🚨 Week 7 Debrief: Salt Typhoon Spies Target US Telecoms, IoT Data Breach Exposes 2.7 Billion, UAE to Launch National Cybersecurity Strategy and more.
Insights into Cyber Risks, Threat Intel and Startup and VC updates

This week, the China-linked APT group Salt Typhoon breached multiple U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices. This sophisticated campaign, active for 1-2 years, has far-reaching implications for global telecommunications security.
Threat actors chained CVE-2023-20198 and CVE-2023-20273 to gain administrator privileges and exfiltrate data, impacting organizations globally. The attackers were able to create accounts with high-level privileges on affected systems, and then combined this with another vulnerability to gain root access and write malicious software onto the file system.
Key Takeaways:
Critical Vulnerabilities: The attacks exploited two specific Cisco flaws, CVE-2023-20198 and CVE-2023-20273. It is critical that organizations ensure their Cisco IOS XE devices are fully patched to prevent exploitation of these vulnerabilities.
Global Impact and Targets: The breaches have impacted telecom networks and Internet Service Providers (ISPs) in multiple countries, including the U.S., Italy, South Africa, and Thailand. U.S. telecoms, including Charter Communications and Windstream, were compromised. The group has been active since at least 2019, targeting government entities and telecom companies.
Persistence and Evasion: The APT group used generic routing encapsulation (GRE) tunnels on compromised Cisco devices to maintain persistence, evade detection, and stealthily exfiltrate data.
Government and Industry Response: Multiple countries, including the U.S., Australia, Canada, and New Zealand, have issued joint advisories about this threat. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-20273 to its Known Exploited Vulnerabilities catalog.
Strategic Espionage: The attackers accessed extensive metadata from targeted Americans, focusing on government and political figures. This suggests a strategic espionage objective aimed at gathering intelligence on key individuals and organizations.
Risk Exposure: Insikt Group identified over 12,000 Cisco network devices with web UIs exposed to the internet. Organizations should limit the exposure of admin interfaces and non-essential services to the internet.
Attribution and Denial: The U.S. government attributes these breaches to a China-linked APT group, Salt Typhoon. The Chinese government denies responsibility for the hacking campaign.
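The takeaways above boil down to three things a network team can check for on its own devices: whether the IOS XE web UI (the `ip http server` / `ip http secure-server` feature that CVE-2023-20198 lives in) is enabled, whether any privilege-15 local accounts exist that are not in the baseline, and whether any GRE tunnel points at a destination nobody sanctioned. The script below is an added example written for this newsletter; it is not Cisco's tooling and not from any vendor advisory. It audits a constructed running-config excerpt against hypothetical baselines (`KNOWN_ADMINS`, `KNOWN_TUNNEL_DESTS`) and returns a list of findings. Note that IOS XE often omits `tunnel mode gre ip` from the config because GRE is the default, so a Tunnel interface with no explicit mode is treated as GRE.

```python
import re

# Constructed sample running-config excerpt; the hostname, users, addresses
# and tunnels are made up for this example and do not describe a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
interface Tunnel100
 ip address 10.50.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface Tunnel200
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# Hypothetical baselines an operator would maintain out of band.
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNEL_DESTS = {"198.51.100.10"}  # e.g. a sanctioned DMVPN hub


def parse_interfaces(config):
    """Return {interface_name: [indented sub-lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_config(config, known_admins=KNOWN_ADMINS, known_dests=KNOWN_TUNNEL_DESTS):
    """Return a list of (finding_type, detail) tuples for a running-config text."""
    findings = []

    # 1. Web UI enabled: this is the feature the exploited CVE targets, and it
    #    should not be reachable from untrusted networks at all.
    for keyword in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(keyword)}\s*$", config, re.M):
            findings.append(("web-ui-enabled", keyword))

    # 2. Privilege-15 local users that are not in the baseline: the campaign
    #    created high-privilege accounts on compromised devices.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(("unknown-priv15-user", m.group(1)))

    # 3. GRE tunnels to destinations nobody sanctioned. GRE is the default
    #    tunnel mode on IOS XE, so a Tunnel with no 'tunnel mode' line counts.
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        modes = [l for l in lines if l.startswith("tunnel mode ")]
        is_gre = not modes or any("gre" in m for m in modes)
        if not is_gre:
            continue
        dest = next((l.split()[-1] for l in lines
                     if l.startswith("tunnel destination ")), None)
        if dest not in known_dests:
            findings.append(("unexpected-gre-tunnel", f"{name} -> {dest}"))

    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{kind}] {detail}")
```

Run against the constructed config, this flags both HTTP server lines, the `svc_backup` account and `Tunnel0`, and leaves the sanctioned `Tunnel100` and the IPsec `Tunnel200` alone. A static config check only sees what the device reports, so it belongs alongside a diff of running-config against startup-config and the indicator checks in the vendor advisory rather than in place of them.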
💻 Malware and Vulnerabilities
Microsoft's February 2025 Patch Tuesday addresses 55 flaws including four zero-day vulnerabilities, two of which are actively exploited, and three rated as "Critical". The updates include fixes for elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities, with critical remote code execution fixes for Microsoft Dynamics 365 Sales, Microsoft Office Excel, and Windows DHCP Server and Windows LDAP.
Here is a list of the critical vulnerabilities addressed in Microsoft's February 2025 Patch Tuesday:
CVE-2025-21177 Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability
CVE-2025-21381 Microsoft Office Excel Remote Code Execution Vulnerability
CVE-2025-21379 Windows DHCP Server Remote Code Execution Vulnerability
CVE-2025-21376 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Apple Mitigates Zero-Day Exploit in New Security Update: Apple has released iOS 18.3.1 and iPadOS 18.3.1 to address CVE-2025-24200, a zero-day vulnerability discovered by The Citizen Lab, which is being exploited in the wild. The vulnerability allows a physical attack to disable USB Restricted Mode on a locked device, potentially granting attackers full admin access and the ability to execute software as the owner.
Palo Alto Networks Firewall Vulnerability Exploited Shortly After Disclosure: Threat actors have begun exploiting CVE-2025-0108, an authentication bypass vulnerability in Palo Alto Networks firewalls, just one day after its public disclosure. The vulnerability allows unauthenticated attackers to access the firewall's management interface and execute certain PHP scripts, with exploitation attempts already flagged as malicious.
Chinese Salt Typhoon Spies Exploit Cisco Router Vulnerabilities, Continuing Global Telecom Breaches: Despite high-profile exposure and U.S. sanctions, the Chinese hacking group Salt Typhoon continues to actively breach global telecom networks, including U.S. internet service providers and universities, by exploiting vulnerabilities in the web interfaces of Cisco IOS software to gain control of routers and switches, exfiltrate data, and maintain access via GRE tunnels. The group has targeted over a thousand Cisco devices worldwide.
Murky Ad-Tech World Implicated in Surveillance of US Military Personnel, Exposing Data Broker Vulnerabilities: A Florida-based data broker, Datastream Group, allegedly sourced sensitive location data of US military personnel in Germany from a Lithuanian ad-tech company, Eskimi, potentially offering this data to various government and private interests and highlighting the opaque practices within the online ad surveillance industry, despite denials from Eskimi. The data included 3.6 billion location coordinates logged at millisecond intervals, likely collected via SDKs embedded in mobile apps.
zkLend Loses $9.5M in Crypto Heist Due to Smart Contract Flaw: Decentralized money lender zkLend suffered a breach where threat actors exploited a rounding error bug in the smart contract mint() function, resulting in the theft of 3,600 Ethereum, worth $9.5 million. The attackers manipulated the "lending_accumulator" to be very large and took advantage of the rounding error during ztoken mint() and withdraw(). zkLend has asked the hacker to return 90% of the stolen Ethereum in exchange for keeping 10% as a whitehat bounty and avoiding legal liability.
📈 Breaches and Incidents
IoT Data Breach Exposes Billions of Records: An IoT data breach has exposed 2.7 billion records by way of an unprotected database associated with Mars Hydro and LG-LED Solutions, containing 13 folders with over 100 million records each, revealing critical vulnerabilities such as unencrypted sensitive logs and weak default passwords that could lead to unauthorized network access and "nearest neighbor" exploits.
Cyberattack Disrupts Newspaper Giant Lee Enterprises: Lee Enterprises, one of the largest newspaper groups in the U.S., reported a cyberattack that led to network shutdowns, which disrupted newspaper printing and delivery. Some publications' websites posted notices about maintenance affecting subscription accounts and E-editions.
Elon Musk's DOGE Website Hacked Within Days of Launch, Exposing Security Lapses and Classified Information: The hastily launched website for Elon Musk's Department of Government Efficiency (DOGE) was hacked within days, with hackers defacing pages and potentially exposing classified staffing information of a U.S. intelligence agency. The site, which claimed to be "maximally transparent", was found to have "tons of errors" and leaked details in the page source code, with experts noting it "feels like it was completely slapped together".
🚨 Threat Intel & Info Sharing
AI Deepfakes Used in Job Application Scam, Raising Concerns Over Remote Hiring Security: A security expert at Vidoc Security Lab was targeted in two separate incidents by fake job applicants using AI-based tools to alter their appearance and generate responses, likely attempting to infiltrate the company to steal source code or sensitive IP, underscoring the increasing sophistication of social engineering tactics and the need for enhanced verification measures in remote hiring processes. The applicants had strong Asian accents and gave canned ChatGPT responses.
North Korean Hackers Employ ClickFix Tactics to Target Global Organizations: A North Korean state actor known as Kimsuky is using ClickFix, a social engineering tactic, to compromise organizations by tricking users into executing malicious PowerShell commands with administrator privileges. This campaign, observed since January 2025, targets individuals in international affairs, NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia, potentially leading to data exfiltration via remote access.
Taiwan Leverages AI to Pre-bunk Chinese Disinformation: Enhancing Cybersecurity Defenses: Taiwan is utilizing AI to proactively combat disinformation campaigns originating from China, which have increased by 60% in 2024, by identifying and addressing false narratives on platforms like Facebook, X, and TikTok before they spread online. The AI is also used to moderate discussions with ordinary citizens to identify their concerns about information integrity.
UAE to Launch National Cybersecurity Strategy Following $2 Billion Investment, Prioritizing Innovation and Economic Growth: The UAE's National Cybersecurity Strategy will be officially launched this week, backed by over $2 billion in investments, to keep pace with technological advancements, fortify the country's position in AI and the digital economy, and protect critical infrastructure against an estimated $10 trillion in global losses from cyberattacks. The strategy, built around five key pillars, includes specific goals and initiatives aimed at strengthening the national economy while ensuring a secure digital environment. The Cybersecurity Council is also finalizing policies, such as a cryptography policy, and new cybersecurity standards to enhance institutional compliance.
⚖️ Laws, Policies and Regulations
EBA Updates ICT Risk Management Guidelines Amidst DORA Implementation: The European Banking Authority (EBA) has amended its Guidelines on ICT and security risk management measures to align with the Digital Operational Resilience Act (DORA), which introduces harmonized ICT risk management requirements for financial entities. These changes, effective from January 17, 2025, narrow the scope of the guidelines to avoid duplication and provide clarity, focusing on entities covered by DORA and the relationship management of payment service users.
Trump Nominates Sean Cairncross as National Cyber Director, Former RNC Insider to Oversee National Cybersecurity Strategy: Cairncross would be the first major nominee for a top cybersecurity role since the Trump administration took office and would succeed Harry Coker, Jr.
US Treasury Launches Audit into Musk's Team's Access to Payment Systems, Raising Concerns Over Data Security and Constitutional Boundaries: A government watchdog is launching an inquiry into the security of the U.S. Treasury's payments system following complaints about the access granted to Elon Musk's "Doge" team, highlighting potential risks to sensitive data and sparking legal challenges over the team's authority.
The UK's AI Safety Institute has rebranded to the AI Security Institute as the government shifts its AI strategy to focus on serious AI risks with security implications, including malicious cyber-attacks, cyber fraud, and other cybercrimes.
The name change signifies a shift away from AI ethical issues towards countering AI cyber threats.
The AI Security Institute will partner with government entities like the Ministry of Defence’s Defence Science and Technology Laboratory and the National Cyber Security Centre (NCSC).
The UK government refused to sign an international AI declaration due to national security and "global governance" concerns.
The UK is partnering with AI firm Anthropic to explore how AI can improve public services.
UK Government Consults on Ransomware Reporting and Payment Restrictions: Aiming to Deter Cyber Criminals: The UK government is considering legislation to combat ransomware by reducing payments to criminals, enhancing intelligence on the ransomware payment landscape, and improving understanding of ransomware threats to deter attacks on UK organizations and increase cooperation at the international level. The proposed legislation addresses ransomware, which is malicious software that infects computer systems to prevent access, steal sensitive data, and demand ransom payments, typically in cryptocurrency.
UK Government Launches Cyber Attack Rating System to Combat Rising Cybercrime: The UK government is introducing a new system, led by cyber security chief Ciaran Martin and operated by the Cyber Monitoring Centre (CMC), to rate the severity of cyber incidents on a scale of one to five, with accompanying reports offering recovery advice, in response to over 7,000,000 cyber attacks costing the British economy £27,000,000,000 in 2023. Attacks causing over £100 million in damages and targeting multiple organizations will be assessed, with the goal of improving the UK's response to and recovery from cyber incidents. Examples of recent attacks include a breach against Transport for London costing over £30 million and the theft of 400GB of private data from NHS trusts. Phishing and malware are the most common types of cyber attacks faced by businesses, while denial-of-service attacks can disrupt operations.
Australia Passes Anti-Scam Law, Imposing Stiff Penalties on Tech Companies: Australia's new Scams Prevention Framework law holds social media, banks, and telecom companies accountable for scam activity on their networks, with potential fines up to AU$50 million. The law aims to protect Australian residents from scams and help victims get compensation. In 2023, scams cost Australians AU$2.74 billion.
⚖️ Cybersecurity Startups and VCs
Tencent Cloud Expands into Saudi Arabia, Enhancing Middle East Digital Infrastructure with New Cloud Region: Tencent Cloud is launching its first Middle East Cloud Region in Saudi Arabia, featuring two availability zones with full redundancy and advanced cloud services, backed by a commitment of over $150 million in infrastructure, resources, and investment to drive digital transformation across the Middle East and support Saudi Arabia’s Vision 2030. The new cloud region, expected to be operational by 2025, will offer cutting-edge SaaS and PaaS solutions, including advanced analytics, AI, and digital media capabilities.
LEAP 2025 to Showcase Next-Gen Tech Solutions Amidst Saudi Arabia's Vision 2030: LEAP 2025, running from February 9-12 at the Riyadh Exhibition & Convention Centre, will feature 1,800 global tech brands, 680 startups, and 1,000 expert speakers presenting next-generation solutions in sectors like space, gaming, education, and smart cities. This event supports Saudi Arabia’s Vision 2030 goals for economic diversification and technological leadership by encouraging investment in emerging technologies like AI and fintech. A special focus on AI will be present via DeepFest.
📊 Trends, Reports, Analysis
Ex-Google CEO Warns AI Could Enable "Bad Biological Attack", Emphasizing AI's Dual-Use Risk: Former Google CEO Eric Schmidt cautioned that AI poses an "extreme risk" due to its potential misuse by hostile entities like North Korea, Iran, or Russia to develop weapons for "a bad biological attack," highlighting the need for government regulation and control over the technology's development. Schmidt also mentioned the need for the West to invest in open source AI models to compete with China.
Ransomware Payments Decline 35% as Attackers Shift Tactics Amid Law Enforcement Pressure: In 2024, ransomware attackers received approximately $813.55 million in payments, a 35% decrease from 2023, driven by increased law enforcement actions and victim refusal to pay. Attackers are shifting tactics, with new ransomware strains emerging from rebranded code and faster operations, targeting smaller to mid-size markets with more modest ransom demands. The decline in the use of mixers may be attributed to the designation of Russia-based exchange Cryptex and the German Federal Criminal Police (BKA)’s seizure of 47 Russian language no-KYC crypto exchanges.
📅 Upcoming Events
🚀 We’re thrilled to welcome to our expert panels at "Third-Party Ecosystem Resilience in a Volatile Cybersecurity Landscape" – a must-attend event for CISOs and executives navigating today’s complex cybersecurity challenges.
This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today via the registration form.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].
Thank you for being a part of our newsletter community. You can also join the conversation in our LinkedIn Group.