Italy Takes Action Against DeepSeek AI Over User Data Risks

 



Italy’s data protection authority, Garante, has ordered Chinese AI chatbot DeepSeek to halt its operations in the country. The decision comes after the company failed to provide clear answers about how it collects and handles user data. Authorities fear that the chatbot’s data practices could pose security risks, leading to its removal from Italian app stores.  


Why Did Italy Ban DeepSeek?  

The main reason behind the ban is DeepSeek’s lack of transparency regarding its data collection policies. Italian regulators reached out to the company with concerns over whether it was handling user information in a way that aligns with European privacy laws. However, DeepSeek’s response was deemed “totally insufficient,” raising even more doubts about its operations.  

Garante stated that DeepSeek denied having a presence in Italy and claimed that European regulations did not apply to it. Despite this, authorities believe that the company’s AI assistant has been accessible to Italian users, making it subject to the region’s data protection rules. To address these concerns, Italy has launched an official investigation into DeepSeek’s activities.  


Growing Concerns Over AI and Data Security  

DeepSeek is an advanced AI chatbot developed by a Chinese startup, positioned as a competitor to OpenAI’s ChatGPT and Google’s Gemini. With over 10 million downloads worldwide, it is considered a strong contender in the AI market. However, its expansion into Western countries has sparked concerns about how user data might be used.  

Italy is not the only country scrutinizing DeepSeek’s data practices. Authorities in France, South Korea, and Ireland have also launched investigations, highlighting global concerns about AI-driven data collection. Many governments fear that personal data gathered by AI chatbots could be misused for surveillance or other security threats.  

This is not the first time Italy has taken action against an AI company. In 2023, Garante temporarily blocked OpenAI’s ChatGPT over privacy issues. OpenAI was later fined €15 million after being accused of using personal data to train its AI without proper consent.  


Impact on the AI and Tech Industry

The crackdown on DeepSeek comes at a time when AI technology is shaping global markets. Just this week, concerns over China’s growing influence in AI led to a significant drop in the U.S. stock market. The NASDAQ 100 index lost $1 trillion in value, with AI chipmaker Nvidia alone suffering a $600 million loss.  

While DeepSeek has been removed from Italian app stores, users who downloaded it before the ban can still access the chatbot. Additionally, its web-based version remains functional, raising questions about how regulators will enforce the restriction effectively.  

As AI continues to make new advancements, countries are becoming more cautious about companies that fail to meet privacy and security standards. With multiple nations now investigating DeepSeek, its future in Western markets remains uncertain.



Experts Find Hidden Backdoors Inside Chinese Software Stealing Patient Data

Cybersecurity & Infrastructure Security Agency (CISA) in the US rolled out an investigation report concerning three firmware variants used in Contec CMS800, a patient monitoring system used in healthcare facilities and hospitals. 

CISA finds hidden backdoor in Chinese software

Experts found that the devices had a hidden backdoor with a hard-coded IP address, enabling transmission of patient data. This is possible because, as per the product description, the devices open a connection to a central monitoring system over a wireless or wired network.

The agency disclosed the code that sends data to a specific IP address. The decoded data includes detailed information: patients, hospital department, doctor’s name, date of birth, admission date, and other details about the device users.

Details about three flaws

The flaw is filed under “CVE-2025-0626 with a CVSS v4 score of 7.7 out of 10,” says Tom’s Hardware, which also describes two other vulnerabilities: one “filed under CVE-2024-12248, which indicates that it could allow an attacker to write data remotely to execute a code” and “CVE-2025-0683, which relates to privacy vulnerability.”

Impact of vulnerabilities

The three cybersecurity flaws can allow threat actors to dodge cybersecurity checks, gain access, and manipulate the device, the FDA says, adding that it is not “aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”

The FDA said that Contec Medical Systems is a device manufacturer in China whose products are used across the healthcare industry (clinics, hospitals, etc.) in the US and European Union. However, experts found that these devices can also be bought on eBay for $599.

About Contec

These devices are also rebranded as Epsimed MN-120, the FDA believes. Contec products are FDA-approved and sold in more than 130 countries. The CISA research team uncovered this flaw as part of its vulnerability disclosure process.

The agency has also mentioned that the IP address is not linked with any medical device manufacturer. “Still, it is a third-party university, though it doesn't mention the university, the IP address, or the country it is sending data to,” reports Tom’s Hardware.

The CISA has also assessed that the coding was meant to be a substitute update system because it doesn’t include standard update techniques like doing integrity checks or tracking updated versions. Instead, it offers a remote file sent to the IP address. To solve this, the FDA suggests removing the monitoring device from its network and tracking the patient’s physical condition and vital stats.

US Imposes Ban on Chinese and Russian Tech in Passenger Cars Over Security Risks

 

The United States has introduced a new regulation barring the use of Chinese and Russian technology in passenger vehicles sold domestically, citing national security risks. According to AFP, the ban covers both hardware and software from these countries, forming part of a broader effort to reduce China's influence in critical industries.

Outgoing President Joe Biden initiated the rule after a prolonged regulatory process aimed at tightening controls on foreign-linked technologies. This follows recent debates over restricting drones and other equipment from adversarial nations. Commerce Secretary Gina Raimondo highlighted the growing reliance of modern cars on advanced technology like cameras, microphones, GPS systems, and internet connectivity, which could pose risks if developed using foreign components.

"This is a targeted approach to keep Chinese and Russian-manufactured tech off American roads," said Raimondo.

The rule initially applies to passenger vehicles under 10,001 pounds, with plans to extend it to commercial vehicles, such as buses and trucks, in the future. It prohibits manufacturers with significant ties to China or Russia from selling cars equipped with foreign-made hardware or software for internet connectivity or autonomous driving.

Implementation will occur in two stages:

  • Software ban: Effective from the 2027 model year.
  • Hardware ban: Beginning with the 2030 model year.

Imports of such technology from China and Russia will also face restrictions.

The regulation could affect companies like BYD, a Chinese electric vehicle manufacturer operating a facility in California that produces buses and other vehicles. US officials have raised concerns that connected vehicles equipped with foreign technology could be exploited to misuse sensitive data or interfere with critical systems.

National Economic Advisor Lael Brainard warned, "China is attempting to dominate the future of the auto industry," underscoring the need to shield American vehicles from foreign influence.

The new rule aligns with a broader strategy to bolster domestic industries and reduce dependence on foreign technologies. On the same day, President Biden signed an executive order to fast-track the development of AI infrastructure in the US.

"We will not let America fall behind in building the technology that will define the future," Biden stated.

As Biden prepares to leave office, these measures will transition to the administration of President-elect Donald Trump, who takes office next Monday. While it remains uncertain how Trump will handle these policies, significant shifts in strategy are anticipated.

New TSA Rules to Boost Cybersecurity in Transport






The Transportation Security Administration recently unveiled a proposed rule that would permanently codify cybersecurity reporting requirements in certain segments of U.S. transportation, including pipelines and railroads. The rule would make permanent the temporary reporting requirements the agency introduced for certain segments last year after a ransomware attack hit Colonial Pipeline, causing fuel shortages along the U.S. East Coast.


Locked In Securely

Since the Colonial Pipeline incident, the Transportation Security Administration has issued a number of temporary rules regarding cybersecurity risks in critical infrastructure. The new proposed rule would bring these temporary rules into permanence and codify a consistent approach throughout transportation on cybersecurity matters. As Administrator Pekoske pointed out, "TSA has been working extremely closely with industry partners to assist in enhancing the cybersecurity resilience of our nation's critical infrastructure."


Key Components of the Proposed Rule

This new rule applies to a broad range of pipeline and railroad operators and places restrictions on only some bus companies. Its main emphasis is on implementing cyber risk management plans that encompass:

  • Annual Cybersecurity Reviews: These reviews will require assessments of, and improvements to, cyber defences.
  • Vulnerability Assessments: Covered entities must assess security weaknesses that have not been remediated. The assessments may be conducted by the covered entity's own personnel or by a third party, but those personnel must have no conflict of interest with respect to the covered entity.
  • Operational Cybersecurity Plans: These would describe the cybersecurity roles of personnel within the company, the measures in place to protect critical systems, and the procedures for identifying and responding to a threat.

Under these proposed regulations, operators would have to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) so that they can receive faster response and support when facing a threat.


Impact and Cost

The TSA estimated that the rulemaking would affect about 300 transportation operators, from pipelines and freight railroads to public transportation agencies. These include 73 freight railroads, 34 public transportation systems, 71 over-the-road bus companies, and 115 pipeline facilities. Compliance and TSA oversight are estimated to cost the industry $2.1 billion over the next ten years.

The TSA attributed the regulations to the emerging threat of cyberattacks by nation-state actors and cybercriminals, who often target U.S. infrastructure to disrupt it and inflict economic damage. The TSA cited countries "such as Russia and China" as frequent sources of cyberattacks on American critical infrastructure.

The agency's proposal underlines the need for uniform cybersecurity measures to be taken as soon as possible as cyber threats are becoming more advanced: they are now set to use artificial intelligence to deliver faster, undetectable attacks.


Industry Reaction and Flexibility

The proposal comes after the earlier directives were considered too elaborate by the transport operators who had to implement them. The TSA will now be more agile and results-driven, allowing companies to adopt security solutions suited to their specific needs.

The proposed rule will be open to comments from the industry until February 5, and the TSA will review all responses before finalising the rule. The agency aims to provide enhanced cybersecurity and resilience within U.S. surface transportation systems in the face of increasing cyber threats.


Growing Use of Winos4.0 Toolkit Poses New Threat to Windows Users

 



The advanced hacking toolkit Winos4.0 is spreading across the globe, security experts warn. Originally reported by Trend Micro, this new toolkit, comparable to the known kits Cobalt Strike and Sliver, was connected to a string of recent cyber attacks in China, having initially spread through fake software downloads. This year, Fortinet reported that the toolkit is also being distributed through game-themed files, a trend that is expanding and might pose a risk to a larger user base.


Attack Framework

Winos4.0 is a post-exploitation toolkit: after gaining initial access to a system, attackers use it to deepen and maintain their control. It was first discovered inside applications that users downloaded believing them to be useful software, including VPNs or Google Chrome downloads for the Chinese market. Operating under the aliases Void Arachne or Silver Fox, the attackers entice users with these popular applications, which are bundled with malicious components designed to compromise their systems.

In newer campaigns, the attackers distribute Winos4.0 through game applications, again mainly targeting Chinese users. In this way, the hackers adapt and use attractive downloads to penetrate devices.


Infection Stages

When a victim downloads one of these benign-looking files, the Winos4.0 toolkit initiates a four-phase infection:

1. Stage 1: After installation, a DLL file, you.dll, is retrieved from a remote domain. This file establishes persistence on the device by setting values in the Windows Registry so that the malware survives system restarts.

2. Stage 2: At this step, the injected shellcode is loaded to download necessary APIs and communicate with a C2 server, which enables hackers to send commands and retrieve files from the infected device.

3. Stage 3: The malware fetches more encoded data from the C2 server in a second DLL file named 上线模块.dll, which is saved to the Windows Registry for later use, and updates server addresses to maintain an active link between the malware and its operators.

4. Final Stage: The last stage (login module.dll) activates all main functions of the toolkit, including detailed system data gathering (such as IP address and type of OS), detection of security tools, searching for crypto-wallets, and maintaining a hidden backdoor. Through this backdoor connection, hackers can exfiltrate data, execute commands, and sustain their monitoring activity.

 

Evasion Techniques

Winos4.0 already has an inbuilt scanner for the detection of security products, including commercial products by Kaspersky, Avast, Bitdefender, and Malwarebytes. It will then change its behaviour to avoid detection or even quit if the toolkit finds itself running in an environment that is under surveillance. This versatility makes the tool very dangerous when it gets into cybercriminals' hands.

 

Emerging Menace

The fact that the toolkit Winos4.0 is still being used and fine-tuned points towards the growing importance of this toolkit in cyberattack strategies. As explained by Fortinet, it is a versatile and powerful framework "designed for remote control of compromised systems." Ongoing activity like this indicates that Winos4.0 is becoming a tool hackers like to use to gain control over Windows machines.


Preventive Actions

Security experts constantly warn users to be careful about what they download, especially free software or games that seem popular.

Avoid downloading applications and other files from unknown sources. Verifying that the software or file comes from a legitimate source can also prevent infection. Moreover, security software must be updated frequently.

Awareness of the threat posed by Winos4.0 would help many users avoid this sophisticated malware.


Russia and China Up Their Cyberattacks on Dutch Infrastructure, Security Report Warns

 


Dutch security authorities have recorded growing cyber threats from state-affiliated Russian and Chinese hackers targeting organisations in the country. The attacks, mostly to gain access to the critical infrastructure, are seen as preparations for future sabotage and for gathering sensitive information, according to a recent report by the Dutch National Coordinator for Security and Counterterrorism (NCTV).


Rise of Non-State Hackers in Support of Government Agendas

The report says cyber attacks can no longer be considered the preserve of state actors: non-state hackers in Russia and China are increasingly joining in. In Russia's case, hacktivists, independent hacking groups with no official ties to the government, are said to have carried out some of the past year's cyber espionage and sabotage. At times, Russian state cyber actors work in conjunction with them, sometimes using them as cover for their own operations, sometimes directing them to fit state goals.

China's cyber operations often combine state intelligence resources with academic and corporate collaborations. Sometimes, persons are performing dual roles: conducting research or scientific duties coupled with pushing forward China's intelligence goals. Such close cooperation treads the fine line between private and state operations, introducing an element of complexity to China's cyber strategy.


China's Advancing Sabotage Capabilities

For some years now, Chinese cyber campaigns focused on espionage, particularly those targeting the Netherlands and other allies, have been well known. Recent developments over the past year, however, have found China's cyber strategies getting broader in scope and quite sophisticated. The recent "Volt Typhoon" campaign, attributed to China, was an example of shifting toward actual sabotage, where critical U.S. infrastructure is the chief target. Although Europe is not currently under such threats from Volt Typhoon, the Netherlands remains vigilant based on China's rapid advancements in its cyber capabilities, which will potentially be implemented globally at a later stage.


Cyber/Disinformation Combined Threat

Pieter-Jaap Aalbersberg, the Dutch national coordinator for security and counterterrorism, underscored that cyber threats frequently form part of an integrated approach that includes information operations. Such coordinated actions are riskier because the cyber attack and the digital influence operation combine to compromise security. Aalbersberg indicated that the risks need to be weighed together, covering both direct cyber threats and their wider consequences.


Recent Breach in Dutch Police Forces Concerns

Earlier this month, the Dutch national police announced a breach of officers' personal contact details affecting thousands of officers, including names, telephone numbers, and email addresses. The attackers behind this breach are unknown, although it is believed that the incident was "very likely" carried out by a state-sponsored group. Still, no country was named.

The Dutch government sees this heightened cyber hostility as a reason to strengthen its defensive cybersecurity measures, particularly since the threats from Russia and China are still multiplying. The situation also strengthens the case for closer international cooperation and greater action to stop these expanding, aggressive cyber operations.


AI Tools Fueling Global Expansion of China-Linked Trafficking and Scamming Networks

 

A recent report highlights the alarming rise of China-linked human trafficking and scamming networks, now using AI tools to enhance their operations. Initially concentrated in Southeast Asia, these operations trafficked over 200,000 people into compounds in Myanmar, Cambodia, and Laos. Victims were forced into cybercrime activities, such as “pig butchering” scams, impersonating law enforcement, and sextortion. Criminals have now expanded globally, incorporating generative AI for multi-language scamming, creating fake profiles, and even using deepfake technology to deceive victims. 

The growing use of these tools allows scammers to target victims more efficiently and execute more sophisticated schemes. One of the most prominent types of scams is the “pig butchering” scheme, where scammers build intimate online relationships with their victims before tricking them into investing in fake opportunities. These scams have reportedly netted criminals around $75 billion. In addition to pig butchering, Southeast Asian criminal networks are involved in various illicit activities, including job scams, phishing attacks, and loan schemes. Their ability to evolve with AI technology, such as using ChatGPT to overcome language barriers, makes them more effective at deceiving victims. 

Generative AI also plays a role in automating phishing attacks, creating fake identities, and writing personalized scripts to target individuals in different regions. Deepfake technology, which allows real-time face-swapping during video calls, is another tool scammers are using to further convince their victims of their fabricated personas. Criminals now can engage with victims in highly realistic conversations and video interactions, making it much more difficult for victims to discern between real and fake identities. The UN report warns that these technological advancements are lowering the barrier to entry for criminal organizations that may lack advanced technical skills but are now able to participate in lucrative cyber-enabled fraud. 

As scamming compounds continue to operate globally, there has also been an uptick in law enforcement seizing Starlink satellite devices used by scammers to maintain stable internet connections for their operations. The introduction of “crypto drainers,” a type of malware designed to steal funds from cryptocurrency wallets, has also become a growing concern. These drainers mimic legitimate services to trick victims into connecting their wallets, allowing attackers to gain access to their funds.  

As global law enforcement struggles to keep pace with the rapid technological advances used by these networks, the UN has stressed the urgency of addressing this growing issue. Failure to contain these ecosystems could have far-reaching consequences, not only for Southeast Asia but for regions worldwide. AI tools and the expanding infrastructure of scamming operations are creating a perfect storm for criminals, making it increasingly difficult for authorities to combat these crimes effectively. The future of digital scamming will undoubtedly see more AI-powered innovations, raising the stakes for law enforcement globally.

Indonesian Government Asks Apple, Google to Block China's Temu to Safeguard Small Merchants

 

Indonesia has urged Alphabet's Google and Apple to remove Temu, a Chinese fast fashion e-commerce startup, from their app stores in the nation, a minister said earlier this week. 

The decision was intended to safeguard the nation's small and medium-sized businesses from low-cost products offered by PDD Holdings' Temu, communications minister Budi Arie Setiadi told Reuters, despite the fact that authorities are yet to find any transactions involving its residents on the platform.

Temu's quick expansion has drawn criticism from multiple countries for its low-cost business model of sending shipments to customers in China. 

Budi described Temu's business approach as "unhealthy competition," as it connects consumers directly with factories in China to significantly lower prices. "We're not here to safeguard e-commerce, but we do protect small and medium-sized businesses. There are millions who must be protected," the minister stated.

If Temu makes such a move, Jakarta will likewise block its investment in local e-commerce, according to Budi, who added that he is unaware of any such plan. Additionally, Budi stated that the government intends to ask Shein, a Chinese online retailer, for a similar ban. Last year, Indonesia compelled China's ByteDance social media network TikTok to shut down its online shopfront in order to safeguard the privacy of local users and merchants.

Months later, TikTok agreed to acquire a majority stake in Indonesian digital behemoth GoTo's e-commerce subsidiary in order to maintain its presence in Southeast Asia's largest e-commerce market. On Tuesday, Indonesian e-commerce company Bukalapak.com refuted news of an acquisition by Temu. 

According to an estimate by Google, Singapore state investor Temasek Holdings, and consultancy Bain & Co., Indonesia's e-commerce industry could grow to almost $160 billion by 2030, up from $62 billion in 2023.

China-backed Hackers Breach U.S. Telecom Wiretap Systems, Sparking Security Concerns

 

China-backed hackers infiltrated wiretap systems of multiple U.S. telecom and internet providers, reportedly seeking to collect intelligence on American citizens. This revelation has raised alarm in the security community.

Wiretap systems, required by a 30-year-old U.S. federal law, allow a small number of authorized employees access to sensitive customer data, including internet activity and browsing history. These systems, now compromised, highlight long-standing concerns about their vulnerability.

Security experts had long warned about the risks of legal backdoors in telecom systems. Many saw this breach as an inevitable outcome of such vulnerabilities being exploited by malicious actors. Georgetown Law professor Matt Blaze remarked that this scenario was “absolutely inevitable.”

According to the Wall Street Journal, the hacking group, Salt Typhoon, accessed systems used by major U.S. internet providers like AT&T, Lumen, and Verizon. The group reportedly collected large amounts of internet traffic, and a U.S. government investigation is now underway.

The hackers' goals remain unclear, but experts believe the breach could be part of a larger Chinese effort to prepare for potential cyberattacks in the event of conflict, possibly over Taiwan. The intrusion reinforces the dangers of security backdoors.

Riana Pfefferkorn, a Stanford academic, pointed out that this hack exposes the risks of U.S. wiretap systems, arguing that these measures jeopardize citizens’ privacy rather than protecting them. She advocates for increased encryption as a solution to these vulnerabilities.

The compromised wiretap systems are part of the Communications Assistance for Law Enforcement Act (CALEA), a law enacted in 1994 to help the government access telecom data through lawful orders. However, this system has become a target for hackers and malicious actors.

After 9/11, U.S. surveillance laws expanded wiretapping to collect intelligence, sparking an entire industry dedicated to facilitating these operations. Yet, the extent of government access to private data was only exposed in 2013 by whistleblower Edward Snowden.

Post-Snowden, tech giants like Apple and Google began encrypting customer data to prevent unauthorized access, even from government agencies. However, telecom companies have been slower to follow suit, leaving much U.S. phone and internet traffic vulnerable to wiretapping.

Governments worldwide continue to push for legal backdoors into encrypted systems. In the EU, for example, proposed laws aim to scan private messages for illegal content, raising security concerns among experts.

Signal, the encrypted messaging app, warned of the dangers of backdoors, pointing to the Chinese hacking incident as an example of why such measures pose severe cybersecurity risks. Meredith Whittaker, Signal’s president, stressed that backdoors cannot be restricted to just "the good guys."

Blaze called the CALEA law a cautionary tale, emphasizing the dangers of building security systems with inherent vulnerabilities.

Chinese Government-Linked Hackers Infiltrate U.S. Internet Providers in 'Salt Typhoon' Attack

 

Hackers linked to the Chinese government have reportedly breached several U.S. internet service providers, according to The Wall Street Journal. Investigators are calling the cyberattack "Salt Typhoon," which occurred just a week after the FBI dismantled another China-backed operation called "Flax Typhoon." That attack targeted 200,000 internet-connected devices such as cameras and routers.

In the Salt Typhoon incident, hackers infiltrated broadband networks to access sensitive information held by internet service providers. Sources close to the matter told WSJ that unlike past attacks focused on disrupting infrastructure, this one seems to be aimed at gathering intelligence. FBI Director Christopher Wray had warned at the Aspen Cyber Summit that China would persist in targeting U.S. organizations and critical infrastructure, either directly or through proxies.

Chinese cyberattacks have been ongoing, but their complexity and precision have escalated, intelligence officials told the WSJ. Earlier this year, Wray described China's hacking program as the largest in the world, surpassing all other major nations combined.

China has denied involvement in these attacks. Liu Pengyu, spokesperson for the Chinese embassy in Washington, accused U.S. intelligence agencies of fabricating evidence linking China to the Salt Typhoon breach.

The WSJ report revealed that investigators are focusing on Cisco Systems routers, though a Cisco spokesperson said there is no evidence of their involvement. Microsoft is also looking into the attack. Lumen Technologies, the parent company of CenturyLink and Quantum Fiber, recently detected malware in routers that could expose customers' passwords but did not specify which ISPs were affected.

Although there's no indication that individual customers’ data was the target, you can take basic precautions:

  • Change your passwords regularly—especially your Wi-Fi router's password.
  • Consider identity theft protection services, which monitor your credit and banking activity.
  • Review your credit reports regularly to catch any suspicious activity.

EU’s Initiative to Define ‘Important Data’ in China: A Step Towards Global Data Governance


The flow of data across borders is often hampered by varying national regulations. One such challenge is China’s restrictive data export laws, which have left many international businesses grappling with compliance. The European Union (EU) is now stepping up efforts to address this issue, seeking to pin down China on its ambiguous definition of “important data.”

The Importance of Data in Global Trade

Data is a critical asset for businesses, enabling everything from supply chain management to customer relationship strategies. For multinational companies, the ability to transfer data seamlessly across borders is essential for operational efficiency and innovation. However, differing regulatory landscapes can create significant hurdles.

China’s data export laws, particularly the Cybersecurity Law and the Data Security Law, have introduced stringent requirements for data leaving its borders. These laws mandate security assessments and government approvals for the transfer of “important data,” a term that remains vaguely defined. This ambiguity has led to uncertainty and compliance challenges for foreign businesses operating in China.

Cross-Border Data Flow Communication Mechanism

In response to these challenges, the EU has launched the “Cross-Border Data Flow Communication Mechanism.” This initiative aims to engage with Chinese authorities to clarify the definition of “important data” and streamline the data export process for European companies. The goal is to ensure that businesses can continue to operate efficiently while adhering to regulatory requirements.

The mechanism focuses on several key sectors, including finance, pharmaceuticals, automotive, and information and communication technology (ICT). These industries are particularly data-intensive and heavily reliant on cross-border data flows. By addressing the specific needs of these sectors, the EU hopes to mitigate the impact of China’s data export restrictions.

The Challenges of Defining “Important Data”

One of the primary challenges in this endeavor is the lack of a clear and consistent definition of “important data.” China’s laws provide some examples, such as data related to national security, economic stability, and public health, but these categories are broad and open to interpretation. This vagueness creates a compliance minefield for businesses, as they must navigate the risk of inadvertently violating Chinese regulations.

The EU’s efforts to engage with China on this issue are crucial for providing much-needed clarity. By establishing a more precise definition of “important data,” businesses can better understand their obligations and take appropriate measures to comply with the law. This, in turn, will facilitate smoother data flows and reduce the risk of regulatory breaches.

Global Data Governance

The EU’s initiative is not just about resolving a bilateral issue with China; it also has broader implications for global data governance. As data becomes increasingly vital to economic activity, the need for harmonized and transparent regulations is more pressing than ever. The EU’s proactive approach sets a precedent for other regions to follow, encouraging international cooperation on data governance.

Moreover, this initiative highlights the importance of dialogue and collaboration in addressing complex regulatory challenges. By working together, countries can develop frameworks that balance the need for data security with the imperative of economic growth. This collaborative approach is essential for fostering a global digital economy that is both secure and innovative.

China’s National Digital ID System Trials Begin Across 80 Internet Service Applications

 

China has initiated trials for its new national digital identification system across more than 80 internet service applications. This move follows the release of draft rules on July 26, with a public review and comment period open until August 25. The proposed system marks a significant step toward enhancing digital security and privacy for Chinese internet users. Internet users can now apply for their national digital ID by logging onto a mobile app called National Web Identification Pilot Version, developed by China’s Ministry of Public Security (MPS). 

This digital ID, which displays the user’s name, a “web number,” and a QR code, requires users to complete several verification steps, including national ID card verification and facial recognition. The digital ID can currently be used on 81 different applications, encompassing 10 public service platforms and 71 commercial apps. Notable platforms participating in the trial include the popular social media provider WeChat, the online shopping service Taobao, and the online recruitment platform Zhaopin. This broad implementation aims to test the ID’s functionality across a diverse range of services, highlighting its potential to streamline user identification and enhance security across various online activities. 

The proposed digital ID, detailed in a draft provision released by the MPS and the Cyberspace Administration of China (CAC), aims to reduce the amount of personal information that internet platforms can collect from their users. The draft rules state that applying for the digital ID is voluntary, offering users the choice to opt-in to this new system. This initiative is part of a broader effort to address privacy concerns and reduce the risk of data leaks, which have been exacerbated by the misuse of the current real-name registration system by some internet platforms. The current real-name registration system has allowed internet platforms to accumulate excessive amounts of personal information, leading to heightened privacy risks. The proposed digital ID system seeks to mitigate these risks by limiting the data collected by platforms. 

By requiring only essential information for verification, the digital ID aims to provide a more secure and privacy-conscious way for users to interact online. In addition to improving privacy, the digital ID system also promises to enhance convenience for users. With a single digital ID, users can seamlessly access multiple services without repeatedly providing personal information. This streamlined process not only simplifies the user experience but also reduces the opportunities for data to be misused or leaked. The trial of the national digital ID system represents a significant step towards addressing privacy issues while streamlining the process of user identification online. By implementing a digital ID, China aims to create a more secure and privacy-conscious internet environment for its users. 

This initiative reflects a growing recognition of the need for robust digital security measures in an increasingly interconnected world. As the public review and comment period progresses, feedback from users and stakeholders will be crucial in refining the digital ID system. The insights gained from this trial will help shape the final implementation, ensuring that the system effectively balances security, privacy, and user convenience. China’s commitment to enhancing digital security and privacy through this national digital ID system sets a precedent that could influence similar initiatives worldwide.

From Smartphones to State Security: The Reach of China’s New Surveillance Laws


China’s New Law Expands State Surveillance, Raises Global Concerns

China has enacted new restrictions under its Counter-espionage Law, alarming the international community and raising severe concerns about privacy and human rights. These guidelines, which went into effect on July 1, 2024, give state security officers broad powers to inspect and search electronic equipment such as smartphones and computers, presumably in the name of national security.

The "Provisions on Administrative Law Enforcement Procedures of National Security Organs" mark a considerable increase in state monitoring capabilities. Under the new legislation, authorities can now collect "electronic data" from personal devices such as text messages, emails, instant messages, group chats, documents, photos, audio and video files, apps, and log records. This broad mandate effectively converts each citizen's smartphone into a potential source of information for state security authorities.

Loopholes: Easy Searches and Broad Definitions

One of the most concerning downsides to these new regulations is the ease with which state security agents can conduct searches. According to Article 40 of the regulations, law enforcement officers can undertake on-the-spot inspections by just producing their police or reconnaissance cards, with the agreement of a municipal-level state security organ head. In an emergency, these checks can even be conducted without warrants, weakening safeguards against arbitrary enforcement. 

The regulations' ambiguous and sweeping nature is particularly concerning. Article 20 specifies "electronic data" and "audio-visual materials" as evidence that can be utilized in investigations, while Article 41 defines the "person being inspected" as not just the device's owner, but also its holder, custodian, or linked unit. This broad term may subject a wide range of individuals and organizations to examination.

Potential for Abuse and Privacy Invasion

Also, the regulations empower authorities to order individuals and organizations to stop utilizing specific electronic equipment, facilities, and related programs. In circumstances when people refuse to comply with "rectification requirements," state security agencies may seal or seize the gadgets in question. This provision opens the door to possible abuse, allowing the state to effectively muzzle dissenting voices or impede the functioning of organizations it considers harmful. 

The new guidelines also permit the "extraction," collection, and storage of electronic data as evidence, as well as the seizure of original storage media. This level of intrusion into personal data raises major questions about the protection of privacy and confidential information, particularly for foreign companies working in China.

Distrust and Limiting Free Expression

While the Ministry of State Security has attempted to soothe concerns by saying that these regulations would target "individuals and organizations related to spy groups" and that "ordinary passengers would not have their smartphones inspected at airports," the provisions' broad language leaves plenty of room for interpretation and potential abuse. 

The adoption of these laws coincides with the Chinese government's wider drive to encourage residents to be watchful against perceived risks to national security, including keeping an eye out for foreign spies in their daily lives. This culture of distrust, combined with additional powers provided to state security institutions, is likely to limit free expression and international participation in China.

Protecting Digital Rights

China's new legislation, which gives state security organizations broad rights to examine and confiscate electronic devices, constitutes a huge increase in the state's surveillance capabilities and a serious danger to individual privacy and freedom of speech. As the digital dragnet tightens, the international community must remain watchful and push for the protection of fundamental human rights in the digital era. The long-term repercussions of these actions may reach beyond China's borders, establishing a frightening precedent for authoritarian governance in the digital age.

Attackers Exploit 2018 ThinkPHP Vulnerabilities to Install ‘Dama’ Web Shells

 

Chinese threat actors are exploiting CVE-2018-20062 and CVE-2019-9082 vulnerabilities in ThinkPHP applications to install Dama, a persistent web shell.

The web shell allows for further exploitation of the compromised endpoints, such as enlisting them as part of the perpetrators' infrastructure to avoid detection in future operations. 

The first indications of this activity date back to October 2023, but according to Akamai analysts tracking it, the malicious behaviour has lately expanded and intensified.

Targeting old flaws

ThinkPHP is a popular open-source framework for developing online apps, particularly in China.

CVE-2018-20062, which was resolved in December 2018, is a vulnerability identified in NoneCMS 1.3 that allows remote attackers to execute arbitrary PHP code by manipulating the filter parameter. 

CVE-2019-9082 affects ThinkPHP 3.2.4 and older, which is used in Open Source BMS 1.1.1. It is a remote command execution issue that was addressed in February 2019.

The two weaknesses are exploited in this campaign to allow attackers to execute remote malware, impacting the underlying content management systems (CMS) on the target endpoints. 

Specifically, the attackers exploit the vulnerabilities to download a text file called "public.txt," which is actually the obfuscated Dama web shell saved as "roeter.php."

The payload is downloaded from hacked servers in Hong Kong, and the attackers gain remote server control after a simple authentication step with the password "admin." 

According to Akamai, the servers delivering the payloads are infected with the same web shell, implying that compromised systems are being used as nodes in the attacker's infrastructure. 

Mitigation 

Exploiting 6-year-old flaws serves as another reminder of the ongoing issue of inadequate vulnerability management, as attackers in this case use security vulnerabilities that were patched a long time ago. 

The recommended course of action for potentially impacted organisations is to upgrade to the most recent ThinkPHP version, 8.0, which is safe against known remote code execution flaws. 

Akamai further adds that the campaign's targeting reach is vast, including systems that do not use ThinkPHP, implying opportunistic goals.
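The two file names reported above give defenders something concrete to look for in web-server logs. The following triage script is an added example, not code from Akamai or from the original post; it assumes access logs in the common/combined format, and the sample log lines, IP addresses and the `src` query parameter are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# File names reported in the article: the payload is fetched as public.txt
# and the Dama web shell is saved as roeter.php.
PAYLOAD_NAME = "public.txt"
SHELL_NAME = "roeter.php"

# Most urgent finding first.
SEVERITY = ["shell-reachable", "payload-hosted", "payload-reference",
            "shell-probe", "payload-probe"]

# Common/combined access-log format (an assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded names match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target, status):
    """Return a finding label for one request, or None if it is unrelated."""
    raw_path, _, raw_query = target.partition("?")
    path = fully_unquote(raw_path).lower()
    query = fully_unquote(raw_query).lower()
    basename = path.rsplit("/", 1)[-1]
    served = 200 <= status < 300
    if basename == SHELL_NAME:
        # A 2xx answer means a file with the shell's name exists and responds.
        return "shell-reachable" if served else "shell-probe"
    if basename == PAYLOAD_NAME:
        # Per the article, servers that deliver the payload are themselves
        # compromised, so serving this file locally deserves a manual check.
        # A legitimate public.txt would also land here; verify its content.
        return "payload-hosted" if served else "payload-probe"
    if PAYLOAD_NAME in query or SHELL_NAME in query:
        # A request parameter names the payload or shell file.
        return "payload-reference"
    return None


def triage(lines):
    """Return (findings, skipped): findings are (label, client_ip, target)."""
    findings, skipped = [], 0
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            skipped += 1  # not an access-log entry; count it, do not guess
            continue
        label = classify(match["target"], int(match["status"]))
        if label:
            findings.append((label, match["ip"], match["target"]))
    return findings, skipped


def worst_finding(findings):
    """Return the most severe label present, or None when nothing matched."""
    present = {label for label, _, _ in findings}
    return next((label for label in SEVERITY if label in present), None)


# Constructed sample log lines (documentation IP ranges, invented parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:03:12:01 +0000] "GET /index.php?src=http%3A%2F%2F203.0.113.9%2Fpublic.txt HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2024:03:12:05 +0000] "POST /roeter.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jun/2024:04:00:10 +0000] "GET /uploads/ROETER%252Ephp HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.80 - - [10/Jun/2024:05:30:00 +0000] "GET /public.txt HTTP/1.1" 200 61440 "-" "-"',
    '192.0.2.10 - - [10/Jun/2024:06:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for label, ip, target in found:
        print(f"{label:18} {ip:15} {target}")
    print("per label:", dict(Counter(label for label, _, _ in found)))
    print("worst:", worst_finding(found), "| unparsed lines:", skipped)
```

A `shell-reachable` or `payload-hosted` result is a reason to inspect the file on disk and the host itself; the probe labels only show that someone is checking whether the shell exists.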

400% Increase in MoD Data Breaches Sparks Fears of Cyber Threats from Russia and China

 

Data breaches within the Ministry of Defence (MoD) have surged nearly fivefold over the past five years, raising concerns about the UK's resilience against cyber threats from nations like Russia and China. MoD figures reveal 550 data incidents last year, up from 117 in 2017-18.

Ministers also disclosed that the Information Commissioner’s Office (ICO) is currently investigating three personal data incidents at the MoD. Both the Conservative and Labour parties have prioritized national security in their election campaigns amid global instability and threats from Russia, China, North Korea, and Iran.

Recent warnings suggest the upcoming UK general election could be targeted by cyber attacks and AI deep fakes from hostile states. Many breaches involve unauthorized disclosures by MoD staff, exacerbating concerns about security in a department recently hit by a suspected Chinese cyber attack.

Labour criticized the Conservative government for its “lax approach to cyber security,” promising that a Keir Starmer administration would prioritize the UK's security. However, Prime Minister Rishi Sunak countered by questioning Labour’s national security stance, highlighting Starmer’s past support for Jeremy Corbyn as a potential risk.

Earlier this month, it was revealed that the MoD’s payroll system, managed by contractor SSCL, suffered a major hack attributed to China. Deputy Prime Minister Oliver Dowden, in a letter to shadow Cabinet Office minister Pat McFadden, stated that the Government has enhanced security measures in its procurement processes following this breach.

In 2017-18, the MoD reported 117 data breaches, including unauthorized disclosures, lost equipment or documents, and insecure document disposal. By 2022-23, breaches had risen to 550, with unauthorized disclosures making up the majority. In 2023, the ICO fined the MoD £350,000 after 265 individuals' details were compromised in email breaches following the Taliban’s takeover of Afghanistan.

Defence Minister Andrew Murrison recently confirmed that the ICO has three ongoing investigations into personal data incidents at the MoD. Shadow Defence Secretary John Healey criticized the MoD’s worsening data security record, noting that breaches have tripled over five years, and vowed that a Labour government would enhance the UK’s cyber-security.

Defence Secretary Grant Shapps announced an urgent investigation into the recent MoD payroll cyber attack and a broader review of SSCL’s contracts with the MoD and other Whitehall departments. Dowden emphasized the importance of strengthening domestic cyber resilience to achieve national and international security goals. The Cabinet Office has implemented measures to ensure robust data security requirements in procurement contracts with third-party contractors across Whitehall.

Privacy and Security Risks in Chinese Electric Vehicles: Unraveling the Data Dilemma

The rapid rise of electric vehicles (EVs) has transformed the automotive industry, promising cleaner energy and reduced emissions. But as we enjoy this automotive transformation, we must also grapple with the intricate web of data collection and privacy concerns woven into these high-tech machines. 

One particular area of interest is Chinese-made EVs, which dominate the global market. This blog post delves into the privacy and security risks associated with these vehicles, drawing insights from a recent investigation.

The Cyber Angle

In 2022, Tor Indstøy purchased a Chinese electric vehicle for $69,000 to accommodate his growing family.

Indstøy had an ulterior motivation for purchasing an ES8, a luxury SUV from Shanghai-based NIO Inc. The Norwegian cybersecurity specialist wanted to investigate the EV and see how much data it collects and transmits back to China.

He co-founded Project Lion Cage with several industry acquaintances to examine his SUV and release the findings.

Since its inception in July 2023, Indstøy and his crew have provided nearly a dozen status reports. These have largely consisted of them attempting to comprehend the enormously complex vehicle and the operation of its numerous components.

The $69,000 Chinese Electric Vehicle Under Scrutiny

In a fascinating experiment, Norwegian cybersecurity researcher Tor Indstøy purchased a $69,000 Chinese electric vehicle—an ES8 luxury SUV manufactured by Shanghai-based NIO Inc. His motive? To dissect the vehicle, uncover its data practices, and shed light on potential risks. 

The project, aptly named “Project Lion Cage,” aims to answer critical questions about data privacy and security in EVs.

The Complexity of EVs: A Data Goldmine

Electric cars are not mere transportation devices; they are rolling data centers. Unlike their gas-powered counterparts, EVs rely heavily on electronic components—up to 2,000 to 3,000 chips per vehicle. 

These chips control everything from battery management to infotainment systems. Each chip can collect and transmit data, creating a vast information flow network within the vehicle.

However, studying EVs is also a challenge. Traditional cybersecurity tools designed for PCs and servers fall short when dealing with the intricate architecture of electric cars. Researchers like Indstøy face unique challenges as they navigate this uncharted territory.

Privacy Concerns: What Data Lies Beneath?

Indstøy and his team have identified potential areas of concern for the NIO ES8, but no major revelations have been made.

One example is how data gets into and out of the vehicle. According to the researchers, China received over 90% of the communications, which contained data ranging from simple voice commands to the car to the vehicle's geographical location. Other destinations included Germany, the United States, the Netherlands, Switzerland, and others.

Indstøy suggests that the ambiguity of some communications could be a source of concern. For example, the researchers discovered that the car was regularly downloading a single, unencrypted file from a nio.com internet address, but they have yet to determine its purpose.

The Geopolitical Angle

China’s dominance in the EV market raises geopolitical concerns. With nearly 60% of global EV sales happening in China, the data collected by these vehicles becomes a strategic asset. 

Governments worry about potential espionage, especially given the close ties between Chinese companies and the state. The Biden administration’s cautious approach to Chinese-made EVs reflects these concerns.

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors utilizing a combination of zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods.

Safeguarding the NHS: Protecting Against Potential Cyber Attacks from China

 

Recent concerns have surfaced regarding the vulnerability of the NHS to cyberattacks, particularly from China. Reports indicate that Beijing-backed actors exploited software flaws to access the personal details of millions of Britons. As experts in cybersecurity, it's crucial to address these fears and provide insights into safeguarding against potential cyber threats. 

The prospect of a cyber attack on the NHS by hostile actors underscores the critical importance of robust cybersecurity measures. With the personal details of 40 million Britons potentially compromised, the stakes are high, and proactive steps must be taken to protect sensitive data and preserve public trust in the healthcare system. 

One of the primary concerns raised by these reports is the exploitation of software flaws to gain unauthorized access to personal information. Vulnerabilities in software systems can provide entry points for cybercriminals to launch attacks, compromising the integrity and security of sensitive data stored within NHS databases. 

Furthermore, the involvement of state-backed actors adds a layer of complexity to the threat landscape. Nation-state cyber-attacks are often sophisticated and well-coordinated, making them particularly challenging to defend against. As such, healthcare organizations must remain vigilant and adopt comprehensive security measures to detect and deter potential threats. To defend against potential cyber attacks from China or any other threat actor, the NHS must prioritize cybersecurity at every level. 

This includes implementing robust security protocols, conducting regular risk assessments, and investing in advanced threat detection and response capabilities. Additionally, healthcare professionals and staff members must receive comprehensive training on cybersecurity best practices to recognize and respond to potential threats effectively. By fostering a culture of security awareness and vigilance, the NHS can strengthen its defenses against cyber attacks and mitigate the risk of data breaches. 

Collaboration and information sharing are also essential components of an effective cybersecurity strategy. By partnering with government agencies, cybersecurity experts, and industry stakeholders, the NHS can stay ahead of emerging threats and leverage collective intelligence to bolster its security posture. 

While the prospect of a cyber attack on the NHS is concerning, it's essential to approach these threats with a proactive and informed mindset. By implementing robust cybersecurity measures, fostering a culture of security awareness, and collaborating with relevant stakeholders, the NHS can enhance its resilience against potential cyber threats and safeguard the personal data of millions of Britons.

Former Google Employee Charged with Stealing AI Secrets

 

A former Google software engineer has been charged with stealing the company's artificial intelligence trade secrets while surreptitiously working for two Chinese companies, the Justice Department announced Wednesday. 

Linwei Ding, a Chinese national, was arrested in Newark, California, on four charges of federal trade secret theft, each punishable by up to ten years in prison.

Attorney General Merrick Garland announced the case against Ding, 38, at an American Bar Association conference in San Francisco. Garland, along with other law enforcement leaders, has repeatedly warned about the threat of Chinese economic surveillance as well as the national security concerns posed by developments in artificial intelligence and other novel technologies.

“Today’s charges are the latest illustration of the lengths affiliates of companies based in the People’s Republic of China are willing to go to steal American innovation,” FBI Director Christopher Wray noted in a statement. “The theft of innovative technology and trade secrets from American companies can cost jobs and have devastating economic and national security consequences.” 

Google said it came to the conclusion that the employee had stolen "numerous documents" and had referred the case to law enforcement. 

“We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets,” Google spokesman Jose Castaneda explained. “After an investigation, we found that this employee stole numerous documents, and we quickly referred the case to law enforcement. We are grateful to the FBI for helping protect our information and will continue cooperating with them closely.”

Artificial intelligence is the primary battleground for high-tech competitors, and who dominates can have far-reaching commercial and security repercussions. In recent weeks, Justice Department leaders have warned that foreign foes may use AI technologies to target the United States. 

Deputy Attorney General Lisa Monaco stated in a speech last month that the administration's multi-agency Disruptive Technology Strike Force would prioritise AI enforcement, and Wray told a conference last week that AI and other novel technologies had made it easier for attackers to try to interfere with the American political process. 

The indictment, unsealed Wednesday in the Northern District of California, alleges that Ding, who was hired by Google in 2019 and had access to sensitive information regarding the firm's supercomputing data centres, began uploading hundreds of files to a personal Google Cloud account two years ago. 

According to prosecutors, Ding was offered the post of chief technology officer at an early-stage technology business in China that advertised its use of AI technology and gave him a monthly salary of around $14,800, plus an annual bonus and company stock, just weeks after the theft started. The indictment says Ding travelled to China to attend investor meetings and seek funding for the company. 

In January, the FBI filed a search warrant at Ding's house and seized his electronic equipment, followed by an additional warrant for the contents of his personal accounts, which contained more than 500 distinct files of classified data that investigators claim he stole from Google.

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger conceals itself through sophisticated methods, such as hooking system calls to evade detection. It can survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.