Cyber Intelligence Weekly

Cyber Intelligence Weekly (January 19, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight our Incident Response Planning & Tabletop Exercise practice.

From assessing your current capabilities to creating and testing detailed response plans, we provide the expertise and support you need to minimize downtime and mitigate impact, so you can focus on what you do best: your business.

Learn more: https://lnkd.in/exryhzQW

Away we go!

1. Hackers Exploit Amazon S3 Buckets Using Encryption Tools in Ransom Scheme

Cybercriminals, dubbed "Codefinger" by Halcyon researchers, have started exploiting Amazon Web Services (AWS) Simple Storage Service (S3) buckets, leveraging AWS's own server-side encryption with customer-provided keys (SSE-C) to lock users out of their data. This emerging ransomware tactic has been observed in two incidents since December, targeting AWS-native software developers. By stealing account credentials and encryption keys, attackers encrypt data and demand ransom payments to release the keys.

What sets this method apart is its innovative use of a legitimate AWS feature to secure data in a way that becomes irretrievable without the attackers’ cooperation. Victims are further pressured with threats to delete their files within seven days if the ransom isn’t paid. The technique highlights a new evolution in ransomware capabilities, raising concerns among cybersecurity experts about its potential to spread among other threat actors.

AWS responded to these incidents by stating that it actively notifies affected customers when exposed keys are identified and applies mitigation measures to minimize risks without disrupting operations. The company also emphasized the importance of best practices, such as avoiding storing credentials in source code or configuration files, to protect against these attacks.

Halcyon warned that the tactic could soon gain traction among ransomware groups, urging AWS customers to take proactive steps to safeguard their storage environments. While S3 buckets have long been a target due to frequent misconfigurations leading to data breaches, this latest trend represents a more sophisticated exploitation of cloud security tools, underscoring the need for heightened vigilance in cloud storage management.
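The two controls a defender would want for the SSE-C tactic described above are a way to spot it in logs and a way to refuse it outright. The script below is an added example written for this newsletter issue; it is not code from Halcyon, AWS, or the original article. It assumes CloudTrail S3 data events are enabled on the bucket and reads them as newline-delimited JSON, using CloudTrail's `additionalEventData.SSEApplied` field to identify writes that supplied a customer key. The event records, account IDs, principals, bucket names and IP addresses are constructed for the example. The generated bucket policy uses the S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`; the `Null` condition with value `"false"` matches only requests that actually send that header, so ordinary SSE-S3 and SSE-KMS writes are unaffected.

```python
"""Detect SSE-C (customer-key) writes in CloudTrail S3 data events and build a
bucket policy that denies them.

The CloudTrail records below are CONSTRUCTED for this example, not real logs.
Field layout follows CloudTrail's S3 data-event format: eventName,
userIdentity.arn, sourceIPAddress, requestParameters, additionalEventData.
"""
import json
from collections import defaultdict

# Constructed CloudTrail S3 data events (one JSON object per line).
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2025-01-10T02:14:01Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"acme-prod-data","key":"reports/q4.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T02:14:02Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"acme-prod-data","key":"reports/q3.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T02:14:02Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"acme-prod-data","key":"backups/db.sql"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T02:14:03Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"acme-prod-data","key":"customers.parquet"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T02:15:10Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-writer"},"sourceIPAddress":"10.0.4.12","requestParameters":{"bucketName":"acme-prod-data","key":"uploads/img1.png"},"additionalEventData":{"SSEApplied":"SSE_KMS"}}
{"eventTime":"2025-01-10T02:16:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-reader"},"sourceIPAddress":"10.0.4.13","requestParameters":{"bucketName":"acme-prod-data","key":"reports/q4.csv"}}
{"eventTime":"2025-01-10T02:20:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"},"sourceIPAddress":"198.51.100.5","requestParameters":{"bucketName":"acme-dev-scratch","key":"test.bin"},"additionalEventData":{"SSEApplied":"SSE_C"}}
"""

WRITE_EVENTS = {"PutObject", "CopyObject"}
SSEC_HEADER_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def parse_events(raw):
    """Parse newline-delimited CloudTrail JSON into a list of dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def is_ssec_write(event):
    """True for an object write that S3 reports as encrypted with a customer key."""
    return (event.get("eventName") in WRITE_EVENTS
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")


def find_ssec_activity(events, threshold=3):
    """Group SSE-C writes by (principal, bucket) and alert on bursts.

    A single SSE-C upload can be legitimate; many writes by one principal into
    one bucket in a short window is the pattern worth paging on.
    """
    per_actor = defaultdict(list)
    for ev in events:
        if is_ssec_write(ev):
            actor = ev.get("userIdentity", {}).get("arn", "unknown")
            bucket = ev.get("requestParameters", {}).get("bucketName", "unknown")
            per_actor[(actor, bucket)].append(ev)
    alerts = []
    for (actor, bucket), evs in per_actor.items():
        if len(evs) >= threshold:
            alerts.append({
                "principal": actor,
                "bucket": bucket,
                "count": len(evs),
                "source_ips": sorted({e.get("sourceIPAddress") for e in evs}),
                "keys": [e["requestParameters"].get("key") for e in evs],
                "first_seen": min(e["eventTime"] for e in evs),
            })
    return alerts


def deny_ssec_policy(bucket):
    """Bucket policy that refuses any object write carrying an SSE-C header.

    Null == "false" means "the header IS present", so only SSE-C requests match;
    CopyObject is authorized as s3:PutObject on the destination, so it is covered.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_HEADER_KEY: "false"}},
        }],
    }


def policy_denies_ssec(policy):
    """Check an existing bucket policy document for an SSE-C deny statement."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        null_cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny" and "s3:PutObject" in actions
                and str(null_cond.get(SSEC_HEADER_KEY, "")).lower() == "false"):
            return True
    return False


if __name__ == "__main__":
    events = parse_events(SAMPLE_CLOUDTRAIL)
    for alert in find_ssec_activity(events):
        print("ALERT: SSE-C burst", json.dumps(alert, indent=2))
    print(json.dumps(deny_ssec_policy("acme-prod-data"), indent=2))
```

Run against the constructed log, the detector raises one alert for the `ci-deploy` principal (four SSE-C writes into `acme-prod-data` from one address) and ignores the single SSE-C upload by `dev-alice` and the SSE-KMS write by the application role. Deploying the deny policy is the stronger control: with it in place, a stolen credential cannot use SSE-C on that bucket at all, regardless of what IAM permissions it carries, since an explicit Deny overrides any Allow. Test the policy on a non-production bucket first in case a workload legitimately relies on SSE-C.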

CLOUD SECURITY CORNER

Google “Perpetual Hack” Technique Steals Passwords and MFA

Thank you for checking out the cloud security tip of the week in our new Cloud Security Corner, brought to you by our very own Stephen Dyson!

Security researchers have identified a new campaign, dubbed “Perpetual Hack.” Threat actors are targeting advertisers in a scheme to steal advertiser account information, clone legitimate advertisements, and create malicious advertisements that are subsequently used to harvest user credentials. The threat actors impersonate Google Ads and direct the legitimate advertisers to fake login pages. The diagram below shows the common “Perpetual Hack” campaign steps targeting advertisers.

[Diagram: common “Perpetual Hack” campaign steps targeting advertisers]

Users who click on these malicious advertisements and authenticate with sign-in-with-Google have their multifactor authentication (MFA) bypassed, potentially exposing sensitive data including user credentials and session tokens.

While the methodology of this type of attack is almost as old as Google Search itself, this new campaign is seen as a new extreme in its speed and scope, creating an ever-expanding pool of compromised advertisers that can be used to create further malicious advertisements. For more details on the attack and related indicators of compromise (IOCs), Malwarebytes researchers have released a full report. Additionally, Google has been reaching out to impacted advertisers to assist them in regaining access to their accounts and removing the cloned advertising pages.

2. U.S. Treasury Sanctions Chinese Entities for Salt Typhoon Cyberattacks

The U.S. Department of the Treasury has imposed sanctions on Sichuan Juxinhe Network Technology Co. Ltd., a cybersecurity firm based in Sichuan, China, and Yin Kecheng, a Shanghai-based cyber actor linked to China’s Ministry of State Security (MSS). These entities are accused of direct involvement in the Salt Typhoon hacking campaign, which compromised data from at least nine U.S. telecommunications companies and breached Treasury Department systems. The campaign, attributed to China-backed actors, highlights growing vulnerabilities in critical U.S. infrastructure.

The sanctions block U.S. individuals and entities from conducting business with the sanctioned parties. While the practical economic impact may be minimal due to their location in China, officials assert that these measures aim to disrupt operations and expose malicious activities. Treasury Deputy Secretary Adewale O. Adeyemo emphasized the importance of holding cybercriminals accountable and strengthening defenses against future threats, particularly in the financial sector.

The Salt Typhoon campaign represents a significant escalation in China’s cyber operations, targeting sensitive telecommunications and internet service provider data since 2019. The campaign even accessed call data of high-profile U.S. government officials, underscoring the breadth of the operation. In response, the Federal Communications Commission (FCC) has proposed updated cybersecurity requirements for telecommunications carriers, including annual certifications of risk management plans.

This marks the latest in a series of sanctions by the U.S. government against Chinese entities involved in cyber campaigns. Over the past year, several prominent Chinese firms have faced penalties for their roles in cyber espionage and ransomware operations. Treasury officials, alongside federal agencies, are working to address these escalating threats by enhancing cybersecurity policies and advocating for legislative changes to better protect critical infrastructure and sensitive information.

3. U.S. Removes Malware Linked to Chinese Hackers in Global Operation

The U.S. Department of Justice (DOJ) announced the successful removal of malware, known as "PlugX," from over 4,200 computers infected by hackers allegedly backed by the Chinese government. This malware, reportedly developed and deployed by groups referred to as "Mustang Panda" and "Twill Typhoon," was used for espionage and data theft targeting systems in the U.S., Europe, Asia, and even Chinese dissident groups. The operation marked a significant collaboration between U.S. authorities, French law enforcement, and the cybersecurity firm Sekoia.io.

PlugX, a malicious tool deployed since at least 2014, was installed via compromised USB devices and used to control infected systems. French cybersecurity experts identified and took control of the malware's command-and-control infrastructure in 2023. Working alongside these international partners, the FBI obtained court authorization to remotely delete the malware from affected U.S.-based devices without disrupting their legitimate operations.

DOJ officials emphasized the importance of proactive measures to protect cybersecurity, lauding the partnerships that enabled this cross-border initiative. Assistant Attorney General Matthew Olsen highlighted the operation’s role in countering nation-state cyber threats, describing it as part of a broader strategy to safeguard U.S. systems.

This effort underscores the evolving threat landscape posed by state-sponsored hacking campaigns. While the malware has been eradicated from these systems, the DOJ and FBI are continuing their investigation into Mustang Panda’s activities. Officials urge individuals and organizations to use antivirus software, keep systems updated, and report suspected infections to the FBI’s Internet Crime Complaint Center.


Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO services or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?