the free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Washington's Cybersecurity Storm of Complacency

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on…

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. Learn how this advanced persistent threat (APT) is evading detection and the steps you can take to protect yourself.   

Cybersecurity researchers at Group-IB report that the North Korean state-backed **APT Lazarus group**, is now deploying a new macOS trojan called “RustyAttr.” This malware, along with a new evasion technique, lets Lazarus carry out its operations while remaining undetected.

Since May 2024, the Lazarus Group has been employing a technique that hides malicious code within the extended attributes (EAs) of files on macOS systems, utilizing the RustyAttr trojan. Extended attributes are hidden data containers attached to files, enabling the storage of additional information beyond standard attributes such as size or creation date.

This method is particularly tricky because these attributes are invisible by default in applications like Finder or Terminal. However, using the .xattr command, attackers can easily access and exploit this hidden data.

In 2020, **Bundlore adware** used a similar technique to hide its payload in resource forks which stored structured data on older macOS systems, researchers noted in the **blog post** shared with Hackread.com.

The possible attack scenario involves a legitimate-looking malicious application, built using the Tauri framework. It displays **fake PDF files** related to job opportunities or cryptocurrency, a theme consistent with Lazarus. 

For your information, the Tauri framework is a web-based tool for creating lightweight desktop applications, enabling developers to use HTML, CSS, JavaScript, and Rust for front and backend, respectively, to execute malicious scripts.

The shell scripts reveal two types of decoys: one fetches a PDF file from a file hosting service, containing questions related to game project development and funding, and the other displays a dialogue stating that the app does not support the specified version, while a web request to the staging server processes in the background. The malicious script is hidden within a custom extended attribute named “test”. 

The application leverages a JavaScript file named “preload.js” to interact with the hidden script. This JavaScript code, using **Tauri’s functionalities**, retrieves the script from the extended attribute and executes it. 

Example of one of the malicious PDF files pushing a fake job advert (Via Group-IB)

“Interestingly, the next behaviour is as follows – if the attribute exists, no user interface will be shown whereas, if the attribute is absent, the fake webpage will be shown,” the researchers revealed.

The malicious components are hidden within the extended attributes, making them invisible to antivirus scanners. The applications were initially signed with a leaked certificate (revoked by Apple now) but remained unnotarized, bypassing another layer of possible detection.

While the researchers haven’t identified any confirmed victims yet, they believe Lazarus might be experimenting with this technique for future attacks. This discovery is important because it’s a completely new tactic, not yet documented in the MITRE ATT&CK framework, a standard reference for attack techniques.

The Lazarus group’s sophistication and continuous expansion of tactics show their efforts to evade detection and compromise systems. To stay safe, verify the source and legitimacy of files before downloading or executing them, and avoid downloading harmless content like PDFs without checking even if it appears legitimate.

Keep **macOS Gatekeeper** on as it prevents the execution of untrusted applications. Lastly, utilize advanced threat intelligence solutions to remain aware of emerging threats and develop effective protection strategies.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

Experts expect Donald Trump’s next administration to relax cybersecurity rules on businesses, abandon concerns around human rights, and take an aggressive stance against the cyber armies of US adversaries.

For American companies grousing about new cybersecurity rules, spyware firms eager to expand their global business, and hackers trying to break AI systems, Donald Trump’s second term as president will be a breath of fresh air.

For nearly four years, president Joe Biden’s administration has tried to make powerful US tech firms and infrastructure operators more responsible for the nation’s cybersecurity posture, as well as restrict the spread of spyware, apply guardrails to AI, and combat online misinformation. But when Trump takes office in January, he will almost certainly eliminate or significantly curtail those programs in favor of cyber strategies that benefit business interests, downplay human-rights concerns, and emphasize aggressive offense against the cyber armies of Russia, China, Iran, and North Korea.

“There will be a national security focus, with a strong emphasis on protecting critical infrastructure, government networks, and key industries from cyber threats,” says Brian Harrell, who served as the Cybersecurity and Infrastructure Security Agency’s assistant director for infrastructure security during Trump’s first term.

From projects whose days are numbered to areas where Trump will go further than Biden, here is what a second Trump administration will likely mean for US cybersecurity policy.

**Full Reversal**

The incoming Trump administration is likely to scrap Biden’s ambitious effort to impose cyber regulations on sectors of US infrastructure that currently lack meaningful digital-security safeguards. That effort has borne fruit with railroads, pipelines, and aviation but has hit hurdles in sectors like water and health care.

Despite mounting cyberattacks targeting vital systems—and despite this year’s Republican Party platform promising to “raise the security standards for our critical systems and networks”—conservatives are unlikely to support new regulatory mandates on infrastructure operators.

There will be “no more regulation without explicit congressional authorization,” says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.

Harrell says “more regulation will be dismantled than introduced.” Biden’s presidency was “riddled with new cyber regulation” that sometimes confused and overburdened industry, he adds. “The new White House will be looking to reduce regulatory burdens while streamlining smart compliance.”

This approach may not last, according to a US cyber official who requested anonymity to discuss politically sensitive issues. “I think they’ll eventually recognize that the efforts focused on regulation in cyber are needed to ensure the security of our critical infrastructure.”

“Regulation is the only tool that works,” Lewis says.

Some Biden cyber rules might be overturned in court, now that the Supreme Court has eliminated the deference that judges previously gave to agencies in disputes over their regulations. John Miller, senior vice president of policy at the Information Technology Industry Council, a major tech trade group, says it’s also possible that Trump officials “might not wait for the courts” to void those rules.

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, predicts that the Trump administration will emphasize cooperation and incentives in its efforts to protect vulnerable industries. He points to a House GOP plan for water cybersecurity standards as an example.

Trump’s election also likely spells doom for CISA’s work to counter mis- and disinformation, especially around elections. After Trump lost the 2020 election, he fired CISA’s first director for debunking right-wing election conspiracy theories, and the conservative backlash to anti-misinformation work has only grown since then.

In 2022, Trump outlined a “free speech policy initiative” to “break up the entire toxic censorship industry that has arisen under the false guise of tackling so-called ‘mis-’ and ‘dis-information.’” Elon Musk, the billionaire owner of Tesla, SpaceX, and X whom Trump has tapped to colead a “government efficiency” initiative, enthusiastically shared the plan last week.

CISA has already dramatically scaled back its efforts to combat online falsehoods following a right-wing pressure campaign, but Trump appointees are almost certain to smother what remains of that mission. “Disinformation efforts will be eliminated,” Montgomery predicts.

Harrell agrees that Trump would “refocus” CISA on core cyber initiatives, saying the agency’s “priorities have mistakenly bordered on social issues lately.”

Also likely on the chopping block: elements of Biden’s artificial intelligence safety agenda that focus on AI’s social harms, like bias and discrimination, as well as Biden’s requirement for large AI developers to report to the government about their model training.

“I expect the repeal of Biden’s executive order on AI, specifically because of its references to AI regulation,” says Nick Reese, a director of emerging technology policy at the Department of Homeland Security under Trump and Biden. “We should expect a change in direction toward less regulation, which would mean less compulsory AI safety measures.”

Trump is also unlikely to continue the Biden administration’s campaign to limit the proliferation of commercial spyware technologies, which authoritarian governments have used to harass journalists, civil-rights protesters, and opposition politicians. Trump and his allies maintain close political and financial ties with two of the most prolific users of commercial spyware tools, Saudi Arabia and the United Arab Emirates, and he showed little concern about those governments’ human-rights abuses in his first term.

“There’s a high probability that we see big rollbacks on spyware policy,” says Steven Feldstein, a senior fellow in the Carnegie Endowment for International Peace’s Democracy, Conflict, and Governance Program. Trump officials are likely to care more about spyware makers’ counterterrorism arguments than about digital-rights advocates’ criticisms of those tools.

Spyware companies “will undoubtedly receive a more favorable audience under Trump,” Feldstein says—especially market leader NSO Group, which is closely affiliated with the Trump-aligned Israeli government.

**Dubious Prospects**

Other Biden cyber initiatives are also in jeopardy, even if their fates are not as clear.

Biden’s National Cybersecurity Strategy emphasized the need for greater corporate responsibility, arguing that well-resourced tech firms must do more to prevent hackers from abusing their products in devastating cyberattacks. Over the past few years, CISA launched a messaging campaign to encourage companies to make their products “secure by design,” the Justice Department created a Civil Cyber-Fraud Initiative to prosecute contractors that mislead the government about their security practices, and White House officials began considering proposals to make software vendors liable for damaging vulnerabilities.

That corporate-accountability push is unlikely to receive strong support from the incoming Trump administration, which is almost certain to be stocked with former business leaders hostile to government pressure.

Henry Young, senior director of policy at the software trade group BSA, predicts that the secure-by-design campaign will “evolve to more realistically balance the responsibilities of governments, businesses, and customers, and hopefully eschew finger pointing in favor of collaborative efforts to continue to improve security and resilience.”

A Democratic administration might have used the secure-by-design push as a springboard to new corporate regulations. Under Trump, secure-by-design will remain at most a rhetorical slogan. “Turning it into something more tangible will be the challenge,” the US cyber official says.

**Chipping Away at the Edges**

One landmark cyber program can’t easily be scrapped under a second Trump administration but could still be dramatically transformed.

In 2022, Congress passed a law requiring CISA to create cyber incident reporting regulations for critical infrastructure operators. CISA released the text of the proposed regulations in April, sparking an immediate backlash from industry groups that said it went too far. Corporate America warned that CISA was asking too many companies for too much information about too many incidents.

Trump’s election could throw a wrench in CISA’s ambitious incident-reporting plans. New appointees at the White House, DHS, and CISA itself could force agency staff to rewrite the rules to be more industry-friendly, exempting entire swaths of critical infrastructure or eliminating requirements for companies to report certain data. Trump’s team has months to revise the final rule before its required publication in late 2025.

BSA’s Young expects Trump’s team to scale back the regulations, which he says “take a very broad view of the authority CISA believes Congress granted it.”

The current rule is “particularly vulnerable to a court challenge” because it exceeds Congress’s intent, ITI’s Miller warns, and Trump’s team “may direct CISA to scale it back” if the agency doesn’t “proceed cautiously” on its own.

**New Urgency**

One area where Trump might pick up the baton from the Biden administration is the government’s use of military hacking operations and its response to foreign adversaries’ cyberattacks.

Under Biden, the military’s US Cyber Command has scaled up its overseas hacker-hunting engagements with allies. But Republicans have pressed Biden to respond more muscularly to Chinese, Russian, and Iranian hacks, and Trump is likely to embrace that approach—particularly after picking representative Mike Waltz, an advocate for cyberattacks on Russia, North Korea, and Mexican cartels, as his national security adviser.

“A much more aggressive stance will be taken against China, which is sorely needed,” Harrell says, predicting that Chinese hackers penetrating US critical infrastructure “will be held to account.”

Montgomery agrees that Trump may “adopt a more aggressive approach” to national cyber defense, including giving the National Guard “a more significant role” in protecting domestic infrastructure.

Montgomery also says he expects more frequent and more muscular offensive operations by Cyber Command, which Trump elevated to a full combatant command during his first term. He predicts the Trump administration will “look more favorably” on creating a separate military cyber service, which the Biden administration opposed, and “take a more skeptical view” of the joint leadership of Cyber Command and the National Security Agency, which the Biden administration supported.

Trump could also harness other tools to constrain China, including authorities he created during his first term to block the use of risky technology in the US. “The Trump administration will look at the full set of policy levers when deciding how to push back on China in cyberspace,” says Kevin Allison, a consultant on geopolitics and technology.

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

PRESS RELEASE

WATERLOO, ON, Oct. 31, 2024 /PRNewswire/ -- OpenText (NASDAQ: OTEX), (TSX: OTEX), has revealed its highly anticipated "Nastiest Malware of 2024" list, spotlighting the year's most notorious cyber threats. Now in its seventh year, OpenText's cybersecurity experts have identified the most relentless and adaptive malware trends impacting industries worldwide. This year, ransomware aimed at critical infrastructure takes center stage, highlighting an urgent call for reinforced security to protect vital services. In response, organizations are projected to increase their cybersecurity investments by 14.3% in 2024, reaching more than $215 billion.

Once again, ransomware group LockBit secures the #1 spot as the nastiest malware of the year. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns. According to the FBI's 2023 2023 Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The ongoing standoff between the FBI and LockBit shows the gritty persistence of today's ransomware market and its growing sophistication. For several months now, the battle for dominance between the FBI and LockBit has highlighted the persistence of the ransomware market and how as technology evolves these threats continually lurk in the shadows.    

"Ransomware attacks on critical infrastructure are on the rise, and cybercriminals are increasingly using artificial intelligence to develop highly personalized threats, which significantly endangers national security and public safety," said Muhi Majzoub, EVP and Chief Product Officer, OpenText. "However, the increased attention on ransomware and cybersecurity is encouraging, as more organizations are proactively prioritizing cybersecurity investments. This commitment highlights their dedication to safeguarding essential services from evolving threats." The 2024 list showcases how adaptive and innovative each ransomware is, but also how well these threats push boundaries. With their malicious capabilities and evasiveness, these cybercriminals continue to find new ways to surpass our darkest expectations.

2024's Nastiest Malware Hall of Infamy: 

1.  LockBit: This ransomware-as-a-service (RaaS) heavyweight leads the pack again, unfazed by FBI efforts to take it down. LockBit's aim? Target one million businesses before calling it quits, solidifying its spot as a top ransomware menace in 2024.
    
2.  Akira: A fresh and ferocious entry, Akira brings a splash of '80s aesthetics to the dark web, quickly climbing the ranks with ruthless encryption tactics and swift deployment. It's especially active in healthcare, manufacturing, and finance, cementing itself as a go-to Ransomware-as-a-Service (RaaS) model for affiliates.
    
3.  RansomHub: Rumored to be a descendant of the Black Cat (ALPHV) group, RansomHub burst onto the scene targeting high-profile organizations. After attacking Planned Parenthood, this group made headlines by stealing and ransoming sensitive patient data, threatening public exposure.
    
4.  Dark Angels: Known for its laser-focused, high-impact attacks on top-tier targets, Dark Angels doesn't hold back. Using advanced infiltration methods, they've secured ransom payments as high as $75 million, leaving their mark on one of the year's biggest Fortune 50 attacks.
    
5.  Redline: Not ransomware but still formidable, Redline Stealer specializes in stealing credentials and sensitive information with skillful evasion tactics, making it a persistent headache across various sectors.
    
6.  Play Ransomware: Making waves with high-profile attacks, Play Ransomware is as versatile as it is relentless. From targeting public and private sectors to exploiting FortiOS vulnerabilities and RDP servers, this group keeps victims on their toes with ever-evolving techniques.
    

Want the full rundown? Visit the OpenText Cybersecurity Community, view the infographic, and join us for our "Nastiest Malware Webinar" to dive deeper into this year's findings and stay ahead of emerging threats!

About OpenText Cybersecurity  
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified/end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, compliant experience and simplified security to help manage business risk.

About OpenText   
OpenText™ is the leading Information Management software and services company in the world.  We help organizations solve complex global problems with a comprehensive suite of Business Clouds, Business AI, and Business Technology.  For more information about OpenText (NASDAQ/TSX: OTEX), please visit us at www.opentext.com.

Connect with us:

OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn 

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies, and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Readers are cautioned not to place undue reliance upon any such forward-looking statements, which speak only as of the date made. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. Further, readers should note that we may announce information using our website, press releases, securities law filings, public conference calls, webcasts and the social media channels identified on the Investors section of our website (https://investors.opentext.com). Such social media channels may include the Company's or our CEO's blog, Twitter account or LinkedIn account. The information posted through such channels may be material. Accordingly, readers should monitor such channels in addition to our other forms of communication.

OpenText Cybersecurity Unveils 2024's Nastiest Malware

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

PRESS RELEASE

(Paris, France) – October 31, 2024 – As counterfeiting represents a global issue for brands and societies alike, Cypheme, a pioneering French company focused on AI-powered anti-counterfeiting solutions, today announced that Vrai AI, its AI anti-counterfeit technology that can detect fake products based on just a picture of a specific detail of a product or label, purely with visual analysis, is now available to brands worldwide. This ground-breaking artificial intelligence, which is perfect for companies across multiple verticals (i.e.: jewelry, pharmaceuticals, electronics, fashion, etc.), is easy to implement and only requires the use of a smartphone to keep a brands’ reputation and customers safe.

Lacoste, a world-renowned fashion brand, is the first company to pioneer the use of this technology, marking a major milestone in the worlds of AI development, the fashion industry and the global fight against counterfeiting. Already, Cypheme’s ground-breaking solution has achieved a near perfect level of accuracy of 99.7% for Lacoste, helping them easily identify fake products and remove them from the market.

By incorporating Cypheme’s powerful technology, which examines microscopic visual details of a specific feature of the product, the AI can differentiate a real from a fake, much in a way similar to a human expert. No modification of the product, no special label, or hidden marker is needed. For Lacoste, Cypheme uses the famous and iconic crocodile logo to identify fakes among a wide variety of Lacoste products. This represents an unprecedented technological leap in the fight against counterfeiting that could play a major part in solving or mitigating crisis linked to the criminal activity across multiple regions and sectors.

For certain types of products, however, the use of Cypheme’s “Noise Print Label,” a proprietary fingerprint anti-counterfeit label that protects every product it is affixed on, is also available. Noise Print is an anti-copy label that utilizes an advanced set of algorithms powered by an artificial neural network that verifies a product’s authenticity. However, it doesn’t stop there. Noise Print can also help trace back the origin points where fake products are known to be made.

“Today, according the European Union Agency for Law Enforcement Cooperation, counterfeiting represents 2.5% of the world’s trade, or $461 billion, and puts low-quality goods on the market, generating risks for health, well-being, security and safety,” explains Hugo Garcia-Cotte, CEO, Cypheme. “Implementing anti-counterfeiting technologies helps brands combat piracy, secure operations, enhance revenue and improve customer engagement, however they do not stop at just that, they have a much larger impact, helping shape safer societies overall.”

About Cypheme  
Cypheme is a pioneering French company focused on AI-powered anti-counterfeiting solutions. With their AI technology, Vrai AI, they aim to make counterfeit trade an unattractive activity for all people of the world. Cypheme’s technology is used in many different industries and countries to safeguard people from the negative impact of fake goods. For more information, visit https://www.cypheme.com/.

Lacoste First to Use AI-Powered Anti-counterfeiting Solution

The consolidation folds Cybereason's endpoint detection and response (EDR) platform into Trustwave's managed security services offerings, such as managed detection and response (MDR).

Source: nespix via Adobe Stock Photo

Managed services provider Trustwave and endpoint detection and response (EDR) company Cybereason announced a definitive merger agreement on Tuesday. The merger reflects the market appetite for integrated cybersecurity solutions, as seen in Check Point's acquisition of Cyberint earlier this year.

Trustwave and Cybereason will "function independently but collaborate strategically on value-added services and capabilities," the companies said in a statement. Cybereason has a significant presence in Japan and Europe, and Trustwave is strong in the Americas and Australia.

The combined company portfolio will span managed detection and response, EDR, offensive security, security research, digital forensics and incident response, and threat intelligence services. Trustwave and Cybereason have complementary product offerings in EDR, email security, and database security.

For example, Cybereason can offer "combined EDR and MDR solutions," said Eric Gan, chairman and CEO of Cybereason said, a statement.

Together, Trustwave and Cybereason will focus on strengthening client consulting services and managed detection and response (MDR) capabilities to develop an all-in-one solution with Cybereason's EDR for midmarket organizations, as well as help customers integrate and optimize Microsoft Security. A primary areas for strategic investment is a purpose-built AI that can detect known and unknown threats with greater speed and accuracy.

Singtel acquired Trustwave in 2015 for $770 million; it sold the company to MC² Security Fund, a private equity fund sponsored by The Chertoff Group, in January of this year for $205 million. Cybereason has raised over $850 million to date from a variety of investors.

SoftBank, Cybereason's largest shareholder, will remain as the majority investor. Trustwave's current owner and MC² Security Fund will remain as a channel partner and strategic adviser.

Financial details of the merger were not disclosed. The transaction is expected to close in early 2025, pending customary closing conditions and regulatory approvals.

Tag

#intel