US Treasury Department breached through remote support platform

Chinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used by the federal agency.

In a letter to lawmakers seen by the New York Times, the Treasury Department said it was first notified of the breach on December 8th by its vendor BeyondTrust.

BeyondTrust is a privileged access management company that also offers a remote support SaaS platform that can be used to access computers remotely.

“Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” reads the letter seen by the New York Times.

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”

Earlier this month, BleepingComputer reported that BeyondTrust had been breached, with threat actors gaining access to some of the company’s Remote Support SaaS instances.

As part of this breach, the threat actors utilized a stolen Remote Support SaaS API key to reset passwords for local application accounts and gain further privileged access to the systems.

After investigating the attack, BeyondTrust discovered two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, that allowed threat actors to breach and take over Remote Support SaaS instances.

Because the Treasury Department was served by one of these compromised instances, the threat actors were able to use the platform to remotely access agency computers and steal documents.

After BeyondTrust detected the breach, they shut down all compromised instances and revoked the stolen API key.

The letter says that the FBI and CISA assisted in the investigation into the Treasury Department breach, and there is no evidence that the Chinese threat actors still have access to the agency’s computers now that the compromised instances were shut down.

Chinese state-sponsored threat actors known as “Salt Typhoon” have also been linked to recent hacks of nine U.S. telecommunication companies, including Verizon, AT&T, Lumen, and T-Mobile. The threat actors are believed to have breached telecom firms in dozens of other countries.

The threat actors utilized this access to target the text messages, voicemails, and phone calls of targeted individuals, and to access wiretap information of those under investigation by law enforcement.

Since this wave of telecom breaches, CISA has urged senior government officials to switch to end-to-end encrypted messaging apps like Signal to reduce communication interception risks.

The U.S. government reportedly plans to ban China Telecom’s last active U.S. operations in response to the telecom hacks.

BleepingComputer sent further questions to the Treasury Department about the breach but has not received a reply yet.

Top Cybersecurity Threats, Tools and Tips

Dec 30, 2024, by Ravie Lakshmanan (Cybersecurity / Hacking News)

Every week, the digital world faces new challenges and changes. Hackers are always finding new ways to breach systems, while defenders work hard to keep our data safe. Whether it’s a hidden flaw in popular software or a clever new attack method, staying informed is key to protecting yourself and your organization.

In this week’s update, we’ll cover the most important developments in cybersecurity. From the latest threats to effective defenses, we’ve got you covered with clear and straightforward insights. Let’s dive in and keep your digital world secure.

⚡ Threat of the Week

Palo Alto Networks PAN-OS Flaw Under Attack — Palo Alto Networks has disclosed a high-severity flaw impacting PAN-OS software that could cause a denial-of-service (DoS) condition on susceptible devices by sending a specially crafted DNS packet. The vulnerability (CVE-2024-3393, CVSS score: 8.7) only affects firewalls that have the DNS Security logging enabled. The company said it’s aware of “customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.”

🔔 Top News

  • Contagious Interview Drops OtterCookie Malware — North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. The malware, likely introduced in September 2024, is designed to establish communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.
  • Cloud Atlas Continues its Assault on Russia — Cloud Atlas, a hacking group of unknown origin that has extensively targeted Russia and Belarus, has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024. The attacks employ phishing emails containing Microsoft Word documents, which, when opened, trigger an exploit for a seven-year-old security flaw to deliver the malware. VBCloud is capable of harvesting files matching several extensions and information about the system. More than 80% of the targets were located in Russia. A smaller number of victims have been recorded in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
  • Malicious Python Packages Exfiltrate Sensitive Data — Two malicious Python packages, named zebo and cometlogger, have been found to incorporate features to exfiltrate a wide range of sensitive information from compromised hosts. The packages were downloaded 118 and 164 times, respectively, before they were taken down. A majority of these downloads came from the United States, China, Russia, and India.
  • TraderTraitor Behind DMM Bitcoin Crypto Heist — Japanese and U.S. authorities officially blamed a North Korean threat cluster codenamed TraderTraitor (aka Jade Sleet, UNC4899, and Slow Pisces) for the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. The attack is notable for the fact that the adversary first compromised the system of an employee of Japan-based cryptocurrency wallet software company named Ginco under the pretext of a pre-employment test. “In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” authorities said.
  • WhatsApp Scores Legal Victory Against NSO Group — NSO Group has been found liable in the United States after a federal judge in the state of California ruled in favor of WhatsApp, calling out the Israeli commercial spyware vendor for exploiting a security vulnerability in the messaging app to deliver Pegasus using WhatsApp’s servers 43 times in May 2019. The targeted attacks deployed the spyware on 1,400 devices globally by making use of a then zero-day vulnerability in the app’s voice calling feature (CVE-2019-3568, CVSS score: 9.8).

🔥 Trending CVEs

Heads up! Some popular software has serious security flaws, so make sure to update now to stay safe. The list includes CVE-2024-56337 (Apache Tomcat), CVE-2024-45387 (Apache Traffic Control), CVE-2024-43441 (Apache HugeGraph-Server), CVE-2024-52046 (Apache MINA), CVE-2024-12856 (Four-Faith routers), CVE-2024-47547, CVE-2024-48874, and CVE-2024-52324 (Ruijie Networks).

📰 Around the Cyber World

  • ScreenConnect Used to Deploy AsyncRAT — Microsoft has revealed that cybercriminals are leveraging tech support scams to deploy AsyncRAT through the remote monitoring and management (RMM) software ScreenConnect, the first time Microsoft has observed ScreenConnect being used to deliver malware rather than serving as a persistence or lateral movement tool. The company also said threat actors are using SEO poisoning and typosquatting to deploy SectopRAT, an infostealer used to target browser information and crypto wallets. The disclosure comes as Malwarebytes disclosed that criminals are employing decoy landing pages, also called “white pages,” that utilize AI-generated content and are propagated via bogus Google search ads. The scam involves attackers buying Google Search ads and using AI to create harmless-looking pages with unique content. The goal is to use these decoy ads to lure visitors to phishing sites that steal credentials and other sensitive data. Malvertising lures have also been used to distribute SocGholish malware by disguising the page as an HR portal for a legitimate company named Kaiser Permanente.
  • AT&T, Verizon Acknowledge Salt Typhoon Attacks — U.S. telecom giants AT&T and Verizon acknowledged that they had been hit by the China-linked Salt Typhoon hacking group, a month after T-Mobile made a similar disclosure. Both the companies said they don’t detect any malicious activity at this point, and that the attacks singled out a “small number of individuals of foreign intelligence interest.” The breaches occurred in large part due to the affected companies failing to implement rudimentary cybersecurity measures, the White House said. The exact scope of the attack campaign still remains unclear, although the U.S. government revealed that a ninth telecom company in the country was also a target of what now appears to be a sprawling hacking operation aimed at U.S. critical infrastructure. Its name was not disclosed. China has denied any involvement in the attacks.
  • Pro-Russian Hacker Group Targets Italian Websites — Around ten official websites in Italy were targeted by a pro-Russian hacker group named Noname057(16). The group claimed responsibility for the distributed denial-of-service (DDoS) attacks on Telegram, stating Italy’s “Russophobes get a well deserved cyber response.” Back in July, three members of the group were arrested for alleged cyber attacks against Spain and other NATO countries. Noname057(16) is one of the many hacktivist groups that have emerged in response to the ongoing conflicts in Ukraine and the Middle East, with groups aligned on both sides engaging in disruptive attacks to achieve social or political goals. Some of these groups are also state-sponsored, posing a significant threat to cybersecurity and national security. According to a recent analysis by cybersecurity company Trellix, it’s suspected that there’s some kind of an operational relationship between Noname057(16) and CyberArmyofRussia_Reborn, another Russian-aligned hacktivist group active since 2022. “The group has created alliances with many other hacktivist groups to support their efforts with the DDoS attacks,” Trellix said. “However, the fact that one of the previous CARR administrators, ‘MotherOfBears,’ has joined NoName057(16), the continuous forwarding of CARR posts, and previous statements, suggest that both groups seem to collaborate closely, which can also indicate a cooperation with Sandworm Team.”
  • UN Approves New Cybercrime Treaty to Tackle Digital Threats — The United Nations General Assembly formally adopted a new cybercrime convention, called the United Nations Convention against Cybercrime, that’s aimed at bolstering international cooperation to combat such transnational threats. “The new Convention against Cybercrime will enable faster, better-coordinated, and more effective responses, making both digital and physical worlds safer,” the UN said. “The Convention focuses on frameworks for accessing and exchanging electronic evidence, facilitating investigations and prosecutions.” INTERPOL Secretary General Valdecy Urquiza said the UN cybercrime convention “provides a basis for a new cross-sector level of international cooperation” necessary to combat the borderless nature of cybercrime.
  • WDAC as a Way to Impair Security Defenses — Cybersecurity researchers have devised a new attack technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot. “It makes use of a specially crafted WDAC policy to stop defensive solutions across endpoints and could allow adversaries to easily pivot to new hosts without the burden of security solutions such as EDR,” researchers Jonathan Beierle and Logan Goins said. “At a larger scale, if an adversary is able to write Group Policy Objects (GPOs), then they would be able to distribute this policy throughout the domain and systematically stop most, if not all, security solutions on all endpoints in the domain, potentially allowing for the deployment of post-exploitation tooling and/or ransomware.”

🎥 Expert Webinar

  1. Don’t Let Ransomware Win: Discover Proactive Defense Tactics — Ransomware is getting smarter, faster, and more dangerous. As 2025 nears, attackers are using advanced tactics to evade detection and demand record-breaking payouts. Are you ready to defend against these threats? Join the Zscaler ThreatLabz webinar to learn proven strategies and stay ahead of cybercriminals. Don’t wait—prepare now to outsmart ransomware.
  2. Simplify Trust Management: Centralize, Automate, Secure — Managing digital trust is complex in today’s hybrid environments. Traditional methods can’t meet modern IT, DevOps, or compliance demands. DigiCert ONE simplifies trust with a unified platform for users, devices, and software. Join the webinar to learn how to centralize management, automate operations, and secure your trust strategy.

🔧 Cybersecurity Tools

  • LogonTracer is a powerful tool for analyzing and visualizing Windows Active Directory event logs, designed to simplify the investigation of malicious logons. By mapping host names, IP addresses, and account names from logon-related events, it creates intuitive graphs that reveal which accounts are being accessed and from which hosts. LogonTracer overcomes the challenges of manual analysis and massive log volumes, helping analysts quickly identify suspicious activity with ease.
  • Game of Active Directory (GOAD) is a free, ready-to-use Active Directory lab designed specifically for pentesters. It offers a pre-built, intentionally vulnerable environment where you can practice and refine common attack techniques. Perfect for skill-building, GOAD eliminates the complexity of setting up your own lab, allowing you to focus on learning and testing various pentesting strategies in a realistic yet controlled setting.
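To make concrete what LogonTracer automates, here is an added Python example, not LogonTracer's own code, that builds the same account-to-host graph from a handful of constructed Windows Security 4624 (successful logon) records, flags accounts that fan out to an unusual number of hosts, and emits Graphviz DOT so the graph can be rendered. The field names follow the Windows event schema; the sample events, the noise filter and the fan-out threshold are assumptions made for the illustration.

```python
"""Toy account/host logon graph in the spirit of LogonTracer (not its code).

Input: Windows Security event 4624 records reduced to the fields LogonTracer
keys on: account, source host/IP, logon type. All sample records below are
constructed for this example.
"""
from collections import defaultdict

# Constructed sample events. LogonType 2 = interactive, 3 = network, 10 = RDP.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.11", "WorkstationName": "WS-ALICE", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.11", "WorkstationName": "WS-ALICE", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.12", "WorkstationName": "WS-BOB", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.50", "WorkstationName": "BACKUP01", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.11", "WorkstationName": "WS-ALICE", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.12", "WorkstationName": "WS-BOB", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.13", "WorkstationName": "WS-CAROL", "LogonType": 10},
    # Noise that a logon graph should drop: a privilege-assignment event, an
    # anonymous logon and a machine account (names ending in "$").
    {"EventID": 4672, "TargetUserName": "svc_backup", "IpAddress": "-", "WorkstationName": "-", "LogonType": None},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.99", "WorkstationName": "-", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "WS-BOB$", "IpAddress": "10.0.0.12", "WorkstationName": "WS-BOB", "LogonType": 3},
]

NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def build_graph(events):
    """Return {account: {host: [logon types]}} from 4624 events, dropping noise."""
    graph = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.get("EventID") != 4624:
            continue
        user = e.get("TargetUserName", "")
        if user in NOISE_ACCOUNTS or user.endswith("$"):
            continue
        # Prefer the workstation name; fall back to the source IP.
        host = e.get("WorkstationName") or e.get("IpAddress") or "?"
        graph[user][host].append(e.get("LogonType"))
    return graph


def hosts_per_account(graph):
    """Number of distinct hosts each account logged on to."""
    return {user: len(hosts) for user, hosts in graph.items()}


def accounts_per_host(graph):
    """Inverse view: which accounts were seen on each host."""
    inv = defaultdict(set)
    for user, hosts in graph.items():
        for host in hosts:
            inv[host].add(user)
    return {host: sorted(users) for host, users in inv.items()}


def flag_fan_out(graph, max_hosts=2, interactive_types=(2, 10, 11)):
    """Accounts reaching more than max_hosts hosts; note where logons were interactive.

    A service account that suddenly has an RDP (type 10) session on a
    workstation is the kind of edge an analyst wants to see first.
    """
    findings = []
    for user, hosts in graph.items():
        if len(hosts) > max_hosts:
            interactive = sorted(h for h, types in hosts.items()
                                 if any(t in interactive_types for t in types))
            findings.append({"account": user, "hosts": sorted(hosts), "interactive_on": interactive})
    return findings


def to_dot(graph):
    """Graphviz DOT text: one undirected edge per account/host pair."""
    lines = ["graph logons {"]
    for user, hosts in sorted(graph.items()):
        for host, types in sorted(hosts.items()):
            lines.append(f'  "{user}" -- "{host}" [label="{len(types)}x type {sorted(set(types))}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    for finding in flag_fan_out(g):
        print("fan-out:", finding)
    print(to_dot(g))
```

Feed the output of to_dot to `dot -Tsvg` to get a picture; on real data the 4624 records come from the Security log (for example exported with wevtutil or a SIEM query), and the threshold should be tuned per account class, since legitimate administrators and scanners fan out by design.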

🔒 Tip of the Week

Isolate Risky Apps with Separate Spaces — When you need to use a mobile app but aren’t sure if it’s safe, keep it away from your personal data by running it in a separate space on your phone. For Android users, create a Guest or new user profile (Settings > Users & Accounts on many devices; the exact menu varies by manufacturer and Android version).

Install the uncertain app within this isolated profile and deny permissions it does not need, such as access to contacts or location. Each Android user profile has its own app data, accounts, and storage, so a misbehaving app in the separate profile cannot read the data of apps in your main profile; it still runs on the same device and network, so this is a separation of data rather than full isolation. iPhone does not offer user profiles. Guided Access (Settings > Accessibility > Guided Access) locks the screen to a single app and disables hardware buttons or touch areas, which limits what a person can do on the device rather than what the app can access. iOS apps are sandboxed by default, so on iPhone rely on declining per-app permission prompts and reviewing what each app was granted under Settings > Privacy & Security.

If the app behaves suspiciously, you can easily remove it from the separate space without affecting your primary profile. By isolating apps you’re unsure about, you add an extra layer of security to your device, keeping your personal information safe while still allowing you to use the necessary tools.

Conclusion

This week’s cybersecurity updates highlight the importance of staying vigilant and prepared. Here are some simple steps to keep your digital world secure:

  • Update Regularly: Always keep your software and devices up-to-date to patch security gaps.
  • Educate Your Team: Teach everyone to recognize phishing emails and other common scams.
  • Use Strong Passwords: Create unique, strong passwords and enable two-factor authentication where possible.
  • Limit Access: Ensure only authorized people can access sensitive information.
  • Backup Your Data: Regularly backup important files to recover quickly if something goes wrong.

By taking these actions, you can protect yourself and your organization from emerging threats. Stay informed, stay proactive, and prioritize your cybersecurity. Thank you for joining us this week—stay safe online, and we look forward to bringing you more updates next week!

AT&T, Verizon, Lumen confirm Salt Typhoon breach • The Register

AT&T, Verizon, and Lumen Technologies confirmed that Chinese government-backed snoops accessed portions of their systems earlier this year, while the White House added another, yet-unnamed telecommunications company to the list of those breached by Salt Typhoon.

The digital intrusion, which has been called the “worst telecom hack in our nation’s history,” gave Beijing-backed spies the “capability to geolocate millions of individuals” and “record phone calls at will,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters.

In a statement emailed to The Register, AT&T said the foreign spies compromised “a small number” of its customers in the espionage campaign and added that the PRC-backed crew had since been kicked out of its networks.

“We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said. 

“Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest,” the statement added. “In the relatively few instances in which an individual’s information was impacted, we have complied with our notification obligations in cooperation with law enforcement.”

AT&T continues to monitor its networks and work with government officials, other telecom firms, and cybersecurity experts on the investigation, the spokesperson said.

Verizon also confirmed that the Chinese intruders had accessed “a small number of high-profile customers in government and politics.” A spokesperson told The Register that it notified these customers, and has since “contained the cyber incident brought on by this nation-state threat actor.”

An unnamed, “highly respected” cybersecurity company has also confirmed the containment, the Verizon spokesperson added.

According to the operator’s chief legal officer, Verizon partnered with federal law enforcement, national security agencies, other telecom partners, and security firms upon detecting the network activity.

“We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” Verizon’s Chief Legal Officer Vandana Venkatesh told The Register.

Finally, Lumen Technologies, another one of the firms reportedly breached in the attack, told us that it has also booted the Chinese attackers out of its systems, and said it found “no evidence” that customer data was accessed.

“An independent forensics firm has confirmed Salt Typhoon is no longer in our network,” a spokesperson told The Register. “In addition, our federal partners have not shared any information that would suggest otherwise.”

T-Mobile’s security boss previously spoke to The Register about the espionage campaign and said the intruders were detected and cut off from its systems “within a single-digit number of days.”

9 telecom firms compromised, White House says

The companies’ admissions come as a top White House official added another unnamed firm to the list of those breached, bringing the total thus far to nine. Neuberger previously said eight had been compromised. Only four of the nine, AT&T, Verizon, Lumen, and T-Mobile US, have publicly confirmed the intrusion.

“The Chinese gained access to networks, essentially had broad and full access,” Neuberger told reporters. “We believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.”

In one instance, the spies broke into an admin account that then gave them access to more than 100,000 routers, she added. “So, when the Chinese compromised that account, they gained that kind of broad access across the network,” Neuberger said. “That’s not meaningful cybersecurity to defend against a nation-state actor.” 

The White House doesn’t yet have a number on how many total people were affected by the breach, she added. 

“We believe a large number of individuals were affected by geolocation and metadata of phones; a smaller number around actual collection of phone calls and texts,” Neuberger said. “And I think the scale we’re talking about is far larger on the geolocation; probably less than 100 on the actual individuals.”

Following the intrusion, the White House emphasized the inadequacy of voluntary cybersecurity measures against nation-state threats. The Federal Communications Commission (FCC) launched a public rule proposal requiring basic cybersecurity practices for telecom carriers. The commissioners are expected to vote on the rule by January 15.

In addition to the FCC’s own efforts, US Senator Ron Wyden (D-OR) has also proposed legislation that would require the FCC to issue binding rules for telecom systems.

Plus, according to Neuberger, all of the nine telecom CEOs whose companies were hacked have signed on to the government’s 60-day Enduring Security Framework.

This public-private effort aims to put in place minimum cybersecurity practices that have been agreed upon by intelligence officers, CISA, the FBI, and telecom security experts.

Thousands of industrial routers vulnerable to command injection flaw 

Thousands of industrial routers from a Chinese telecommunications equipment manufacturer are affected by a post-authentication command injection flaw, with indications it is already being exploited in the wild to infect devices with Mirai malware.

On Dec. 27, VulnCheck detailed the vulnerability, tracked as CVE-2024-12856, wherein an attacker can leverage default credentials in Four-Faith F3x24 and F3x36 routers to remotely inject commands into the operating system. 

Meanwhile, a malicious IP was observed attempting to leverage the vulnerability. VulnCheck Chief Technology Officer Jacob Baines wrote that his team identified the same user agent referenced in a November blog by DucklingStudio attempting to use the vulnerability to deploy a different malware payload.

Baines also posted a video demonstration of the flaw being exploited on X.

The vulnerability appears to be connected to the spread of a variant of Mirai, the infamous malware and botnet known to target Internet of Things devices. DucklingStudio used a honeypot to detect the malware on Nov. 9, and an update on Dec. 28 explicitly connected it to the listed CVE for Four-Faith’s industrial routers.

Variants of Mirai —first observed in 2016 and originally written by a group of teenagers to create botnets — remain one of the most popular forms of malware attacking IoT devices worldwide. According to Zscaler, Mirai was identified in over a third of all IoT malware attacks between June 2023 and May 2024, far outpacing other malware families, while more than 75% of blocked IoT transactions were linked to the malicious code.

VulnCheck also published a rule for the open-source network detection engine Suricata that flags exploitation attempts against the affected routers. The rule appeared as an image in the original article (caption: “Detection rule for CVE-2024-12856 affecting Four-Faith industrial routers”, source: VulnCheck).

According to Censys, there are at least 15,000 connected routers potentially vulnerable to the flaw, and VulnCheck left open the possibility that additional router products may be affected. The National Institute of Standards and Technology’s National Vulnerability Database lists the severity of the bug at 7.2 and notes that firmware version 2.0 (and possibly others) allows for authenticated and remote command injection attacks over HTTP.

The listed CVE does not yet include details about patching or remediation. Baines noted in his blog that VulnCheck notified Four-Faith of the vulnerability and affected routers on Dec. 20, and directed further questions about remediation to the company. Four-Faith did not return a request for comment sent through its website prior to publication.

According to the company’s website, Four-Faith is headquartered in Xiamen, a city in the Southeastern province of Fujian, China. It specializes in manufacturing industrial routers, Internet of Things devices, modems and other wireless communications technologies, and claims to have exported its technologies to over 100 countries.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

How to Get the Most Out of Cyber Insurance

COMMENTARY

Cybersecurity insurance is the fastest-growing segment of the global insurance market, and there’s a good reason for that. Cybersecurity has become one of the most critical requirements for organizations of all types — from small business to large corporation — as cyber threats remain constant. 

Unsurprisingly, cyber-insurance rates increased substantially from 2018 to 2022. Though overall cyber-insurance premiums began to decrease in 2023, many organizations are still seeing their rates rise.

Costs Are Increasing — for Those Able to Get Insured

The cyber-insurance industry is maturing just as quickly as cyber threats are growing in quantity, scale, and sophistication. As payouts and annual premiums increase, coverage limits are becoming more restrictive.

In a 2023 survey of US organizations, “79% saw insurance costs increase, with 67% facing an increase of 50-100%.” Smaller companies, with fewer than 250 employees, were more likely to be denied coverage than large businesses (28% versus 8%). The primary reason small businesses were rejected was their lack of security protocols.

The good news is that the work you do to strengthen your organization’s overall security posture and identity hygiene is also the work that will satisfy many of the compliance requirements underwriters are looking for — resulting in better security protections and better insurance coverage and premiums.

Tips to Ensure Affordable Cybersecurity Protection

Self-assess: To help with the process, proactively self-assess your risk profile and ask yourself the hard questions before the underwriters do. Conduct a thorough self-assessment of your current cybersecurity posture, identifying strengths and weaknesses.

This process has two main benefits: 

  1. It gives you a clear picture of where you stand now. 

  2. It guides you to evaluate policy options that will cover your specific risks.

Don’t underestimate risks: Make sure not to underestimate your company’s or industry’s risks. Everyone is vulnerable to cyberattacks, not just traditional high-risk sectors such as financial services. In recent years, we’ve seen cyber incidents across many verticals, including healthcare, energy, and retail.

Insurance providers categorize rates based on industry-specific risks, comparing you to your peers in the process. Understand your sector’s unique vulnerabilities — even if you haven’t had to worry about them in the past—and be prepared to demonstrate how you’re addressing them. 

Know your coverage limits: That leads me to my next piece of advice — understand your coverage limits. Thoroughly review the limits, sublimits, and exclusions in your policy. Pay close attention to what the coverage provides in terms of the full scope of potential losses, including third-party liabilities and regulatory fines. You can often negotiate terms, including specific clauses and deductibles, during the process.

Not all policies are the same. Many insurance providers focus on particular verticals or demographics. They each have different views of risk and leverage a range of data points to make their decisions. Do your research on individual providers to find the best fit for your organization, and regularly review your policy. The threat landscape is always changing, and the coverage you need may evolve along with it. Conduct periodic reviews of your policy well ahead of your renewal date to make sure it is still meeting your needs.

Understand your requirements: It’s important to pay attention to the compliance requirements. Many policies explicitly call out compliance requirements. Failing to meet these standards can result in having your claims denied. Carefully assess your policy’s requirements to verify that you are fulfilling them.

When engaging with insurance providers, be ready to show your work. Demonstrate the effectiveness of your security controls, particularly those related to identity hygiene. If you’re renewing your policy, show how you’ve matured your approach to cyber-risk since your last assessment. What tangible improvements have you made? What products are you using to automate processes?

Focus on areas that underwriters prioritize, such as privileged access management and credential protection. Quantify your progress by highlighting reductions in accounts with administrative access or new requirements for regular password updates. Providers are looking for year-over-year maturity — moving from ad hoc, manual approaches to clean, consistent, automated, and sustainable hygiene practices. Be sure that you are getting full credit for your hard work.

Conclusion

As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.

Prepare for increasingly rigorous risk assessments from providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.

Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.

Microsoft issues urgent dev warning to update .NET installer link

Microsoft is urging .NET developers to quickly update their apps and developer pipelines so they do not use ‘azureedge.net’ domains to install .NET components, as the domains will soon be unavailable due to the bankruptcy and imminent shutdown of CDN provider Edgio.

Specifically, the domains “dotnetcli.azureedge.net” and “dotnetbuilds.azureedge.net” will be taken offline in the next few months, which could break the functionality of projects relying on the domains.

This includes developers using .NET installers residing on the affected domains, organizations using GitHub Actions or Azure DevOps with custom pipelines using those domains, Docker and script users with files and code referencing the retired domains, and more.

“We maintain multiple Content Delivery Network (CDN) instances for delivering .NET builds. Some end in azureedge.net. These domains are hosted by edg.io, which will soon cease operations due to bankruptcy. We are required to migrate to a new CDN and will be using new domains going forward,” explains Microsoft.

“It is possible that azureedge.net domains will have downtime in the near-term. We expect that these domains will be permanently retired in the first few months of 2025.”

Microsoft recommends that potentially impacted developers search their code, scripts, and configurations for references to azureedge.net and dotnetcli.blob.core.windows.net and replace them with builds.dotnet.microsoft.com.

During the transition, the new domains will be served by a combination of Edgio, Akamai, and Azure Front Door, as Microsoft works on solidifying the final distribution model with other CDN providers.

CI/CD teams need to ensure GitHub Actions (actions/setup-dotnet) and Azure DevOps tasks are updated to versions supporting the new domains, while updates for Azure DevOps Server are expected in early 2025.

Additionally, given that new CDN domains will now be used, even when configurations are auto-updated, firewalls need to be set to allow traffic from the new locations (builds.dotnet.microsoft.com and ci.dot.net). 
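As an added example (not Microsoft's tooling or anything from the article), the Python script below walks a source tree for the retiring hosts named above, reports each hit by file and line, and can rewrite them in place. The dotnetcli to builds.dotnet.microsoft.com mapping is the one the article gives; mapping dotnetbuilds.azureedge.net to ci.dot.net is an assumption here, and the workflow and Dockerfile lines are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Retiring host -> replacement. dotnetcli -> builds.dotnet.microsoft.com is what the
# article states; dotnetbuilds -> ci.dot.net is an assumption made in this example.
RETIRING_HOSTS = {
    "dotnetcli.azureedge.net": "builds.dotnet.microsoft.com",
    "dotnetcli.blob.core.windows.net": "builds.dotnet.microsoft.com",
    "dotnetbuilds.azureedge.net": "ci.dot.net",
}
HOST_RE = re.compile(r"\b(" + "|".join(map(re.escape, RETIRING_HOSTS)) + r")\b")

# Where pipeline, script and container definitions usually live.
SCAN_SUFFIXES = {".yml", ".yaml", ".sh", ".ps1", ".cmd", ".json", ".props",
                 ".targets", ".csproj", ".md", ".txt"}
SCAN_NAMES = {"Dockerfile", "global.json"}

# Constructed samples standing in for a GitHub Actions workflow and a Dockerfile.
SAMPLE_WORKFLOW = """\
steps:
  - run: curl -sSL https://dotnetcli.azureedge.net/dotnet/Sdk/8.0.100/dotnet-sdk-8.0.100-linux-x64.tar.gz -o sdk.tgz
  - run: curl -sSL https://dotnetbuilds.azureedge.net/public/Sdk/latest.version
"""
SAMPLE_DOCKERFILE = "RUN curl -fsSL https://dotnetcli.blob.core.windows.net/dotnet/install/dotnet-install.sh -o dotnet-install.sh\n"

def find_references(text):
    """Return (line_no, host, replacement) for every retiring host in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HOST_RE.finditer(line):
            hits.append((line_no, match.group(1), RETIRING_HOSTS[match.group(1)]))
    return hits

def rewrite(text):
    """Return text with every retiring host swapped for its replacement."""
    return HOST_RE.sub(lambda m: RETIRING_HOSTS[m.group(1)], text)

def scan_tree(root, fix=False):
    """Map relative path -> hits for files under root; with fix=True rewrite them in place."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name not in SCAN_NAMES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a config file this tool can fix
        hits = find_references(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
            if fix:
                path.write_text(rewrite(text), encoding="utf-8")
    return report

def run_demo():
    """Write the constructed samples to a temp dir, fix them, return (report, leftovers)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".github" / "workflows").mkdir(parents=True)
        (root / ".github" / "workflows" / "build.yml").write_text(SAMPLE_WORKFLOW, encoding="utf-8")
        (root / "Dockerfile").write_text(SAMPLE_DOCKERFILE, encoding="utf-8")
        report = scan_tree(root, fix=True)
        leftovers = scan_tree(root)  # second pass must come back empty
    return report, leftovers

if __name__ == "__main__":
    for rel, hits in run_demo()[0].items():
        print(rel, hits)
```

Run it with fix=False first to review the report, then re-run the scan after fixing to confirm no references remain before the domains go offline.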

The tech giant notes that the timing is quite unfortunate, as impacted users are requested to take action during the holidays when most IT teams are understaffed.

When asked why Microsoft can’t simply transfer the domains and continue using them, Rich Lander, Program Manager of .NET at Microsoft, said it was not possible.

“We asked the same question. We were told that this option wasn’t being made available. We don’t have more information on that,” explained Lander.

The answer is confusing as Microsoft’s Scott Hanselman confirmed that Microsoft already obtained ownership of the domains, stating that “no other party will ever have access to use these domains.”

By owning the domains and preventing their reuse, the chances of a supply chain compromise for those not migrating their applications are minimal. However, it still doesn’t explain the sudden rush to migrate domains and the risks of operational disruptions.

If you’re impacted, you can follow the issue more closely and access status updates on this GitHub page.

BleepingComputer contacted Microsoft with questions about this .NET domain migration but has not received a reply at this time.




New HIPAA Rules Mandate 72-Hour Data Restoration and Annual Compliance Audits


Dec 30, 2025 | Ravie Lakshmanan | Cybersecurity / Compliance

The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations with an aim to safeguard patients’ data against potential cyber attacks.

The proposal, which seeks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to bolster the cybersecurity of critical infrastructure, the OCR said.

The rule is designed to strengthen protections for electronic protected health information (ePHI) by updating the HIPAA Security Rule’s standards to “better address ever-increasing cybersecurity threats to the healthcare sector.”

To that end, the proposal, among other things, requires organizations to review their technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore certain relevant electronic information systems and data within 72 hours of their loss.


Other notable clauses include carrying out a compliance audit at least once every 12 months, mandating encryption of ePHI at rest and in transit, enforcing the use of multi-factor authentication, deploying anti-malware protection and removing extraneous software from relevant electronic information systems.

The Notice of Proposed Rulemaking (NPRM) also necessitates that healthcare entities implement network segmentation, set up technical controls for backup and recovery, as well as perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.

The development comes as the healthcare sector continues to be a lucrative target with ransomware attacks, not only posing financial risk but also putting lives at stake by disrupting access to diagnostic equipment and critical systems that contain patient medical records.

“Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks,” Microsoft noted in October 2024. “However, a more significant reason these facilities are at risk is the potential for huge financial payouts.”

“Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner.”

According to data compiled by cybersecurity company Sophos, 67% of healthcare organizations were hit by ransomware in 2024, up from 34% in 2021. The root cause behind a majority of these incidents has been traced back to exploited vulnerabilities, compromised credentials, and malicious emails.

Furthermore, 53% of healthcare organizations that had data encrypted paid the ransom to restore access. The median ransom payment was at $1.5 million.


The increase in the rate of ransomware attacks against healthcare entities has also been accompanied by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, a significant drop from 54% in 2022.

“The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” Sophos CTO John Shier said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.”

Last month, the World Health Organization (WHO), a United Nations agency focused on global public health, characterized the ransomware attacks on hospitals and healthcare systems as “issues of life and death” and called for international cooperation to combat the cyber threat.





Happy 15th Anniversary, KrebsOnSecurity! – Krebs on Security


Image: Shutterstock, Dreamansions.

KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service OneRep had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox users.

A story digging into the consumer data broker Radaris found its CEO was a fabricated identity, and that the company’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and published all of the supporting evidence that wasn’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

The homepage of Stark Industries Solutions.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research published in September explored the dark nexus between harm groups and cybercrime communities consumed with perpetrating financial fraud. That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname Judische. Identified by Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans. That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

In November, KrebsOnSecurity published a profile of Judische’s accomplice — a hacker known as Kiberphant0m — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or recently were a U.S. Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled Cryptomus, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

How to Lose a Fortune with Just One Bad Click told the sad tales of two cryptocurrency heist victims who were scammed out of six and seven figures after falling for complex social engineering schemes over the phone. In these attacks, the phishers abused at least four different Google services to trick targets into believing they were speaking with a Google representative, and into giving thieves control over their account with a single click. Look for a story here in early 2025 that will explore the internal operations of these ruthless and ephemeral voice phishing gangs.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for KrebsOnSecurity.com. There is zero third-party content on this website, apart from the occasional YouTube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by your readership, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!




LLMs could soon supercharge supply-chain attacks • The Register


Interview Now that criminals have realized there’s no need to train their own LLMs for any nefarious purposes – it’s much cheaper and easier to steal credentials and then jailbreak existing ones – the threat of a large-scale supply chain attack using generative AI becomes more real.

No, we’re not talking about a fully AI-generated attack from the initial access to the business operations shutdown. Technologically, the criminals aren’t there yet. But one thing LLMs are getting very good at is assisting in social engineering campaigns. 

And this is why Crystal Morin, former intelligence analyst for the US Air Force and cybersecurity strategist at Sysdig, anticipates seeing highly successful supply chain attacks in 2025 that originate with an LLM-generated spear phish.

When it comes to using LLMs, “threat actors are learning and understanding and gaining the lay of the land just the same as we are,” Morin told The Register. “We’re in a footrace right now. It’s machine against machine.”

Sysdig, along with other researchers, in 2024 documented an uptick in criminals using stolen cloud credentials to access LLMs. In May, the container security firm documented attackers targeting Anthropic’s Claude LLM model.

While they could have exploited this access to extract LLM training data, their primary goal in this type of attack appeared to be selling access to other criminals. This left the cloud account owner footing the bill — at the hefty price of $46,000 per day related to LLM consumption costs.

Digging deeper, the researchers discovered that the broader script used in the attack could check credentials for 10 different AI services: AI21 Labs, Anthropic, AWS Bedrock, Azure, ElevenLabs, MakerSuite, Mistral, OpenAI, OpenRouter, and GCP Vertex AI.


Later in the year, Sysdig spotted attackers attempting to use stolen credentials to enable LLMs. 

The threat research team calls any attempt to illegally obtain access to a model “LLMjacking,” and in September reported that these types of attacks were “on the rise, with a 10x increase in LLM requests during the month of July and 2x the amount of unique IP addresses engaging in these attacks over the first half of 2024.”

This costs victims a significant amount of money; according to Sysdig, it can run to more than $100,000 per day when the victim org is using newer models like Claude 3 Opus.

Plus, victims are forced to pay for people and technology to stop these attacks. There’s also a risk of enterprise LLMs being weaponized, leading to further potential costs.

2025: The year of LLM phishing?

In 2025, “the greatest concern is with spear phishing and social engineering,” Morin said. “There’s endless ways to get access to an LLM, and they can use this GenAI to craft unique, tailored messages to the individuals that they’re targeting based on who your employer is, your shopping preferences, the bank that you use, the region that you live in, restaurants and things like that in the area.”

In addition to helping attackers overcome language barriers, this can make messages sent via email or social media messaging apps appear even more convincing because they are expressly crafted for the individual victims. 

“They’re going to send you a message from this restaurant that’s right down the street, or popular in your town, hoping that you’ll click on it,” Morin added. “So that will enable their success quite a bit. That’s how a lot of successful breaches happen. It’s just the person-on-person initial access.”

She pointed to the Change Healthcare ransomware attack – for which, we should make very clear, there is no evidence suggesting it was assisted by an LLM – as an example of one of 2024’s hugely damaging breaches. 

In this case, a ransomware crew locked up Change Healthcare’s systems, disrupting thousands of pharmacies and hospitals across the US and accessing private data belonging to around 100 million people. It took the healthcare payments giant nine months to restore its clearinghouse services following the attack.


“Going back to spear phishing: imagine an employee of Change Healthcare receiving an email and clicking on a link,” Morin said. “Now the attacker has access to their credentials, or access to that environment, and the attacker can get in and move laterally.”

When and if we see this type of GenAI assist, “it will be a very small, simple portion of the attack chain with potentially massive impact,” she added.

While startups and established companies are releasing security tools that also use AI to detect and prevent email phishes, there are some really simple steps everyone can take to avoid falling for any type of phishing attempt. “Just be careful what you click,” Morin advised.

Think before you click

Also: pay close attention to the email sender. “It doesn’t matter how good the body of the email might be. Did you look at the email address and it’s some crazy string of characters or some weird address like name@gmail but it says it’s coming from Verizon? That doesn’t make sense,” she added. 

LLMs can also help criminals craft a domain with different alphanumerics based on legitimate, well-known company names, and they can use various prompts to make the sender look more believable. 

Even voice-call phishing will likely become harder to distinguish because of AI used for voice cloning, Morin believes.

“I get, like, five spam calls a day from all over the country and I just ignore them because my phone tells me it’s spam,” she noted.

“But they use voice cloning now, too,” Morin continued. “And most of the time when people answer your phone, especially if you’re driving or something, you’re not actively listening, or you’re multitasking, and you might not catch that this is a voice clone – especially if it sounds like someone that’s familiar, or what they’re saying is believable, and they really do sound like they’re from your bank.”

We saw a preview of this during the run-up to the 2024 US presidential election, when AI-generated robocalls impersonating President Biden urged voters not to participate in a state presidential primary election.

Since then, the FTC issued a $25,000 reward to solicit ideas on the best ways to combat AI voice cloning and the FCC declared AI-generated robocalls to be illegal.

Morin doesn’t expect this to be a deterrent to criminals. 

“If there’s a will, there’s a way,” she opined. “If it costs money, then they’ll figure out a way to get it for free.”




Ukrainian sentenced to five years in jail for work on Raccoon Stealer


Ukrainian national Mark Sokolovsky was sentenced Wednesday to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data.

According to court documents, Sokolovsky, 28, was integral to operations that allowed the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency. Users predominantly deployed this malware through phishing schemes to extract data from unsuspecting victims. The stolen data included login credentials, financial information, and other personal records, often used for financial crimes or sold on cybercrime forums.

Raccoon Infostealer, a potent tool in the cybercriminal arsenal, was dismantled by international law enforcement, alongside Sokolovsky’s arrest, in March 2022. In October 2022, a grand jury indicted Sokolovsky — also known as “Photix,” “raccoonstealer,” and “black21jack77777” — for charges including conspiracy to commit fraud, money laundering, and aggravated identity theft. He was extradited from the Netherlands to the U.S. in February.

Mark Sokolovsky was sentenced Wednesday to five years in federal prison. (Department of Justice)

In a plea deal reached in October, Sokolovsky agreed to forfeit $23,975 and pay restitution of at least $910,844.61. His actions were linked to compromising over 52 million user credentials, which facilitated fraud, identity theft, and ransomware attacks affecting victims worldwide.

U.S. Attorney Jaime Esparza for the Western District of Texas described Sokolovsky as a pivotal figure in an international conspiracy that enabled amateurs to commit significant cybercrimes. He praised the teamwork of international law enforcement in capturing Sokolovsky and promised to keep working hard to fight cybercrime.

The Raccoon Infostealer had reportedly claimed to cease operations in March 2022 following the death of a developer in the Russian invasion of Ukraine. However, reports suggested a resurgence of the malware by June 2022. 


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


