CISO Talk by James Azar
CyberHub Podcast
🎙️ Ivanti Zeroday Abused by China, US Foreign Investment Review Breached by China, TikTok Ban Looms, Modern Cyber Attacks

China is attacking the United States as Biden exits and Trump prepares to take a more hawkish approach, TikTok Ban looms, and Modern Phishing Scams

Good morning, Security Gang! Welcome to the CyberHub Podcast for Monday, January 13, 2025. I’m James Azar, and we have a packed episode today, covering everything from Chinese cyber-espionage to TikTok’s looming U.S. ban.

Grab your coffee and join me for a deep dive into the latest cybersecurity news, key breaches, and trends shaping our industry.

Personal Update: SANS GCIP Certification Accomplished

First off, a personal milestone—I’ve officially passed the SANS GCIP certification! It’s my first major cert in cybersecurity, and it’s been a long time coming. I started this journey to deepen my understanding of the NERC CIP framework for critical infrastructure. After taking the class back in September during my trip to Las Vegas, I finally crossed the finish line. I’ll share more insights about the certification process in future episodes, but for now, cheers to hard work paying off!

Chinese Hackers Breach U.S. Treasury Offices

We begin with a significant breach affecting the U.S. Department of Treasury. Despite initial reports claiming only a limited breach, CNN revealed on Friday that attackers gained access to multiple Treasury offices, including the Committee on Foreign Investments in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC). These offices oversee trade and economic sanctions—a critical national security function.

The breach was carried out by Chinese threat actors known as Silk Typhoon (also called Hafnium), using the BeyondTrust remote support SaaS API key to infiltrate Treasury networks. This espionage campaign aims to gather intelligence on sanctions enforcement, particularly targeting Chinese individuals and businesses.

From a geopolitical perspective, China’s actions indicate preparations for anticipated sanctions by the incoming U.S. administration. Their efforts to strengthen BRICS as an alternative to Western financial institutions pose a strategic challenge that the U.S. is keen to counter.

Ivanti Exploits Linked to Chinese Cyber Spies

Next, we discuss Ivanti’s ongoing problems with Chinese cyber spies exploiting vulnerabilities in its products. Although the company has weathered repeated incidents, it remains a prime target because its firewalls and VPN appliances are hard for customers to replace.

Google’s Mandiant team linked two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, to Chinese threat group UNC5337, part of the broader UNC5221. These vulnerabilities include a critical stack-based buffer overflow that allows remote code execution. Ivanti’s continued customer base underscores the challenges organizations face in implementing effective rip-and-replace strategies for legacy systems.

TikTok U.S. Ban Approaches

The U.S. Supreme Court heard arguments on the impending TikTok ban, set to take effect on January 19. The ban is likely to be upheld, despite concerns about the government’s power to shut down a business.

While TikTok’s ties to China raise legitimate security concerns, there are also fears that this precedent could be weaponized against other businesses in the future. ByteDance, TikTok’s parent company, has resisted efforts to sell the platform to a U.S. entity. The implications of this ban are massive, especially for content creators who rely on TikTok for their livelihood. The debate continues, but the shutdown is looming.

PayPal Phishing Campaign

A new phishing campaign targeting PayPal users is making headlines. Fortinet discovered that attackers are sending legitimate-looking payment requests to victims, tricking them into logging into fake PayPal portals. Once users log in, their credentials are compromised, and attackers gain control of their accounts.

This campaign leverages genuine PayPal URLs to bypass security checks, making it harder for users to distinguish between real and fake requests. The attackers exploit Microsoft 365’s free domain registration to set up convincing email addresses. Security teams should include this phishing campaign in their internal awareness training to help employees recognize and avoid these scams.


Fake CrowdStrike Job Offers

Threat actors are now impersonating CrowdStrike in a sophisticated phishing campaign targeting job seekers. These fake job offers direct recipients to malicious sites disguised as CRM applications. Once downloaded, the malware installs a crypto miner on the victim’s system.

The executable, written in Rust, installs XMRig, a well-known crypto mining software. This attack highlights the increasing creativity of cybercriminals, who are now targeting job seekers to exploit their systems.

Telefonica Security Breach

Spanish telecom giant Telefonica confirmed a security breach affecting its ticketing system. The breach exposed customer data, internal ticketing details, and other sensitive information, which was subsequently posted on a hacking forum.

Telefonica operates in 12 countries with over 104,000 employees. The breach is currently under investigation, but this incident reinforces the need for robust security measures, even for large, established companies.

California Marijuana Dispensary Breach

California-based marijuana dispensary Thizzy experienced a data breach in November, exposing customers’ IDs and passports. The breach affected customers across multiple locations, including San Francisco, Alameda, and Modesto.

The breach notice stated that an organized cybercrime group targeted Thizzy’s retail locations, compromising sensitive customer information. This incident highlights that no industry is immune to cyber threats, and businesses must prioritize data security to protect their customers.

CISA’s Cyber Hygiene Report

CISA reported a 201% increase in critical infrastructure organizations enrolling in its Cyber Hygiene Service. This program offers vulnerability scans to help organizations improve their cybersecurity posture.

The report shows significant improvements across key performance areas, including reducing exploitable services, strengthening encryption, and limiting OT connections to the public internet. This progress demonstrates the positive impact of CISA’s efforts in enhancing cybersecurity resilience.

Russian Nationals Arrested for Crypto Mixing

The U.S. Department of Justice announced the arrest of three Russian nationals accused of operating crypto mixers Blender and Sinbad. These services were allegedly used by North Korea’s Lazarus Group to launder stolen cryptocurrency.

Two of the suspects were arrested on December 1, though their exact location remains undisclosed. The third suspect is still at large. The takedown involved cooperation with law enforcement agencies in the Netherlands and Finland, demonstrating the global effort to combat cybercrime.

Action Items for Cybersecurity Teams

  1. Review Access Controls – Ensure your organization’s API keys and remote access tools are secure and monitored.

  2. Educate Staff on Phishing – Share information on the PayPal and CrowdStrike phishing campaigns in internal newsletters.

  3. Patch Ivanti Vulnerabilities – If your organization uses Ivanti products, verify that the latest patches are applied.

  4. Strengthen Email Security – Implement SPF, DKIM, and DMARC protocols to reduce phishing risks.

  5. Monitor Emerging Threats – Stay updated on evolving threats, especially those targeting critical infrastructure.

  6. Encourage Cyber Hygiene – Consider enrolling in CISA’s Cyber Hygiene Service to identify and mitigate vulnerabilities.

  7. Prepare for Regulatory Changes – Track developments in TikTok’s legal battle and the potential implications for other platforms.

Thank you for tuning in to today’s CyberHub Podcast. Let’s stay vigilant, stay informed, and most importantly, stay cyber safe!
