Issue #29 | January, 2025
By Tenchi Security

Welcome, 2025

With updates on the U.S. telecom hacks, government espionage accusations, and product bans, Alice in Supply Chains is starting 2025 in high gear.

It’s a fact that the turn of the year is something of a symbolic event — life is a continuous flow, after all. Still, we must take any opportunity we can to reflect on what we are doing and ask if and how we should refocus our efforts to improve.

Many businesses are finalizing their plans for the year, but perhaps there’s still some wiggle room for last-minute adjustments — considering the scenarios and the advice we’re sharing with you could be the best approach.

As usual, there’s a round-up of cybersecurity incidents involving third parties and critical service providers, as well as sections for surveys and government policy. The fifth section is a mix of opinion and cybersecurity research, with an interesting headline that asks whether we should focus on traditional “APTs” when cybercrime is already very much an advanced threat.

We hope you enjoy!


Telecom hack and other updates: ‘Chinese hackers are deep inside America’s telecoms networks’

The US telecom hack garnered widespread interest, as is evident from the many headlines published by several media outlets. The Economist’s take is paywalled, but it has an excellent summary in the very first paragraph:

News of the hack began trickling out in September, but the American government waited weeks to confirm the reports. Only this month did it begin briefing members of Congress and the media. Officials say a Chinese hacking group dubbed Salt Typhoon compromised at least eight of America’s telecoms networks. The intruders stole the call-record metadata of a “large number” of Americans. They gained access to the wiretap requests of security agencies—meaning they could work out if any Chinese spies or agents were under American surveillance.

A follow-up from The Recorded Future clears up some of the information concerning the impact on the law enforcement wiretap system (Communications Assistance for Law Enforcement Act — CALEA), stating that it was only “one of several targets,” since the companies were breached through different vectors. Considering that Proofpoint recently revealed that threat actors targeted ISPs with a spear phishing campaign that used a document about BGP flapping as a decoy, it’s unwise to focus on CALEA as the only path to snooping on user communications.

CSO Online focused on Salt Typhoon, the threat actor believed to be behind the hacks, calling the group a “serious supply chain risk to most organizations.” Forbes has a different angle on how the hack might have affected political campaigns, revealing that Apple denied help to Harris’s campaign staff. Specifically, they wanted to extract a system image — a necessary step to preserve evidence before restoring a device and a common practice in digital forensics.

While encryption is often a complication for extracting system images, it seems to be the best option for secure communications. Security agencies from the Five Eyes countries released a joint advisory urging citizens and businesses to use encryption (the advisory is available as a PDF and on CISA’s website).

It’s worth noting that many people throughout the world already use encrypted apps like WhatsApp and Signal, but some services may default to relying on SMS to deliver messages when the recipient does not have an account. The advisory, however, goes into best practices regarding VPN encryption and disabling less secure network protocols.

Now, on to updates regarding other stories. Snowflake, which was at the core of a mass incident that hit several companies and didn’t have a policy to enforce MFA until 2024, announced it will block single-factor password authentications entirely by November 2025. While it’s unfortunate that this step was not taken more proactively, it is nonetheless a good example of a vendor setting decent security requirements based on a deeper understanding of the risks (an understanding that, in this case, had to come from their customers’ data being stolen).

The Termite ransomware gang has claimed responsibility for the Blue Yonder incident we reported last month. The company hasn’t been very transparent, to say the least. Termite’s download site hosts almost 700 GB of data linked to Blue Yonder.

TechRadar has a small update on the LastPass hack from 2022 — the hacker is still using the stolen credentials to breach accounts. While most of the known violations are related to cryptocurrency services, this might be just because those breaches are easier to track due to how blockchains work.

Nebraska Attorney General Mike Hilgers filed a lawsuit against Change Healthcare over their February 2024 ransomware incident. It’s possible that other states will join him now that some of the legwork is done, but we’ll have to wait and see.

Lastly, the U.S. Cyber Trust Mark program was officially launched soon after UL was named “lead administrator” for the program. The Cyber Trust Mark is administered by the Federal Communications Commission (FCC) and aims to inform consumers about the security of connected devices such as home cameras and baby monitors. Some manufacturers will be unable to obtain the trust mark, so it will also function as a “soft ban” on products that the government isn’t willing to remove from the market.


BeyondTrust incident hits US Treasury: breaches round-up

An attacker gained access to an API key for BeyondTrust Remote Support, allowing them to reset passwords.

The cybersecurity vendor initially detected anomalous activity on one customer instance of Remote Support SaaS on Dec. 2, according to the updated blog. Three days later, the company determined multiple customers were impacted, suspended those instances and revoked the compromised API key.

BeyondTrust says a “limited number” of customers were impacted, but the incident garnered mainstream media attention after the US Treasury came forward as one of the victims. The Treasury also blamed Chinese hackers for the campaign, which could indicate the Treasury and a few others were the targets all along — and BeyondTrust turned out to be the shortest path. However, CISA stated that the Treasury was the only federal agency hit by the attack, so it is unclear if the attackers had other targets in mind.

The Clop ransomware gang has claimed responsibility for another mass data theft campaign using a zero-day vulnerability in a business file transfer application. The group targeted software developed by Cleo (Harmony, VLTrader, and LexiCom). As noted by Bleeping Computer, Clop was behind the hacks involving Accellion (recently rebranded Kiteworks) FTA, SolarWinds Serv-U, GoAnywhere MFT, and MOVEit Transfer. While The Register initially noted that researchers were questioning if Clop was really behind this latest campaign, the group is already extorting over 60 victims.

Cybernews found an open cloud storage bucket containing data generated by WotNot, a customized AI chatbot builder. As expected, some of the data belonged to their customers and their users’ interactions with the custom bots, and Cybernews reported finding passports, medical records, and other documents in the dataset. WotNot said the bucket was storing data linked to their free tier, which would imply no major customers were affected, but there does not appear to be a list of victims. According to the published timeline, the company took two months to close the bucket after being notified.

Care1, a Canadian AI company, also left a database containing almost 5 million medical records exposed. Care1 offers software that aims to help optometrists, so the exposure indirectly leaked data belonging to those optometrists’ patients. Also in Canada, a province reported that a third-party provider responsible for collecting overdue fines has been hit by a cyberattack, but no impacts were disclosed.

Healthcare services provider Citadel of Northbrook filed a notice of data breach with the Attorney General of New Hampshire over an incident at one of its vendors, PointClickCare. The unusual activity was discovered by the vendor in July, but the incident was only disclosed in late November.

ENGlobal, a provider of engineering and professional services to the energy sector, disclosed a ransomware attack. We couldn’t find any reports of their clients being affected, but the company noted that “only essential business operations” remained available.

Another company in the energy sector, Duke Energy Florida, is just now notifying customers about a months-old data leak.

Signzy, an online ID verification firm from India that offers “know your customer” (KYC) services, was hit by a cyberattack, according to TechCrunch. The company provides services to over 600 financial institutions worldwide, but it’s not yet known if any customer data was stolen.

Finally, Bitcoin ATM operator Byte Federal disclosed a data breach that compromised the personal information of 58,000 customers. The company was hit by a known vulnerability in GitLab (Byte Federal used a self-hosted environment) and is not offering identity theft or credit monitoring services to the victims.


Incident in Rhode Island linked to breach downplayed by Deloitte

This case is a bit interesting. RIBridges, a system used in Rhode Island to manage public assistance programs, suffered a ransomware attack by Brain Cipher:

Rhode Island is warning that its RIBridges system, managed by Deloitte, suffered a data breach exposing residents’ personal information after the Brain Cipher ransomware gang hacked its systems. […]
The incident was discovered on December 5, 2024, and following an evaluation by Deloitte, it is considered very likely that hackers stole files containing personally identifiable information and other data.

In response, the government opened a toll-free hotline to provide information to citizens. Governor Dan McKee urged potential victims to take precautions, such as enabling multi-factor authentication and signing up for monitoring services. Authorities were expecting the stolen data to be released online following the ransomware extortion threats. The government’s website has an advisory about the incident.

The data is believed to contain sensitive information, but the government has yet to determine the full list of victims.

As you just read in the excerpt above, RIBridges is managed by a vendor — Deloitte. Local media reports (such as the one linked above) noted the absence of Deloitte staff from the state government’s press briefings, but the story gets even stranger. The incident first came to light after Brain Cipher put the stolen data on their leak site, but Deloitte denied the hack, stating “only one customer was affected.”

This single customer was Rhode Island, but it would take a week for that to become clear. Their denial to Cyber Security News is dated December 7, but Rhode Island says they were only notified of the hack on December 13. Were they so slow to notify their “single client” after learning about the breach?

This raises a few other questions. Should vendors deny incidents when only one customer was affected by a breach? Is denial even the right approach if it’s not strictly “your” data that has been impacted? Do you want your vendors to deny a breach when your data is at stake?

Deloitte might have tried to quell any fears about customer data being at risk, but we are not sure if that’s the right approach.


US government to ban China Telecom and TP-Link, China accuses US of hacking

U.S. authorities are considering a ban on the sale of TP-Link internet routers, according to a paywalled Wall Street Journal report, but alternative coverage is available from CBS. It appears the government has two issues with the brand — whether the products are secure, and whether they are too cheap.

The U.S. is considering banning the sale of TP-Link internet routers, which are made in China, over concerns the home devices pose a security risk, the Wall Street Journal reported.
Authorities may ban the popular routers, which were linked to Chinese cyberattacks, as early as next year when President-elect Donald Trump takes office, according to the report. […]
The Justice Department is investigating whether the routers’ relatively low price violates a law stipulating that companies can’t sell goods for less than the cost of production, the WSJ reported, citing a person familiar with the matter.

Analysis from Adrian Sanabria, with additional perspective on the cybersecurity standpoint, is available on LinkedIn. Still, the move seems to be motivated by the recent telecom hacks, as the government also sent a letter to China Telecom, giving them a month to respond to concerns regarding its access to data traffic in the United States. China has responded by accusing the United States of hacking and stealing tech secrets.

The political takeaway appears to be that the U.S. stance on China is not going to change much with the next administration.

On that note, Breaking Defense reports that the Pentagon’s Cybersecurity Maturity Model Certification Program (CMMC) is likewise safe from the promised deregulation efforts. The CMMC requires a certain base security level for vendors to the Pentagon that is subject to an external audit.

The Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective report (PDF), warning that operational risk is rising due to technological advancements and an expanded cyberattack surface from third parties. The OCC recently issued a cease-and-desist order against USAA Federal Savings Bank over several “deficiencies,” with the order’s Article IX being dedicated to third-party oversight and risk management in shared services.

The Commodity Futures Trading Commission showed similar concern regarding third-party service providers in a recent public meeting, adopting a recommendation that should see system safeguards for DCOs (derivatives clearing organizations) extended to service providers.

The New York State Attorney General secured $550,000 from HealthAlliance due to a data leak that impacted 240,000 patients in the state. The OAG found that the company “did not address a weakness in its system that was raised by one of its vendors.”

In the United Kingdom, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are requesting comments on a new regulation that aims to “create a structured framework for financial services firms to report operational incidents and material third-party relationships.” For those who wish to read it or submit comments, Consultation Paper 17/24 is available on the Bank of England’s website.

We’re ending this section with the story on how Zoom is seeking to settle a Securities and Exchange Commission (SEC) privacy probe by agreeing to pay an $18 million fine. As Mashable notes, the company already settled a class-action lawsuit for $85 million and agreed to implement a comprehensive security program to settle with the FTC for making misleading claims about its encryption.


‘Why biasing advanced persistent threats over cybercrime is a security risk’

The term Advanced Persistent Threat (APT) was coined to differentiate run-of-the-mill cybercrime activity from state actors motivated to attack specific targets with cutting-edge tactics and ingenuity, but Selena Larson from Proofpoint argues that seeing cybercrime as rudimentary or less deserving of attention creates risks for businesses:

It’s time to rethink what the cybersecurity industry considers ‘advanced persistent threats’ (APTs). The word ‘advanced’ says it all: these government-backed hackers are considered better, more important, more worthy of money and attention. But if this was ever true, it’s not true anymore. […]
The reality is that most organisations are at a far greater risk of being targeted by cybercriminals than state intelligence agencies.

It’s not just about how cybercrime activity far exceeds the comparatively small number of incidents caused by state actors, either. The article details how cybercrime tactics have evolved over time, incorporating targeted social engineering and technical approaches that were once exclusive to traditional APT groups.

Despite the potential impact and sophistication of cybercrime being much higher now, Larson argues that the cyber threat intelligence industry potentially has a bias towards APT espionage because many professionals in this space come from a national security background. Due to this, defenders have been missing opportunities to disrupt many of the most immediate threats to businesses worldwide.

For third-party cyber risk management programs, understanding what we need our partners to be prepared for is extremely valuable. If their cybersecurity efforts are biased towards less plausible threats, or threats that are completely different from those you have identified as a priority, this mismatch can leave exploitable gaps.

Kami Vaniea, an associate professor of computer engineering at the University of Waterloo, warns that more frequent — and disruptive — tech outages are on the way, thanks to the rising complexity of cyber supply chains.

While we keep these thoughts in mind, we have some research on vulnerabilities and attacks to share. Check Point explains how cybercriminals use Google Calendar to bypass email security policies — essentially, they use Calendar’s feature to share a calendar and have Google forward their malicious content on their behalf. Brian Krebs has the story of how a firefighter lost $500,000 in cryptocurrency due to a similarly fake email sent using Google Forms.

The Hacker News has the story about how a cybersecurity company found a backdoor in Web3.js, a popular npm library for interacting with Solana, a blockchain platform. The code is believed to have been injected into the package after attackers employed spear phishing to steal credentials from a developer. MFA did not prevent this attack.

Finally, two new issues were found in Azure. Palo Alto researchers detailed “Dirty DAG,” a vulnerability in the Data Factory Apache Airflow integration, while Datadog shows how to read secrets with Azure Key Vault access policies, thanks to a privilege escalation scenario that Microsoft addressed by updating its documentation. Microsoft classified Dirty DAG as low severity, and did not think Datadog’s findings constituted a vulnerability at all — we shall see if anyone loses their bonuses over these decisions.


76% of cyberattacks in the mining sector linked to supplier access

A survey published by Claroty found that 76% of cyberattacks in the mining sector are linked to access credentials granted to third-party suppliers:

Growing challenges cybersecurity leaders in the mining and materials sector faced in 2024 were particularly in safeguarding cyber-physical systems (CPS) such as operational technology (OT), IoT, and building management systems (BMS). […]
On the origins of these cyberattacks, 76% of respondents identified third-party supplier access to the CPS environment as a source, with 41% reporting five or more attacks originating from such access.

An article at the Loadstar, a website that focuses on the traditional meaning of “supply chain” (i.e., logistics), cites many data sources to reach the conclusion that fear of cyber attack outweighs investment in security along the supply chain — meaning that companies in this sector, which provide services to many businesses across the globe, are not investing as much in their cybersecurity, despite knowing about the risks. As usual, the solution might have to come from those who hire their services and enforce policies for third-party risk.

To help with that, Liminal released a Market and Buyer’s Guide for Third-Party Risk Management. Among other things, it notes that automation for TPRM is on the rise and is now viewed as essential by 82% of organizations. Meanwhile, traditional risk management practices are failing, with 69% of respondents reporting misleading responses on questionnaires.

BreachRx decided to sift through the SEC database related to incident reporting and found that the Commission received 71 filings in the first 11 months of the new rule being in effect. CEO Andy Lunsford told Cybersecurity Dive that many of the filings have boilerplate language and do not provide much useful information. The 154 filings regarding cyber risk management and governance also used “nearly identical and generic terms.”

SailPoint published a report stating that 46% of financial institutions had a data breach in the past 24 months. This is relevant to us for a few reasons: every business needs to work with financial institutions, and many financial institutions are struggling to integrate their environments with fintech startups and other providers. According to the report, third-party access and identities are a significant concern.

The Electronic Frontier Foundation (EFF) published a blog post listing “the worst, weirdest, most impactful data breaches” of 2024. Many of their highlights involve third-party issues or misuse of third-party technologies, including their top pick — Snowflake.

Last but not least, we’d like to point you to our blog post where we added up the numbers linked to breaches involving third parties in 2024. We found that 1.36 billion individuals were affected by these breaches (although it’s almost certain that some people were impacted by more than one breach and are therefore counted more than once). It’s still a large number, and it shows we need to do better when it comes to managing third-party risk.

There’s still one bonus link for those of you who made it this far, but this is where we end our first edition of 2025. We wish you a great year, and hope to see you again next month!



AWS launches an incident response service to combat cybersecurity threats

Hart Rossman, VP of global services security at AWS, told TechCrunch that the new service is designed to help security teams combat account takeovers, breaches, ransomware attacks, and other corporate intrusions along these lines.
