Top Stories of the Week: 12/14/2024-12/20/2024
Cybersecurity measures in the NDAA, a major supply-chain attack on security experts, and new federal cloud security mandates are central to this week’s top stories.
Yearlong Supply-Chain Attack Targeting Security Pros Steals 390K Credentials
by Dan Goodin
A year-long supply-chain attack by the threat group MUT-1244 targeted security researchers via Trojanized open-source software and spear phishing. The attackers used NPM and GitHub packages, such as '@0xengine/xmlrpc' and 'yawpp', to deploy stealthy malware disguised as legitimate tools. The malware stole credentials, SSH keys, and other sensitive data, infecting dozens of devices and installing cryptomining software. It also leveraged phishing emails that targeted researchers on arXiv, purporting to offer CPU microcode updates. Over 390,000 WordPress credentials were compromised in the attack.
Congress Approves 2025 NDAA With Important Cyber Provisions
The FY2025 National Defense Authorization Act (NDAA) advanced to President Biden’s desk with $895.2 billion in defense funding and a strong cybersecurity focus. Domestically, $3 billion of the budget will go toward replacing Chinese telecom gear, addressing spyware risks, and evaluating DOD mobile device security. The NDAA mandates strategies for securing multi-cloud environments, integrating AI in national security, and creating an NSA-led AI security center. While proposals for a formal Pentagon Cyber Force were scaled back, broader cyber threats were addressed, including securing U.S. airspace and combating foreign disinformation. Notably, measures on Section 702 surveillance oversight were excluded, drawing criticism from privacy advocates.
CISA Delivers New Directive to Agencies on Securing Cloud Environments
by Matt Bracken
The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 25-01, mandating that federal civilian agencies strengthen their cloud security practices. Agencies must inventory their cloud instances, deploy SCuBA assessment tools by April 2025, and implement SCuBA baselines by June 2025. The directive aims to address risks from evolving cloud-based cyber threats and to promote consistent federal cloud security. CISA emphasized collaboration with CIOs, CISOs, and pilot agencies, noting that no specific incident triggered the directive and that it instead reflects SCuBA’s maturity. Continuous monitoring and compliance reporting are required, with annual inventory updates starting in 2025. CISA affirmed its commitment to reducing cyber risks across the federal enterprise.
Microsoft Teams Vishing Spreads DarkGate RAT
DarkGate RAT has adopted a new delivery method via vishing, in which attackers exploit Microsoft Teams to trick victims into downloading remote access tools like AnyDesk. Researchers at Trend Micro uncovered this multistage attack, which began with phishing emails and escalated through a fraudulent Teams call. Once connected, the attacker installed DarkGate, enabling remote control, system data collection, and malicious command execution. Active since 2017, DarkGate has advanced capabilities, including credential theft and payload delivery. Experts recommend employee training, third-party vetting, multifactor authentication, and whitelisting approved remote access tools to mitigate these threats.
US Government Urges High-Ranking Officials to Lock Down Mobile Devices Following Telecom Breaches
by Carly Page
The U.S. government is advising senior officials to harden their devices in response to ongoing Chinese breaches of major telecom providers. CISA recommends using advanced security features such as Apple’s Lockdown Mode to reduce the attack surface on iPhones, along with switching to end-to-end encrypted messaging apps such as Signal. Officials are urged to adopt encryption for safer communications, as it prevents data interception, and to implement phishing-resistant multi-factor authentication and telecom-level account PINs to guard against SIM-swapping attacks. CISA stresses the importance of these measures for protecting sensitive information.