US Treasury Breached Using Stolen BeyondTrust Key; Feeling Aftershocks of Salt Typhoon Intrusion; Security Update to HIPAA Proposed

The US Department of the Treasury informed legislators that 'on December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.' The BeyondTrust incident was reported in December (covered in NB 26.97 on December 20, 2024). While BeyondTrust revoked the compromised key upon learning of the incident, 'potentially anomalous behavior' was detected several days before. Current analysis attributes the attack to a state-sponsored threat actor with ties to China.

The White House has confirmed that a ninth telecommunications company was affected by Salt Typhoon; the firm has not been identified. Deputy National Security Advisor for Cyber Anne Neuberger told reporters that the Salt Typhoon intrusions allowed the threat actors to geolocate millions of people and record phone conversations. According to Nextgov's overview of the situation, at least 80 organizations are believed to be affected by the malicious cyber activity attributed to China's state-sponsored Salt Typhoon threat actor group, and over the past few months, several hundred organizations have been notified that they could be at risk of compromise. Salt Typhoon has been concentrating largely on telecommunications companies, but the hundreds notified of potential risk include organizations in other sectors as well. Some of the flaws the group exploits have been known since 2018; while fixes are available, some of the notified organizations have not applied the patches.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will publish a Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information in the Federal Register on Monday, January 6, 2025. The notice proposed rule comes in response to a 'significant increase in cyberattacks and common compliance deficiencies' and will be the first update to HIPAA in more than a decade.

On December 23, US President Joe Biden signed into law a bill that requires federal agencies to share custom source code with each other. The Source Code Harmonization And Reuse in Information Technology or SHARE IT Act aims to reduce redundant spending on custom code that can serve functions at multiple agencies. Exemptions include classified code, code used in national security systems, and code that would present privacy risks if it were shared.

Authorities in Finland have seized a Russian ship suspected of dragging its anchor for 60 miles and severing submarine cables in the Baltic Sea on December 25. The damaged equipment includes the Estlink 2 power cable and four telecommunications cables. FinlandÕs national Bureau of Investigation has also begun questioning crew members. Authorities are also examining equipment found onboard the ship.

An apparent distributed denial-of-service (DDoS) attack disrupted operations at Japan Airlines (JAL) on December 26. When JAL became aware of the situation, they shut down a router that was causing problems, temporarily suspending same-day ticket sales. The incident delayed some domestic and international flights; normal services resumed later the same day.

Palo Alto Networks has released updates to address a high-severity denial-of-service vulnerability in their PAN-OS firewall software. According to the company, the flaw 'allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.' The vulnerability has been actively exploited. Users are urged to update to PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3; Palo Alto Networks is not releasing an update for PAN-OS 11.0 as it reached end-of-life in November 2024.

A high-severity OS command injection vulnerability affecting certain models of Four-Faith industrial routers is being actively exploited. The issue affects Four-Faith router models F3x24 and F3x36. Successful exploitation requires that the attacker is able to authenticate; the danger lies in unchanged default credentials. The issue was detected by researchers at VulnCheck, who notified Four-Faith and their own customers of their findings on December 20. According to data gathered by Censys, there are more than 15,000 vulnerable internet-facing Four-Faith devices.

The Apache Software Foundation has released updates to address a critical SQL injection vulnerability in Apache Traffic Control. The flaw lies in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1; the issue does not affect Apache Traffic Control 7.0.0 before 8.0.0. The vulnerability can be exploited by a privileged user with "admin", "federation", "operations", "portal", or "steering" roles. Users are urged to update to Apache Traffic Control version 8.0.2.

The SlowMist security team investigated reports of a phishing campaign that used phony Zoom invitations as bait. In one case, when the message recipient clicked on the maliciously-crafted meeting link, malware was downloaded which resulted in the theft of millions of dollars' worth of cryptocurrency. SlowMist analysis revealed that the attackers are likely based in Russia and that 'they have been targeting victims and using the Telegram API to monitor whether anyone clicked the download button on the phishing page.'