Chinese Cyber Espionage Leveraging Open Source VPNs


Breach Roundup: Chinese Cyberespionage Using Open Source VPN
Image: Shutterstock / ISMG

Each week, Information Security Media Group compiles a report on cybersecurity incidents and breaches occurring globally. This week highlighted notable activity from Chinese cyberespionage groups leveraging SoftEther VPN. An emerging Italian hacking scandal appears to involve the Vatican and Israeli connections. In addition, the FBI has issued warnings regarding high-pressure data requests, Okta resolved a significant authentication bug, Google plans to enforce multifactor authentication, and hackers exploited zero-day vulnerabilities within PTZOptics cameras. A Mexican airport operator chose not to pay ransomware demands while a French multinational faced bizarre ransom requests—specifically, demands for baguettes. Moreover, the city of Columbus, Ohio, has begun notifying 500,000 individuals about a significant data breach. Simultaneously, Germany is moving forward with legislation to protect white-hat hackers, the Italian data protection authority reprimanded a prominent bank, and Ireland recorded a relatively steady year for cyber incidents.


Chinese State Hackers Utilize Distinct Toolkit

Recent research from ESET has revealed that Chinese hacking groups are increasingly employing SoftEther VPN as their primary tool for espionage. The open-source VPN, designed to bypass firewalls under the guise of legitimate HTTPS traffic, has garnered attention from several state-aligned threat actors, including Flax Typhoon and Gallium. Of particular interest is the MirrorFace group, which has recently expanded its targeting beyond Japan, showcasing its capability by attacking EU diplomatic organizations.

The report underscores not only the growing sophistication of these groups but also highlights Russian threat actors, particularly Gamaredon, who continue to evolve their malicious tools, including a new PowerShell tool designed to facilitate encrypted payload delivery via Telegram. Such advancements reflect a notable trend towards increased operational efficiency and stealth in cybercrime tactics.

Italian Hacking Scandal: Potential Links to Israel and the Vatican

An ongoing investigation into the Milan-based firm Equalize has revealed its alleged involvement in hacking activities for various international clients, including the Vatican and Israeli intelligence. Following the arrest of four individuals in October, Italian authorities have alleged that the firm improperly accessed governmental databases, creating dossiers aimed at blackmailing influential figures. Classified as a breach of government trust, this scandal invites close scrutiny as more details emerge linking high-profile clients to the firm.

FBI Issues Alert on Compromised Government Emails Used for Data Breaches

The FBI has reported an alarming trend in which criminals use compromised government email accounts to send fraudulent “emergency data requests” to private corporations. The fact that access to such accounts is being offered for sale underscores the urgent need for companies to critically verify any emergency request they receive; the activity maps to the initial access and social engineering tactics described in the MITRE ATT&CK framework.

Okta Addresses Vulnerability Allowing Username-Only Authentication Bypass

An unusual vulnerability in Okta’s authentication system has been patched: it allowed attackers to bypass authentication using only a long username, particularly one exceeding 52 characters. The bypass was possible only when a prior successful authentication had been cached, pointing to weaknesses in the authentication process that could expose users to significant risk; the technique corresponds to methods described in the MITRE ATT&CK framework.

Google Cloud to Implement Mandatory MFA by Year’s End

In a significant move to enhance security, Google announced it will mandate multifactor authentication for all Google Cloud users by the end of 2025, a step designed to fortify user accounts against growing cyber threats. This phased rollout emphasizes the importance of adopting layered security measures and reflects an industry-wide shift towards more resilient cybersecurity practices.

Zero-Day Vulnerabilities Discovered in PTZOptics Cameras

Recent reports indicate that hackers are actively exploiting two zero-day vulnerabilities in PTZOptics cameras used in sectors such as healthcare and government. The vulnerabilities (CVE-2024-8956 and CVE-2024-8957) expose critical authentication weaknesses and remote command execution capabilities, highlighting the ongoing risks associated with neglected security updates in embedded devices.

OMA Declines Ransom Following Major Data Breach

The Mexican airport operator Grupo Aeroportuario del Centro Norte, known as OMA, confirmed a ransomware attack that exposed sensitive information yet opted not to pay the ransom. The situation reflects the rising trend of organizations resisting ransom demands while simultaneously strengthening their cybersecurity posture in the face of escalating threats.

Hacker Group’s Peculiar Ransom Demands for Schneider Electric Data

In an unusual twist, the Hellcat ransomware gang has allegedly infiltrated Schneider Electric’s project tracking system, claiming to have stolen substantial data and demanding a ransom in baguettes. This unconventional method of negotiation not only exemplifies the evolving landscape of ransomware tactics but also underscores the need for organizations to remain vigilant and adequately prepare their incident response plans.

Columbus Data Breach: 500,000 Residents at Risk

The city of Columbus, Ohio, has begun notifying half a million residents about potential data exposure following a ransomware attack linked to the Rhysida group. With allegations of compromised personal information including sensitive identifiers, this incident signifies an alarming trend in public sector cybersecurity vulnerabilities.

Legislation Proposed in Germany to Safeguard Ethical Hackers

The German Federal Ministry of Justice is proposing laws aimed at protecting ethical hackers from legal repercussions when identifying and disclosing system vulnerabilities. This legislative move illustrates a growing recognition of the critical role security researchers play in enhancing national cybersecurity defenses.

Intesa Sanpaolo Under Pressure Following Data Breach

Italy’s data protection authority has criticized Intesa Sanpaolo for downplaying a serious data breach that exposed sensitive information of numerous high-profile clients, including government officials. This incident raises concerns about the integrity of customer data and the bank’s accountability in handling such breaches.

Cyber Incidents on the Rise in Ireland

Reports reveal a significant increase in cyber incidents within Ireland, with the National Cyber Security Center recording 721 confirmed cases in the past year. While the majority of incidents remained at moderate severity, the situation underscores the complexities of the evolving cyber threat landscape.


Reported by Information Security Media Group’s Akshaya Asokan and David Perera.
