In today’s cybersecurity news…
U.S. soldier arrested for alleged leak of Trump and Harris call logs
In an update to a story we covered in late November on Cyber Security Headlines, authorities have arrested a 20-year-old U.S. Army soldier, Cameron John Wagenius, for allegedly selling “confidential phone records” in online forums last November. KrebsOnSecurity connected Wagenius to the online alias “Kiberphant0m” who claimed to have hacked 15 telecom firms. In November, Kiberphant0m posted what they claimed were AT&T call logs for President-elect Donald Trump and Vice President Kamala Harris. It’s not yet clear if that data was genuine, but AT&T did suffer a major theft of customer data as part of the Snowflake account breaches last year. In his latest report, Krebs spoke with Wagenius’ mother, who confirmed his connection to the Snowflake hacker.
(The Register and The Verge)
Iranian and Russian entities sanctioned for election interference
On Tuesday, the U.S. Office of Foreign Assets Control (OFAC) leveled sanctions against Iran’s Cognitive Design Production Center (CDPC) and Moscow’s Center for Geopolitical Expertise (CGE). OFAC alleged these entities attempted “to stoke socio-political tensions and influence the U.S. electorate during the 2024 U.S. election.” Back in August, Meta said it blocked WhatsApp accounts used by Iranian threat actor Charming Kitten to target individuals in several countries, including the U.S. The Treasury Department said the Kremlin has developed “a vast ecosystem of Russian proxy websites, fake online personas, and front organizations that give the false appearance of being independent news sources unconnected to the Russian state.”
Rhode Island’s health benefits data leaked
Following up on a story we brought to you two weeks ago on Cyber Security Headlines, cybercriminals have now leaked data stolen from Rhode Island’s health benefits system on the dark web. The RIBridges system was designed by consulting firm Deloitte and supports state programs like Medicaid, childcare assistance, long-term care, and HealthSource RI insurance. Deloitte is investigating and has been in contact with the responsible threat actor, Brain Cipher. However, it remains unclear exactly what data was leaked. Governor Daniel McKee said the state is informing impacted individuals with instructions on how to access free credit monitoring. Rhode Islanders are urged to protect their financial information by freezing and monitoring credit, enabling multi-factor authentication, and avoiding phishing scams.
(Security Affairs and Healthcare IT News)
New details about hijacked Chrome extensions
In another update to a story we brought to you Monday on Cyber Security Headlines, new details have emerged about a phishing campaign targeting Chrome browser extension developers. Although initial reports focused on an extension from security firm Cyberhaven, subsequent investigations revealed the campaign affected at least 35 extensions collectively used by roughly 2,600,000 people. The attack leverages a phishing email appearing to come from Google and claiming the dev’s extension is in violation of Chrome Web Store policies. Victims are then redirected to an attacker-hosted OAuth application (named “Privacy Policy Extension”) where they are asked to grant permission to manage their Chrome extensions. The attackers then inject data-stealing code into the extension and publish it as a “new” version. The malicious extensions aim to steal user Facebook credentials and have the ability to bypass multi-factor authentication and CAPTCHA mechanisms. While recent reports indicate the campaign started around December 5, 2024, BleepingComputer identified that related command and control subdomains existed as far back as March 2024.
Harley-Davidson allegedly targeted by cyber criminals
According to a recent report, a threat actor dubbed “888” claimed in a post on an underground forum that it hacked systems of Harley-Davidson and stole over 66,000 customer records. Harley-Davidson has yet to issue any statement addressing or confirming the incident. 888’s post states that compromised information would include personal details such as names, addresses, emails, and other vehicle-related preferences. The threat actor posted a data sample presumably exfiltrated from the company’s systems or from a third-party vendor.
New “DoubleClickjacking” exploit bypasses protections on major websites
Threat hunters have identified a new vulnerability that allows for account takeovers on almost all major websites. Clickjacking (also called UI redressing) is an attack that tricks users into clicking on a seemingly innocuous web page element (e.g., a button), leading to the deployment of malware or exfiltration of sensitive data. Security researcher Paulos Yibelo explained that DoubleClickjacking takes advantage of a double-click sequence that enables attackers to “seamlessly swap out benign UI elements for sensitive ones in the blink of an eye.” Unfortunately, this new attack bypasses all known clickjacking protections and therefore browser vendors will now need to adopt new standards to defend against it.
NATO plans to build satellite links as backups to undersea cables
Ninety-five percent of global data traffic is carried through undersea fiber optic cables. Because roughly 100 undersea cables get severed each year, NATO is working to improve the resilience of this critical infrastructure. Project HEIST (which stands for Hybrid Space-Submarine Architecture Ensuring Infosec of Telecommunications) will enlist engineers to develop smart systems to quickly locate cable breaks and develop protocols to automatically reroute the affected data to satellites. While satellites are the primary backups to undersea cables, their bandwidth is far behind physical connections. Work is underway to upgrade satellites from radio transmissions to lasers, increasing the speed by about 40 times to 200 Gbps. While Starlink satellites already use laser technology, other tech companies, including Amazon, continue to develop their own satellite technology.
Coincidentally, this week, Finnish authorities seized a Russian ship after it allegedly damaged several submarine cables in the Baltic Sea.
(Tom’s Hardware and The Record)
Air Fryer espionage raises data security concerns
While risks related to smart device hijacking are nothing new, since November, privacy concerns related to the use of air fryers have been gaining momentum on tech forums. Modern smart air fryers leverage AI, increasing their ability to collect and potentially expose personal information. The UK’s Information Commissioner’s Office (ICO) recently released findings showing that certain air fryer models sold in the UK and the U.S. possess the ability to eavesdrop on users through their mobile apps. In response, the ICO plans to introduce new guidelines for manufacturers of AI-powered gadgets. In the meantime, users should keep connected device software up to date, secure home Wi-Fi networks with strong passwords, and monitor permissions granted to related apps.






