alt=Department of the Treasury building exterior, showcasing its classical architecture and prominent entrance.
Cyber security
2025-01-02 Post a Comment

US Treasury hacked: Are China and the US stepping up their cyberwar?

Department of the Treasury calls cyberattack a ‘major incident’, accuses China-backed hackers.

By Sarah Shamim

The United States Department of the Treasury on Monday blamed China for breaching its network and gaining access to information that includes unclassified documents.

Beijing has denied the allegation, calling it “groundless”.

Keep reading

list of 4 items

end of list

The alleged hacking comes weeks after Beijing accused Washington of carrying out two cyberattacks on Chinese technology firms.

With Washington and Beijing trading blame, we assess the history of cyberwarfare between the world’s two largest economies and whether it has intensified.

Who hacked the US Treasury Department?

The US Treasury Department accused Chinese state-sponsored hackers of breaking into its system this month and accessing employee workstations and unclassified documents.

The department said the hackers gained access by overriding a security key used by third-party cybersecurity provider BeyondTrust, which provides technical support remotely to Treasury employees.

The Treasury Department made these details public on Monday in a letter to the US Congress. The attack was caused by “a China-based Advanced Persistent Threat (APT) actor”, the letter said.

The department, however, did not specify the number of workstations compromised, the nature of the files, the exact timeframe of the hack and the confidentiality level of the stations compromised.

On December 8, Treasury was alerted about a hack by BeyondTrust. The BBC reported that BeyondTrust first suspected unusual activity on December 2 but took three days to determine it was hacked.

How did the US Treasury Department respond?

The department said there is no evidence that the hackers still have access to department information and the compromised BeyondTrust has been taken offline.

It is assessing the impact of the hack with the assistance of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The hack is being investigated as a “major cybersecurity incident”.

The department’s letter to Congress added that supplemental information about the attack would be sent to US lawmakers in 30 days.

“Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” a spokesperson for the department said in a separate statement.

How has China responded?

China has denied the department’s accusations, and its Ministry of Foreign Affairs said Beijing condemns all forms of hacker attacks.

“We have stated our position many times regarding such groundless accusations that lack evidence,” ministry spokesperson Mao Ning was quoted as saying by the AFP news agency.

A spokesperson for the Chinese embassy in the US, Liu Pengyu, denied the department’s allegations. “We hope that relevant parties will adopt a professional and responsible attitude when characterising cyber-incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” he said, according to a BBC report.

“The US needs to stop using cybersecurity to smear and slander China and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”

Are the US and China ramping up cyberattacks against each other?

While the US has blamed China for cyberattacks over the years, Beijing has also accused Washington of hacking its critical cyber-infrastructure in recent years.

Here’s a brief timeline of recent cyberattacks claimed by the two nations:

On December 18, China’s National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) released a statement saying two US cyberattacks since May 2023 tried to “steal trade secrets” from Chinese technology firms.

On December 5, US Deputy National Security Adviser Anne Neuberger said a Chinese hacking group called Salt Typhoon had obtained communications of senior US government officials but classified information was not compromised.

A month earlier, on November 13, the FBI and CISA said they had uncovered a broad cyberespionage campaign carried out by China-linked hackers.

The US alleged that the hackers had compromised “private communications of a limited number of individuals”. While it did not specify who these individuals were, they were “primarily involved in government or political activity”, the FBI and CISA said.

Weeks before the US elections in November, the FBI launched an investigation after reports alleged Chinese hackers had targeted mobile phones of President-elect Donald Trump and Vice President-elect JD Vance as well as people associated with Kamala Harris, the Democratic presidential candidate in the race.

In July 2023, US tech giant Microsoft said the China-based hacking group Storm-0558 breached email accounts at about 25 organisations and government agencies. The breached accounts included those belonging to US Department of State staff.

In March, the US and United Kingdom accused China of carrying out a sweeping cyberespionage campaign that allegedly hit millions of people, including lawmakers, journalists and defence contractors. The two countries slapped sanctions on a Chinese company after the incident. A month before, US authorities said they had dismantled a China-sponsored hacker network called Volt Typhoon.

In response, China called the charges “completely fabricated and malicious slanders”.

In March 2022, China said it experienced a series of cyberattacks that mostly traced back to US addresses. Some were also traced back to the Netherlands and Germany, according to CNCERT/CC.

 

Video Duration 3 minutes 57 seconds
  • Now Playing

    Video Duration 03 minutes 57 seconds
    China cyber-attacks: Beijing calls UK & US accusations 'groundless'

    China cyber-attacks: Beijing calls UK & US accusations ‘groundless

Why are cyberattacks launched?

State-sponsored actors are regularly accused of launching cyberattacks against adversaries that range from state institutions to politicians and activists. They aim to gain unauthorised access to confidential data and trade secrets or disrupt economies and critical infrastructure.

Advertisement

“The US and China have had a history of using cyberdefence to further their national security aims,” Rebecca Liao, the Co-Founder and CEO at web3 protocol Saga, told Al Jazeera.

“While espionage against state actors is an accepted practice, the US has protested against China’s rampant cyberattacks against US commercial entities,” said Liao, who was a member of President Joe Biden’s 2020 and Hillary Clinton’s 2016 presidential campaigns, advising on China, technology and Asia economic policy.

“It is obviously not diplomatically wise to build a track record of resorting to espionage. That’s why Beijing has been so swift to deny all allegations.”

With the development of digital technology, cyberattacks are on the rise worldwide, according to the German Institute for International and Security Affairs (SWP). Data from the SWP shows that cyberattacks went up from 107 in 2014 to 723 in 2023.

Cyberattacks are also carried out by individuals or organised groups who want to steal data and money.

How can countries protect themselves from cyberattacks?

The US and China “should spearhead a treaty on the responsible use of the cyberspace”, wrote researchers Asimiyu Olayinka Adenuga and Temitope Emmanuel Abiodun from the Political Science Department at Nigeria’s Tai Solarin University in an article published this year.

They cited the example of the treaties signed between the US and Soviet Union as a result of the Strategic Arms Limitations Talks, SALT I and SALT II, in 1972 and 1979. The two Cold War superpowers signed the treaties to establish US-Soviet stability by limiting their production of nuclear weapons.

In their article, the Tai Solarin researchers added that there is a need for further technological development, particularly in quantum computing, that will make it harder to execute cyberattacks.

Victor Atkins, a fellow with the Indo-Pacific Security Initiative of the US think tank Atlantic Council, wrote in a February article that the US “should launch an expansive new multilateral cyber threat intelligence sharing coalition in the Indo-Pacific” to combat cyberattacks from China.

“A decade ago, there were some suggestions about convening an international body around cybersecurity to come up with standards or codes of conduct that participating nations would abide by,” Liao, the tech expert, said.

“However, none of these efforts have yielded fruit, and it is up to each individual country to protect against cyberattacks.”

Governments currently are working on developing cybersecurity infrastructure such as firewalls to protect themselves from cyberattacks such as hacking.

An article published by the University of Miami added that countries employ other practices to counter cyberthreats. These include testing these cyberthreats in a simulated environment. “Cyber teams constantly undergo training exercises, similar to the military,” the article said.

 

read more
alt=Weekly intelligence report titled "CPRI," summarizing key insights and data for strategic decision-making.
Cyber security
2024-12-30 Post a Comment

30th December – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours to initiate ransom negotiations before publicly disclosing their identities. This incident mirrors Clop’s previous exploitation of zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer.

Check Point Harmony Endpoint, Threat Emulation and IPS provide protection against this threat (Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.* ; Cleo Arbitrary File Upload (CVE-2024-50623))

  • Pittsburgh Regional Transit (PRT) experienced a ransomware attack last week, resulting in service disruptions to its rail system and customer service operations. While transit services have resumed normal operations, certain rider services, such as processing ConnectCards, remain affected. The investigation, involving law enforcement and cybersecurity experts, is ongoing, with no confirmation yet regarding data theft or the group responsible for the attack.
  • Cyberhaven has been a victim of a cyber-attack that resulted in distribution of a malicious update for its Chrome browser extension. The compromised extension was able to exfiltrate users’ sensitive information, including authenticated sessions and cookies.
  • Cariad, Volkswagen’s automotive software subsidiary, exposed data from 800,000 electric cars, including sensitive geo-location information, due to misconfigured IT applications. The exposed data included details of vehicles from VW, Seat, Audi, and Skoda, with precise locations for 460,000 cars and pseudonymized user data. The Chaos Computer Club identified the vulnerability, enabling access to terabytes of unprotected customer information stored in Amazon cloud storage.
  • Japan Airlines has resumed to normal activity following a cyberattack that caused delays in domestic and international flights. The attack involved a sudden surge in network traffic, indicative of a distributed denial-of-service (DDoS) attack, affecting data communication with external systems. No customer information was leaked, and flight safety remained uncompromised.
  • ZAGG Inc., a consumer electronics accessories maker, has disclosed a data breach resulting in the exposure of customers’ payment card information. The breach occurred between October and November 2024, due to malicious code injected into the FreshClick app, a third-party application provided by their e-commerce platform, BigCommerce.
  • The European Space Agency’s (ESA) official merchandise store was hacked, causing it to display a fake payment page designed to steal customer payment card details.

VULNERABILITIES AND PATCHES

  • A critical SQL injection vulnerability (CVE-2024-45387), rated 9.9 on the CVSS scale, has been identified in Apache Traffic Control versions 8.0.0 and 8.0.1. The flaw allows privileged users with specific roles to execute arbitrary SQL commands in the database via crafted PUT requests. The issue has been patched in version 8.0.2.

Check Point IPS provides protection against this threat (Apache Traffic Control SQL Injection (CVE-2024-45387))

  • A critical vulnerability (CVE-2024-52046) with a maximum CVSS score of 10.0, has been discovered in Apache MINA, a Java network application framework. The flaw arises from the ObjectSerializationDecoder’s use of Java’s native deserialization protocol without adequate security measures, enabling attackers to execute remote code by sending malicious serialized data.
  • Palo Alto Networks has disclosed an actively exploited Denial of Service (DoS) vulnerability (CVE-2024-3393) affecting PAN-OS software. The flaw allows unauthenticated attackers to send malicious packets that force affected firewalls into reboot or maintenance mode, disrupting firewall protection. The issue impacts devices with DNS Security logging enabled and has been patched in versions PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3.
  • A high-severity OS command injection vulnerability (CVE-2024-12856) has been identified in Four-Faith router models F3x24 and F3x36. Exploitation via default credentials may enable unauthenticated OS command execution. Over 15,000 internet-facing devices are at risk, with evidence suggesting active exploitation since at least early November 2024.

Check Point IPS provides protection against this threat (Four-Faith F3x Series Command Injection (CVE-2024-12856))

THREAT INTELLIGENCE REPORTS

  • Researchers have observed “OtterCookie”, a new malware used in the North Korean-associated Contagious Interview campaign. This financially motivated campaign targets a broad range of victims and is active in Japan. OtterCookie communicates via Socket.IO, executes shell commands to exfiltrate sensitive data, including cryptocurrency keys, and uses clipboard data collection to enhance its capabilities.
  • Researchers have identified heightened activity by the Paper Werewolf (aka GOFFEE) cluster, conducting at least seven campaigns targeting Russian organizations since 2022. Using phishing PowerShell and PowerRAT, and emails with malicious macros, the group conducts espionage and destructive ops, including disabling IT infrastructure and changing account credentials. The arsenal includes custom implants, reverse shells, and malicious IIS modules for credential harvesting.
  • Researchers have analyzed the increased activity from botnets like the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN,” which exploit long-standing vulnerabilities in D-Link devices to execute malicious commands via the HNAP interface.
read more
alt=A person wearing a hoodie is focused on using a laptop computer in a casual setting.
Cyber security
2024-12-30 Post a Comment

Tech Ransomware is 35 years old and now a billion-dollar problem. Here’s how it could evolve

thumbnail

Ryan Browne
Key Points
  • Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person’s computer and demand payment to unlock them.
  • The technology — which officially turned 35 in December — has come a long way, with criminals now able to spin up ransomware much faster and deploy it across multiple targets.
  • Experts expect ransomware to evolve even further, with modern-day cloud computing tech, artificial intelligence and geopolitics shaping its future.
As the ransomware industry evolves, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.
As the ransomware industry evolves, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.
Seksan Mongkhonkhamsao | Moment | Getty Images

Ransomware is now a billion-dollar industry. But it wasn’t always that large — nor was it a prevalent cybersecurity risk like it is today.

Dating back to the 1980s, ransomware is a form of malware used by cybercriminals to lock files on a person’s computer and demand payment to unlock them.

The technology — which officially turned 35 on Dec. 12 — has come a long way, with criminals now able to spin up ransomware much faster and deploy it across multiple targets.

Cybercriminals raked in $1 billion of extorted cryptocurrency payments from ransomware victims in 2023 — a record high, according to data from blockchain analysis firm Chainalysis.

Experts expect ransomware to continue evolving, with modern-day cloud computing tech, artificial intelligence and geopolitics shaping the future.

How did ransomware come about?

The first event considered to be a ransomware attack happened in 1989.

A hacker physically mailed floppy disks claiming to contain software that could help determine whether someone was at risk of developing AIDs.

However, when installed, the software would hide directories and encrypt file names on people’s computers after they’d rebooted 90 times.

It would then display a ransom note requesting a cashier’s check to be sent to an address in Panama for a license to restore the files and directories.

The program became known by the cybersecurity community as the “AIDs Trojan.”

“It was the first ransomware and it came from someone’s imagination. It wasn’t something that they’d read about or that had been researched,” Martin Lee, EMEA lead for Talos, the cyber threat intelligence division of IT equipment giant Cisco, told CNBC in an interview.

“Prior to that, it was just never discussed. There wasn’t even the theoretical concept of ransomware.”

The perpetrator, a Harvard-taught biologist named Joseph Popp, was caught and arrested. However, after displaying erratic behavior, he was found unfit to stand trial and returned to the United States.

How ransomware has developed

Since the AIDs Trojan emerged, ransomware has evolved a great deal. In 2004, a threat actor targeted Russian citizens with a criminal ransomware program known today as “GPCode.”

The program was delivered to people via email — an attack method today commonly known as “phishing.” Users, tempted with the promise of an attractive career offer, would download an attachment which contained malware disguising itself as a job application form.

Once opened, the attachment downloaded and installed malware on the victim’s computer, scanning the file system and encrypting files and demanding payment via wire transfer.

Then, in the early 2010s, ransomware hackers turned to crypto as a method of payment.

Ransomware attacks could get worse next year, says TrustedSec's David Kennedy

watch now
VIDEO04:39
Ransomware attacks could get worse next year, says TrustedSec’s David Kennedy

In 2013, only a few years after the creation of bitcoin, the CryptoLocker ransomware emerged.

Hackers targeting people with this program demanded payment in either bitcoin or prepaid cash vouchers — but it was an early example of how crypto became the currency of choice for ransomware attackers.

Later, more prominent examples of ransomware attacks that selected crypto as the ransom payment method of choice included the likes of WannaCry and Petya.

“Cryptocurrencies provide many advantages for the bad guys, precisely because it is a way of transferring value and money outside of the regulated banking system in a way that is anonymous and immutable,” Lee told CNBC. “If somebody’s paid you, that payment can’t be rolled back.”

CryptoLocker also became notorious in the cybersecurity community as one of the earliest examples of a “ransomware-as-a-service” operation — that is, a ransomware service sold by developers to more novice hackers for a fee to allow them to carry out attacks.

“In the early 2010s, we have this increase in professionalization,” Lee said, adding that the gang behind CryptoLocker were “very successful in operating the crime.”

What’s next for ransomware?

As the ransomware industry evolves even further, experts are predicting hackers will only continue to find more and more ways of using the technology to exploit businesses and individuals.

By 2031, ransomware is predicted to cost victims a combined $265 billion annually, according to a report from Cybersecurity Ventures.

'Fully acceptable' now that you have to use AI in your cyber defense, Darktrace's Mike Beck says

watch now
VIDEO03:48
‘Fully acceptable’ now that you have to use AI in your cyberdefense: Darktrace

Some experts worry AI has lowered the barrier to entry for criminals looking to create and use ransomware. Generative AI tools like OpenAI’s ChatGPT allow everyday internet users to insert text-based queries and requests and get sophisticated, humanlike answers in response — and many programmers are even using it to help them write code.

Mike Beck, chief information security officer of Darktrace, told CNBC’s “Squawk Box Europe” there’s a “huge opportunity” for AI — both in arming the cybercriminals and improving productivity and operations within cybersecurity companies.

“We have to arm ourselves with the same tools that the bad guys are using,” Beck said. “The bad guys are going to be using the same tooling that is being used alongside all that kind of change today.”

But Lee doesn’t think AI poses as severe a ransomware risk as many would think.

“There’s a lot of hypothesis about AI being very good for social engineering,” Lee told CNBC. “However, when you look at the attacks that are out there and clearly working, it tends to be the simplest ones that are so successful.”

Targeting cloud systems

A serious threat to watch out for in future could be hackers targeting cloud systems, which enable businesses to store data and host websites and apps remotely from far-flung data centers.

“We haven’t seen an awful lot of ransomware hitting cloud systems, and I think that’s likely to be the future as it progresses,” Lee said.

We could eventually see ransomware attacks that encrypt cloud assets or withhold access to them by changing credentials or using identity-based attacks to deny users access, according to Lee.

Geopolitics is also expected to play a key role in the way ransomware evolves in the years to come.

“Over the last 10 years, the distinction between criminal ransomware and nation-state attacks is becoming increasingly blurred, and ransomware is becoming a geopolitical weapon that can be used as a tool of geopolitics to disrupt organizations in countries perceived as hostile,” Lee said.

“I think we’re probably going to see more of that,” he added. “It’s fascinating to see how the criminal world could be co-opted by a nation state to do its bidding.”

Another risk Lee sees gaining traction is autonomously distributed ransomware.

“There is still scope for there to be more ransomwares out there that spread autonomously — perhaps not hitting everything in their path but limiting themselves to a specific domain or a specific organization,” he told CNBC.

Lee also expects ransomware-as-a-service to expand rapidly.

“I think we will increasingly see the ransomware ecosystem becoming increasingly professionalized, moving almost exclusively towards that ransomware-as-a-service model,” he said.

But even as the ways criminals use ransomware are set to evolve, the actual makeup of the technology isn’t expected to change too drastically in the coming years.

“Outside of RaaS providers and those leveraging stolen or procured toolchains, credentials and system access have proven to be effective,” Jake King, security lead at internet search firm Elastic, told CNBC.

“Until further roadblocks appear for adversaries, we will likely continue to observe the same patterns.”

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights