Friday Five: Updates on Chinese Hacking Operations, the Growing Quishing Threat, & More
More information on the hacking of critical infrastructure by Chinese threat actors has been uncovered in the past week, along with a rise in QR code 'Quishing' attacks, concerns over proposed regulations, and more. Get up to speed with it all in this week's Friday Five!
FEDS: CHINESE HACKING OPERATIONS HAVE BEEN IN CRITICAL INFRASTRUCTURE NETWORKS FOR FIVE YEARS BY AJ VICENS
Chinese state-sponsored hackers tracked as "Volt Typhoon" have infiltrated and maintained access to some U.S. critical infrastructure IT networks for at least five years, according to a joint advisory from the FBI, NSA, and CISA. The advisory warns that the group is pre-positioning itself on IT networks so it can move laterally into operational technology (OT) assets and disrupt them when it chooses. U.S. officials have consistently raised concerns about aggressive Chinese activity in sensitive networks; this latest advisory notes that the intruders reached systems such as building HVAC controls and could disrupt critical energy and water controls. While there is no evidence of disruption so far, national security officials are wary of what that access could be used for during geopolitical tensions or a military conflict.
CHINESE HACKERS FAIL TO REBUILD BOTNET AFTER FBI TAKEDOWN BY SERGIU GATLAN
The aforementioned Volt Typhoon group -- also known as Bronze Silhouette -- has reportedly failed to revive the KV-botnet that the FBI recently dismantled, a network of compromised end-of-life small-office/home-office routers previously used to stage attacks on U.S. critical infrastructure. After the takedown, the hackers attempted to rebuild it by re-exploiting vulnerable devices. Despite attempts against thousands of devices, security researchers thwarted the effort by null-routing the botnet's entire command-and-control (C2) server fleet. Without an active C2 server, the KV activity cluster is no longer considered effectively operational.
QR CODE 'QUISHING' ATTACKS ON EXECS SURGE, EVADING EMAIL SECURITY BY ROBERT LEMOS
In the last quarter, email attacks using QR codes have surged, particularly against corporate executives and managers. These "quishing" emails can often bypass secure email gateways because the malicious URL is encoded in an image rather than in text, so link scanners never see it; the campaigns have successfully targeted Microsoft 365 and DocuSign users. The average C-suite executive received 42 times more QR code phishing attempts than the average employee. Executives are singled out because their credentials are the most valuable: the primary goal of these attacks is to harvest usernames and passwords. Although QR code phishing has subsided somewhat since its October peak, it remains in attackers' toolkits. Training employees to treat an emailed QR code like any other unsolicited link is crucial, but because a single failure can be costly, technical controls that decode and inspect QR images in inbound mail are also necessary.
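The following is an added example, not code from the article or the vendors it cites, showing the two halves of such a technical control: pulling the image parts out of a message (the parts a text-only URL scanner ignores) and scoring whatever URL a QR decoder returns, treating it exactly like a link in the body. The QR decoding step itself is not implemented here; in practice the bytes returned by `image_parts` would be handed to a library such as pyzbar, and `score_qr_target` takes the decoded string. The brand domains, redirect parameter names, and the sample message are assumptions constructed for the example.

```python
import base64
import email
from email import policy
from urllib.parse import parse_qs, unquote, urlparse

# Brands the quishing lures described above impersonate (Microsoft 365, DocuSign).
# The legitimate domain sets are assumptions for this example; maintain per tenant.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Query parameters that open redirectors commonly use to carry the real destination.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "target", "u"}


def image_parts(raw_eml: str) -> list[tuple[str, bytes]]:
    """Return (filename, bytes) for every image part of a message.

    These are the parts a QR code hides in; a scanner that only extracts
    text URLs from the body never looks at them.
    """
    msg = email.message_from_string(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            found.append((part.get_filename() or "inline", part.get_payload(decode=True)))
    return found


def unwrap_redirects(url: str, max_hops: int = 5) -> list[str]:
    """Follow destinations nested in redirect parameters, without any network access."""
    chain = [url]
    for _ in range(max_hops):
        query = parse_qs(urlparse(chain[-1]).query)
        nested = None
        for key, values in query.items():
            if key.lower() in REDIRECT_PARAMS and values:
                candidate = unquote(values[0])
                if candidate.lower().startswith(("http://", "https://")):
                    nested = candidate
                    break
        if nested is None:
            break
        chain.append(nested)
    return chain


def registrable_domain(host: str) -> str:
    """Last two labels of the host; adequate for this sample, use a PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_qr_target(decoded_payload: str) -> dict:
    """Score the string a QR decoder returned from one of the image parts."""
    chain = unwrap_redirects(decoded_payload.strip())
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    reasons = []
    if final.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{final.scheme}'")
    if len(chain) > 1:
        reasons.append(f"{len(chain) - 1} redirect hop(s) before the final destination")
    if "@" in final.netloc:
        reasons.append("userinfo in URL authority")
    if "xn--" in host:
        reasons.append("punycode (IDN) host")
    domain = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and domain not in legit:
            reasons.append(f"'{brand}' appears in non-brand domain {domain}")
    return {"final_url": chain[-1], "chain": chain, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample message: no clickable link in the body, one inline "QR" image.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"not a real image, constructed for the example"
SAMPLE_EML = (
    "From: it-helpdesk@example.org\n"
    "To: ceo@example.org\n"
    "Subject: Action required: MFA re-enrolment\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Scan the code with your phone to keep your mailbox active.\n"
    "--b1\n"
    "Content-Type: image/png\n"
    "Content-Disposition: inline; filename=qr.png\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(FAKE_PNG).decode() + "\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for name, data in image_parts(SAMPLE_EML):
        print(f"image part {name}: {len(data)} bytes -> hand to a QR decoder")
    # Decoded payloads are constructed here to stand in for the decoder's output.
    for payload in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                    "https://go.example.com/r?u=https%3A%2F%2Fmicrosoft-sso.example.net%2Flogin"):
        print(score_qr_target(payload))
```

The lookalike check deliberately runs on the final hop of the redirect chain: quishing lures routinely point the QR at a reputable redirector so that the first domain looks clean, and a control that only inspects the first URL is easy to fool.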
PROPOSED CONTRACTOR CYBER REPORTING RULE SETS A ‘SIGNIFICANTLY PROBLEMATIC’ BAR, INDUSTRY GROUPS SAY BY DAVID DIMOLFETTA
Cybersecurity and technology trade groups are urging federal agencies to reconsider a proposed rule that would heighten incident-reporting requirements for federal contractors. The proposed rule from the Pentagon, GSA, and NASA would tighten reporting obligations, including requiring contractors to produce a Software Bill of Materials (SBOM) and to report security incidents within eight hours of discovery. Industry groups argue that the rule would grant the government unprecedented access to contractors' information systems and personnel, which they say raises serious privacy concerns. They also object to the SBOM demands, noting misalignment with other federal software regulations and the difficulty of generating SBOMs for commercial off-the-shelf products. Finally, many consider the eight-hour reporting window too short, leaving insufficient time to assess and confirm that a cyber incident has actually occurred.
CONTRACTS FEATURING AUTOMATION, BUILT-IN SECURITY CAN BOOST AGENCIES’ CYBER DEFENSES, VA OFFICIALS SAY BY EDWARD GRAHAM
Officials from the Department of Veterans Affairs have stressed automating legacy systems, prioritizing security in vendor contracts, and adopting mature AI tools to boost the agency's overall cyber resilience. Because the VA oversees a significant share of federal civilian IT assets, modernization and increased rigor are essential. These priorities align with CISA's push for "secure-by-design" products and with broader efforts to write security requirements into vendor contracts. AI cuts both ways, however: mature AI tools may strengthen preventive measures and help offset the persistent cyber workforce gaps across the federal government, but adversaries can use the same technology to refine phishing campaigns and mount more sophisticated attacks.