The Breach Report: And We're Live
China's hacking of U.S. critical infrastructure and the 23andMe data breach are alarming
Welcome to the Breach Report
Welcome to the initial launch of the Breach Report, a special cybersecurity newsletter from the creators of Cybersecurity Careers Blog.
Breach Report will focus on the latest cybersecurity news, career headlines, and feature content from our blog.
We know your time is limited, so we’re thankful you’ve signed up. We’ll deliver updates as the news warrants, because the tech industry never sleeps.
Our Top Story: China has been hacking U.S. critical infrastructure for 5 years
China has deeply penetrated U.S. critical infrastructure networks, according to a joint briefing report released to the public by the top U.S. national security agencies.
If you follow the social media accounts of the FBI, NSA, or CISA, you may have noticed a flurry of activity about ‘Volt Typhoon.’ Volt Typhoon is the name Microsoft assigned to an advanced persistent threat (APT) group affiliated with the Chinese Communist Party. The group has a long track record of cyber espionage, data exfiltration, and living off the land (LOTL) techniques: abusing legitimate, built-in administrative tools and normal network traffic rather than dropping custom malware, which makes its activity hard to distinguish from ordinary IT work.
In a joint briefing, the FBI, NSA, and CISA announced that Volt Typhoon, a Chinese state-sponsored group, has compromised and maintained access to U.S. critical infrastructure networks for at least five years. The three agencies released an advisory on the operation they uncovered (PDF link), stating that they have detected the group’s presence in the U.S. communications, energy, transportation systems, and water/wastewater systems sectors.
National security representatives are concerned about China’s “disruptive effects in the event of potential geopolitical tensions and/or military conflicts,” according to the briefing.
The briefing urges critical infrastructure organizations to apply the mitigations in the advisory and to hunt for similar malicious activity across their operational technology (OT) and information technology (IT) infrastructure.
CISA has provided a guide for detecting and mitigating living off the land techniques for U.S. organizations to utilize as best practices.
Most notoriously, a large living off the land operation by Volt Typhoon was exposed in May 2023: the group used compromised small office/home office (SOHO) routers, VPN appliances, and other networking equipment to proxy its command and control (C2) traffic, in a campaign that targeted Guam and other U.S. territories.
23andMe Breach: It gets worse for the failing DNA company
23andMe is at risk of being delisted from the NASDAQ, trading at approximately 75 cents over the past few days.
23andMe, once worth over $6 billion, is now at risk of being delisted from the NASDAQ stock exchange and was trading under 72 cents as of February 8, 2024. It’s a stunning reversal for Anne Wojcicki, chief executive of 23andMe and sister of Susan Wojcicki, the chief executive of YouTube until 2023. Anne was previously married to Google co-founder Sergey Brin; the two divorced in 2015. Between those three, 23andMe had deep pockets and tech ‘street cred’ that undoubtedly helped its Silicon Valley launch take off.
The Wall Street Journal reports that, around its launch, 23andMe held “spit parties” for Silicon Valley and Hollywood elites. The parties aimed to make it fashionable to hand privacy-sensitive data like your unique DNA to a tech startup.
The company has raised over $1.4 billion in venture capital and has already spent nearly 80% of it.
But financial troubles aren’t the main woes for the company. In case you missed it, 23andMe was breached in October 2023 and slow-rolled its admissions of how bad the breach was.
Hackers gained access to an initial tranche of roughly 14,000 23andMe accounts through credential stuffing: replaying username and password pairs leaked in earlier, unrelated breaches against 23andMe’s login page, on the bet that some users had reused the same password across sites. No vulnerability in 23andMe’s software was needed; the technique only requires that a fraction of the leaked pairs still work.
The bet paid off for about 14,000 accounts. Because each account is tried only once or twice, per-account lockouts never trigger; the signal shows up in aggregate, as one source trying many different usernames with a low success rate. Once inside those accounts, the attackers pivoted through the DNA Relatives feature, which shows opted-in users information about their genetic matches, to scrape personal information on over 6.9 million 23andMe customers who had opted in.
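The aggregate pattern described above is what a login-log detector has to key on. The following Python is an added example written for this newsletter, not code from 23andMe or from any of the agencies cited here; the log lines are constructed, the log format (`timestamp src_ip username OK|FAIL`) is an assumption, and the thresholds (five distinct usernames within ten minutes, success rate at or below 50%) are illustrative values a real deployment would tune. It flags sources whose traffic looks like a stuffing run and then lists the accounts where the reused password actually worked, since those accounts, not just the source IP, are what need a forced reset.

```python
"""Credential-stuffing detection over web login logs (added example).

Credential stuffing replays username:password pairs leaked from other sites
against a login endpoint. Each account sees only one or two attempts, so
per-account lockout rarely fires; the signal is aggregate: one source trying
many distinct usernames with a low success rate. The log lines below are
constructed for this example (they are not 23andMe data) and the thresholds
are assumptions to be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <OK|FAIL>".
# 203.0.113.10 walks a leaked list (8 users, 2 hits); the other sources are
# ordinary logins, including one user who mistyped their own password once.
SAMPLE_LOG = """\
2024-02-08T10:00:01Z 203.0.113.10 alice@example.com FAIL
2024-02-08T10:00:02Z 203.0.113.10 bob@example.com FAIL
2024-02-08T10:00:03Z 203.0.113.10 carol@example.com OK
2024-02-08T10:00:04Z 203.0.113.10 dave@example.com FAIL
2024-02-08T10:00:05Z 203.0.113.10 erin@example.com FAIL
2024-02-08T10:00:06Z 203.0.113.10 frank@example.com FAIL
2024-02-08T10:00:07Z 203.0.113.10 grace@example.com OK
2024-02-08T10:00:08Z 203.0.113.10 heidi@example.com FAIL
2024-02-08T10:01:10Z 198.51.100.5 alice@example.com FAIL
2024-02-08T10:01:25Z 198.51.100.5 alice@example.com OK
2024-02-08T10:02:00Z 198.51.100.7 dave@example.com OK
2024-02-08T10:03:00Z 198.51.100.9 ivan@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_distinct_users=5, max_success_rate=0.5):
    """Return {src_ip: stats} for sources whose activity in some sliding
    window looks like stuffing: many distinct usernames, mostly failures.

    A brute-force against one account (many attempts, one username) and a
    user fat-fingering their own password both fail the distinct-user
    threshold; that is what separates stuffing from those cases.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if (len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_rate
                    and (best is None or len(win) > best["attempts"])):
                best = {"attempts": len(win), "distinct_users": len(users),
                        "successes": successes,
                        "first_seen": win[0][0], "last_seen": win[-1][0]}
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(log_text, **thresholds):
    """Usernames that logged in successfully from a flagged source.

    These are the accounts where the reused password worked; the response is
    to invalidate their sessions and force a reset, not just block the IP.
    """
    flagged = detect_stuffing(log_text, **thresholds)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, ok = parse_line(line)
            if ok and ip in flagged:
                hits.add(user)
    return hits


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"stuffing from {ip}: {stats}")
    print("force reset for:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Against the sample, only 203.0.113.10 is flagged and the two accounts it logged into are returned for reset. Attackers spread real campaigns across proxy pools so that no single IP crosses a per-source threshold; the same windowed logic applied to the whole login stream (or per ASN) catches that, and the success rate against the baseline is the more robust signal than raw volume.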
It’s an epic crash for a company once touted as the next big thing for Silicon Valley health tech startups. But we’ve seen this narrative backfire before.
Current Cybersecurity Headlines
New from our favorite blogs and journalists:
Microsoft’s AI will delete its own answers before your eyes (404Media)
The Viral Smart Toothbrush Botnet Story is Not Real (404Media)
Feds: Chinese hacking operations have been in critical infrastructure networks for five years (Cyberscoop)
FCC bans AI-generated voices, grants states legal authority (Statescoop)
U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders (The Hacker News)
Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data (The Hacker News)
New Fortinet RCE bug is actively exploited, CISA confirms (Bleeping Computer)
ExpressVPN bug has been leaking some DNS requests for years (Bleeping Computer)
Can a $10 Raspberry Pi break your PC’s disk encryption? It’s complicated. (Ars Technica)
Google debuts more powerful “Ultra 1.0” AI model in rebranded “Gemini” chatbot (Ars Technica)