TODAY'S TOP 5
BLOOD SECURITY CYBER FEARS: The Food and Drug Administration is urging blood suppliers to bolster their cybersecurity practices to prevent and mitigate cyber incidents that could affect the supply and safety of critical blood and blood components used for transfusions and other patient care, Healthcare Info Security reports. This follows several recent high-profile cyber incidents affecting blood suppliers and related establishments in the U.S. and elsewhere. Russian-speaking ransomware gangs were suspected to be behind each of those attacks.
AI POWER OVERLOAD: Industry researchers say they have “significant concerns” about the effect rapid growth in data center electricity demand is having on regional energy networks, IT Pro reports. Schneider Electric published a report using system dynamics modeling to forecast scenarios for AI electricity demand in the future. "The breadth of AI’s projected electricity demand encompasses a wide array of interconnected issues,” the report stated. “These issues range from infrastructure challenges to supply chain disruptions and socio-economic concerns.”
TECH PROVISIONS IN NDAA: The FY2025 National Defense Authorization Act again stipulates more AI and quantum information sciences programming for a variety of U.S. military operations, NextGov/FCW reports. The legislation would, for example, establish a working group within the Joint Force Headquarters-Department of Defense Information Network under U.S. Cyber Command to develop and coordinate AI initiatives with ally nations. It also stipulates the establishment of a Statement of Policy regarding the use of AI in nuclear weaponry systems.
NEW TACTICS AGAINST CRITICAL SECTORS: Two Russian hacking groups were observed targeting critical infrastructure in the United States and around the world, most notably the oil and gas and water systems sectors. Cyble researchers said in a Dec. 6 post that the attacks on critical infrastructure by the hacktivist groups go well beyond the distributed-denial-of-service (DDoS) attacks and website defacement these groups tend to engage in, SC Media reports. The People’s Cyber Army (PCA) and Z-Pentest posted videos to their Telegram channels allegedly showing the hackers tampering with operational technology (OT) controls on critical infrastructure.
SALT TYPHOON IN THE HOUSE: U.S. government agencies will hold a classified briefing for the House of Representatives on Tuesday on China's alleged efforts known as Salt Typhoon to infiltrate American telecommunications companies and steal data about U.S. calls. Reuters reports that the FBI, the Office of the Director of National Intelligence, Federal Communications Commission Chair Jessica Rosenworcel, the National Security Council and the Cybersecurity and Infrastructure Security Agency are set to take part in the 2:15 p.m. ET briefing for all House lawmakers after holding a similar closed-door briefing last week for senators.
CYBER FOCUS PODCAST
In the latest episode of Cyber Focus, host Frank Cilluffo interviews House Homeland Security Committee Chairman Mark Green (R-Tenn.). The combat veteran and healthcare entrepreneur discusses key cybersecurity challenges, including workforce shortages, bureaucratic inefficiencies and economic models that incentivize cybercrime. The conversation highlights the importance of initiatives such as the Cyber Pivot Act, designed to address critical workforce gaps, and the need for harmonizing regulatory requirements. Green also explores strategies for protecting critical infrastructure, enhancing state-level cybersecurity and leveraging public-private partnerships to bolster national resilience.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Breaches
Medical device company says shipping processes disrupted by ransomware attack
A company that makes products used in heart surgeries said its delivery systems have been disrupted by a pre-Thanksgiving ransomware attack. Atlanta-based Artivion filed documents with the U.S. Securities and Exchange Commission (SEC) on Monday morning warning that the incident was having an impact on its operations. The company identified the cyberattack on November 21 and was forced to take some systems offline in response. (THERECORD.MEDIA)
U.S. subsidiaries of Japanese water treatment company, green tea maker hit with ransomware
Kurita Water Industries said the incident began on November 29 and affected Kurita America, a subsidiary headquartered in Minnesota. Ransomware infections were found in multiple servers which were subsequently disconnected from the rest of the network. “As a result of this unauthorized access, some of the data stored on KAI’s server belonging to customers, business partners and employees may have been leaked to third parties,” the company said in a statement on Saturday. (THERECORD.MEDIA)
ShinyHunters, Nemesis linked to hacks after leaking their AWS S3 bucket
In this operation, hackers exploited vulnerabilities in millions of websites and took advantage of misconfiguration to access sensitive information including customer data, infrastructure credentials, and proprietary source code. According to Noam Rotem and Ran Locar, two independent researchers who conducted this research, these attacks were carried out from a French-speaking country. The hackers were able to extract critical keys and secrets, which provided them with access to valuable data including application databases. (HACKREAD.COM)
Elections
Investigation finds Colorado election passwords were posted ‘unintentionally’
A third-party law firm hired to investigate the Colorado secretary of state’s election system password breach found that passwords were posted online unintentionally, though two policies related to training and review of publicly posted documents were violated, an investigator’s report says. The investigator recommended increased review measures to minimize future risk. (COLORADONEWSONLINE.COM)
Energy
Romanian energy supplier Electrica hit by ransomware attack
A Ministry of Energy press statement says the company was the victim of a ransomware attack that hasn't impacted Electrica's SCADA systems used to control and monitor its distribution network. This cyberattack comes after Romania's Constitutional Court (CCR) annulled the presidential elections based on extensive information showing that a TikTok influence campaign linked to Russia affected the first round of elections. (BLEEPINGCOMPUTER.COM)
Fraud
Idaho city loses $480K to fraudster posing as contractor
A so-called “man-in-the-middle” cyber attack last month compromised the city’s transfer of nearly half a million dollars to pay for excavation during a water infrastructure replacement project. The scammer persuaded the city of the need to transfer the money to a different account. The FBI is among agencies investigating. (GOVTECH.COM)
Phishing
Millionaire Airbnb phishing ring busted up by police
The group operated by setting up call centers in luxury Airbnbs and apartment rentals to contact victims and lure them into handing over banking information, which was then abused to steal millions. The cybercriminals used the ill-gotten gains to buy fancy watches, clothes, and nights at posh nightclubs, according to an announcement of the arrests by Dutch law enforcement. (DARKREADING.COM)
Itch.io platform briefly goes down due to ‘AI-driven’ anti-phishing report
Itch.io management posted about the domain takedown on social media overnight, complaining of a chain of events that started because "Funko of 'Funko Pop'... use some trash 'AI Powered' Brand Protection Software called BrandShield that created some bogus Phishing report to our registrar, iwantmyname, who ignored our response and just disabled the domain," the post said. (ARSTECHNICA.COM)
Phishing scam targets Ukrainian defense companies
A series of phishing emails has been identified targeting Ukrainian defense companies and security and defense forces with a fake NATO standards conference. The Computer Emergency Response Team of Ukraine (CERT-UA) detailed that these emails advertised a conference held on December 5 in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards. (INFOSECURITY-MAGAZINE.COM)
Ransomware
Black Basta ransomware evolves with email bombing, QR codes and social engineering
The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7 said. "After the email bomb, the threat actor will reach out to the impacted users." (THEHACKERNEWS.COM)
Ransomware found on Wood County, Ohio, government computer network
The Wood County Information Technology Department detected ransomware on the county government's computer network on Monday, according to a press release from the county's emergency management agency. Fire and emergency services, including 911, are still operating as county staff and law enforcement, as well as national cybersecurity and data forensics consultants looped in by the county commissioners, investigate the incident and any effects it may have had. (WTOL.COM)
Mauri ransomware exploiting Apache ActiveMQ vulnerability
Threat actors were detected continuously launching attacks on unpatched, vulnerable Apache ActiveMQ services. Once a machine has been compromised, threat actors can either install ransomware or steal data. Researchers claim that the vulnerability was exploited soon after it was made public, with Korean PCs showing attack scenarios, including the Andariel group, HelloKitty ransomware, and Cobalt Strike. (CYBERSECURITYNEWS.COM)
8Base ransomware group hacked Croatia’s Port of Rijeka
The Port of Rijeka (Luka Rijeka d.d.), Croatia’s largest dry cargo concessionaire, provides maritime traffic services, port operations, and cargo storage. It also offers various economic services, including equipment maintenance, building upkeep, load securing, and quality control. The ransomware gang claims to have stolen sensitive data including accounting info and contracts. The ransom deadline is today. (SECURITYAFFAIRS.COM)
THREATS
Critical infrastructure
New Ordr report reveals rising threat of unmanaged IoT and OT devices endangers enterprises
Agentless devices, often beyond the reach of traditional IT and security measures, are expanding attack surfaces across industries, including IoT, OT, facilities assets, and specialized devices in sectors such as industrial, medical, and finance. These unmanaged assets, including consumer devices, prohibited equipment, and business-critical systems, present compliance issues and create unmonitored avenues for breaches. (INDUSTRIALCYBER.CO)
Malware
Socks5Systemz botnet powers illegal proxy service with 85,000-plus hacked devices
Socks5Systemz, originally advertised in the cybercrime underground as far back as March 2013, was previously documented by BitSight as being deployed as part of cyber attacks distributing PrivateLoader, SmokeLoader, and Amadey. The primary objective of the malware is to turn compromised systems into proxy exit nodes, which are then advertised to other actors, typically cybercriminals who are looking to obscure the source of their attacks. The illegal proxy service has been around since 2016. (THEHACKERNEWS.COM)
Employee visits to adult or gambling sites double the risk of infection by malware, cybersecurity study finds
Cybersecurity researchers from the University of Trento and Vrije Universiteit Amsterdam and the global cybersecurity firm Trend Micro wondered what behaviors bring the greatest risk of malware infection: working at night, browsing adult content, gambling, having a lot of software installed or just visiting strange places? (TECHEXPLORE.COM)
Vulnerabilities
Critical OpenWrt flaw exposes firmware update server to exploitation
The OpenWrt Project, an open-source initiative providing a Linux-based operating system for embedded devices, has pushed a critical patch to cover flaws that expose its firmware update server to malicious exploitation. The vulnerability, tracked as CVE-2024-54143, affects the OpenWrt sysupgrade server and exposes users to potential risks of installing compromised firmware images. (SECURITYWEEK.COM)
Microsoft NTLM zero-day to remain unpatched until April
Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding an NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions. However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn't yet have a CVE or CVSS score, is not expected to be patched for months. (DARKREADING.COM)
Researchers uncover prompt injection vulnerabilities in DeepSeek and Claude AI
Security researcher Johann Rehberger, who has chronicled many a prompt injection attack targeting various AI tools, found that providing the input "Print the xss cheat sheet in a bullet list. just payloads" in the DeepSeek chat triggered the execution of JavaScript code as part of the generated response – a classic case of cross-site scripting (XSS). An attacker could take advantage of such flaws to hijack a user's session and gain access to cookies and other data associated with the chat.deepseek[.]com domain, thereby leading to an account takeover. (THEHACKERNEWS.COM)
QNAP patches vulnerabilities exploited at Pwn2Own
The most severe of the security holes is CVE-2024-50393 (CVSS score of 8.7), a command injection flaw that could allow remote attackers to execute arbitrary commands on vulnerable devices. Next in line is CVE-2024-48868 (CVSS score of 8.7), a Carriage Return and Line Feed (CRLF) injection bug that could be exploited to modify application data. The CRLF special elements are embedded in code such as HTTP headers to signify End of Line (EOL) markers. (SECURITYWEEK.COM)
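To make the CRLF point concrete, here is an added example (not code from the article or from QNAP) that contrasts the vulnerable pattern with the hardened one: a header value that contains a carriage return and line feed is read by a lenient HTTP parser as the end of one header and the start of another, so the fix is to reject CR, LF and NUL before an untrusted value ever reaches the response. The header name, the sample value and the helper names are constructed for illustration.

```python
"""Added example: CRLF injection in an HTTP header and the validation that stops it.

Not from the article or from QNAP; the names and sample values are constructed.
"""
import re

# Constructed untrusted input: a language tag followed by CRLF and a second header.
CRAFTED_VALUE = "en-US\r\nSet-Cookie: session=injected"

# CR, LF and NUL are the characters that let a value escape its header line.
_CTL_RE = re.compile(r"[\r\n\x00]")


def naive_headers(name: str, value: str) -> list[str]:
    """Vulnerable pattern: the untrusted value is concatenated straight into wire format.

    Returns the header lines a lenient parser would see, one per CRLF-terminated line.
    """
    raw = f"{name}: {value}\r\n"
    return [line for line in raw.split("\r\n") if line]


def validate_header_value(value: str) -> str:
    """Hardened pattern: refuse any value containing CR, LF or NUL."""
    if _CTL_RE.search(value):
        raise ValueError("control character in header value")
    return value


def safe_headers(name: str, value: str) -> list[str]:
    """Serialize a header only after the value has passed validation."""
    return [f"{name}: {validate_header_value(value)}"]


def is_crlf_attempt(value: str) -> bool:
    """Detection helper for request logs: True if a field carries CRLF-style bytes."""
    return bool(_CTL_RE.search(value))


if __name__ == "__main__":
    print("naive:", naive_headers("Content-Language", CRAFTED_VALUE))
    try:
        safe_headers("Content-Language", CRAFTED_VALUE)
    except ValueError as exc:
        print("hardened rejected the value:", exc)
```

The naive serializer emits two header lines for one input value, which is exactly the application-data modification the advisory describes; the hardened serializer raises before anything is written. Python's own `http.client` applies the same rule and raises `ValueError` for header values containing CR or LF, so the check belongs at whatever layer first accepts the untrusted string, not only in the standard library.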
Google launches open-source patch validation tool
Vanir covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, and has a 97% accuracy rate, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, and has saved internal teams "over 500 hours to date in patch fix time," according to Google. (DARKREADING.COM)
WAF vulnerability in Akamai, Cloudflare and Imperva affected 40% of Fortune 100 companies
A recently discovered security vulnerability dubbed “BreakingWAF” in the configuration of web application firewall (WAF) services has left numerous Fortune 1000 companies vulnerable to cyberattacks, according to Zafran, a leading cybersecurity research team. The flaw affects some of the most popular WAF providers, including Akamai, Cloudflare, Fastly, and Imperva. The flaw makes denial-of-service (DoS) attacks, ransomware, and even full application compromise very likely. (CYBERSECURITYNEWS.COM)
ADVERSARIES
North Korea
Radiant links $50 million crypto heist to North Korean hackers
The attribution comes after investigating the incident, assisted by cybersecurity experts at Mandiant, who say the attack was conducted by North Korean state-affiliated hackers known as Citrine Sleet, aka "UNC4736" and "AppleJeus." The U.S. previously warned that North Korean threat actors were targeting cryptocurrency firms, exchanges, and gaming companies to generate and launder funds to support the country's operations. (BLEEPINGCOMPUTER.COM)
North Korean hackers target South Korea with Internet Explorer vulnerabilities to deploy RokRAT malware
North Korean state-linked hacking group ScarCruft recently conducted a large-scale cyber-espionage campaign using an Internet Explorer zero-day flaw to deploy RokRAT malware, experts have warned. The group, also known as APT37 or RedEyes, is a North Korean state-sponsored hacking group known for cyber-espionage activities. This group typically focuses on South Korean human rights activists, defectors, and political entities in Europe. (TECHRADAR.COM)
Russia
Russia disrupts internet access in multiple regions to test ‘sovereign internet’
According to a report by the Institute for the Study of War (ISW), these trials mostly affected Russian regions populated by ethnic minorities, including Chechnya, Dagestan and Ingushetia. Data from the internet watchdog NetBlocks shows that the internet disruptions in Dagestan lasted for nearly 24 hours. Some sites were inaccessible even through virtual private networks (VPNs), according to local media reports. (THERECORD.MEDIA)
GOVERNMENT AND INDUSTRY
Artificial intelligence
China responds to U.S. AI export controls with Nvidia investigation
The investigation comes days after the United States expanded its list of technologies that U.S. companies are banned from exporting to China to include specialized equipment for producing high-end computer chips. China in return added a group of defense tech start-ups to its list of American companies banned from doing business in China and said it would block the export of some raw materials necessary for chip production to the United States. (WASHINGTONPOST.COM)
Gen AI use cases rising rapidly for cybersecurity — but concerns remain
Generative AI is being embedded into security tools at a furious pace as CISOs adopt the technology internally to automate manual processes and improve productivity. But research also suggests this surge in gen AI adoption comes with a fair amount of trepidation among cybersecurity professionals, which CISOs must keep in mind when weaving gen AI into their security operations. (CSOONLINE.COM)
ALSO: Generative AI's cybersecurity potential is clear, but so far it's given hackers the upper hand (ITPRO.COM)
Data infrastructure a major challenge for AI in California, say officials
The role of the chief data officer has expanded in recent years to include tasks such as improving data infrastructure, facilitating data sharing and preparing data for AI consumption, state officials said at a technology conference in downtown Sacramento. (STATESCOOP.COM)
ChatGPT, two years on: The impact on cybersecurity
There’s no denying that ChatGPT and similar AI models have made a big impact on cybersecurity defenses: they can analyze data and identify patterns that would be easy to miss in a manual review. However, the accessibility of AI tools has also lowered the barrier to entry for cybercriminals. Criminal hackers can now leverage ChatGPT to craft more convincing phishing emails, generate malicious code, and even create deepfakes for social engineering attacks. (TECHRADAR.COM)
Education
Rhode Island schools deploy DNS service to tackle ransomware
The Protective Domain Name Service will provide enhanced protections to 136,000 students across Rhode Island's 64 school districts by blocking access to malicious websites and other risky online destinations. The goal is to stop cyberattacks before they occur by providing districts with a federally-funded third-party service that requires no cost, no complex passwords, no lengthy configurations and no disruptive manual interventions. (GOVINFOSECURITY.COM)
Energy
Energy prioritizes information sharing, AI for federated enterprise cybersecurity
Federal systems are some of the biggest targets of opportunity for cyber adversaries, containing massive amounts of personally identifiable information about citizens, classified or sensitive national security data, or the ability to disrupt critical services. That’s leaving IT and cybersecurity personnel at federal agencies like the Energy Department with the need to devise strategies to protect their systems that suit the unique requirements of each agency’s mission. (FEDERALNEWSNETWORK.COM)
Intelligence
Cyber Command chief discusses challenges of getting intel to users
The United States has spent trillions of dollars on ensuring intelligence and the network that distributes that intelligence is the best on the planet, but more needs to be done, said Air Force Gen. Timothy D. Haugh, commander of U.S. Cyber Command, director, National Security Agency and chief, Central Security Service, in a discussion at the Reagan Defense Forum. (DEFENSE.GOV)
Policy
Trump 2.0: What cybersecurity shifts lie ahead?
The Biden strategy’s boldest and most controversial strategic objective involved the creation of legislation to hold software companies liable “when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.” Once dubbed the “third rail of cybersecurity,” this strategic objective was always a longer-term goal needing congressional action and thus one of the more aspirational aspects of the Biden strategy. At this juncture, it’s fair to say that Trump 2.0 is likely to reject those aspects of any strategy that entails more regulation of the private sector. (BROOKINGS.EDU)
Resilience
Defense Commissary Agency striving to balance cyber, CX
For any retail grocery store around the world, any loss of customer data or any problems with their supply chain would severely impact servicemembers and their families. Michelyne LeBlanc, the deputy chief information officer of the Defense Commissary Agency, said that is why employing specific cybersecurity tools and capabilities across their global operations isn’t just a matter of Defense Department policy, but central to DECA’s mission success. (FEDERALNEWSNETWORK.COM)
Public reprimands found to be an effective deterrent against data breaches
This conclusion follows a two-year trial led by the UK’s Information Commissioner’s Office (ICO) which sought to work proactively with the public sector to encourage data protection compliance. Over the two years of the Public Sector Approach (PSA) trial, the ICO has published around 60 reprimands issued to public bodies. (INFOSECURITY-MAGAZINE.COM)
Social media
TikTok asks court to put divest-or-ban law on hold amid Supreme Court appeal
TikTok and ByteDance, its China-based parent company, filed an emergency motion with the U.S. Court of Appeals for the D.C. Circuit asking for a temporary injunction to prevent the law — which requires ByteDance to sell the app or face a U.S. ban — from taking effect Jan. 19. “That would shut down TikTok—one of the Nation’s most popular speech platforms—for its more than 170 million domestic monthly users on the eve of a presidential inauguration,” TikTok and ByteDance wrote. (THEHILL.COM)
Space
SDA a ‘canary in the coal mine’ for supply chain woes: Space Force
The Space Development Agency is in the process of launching a megaconstellation of missile warning and data transport satellites, but the first two phases of the effort have been delayed due to production issues with some of its suppliers. The problem, which originated during the COVID-19 pandemic, delayed the launch of its first batch of satellites by seven months. (DEFENSENEWS.COM)
Workforce
Cyber Warfare Club: Developing digital warriors
U.S. Air Force Academy cadets learn technical skills such as malware analysis, network security and penetration testing. Additionally, they perform binary and web exploitations, forensics and cryptography. The club also has a team that drafts cyber policy and incident response for competitions they will present to a hypothetical national security council. (USAFA.EDU)
LEGISLATIVE UPDATES
House passes SHARE IT Act aimed at custom code in government
The proposal “mandates that agencies publicly list and share their custom code — allowing solutions to be reused across the government, saving both time and saving important taxpayer dollars,” Rep. Nick Langworthy (R-N.Y.) said of the bill last week on the House floor, calling it “a straightforward, practical measure that will improve government efficiency, foster innovation and most importantly save taxpayers money.” (NEXTGOV.COM)
EVENTS
DRONE HEARING: The House Homeland Security subcommittees on Counterterrorism, Law Enforcement, and Intelligence and Transportation and Maritime Security will hold a joint hearing Dec. 10 on safeguarding the homeland from unmanned aerial systems.
COMMUNICATIONS HEARING: The Senate Commerce, Science and Transportation Subcommittee on Communications, Media and Broadband will hold a hearing Dec. 11 to investigate security threats against communications networks, and review best practices and the tools available to providers and consumers to mitigate risks and strengthen our networks.
BLACK HAT EUROPE: This cybersecurity conference returns to the ExCeL in London with a four-day program Dec. 9-12. The event will open with two- and four-day options of deeply technical hands-on cybersecurity trainings, with courses available for all skill levels.
THE STRATEGIC FUTURE OF SUBSEA CABLES: CSIS will host an event Dec. 18 to discuss cuts of critical cables and the steps the U.S. government, partners and allies, and key stakeholders can take to create and maintain a secure and resilient subsea cable infrastructure.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | FACEBOOK