Feds lay blame while Chinese telecom attack continues


The United States’ telecommunications infrastructure has been infiltrated by actors affiliated with China. Some of our nation’s most powerful leaders have been targeted — including President-elect Donald Trump and Vice President-elect JD Vance. This is one of the most severe cybersecurity incidents against telecom the United States has ever been subject to, and — worse yet — it is ongoing. 

Actors affiliated with China, commonly called Salt Typhoon, have successfully gained access to at least eight of our nation’s largest communications companies. In fact, federal officials say that no networks have fully removed the threat and that individuals should rely on encrypted messaging platforms in the meantime.

Given the national security implications, one would assume that our government is rushing to secure communications and make sure something like this can’t happen again. Instead, the current administration’s response is to call for regulation and point out industry failures. For example, the Federal Communications Commission has proposed new requirements on carriers, such as expanded legal obligations, and the White House has also amplified this, saying that voluntary measures have proven inadequate. This follows similar calls for regulatory requirements and liability on industry over the past four years.

This is not the time for new regulations, and rushing to implement them would be a massive misstep. There is no shortage of existing federal agencies or authorities pertaining to cybersecurity. Instead, security teams face overlapping and even contradictory security requirements and standards. This places compliance burdens on security practitioners. For example, there have been instances where their time and resources were diverted to responding to government inquiries instead of defending networks.

During a Dec. 11 Senate Commerce Committee hearing, Sen. Ted Cruz, R-Texas, urged federal leaders not to rush new regulations and instead see how they can assist telecom companies in a time of need. That is precisely right. The first priority must be to fully understand how China gained access, what and who is impacted, short- and long-term remedies, and ultimately ensuring this does not happen again.

This is not to say there is no room for security standards and baselines. But what is currently in place should be assessed to determine if there is a way to harmonize our system. This would help security teams ultimately keep their focus on security, help cut down on critical resources being diverted elsewhere, and provide flexibility to decide what is best for their specific company. Rushing new regulations will simply exacerbate the problem and create an ever more complex patchwork of laws. Given Trump’s calls for deregulation and the creation of a Department of Government Efficiency, this is a perfect time to tackle cybersecurity.

Moving forward, there are several realities to account for.

First, no critical infrastructure sector is immune to threats like Salt Typhoon. Nation-state actors, especially China, are constantly getting more sophisticated and looking for new, easy targets. If our largest telecommunications companies faced an incident of this magnitude, then smaller critical infrastructure operators like a local water provider or hospital are certainly at risk, as are operators across all sectors, from health care to energy. This will require a continued effort to better secure critical infrastructure and more work to deter China in the first place.

Second, the federal government has a key role in supporting critical infrastructure. It is unrealistic to think critical infrastructure can defend itself alone against a nation-state actor. The federal government needs to help make the lives of critical infrastructure security teams easier and bolster the resources available to them. With Salt Typhoon in particular, the government should look internally at its own response and at how it could have been improved rather than blaming industry.

Third, we cannot neglect our technology. It is not uncommon to see outdated products embedded in our critical infrastructure or even continued use of products made by foreign adversaries. These weak spots carry cybersecurity challenges, along with national security and privacy concerns. The cost of replacing and updating technology is not trivial, and local and state restrictions make things more difficult. It is ultimately important to modernize our technology over time to best defend against advanced actors.

One thing is for certain: China and other foreign adversaries will continue to try to compromise our critical infrastructure systems and exploit our data. This makes it imperative that government and industry are truly in sync rather than pointing fingers or seeking to add new burdens in a crisis.

Brandon Pugh is the director of the R Street Institute’s cybersecurity and emerging threats team and serves as a cyber law professor in the military. Brian Harrell is a former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security.

Written by Brandon Pugh and Brian Harrell




Defining & Defying Cybersecurity Staff Burnout


“A quarter of cybersecurity leaders want to quit,” hollered the headline of a study sponsored by global cybersecurity company Black Fog. While that is suggestive of stress or morale problems at the higher levels of security teams, the more alarming numbers came later in the press release, below the graphic: 45% of security leaders have used drugs or alcohol to relieve work pressure in the past year, and 69% have “withdrawn from social activities.”

That’s starting to sound more like burnout than stress.

The reason it’s important to distinguish the cause of self-destructive behavior at work is that short-term stress and burnout have different treatments and timelines. According to a journal article by Arno van Dam, 80% of people suffering short-term stress are back at work in six to 12 weeks. Burnout patients, however, take more than a year to recover; one quarter to one half of patients still haven’t recovered after two to four years.

What Is Cybersecurity Burnout?

To discern burnout, it’s helpful to have a standard definition. While the US catalogue of maladies, the Diagnostic and Statistical Manual of Mental Disorders (aka the DSM), still doesn’t include work-related burnout as a diagnosis as of version 5, the World Health Organization (WHO) sees it differently. The WHO’s alternative resource, the International Statistical Classification of Diseases and Related Health Problems (aka the ICD), has a code for burnout — QD85 — and defines it in the context of work/unemployment problems:


“Burnout is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and 3) a sense of ineffectiveness and lack of accomplishment.”

According to the van Dam article, burnout happens when an employee buries their experience of chronic stress for years. The people who burn out are often formerly great performers, perfectionists who exhibit perseverance. But if the person perseveres in a situation where they don’t have control, they can experience the kind of morale-killing stress that, left unaddressed for months and years, leads to burnout. In such cases, “perseverance is not adaptive anymore and individuals should shift to other coping strategies like asking for social support and reflecting on one’s situation and feelings,” the article read.

“I wrestle with burnout pretty regularly, escalated thanks to neurodivergence,” says Ian Campbell, senior security operations engineer at DomainTools. Burnout is also a condition familiar to the neurodivergent, especially autistic people. Autistic burnout, a term used mostly by that community, entails chronic exhaustion, losing the use of skills, and a lowered tolerance for stimuli. The role it might play in the better-known work burnout is unknown, but the similarity of symptoms is interesting.


Campbell sees the interplay from the inside. “Autism, depression, and anxiety are a wickedly effective combination in encouraging burnout. Hyperfocus can lead to working far too much and ignoring work/life balance,” he says. “Depression and anxiety are self-perpetuating, exquisitely engineered to set up feedback cycles hard to break away from, and that can be doubly toxic around work — the depression saying things won’t get better, the anxiety pressing you to work longer, harder, be more useful and less expendable.”

Bryan Kissinger, chief information security officer (CISO) and senior VP at Trace3, adds, “People also need to have the courage to say to their managers or coworkers, ‘Hey, I need a break.’”

Handling Staff Burnout on Security Teams

“Sometimes it’s very challenging” to tell when someone’s burning out, Kissinger says. He tells the story of one employee who kept their stress to themselves until it was almost too late: “They were ready to leave because they were burning out, and I said, ‘This is the first I’ve heard about it. Can we bring on some contractors to help us moderate the workload?’”


When asked how he helps his staff fend off burnout, Kissinger describes a hands-on approach. “I audit their day. A lot of people either tend to get roped into things … or volunteer for things,” he says. “What are the one or two things that need to be done today, and what can be done Monday or later next week?”

Jill Knesek, CISO at BlackLine, has a team of about 30 people, and has a quarterly one-on-one with each of them. “I offer more if they want more, and if you want to do monthly or every six weeks, then please do,” she says. “I just try to take the time with each person on the team to make them feel important and empowered. And I know that there’s opportunities for them, even if it’s not maybe what they’re doing today.”

If a person’s team is not supportive of work/life balance, that can exacerbate the issue.

Knesek says, “I want to make sure they know that I know what they’re doing and I care about what they’re doing and I can help guide them. So they feel important, and they feel like the really important things get noticed by leadership.”

How Cyber Staff Handles Work Pressure

“Taking all my holiday was a big help,” says Terence Eden, who moved from civil service to start his own consultancy, Open Ideas, which affords him much more control over his schedule and work/life balance. “And doing it in big chunks, not just a day or two, allowed me to reset.”

Resetting from the buildup of stress is an important part of disrupting the path to burnout, as Knesek knows well. She says, “I encourage my team all the time to make sure their work-life balance is always good. Recharging your batteries is really important, and I am an important representative of that, right? So if I don’t do it and everybody says, ‘Well, Jill never takes [paid time off] but she tells us to do it. But does she really mean that? Because she’s not taking it.’”

Employees sometimes scoff at the wellness programs companies put out as an attempt to keep people healthy. “Most ‘corporate’ solutions — use this app! attend this webinar! — felt juvenile and unhelpful,” Eden says. And it does seem like many solutions fall into the same quick-fix category as home improvement hacks or dump dinner recipes.

Christina Maslach’s scholarly work attributed work stress to six main sources: workload, values, reward, control, fairness, and community. “If any are lacking or out of sync, you may be headed toward exhaustion, cynicism, and the feeling of being ineffective,” said this article presenting a two-minute burnout assessment tool.

An even quicker assessment is promised by the Matches Measure from Cindy Muir Zapata. “The graphic she offered in her paper is a six-point and eight-point spectrum of matches, from unlit, to singed, to burned, to disintegrated,” read an article on HR Dive. A worker looks at the layout of matches and picks the one that shows how burned out they feel.

But Campbell has an idea for how to handle wellness better: “So my first and strongest recommendation to everyone is this: psychotherapy.”

“Professionals will help a lot more than any quick hack to keep you running for another few weeks — therapy allows you to vent out what’s building up, gain insight on your own status and choices, and plan for future burnout occurrences,” he adds. “It doesn’t make everything magically better, but you learn the tools to keep treading water, then tools to swim against counterproductive currents, and more.”

“The time to start learning and building the tool sets is before the burnout hits, or at least before it becomes a true crisis,” he adds.

Hope in a Hopeless Place

If worse comes to worst, and burnout hits, the van Dam article found hope in the study of disaster survivors. No matter how awful the disastrous events they went through, people tend to perceive some good coming from their trauma. This post-traumatic growth falls into three categories of benefits: changes in self-perception, in relationships, and in life philosophy.

The article built on that to posit post-burnout growth as well. “Many former burnout patients report that they have learned from their burnout and that their life is better now than before their burnout,” Campbell explains. “They know better who they are and what is important to them in life; they spend more time with their friends and families; and they changed their priorities. Many former burnout patients allow themselves to enjoy life more and to be happy.”

And again, he has some advice, particularly for the neurodivergent people: hack your needs to make yourself comfortable. “There are a thousand ways to optimize your own senses, and it’s something we as a culture often fail at. Whether you’re neurodivergent, neurotypical, or something else entirely — find the best sensory augments that allow you to work, and the better we’ll all be protecting, hacking, investigating, hunting, and more.”




Customer data from 800,000 electric cars and owners exposed online


Volkswagen's software company, Cariad, exposes data of 800,000 electric cars

Volkswagen’s automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers’ names and reveal precise vehicle locations.

Terabytes of Volkswagen customer details in Amazon cloud storage remained unprotected for months, allowing anyone with little technical knowledge to track drivers’ movement or gather personal information.

The exposed databases include details for VW, Seat, Audi, and Skoda vehicles, with geo-location data for some of them being as precise as a few centimeters.

Precise geo-location data

Access to the car data was possible due to Cariad’s incorrect configuration in two IT applications, a company representative told BleepingComputer.

Cariad was informed on November 26 of the issue by the Chaos Computer Club (CCC), the largest organization of ethical hackers in Europe that for more than 30 years has promoted security, privacy, and free access to information.

According to German publication Spiegel, the CCC found out about the vulnerability from a whistleblower and tested the insecure access before informing those responsible at Cariad and Volkswagen and providing them with technical details.

In a statement to BleepingComputer, a Cariad representative said that the exposed data affected only vehicles connected to the internet and had been registered for online services.

Of the nearly 800,000 vehicles exposed, the researchers found geo-location data for 460,000 cars, some of it with an accuracy of ten centimeters.

A little over 30 vehicles were part of Hamburg police’s fleet of patrol cars, while others belonged to suspected intelligence service employees, Spiegel says.

The company said that the CCC hackers could access the data only after bypassing several security mechanisms that required significant time and technical expertise.

Additionally, because individual vehicle data was pseudonymized for privacy purposes, the hackers had to combine different data sets to associate the details with a particular user.

However, Spiegel assembled a team of IT experts and journalists who found location details collected from the cars of two German politicians, Nadja Weippert and Bundestag member Markus Grübel, using freely available software.

The tools searched for exposed Cariad assets that contained files with sensitive information, which led to finding a copy of a memory dump from an internal Cariad application.

Inside the memory dump the hackers discovered access keys to a cloud storage instance on Amazon where Cariad saved data collected from Volkswagen Group customers’ vehicles.
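The finding above, long-lived cloud credentials sitting in plain text inside a dumped process image, is one that a defender can check for before a dump ever leaves an internal system. The following is an added example, not code from the article, Cariad or the CCC: it scans a byte blob for AWS-style access key IDs (the real AWS format is 20 upper-case alphanumeric characters beginning with AKIA for long-term keys or ASIA for temporary ones) and for a 40-character secret-shaped token nearby, then masks them so a sanitized copy can be shared. The sample dump is constructed; the key values in it are the placeholder credentials that AWS uses in its own documentation, not live keys.

```python
import re

# AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
# Word-boundary lookarounds avoid matching inside longer alphanumeric runs.
AKID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars of base64-style alphabet. On its own this
# pattern is noisy, so it is only applied in a window right after a key ID.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 256  # bytes to inspect after each key ID

# Constructed stand-in for a process memory dump (not real data). The
# credential values are the AWS documentation placeholders.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"heap: user=driver42 vin=CONSTRUCTED-VIN-0001 "
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    + b"\xff" * 16
    + b"log: token AKIA appears here as a plain word, not a key\n"
    + b"\x00" * 8
)


def find_access_keys(blob: bytes):
    """Return one dict per access key ID found: its offset, the ID itself and,
    if a secret-shaped token follows within SECRET_WINDOW bytes, that token."""
    hits = []
    for m in AKID_RE.finditer(blob):
        window = blob[m.end(): m.end() + SECRET_WINDOW]
        s = SECRET_RE.search(window)
        hits.append({
            "offset": m.start(),
            "key_id": m.group(0),
            "secret_candidate": s.group(0) if s else None,
        })
    return hits


def redact(blob: bytes) -> bytes:
    """Mask every key ID (keep the 4-char prefix so the key type stays
    recognisable) and every associated secret candidate."""
    out = blob
    for hit in find_access_keys(blob):
        kid = hit["key_id"]
        out = out.replace(kid, kid[:4] + b"*" * (len(kid) - 4))
        if hit["secret_candidate"]:
            out = out.replace(hit["secret_candidate"], b"*" * 40)
    return out


if __name__ == "__main__":
    for hit in find_access_keys(SAMPLE_DUMP):
        print(f"offset {hit['offset']}: key id {hit['key_id'].decode()}"
              f" secret found: {hit['secret_candidate'] is not None}")
    print(redact(SAMPLE_DUMP))
```

A hit here means the key must be treated as exposed and rotated; masking the dump only stops it from spreading further. The same scan belongs in the pipeline that produces crash dumps and in pre-commit hooks, and it generalizes to other providers by adding their key prefixes to the first pattern.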

Spiegel reports that some data points referred to the longitude and latitude location of the cars when the electric motor was turned off.

“In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic” – Spiegel

Most of the affected vehicles, 300,000 of them, were in Germany but the researchers also found details about cars in Norway (80,000), Sweden (68,000), the United Kingdom (63,000), the Netherlands (61,000), France (53,000), Belgium (68,000), and Denmark (35,000).

Quick fix after responsible disclosure

Cariad told BleepingComputer that its security team reacted quickly to fix the problem and closed access the same day the CCC sent them the report.

CCC representatives confirmed for Spiegel that Cariad’s “technical team responded quickly, thoroughly and responsibly” and that the company reacted within hours of receiving the technical details.

Based on the results of its investigation, Cariad has no evidence suggesting that other parties, except the CCC hackers, had access to the exposed vehicle data or that the information had been misused by a third party.

The company also emphasizes that the CCC only had access to data collected from the vehicles and could not access the cars themselves.

Cariad says that customers of the Volkswagen Group brands can agree to use products and services that require the processing of personal data and can deactivate the option at any time.

However, the company notes that the data collected from the vehicles helps it “provide, develop, and improve digital functions” for its customers as well as create additional benefits.

“Without this data, smart, digital and personalized functions could not be provided, optimized or expanded” – Cariad

As an example, the company explains that customers’ charging behavior and habits are anonymized and help optimize future battery generations and charging software.

At the same time, the collected data is stored in the cloud in a way that protects the identity of the customer and their movement with the vehicle.

“The brands in the Volkswagen Group collect, store, transmit and use personal data exclusively within the framework of legal regulations and an existing contractual relationship, legitimate interests or explicit consent from the customer,” Cariad says.

The automotive software company also says that it employs strong data protection practices that include storing data points separately, restrictive access rights, pseudonymization, and anonymization, as well as aggregating and processing data within stated purposes.




15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials


Dec 28, 2024 | Ravie Lakshmanan | Vulnerability / Threat Intelligence


A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck.

The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.

The severity is lower because exploitation requires the remote attacker to authenticate first. However, if the default credentials associated with the routers have not been changed, the flaw effectively amounts to unauthenticated OS command execution.

In the attack detailed by VulnCheck, the unknown threat actors have been found to leverage the router’s default credentials to trigger exploitation of CVE-2024-12856 and launch a reverse shell for persistent remote access.

The exploitation attempt originated from the IP address 178.215.238[.]91, which has been previously used in connection with attacks seeking to weaponize CVE-2019-12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence firm GreyNoise, efforts to exploit CVE-2019-12168 have been recorded as recently as December 19, 2024.


“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint,” Jacob Baines said in a report. “The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device’s system time via submit_type=adjust_sys_time.”
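Because the report names the endpoint and the parameter, operators of these devices can look for abuse of them in web server or proxy access logs. The following is an added example written for this page, not VulnCheck's or Four-Faith's code: it parses Combined Log Format lines, isolates requests to /apply.cgi with submit_type=adjust_sys_time, and flags any adj_time_* value that is not purely numeric (a year, month or day should never contain anything else). The log lines are constructed; the field names come from the report above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Dec/2024:10:00:01 +0000] "POST /apply.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Dec/2024:10:00:02 +0000] "GET /apply.cgi?submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12 HTTP/1.1" 200 211 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Dec/2024:10:05:44 +0000] "GET /apply.cgi?submit_type=adjust_sys_time&adj_time_year=2024%3Bfoo HTTP/1.1" 200 211 "-" "curl/8.4.0"
198.51.100.7 - - [27/Dec/2024:10:05:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4.0"
"""


def analyze_line(line: str):
    """Return (client_ip, severity, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/apply.cgi":
        return None
    # Access logs never carry a POST body, so parameters sent that way cannot be
    # inspected here; surface the request so it can be checked at the proxy/WAF.
    if m["method"] != "GET" or not parts.query:
        return (m["ip"], "info",
                "request to /apply.cgi whose parameters are not visible in the access log")
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("submit_type") != ["adjust_sys_time"]:
        return None
    for name, values in params.items():
        if name.startswith("adj_time_"):
            for value in values:
                if not value.isdigit():
                    return (m["ip"], "high", f"non-numeric value in {name}: {value!r}")
    return None


def scan_log(text: str):
    """Run analyze_line over every line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for ip, severity, reason in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

The numeric check is deliberately strict rather than a blocklist of shell characters, so it does not need updating for every encoding trick. On a device that still has default credentials, a "high" finding should be treated as a likely compromise and the router rebuilt, not just rebooted.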

Data from Censys shows that there are over 15,000 internet-facing devices. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.

There is currently no information about the availability of patches, although VulnCheck stated that it responsibly reported the flaw to the Chinese company on December 20, 2024. The Hacker News has reached out to Four-Faith for comment prior to the publication of this story and will update the piece if we hear back.





OpenAI lays out plans for its for-profit transformation • The Register


Amid growing competition and skyrocketing compute requirements necessary to support the next generation of AI models, OpenAI is shaking up its corporate structure – again.

The ChatGPT creator on Thursday outlined its plan to establish a public benefit corporation (PBC), which it argued would clear the way for large-scale investment, hamstrung by its current organizational structure.

Under the new structure, OpenAI plans to convert its for-profit wing into a Delaware-based PBC, which will run and control OpenAI’s operations and business, while its non-profit arm will be responsible for hiring and directing charitable initiatives for healthcare, education, science, and other fields.

The shift reflects OpenAI’s ongoing transition away from its non-profit roots.

Since its founding in 2015 OpenAI’s status as a non-profit corporation has been rather fluid. “In those early days, we thought that progress relied on key ideas produced by top researchers and that supercomputing clusters were less important,” the ChatGPT maker explained in a blog post on Friday.

By 2019, it became clear that massive quantities of compute would be required to achieve OpenAI’s mission of advancing digital intelligence. “We would need far more compute, and therefore far more capital, than we could obtain with donations in order to pursue our mission.” And so in 2019, the AI model builder transitioned to an unorthodox structure, establishing a for-profit business controlled by the non-profit.

This approach aimed to drive profits to provide capped returns to investors and employees, with the remainder being funneled into the overarching non-profit. The change opened the door to massive shareholder investment including Microsoft’s $1 billion investment that same year.

In the five years since this structure was enacted, the AI space has exploded, with OpenAI now facing stiff competition from rival model builders like Anthropic, Meta, and Google.

“The hundreds of billions of dollars that major companies are now investing into AI development show what it will really take for OpenAI to continue pursuing the mission,” the blog post explained. “We once again need to raise more capital than we’d imagined. Investors want to back us, but at this scale of capital, need conventional equity and less structural bespokeness.”

In other words: OpenAI’s corporate structure has become inconvenient given the competitive landscape, and so once again, it’s altering the deal.

OpenAI’s latest structural shift, planned for 2025, will effectively see the for-profit wing take the reins of the AI giant’s operations and business. It’s not clear to what degree the non-profit portion of the outfit will have any meaningful control, though the blog post suggests that it would retain “significant interest in the existing for-profit,” taking the form of shares in the PBC at a valuation that will be “determined by independent financial advisors.”

Microsoft plans to supplement 365 Copilot products with non-OpenAI models

Microsoft is looking to diversify the AI models used to power its 365 Copilot products to include those not built by partner OpenAI.

Up to this point, Microsoft’s products have been powered by its generative AI partner OpenAI. However, Reuters reported this week, citing sources familiar with the matter, that Redmond was looking to reduce its dependence on the GenAI poster child in a bid to cut costs.

Microsoft is no stranger to building its own models. The company’s Phi-series of models are now in their fourth iteration, with the latest – a 14 billion parameter model called Phi-4 – launched earlier this month.

Many of these models have employed highly permissive MIT licenses, making them ideal for fine tuning. Taking this into consideration, Microsoft may be gearing up to offer model customization services to 365 Copilot customers.

The Register has reached out to Microsoft for comment; we’ll let you know if we hear anything back.

The new corporate structure comes just months after OpenAI raised $6.6 billion in new funding, which drove its valuation to $157 billion. The funding is expected to further the development of more advanced models, including OpenAI’s o-series of models, which it says demonstrate “new reasoning capabilities.”

But while OpenAI makes the case this latest transition is imperative to the success of the firm going forward, not everyone is a fan of the move. OpenAI has faced ongoing criticism from Elon Musk, who initially funded the model builder before founding rival AI firm xAI. Musk has previously launched legal challenges to OpenAI’s structure, and earlier this month filed for an injunction against the AI firm to prevent it from morphing into an entirely for-profit business.

Bootnote:

Speaking of xAI, the Musk-backed startup raised $6 billion in a series-C funding round this week, which it says will support the expansion of its Colossus supercomputer.

The startup currently plans to expand the machine to 200,000 GPUs with ambitions to eventually grow it to a million accelerators. The machine will power the development of future Grok models as well as its Aurora image-gen models. ®




White House: Salt Typhoon hacks possible because telecoms lacked basic security measures


The White House said Friday that as the U.S. government continues to assess the damage caused by the Salt Typhoon hacks, the breach occurred in large part due to telecommunications companies failing to implement rudimentary cybersecurity measures across their IT infrastructure. 

Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, told reporters Friday that the Biden administration has further zeroed in on how these companies can improve their cybersecurity, particularly by sharing threat-hunting guides and instructions for hardening systems. These guides, shared with telecom companies, have unearthed a new victim, bringing the total of affected companies to nine. 

In a previous briefing this month, Neuberger said that while the impacted telecommunications companies are currently working to expel the hackers from their networks, the risk of further breaches remains high until cybersecurity gaps are fully addressed. In Friday’s briefing, she shared more details on some of the flaws that have been uncovered in telecom systems, which allowed the threat actors to carry out their actions. 

In one incident response case, it was found that the attackers, which are believed to be state-affiliated actors from China, obtained credentials to one administrator account that had access to over 100,000 routers. Additionally, the group erased logs of their actions, and the logs that did remain were inadequate for determining the size and scope of the hack. 

“The reality is that from what we’re seeing regarding the level of cybersecurity implemented across the telecom sector, those networks are not as defensible as they need to be to defend against a well-resourced, capable offensive cyber actor like China,” Neuberger said. 

The White House still cannot definitively say the actors have been removed from the telecom networks. Neuberger said the number of individuals directly impacted is “less than 100.” However, she said the Chinese were interested in a large number of individuals that were geo-located in the Washington, D.C. area, with “the goal of identifying who those phones belong to and if they were government targets of interest for follow-on espionage and intelligence collection of communications.” 

The attackers are believed to have targeted the phones and data of President-elect Donald Trump and Vice President-elect JD Vance, among others.

In the aftermath of the breaches, Neuberger said the White House has outlined four areas where telecom companies can improve their cybersecurity: configuration management, vulnerability management, network segmentation, and sector-wide information sharing. She also expressed support for the new rules pushed forth by the Federal Communications Commission that would force telecoms to further harden their networks. 

The White House says these rules would follow similar regulations in Australia and the U.K., which have been in place since 2018 and 2022, respectively. 

“When I talked with our U.K. colleagues and I asked, ‘do you believe your regulations would have prevented the Salt Typhoon attack?’, their comment to me was, ‘we would have found it faster. We would have contained it faster, [and] it wouldn’t have spread as widely and had the impact and been as undiscovered for as long,’ had those regulations been in place,” Neuberger said. “That’s a powerful message.” 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.




Hackers Are Hot for Water Utilities


The unprecedented wave of high-profile cyberattacks on US water utilities over the past year has just kept flowing.

In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility’s PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers’ personal data. Customer-facing websites and the telecommunications network at the US’s largest regulated water utility went dark after an October cyberattack.

Those were just some of the more chilling stories that have recently sparked fear over the security and physical safety of drinking water and wastewater systems. The cyberattacks have spurred warnings and security guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI and the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water ISAC (Information Sharing and Analysis Center).

Most of the attacks landed on the softest of targets, small water utilities without security expertise and resources, in mainly opportunistic attacks. Meanwhile, cyberattacks on large utilities like Veolia and American Water hit IT, not OT, systems — none of which actually disrupted water services. Overall, the cyberattacks on water appeared to be mainly about “poking around and eroding confidence,” says Gus Serino, president of I&C Secure and a former process control engineer for the Massachusetts Water Resources Authority.

The race is now on to secure the water sector — especially the smaller more vulnerable utilities — from further cyberattacks. Many larger water utilities already have been “stepping up their game” in securing their OT networks, and others started building out their security infrastructures years ago, notes Dale Peterson, president of ICS/OT security consultancy Digital Bond. “My first client in 2000 was a water utility,” he recalls. “Some [large utilities] have been working on this for a very long time.”

The challenge lies in securing smaller utilities, without overprescribing them with unnecessary and high-overhead security infrastructure. Tools that require expertise and overhead are a nonstarter at sites where there isn’t even dedicated IT support, much less cyber know-how. Peterson argues that government recommendations for sophisticated security monitoring systems are just plain overkill for most small utilities. These tiny outfits have bigger and more tangible priorities, he says, like replacing aging or damaged pipes in their physical infrastructure.

ICS/OT Cyber-Risk: Something in the Water?

Like other ICS/OT industries, water utilities of all sizes have been outfitting once-isolated programmable logic controller (PLC) systems and OT equipment with remote access, so operators can more efficiently monitor and manage plants from afar — to control water pumps or check alarms, for instance. That has put traditionally isolated equipment at risk.

“They are starting and stopping pumps, setting changes, responding to alarms or failures [in] a system. They remote in to look at SCADA/HMI screens to see what’s wrong or to take corrective action,” explains I&C Secure’s Serino, who works closely with water utilities. He says it’s rare for those systems to be properly segmented, and VPNs are “not always” used for secure remote access.

PLC vendors such as Siemens are increasingly building security features into their devices, but water plants don’t typically run this next-generation gear.

“I have yet to see any secure PLCs deployed” in smaller water sites, Serino says. “Even if there are new PLCs, their security features are not ‘on.’ So if you [an attacker] can get in and get access to the device on that network, you can do whatever you are capable of doing to a PLC.”

Because many ICS/OT systems integrators that install OT systems traditionally do not also set up security for the equipment and software they install in water utility networks, these networks often are left exposed, with open ports or default credentials. “We need to help integrators making [and installing] SCADA equipment for these utilities make sure they are secured” for utilities, says Chris Sistrunk, technical leader of Google Cloud Mandiant’s ICS/OT consulting practice and a former senior engineer at Entergy. 

Default credentials are one of the most common security weaknesses found in OT networks, as well as industrial devices sitting exposed on the public Internet. The Iranian-based Cyber Av3ngers hacking group easily broke into the Israeli-made Unitronics Vision Series PLCs at the Aliquippa Municipal Water Authority plant (as well as other water utilities and organizations), merely by logging in with the PLCs’ easily discoverable factory-setting credentials.

The good news is that some major systems integrators such as Black & Veatch are working with large water utilities on building security into their new OT installations. Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, says his team works with utilities that consider security a physical safety issue. “They are looking to build [security] in and not bolt it in,” he explains, to prevent any physical safety consequences from poor cybersecurity controls.

Cybersecurity Cleanup for Water

Meanwhile, there are plenty of free cybersecurity resources for resource-strapped water utilities, including the Water-ISAC’s top 12 Security Fundamentals and the American Water Works Association (AWWA)’s free security assessment tool for water utilities, which helps them map their environments to the NIST Cybersecurity Framework. Kevin Morley, manager of federal relations for the AWWA and a utility cybersecurity expert, says the tool includes a survey of the utility’s technology and then provides a priority list of the security controls the utility should adopt and address, focusing on risk and resilience.

“It creates a heat map” of where the utility’s security weaknesses and risks lie, he says. That helps arm a utility with a cybersecurity business case in the budget process. “They can go to leadership and say ‘we did this analysis and this is what we found,’” he explains.

There’s also a new cyber volunteer program that assists rural water utilities. The National Rural Water Association recently teamed up with DEF CON to match volunteer cybersecurity experts to utilities in need of cyber help. Six utilities in Utah, Vermont, Indiana, and Oregon encompass the initial cohort for the bespoke DEF CON Franklin project, where volunteer ICS/OT security experts will assess their security posture and help them secure and protect their OT systems from cyber threats.

Mandiant’s Sistrunk, who serves as a volunteer cyber expert for some small utilities, points to three main and basic security steps small (and large) utilities should take to improve their defenses: enact multifactor authentication, especially for remote access to OT systems; store backups offline or with a trusted third party; and have a written response plan for who to call when a cyberattack hits.

Serino recommends a firewall as well. “Get a firewall if you don’t have one, and have it configured and locked down to control data flows in and out,” he says. It’s common for firewalls at a water utility to be misconfigured and left wide open to outgoing traffic, he notes: “If an adversary can get in, they could establish their own persistence and command and control, so hardening up the perimeter” for both outgoing and ingoing traffic is important.

He also recommends centralized logging of OT systems, especially for larger water utilities with the resources to support logging and detection operations: “Have the ability to detect a problem so you can stop it before it reaches the end goal of causing an impact.”
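As an added illustration of the perimeter hardening Serino describes, and of the logging he recommends alongside it, the following nftables ruleset is example configuration written for this page; it is not taken from the article, I&C Secure, or Mandiant. It models a boundary firewall between an IT network and a PLC/HMI segment that denies forwarded traffic in both directions by default, admits only a named jump host inbound on a handful of engineering ports, allows only internal NTP outbound (so a compromised OT host has no path to the Internet for command and control), and logs everything it drops. The addresses, ports, and service choices are constructed placeholders, as is the `audit_ruleset` self-check.

```shell
#!/bin/sh
# Added example (not from the article): nftables ruleset for an IT/OT boundary
# firewall with default-deny forwarding in both directions.
# All addresses and ports below are constructed placeholders.

OT_NET="10.10.0.0/24"     # assumption: PLC/HMI segment behind the firewall
IT_JUMP="10.20.0.5"       # assumption: hardened jump host used for remote access
NTP_SRV="10.20.0.10"      # assumption: internal time server the OT hosts may reach

# Emit the ruleset as text; load it on the firewall with:  ot_boundary_ruleset | nft -f -
ot_boundary_ruleset() {
cat <<EOF
table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Keep already-approved sessions flowing, discard malformed connection state
        ct state established,related accept
        ct state invalid drop

        # Inbound to OT: only the jump host, only to engineering (22), HMI (3389) and Modbus (502)
        ip saddr $IT_JUMP ip daddr $OT_NET tcp dport { 22, 3389, 502 } accept

        # Outbound from OT: only NTP to the internal server; no route to the Internet
        ip saddr $OT_NET ip daddr $NTP_SRV udp dport 123 accept

        # Everything else is logged (rate limited) and then dropped by the chain policy
        limit rate 10/minute log prefix "ot-boundary-drop: "
    }
}
EOF
}

# Sanity check on the generated text: the forward chain must default to drop, and
# no accept rule may be unrestricted (a bare "accept" line would reopen egress).
audit_ruleset() {
    rules=$(ot_boundary_ruleset)
    echo "$rules" | grep -q 'hook forward.*policy drop;' || return 1
    echo "$rules" | grep -q '^[[:space:]]*accept' && return 1
    return 0
}

audit_ruleset && echo "ruleset passes audit"
```

The `log` statement writes each dropped packet to the kernel log with the `ot-boundary-drop:` prefix, so a syslog daemon on the firewall can forward those lines to the central collector the article mentions; watching that prefix is the simplest way to notice an OT host trying to reach somewhere it should not. Adding a new service means adding a narrowly scoped accept rule, never loosening the drop policy.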



White House links ninth telecom breach to Chinese hackers

A White House official has added a ninth U.S. telecommunications company to the list of telecoms breached in a Chinese hacking campaign that impacted dozens of countries.

The Salt Typhoon Chinese cyber-espionage group that orchestrated these attacks (also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) is known for breaching government entities and telecom companies throughout Southeast Asia and has been active since at least 2019.

The White House’s deputy national security adviser for cyber and emerging technologies, Anne Neuberger, told reporters today that this new victim was discovered after the Biden administration released guidance to help defenders spot Chinese hackers’ activity in their networks.

“The reality is that China is targeting critical infrastructure in the United States. Those are private sector companies, and we still see companies not doing the basics,” Neuberger said, according to Bloomberg. “That’s why we’re looking forward and saying ‘Let’s lock down this infrastructure.’ And frankly, let’s hold the Chinese accountable for this.”

Neuberger first told reporters during an early December press briefing that the Chinese hacking group had breached eight U.S. telecoms and carriers in dozens of other countries.

The White House official added that “at this time, we don’t believe any classified communications have been compromised,” while a senior CISA official stated that they couldn’t “say with certainty that the adversary has been evicted.”

Since this wave of telecom breaches affecting dozens of countries was disclosed, CISA has urged senior government officials to switch to end-to-end encrypted messaging apps like Signal to mitigate communication interception risks, and has released guidance to help telecom admins and engineers harden their systems against Salt Typhoon attacks.

Earlier this month, the New York Times reported that the Biden administration will ban China Telecom’s last active U.S. operations in response to Chinese state hackers breaching multiple U.S. telecom carriers. The U.S. government is also considering banning TP-Link routers starting next year if ongoing investigations find that their use in cyberattacks poses a national security risk.

In addition, U.S. Senator Ron Wyden of Oregon announced a new bill to secure the networks of American telecoms, and FCC Chairwoman Jessica Rosenworcel said the agency would act “urgently” to ensure that U.S. carriers are required to secure their infrastructure.



North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

Dec 27, 2024 | Ravie Lakshmanan | Cryptocurrency / Cyber Espionage

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.

Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process.

This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.

Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It’s also referred to as Famous Chollima and Tenacious Pungsan.

In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.

It’s worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process.

The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month.

OtterCookie, upon running, establishes communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.

The older OtterCookie variant spotted in September is functionally similar, but incorporates a minor implementation difference wherein the cryptocurrency wallet key theft feature is directly built into the malware, as opposed to a remote shell command.

The development is a sign that the threat actors are actively updating their tools while leaving the infection chain largely untouched, a continued sign of the campaign’s effectiveness.

South Korea Sanctions 15 North Koreans for IT Worker Scam

It also comes as South Korea’s Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by its northern counterpart to illegally generate a steady source of income that can be funneled back to North Korea, steal data, and even demand ransoms in some cases.

There is evidence to suggest that the Famous Chollima threat cluster is behind the insider threat operation as well. It’s also called by various names, such as Nickel Tapestry, UNC5267, and Wagemole.

One of the 15 sanctioned individuals, Kim Ryu Song, was also indicted by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.

Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which has been accused of dispatching a large number of IT personnel to China, Russia, Southeast Asia, and Africa for procuring funds for the regime by securing freelance or full-time jobs in Western companies.

These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers’ Party of Korea.

“The 313th General Bureau […] dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector,” the ministry said.

“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”


User thought cursor meant their computer was cactus • The Register

On Call The biggest days of the festive season may be behind us, but demand for tech support never stops. That’s why each Friday, even this one, The Register shares stories of fixers forced to help flummoxed fools in On Call – the reader-contributed column that celebrates your successes.

This week, we’re revisiting the topic of extremely swift fixes that we raised in November, when a reader claimed to have solved a user’s problem in 8.5 seconds.

Another reader, who we will Regomize as “Barry,” told us he was once called by the user of a greenscreen terminal who, upon returning from a lunch break stretched to unusual length by the need to queue for a bank teller, complained their machine displayed nothing but a “flashing screen.”

Barry got his hands on a replacement and lugged it to the user’s desk.

When he arrived, he saw a blinking cursor in the top left corner of the terminal’s screen.

“I pressed the space bar, and the cursor disappeared, replaced by the login prompt, fixing the problem.”

Barry didn’t claim the tech support world record though – he thinks his fix probably required less than ten seconds, but not much less.

“The user didn’t know a screen saver kicked in after 30 minutes, because she was always back from lunch before it kicked in,” Barry told On Call.

Bank tellers have sadly been largely replaced by IT, so there might be some ironic justice there.

Now let’s meet a reader we’ll Regomize as “Ron” who told us about the time a customer reported half their screen was blank and not working.

Ron quickly realized the customer had managed to adjust the Windows Task Bar so it occupied half of the PC’s display.

“I resized the taskbar, locked it at regular size, and was out the door in under five minutes.”

Ron rates the job as the fastest money he ever made!

Let’s return to the greenscreen age for our final tale of fast fixes. It comes from a reader we’ll Regomize as “Connor” whose customer complained that his terminal would crash every day at around 2:00PM – a massive inconvenience as this customer was a securities trader. Then as now in that industry, any downtime meant dollars down the drain.

After plenty of tests and hardware replacements, no root cause could be found, so one of Connor’s colleagues was dispatched to stake out the machine.

On the second day of watching, the problem became apparent.

The greenscreen age was also the age of reading newspapers printed on actual newsprint – oh, the nostalgia! – and this user spent their lunch hours acquiring and reading both The Wall Street Journal and The Financial Times.

Upon returning from lunch, said user would fold both papers – which in those days could each be a couple of centimeters thick – and toss them onto the back of their terminal.

Which is where the machine’s air vents were located.

As the afternoon wore on, hot air produced by the cathode ray tube could not escape, heat would build up, and the boxes would crash.

“My engineer got a face-full of hot air when he pulled the papers off,” Connor told On Call. “Once the papers were relocated, the problem stopped!”

And once again, despite considerable investment in troubleshooting time, the fix itself took mere seconds.

There can’t be many of you at work today, and hopefully those of you compelled to exchange your labor for currency at this time of year aren’t very busy. So click here to send On Call an email with your story of fast tech support fixes, or the messes you’ve been asked to fix in this festive season, so we can tell your story when we return to work. ®
