MI5 warns that China uses LinkedIn to recruit and compromise lawmakers

WhatsApp feature can extract 3.5B users' phone numbers, Police raid KT for allegedly hiding breach evidence, Beijing rumors cost TP-Link $1B, LG Energy Solution was hit by a cyberattack, Airlines won't sell passenger data to the US, Toronto schools weren't prepared for PowerSchool breach, much more

Chinese flag on the building of Chinese Embassy in the Portland Palace in London, June 2013. Source: Chmee2


Britain’s domestic intelligence agency warned that China has been using headhunters on LinkedIn and other covert operatives in an effort to recruit and compromise lawmakers and parliamentary staff members.

The warning came just two months after a political scandal erupted in Britain over the collapse of an espionage case against a parliamentary researcher and a teacher accused of funneling sensitive information to Beijing.

The espionage alert from the agency, MI5, warned lawmakers that the Chinese foreign intelligence service, the Ministry of State Security, had been secretly targeting members of Parliament, government staff members, political consultants, economists, and think tank employees.

“China is attempting to recruit and cultivate individuals with access to sensitive information about Parliament and the U.K. government,” Dan Jarvis, the security minister, said in a statement in the House of Commons.

“This activity involves a covert and calculated attempt by a foreign power to interfere with our sovereign affairs,” he said, adding that the British government “will take all necessary measures to protect our national interest, our citizens and our democratic way of life.”

The alert identified two headhunters — Amanda Qiu, the chief executive of BP-YR Executive Search, a company in Beijing, and Shirly Shen of Internship Union, based in Hong Kong — as two “civilian recruitment headhunters” that it said had been used by the Ministry of State Security to target people in Britain.

Neither Ms. Qiu nor Ms. Shen immediately responded to requests for comment sent on LinkedIn.

“The headhunters are typically China-based individuals who make initial contact with a target before referring them to an officer,” the MI5 alert said.

In a statement, the Chinese Embassy in London said: “These claims by the U.K. side are pure fabrication and malicious slander.” (Michael D. Shear / New York Times)

Related: GOV.UK, Chinese Embassy, BBC News, The Guardian, Al Jazeera, The Register, The Telegraph, Financial Times, Digital Journal, Sky News, Mirror, Irish News, Associated Press, Politico

A group of Austrian researchers at the University of Vienna has shown it's possible to use a WhatsApp feature to look up phone numbers and extract 3.5 billion users’ phone numbers from the messaging service.

For about 57 percent of those users, they also found that they could access their profile photos, and for another 29 percent, the text on their profiles. Despite a previous warning about WhatsApp's exposure of this data from a different researcher in 2017, they say, the service's parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp's browser-based app, allowing them to check roughly a hundred million numbers an hour.

The result would be “the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” the researchers said.

The researchers say they warned Meta about their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had fixed the enumeration problem by enacting a stricter “rate-limiting” measure that prevents the mass-scale contact discovery method the researchers used. But until then, the data exposure could have also been exploited by anyone else using the same scraping technique. (Andy Greenberg / Wired)
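The enumeration problem described above comes down to a lookup endpoint that answers "is this number registered?" with no per-client ceiling. The following is an added illustration, not code from the Wired article, the Vienna researchers or WhatsApp: a toy contact-discovery service with an optional sliding-window rate limit, run once unthrottled and once throttled, so the difference in how many numbers a single client can disclose is visible. The registry, number range, window and quota are all constructed for the example.

```python
"""Added illustration (not the researchers' or WhatsApp's code): a lookup
endpoint without per-client rate limiting permits bulk enumeration; a
sliding-window limit bounds what one client can learn per window.
Everything below (registry, numbers, limits) is constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Optional

# Constructed registry: every 7th number in a 10,000-number block "has an account".
REGISTERED = {f"+1555000{n:04d}" for n in range(0, 10000, 7)}
# Constructed candidate space a client could sweep.
CANDIDATES = [f"+1555000{n:04d}" for n in range(10000)]


@dataclass
class ContactDiscovery:
    """Toy contact-discovery service. max_lookups=None models the unthrottled
    state; otherwise at most max_lookups lookups per client per window."""
    max_lookups: Optional[int] = None
    window_seconds: int = 3600
    _history: Dict[str, Deque[float]] = field(default_factory=dict)

    def lookup(self, client_id: str, number: str, now: float) -> Optional[bool]:
        """True/False = registered / not registered.
        None = client has exhausted its quota for the current window."""
        if self.max_lookups is not None:
            hist = self._history.setdefault(client_id, deque())
            # Drop timestamps that have aged out of the sliding window.
            while hist and now - hist[0] >= self.window_seconds:
                hist.popleft()
            if len(hist) >= self.max_lookups:
                return None
            hist.append(now)
        return number in REGISTERED


def enumerate_range(service: ContactDiscovery, client_id: str,
                    candidates: Iterable[str], rate_per_second: float) -> List[str]:
    """Simulate one client sweeping a number range at a fixed request rate and
    collecting the registered numbers it learns. Stops at the first refusal."""
    found: List[str] = []
    t = 0.0
    for number in candidates:
        result = service.lookup(client_id, number, t)
        if result is None:
            break
        if result:
            found.append(number)
        t += 1.0 / rate_per_second
    return found


def disclosed_without_limit() -> int:
    """Numbers one client learns from the unthrottled service (the pre-fix state)."""
    svc = ContactDiscovery(max_lookups=None)
    return len(enumerate_range(svc, "client-a", CANDIDATES, rate_per_second=100.0))


def disclosed_with_limit(max_lookups: int = 200) -> int:
    """Numbers one client learns when capped at max_lookups per hour."""
    svc = ContactDiscovery(max_lookups=max_lookups, window_seconds=3600)
    return len(enumerate_range(svc, "client-a", CANDIDATES, rate_per_second=100.0))


def legitimate_sync_allowed(contacts: int = 50, max_lookups: int = 200) -> bool:
    """A normal address-book sync of a few dozen contacts stays under the cap."""
    svc = ContactDiscovery(max_lookups=max_lookups, window_seconds=3600)
    results = [svc.lookup("phone-1", n, float(i)) for i, n in enumerate(CANDIDATES[:contacts])]
    return all(r is not None for r in results)


if __name__ == "__main__":
    print("unthrottled:", disclosed_without_limit(), "numbers disclosed")
    print("200/hour cap:", disclosed_with_limit(), "numbers disclosed")
    print("legitimate 50-contact sync allowed:", legitimate_sync_allowed())
```

The cap here is per client and per hour; a real deployment would also key the limit on account age, device attestation and global request volume, since a scraper can spread a sweep across many accounts. The point the example makes is the one the article makes: the disclosure ceiling is set entirely by the limiter, so with none in place the ceiling is the whole registry.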

Related: GitHub, PCWorld, The Tech Portal, WebProNews, Social Media Today, iDrop News, 9to5Mac, StartupNews.fyi, TechTimes

Korean police raided telco KT’s offices in Seoul and Gyeonggi Province as part of an investigation into a recent data breach at the mobile carrier.

The anti-corruption and economic crime investigation team at the Gyeonggi Nambu Provincial Police said the raids were underway at three locations, including KT’s offices in Pangyo, Gyeonggi Province, and Bangbae-dong, Seocho District, Seoul.

In August, the US-based cybersecurity outlet Phrack reported that KT's servers had been breached, and lawmakers later raised suspicions that KT had disposed of the affected servers.

In response, the Ministry of Science and ICT asked the police to investigate whether KT had submitted false documents and concealed evidence. (KBS World)

Related: Korean Herald, KoreaJoongAng Daily, Yonhap News, Chosun Biz

Researchers for Google Cloud's Mandiant report that an Iran-nexus threat actor tracked as UNC1549 and known for espionage has been targeting organizations in the aerospace sector.

Mandiant says that since the middle of last year, UNC1549 has targeted organizations in aerospace, aviation, and defense using a sophisticated approach.

Sometimes, attackers would craft spear-phishing attacks designed to steal credentials or deliver malware to the target. Other times, UNC1549 would first compromise a third-party supplier or business partner and then exploit that trust to go after the main target. 

The actor also uses sophisticated post-exploitation tactics, such as stealing source code to use for lookalike domains in future spear-phishing campaigns and abusing service ticketing systems to trick employees into giving up sensitive credentials. 

Additionally, UNC1549 would use a series of custom tools both to open backdoors and to maintain persistence. Some tools the research highlighted include a C++ backdoor for communicating with command-and-control (C2) infrastructure tracked as Twostroke; custom tunneller Lightrail; shell command executor, system info enumerator, and file manager Deeproot; and a tool named DCSyncer.Slick, which mimics the legitimate DCSync Active Directory replication feature to "extract NTLM password hashes directly from the domain controllers," Mandiant wrote.

To avoid defenses, attackers would delete utilities and other forensic artifacts. They also "repeatedly used SSH reverse tunnels from victim hosts back to their infrastructure, a technique that helped hide their activity from [endpoint detection and response] agents installed on those systems." (Alexander Culafi / Dark Reading)

Related: Google Cloud, Austin Larsen on LinkedIn, Iran International, BankInfoSecurity

In a lawsuit, TP-Link claims its competitor, Netgear Inc., orchestrated a smear by planting false claims with journalists and internet influencers with the goal of scaring off customers.

Closely held TP-Link, which makes wireless routers, alleges in a complaint that Netgear’s campaign “threatens injury to well over a billion dollars in sales” and violates a 2024 settlement of a patent fight. That accord, in which TP-Link agreed to pay Netgear $135 million, includes a provision that the public company promises not to disparage its rival, according to the suit in Delaware federal court.

The suit comes as TP-Link faces growing scrutiny in Washington over national-security issues. US lawmakers from both parties have expressed concern that Chinese hackers could exploit TP-Link’s wireless equipment following a series of attacks on its routers. (Kate O'Keeffe and Jef Feeley / Bloomberg)

Related: Heise Online

South Korea-based LG Energy Solution said it recently identified a cyberattack and is currently implementing security measures to address the situation. 

“The attack targeted a specific overseas facility, and we have confirmed that the headquarters and other facilities were not affected,” the spokesperson said. The company has facilities on multiple continents, including eight in North America.

“The impacted facility is now operating normally after the recovery measures were taken, and we are conducting security operations and investigations as a precautionary measure.”

The spokesperson did not respond to further questions about the nature of the incident.

LG Energy Solution is a subsidiary of Korean multinational LG and earned $17.5 billion in 2024 through its work supplying batteries to car makers.

On Monday, the Akira ransomware gang added the company to its leak site, claiming to have stolen 1.7 terabytes of data that included corporate documents, databases of employee information, and more.

On November 13, the FBI released an updated notice on the ransomware gang, warning that the hackers are believed to have claimed more than $244 million in ransomware proceeds. (Jonathan Greig / The Record)




Airlines Reporting Corporation (ARC), a data broker owned by major US airlines, will shut down a program in which it sold access to hundreds of millions of flight records to the government and let agencies track people’s movements without a warrant, according to a letter from ARC.

ARC says it informed lawmakers and customers about the decision earlier this month. The move comes after intense pressure from lawmakers and 404 Media’s months-long reporting about ARC’s data-selling practices. The news also comes after 404 Media reported on Tuesday that the IRS had searched the massive database of Americans' flight data without a warrant. (Joseph Cox / 404 Media)

Related: The Record, AirInsight, Migrant Insider, PYOK

An investigation determined the Greater Toronto Area school boards impacted by a cyberattack late last year did not have “reasonable measures” to prevent unwanted access to personal information they collected and lacked “necessary oversight” to monitor PowerSchool’s obligations.

The Toronto District School Board (TDSB) experienced a data breach between Dec. 22 and 28, 2024, after PowerSchool—a cloud-based program used to store student and staff information—experienced a “cybersecurity incident” and a “threat actor” had demanded ransom.

There were several other school boards across the GTA that were impacted by the cybersecurity incident, including the Durham District School Board, Peel District School Board, and York Regional District School Board. (Alex Arsenych / CTV News)

Related: IPC.on.ca, Global News, The Canadian Press, Edmonton Journal

Researchers at ESET report that a China-linked threat actor tracked as PlushDaemon is hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations.

Since 2018, PlushDaemon hackers have targeted individuals and organizations in the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand with custom malware, such as the SlowStepper backdoor.

PlushDaemon has compromised electronics manufacturers, universities, and a Japanese automotive manufacturing plant in Cambodia. ESET's telemetry indicates that since 2019, the threat actor has relied on malicious updates to breach target networks.

The attackers gain access to routers by exploiting known vulnerabilities or weak admin passwords, install the EdgeStepper implant, and then redirect software-update traffic to their own infrastructure.

Developed in Golang and compiled as an ELF binary, EdgeStepper works by intercepting DNS queries and redirecting them to a malicious DNS node after confirming that the domain is employed for delivering software updates, ESET researchers explain.

ESET's report includes technical details for all the newly uncovered malware as well as a set of indicators of compromise for files, IP addresses, and domains that PlushDaemon used in attacks that deployed the EdgeStepper network implant. (Bill Toulas / Bleeping Computer)
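Because EdgeStepper works at the DNS layer on a compromised router, every client behind that router sees update domains resolve to attacker-controlled addresses. One way a defender can spot that from passive-DNS or resolver logs is to keep a baseline of the address ranges each update domain legitimately uses and flag answers outside it. The following is an added example, not ESET's tooling or code from the report; the update domains, CIDR ranges and log lines are constructed, and the log format is an assumption.

```python
"""Added example (not ESET's code): flag DNS answers for known software-update
domains whose resolved address falls outside the ranges the vendor normally
uses, then spot clients for which several update domains are redirected at
once, which is what a hijacked upstream resolver or router looks like.
Domains, ranges and log lines are constructed; the log format is assumed."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed baseline: update domains -> CIDR ranges they normally resolve into.
UPDATE_DOMAIN_RANGES: Dict[str, List[str]] = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-software.test": ["198.51.100.0/25", "2001:db8:100::/48"],
}


class Finding(NamedTuple):
    ts: str
    client: str
    qname: str
    answer: str
    reason: str


def parse_passive_dns(line: str) -> Optional[dict]:
    """Parse one constructed passive-DNS line:
    '<timestamp> <client_ip> <qname> <qtype> <answer>'. Only A/AAAA matter here."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    if qtype not in ("A", "AAAA"):
        return None
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype, "answer": answer}


def answer_in_ranges(answer: str, ranges: List[str]) -> bool:
    """True if the answer is a valid IP inside any of the baseline ranges."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def find_redirected_updates(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per answer for a tracked update domain that resolves
    outside the vendor's known ranges. Untracked domains are ignored."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_passive_dns(line)
        if rec is None:
            continue
        ranges = UPDATE_DOMAIN_RANGES.get(rec["qname"])
        if ranges is None:
            continue
        if not answer_in_ranges(rec["answer"], ranges):
            findings.append(Finding(rec["ts"], rec["client"], rec["qname"],
                                    rec["answer"], "answer outside vendor ranges"))
    return findings


def clients_with_broad_redirection(findings: Iterable[Finding], min_domains: int = 2) -> List[str]:
    """Clients for which at least min_domains distinct update domains were
    redirected: a signal that their resolver path, not one domain, is hijacked."""
    per_client: Dict[str, set] = defaultdict(set)
    for f in findings:
        per_client[f.client].add(f.qname)
    return sorted(c for c, doms in per_client.items() if len(doms) >= min_domains)


# Constructed sample log: two clients, one behind a healthy resolver, one not.
SAMPLE_LOG = [
    "2025-11-19T10:00:01Z 10.0.0.12 updates.example-vendor.test A 203.0.113.40",
    "2025-11-19T10:00:05Z 10.0.0.12 dl.example-software.test A 198.51.100.77",
    "2025-11-19T10:02:13Z 10.0.0.31 updates.example-vendor.test A 192.0.2.200",
    "2025-11-19T10:02:14Z 10.0.0.31 dl.example-software.test AAAA 2001:db8:100::beef",
    "2025-11-19T10:02:15Z 10.0.0.31 dl.example-software.test AAAA 2001:db8:999::1",
    "2025-11-19T10:03:00Z 10.0.0.31 www.example.test A 192.0.2.5",
    "garbled line that should be skipped",
]

if __name__ == "__main__":
    hits = find_redirected_updates(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.client} {h.qname} -> {h.answer}: {h.reason}")
    print("clients with broad redirection:", clients_with_broad_redirection(hits))
```

A baseline of vendor address ranges drifts as CDNs change, so treat single mismatches as leads, not verdicts; the stronger signal in the sample is client 10.0.0.31, for which two unrelated update domains both resolve off-baseline at the same minute. Detection of this kind complements, rather than replaces, update clients that verify code signatures and pin TLS, which is what stops a redirected download from being installed in the first place.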

Related: Help Net Security, We Live Security

Overview of the attack. Source: ESET

Researchers at runtime security company Oligo say that a global campaign dubbed ShadowRay 2.0 hijacks exposed Ray Clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet.

Developed by Anyscale, the Ray open-source framework allows building and scaling AI and Python applications in a distributed computing ecosystem organized in clusters, or head nodes.

According to Oligo, a threat actor they track as IronErn440 is using AI-generated payloads to compromise vulnerable Ray infrastructure that is reachable over the public internet.

They say that the malicious activity goes beyond cryptocurrency mining, and in some cases, it includes data and credentials theft, as well as deploying distributed denial-of-service (DDoS) attacks.

Oligo researchers found that an old critical vulnerability tracked as CVE-2023-48022 was exploited in both campaigns. The security issue did not receive a fix as Ray was designed to run in a trusted environment described as a "strictly-controlled network environment."

However, the researchers say that there are more than 230,000 Ray servers available on the internet, a massive spike from "the few thousand we observed during our initial ShadowRay discovery."

Since there’s no available fix for CVE-2023-48022, Ray users are recommended to follow the vendor-recommended “best practices” when deploying their clusters.

Anyscale has also published an update on the topic after the first ShadowRay campaign was discovered, listing several recommendations, which include deploying Ray in a secure, trusted environment. (Bill Toulas / Bleeping Computer)

Related: Oligo, CyberScoop, The Register, Anyscale

Source: Oligo.

National Cyber Director Sean Cairncross previewed at the Aspen Cyber Summit the contours of the administration’s cyber strategy, saying it would focus heavily on countering foreign adversaries and reducing regulatory burdens on industry.

Like its Biden administration predecessor, the new cyber strategy will be accompanied by an action plan that lists lines of effort under six pillars of activity. “It’s going to be a short statement of intent and policy,” Cairncross said.

One of the pillars will focus on shaping the behavior of Russia, China, ransomware gangs, and other adversaries by imposing costs when they attack the U.S. In emphasizing the need for consequences, Cairncross repeated a frequent criticism of the government’s approach to cyber defense, saying policymakers have failed to deter adversaries’ malicious cyber activity.

Partnering with the private sector will form another key pillar of the administration’s cyber agenda. Cairncross said the government wants industry’s help in identifying unnecessary or overly burdensome cybersecurity regulations that could be eliminated or modified. The administration will also ensure that critical infrastructure industries understand the government’s security priorities — what Cairncross described as “the things that we would like to see protected.” Simplifying regulations, he said, would help companies “free up those resources to protect those assets.”

The Trump administration is also focused on growing the U.S. cyber workforce to fill hundreds of thousands of vacant jobs. A new workforce initiative will unite businesses, venture capitalists, universities, and vocational schools. (Eric Geller / Cybersecurity Dive)

Related: Wall Street Journal, Cybersecurity Dive, The Record, The Register, Meritalk

The discussion from Rounds and another leading senator on the issue, Gary Peters (D-MI), at the Aspen Cyber Summit also suggested the path forward to a permanent reauthorization is anything but clear.

Peters and Rounds are the sponsors of a bill to re-up the law, known as CISA 2015, for 10 years with no changes other than its name — the preferred route for the Trump administration. (Tim Starks / CyberScoop)

Related: MeriTalk, NextGov

In his first public comments about the breach, Phillip Swagel, the director of the nonpartisan Congressional Budget Office, told lawmakers at an oversight hearing before the House Budget Committee that the “sophisticated cyberattack” against his agency two weeks ago has been contained and there is currently no “further evidence of unauthorized access to CBO email.”

Swagel said the investigation is “extensive and ongoing” as the agency receives assistance from both federal security partners and private sector security specialists.

He stressed that as more information becomes available about the nature of the attack — including “the threat actor’s activities” and what can be done to strengthen CBO’s systems — he will provide lawmakers updates “in a closed-door setting.”

He warned that sharing some things during a public hearing “might hinder remediation or investigation” but insisted that CBO is now “operating as normal … without interruption.” (Katherine Tully-McManus / Politico)

Related: The Record

Best Thing of the Day: It Wasn't a Cyberattack

A widespread Cloudflare outage yesterday was triggered by a change to one of our database systems' permissions, which caused the database to output multiple entries into a “feature file” used by our Bot Management system.

Worst Thing of the Day: Not That There Is Anything Wrong About Being Anti-Police

The legendary hacker conference Hackers on Planet Earth (HOPE) says it was “banned” from St. John’s University, the venue where it has held the last several HOPE conferences, because someone told the university the conference had an “anti-police agenda.”
