More Salt Typhoon Victims; US Sanctions Chinese Company for Aiding Flax Typhoon; Plan Now for Windows 10 End-of-Support

Almost 12 years ago Presidential Policy Directive 21 identified the Communications Sector as critical “because it provides an 'enabling function' across all critical infrastructure sectors.” However, the various FCC working groups, legislation and voluntary industry/government working groups, have not worked to force needed changes in the sector to maintain basic security hygiene, let alone preparedness against sophisticated attacks.

John Pescatore

If the Salt Typhoon intrusion is this bad then we have a grave problem to solve and none of our communications channels can be trusted. This is not a good scenario. Consider that this is the threat actor we currently have found.

Moses Frost

The attacks leveraged unpatched Cisco and Fortinet gear, and in one case they exploited one privileged account which didn't have MFA and provided access to thousands of routers. CISA is reporting that Volt Typhoon continues to target/infect old Cisco routers to access critical infrastructure. The takeaway being it's time to get proactive on updating your routers/switches, replacing past-service-life devices and requiring all accounts to have MFA. Lock down access to management interfaces and double check you have visibility to access and exploit attempts.

Lee Neely

It’s now clear that the telecom sector, as a group, were not good practitioners of basic cyber hygiene. You know, things like patching, secure configuration, and active monitoring of the network. The government should require the companies to produce a detailed report on what processes were in place, what security tools were active, and what actions were taken after the attack for general release to the public. While most understand the concept of basic cyber hygiene, understanding how the adversary maneuvered and maintained presence can only help defenders.

Curtis Dukes

It would be wonderful if the telcos were the victims here. The victims were those whose conversations were compromised. Congress, the FCC, Law enforcement, and the telcos were all complicit.

William Hugh Murray

The FBI led an effort by multiple agencies to shut down the Flax Typhoon botnet in September 2024, effectively ending their operations. This sanction adds financial impacts to any attempt for them to regain their capabilities. Beware of OFAC sanctions and other regulatory entanglements when considering ransomware payment, you really don't want to get crosswise with them.

Lee Neely

Windows 10 is this generation's Windows XP… We still see Windows XP and Windows 7 being used. This is going to be a long tail nightmare. There will be companies 20 years from now looking for anti malware agent support for this platform. This is also not the year of Linux on the desktop. Sorry everyone — try in 2026.

Moses Frost

Dust off your notes from the Windows XP transition. This will be similar in scope and similarly painful. Any delay will only increase pain and cost.

Johannes Ullrich

As pointed out in the article, upgrading to Windows 11 likely requires a hardware update. Businesses should have been planning for that expense, personal users not so much. If you’re adhering to a cybersecurity framework like the CIS critical security controls, it’s best practice to ensure authorized software is currently supported. Don’t be dinged on the audit.

Curtis Dukes

While October feels a long way from today, make sure you account for the time to not only secure funding for replacement hardware where needed, but also for migration to those new systems, followed by decommissioning of the old. While purchasing extended support is an option, its really just postponing the migration, not a long term fix.

Lee Neely

The short section, “Why Do Jailbreak Techniques Work?” captures the AI security problem in a nutshell. In particular, the phrase that certain computational task “… can strain the model's resources, potentially causing it to overlook or bypass certain safety guardrails.” This is like, after crashing your car into oncoming traffic, saying “Sorry, officer, I smashed through the guardrail because I was computationally overloaded while talking on my cellphone to order dinner.” Misuse detection of AI is in the “stop the simple attacks stage” and there is a lot of work to be done for LLMs to be used safely for more than improved search responses.

John Pescatore

Oh, we have only just begun to see the dangers of these simple LLMs. These current attack techniques feel like the equivalent of the 1990s/early 2000s style buffer overflows. The only difference is that now you yell “AAAA” at the computer instead of typing it. This is a novel way to get the system to tell you how to go about doing something and violate its own directives. We will see more I’m sure.

Moses Frost

So long as we have guardrails, people will try to find ways to bypass them. The trick is understanding the techniques so mitigations can be deployed, if appropriate. LLM Jailbreaks are also referred to as prompt injection, The Bad Likert Judge jailbreak was tested against LLMs from Amazon Web Services, Google, Meta, Microsoft, OpenAI and NVIDIA, which increased the attack success rate by 60% versus other prompt injection techniques. Adding content filters reduced that success rate by an average of 89.2%.

Lee Neely

This is energy going into figuring out how to abuse and misuse LLMs rather than into how to exploit the potential gain in productivity or the policies needed to ease the impact on any workers displaced by those gains.

William Hugh Murray

We need vendors to get proactive on eliminating hard-coded and default credentials, as well as employing ubiquitous input sanitization. CVE-2024-9140, command injection due to improper input sanitization, CVSS 3 score 9.8, can be exploited remotely, but CVE-2024-9138, hard-coded credentials, CVSS 3 score 7.2, requires authentication. The fix is to update to the latest firmware, in addition limit SSH access to trusted devices/networks, don't make these Internet accessible, and use an IDS/IPS to monitor/block exploitation.

Lee Neely

It is 2025, yet vendors are still selling "secure routers" with vulnerabilities relating to a "hard-coded credentials issue." We are well past the stage where vendors need to be held accountable for insecurities in their products.

Brian Honan

The short version is to deploy Nessus Agent 10.8.2 so your agents stay online and get their plugin feeds. Prepare for plugin resets and possible manual installation of the package. You may want to create a package that removes and installs, including registering, the agent from scratch.

Lee Neely

It just proves that even quality companies like Tenable can have a bad day. What you should measure is the transparency and effectiveness of their response; hallmarks of a well led team.

Curtis Dukes

Two ruses are afoot. Not only is the dropper disguised as (a free version of) Telegram Premium, but the source is also an App Store disguised as RuStore. FireScam has a number of capabilities, including designating itself as the primary app updater, which ensures persistence. The best mitigation is to make sure that you're only using vetted app stores. Implement security solutions which detect suspicious permission requests and app behaviors. Make sure your users are wary of apps offering a Premium service for "free."

Lee Neely

Demonstrating that one is a member of the class will cost more than the compensation. The lawyers will be the only real winners.

William Hugh Murray

The trick is really understanding how voice assistants, Siri, Alexa, Google, are operating. While they respond to the wake word, they are an open mic, waiting for their phrase, to include variants they have been trained on. Consider carefully allowing these devices unmuted in areas where sensitive conversations are conducted. Don't forget that many smart TVs/screens now include voice command capabilities, both from the remote and included microphones.

Lee Neely

As is oft said, "data is the new currency." Data can be used to train products (i.e., LLMs) or sold to others for other purposes. My guess is that everyone has experienced at least one unintended Siri activation and, but of course, our conversations are confidential.

Curtis Dukes

I always keep my phone face down to prevent Siri activation… but is it still listening?

Moses Frost

At this point Deloitte is still working to determine the full scope of the breach, and they were the ones who detected the data on the Dark Web. While Deloitte and Rhode Island work out the details and who is in charge of which aspects of the investigation and response, the advice from Governor McKee is good for all of us: implement MFA, secure/freeze & monitor your credit, implement fraud alerts and remain vigilant. One thing I'd add to the list is to make sure that you've not only enabled the anti-spam/filtering/etc. capabilities in your email and EDR systems but also review the settings regularly to make sure you're using the most current/effective options.

Lee Neely

When was the last time you looked closely at your payroll deductions? This attack added small ($100-$245) deductions using fake labels e.g., "DD Mayor" and "DD seguros," which would likely go unnoticed. It would be an interesting exercise to determine not only how difficult it would be to add such a deduction, but also how you could detect it.

Lee Neely

Not a lot of details on the attack, but it serves as a good reminder for everyone to routinely review banking and credit statements for fraudulent charges. These are often the first signs of a compromised account or identity theft.

Curtis Dukes