Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet.
The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh

Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.

Source: Hsyn20 via Shutterstock

Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

"The threat is definitely real," he says. "There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. ... But so far, we haven't seen something like that on a huge scale."

Related:Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

**Wielding the Cyber-Ban Hammer**

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States' reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

Related:Strategic Approaches to Threat Detection, Investigation & Response

"This is kind of the next logical step," he says.

The new commerce regulations will prohibit any "transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied" by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

"The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash \[safety\] tests is under the Department of Transportation," he says. "It's unclear how these two agencies can work together, and how this final DoT requirements or restrictions or controls can work."

**Securing Supply Chains & the Economy?**

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — are not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It's just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

Related:Trusted Apps Sneak a Bug Into the UEFI Boot Process

"We're in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they're sourcing," Oyler says. "It's more of what's called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU."

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream's Levy.

"It's not that easy to replace a supplier," he says. "There are financial implications with the supply chain — maybe it's going to be more expensive, or there may be some changes to software that they would need to do for the for the new supplier — an adjustment to the architecture. ... It really depends on what they are actually going to replace."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

US Ban on Automotive Components Could Curb Supply Chain

As the US faces “the worst telecommunications hack in our nation’s history,” by China’s Salt Typhoon hackers, the outgoing FCC chair is determined to bolster network security if it’s the last thing she does.

As the United States scrambles to kick China out of its communications networks, Jessica Rosenworcel, the outgoing Democratic chair of the Federal Communications Commission, says it’s vital for her Republican successor to maintain strong oversight of the telecommunications industry.

The government is still reeling from the Chinese “Salt Typhoon” hacking campaign that penetrated at least nine US telecom companies and gave Beijing access to Americans’ phone calls and text messages and the wiretap systems used by law enforcement. The operation exploited US carriers’ shockingly poor cybersecurity, including an AT&T administrator account that lacked basic security protections.

To prevent a repeat of the unprecedented telecom intrusion, Rosenworcel used the waning days of her FCC leadership to propose new cybersecurity requirements for telecom operators. On Thursday, the commission narrowly voted to approve her proposal. But those rules face a bleak future, with president-elect Donald Trump preparing to take office and control of the FCC transferring to commissioner Brendan Carr, a Trump ally who voted against Rosenworcel’s regulatory plan.

In an interview days before Trump’s inauguration, Rosenworcel is adamant that regulation is part of the answer to America’s telecom security crisis. And she has a stern message for Republicans who think the solution is to let the telecoms police themselves.

“We are wrestling with what has been described as the worst telecommunications hack in our nation's history,” she says. “Either you take serious action or you don't.”

**“The Right Thing to Do”**

Rosenworcel’s plan consists of two steps. First, the FCC formally declared that the 1994 Communications Assistance for Law Enforcement Act (CALEA), which required telecom companies to design their phone and internet systems to comply with wiretaps, also requires them to implement basic cyber defenses to prevent tampering. Next, the FCC proposed requiring a wider range of companies regulated by the commission to develop detailed cyber risk-management plans and annually attest to their implementation.

The outgoing chairwoman describes the rules as a commonsense response to a devastating attack.

“In the United States in 2025, it would shock most consumers to know that our networks do not have minimum cybersecurity standards,” Rosenworcel says. “We're asking the carriers to develop a plan and certify they follow that plan. That's the right thing to do.”

Absent these standards, she adds, “our networks are going to lack the protection they need from nation-state threats like this in the future.”

But Republicans are unlikely to embrace the new regulations on telecom networks. The powerful telecom industry tends to staunchly oppose any new regulations, and Republicans almost always side with the industry in these debates.

Senator Ted Cruz, a Texas Republican who now chairs the Commerce Committee, called Rosenworcel’s plan “a Band-Aid at best and a concealment of a serious blind spot at worst” during a hearing in December.

Carr—who last month called Salt Typhoon “deeply concerning”—voted against Rosenworcel’s proposal, along with his fellow Republican commissioner Nathan Simington. Carr’s office didn’t respond to a request for comment about the new regulations. But he has repeatedly criticized Rosenworcel’s approach to enforcing rules on the telecom industry, accusing her of overreach and warning that the FCC must rein itself in or face pushback from courts.

Once Carr takes over as FCC chairman, he could call a new vote of the commission to rescind Rosenworcel’s regulations. Or he could let Republican lawmakers do it for him—the GOP-controlled Congress is already planning to undo another FCC rule and might be happy to add this one to their list.

Rosenworcel dismisses the idea that her plan is radical. “We are not reinventing the wheel here,” she says. The new cyber requirements would be pegged to existing consensus standards from the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency.

“Voices from the left and the right have called this the worst telecommunications hack in our nation's history,” Rosenworcel says. “It deserves a serious response.”

**Modernizing an Old Law**

One potential challenge facing Rosenworcel’s plan is that it hinges on the 30-year-old CALEA, which says almost nothing about cybersecurity.

Section 105 of the law does require telecoms to ensure that wiretaps “can be activated only in accordance with a court order or other lawful authorization,” which Rosenworcel reads as a requirement to protect telecom networks from unauthorized access. But after the US Supreme Court’s recent ruling that courts shouldn’t defer to agencies as the experts in their policies, the FCC will almost certainly face an industry lawsuit as it tries to implement Rosenworcel’s plan.

Carr may have opposed the proposal in part for that reason. He has repeatedly cheered court decisions invalidating Biden administration tech policies and the FCC’s own previous actions, and in congressional testimony last July, he cited the risk of courtroom setbacks in opposing FCC subsidies for school and library Wi-Fi hot spots (the FCC program that Congress is preparing to invalidate). “Following the Supreme Court’s decision,” he said, “courts will not defer to an FCC decision to read into the Communications Act a grant of authority that Congress did not provide.”

Rosenworcel defends the use of CALEA, saying “we have to step back and look at it from a broader point of view.” Section 105 clearly supports the conclusion that “every telecommunications carrier has a legal obligation to secure their networks against unlawful access and interception,” she argues.

The chairwoman admits that her proposal is “a modern way to think about” CALEA, but she says her staff “worked closely with our general counsel's office” to ensure its legality.

“This is the right and proper interpretation of the law that meets the moment we're in and the threats we face,” she says.

**New Sheriff in Town**

As the Rosenworcel era gives way to the Carr era at the FCC, one open question is how the commission’s relationship with the telecom industry will change, and how that will affect the companies’ commitment to improving cybersecurity.

Businesses typically have friendlier relationships with independent regulators when they’re led by Republicans, who tend to favor hands-off approaches to overseeing their industries. From that perspective, telecom firms—which slammed the FCC for its recently thwarted attempt to reinstate net neutrality—are likely to welcome Carr’s promises to rein in the commission’s “overreach.”

But it is unclear how that shift will affect the incentives driving telecoms’ investments in better cybersecurity practices. Security experts have already expressed concerns about the broader Trump administration’s likely retreat from Biden-era cyber rules for critical infrastructure operators. A similar trend could play out with the FCC in the telecom space.

**Uncertain Future for an Ambitious Agenda**

Even beyond Salt Typhoon’s breach of US telecom systems, there are many questions about how the FCC will tackle cybersecurity after Rosenworcel departs.

“One of the hallmarks of my tenure has been that we put network security and national security front and center,” she says. “I've been in and around the FCC for a long time, and this issue has never had top-tier billing like it has during my time here.”

Rosenworcel’s initiatives included banning Chinese wireless firms from providing services in the US, prohibiting telecom equipment manufacturers linked to foreign adversaries from selling their products in the US, and running a multibillion-dollar program to help US carriers “rip and replace” that risky equipment.

Under Rosenworcel, the FCC also proposed rules to secure the internet’s traffic-routing system, protect undersea cables from tampering, and update 16-year-old data-breach notification procedures; launched a privacy and data protection task force; created a pilot program to help schools and libraries improve their cyber defenses; and fined the major US wireless carriers for selling access to customers’ locations. Most recently, Rosenworcel worked with the White House to launch an FCC-run security labeling program for internet-of-things devices.

The rip-and-replace program is an especially ambitious effort. More than 100 US wireless carriers have reported using equipment made by risky companies like China’s Huawei. But Rosenworcel is confident that the program—which recently received a $3 billion infusion from Congress—is on the right track. “We're doing a good job working with carriers to take this equipment out,” she says.

Rosenworcel isn’t worried that carriers will simply refuse to participate. “If you have this equipment in your networks, you can't get funds from FCC programs,” she says. “Right there, you have a pretty powerful incentive.” She thinks that incentive will be especially strong for the most vulnerable organizations: the small, rural carriers that heavily depend on federal subsidies.

The IoT labeling program, known as the US Cyber Trust Mark, might be even more ambitious, given that its goal is to completely change how consumers and businesses think about the importance of cybersecurity in home appliances. But Rosenworcel says a lot of manufacturers are “very excited” about getting their products tested and marked with the federal seal of approval, because “they see it as a way to differentiate their products in the marketplace.”

As for consumers, Rosenworcel admits that they may not start shopping based on security right away, but she compares the program to Energy Star, which launched in 1992 and is now a household name. “This is an iterative process,” she says. “It's going to create its own momentum over time, and these are just early days.”

While a group of FCC-designated organizations devise specific testing criteria for the program, Rosenworcel is concerned that other countries may leap ahead with their own security labels. South Korea and Singapore signed an agreement in December 2023 to mutually recognize each other’s labels. The US and the European Union are working on similar reciprocity. “There will be a race globally to develop these kind of marks,” Rosenworcel says. “This is an area where I think the US should really invest some time, energy, and effort, because I would like us to lead.”

**Escaping the “Analog Era”**

As she counts down her final days atop the FCC, Rosenworcel is preoccupied with how Salt Typhoon has highlighted alarming vulnerabilities in systems that underpin American prosperity.

“Network security is national security,” she says. “Communications is an input in everything we do in day-to-day life. You don't have health care, manufacturing, energy, transportation, any of it without secure communications.”

Those dependencies have put the US in increasing jeopardy as foreign government hackers exploit these networks’ complexity and inconsistency.

“We have portions \[of networks\] that are gleaming new and operate on internet protocols, and we've got others that are built for the analog era,” Rosenworcel notes. “There are consequences to having networks like this that are overseen by commercial actors … Some equipment and facilities have not been updated.”

Republicans may be tempted to leave it up to the industry to shore up these vulnerabilities. But Rosenworcel says that would be a costly mistake.

“We have a choice to make,” she says. “We take action to prevent this from happening in the future, or we turn the other way, cross our fingers, and hope it never happens again. I like hope, but hope isn't a plan. And when you look at the scope of the threats that we're facing, it would be foolhardy to just rely on hope at this point.”

The FCC’s Jessica Rosenworcel Isn’t Leaving Without a Fight

The sprawling social media and gaming platform says that being considered a Chinese military business must be a mistake.

Source: Cyberstock via Alamy Stock Photo

NEWS BRIEF

Chinese messaging and gaming giant Tencent has been labeled a Chinese military business by the US Department of Defense (DoD).

The move comes on the heels of the US Department of Treasury sanctioning China-based cybersecurity company Integrity Technology Group for its role in computer-intrusion incidents against US critical infrastructure.

With the designation, Tencent cannot supply the US federal government with technology or services. It joins others like Huawei, and was added to the list known as "Section 1260" as part of a group that includes Contemporary Amperex Technology Company (CATL), China Overseas Shipping (COSCO), Changxin Memory Technologies, and Autel Robotics, a drone manufacturer.

The price of Tencent's shares in the US dropped nearly 10% on Jan. 7 after the announcement, accounting for billions in losses, but unlike a sanctioning, the designation does not mean that the firm can't still operate stateside, only that it can't do business with the federal government. A spokesperson for the company said that putting Tencent on the list was "a mistake" and that it is not a military company or supplier to the US federal government. The company also said that, in the long run, being added to the list will have "no impact" on the business and that it will work with the DoD to address the misunderstanding.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Pentagon Adds Chinese Gaming Giant Tencent to Federal Ban

Plus: Google’s U-turn on creepy “fingerprint” tracking, the LockBit ransomware gang’s teased comeback, and a potential US ban on the most popular routers in America.

It’s been a busy year in cybersecurity, but it’s not over yet. This week, we revealed how hackers figured out how to “jailbreak” digital license plates—which are legally issued in at least a couple of states and are valid across the US—allowing them to change the license plate number to basically anything. That means someone with this capability can avoid tolls and tickets, or even change their plate to be the same as their enemy.

While the company that makes the plates, Reviver, makes clear that doing this would be both illegal and a terms-of-service violation, we’re guessing that the people who want to hide their car’s credentials so they can speed all over town aren’t too concerned about that.

Staff at the Cybersecurity and Infrastructure Security Agency are preparing for an uncertain future. Several CISA employees told WIRED that they’re afraid the incoming Trump administration will scrap key programs that they say are keeping Americans safe from cyberattacks and other threats—or that the agency itself could be dismantled.

In recent years, financial scams that involve bilking people out of their cryptocurrency holdings have come to be known by an eye-catching, catch-all name: “pig butchering.” But it’s time for a rebrand, according to officials at Interpol. The term, which is a translation from Chinese and refers to the slow process of fattening up a pig before slaughtering it, was likely created by the scammers themselves. As such, its use could further degrade victims of these scams or shame them into not reporting a crime.

Doing crimes in public is, apparently, all the rage. We took a deep dive into the world of drug dealers who are advertising their goods on open web platforms like Instagram, X, and Snapchat. The practice isn’t new, but authorities in Europe say it’s growing more popular.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**FAA Bans Drones Over Parts of NJ and NY but “Has Not Identified Anything Anomalous”**

The US Federal Aviation Administration said on Thursday that it was temporarily banning drone flights over dozens of critical infrastructure and utility sites in New Jersey and New York “at the request of federal security partners.” The restrictions are set to last 30 days. The announcement comes as panic over reported mysterious drone sightings in the two states has surged in recent weeks. The FAA said in a joint statement with the US Department of Homeland Security, Department of Defense, and FBI on Wednesday that the US government has not found evidence of malicious or unexplained aircraft.

"Having closely examined the technical data and tips from concerned citizens, we assess that the sightings to date include a combination of lawful commercial drones, hobbyist drones, and law enforcement drones, as well as manned fixed-wing aircraft, helicopters, and stars mistakenly reported as drones,” the agencies wrote. "We have not identified anything anomalous and do not assess the activity to date to present a national security or public safety risk over the civilian airspace in New Jersey or other states in the northeast.”

The agencies said that the FBI has received more than 5,000 tips about reported drone sightings in recent weeks that have generated about 100 leads investigated by local, state, and federal officials. None have proved to be problematic or concerning. The mass hysteria is itself creating dangerous conditions, though. The FAA warned on Wednesday that there has been a significant uptick in people pointing lasers at aircraft, which is illegal because it can be dangerous and distracting for pilots.

**Google U-Turn Allows Creepy “Fingerprint” Tracking Next Year**

Back in 2019, Google made its position on the online tracking method called fingerprinting pretty clear. “Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected,” the company said in a blog post. “We think this subverts user choice and is wrong.”

That viewpoint appears to have changed. This week, Google announced that, starting in February 2025, advertisers would be allowed to use fingerprinting. The method is largely hidden and allows online activity to be tracked by building up a profile using characteristics from your device—for instance, your phone type, language settings, timezone, can be combined with other information unique to your setup and identify you.

Google indicated the change in new advertising policies, which will go into force next year. The current version of the policy says fingerprinting is not allowed, while that reference has been scrubbed from the new version. The change drew instant criticism, with the UK’s data regulator, the Information Commissioner’s Office (ICO), saying that “fingerprinting is not a fair means of tracking users online” and it called the U-turn “irresponsible.” The ICO said it is talking to Google about the shift.

**LockBit Teases Potential Comeback as Alleged Developer Faces US Extradition**

Early this year, the notorious Lockbit ransomware group was thoroughly dismantled by a law enforcement operation, called Operation Cronos. The group’s website was taken over, details of its members and their cyberattacks extracted, decryption tools released, and its alleged Russian mastermind identified.

Now, the US government is attempting to extradite Rostislav Panev, an Israeli citizen who it suggested worked as a LockBit developer between 2019 and 2024. According to Ynet news, Panev was arrested in August and it is alleged that he received more than $230,000 in Bitcoin and developed ransomware tools from the gang. According to a complaint unsealed by US officials, Panev said he was regularly paid $10,000 per month for software development. Panev’s lawyers deny the claims.

At the same time, the organizers of the LockBit ransomware claim that they have created a new “4.0” version of their tools and will be “launching” them in February. A post on LockBit’s reincarnated dark-web sites urged potential hackers to sign up. As with many cybercrime groups, LockBit has lied about its activities in the past, and following the humiliation of its disruption, many other cybercriminals may not trust its tattered brand.

**One of America’s Most Popular Router Manufacturers May Be Banned**

Chinese technology company and router maker TP-Link could be banned in the US, a report from The Wall Street Journal this week claimed. Officials at the Defense, Commerce, and Justice departments have launched investigations into the company over potential cybersecurity and national security concerns around its routers. The Commerce Department has reportedly subpoenaed TP-Link, which has more than 60 percent of the US retail market for routers. A ban could reportedly happen next year.

While TP-Link is a Chinese company, its products are sold in the US by a separate California-based business. In October, Microsoft said that TP-Link routers “make up most” of a network of compromised devices that it has detected being used in Chinese hacking campaigns. The news of the potential ban follows the previous bans of Huawei and ZTE equipment and comes as TikTok will challenge its ban before the US Supreme Court in early January.

Mystery Drone Sightings Lead to FAA Ban Despite No Detected Threats

TP-Link is being investigated for alleged predatory pricing practices, which may be driven by ulterior motives.

The US government launched a national security investigation into the popular, Chinese-owned router maker TP-Link, with a potential eye on banning the company’s devices in the United States.

The investigation comes amid heightened tension between the US and the Chinese government, and after a public letter from members of the US House of Representatives this summer that alleged that TP-Link was engaged in predatory pricing practices, driven by ulterior motives, and possibly sponsored by China. US officials noted how TP-Link undercut the competition on price to become the market leader for Small Office/Home Office (SOHO) network appliances.

In doing this, TP-Link managed to grow their market share to 60% of the US retail market for WiFi systems and SOHO routers—from 10% in 2019. And the company reportedly has almost 80% of the US retail market for WiFi 7 mesh systems.

A WiFi 7 Mesh system is the latest advancement in wireless networking, combining the features of WiFi 7 technology with the benefits of mesh networking, which uses multiple nodes that work together to provide uniform WiFi coverage throughout the home, eliminating dead zones.

Because of TP-Link’s original founding in China, claims have been made of a so-called “Huawei playbook,” referring to allegations that Huawei Technologies Co. spies for the Chinese government and that it became a dominant player in the global networking equipment sector on the back of improper state subsidies. Huawei and China both deny these allegations, though.

Nonetheless, the US imposed restrictions that make it harder for Huawei to sell equipment in the US and buy parts from American suppliers.

Perhaps because of this type of scrutiny, TP-Link has made many efforts to distance itself from its Chinese ownership. TP-Link Systems is an entity based in Irvine, California, and no longer affiliated with the Chinese TP-Link Technologies.

Part of the attention paid to TP-Link this year could also be because a Chinese-backed Advanced Persistent Threat (APT) called Volt Typhoon has been using SOHO routers as gateways to get inside sensitive infrastructure. The cybercriminals used the routers to hide the actual origin of malicious attempts to reach inside the utilities and other targets.

But that argument doesn’t make sense since many of those routers were malware-infected NetGear and Cisco SOHO devices that no longer receive updates because they have reached their End-of-Life.

TP-Link said the market share percentages were overstated, but it did recently sign deals with internet service providers (ISPs) who then supply the routers to their customers. In such deals ISPs often rebrand the routers which makes it hard for customers to know which brand and type of router they have.

Representative John Moolenaar, the co-chairman of the US House Select Committee on Strategic Competition between the United States and the Chinese Communist Party—which sent the letter prompting the TP-Link probe—stayed fast in his concerns:

> “Chinese companies that, because of the technology they provide or the supply chains they impact, pose an unacceptable risk to our country’s security.”

Unfortunately, vulnerabilities in routers are very common and hardly ever patched by consumers, because they either don’t know how, or they may not even know that the patches are necessary because they don’t know which router model they have or that patches are available.

This makes it very hard to tell whether a vulnerability was an oversight or an intentional backdoor. This will make it hard for the investigators to find the “loaded gun” they are looking for.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 TP-Link faces US national security probe, potential ban on devices 

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but they also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. They're also active globally.

In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.

Related:Lessons From the Largest Software Supply Chain Incidents

"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."

**Has the FCC Been Negligent in Enforcing Telco Security?**

In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix \[the FCC's\] own failure to fully implement telecom security requirements already required by federal law."

At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:

Requires a carrier to ensure that any interception of communications or \[call-identifying information\] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.

Wyden's camp argues that this proposition, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."

Related:Google Launches Open Source Patch Validation Tool

FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.

**What Wyden's Telco Security Bill Misses**

The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.

Related:Large-Scale Incidents & the Art of Vulnerability Prioritization

Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?

In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."

Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."

Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with any wave of a pen, either.

"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat

Infiltrating other nations' telecom networks is a cornerstone of China's geopolitical strategy, and it's having the unintended consequence of driving the uptake of encrypted communications.

Source: Ar\_TH via Shutterstock

While the US government and at least eight telecommunications firms struggle to defend their networks against the China-sponsored Salt Typhoon group, other nations' telecommunications firms have often been primary targets for advanced persistent threats (APTs) as well.

In 2023, China-linked group Earth Estries — which may overlap with Salt Typhoon — compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions, as well as the US. In 2022, a Chinese APT group alternatively known as Daggerfly and Evasive Panda infected systems at a telecommunications organization in Africa, installing a backdoor tool known as MgBot. And earlier this year, Chinese APT group Volt Typhoon targeted Singapore's largest telco, Singtel, with attacks, although the company denies any of the probes were successful.

China has made infiltrating other nations' networks a foundation of its geopolitical strategy, and other countries — and their citizens — should consider their networks no longer private, says David Wiseman, vice president of secure communications for cybersecurity firm BlackBerry.

"All countries need to assume they are affected," he says. "The impact \[of these attacks are\] operational in that the government can no longer be confident using traditional phone calls and SMS. This is accelerating the usage of 'over the top' encrypted communications applications for official government communications."

Over-the-top (OTT) applications and services are those that are delivered over the Internet, not through traditional telecommunications systems.

US telecommunications firms — including Verizon, AT&T, and T-Mobile — are struggling to clean their networks and prevent two Chinese groups, Salt Typhoon and Volt Typhoon, from persisting in their systems. Earlier this year, Salt Typhoon gained access to some of the telecom systems used to satisfy wiretap requests, while Volt Typhoon has compromised telecommunications and other critical infrastructure to pre-position ahead of possible region conflict.

Telecommunications infrastructure is one of the most attractive targets for nation-state actors, because they affect all facets of a country's economy and provide in-depth data on its citizens, says Chris Henderson, senior director of threat operations at Huntress, a threat-intelligence firm.

"As telecommunication companies have grown from managing landline infrastructure to being one of the most data-rich organizations, their attractiveness to both for-profit groups and state-sponsored espionage has also grown," he says, adding that they "know more about you than arguably any other organization — they understand where you have been physically located, who you are speaking with, and for how long."

**From Singapore to India and Beyond**

China has long focused on the telecommunication firms of its regional rivals. In 2014, for example, the government of India accused Chinese equipment maker Huawei of hacking the state-owned Bharat Sanchar Nigam Limited (BSNL), after that firm used another Chinese service provider, ZTE, to provision its lines.

In 2023, an investigation by cybersecurity firm Trend Micro found that China-linked Earth Estries targeted at least 20 telecommunications and other infrastructure providers across Southeast and South Asia, South Africa, and Brazil, using a cross-platform backdoor.

Every country should act to defend their telecommunications infrastructure, says BlackBerry's Wiseman. While the success of attacks on Singapore, India, and the US are among the few that have become public, other companies are likely breached and still not aware, he says.

Organizations and citizens should no longer assume that their communications are safe, Wiseman says.

"General harvesting of communication records to build out a continual understanding of changes in command-and-control networks is a key thing that can be done," he says. "More concerning is that since the voice calls of specific people can be listened to along with reading of the SMS messages, there is the potential for more advanced communications manipulation."

**A Boost for Encryption**

The Salt Typhoon attacks may push citizens — and possibly their governments — toward greater use of encryption. While the trend has been for authoritarian governments and security agencies — such as law enforcement and internal security groups — to argue for less encryption, or at least backdoors into encrypted systems, the global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens, says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

"Greater geopolitical tension breeds greater geopolitical incentive to gain access to other countries' communications and that will also incentivize the adoption and use of encryption," Nojeim says. "Hopefully, it will also incentivize the protection of encryption against proposals that would weaken it."

In the US, government agencies such as the FBI have argued for law-enforcement backdoors into telecommunications networks and are calling for workers and citizens to use stronger encryption.

Meanwhile, telecommunications providers — whether private or state-owned — should focus more heavily on security, and their citizens should also adopt encrypted services, BlackBerry's Wiseman says. "Many countries realized this earlier than the US \[and\] started widespread adoption of end-to-end app-based encrypted communications sooner," he says. "The earliest movers were countries that did not have the same level of controls over their telecom network supply chains as the more developed countries."

Most countries in the Global South score lower on rankings of Internet privacy than their peers in North America, Europe, and East Asia. However, lower privacy rights can mean citizens are more likely to use encrypted services, says CDT's Nojeim.

"One lesson of Salt Typhoon is that people who live in democracies can't comfort themselves that their own government won't listen in absent a good reason," he says. "Now they have to be concerned about foreign governments listening in, and the way to prevent that, again, is to use an encrypted service."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Telcos Ward Off China's Hacking Typhoons

Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power.
This indicates that the "IoT botnet is targeting more robust servers running on cloud native environments," Aqua Security researcher Assaf Morag said in a Wednesday analysis.

Network Security / Cybercrime

Cybersecurity researchers have discovered a new variant of the **Gafgyt** botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power.

This indicates that the "IoT botnet is targeting more robust servers running on cloud native environments," Aqua Security researcher Assaf Morag said in a Wednesday analysis.

Gafgyt (aka BASHLITE, Lizkebab, and Torlus), known to be active in the wild since 2014, has a history of exploiting weak or default credentials to gain control of devices such as routers, cameras, and digital video recorders (DVRs). It's also capable of leveraging known security flaws in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices.

The infected devices are corralled into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence to suggest that Gafgyt and Necro are operated by a threat group called Keksec, which is also tracked as Kek Security and FreakOut.

IoT Botnets like Gafgyt are constantly evolving to add new features, with variants detected in 2021 using the TOR network to cloak the malicious activity, as well as borrow some modules from the leaked Mirai source code. It's worth noting that Gafgyt's source code was leaked online in early 2015, further fueling the emergence of new versions and adaptations.

The latest attack chains involve brute-forcing SSH servers with weak passwords to deploy next-stage payloads to facilitate a cryptocurrency mining attack using "systemd-net," but not before terminating competing malware already running on the compromised host.

It also executes a worming module, a Go-based SSH scanner named ld-musl-x86, that's responsible for scanning the internet for poorly secured servers and propagating the malware to other systems, effectively expanding the scale of the botnet. This comprises SSH, Telnet, and credentials related to game servers and cloud environments like AWS, Azure, and Hadoop.

"The cryptominer in use is XMRig, a Monero cryptocurrency miner," Morag said. "However, in this case, the threat actor is seeking to run a cryptominer using the --opencl and --cuda flags, which leverage GPU and Nvidia GPU computational power."

"This, combined with the fact that the threat actor's primary impact is crypto-mining rather than DDoS attacks, supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities."

Data gathered by querying Shodan shows that there are over 30 million publicly accessible SSH servers, making it essential that users take steps to secure the instances against brute-force attacks and potential exploitation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining

Cryptocurrency analysts have shed light on an online marketplace called HuiOne Guarantee that's widely used by cybercriminals in Southeast Asia, particularly those linked to pig butchering scams.
"Merchants on the platform offer technology, data, and money laundering services, and have engaged in transactions totaling at least $11 billion," Elliptic said in a report shared with The Hacker News.

Cryptocurrency analysts have shed light on an online marketplace called HuiOne Guarantee that's widely used by cybercriminals in Southeast Asia, particularly those linked to pig butchering scams.

"Merchants on the platform offer technology, data, and money laundering services, and have engaged in transactions totaling at least $11 billion," Elliptic said in a report shared with The Hacker News.

The British blockchain analytics firm said that the marketplace is part of HuiOne Group, a Cambodian conglomerate with links to Cambodia's ruling Hun family and that another HuiOne business, HuiOne International Payments, is actively involved in laundering scam proceeds globally.

According to its website, HuiOne's financial services arm is said to have 500,000 registered users. It also touts Alipay, Huawei, PayGo Wallet, UnionPay, and Yes Seatel as its customers.

Southeast Asian countries like Burma, Cambodia, Laos, Malaysia, Myanmar, and the Philippines have become a breeding ground for pig butchering scams in recent years.

In these schemes, unwitting people from Asia and Africa are enticed with high-paying jobs in the region, only for them to be trapped inside "scam compounds" run by transnational organized crime groups originating from China and coerced into participating in fraudulent activities.

These entail creating fake accounts on social media and dating platforms, and using them to develop romantic relationships with victims and eventually persuade them to invest in non-existent crypto businesses with an aim to siphon their funds.

HuiOne Guarantee, established in 2021, comprises a network of thousands of instant messaging app channels on Telegram that are run by different merchants. While it claims to serve as a marketplace for real estate and cars, Elliptic said that a majority of the goods and services offered are aimed at cyber scam operators.

"The largest category of merchants operating on HuiOne Guarantee are those offering to move and exchange money," the company explained.

"Many of the merchants explicitly offer money laundering services, including accepting payments from victims around the world, transferring it across borders and converting it to other assets including cash, stablecoins, and to Chinese payment apps."

Merchants have also been found advertising software and web development services that facilitate the creation of scam crypto investment websites used in pig butchering scams, as well as marketing tear gas, electric batons and electronic shackles for use by scam compound operators to imprison and torture their workers.

"The value of cryptocurrency received by HuiOne Guarantee and its merchants, and the type of goods and services offered, suggest that it is a key enabler of cyber scam operators in South East Asia," Elliptic said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#huawei