Issue #30 | February, 2025
By Tenchi Security

Something for your eyes and ears

We are excited to announce that Alice in Supply Chains now has a podcast version hosted by Alexandre Sieira and Adrian Sanabria! It’s available on Apple Music, Spotify, Amazon Music, and YouTube, so make sure to give it a listen (or watch it on compatible platforms).

Through monthly episodes, the Alice in Supply Chains Podcast will provide interesting discussions and expert takeaways based on the latest news found in this very newsletter. You’ll get additional analysis from our hosts to stay informed and ahead on all things related to TPCRM.

As for this month’s newsletter, you’ll find the usual: updates on stories we covered in the past, incidents, security research, and surveys — all involving third-party cyber risk management.

Enjoy!


Chinese hackers broke into 400-plus treasury PCs, report says

Last month, we recommended checking out the media coverage about a breach into BeyondTrust’s network. As the company has the US Treasury as one of its clients, it soon became clear that the intruders had reached government networks after gaining a foothold inside BeyondTrust.

Bloomberg had access to an internal report suggesting the intruders broke into over 400 desktops and laptops belonging to the Treasury. Bloomberg’s report is paywalled, but from what we could access, the intruders’ behavior indicates that they were especially interested in files related to sanctions, international affairs, and intelligence:

Chinese state-sponsored hackers who breached the US Treasury Department got into more than 400 laptop and desktop computers, taking particular interest in the machines of staff and senior leaders focused on sanctions, international affairs and intelligence, according to an agency report reviewed by Bloomberg News.
The hackers accessed employee usernames and passwords, as well as more than 3,000 files on unclassified personal computers, the report said.

BeyondTrust updated its page about the incident to say that its investigation is complete as of January 17 after finding that 17 organizations were affected. Since this number is small relative to their customer base, this could be an indication that the attacks were targeted intelligence collection, and not financially motivated.

It makes sense that the attackers would be interested in information regarding sanctions. Sanctions are a recurring measure to curb hacker groups and have taken an important role in the trade conflicts between the US and China. A Chinese company and an individual believed to be linked to the Treasury hackers were already sanctioned in response to the incident.

At least some of the hacks into the US telecom companies, which are also believed to have been carried out by Chinese actors, are now “contained.” On the other hand, the language in Verizon’s incident page could be worrying from a privacy perspective, as it suggests that ISPs are collecting more data than most assume.

Some nuance is warranted. While many people have been criticizing the technology and platforms put in place for legal wiretaps and surveillance on the grounds that this kind of system gives more power to attackers, researchers have repeatedly found issues (here’s an example) of vulnerabilities and weaknesses in telecom infrastructure and protocols. Having misgivings about capabilities that can be used against us is valid, but we shouldn’t forget about the primary issues that allow intruders to access privileged systems in the first place.

Cybersecurity Dive has an update on the Rhode Island incident, which was one of the major stories in our previous newsletter. At least 709,000 people are believed to have been impacted, and the state began mailing notification letters to the victims.

Last month’s newsletter also mentioned that the Clop ransomware group was exploiting a vulnerability in software suites developed by Cleo for enterprise file transfers. While very similar to other mass hacks carried out by the group, some were skeptical. It’s still not clear what is going on, as several firms are disputing the breaches.

The Change Healthcare incident, now a year-old story, also got an update: parent company UnitedHealth confirmed that 190 million Americans were affected by the breach, which is about 55% of the entire population. Nevertheless, The HIPAA Journal notes that existing regulations could severely limit HIPAA-related fines to UnitedHealth, with the maximum penalty being possibly as low as $2 million.

Meanwhile, DJI, which is facing a possible ban in the US, released a firmware update for its drones that no longer prevents them from entering “no-fly zones.” Instead, the drone will send a warning to the user. The company listed a few reasons for doing this to avoid giving the impression it’s retaliating against the US government. We’ll have to wait and see if the US government agrees.

While we’re talking updates regarding bans, it’s worth noting that CNBC published a somewhat lengthy piece about TP-Link, which could also face a ban. Furthermore, as you might already know, the TikTok ban was delayed.

The last update is about MGM Resorts, which was hacked in 2023 by a ransomware group. The company agreed to pay US$45 million to the victims of both that breach and another one that happened in 2019. Additional perspectives are available from Cohen Milstein, the law firm representing MGM.


LinkedIn accused of using private messages to train AI

This section will cover some general news stories from last month, beginning with a lawsuit alleging that LinkedIn shared private messages with other companies to train AI models:

It alleges that in August last year, the world’s largest professional social networking website “quietly” introduced a privacy setting, automatically opting users in to a programme that allowed third parties to use their personal data to train AI.
It also accuses the Microsoft-owned company of concealing its actions a month later by changing its privacy policy to say user information could be disclosed for AI training purposes.

It has already been demonstrated that AI models can occasionally produce near-exact copies of the data used to train them (it’s among the arguments made by the New York Times against OpenAI), so this effectively means that users might be at risk of having their messages leaked — not only by any companies that supposedly received the data but also by the finalized AI model they were used to train. This is relevant for corporate TPCRM: most HR recruitment teams use LinkedIn to find candidates and to exchange messages and résumés with them, which often contain sensitive or personal data.

In other Microsoft news, the company announced a change to .NET install links after one of their vendors (a Content Delivery Network) went bankrupt.

The Lawfare Daily podcast discussed the tech supply chain and its relationship with national security in a recent episode with Peter Hyun, Acting Chief of the Enforcement Bureau at the Federal Communications Commission (FCC) until the end of the Biden administration.

The American Banker ran a story on third-party risk after Capital One’s five-day outage. Fortune offers additional coverage.

The last few links in this section have some opinions and commentary. Henry Scott-Green published a post on LinkedIn arguing that “SOC2 is a joke.” He points out that any company can get the certification with a week of work and it provides little protection to the actual data.

Kymberlee Price quipped that “cybersecurity for small and midsized companies is a myth” when mentioning her own talk on LinkedIn. She argues that the practice of gating security features behind enterprise pricing that SMBs can’t afford creates risks for the whole ecosystem and even impacts national security, an idea that also resonates with Wendy Nather’s concept of the security poverty line. Wendy, who spoke at the Tenchi Conference - Shaping the Future of Cyber Risk Management in 2024, delivered an insightful lecture on the security poverty line. During the conference, she also sat down for an engaging interview with Tenchi Insight’s host, Nycholas Szucko, where she expanded on her lecture.

Finally, two analysts from PA Consulting came up with the “Top CISO Focuses for Navigating Cybersecurity in 2025.” Third-party risk makes an appearance as a concern for “Operational Resilience.”


Outage at government contractor, leak at location data broker: incidents round-up

We begin our incidents section with the news about an outage at Conduent, a government IT contractor for many states in the US:

A recent outage affecting the government technology contractor Conduent was due to a cyberattack that compromised the company’s operating systems.
A Conduent spokesperson told Recorded Future News the company recently “experienced an operational disruption due to a third-party compromise” of one of their operating systems.

A little comment: calling a breach a “third-party compromise” can be quite ambiguous nowadays. In the past, this phrasing could simply mean that an unauthorized party accessed a system, but the sheer number of vendor incidents today makes this kind of description problematic. Does it mean that a third party was compromised? Speaking to TechCrunch, the company initially did not even confirm a system compromise. One way or another, Conduent is a government contractor, so this is still a third-party incident.

Early in January, 404 Media covered a threat that hackers could leak data from Gravy Analytics, a location data broker. Unacast, Gravy Analytics’ parent company, later told the Norwegian government that its data had been hacked. Forbes adds that the link might have created risks for gay people’s safety, as one of their customers is an app for the LGBTQ+ community. Alon Gal analyzed a sample of the data and published his findings — the data could have been collected by SDKs embedded in mobile apps and other sources. EFF released a report showing how private data ends up moving around thanks to bidding in online behavioral advertising, and Gravy Analytics is mentioned as well.

Another major incident involves PowerSchool, a school records software that supports more than 60 million students in the United States. Per TechCrunch, it’s believed that hackers stole all historical student and teacher data, and the company is trusting that the criminals deleted everything. Due to the scale of the incident, it made headlines in some mainstream publications, like USA Today. Additional coverage is available from K12TechPro and Bleeping Computer, and TechCrunch has a follow-up overview.

Sekoia published a technical report on a campaign that targeted developers to compromise 36 Chrome extensions. A shorter summary is available from BankInfoSecurity. The extensions, which collectively had some 2.6 million users, were modified by the attacker to steal credentials from at least a few services (ChatGPT and Facebook are mentioned in Sekoia’s report). It’s worth noting that this incident comes after Google restricted the functionality of extensions with Manifest V3 — supposedly for security reasons — but the hack used a malicious OAuth flow for an authorized application, thus bypassing the developer’s MFA.

Zagg, a phone accessories brand, is informing customers that their data was leaked due to a breach at BigCommerce, their e-commerce provider. Bleeping Computer, which reported this story, also reported in January that the personal data of guests staying at well-known hotels like Marriott, Hilton, and Hyatt were leaked due to a breach at Otelier, a hotel management platform.

Meanwhile, Bank of America revealed that a third-party software provider suffered a breach where someone gained unauthorized access to records belonging to 414 customers. Italian certificate authority InfoCert disclosed a similar incident after a breach at a supplier that managed customer registrations. Up to 5.5 million customers could be affected.

There are a couple of incidents involving critical infrastructure from the UK that warrant some attention. ISP TalkTalk is investigating a possible breach, while Nominet, a domain registry from the UK, disclosed an incident related to the Ivanti VPN hacks.

Rostelecom, a Russian telecom operator, is investigating a cyberattack on a contractor. Due to the current circumstances in the country, we might not get the full picture of what is going on. A data dump was published by a hacker group calling itself “Silent Crow,” the same group that leaked data belonging to Rosreestr, Russia’s real estate registry.

Ukrainian media also reported that the country’s Defense Ministry conducted a “significant cyberattack” against MegaFon, another Russian telecom operator. As a reminder, these are relevant to us here because many businesses and citizens rely on critical infrastructure operators and often don’t have many options to manage this risk today.

Lastly, insurance and employee benefits provider MetLife denied being a victim of the RansomHub group. IT services and consulting firm Atos also issued a denial after a hack was claimed by Space Bears.


Government news: change in administration in the US and incoming regulations around the world

We have a recurring section dedicated to government affairs and regulations without discussing politics, but that’s a bit difficult when the United States just went through a change in administration. Maybe you’re interested in hearing that an alleged former member of The Com might be inside the government now — we have covered incidents involving The Com in the past, after all. Still, those matters are not usually covered in this section, because we prefer to talk about decisions and not about the people making them.

Nevertheless, future policy remains uncertain for now, and most of the articles in mainstream outlets talk about people, either because they’re leaving or joining the government. For example, the FCC announced it would require carriers to secure networks in response to the recent telecom hacks:

Following recent reports involving an intrusion by foreign actors into U.S. communications networks, FCC Chairwoman Jessica Rosenworcel today announced the agency has taken action to safeguard the nation’s communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People’s Republic of China.

However, Rosenworcel left the FCC soon after this announcement. A similar CISA announcement about Strengthening America’s Resilience Against the PRC Cyber Threats has an “Archived Content” notice, while the Cyber Safety Review Board was dismantled, at least for the time being.

FBI director Christopher Wray also stepped down to be replaced and took the opportunity to give an interview with his opinions on the biggest threats to the US: China and their hacking operations against critical infrastructure. Not long after this interview was published, Ars Technica reported that the FBI sent a command to force the Chinese PlugX malware to delete itself from compromised machines.

Still, there are a few regulations we think we should pay attention to. The Department of Health and Human Services proposed new cybersecurity rules to address supply-chain hacks and AI. The Department is accepting comments on the proposal until March 7th.

The Department of Commerce’s Bureau of Industry and Security (“BIS”) is also accepting comments on proposed rules for securing the supply chain for commercial unmanned aircraft systems (“UAS” – or drones, basically). See more at the BIS website.

Meanwhile, the Federal Trade Commission took action against GoDaddy for “alleged lax data security” for its website hosting services. The FTC wants the company to “establish a comprehensive data security program.”

In the Senate, a bipartisan bill aims to address national security risks stemming from modems and routers. Aptly named the ROUTERS Act, the bill is noteworthy for covering consumer devices rather than being exclusive to the equipment used by major providers.

Finally, the Financial Industry Regulatory Authority (FINRA), the self-regulatory organization for brokerage firms and exchange markets in the United States, released its Annual Regulatory Oversight Report with a new chapter for third-party risk. Although FINRA already had an advisory on the subject, this addition to the report shows that the topic is gaining attention.

AROUND THE WORLD

  • Israel: A new cybersecurity standard certification for banking supply chains was introduced. As we often mention, point-in-time assessments are not always representative of a business’s real conditions. Standards can be used to foster more robust solutions and push businesses to achieve the same baseline security that is needed for further cooperation.
  • Thailand: The government is expected to require banks, telecom operators, and social media platforms to co-pay victims of online scams. The idea is to create incentives for these companies to provide more secure environments. This is an interesting economic incentive experiment, one to watch closely.
  • Europe: The European Commission released an action plan for the cybersecurity of hospitals and healthcare providers, with a section dedicated to supply chains (equipment, SaaS/IaaS, and cloud). Also, DORA is in effect as of January 17. If you need a refresher, there’s one here.


Researchers disclose ransomware tactic targeting Amazon cloud environments

A threat actor known as “Codefinger” is employing a new ransomware that targets Amazon cloud users. The concept, explained in a technical write-up from Halcyon, involves Amazon’s native server-side encryption. There’s no known method to recover the data — aside from a working backup, as usual:

Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects. By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation.
While SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware operators. Halcyon has identified two victims in recent weeks (neither were Halcyon customers at time of the attacks) who were impacted by this attack, underscoring its severity and the need for immediate action by organizations utilizing Amazon S3.

AWS published a blog post about “Preventing unintended encryption of Amazon S3 objects,” and press coverage is available from Forbes. An interesting discussion (including references to previous research) is available in an X thread started by vx-underground.
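As an added illustration of the defensive side of this story (not code from Halcyon, AWS, or this newsletter), the Python below builds the kind of bucket policy that denies object writes requesting SSE-C, checks whether an existing policy already does so, and scans CloudTrail S3 data events for objects that were written with SSE-C. The bucket name, access key ids and trail records are constructed, and the CloudTrail field names (additionalEventData.SSEApplied) are assumed to match the S3 data-event format.

```python
"""Defensive helpers for the S3 SSE-C ransomware pattern: a bucket policy that
refuses SSE-C writes, a policy checker, and a CloudTrail scan for SSE-C writes."""
# IAM condition key carrying the SSE-C algorithm header of an S3 request.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart"}  # all authorized as s3:PutObject


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying every object write that carries an SSE-C header, so
    stolen credentials cannot re-encrypt objects under a key only the attacker holds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECObjectWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null=false matches requests in which the condition key IS present.
            "Condition": {"Null": {SSEC_KEY: "false"}},
        }],
    }


def policy_blocks_ssec(policy: dict) -> bool:
    """True if the policy has a Deny covering s3:PutObject for every principal
    whenever an SSE-C header is present; objects already stored are unaffected."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Deny"
                and any(a in ("s3:PutObject", "s3:Put*", "s3:*", "*") for a in actions)
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and str(stmt.get("Condition", {}).get("Null", {})
                        .get(SSEC_KEY, "")).lower() == "false"):
            return True
    return False


def ssec_write_events(records: list[dict]) -> list[dict]:
    """Object writes S3 applied SSE-C to, from CloudTrail S3 data events. Assumption:
    the record layout and additionalEventData.SSEApplied follow CloudTrail's format."""
    hits = []
    for rec in records:
        if (rec.get("eventSource") != "s3.amazonaws.com"
                or rec.get("eventName") not in WRITE_EVENTS
                or rec.get("additionalEventData", {}).get("SSEApplied") != "SSE_C"):
            continue
        params = rec.get("requestParameters", {})
        hits.append({
            "time": rec.get("eventTime"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "access_key": rec.get("userIdentity", {}).get("accessKeyId"),
        })
    return hits


# Constructed sample trail: an SSE-C write (the ransomware pattern), a normal
# SSE-KMS write, and a read of an SSE-C object, which changes nothing at rest.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00002"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/jan.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:14:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]
```

The policy only stops future SSE-C writes; versioning with MFA delete and tested backups remain the recovery path for objects that were already re-encrypted.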

DeepSeek shaking the AI world is outside the scope of this newsletter, but the fact that Wiz researchers discovered an exposed database is very relevant to us. Many AI companies are startups, and because AI is meant to handle large datasets, often containing private information, such mistakes could be very problematic for businesses that decide to use their services. This only impacted DeepSeek’s own app and API, which also happen to be hosted in China. A better option would have been to download their open-weights model and run it on your own infrastructure, or to use the services of one of the Western large cloud providers that already did this for you.

ESET published an in-depth research piece on PlushDaemon, an APT group that compromised a Korean VPN provider back in May 2024. The article goes into great detail about the backdoor that was used in the campaign and how the installer was modified to include it.

Next, the team at Arctic Wolf wrote a post breaking down a campaign dubbed Console Chaos that targeted exposed management interfaces of FortiGate firewalls. This turned out to be related to a new vulnerability that was patched by Fortinet. Coverage is available from TechCrunch. Though it seems unrelated to this campaign, a hacking group dumped a dataset containing configurations for 15,000 FortiGate firewalls.

The last security research we have to share this month comes from Truffle Security, which found that malicious actors can buy domains from defunct companies and use OAuth to gain access to SaaS accounts. While this is a good reminder about the importance of managing data through its entire life cycle (including how it is discarded), it can be a tough problem for companies doing business with vendors that may no longer be around in the future – after all, there is no one to comply with data removal requests at a company that no longer exists.


Multiple surveys suggest over half of organizations struggle with third-party incidents

The World Economic Forum released the Global Cybersecurity Outlook 2025 with many interesting data points about the cybersecurity landscape. According to their survey, supply chain challenges are the biggest barriers for cyber resilience in most large organizations:

Of large organizations, 54% identified supply chain challenges as the biggest barrier to achieving cyber resilience. The increasing complexity of supply chains, coupled with a lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organizations. Key concerns include software vulnerabilities introduced by third parties and propagation of cyberattacks throughout the ecosystem.

The report is 49 pages long and has a lot of information, so it’s worth a look.

Also worth a look is a report released by the French data protection agency. It’s only available in French, so you might want to use a translation service — or you can check out some comments made by Alexandre Sieira, our CTO. The gist is that a few recurring flaws, often at third parties, are to blame for many breaches.

Check Point also released its yearly report, titled State of Global Cyber Security 2025. The company identified a 179% increase in weekly cyberattacks against the hardware and semiconductor industries and a 109% increase in attacks targeting the software industry. Many of these companies are part of the technology supply chain, so this is further evidence that attacks against third parties are on the rise. A news article covering the report is available from Digit.

Insurance Business published an article about the 2025 ORX Horizon and Cyber Horizon reports, which found that global financial services firms list cybercrime as their top risk (for the fourth consecutive year). Third-party compromise was mentioned as an “emerging” risk, with 92% of firms ranking it among their top five concerns for the next 12 months.

Lastly, an article titled “Third-Party Vendors Are the Supply Chain’s Ignored Vulnerability” at HackerNoon shares that 52% of organizations encountered at least one incident originating at a third-party vendor, according to a survey carried out by Hexnode.

We have two more bonus links as a reward for those who followed us to the end. The newsletter will be back next month, but remember to check our podcast if you’re interested in more commentary in the meantime. See you soon!


Cybersecurity Disclosure Overview: A Survey of Form 10-K Cybersecurity Disclosures by S&P 100 Companies

We mentioned a survey of SEC filings last month, but the Harvard Law School Forum on Corporate Governance released a paper on the subject as well. They go into a bit more detail about how companies deal with specific requirements. One of the many findings:

The substantial majority of companies note the implementation of an incident response plan or procedures (87%), and nearly all companies (96%) describe the use of audits, drills, and/or tabletop exercises to test incident preparedness and the company’s incident response processes.

MasterCard DNS Error Went Unnoticed for Years

A security researcher found and reported a DNS error at Mastercard, but the company did not approve of a LinkedIn post that made the issue public. It appears we are still struggling with disclosure disagreements.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].
