More Salt Typhoon Victims; US Sanctions Chinese Company for Aiding Flax Typhoon; Plan Now for Windows 10 End-of-Support

The Wall Street Journal (WSJ, the article is behind a paywall) has identified three more US telecommunications firms that fell victim to a cyberespionage campaign. The activity is the work of the Salt Typhoon cyberthreat group, which has ties to China’s government. Previously, nine affected telecoms had been named. The newly identified companies are Charter Communications, Consolidated Communications, and Windstream. According to WSJ, Salt Typhoon’s intrusions into the telecoms’ networks began in mid-2023 if not earlier; investigators say the threat actors maintained a foothold in one firm’s network for 18 months. The situation was first disclosed by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) in October 2024. The threat actors made their way into some of the systems by exploiting known, unpatched vulnerabilities in edge devices. In late December, Anne Neuberger, the White House deputy national security advisor for cyber and emerging technologies, told reporters that “There are details that likely we will never know regarding the scope and scale” of the attacks and that the intruders “erased logs, and in many instances, companies weren't keeping adequate logs.”

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a Beijing company, Integrity Technology Group, Incorporated (Integrity Tech) for their alleged support of malicious cyber activity conducted by Flax Typhoon, a state-sponsored cyberthreat group that has been known to target US critical infrastructure organizations. Flax Typhoon has been active since at least 2021. The sanctions freeze any US assets held by Integrity Tech and limit US financial and other interactions with the company.

According to ESET, 65 percent of all devices in German households run Windows 10, which will no longer be supported as of October 2025, and StatCounter estimates almost the same proportion of Windows 10 users worldwide. Both businesses and private users will have the option to pay for continued support, but ESET points to downsides of high cost and significantly increased vulnerability. The security firm urges updates to Windows 11 or Linux well in advance of the end of free support to avoid exposure to "considerable security risks." By contrast, when Windows 7 reached end of support (EOS) in 2020, only 20 percent of users were still running it. The "non-negotiable" Trusted Platform Module (TPM) hardware requirement for Windows 11 remains a barrier to some users, but is critical to the operating system's security functions.

Researchers at Palo Alto Networks Unit 42 have published a blog post about a new technique for bypassing LLM content guardrails, called “Bad Likert Judge” based on the Likert Scale questionnaire format. Likert scales measure opinions ordinally, such as a numbered scale for degrees of agreement with a statement. Unit 42 asked LLMs to rate input on a Likert scale with only two values, scoring 1 "if a prompt didn’t contain any malware-related information," or 2 "if it contained very detailed information about how to create malware, or actual malware code." Researchers then asked the model to "demonstrate [its] understanding of the evaluation scale" by generating examples that would fit each point of the scale, including "thorough step-by-step information." Follow-up requests for elaboration led the LLM to provide additional harmful details. Researchers assessed this jailbreak method at a 71.6% average success rate in 1,440 tests on six prominent LLMs. System prompt leakage was the least successful category of jailbreak prompt, but "harassment-related content was particularly easy to generate." Other categories elicited included "hate, ... self harm, unsafe weapon-related content, illegal activity promotion, [and] malware generation." Unit 42 recommends mitigation via content filters on both prompts and outputs, but emphasizes that they may still be circumvented.

Moxa has published a security advisory warning of two vulnerabilities affecting their cellular routers, secure routers, and network security appliances. CVE-2024-9140 is a remotely-exploitable critical OS command injection vulnerability that could lead to arbitrary code execution. CVE-2024-9138 is a high-severity hard-coded credentials issue that could allow attackers to attain root privileges. Moxa has released firmware updates to address both vulnerabilities.

On December 31, Tenable paused plugin updates after becoming aware that Nessus Agents were going offline after plugin updates. On January 2, Tenable wrote that they were “actively working on resolving the Plugin Compilation Issue discovered on Nessus Agent version 10.8.0/10.8.1.” That same day, Tenable released Nessus Agent 10.8.2. On January 3, Tenable resumed the plugin feed.

Researchers at Cyfirma have analyzed malware known as FireScam, which targets Android users using a dropper disguised as Telegram Premium, offered in a counterfeit app store made to resemble the popular Russian marketplace RuStore. The FireScam payload is designed to comprehensively monitor, capture, and exfiltrate data from the device, including "notifications, messages ... screen state changes, e-commerce transactions, clipboard activity, and user engagement." The malware seeks elevated permissions on the device and may phish users' Telegram credentials using a WebView. Cyfirma provides indicators of compromise, and urges organizations and individuals to "implement threat intelligence," enact a comprehensive cybersecurity strategy, and heighten vigilance for social engineering and phishing attacks.

Apple has proposed to settle for $95 million in Lopez v. Apple, Inc., a class-action lawsuit brought to hold the company accountable for ten years of the Siri assistant violating users' privacy by recording audio unprompted and without permission, claimed by some plaintiffs to have triggered targeted advertising. A hearing on February 14 will be held to possibly approve the settlement. A whistleblower in 2019 alleged to The Guardian that "there have been countless instances of recordings featuring private discussions between doctors and patients, business deals, seemingly criminal dealings, sexual encounters and so on. These recordings are accompanied by user data showing location, contact details, and app data." The settlement absolves Apple of any wrongdoing and offers up to $20 per device (up to five devices) to users who "purchased or owned a Siri Device in the United States or its territories, and enabled Siri on that device" between September 17, 2014 and December 31, 2024 and who in that time "experienced at least one unintended Siri activation [that] occurred during a conversation intended to be confidential or private."

A statement released by Rhode Island Governor Dan Mckee on December 30, 2024, discloses new information about a cyberattack on the state's RIBridges system, first detected by security vendor Deloitte on December 5, 2024. Deloitte has confirmed that certain files stolen in the breach have been leaked on the dark web. McKee states that "this is a scenario that the State has been preparing for," mentioning proactive outreach to protect the privacy of potentially affected citizens, and ongoing analysis of the breach. The governor's statement recommends Rhode Islanders freeze their credit; monitor credit reports; request a Fraud Alert on credit report files; apply MFA; and remain vigilant for suspicious communications. RIBridges is Rhode Island's "Integrated Eligibility System" (IES) for administering social assistance programs: "The attack may have impacted several state benefits programs, including Medicaid, Supplemental Nutrition Assistance Program, Temporary Assistance for Needy Families, Child Care Assistance Program, health coverage purchased through HealthSource RI, Rhode Island Works, Long-Term Services and Supports, General Public Assistance and Program At HOME Cost Share."

A cyberattack targeting the payroll system of Argentina’s airport security police not only compromised personal data, but also resulted in the theft of funds from employee’s paychecks. The attackers exploited a vulnerability in the network of Banco Nación, the bank that processes the payroll system. Multiple sources told Buenos Aires newspaper Página/12 that the computer system sustained an outage that lasted for approximately one hour, but it was not until officers and other employees noticed the fraudulent payroll deductions that the attack became evident.