CyberBakery Chronicles

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (03 Jan 2025)

  • Chinese government hackers have breached the U.S. Treasury Department's systems.
  • A whistleblower has discovered unencrypted location data for 800,000 Volkswagen electric vehicles (EVs).
  • Cyber attack on Italy's Foreign Ministry, airports claimed by pro-Russian hacker group
  • Cybercriminals Exploit Chrome Web Store to Infect Millions of Users
  • Malicious Packages Found on Python Package Index and VSCode Marketplace

Chinese government hackers have breached the U.S. Treasury Department's systems.

In early December 2024, Chinese state-sponsored hackers infiltrated the U.S. Treasury Department’s systems by exploiting a vulnerability in a third-party security service provided by BeyondTrust. The breach, detected on December 8, allowed attackers to access unclassified documents and remotely control certain workstations. Upon discovery, the compromised service was promptly taken offline, and there is currently no evidence suggesting continued unauthorised access.

Incident Details:

  • Discovery: BeyondTrust detected suspicious activity on December 2 and identified the breach by December 5. The Treasury was informed on December 8, and the compromised service was taken offline.
  • Method: The attackers obtained an API key for a cloud-based technical support service, which enabled them to remotely access workstations and override server security.
  • Accessed Data: The hackers accessed unclassified documents from several workstations. There is no evidence indicating continued access to Treasury systems or information.

Response and Investigation:

The Treasury Department is actively collaborating with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and various other intelligence agencies to investigate a recent security breach. This comprehensive investigation aims to thoroughly assess the potential impacts of the incident. As a precautionary measure, the compromised service has been taken offline and will remain unavailable while further actions and analyses are conducted.

This breach is part of a troubling pattern of cyberattacks linked to state-sponsored actors from China, who have been specifically targeting sensitive information within U.S. government departments. Earlier in 2024, a coordinated effort by Chinese hackers resulted in the unauthorised access of email accounts belonging to officials in both the Departments of Commerce and State, raising significant security concerns.

In light of the allegations, the Chinese embassy in Washington, D.C., has firmly denied any involvement, calling for all parties to maintain a "professional and responsible attitude" when discussing and classifying cyber incidents. This statement highlights the ongoing tensions surrounding cybersecurity and international relations.


A whistleblower has discovered unencrypted location data for 800,000 Volkswagen electric vehicles (EVs).

A significant data breach exposed sensitive information for approximately 800,000 electric vehicles (EVs) from the Volkswagen Group, including brands such as Volkswagen, Audi, Seat, and Skoda. The breach, attributed to a misconfiguration by Volkswagen’s software subsidiary, Cariad, left unencrypted location data and personal details accessible online for several months.

Details of the Breach:

  • Scope: The exposed data encompassed precise location information for about 460,000 vehicles, with geolocation accuracy reaching up to 10 centimeters for Volkswagen and Seat models. Additionally, personal details such as owners’ names, email addresses, and phone numbers were accessible.
  • Discovery: A whistleblower alerted the German publication Der Spiegel and the Chaos Computer Club (CCC) to the vulnerability. Investigations revealed that the data was stored on an unsecured Amazon cloud server, making it publicly accessible without authentication.
  • Affected Parties: The breach impacted a diverse group, including politicians, business leaders, law enforcement personnel, and potentially intelligence service employees, raising significant privacy and security concerns.

Response and Mitigation:

Upon notification, Cariad promptly addressed the misconfiguration, securing the exposed data. The company stated that no sensitive information, such as passwords or payment details, was compromised and assured customers that no further action was required on their part.

Conclusion

This incident underscores the critical importance of robust data security measures, especially as modern vehicles become increasingly connected and reliant on software. The exposure of precise location data and personal information poses significant risks, including potential physical security threats, identity theft, and unauthorised surveillance.


Cyber attack on Italy's Foreign Ministry, airports claimed by pro-Russian hacker group

On December 28, 2024, approximately ten official Italian websites, including those of the Foreign Ministry and Milan’s Linate and Malpensa airports, were temporarily disrupted by a cyberattack. The pro-Russian hacker group Noname057(16) claimed responsibility for the attack, describing it as a response to Italy’s perceived “Russophobia.”

This cyberattack is part of a broader pattern of politically motivated cyber activities by pro-Russian groups targeting countries supporting Ukraine. Such incidents highlight the ongoing cyber threats faced by nations involved in geopolitical conflicts and underscore the importance of robust cybersecurity defences.

Details of the Attack:

  • Method: The attack was identified as a Distributed Denial of Service (DDoS) attack, where hackers overwhelm a network with excessive data traffic to paralyse it.
  • Duration: Italy’s cybersecurity agency responded promptly, mitigating the attack’s impact in less than two hours.
  • Impact on Services: Despite the temporary website outages, flight operations at Milan’s airports were not disrupted, and their mobile applications remained functional.

Noname057(16) is a pro-Russian hacker group known for targeting public institutions and strategic sectors in NATO countries that support Ukraine. As part of their cyber activities aligned with Russian interests, they have previously conducted similar attacks.

Italian authorities, including the cybersecurity agency and national cybersecurity police, are investigating the incident. Foreign Minister Antonio Tajani acknowledged the attack, noting it was the third on the Foreign Ministry within three days, and emphasized efforts to enhance cybersecurity measures within the ministry and across Italian embassies.


Cybercriminals Exploit Chrome Web Store to Infect Millions of Users

A sophisticated cyberattack has compromised at least 35 Chrome browser extensions, potentially exposing over 2.6 million users to data theft and credential stealing.

The campaign began with a phishing attack targeting a Cyberhaven employee. Through it, the attackers gained access to the employee's Chrome Web Store account, which allowed them to inject malicious code into the Cyberhaven extension; the trojanised version was subsequently downloaded by numerous users.

Further investigation revealed that this was not an isolated incident. Multiple other extensions, including popular tools for AI assistance, VPNs, and video recording, were also compromised, likely through similar phishing attacks.

These malicious extensions collected user data, including cookies, access tokens, and potentially even sensitive financial information. Some extensions even contained code designed to steal Facebook login credentials.

Attacks like these highlight the growing threat of compromised browser extensions. As these extensions often have broad access to user data and browsing activity, they can be a significant entry point for cybercriminals.

Users are advised to exercise caution when installing browser extensions, carefully vetting their source and checking for any suspicious activity. Developers are also urged to implement strong security measures to protect their accounts and prevent unauthorised access.

This ongoing campaign underscores the importance of vigilant security practices in the ever-evolving threat landscape of online activity.


Malicious Packages Found on Python Package Index and VSCode Marketplace

Cybersecurity researchers have discovered malicious packages uploaded to the Python Package Index (PyPI) and the Visual Studio Code Marketplace. These packages, disguised as legitimate tools for cryptocurrency development and productivity, were designed to steal sensitive information from developers' systems.

The malicious PyPI packages, named "zebo" and "cometlogger," were downloaded hundreds of times before being removed. These packages contained code to steal keystrokes, capture screenshots, and exfiltrate sensitive data, including credentials from popular platforms like Discord, Steam, and Instagram.

Similarly, researchers identified malicious VSCode extensions that targeted cryptocurrency developers and Zoom users. These extensions, often with names resembling legitimate tools, downloaded and executed malicious payloads.

Typosquatting and Fake Reviews

Attackers employed typosquatting techniques, creating packages with names that closely resembled legitimate ones, such as "@typescript_eslinter/eslint" instead of "typescript-eslint." They also inflated download numbers and used fake reviews to make these malicious packages appear more trustworthy.

Impact and Recommendations:

This incident highlights the growing threat of supply chain attacks targeting software development ecosystems. Developers are urged to exercise extreme caution when downloading and installing packages from online repositories.

Key recommendations include:

  • Thoroughly vetting all packages before installation.
  • Checking the source and reputation of the developer.
  • Regularly auditing development environments for potential threats.
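The typosquatting described above ("@typescript_eslinter/eslint" imitating "typescript-eslint") and the recommendation to vet packages before installation can be partly automated. The following is an added example, not code from the newsletter or from any of the registries named; the allowlist of known-good packages and the dependency list it audits are constructed for illustration, and the two-edit threshold is an assumption.

```python
import re

# Constructed allowlist of packages a team genuinely depends on (assumption, not from the page).
KNOWN_PACKAGES = {"requests", "numpy", "discord.py", "typescript-eslint"}


def normalize(name: str) -> str:
    """Canonical form as registries compare names: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def name_forms(name: str) -> set[str]:
    """Strings a reader might take as 'the' package name.

    For an npm-style scoped name '@scope/pkg' the scope alone, the bare package and the
    flattened 'scope-pkg' can each imitate a legitimate name; unscoped names yield one form.
    """
    if name.startswith("@") and "/" in name:
        scope, pkg = name[1:].split("/", 1)
        return {normalize(scope), normalize(pkg), normalize(f"{scope}-{pkg}")}
    return {normalize(name)}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> list[str]:
    """Known packages that `requested` imitates without being one of them.

    An exact match after normalisation is the legitimate package and returns [];
    otherwise every known name within `max_distance` edits of any form of the
    requested name is returned so a reviewer can compare before installing.
    """
    normalized_known = {normalize(k): k for k in known}
    if normalize(requested) in normalized_known:
        return []
    forms = name_forms(requested)
    hits = {orig for norm, orig in normalized_known.items()
            if any(edit_distance(form, norm) <= max_distance for form in forms)}
    return sorted(hits)


def audit(requirements: list[str]) -> dict[str, list[str]]:
    """Map each suspicious dependency to the legitimate names it resembles."""
    return {dep: hits for dep in requirements if (hits := typosquat_candidates(dep))}
```

An empty result only means the name does not resemble anything on the allowlist; it is one check in the vetting process, not a verdict that the package is safe.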

This incident is a stark reminder of the importance of maintaining a strong security posture throughout the entire software development lifecycle.


Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it.

Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

Let’s make 2025 the year of shared knowledge and community growth.