This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Quincy Castro, CISO, Redis
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Beijing-linked hackers penetrated U.S. Treasury systems
According to a letter the U.S. Treasury Department sent to congressional lawmakers on Monday, a Chinese state-sponsored APT actor was responsible for what the department is calling “a major incident” that compromised Treasury workstations and unclassified documents, including at the Office of Foreign Assets Control (OFAC). The department had been notified on December 8 by BeyondTrust, a third-party remote support vendor, that “a foreign actor had obtained a security key” that allowed it “to remotely gain access to employee workstations and certain unclassified documents maintained by those users.” The letter “did not specify the number of impacted workstations or the kind of documents accessed,” and the department adds that the compromised service “has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information.”
Cybersecurity company’s Chrome extension hijacked for data theft
Cyberhaven is a data loss prevention company based in Palo Alto. On December 24 it suffered a breach as a result of “a successful phishing attack on an administrator account for the Google Chrome store.” The attackers used that access to publish a malicious version of the Cyberhaven extension containing information-stealer code, and Cyberhaven’s extension was one of at least five Chrome extensions compromised in the same campaign. Cyberhaven’s customers include Snowflake, Motorola, Canon, Reddit, and AmeriHealth, as well as many others. Cyberhaven’s internal security team removed the malicious package within an hour of its detection.
New details about hijacked Chrome extensions
In another update to a story we brought to you Monday on Cyber Security Headlines, new details have emerged about a phishing campaign targeting Chrome browser extension developers. Although initial reports focused on an extension from security firm Cyberhaven, subsequent investigations revealed the campaign affected at least 35 extensions collectively used by roughly 2,600,000 people. The attack leverages a phishing email appearing to come from Google and claiming the developer’s extension is in violation of Chrome Web Store policies. Victims are then redirected to an attacker-hosted OAuth application (named “Privacy Policy Extension”) where they are asked to grant permission to manage their Chrome extensions. Because the consent is granted to the attacker’s app through Google’s legitimate OAuth flow, the developer’s password and multi-factor authentication are never challenged. The attackers then inject data-stealing code into the extension and publish it as a “new” version, which users receive through the normal auto-update mechanism. The malicious extensions aim to steal user Facebook credentials and have the ability to bypass multi-factor authentication and CAPTCHA mechanisms. While recent reports indicate the campaign started around December 5, 2024, BleepingComputer identified that related command and control subdomains existed as far back as March 2024.
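A hijacked extension reaches users as an ordinary version bump, so one practical check is to diff the published manifest against the last version you reviewed and flag any widening of permissions, host access, or content-script targets, and to hash the packaged scripts so injected code in an already-permissive extension is also caught. The script below is an added example written for this page, not code from Cyberhaven, Google, or any of the affected extensions; the two manifests and file sets are constructed samples (an invented version number and host), and the “sensitive” API list is an assumption a team would tune to its own policy.

```python
"""Audit a Chrome extension update for newly added capabilities.

Added example for this page (not Cyberhaven's or Google's code). Compares the
manifest.json of a previously reviewed version with that of a newly published
one and reports additions to the fields that govern which pages the extension
can reach and which APIs it can call. Also reports packaged files whose
SHA-256 changed, since a hijacked extension that already holds broad
permissions needs no manifest change at all. Sample data is constructed.
"""
import hashlib
import json

WATCHED_LIST_FIELDS = ("permissions", "optional_permissions", "host_permissions")
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed policy: APIs whose addition should always trigger a manual review.
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "scripting", "history", "debugger", "nativeMessaging"}


def _as_set(manifest, key):
    return set(manifest.get(key) or [])


def content_script_matches(manifest):
    out = set()
    for cs in manifest.get("content_scripts") or []:
        out.update(cs.get("matches", []))
    return out


def externally_connectable(manifest):
    return set((manifest.get("externally_connectable") or {}).get("matches", []))


def diff_manifests(old, new):
    """Return {field: [added entries]} for every watched field that grew."""
    findings = {}
    for key in WATCHED_LIST_FIELDS:
        added = _as_set(new, key) - _as_set(old, key)
        if added:
            findings[key] = sorted(added)
    added_cs = content_script_matches(new) - content_script_matches(old)
    if added_cs:
        findings["content_scripts.matches"] = sorted(added_cs)
    added_ec = externally_connectable(new) - externally_connectable(old)
    if added_ec:
        findings["externally_connectable.matches"] = sorted(added_ec)
    if old.get("background") != new.get("background"):
        findings["background"] = [json.dumps(new.get("background"), sort_keys=True)]
    return findings


def risk_level(findings):
    """'high' for broad host access or a sensitive API, 'medium' for any other growth, else 'low'."""
    if not findings:
        return "low"
    hosts = set(findings.get("host_permissions", [])) | set(findings.get("content_scripts.matches", []))
    if hosts & BROAD_PATTERNS or set(findings.get("permissions", [])) & SENSITIVE_APIS:
        return "high"
    return "medium"


def changed_files(old_files, new_files):
    """old_files/new_files map path -> bytes. Returns paths that are new or whose SHA-256 differs."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    return sorted(p for p, b in new_files.items()
                  if p not in old_files or digest(old_files[p]) != digest(b))


# Constructed sample: the reviewed version and a hypothetical hijacked update.
SAMPLE_OLD = {
    "manifest_version": 3, "name": "Example DLP Agent", "version": "1.4.0",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://*.example-dlp.invalid/*"],
    "content_scripts": [{"matches": ["https://*.example-dlp.invalid/*"], "js": ["content.js"]}],
    "background": {"service_worker": "worker.js"},
}
SAMPLE_NEW = {
    "manifest_version": 3, "name": "Example DLP Agent", "version": "1.4.1",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["https://*.example-dlp.invalid/*", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"service_worker": "worker.js"},
}
SAMPLE_OLD_FILES = {"worker.js": b"console.log('ok');", "content.js": b"// reviewed"}
SAMPLE_NEW_FILES = {"worker.js": b"console.log('ok');", "content.js": b"// injected",
                    "inject.js": b"// new file"}

if __name__ == "__main__":
    findings = diff_manifests(SAMPLE_OLD, SAMPLE_NEW)
    print(json.dumps(findings, indent=2), "risk:", risk_level(findings))
    print("changed files:", changed_files(SAMPLE_OLD_FILES, SAMPLE_NEW_FILES))
```

Run it against the manifest and unpacked files of the version you last approved versus the `.crx` contents of the update; a “high” result or any changed script warrants pinning the old version (or blocking the extension via enterprise policy) until the code is reviewed.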
Russian tanker suspected of undersea data cable sabotage
On yesterday’s episode of Cyber Security Headlines, we mentioned briefly that Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea. The story continues to unfold. The ship seized was the Eagle S, an oil tanker that departed from a Russian port on December 25, and which is suspected of “intentionally dragging its anchor for several miles resulting in the complete severing of multiple cables, including the Estlink 2 power cable and four telecommunications cables.” Finnish authorities boarded the ship by helicopter, having “identified but not arrested seven suspects.” The ship is being treated as a crime scene on suspicions that it is more than just an oil tanker. A report from the shipping journal Lloyd’s List describes the Eagle S as having been “loaded with spying equipment unusual for a merchant ship, and used to monitor NATO naval and aircraft radio communications, and to drop ‘sensors-type devices’ in the English Channel.”
(The Record and Lloyd’s List)
Huge thanks to our sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
Volkswagen software company Cariad suffers Amazon cloud breach
The exposure, discovered by Europe’s largest ethical hacker association, the Chaos Computer Club (CCC), revealed that sensitive information for 800,000 electric vehicles from brands such as Audi, VW, and Skoda was left exposed on “a poorly secured and misconfigured Amazon cloud storage system.” The exposed data includes GPS coordinates, battery charge levels, and other vehicle status details, but experts warn that such data can be easily “connected to owners’ personal credentials, thanks to additional data accessible through VW Group’s online services.” The data had been vulnerable for months. A Cariad representative said that “the exposed data affected only vehicles connected to the internet and had been registered for online services,” and that the data “could only be accessed after bypassing several security mechanisms that required significant time and technical expertise.” An investigation by the German magazine Spiegel shows that the list of affected customers includes German politicians, entrepreneurs, the entire fleet of the Hamburg police force, and even suspected intelligence service employees.
(BleepingComputer, Carscoops, Spiegel)
Large-scale supply chain attack using generative AI now possible, says researcher
Crystal Morin, a former intelligence analyst for the U.S. Air Force and now a cybersecurity strategist at Sysdig, says she anticipates “seeing highly successful supply chain attacks in 2025 that originated with an LLM-generated spear phish.” This is because cybercrime groups know they do not need to train their own LLMs when they can steal credentials for existing ones and then jailbreak them. She states that this does not point to a fully AI-generated attack shutting down business operations; instead, the focus will be on more sophisticated social engineering campaigns. She calls spear phishing and social engineering her greatest security concern for 2025.
Iranian and Russian entities sanctioned for election interference
On Tuesday, the U.S. Office of Foreign Assets Control (OFAC) leveled sanctions against Iran’s Cognitive Design Production Center (CDPC) and Moscow’s Center for Geopolitical Expertise (CGE). OFAC alleged these entities attempted “to stoke socio-political tensions and influence the U.S. electorate during the 2024 U.S. election.” Back in August, Meta said it blocked WhatsApp accounts used by the Iranian threat actor Charming Kitten to target individuals in several countries, including the U.S. The Treasury Department said the Kremlin has developed “a vast ecosystem of Russian proxy websites, fake online personas, and front organizations that give the false appearance of being independent news sources unconnected to the Russian state.”