information security

National Security at Risk Amid Chinese and Iranian Cyber Operations

Recent cyber incidents involving Chinese and Iranian threat actors highlight the growing intersection of cyber espionage with geopolitical tensions. China’s Salt Typhoon group has infiltrated U.S. telecom infrastructure, compromising wiretap systems used for lawful surveillance, while Iranian attackers are aggressively targeting healthcare organizations to disrupt services and exfiltrate sensitive data. These attacks expose critical vulnerabilities in national infrastructure, demanding immediate strategic and technical responses to mitigate risks.

A Target on U.S. Telecoms
Salt Typhoon, a group linked to China’s Ministry of State Security, recently executed a sophisticated cyberattack on U.S. telecom giants, including AT&T, Verizon, and Lumen Technologies. The attackers gained access to wiretap systems—platforms intended to support law enforcement investigations. This breach poses several critical risks:

National Security Threats: Access to wiretap systems could allow Chinese actors to monitor U.S. intelligence operations or disrupt surveillance efforts against Chinese nationals and corporations.
Privacy Risks: Wiretap warrants contain sensitive information on ongoing investigations, making this breach a severe privacy violation for citizens and entities under surveillance.

This attack also reflects a broader trend in China’s cyber strategy: a focus on intelligence collection over disruption. The incident has prompted U.S. lawmakers to call for updated regulations that enforce stringent security standards for telecom providers, warning that backdoors intended for legitimate surveillance are prone to exploitation by state-sponsored hackers.

Healthcare Under Siege
While China’s focus has been on telecommunications, Iranian threat actors have targeted the healthcare sector. These attacks aim to exfiltrate patient data, disrupt hospital operations, and potentially deploy ransomware.

Healthcare systems are particularly vulnerable due to a reliance on outdated infrastructure and limited cybersecurity investments. Such attacks threaten not only patient privacy but also lives, as they can delay critical medical care during emergencies. Given the sensitivity of healthcare data, the fallout from these intrusions could include legal liabilities under HIPAA regulations, reputational damage, and the erosion of public trust in healthcare providers.

Strategic Takeaways and Recommendations
These attacks reveal that no industry—whether telecom or healthcare—is immune to nation-state cyber operations. It is essential for organizations to take proactive steps, including:

Implementing Zero Trust Models: Zero Trust enforces strict verification of every access request, regardless of whether it originates from inside or outside the organization’s network. This model ensures that all users, devices, and systems must continuously authenticate and validate authorization for each interaction. By applying least-privilege principles and continuous monitoring, Zero Trust helps prevent attackers from gaining unrestricted access or moving laterally within the environment if a single system is compromised.
Strengthening Regulatory Compliance: Healthcare and telecom providers must exceed baseline compliance requirements to stay ahead of evolving threats.
Collaborating Across Sectors: Strong collaboration among public institutions, private industry, and vendors is essential for identifying and mitigating advanced persistent threats. Sharing intelligence, resources, and expertise ensures a more coordinated response to emerging cyber risks while enhancing the resilience of all stakeholders.
Proactive Monitoring and Incident Response: Real-time monitoring through Security Information and Event Management (SIEM) solutions provides critical visibility by collecting and correlating security event logs across systems. While SIEM tools alert teams to potential intrusions, timely intervention requires security analysts to act on these alerts, preventing damage from escalating.

Conclusion
The recent activities by Salt Typhoon and Iranian actors serve as stark reminders of the importance of cybersecurity across all critical sectors. These incidents underscore the need for robust defenses and close collaboration between public and private entities to ensure national resilience. Organizations that adopt forward-thinking strategies—such as zero trust architectures—will be better positioned to protect their assets and data amid rising geopolitical tensions.

Massive Data Breach Exposes Millions As MOVEit Vulnerability Exploited

In recent weeks, a major data breach caused by the exploitation of a vulnerability in the popular file transfer tool MOVEit, by Progress Software, has led to the compromise of sensitive personal information belonging to millions of individuals and a growing number of companies, universities, and government entities and agencies. This alarming breach has affected numerous organizations across various sectors, highlighting the urgent need for enhanced cybersecurity measures. In this Security Advisory nGuard will cover an overview of MOVEit, who is behind the attack, detail the extent of the damage caused by the vulnerability, and offer mitigation strategies to address the issue.

MOVEit and the Vulnerability:
MOVEit Transfer, developed by Progress Software, is an enterprise file transfer tool widely used by organizations for secure information exchange. Unfortunately, hackers have recently targeted a vulnerability within MOVEit, resulting in a series of data breaches. The attacks have been attributed to the Cl0p ransomware gang, a group that operates as a ransomware-as-a-service provider. Cl0p’s tactics include the exploitation of software vulnerabilities and employing double-extortion techniques, where stolen data is held hostage unless a ransom is paid.
The vulnerability in MOVEit Transfer allows hackers to gain unauthorized access to sensitive data during file transfers. By leveraging this vulnerability, the Cl0p gang has been able to infiltrate multiple organizations and compromise the security of their data.
There are multiple CVEs associated with the software:

Extent of the Breach and Affected Individuals and Organizations:
The impact from the MOVEit vulnerability has been far-reaching and has impacted a wide range of individuals and organizations. So far, more than 15.5 million individuals have been affected and the list of organizations is growing each day. The following is a list of some of the major organizations affected:

U.S. Department of Energy
Ernst & Young
Siemens Energy
Government of Nova Scotia
British Airways
Oregon Driver’s License Holders: Approximately 3.5 million individuals.
Louisiana Residents: Roughly 6 million individuals.
California Public Employees’ Retirement System (CalPERS) Members: About 770,000 individuals.
Genworth Finance Clients: Between 2.5 and 2.7 million individuals.
Wilton Reassurance Insurance Customers: Approximately 1.5 million individuals.
Tennessee Consolidated Retirement System Beneficiaries: More than 170,000 individuals.
Talcott Resolution Customers: Over half a million individuals.
National Student Clearinghouse: Potentially significant breach in terms of numbers, impacting numerous educational institutions across the United States.
U.S. Universities and Schools: Numerous universities have fallen victim to the breach including UCLA, University of Rochester, and Johns Hopkins.
U.S. Department of Health and Human Services (HHS): More than 100,000 individuals affected, according to congressional notifications.
Banks, Consultancy and Legal Firms, Energy Giants, and more: Cl0p’s leak site includes numerous additional victims.

The consequences extend beyond individuals, with several notable organizations falling victim to the breach. The University of California-Los Angeles (UCLA), which used MOVEit Transfer to transfer files across campus and to other entities, is among the victims. UCLA spokesperson Margery Grey confirmed the university’s collaboration with the FBI and external cybersecurity experts to investigate the matter. She also stated that impacted individuals have been notified.

Mitigating the Vulnerability:
Given the severity and widespread impact of the MOVEit vulnerability, it is crucial for organizations to take immediate steps to mitigate risks and protect their sensitive data. Here are some recommended strategies:

Update and Patch: Promptly update MOVEit Transfer and apply the latest security patches released by Progress Software. Regularly checking for updates ensures that known vulnerabilities are addressed, significantly reducing the risk of exploitation.
Conduct Regular Vulnerability Scanning: With nGuard Vulnerability Management, your organization’s Internet perimeter or internal networks are continuously tested for new vulnerabilities. This provides your organization an effective and timely way to manage your security posture on an ongoing basis.
Conduct Regular Security Audits: Perform comprehensive security audits to identify potential vulnerabilities within your networks and file transfer systems. This includes conducting penetration tests and vulnerability assessments to proactively identify and address weak points.
Implement Multifactor Authentication (MFA): Enforce MFA for accessing file transfer systems to enhance authentication security. Requiring additional verification methods such as biometrics or one-time passwords (OTP), or acceptance of push notifications the risk of unauthorized access is significantly reduced.
Employee Awareness and Training: It is critical to promote a top-down approach to the culture of cybersecurity awareness among employees by providing regular training sessions on identifying and responding to threats. These training sessions should include ongoing social engineering assessments. Educate staff on best practices for securely sharing sensitive information.
Incident Response Planning: Develop a robust incident response plan that outlines steps to be taken in the event of a data breach. This includes establishing clear lines of communication, involving relevant stakeholders, and implementing recovery procedures to minimize damage and downtime. nGuard has years of experience helping customers create thorough and detailed incident response plans and information security policies custom tailored to their environments, needs, and particular GRC requirements and security standards.
Collect Proper Logs: Have a proper Security Information and Event Management (SIEM) tool that collects, analyzes and correlates security event data from various sources to detect and respond to potential cybersecurity threats. This helps organizations improve overall security posture by providing real-time monitoring, threat intelligence, and incident response capabilities.

The MOVEit vulnerability has led to a significant data breach affecting millions of individuals and numerous organizations across various sectors. As the list of victims continues to grow, it is crucial for organizations to take proactive steps to mitigate new vulnerabilities. By following the mitigation provided, organizations can fortify their defenses and safeguard sensitive information from malicious actors. The battle against cyber threats requires collective efforts and ongoing awareness to ensure integrity and security.

TWIC: Barracuda Alert, Fortinet Patch, and VMware ESXi Exploit

In this week’s edition of TWIC (This Week in Cybersecurity), we delve into the most significant stories and developments in the cybersecurity landscape. This week, we’re focusing on three major incidents involving Barracuda, Fortinet, and VMware ESXi.

Barracuda Urges Immediate Replacement of Vulnerable Appliances
Barracuda Networks, a leading provider of cloud-enabled security solutions, has issued an urgent call to its customers to replace vulnerable email security gateway (ESG) appliances immediately. This follows the disclosure of a critical security flaw, which has been exploited since October 2022. The vulnerability existed in a module which initially screens the attachments of incoming emails. Despite a patch being issued last month, Barracuda recommends replacing the compromised appliances as the safest course of action. Three different malware strains have been discovered to date on a subset of appliances allowing for persistent backdoor access, and evidence of data exfiltration was identified on a subset of impacted appliances.

Fortinet’s Patched Critical Flaw May Have Been Exploited
Fortinet recently patched a critical flaw in its FortiOS SSL VPN. However, there are indications that this vulnerability may have already been exploited in attacks impacting various sectors, including government and manufacturing. The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests. Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

Chinese Cyberspies Caught Exploiting VMware ESXi Zero-Day
A Chinese cyberespionage group, known as UNC3886, has been observed exploiting a zero-day vulnerability in VMware ESXi to escalate privileges on guest virtual machines. The group has been using malicious vSphere Installation Bundles (VIBs) to install backdoors on ESXi hypervisors and gain command execution, file manipulation, and reverse shell capabilities since September 2022. The group’s malicious actions would impact VMware ESXi hosts, vCenter servers, and Windows virtual machines (VM). The cyberspies also used installation scripts to deploy malicious VIBs to hosts, and exploited CVE-2023-20867 to execute commands and transfer files from the compromised ESXi host to and from guest VMs, without authentication and without a trace.

Conclusion
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging on a regular basis. These incidents involving Barracuda, Fortinet, and VMware ESXi underscore the importance of maintaining robust security measures and staying abreast of the latest developments.

At nGuard, we offer a range of services designed to help businesses navigate these challenges. Our Cyber Security Incident Response service is equipped to provide immediate assistance in the face of potential security incidents, helping to manage and mitigate risks effectively. Our Vulnerability Management service is designed to identify and manage vulnerabilities in your systems, ensuring that your network remains secure against a variety of threats. Furthermore, our Managed Event Collection service provides continuous monitoring and detection capabilities, enabling swift identification and response to malicious activities in your network.

Remember, in the realm of cybersecurity, staying informed and taking proactive measures is key. At nGuard, we’re committed to helping you navigate the ever-evolving cybersecurity landscape. Contact us today to learn more about how we can assist you in securing your organization.

Don’t Let Zero-Day Vulnerabilities Spoil Your Holidays

In this article, we will be discussing several recent developments in cybersecurity. First, we will cover the FortiOS SSLVPN Buffer Overflow, a vulnerability that allows attackers to execute arbitrary code on affected devices. Next, we will discuss new Atlassian security flaws, which have been discovered in several of the company’s popular software tools. We will also examine the issue of JSON requests bypassing Web Application Firewalls and how this can leave systems vulnerable to attacks. Finally, we will discuss Apple’s efforts to patch iPhone and iPad Zero-Days, which are vulnerabilities that have not yet been publicly disclosed. These topics highlight the ongoing importance of staying vigilant and taking steps to protect against emerging threats in the digital landscape.

FortiOS SSL-VPN Heap-Based Buffer Overflow Discovered

FortiGuard Labs has published a critical advisory warning of a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. This may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. The vulnerability is assigned the number FG-IR-22-398, has a CVSSv3 9.3 rating and has been confirmed to be exploited in the wild. FortiGuard Labs has included the indicators of compromise (IOCs) for FortiOS administrators to review the integrity of their systems. It is recommended that organizations upgrade to an unaffected version of FortiOS and follow FortiGuard’s advice to review existing systems for signs of compromise. To stay on top of new vulnerabilities like this, nGuard recommends having, at a minimum, quarterly vulnerability scans conducted on your internal and external environments. In addition, to get a full view of what an attacker could do if they gain access to your network, annual internal and external penetration testing is recommended.

Security Flaws Discovered in Atlassian Products

CloudSEK researchers have identified a flaw in Atlassian products Jira, Confluence, and BitBucket that could be exploited by threat actors to take over corporate Jira accounts. The researchers found that even if a password is changed with 2FA enabled, cookies are not invalidated and only expire when a user logs out or after 30 days. As a result, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even if they do not have access to the multi-factor authentication or one-time PIN required for 2FA. With over 10 million users across 180,000 companies, including 83% of Fortune 500 firms, Atlassian products are widely used, and threat actors are actively exploiting the flaw to compromise enterprise Jira accounts. CloudSEK is releasing a free tool that allows companies to check if their compromised computers and Jira accounts are being advertised on dark web marketplaces. Additionally, conducting a web application penetration test can help discover vulnerabilities with session cookies and other areas, using the OWASP Top 10 as the foundation of the assessment.

Web Application Firewalls Bypassed by JSON Requests

Researchers at Claroty have discovered that web application firewalls (WAFs) from Amazon Web Services, Cloudflare, F5, Imperva and Palo Alto are vulnerable to malicious requests that use the JavaScript Object Notation (JSON) format to obfuscate database commands and escape detection. This technique allows attackers to access and potentially change data as well as compromise the application. The researchers found that WAFs do not understand commands written in JSON, while major SQL databases do. This allows attackers to forward malicious requests to the back-end database without detection. WAFs are widely used to protect against application attacks, but they are not foolproof. A 2020 survey found that 40% of security professionals claimed at least half of application attacks had bypassed the WAF. This research shows that even if you have security devices in place, they can be bypassed. nGuard can find the vulnerabilities within your web applications before an attacker can by performing a web application penetration test.

Apple Send Updates to Patch New Zero-Day

Apple has released security updates for iOS, iPadOS, macOS, tvOS, and Safari to address a zero-day vulnerability that could result in the execution of malicious code. The issue, which has been given the code name of CVE-2022-42856, has been described as a type of confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content. This could lead to arbitrary code execution, with Apple saying it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.1. It is thought that the issue involved social engineering or a watering hole attack, with the devices being infected when visiting a rogue or legitimate-but-compromised domain via the browser. The company has addressed the issue with improved state handling.

TWiC | Hackers Keep up the Pressure Over the Holidays

Over the past few weeks, we have seen some interesting stories develop in the world of cyber security. It seems that attackers are not slowing down for the holiday season, with LastPass revealing yet another security breach, Killnet boasting of a DDoS attack targeting Musk’s Starlink services and the U.S. banning Chinese telecom companies. nGuard examines these new developments in this week’s security advisory.

Killnet Gloats About DDoS Attacks Downing Starlink, White House
Starlink services were disrupted last week, and it may have been caused by a hacking organization called Killnet. The group is notorious for making all of its communications public on Telegram. After digging into the reports of a massive DDoS attack, Trustwave discovered that many Starlink customers complained about service disruptions on Reddit. Other groups like Anonymous and Halva have also claimed responsibility for participating in the DDoS attack, although Killnet appears to be the main culprit here.

LastPass Reveals Another Security Breach
According to the CEO of LastPass, the popular password manager has been breached again. This company investigated unusual activity involving a third-party cloud storage service that it uses with its parent company, GoTo. A hacker was able to access some of the password managers’ source code using information obtained from a previous security breach. It is highly likely that the attacker was limited to the development environment but they had access to “certain elements” of customer information. The company maintains that no password information was divulged because it remains encrypted.

U.S. Banned Chinese Telecom & Surveillance Cameras That Pose National Security Threat
The U.S. has placed multiple Chinese-based firms on a ban list after they were identified as national security threats. The U.S. has decided to ban the import and sale of equipment from Huawei, ZTE, Hytera Communications, Hikvision, Dahua, Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited. FCC Chairwoman Jessica Rosenworcel said, “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here.”

In order to access sensitive data and disrupt important services, attackers constantly work behind the scenes to discover and exploit flaws in software. A high priority should be given to protecting your organization from malicious actors at all times. Continual penetration testing and vulnerability management can help you close security holes in your environment. Your employees can stay on top of their game by receiving security awareness training and participating in social engineering simulations. With nGuard, you can enhance your organization’s security posture and prevent data breaches.