US Tiktok ban, Salt and Twill, over Half billion in crypto stolen

Hello! ArvinF is your editor for F5 SIRT This Week in Security covering January 12-18, 2025 and this is my first edition for 2025. I wish you all a secured, prosperous and successful rest of the year! I picked interesting and informative security news and I hope you find them educational. Stay Safe and Secured!

Credit to the original authors of the articles.

As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.

US Supreme Court to TikTok: divest or ban. Ban, it seems?

"The US Supreme Court has upheld a law requiring TikTok to either divest from its Chinese parent ByteDance or face a ban in the United States. The decision eliminates the final legal obstacle to the federal government forcing a shutdown of the platform for US users on January 19.

Protecting Americans from Foreign Adversary Controlled Applications Act (PFACAA) doesn't infringe upon the First Amendment rights of TikTok users.

As written, the act is about protecting Americans from Chinese data collection and has nothing to do with constraining free speech, SCOTUS said.

"There is no doubt that, for more than 170 million Americans, TikTok offers a distinctive and expansive outlet for expression, means of engagement, and source of community," the court wrote in its decision. "But Congress has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok's data collection practices and relationship with a foreign adversary."

Current administration officials, speaking to the press on condition of anonymity, have said the outgoing President doesn't intend to enforce the ban, leaving the matter for President-elect to deal with upon taking office the day after the blockade is set to take effect.

That is to say, it'll be up to new administration to oversee the real-world implementation of the law, and how the app will be banned, given that TikTok hasn't been successfully sold off in time."

Governments protect their citizens from unauthorized tracking of, and access to, the data used and shared in applications through laws, diplomatic efforts and cyber security. This story has been developing for a while, and with the new US administration coming in, we will see further updates on it.

Clock ticking for TikTok as US Supreme Court upholds ban
https://www.theregister.com/2025/01/17/scotus_upholds_tiktok_ban/

https://regmedia.co.uk/2025/01/17/scotus-tiktok-decision.pdf

 

Twill Typhoon PlugX plugged

"The FBI, working with French cops, obtained nine warrants to remotely wipe PlugX malware from thousands of Windows-based computers that had been infected by Chinese government-backed criminals, according to newly unsealed court documents.

The Feds had been tracking a crew called Mustang Panda, aka Twill Typhoon, for years, and claimed the Beijing-linked team had broken into “numerous government and private organizations” in the US, Europe, and Indo-Pacific region.

French law enforcement and Sekoia[.]io, a France-based private cybersecurity company, were able to pull the plug on PlugX, and shut down the operation, in 2023 after Sekoia compromised the system behind the lone IP address used by Mustang Panda to remotely control computers infected with the software nasty.

According to the Feds, the People’s Republic of China paid Mustang Panda to, among other computer intrusion services, provide malware including PlugX.

The crew used a version of PlugX that allowed the miscreants to remotely access and control infected machines, steal files, and deploy additional malware. As detailed in the unsealed application for a search and seizure warrant to wipe the software from people's Microsoft Windows PCs:

This variant of PlugX malware spreads through a computer’s USB port, infecting attached USB devices, and then potentially spreading to other Windows-based computers that the USB device is later plugged into. Once it has infected the victim computer, the malware remains on the machine (maintains persistence), in part by creating registry keys which automatically run the PlugX application when the computer is started. Owners of computers infected by PlugX malware are typically unaware of the infection.

That move came after Sophos documented the USB-hopping PlugX earlier that year. Devices behind 45,000 IP addresses in the US alone had attempted to connect to that one remote-control server since its takedown, we're told.

Then in August 2024, the US Justice Department and FBI went to court to obtain nine warrants authorizing the deletion of PlugX from machines in America, which was then carried out. The last of these warrants expired on January 3, and in total, the operation wiped PlugX from about 4,258 US-based systems.

As we understand it, the Feds tested a self-destruct command built into PlugX that would remove the malicious code from infected machines, and then remotely ran that command on infected PCs to erase the software. The command was issued from a server using the IP address previously used to control the bots that was seized by the French.

According to the FBI, this self-delete command did the following:

  1. delete the files created by the PlugX malware on the victim computer,
  2. delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,
  3. create a temporary script file to delete the PlugX application after it is stopped,
  4. stop the PlugX application, and
  5. run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer."

The PlugX malware was delivered through USB infection. To most people an innocent-looking USB drive appears harmless, but a malware-infected USB drive can deliver the tools threat actors use for further exploitation and propagation if it is carelessly plugged in. IT security training and awareness campaigns would have helped the initial victims of this USB-delivered malware by educating and reminding them simply not to plug unknown USB drives into corporate or personal computers, since such devices should be treated as suspicious and may contain malware. Here is a snippet of a video in which a penetration tester notes the high success rate of getting victims to plug in malware-laden USB drives, baited by scattering them around a target organization or simply putting one in an envelope bearing the name of the unsuspecting victim (a name found on the nameplate on the victim's desk) - https://youtu.be/6i-84wqc_qU?t=306. As a reminder, be suspicious of USB devices lying around, whether in public or in the workplace, do not plug them into your devices, and organizations should have an IT security policy for handling such devices.

FBI wipes Chinese PlugX malware from thousands of Windows PCs in America
https://www.theregister.com/2025/01/14/fbi_french_cops_boot_chinas/

https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed

https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-07/2024-07-24%20-%20CP%20d%C3%A9mant%C3%A8lement%20botnet%20d%27espionnage%20plugX.pdf

https://blog.sekoia.io/plugx-worm-disinfection-campaign-feedbacks/

DOJ, FBI remove malware from thousands of infected computers
https://www.youtube.com/watch?v=o_Z_3EqX5aw

"How Does PlugX Work?
The ultimate goal of any RAT is to remotely control affected devices with a wide range of capabilities, which in PlugX’s case has typically included rebooting systems, keylogging, managing critical system processes, and file upload/downloads. One technique PlugX heavily relies on is dynamic-link library (DLL) sideloading to infiltrate devices. This technique involves executing a malicious payload that is embedded within a benign executable found in a data link library (DLL) [1]. The embedded payload within the DLL is often encrypted or obfuscated to prevent detection.

What’s more, a new variant of PlugX was observed in the wild across Papua New Guinea, Ghana, Mongolia, Zimbabwe, and Nigeria in August 2022, that added several new capabilities to its toolbox."

https://darktrace.com/blog/plugx-malware-a-rats-race-to-adapt-and-survive
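The warrant excerpt above describes PlugX persisting through registry Run keys and spreading over USB, and the Darktrace excerpt describes its reliance on DLL loading. The following is an added example, not code from the articles, the FBI filing or any vendor; it assumes a list of Run-key values (constructed here) and flags the patterns those passages describe, as a starting point for a defender's autorun sweep:

```python
# Added example (not from the article or the FBI filing): flag autorun
# Run-key entries of the kind PlugX uses to persist. Paths and samples are
# constructed; a real sweep would feed it `reg query` output for each hive.
import re
from dataclasses import dataclass, field

# Where legitimate autorun programs normally live (assumed list).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# User-writable locations that commodity malware drops into (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Signed Windows loaders often named in an autorun entry to start a DLL.
DLL_LOADERS = ("rundll32", "regsvr32")

@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

def executable_of(command: str) -> str:
    """Return the program path from a Run-key command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ", 1)[0].lower()

def assess_entry(key: str, name: str, command: str) -> Finding:
    """Return a Finding; its reasons list is empty for a benign-looking entry."""
    exe, low = executable_of(command), command.lower()
    finding = Finding(key, name, command)
    # PlugX spread over USB: an autorun pointing at a non-system drive is a red flag.
    if re.match(r"^[d-z]:\\", exe):
        finding.reasons.append("program on a non-system drive")
    if any(p in low for p in USER_WRITABLE):
        finding.reasons.append("path in a user-writable directory")
    if exe.rsplit("\\", 1)[-1].startswith(DLL_LOADERS):
        finding.reasons.append("DLL launched through a signed Windows loader")
    elif not exe.startswith(TRUSTED_ROOTS):
        finding.reasons.append("program outside standard program directories")
    return finding

def scan(entries):
    """Return only the entries that tripped at least one check."""
    return [f for f in (assess_entry(*e) for e in entries) if f.reasons]

# Constructed sample of Run-key values, as `reg query` would report them.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN, "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (RUN, "UpdateSvc", r"C:\Users\bob\AppData\Roaming\UpdateSvc\UpdateSvc.exe"),
    (RUN, "Recycler", r"E:\RECYCLER.BIN\svchost.exe"),
    (RUN, "Updater", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start"),
]
```

Calling scan(SAMPLE_ENTRIES) returns the three constructed entries that trip a check, with the reasons attached to each; the OneDrive entry passes clean.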

 

Salt Typhoon's trail

"Beijing's Salt Typhoon cyberspies had been seen in US government networks before telcos discovered the same foreign intruders in their own systems, according to CISA boss Jen Easterly.

Speaking at a Foundation for Defense of Democracies (FDD) event on Wednesday, the agency director said her threat hunters detected the Chinese government goons in federal networks before the far-reaching espionage campaign against people's telecommunications providers had been found and attributed to Salt Typhoon.

"We saw it as a separate campaign, called it another goofy cyber name, and we were able to, based on the visibility that we had within the federal networks, connect some dots," and tie the first set of snoops to the same crew that burrowed into AT&T, Verizon, and other telecoms firms' infrastructure, Easterly noted.

By compromising those telcos – specifically, the systems that allow the Feds to lawfully monitor criminal suspects – Salt Typhoon had the capability to geolocate millions of subscribers, access people's internet traffic, and record phone calls at will.

This visibility into federal government networks, combined with private-industry tips coming into CISA, led to the FBI and other law enforcement agencies obtaining court-approved access to Salt-Typhoon-leased virtual private servers. 

"That then led to cracking open the larger Salt Typhoon piece," Easterly said.

Still, she cautioned, "what we have found is likely just the tip of the iceberg" when it comes to Chinese intrusions into American critical infrastructure."

China's Salt Typhoon spies spotted on US govt networks before telcos, CISA boss says
https://www.theregister.com/2025/01/15/salt_typhoon_us_govt_networks/

 

Medusa $600k demand 

"Another year and yet another UK local authority has been pwned by a ransomware crew. This time it's Gateshead Council in North East England at the hands of the Medusa group.

The council confirmed that police were investigating the "cybersecurity incident" on January 15, a few short hours after Medusa placed "stolen" documents on its data leak site.

Gateshead said the attackers gained access to its systems on January 8, that officers have been working on the case since then, and that some personal data "has been infringed."

Medusa uploaded a 31-page slideshow on its site comprising various documents it claims to have stolen from Gateshead council. A cursory examination shows personally identifiable information (PII) in the form of full names, email addresses, home and mobile phone numbers, home addresses, employment histories, and more.

"Protecting the public is our top priority and I want to reassure our residents and stakeholders we take such situations extremely seriously."

Residents were advised to be vigilant to potential phishing attempts and other fraudulent activity. They were also told to review passwords to ensure they are strong and unique, and to change them if there are signs of compromise.

Medusa's site indicates that it's demanding a $600,000 ransom payment for the deletion of data, although security experts routinely warn that criminals' promises to delete data are rarely genuine."

Medusa ransomware group claims attack on UK's Gateshead Council
https://www.theregister.com/2025/01/17/gateshead_council_cybersecurity_incident/

 

Star Blizzard credential phishing expeditions

"Star Blizzard, a prolific phishing crew backed by the Russian Federal Security Service (FSB), conducted a new campaign aiming to compromise WhatsApp accounts and gain access to their messages and data, according to Microsoft.

The group's credential phishing expeditions typically go after government, diplomatic, and defense policy targets — specifically with an eye on officials and researchers whose work involves Russian policy and assistance to Ukraine. This one, we're told, was unique in that it attempted to compromise WhatsApp accounts via emails inviting victims to join a fake WhatsApp group.

"This is the first time we have identified a shift in Star Blizzard's longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector," Redmond disclosed in new threat intelligence on Thursday.

Star Blizzard is also tracked as Callisto Group and Coldriver. This particular campaign, similar to earlier efforts, begins with an email impersonating a US government official. What's new is that it includes a QR code inviting recipients to join a WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs.""

Russia's Star Blizzard phishing crew caught targeting WhatsApp accounts
https://www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/

 

$659 million stolen by blockchain bandits 

"North Korean blockchain bandits stole more than half a billion dollars in cryptocurrency in 2024 alone, the US, Japan, and South Korea say.

The sum of stolen assets totaled a little more than $659 million across five major incidents, although just two contributed a large portion of that.

The BitcoinDMM crypto exchange was raided for $308 million in May 2024 – the biggest haul of the five heists - by a group tracked by law enforcement agencies as TraderTraitor.

To pull it off, the North Korean attackers upended their usual playbook of seeking employment at Western organizations and assumed the role of recruiter. 

The attack on Indian crypto exchange WazirX also raked in a pretty penny for Kim's crew – $235 million to be precise. 

Mere months after the BitcoinDMM attack, WazirX was hit in July and according to Arkham data, by September North Korea had laundered most of the stolen assets using the Tornado Cash mixer service.

The FBI said in September, around the time it started noticing a significant uptick in North Korea's targeting of the crypto industry: "North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets."

Crypto klepto North Korea stole $659M over just 5 heists last year
https://www.theregister.com/2025/01/15/north_korea_crypto_heists/ 

This news on Twill Typhoon, Salt Typhoon, Medusa, Star Blizzard and TraderTraitor, compromising governments, running campaigns to take control of specific target accounts, holding their respective countries' citizens' data hostage for ransom and stealing large amounts of crypto, is the result of missing security protections in government, telco and financial organizations' infrastructure, gaps in security training and in identifying and responding to security incidents, and security flaws in executing critical processes and operations. As defenders, we must be more vigilant in implementing security roadblocks, apply more security scrutiny in our interactions with our peers, customers and the public, and ensure we are following security best practices when executing tasks and guiding our peers on security-related concerns. If something is amiss in a critical process and we think it might be a loophole, voice it and share it with the relevant process owner and security teams so it can be reviewed and corrected. Keep systems up to date and implement mitigations and protections to make exploitation attempts harder and ultimately prevent them. As seen many times, a small crack in an organization's perimeter defense is a potential entry point for malicious threat actors.

 

CVE-2022-40684 haunting Fortinet

"Fortinet has confirmed that previous analyses of records leaked by the Belsen Group are indeed genuine FortiGate configs stolen during a zero-day raid in 2022.

The leaked data includes IP addresses, configurations (including firewall rules), and passwords – some of which were in plain text, according to infosec watcher Kevin Beaumont, who first covered Belsen's data dump.

Beaumont also said the leak appeared to contain files related to around 15,000 Fortinet devices, organized by country of origin. The vendor didn't comment on the scale of the incident.

The researcher advised customers to be vigilant of possible exploitation, even if they patched back in 2022. If patches were applied after October 2022, when CVE-2022-40684 was exploited as a zero-day, then there could still be a chance that their configs were lifted.

Fortinet's take was a little more light-touch, confirming the majority of devices affected by the vulnerability have since been patched.

"If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization's current config or credential detail in the threat actor's disclosure is small," it said on Thursday.

"We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture."

Fortinet: FortiGate config leaks are genuine but misleading
https://www.theregister.com/2025/01/17/fortinet_fortigate_config_leaks/

https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f

When there is a critical CVE in one of your systems, it is best to update or upgrade as soon as possible; ideally, do not expose management interfaces to the public internet, and ensure that only trusted users and networks have access to these systems. The data dump of compromised devices opens the identified organizations up to possible exploitation attempts. If there is any suspicion that systems, user account passwords or configurations have been compromised, follow your organization's security incident response process.

Published Jan 21, 2025
Version 1.0