Full Report
For the latest discoveries in cyber research for the week of 6th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Check Point elaborated on the US Treasury Department cyber-attack that compromised employee workstations and classified documents. The breach, attributed to a China state-sponsored threat actor, involved unauthorized remote access using a security […]

The post 6th January – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Global Intelligence Summary (Week of Jan 6)
## Executive Summary
This summary aggregates multiple high-profile incidents occurring during the week of January 6th, involving state-sponsored attacks against the US Treasury, widespread DDoS attacks against Japanese infrastructure (NTT Docomo), and a significant data breach at a UK photography company (DEphoto). Attack vectors ranged from exploiting critical vulnerabilities in third-party remote access software to large-scale infrastructure disruption via DDoS and sophisticated software supply chain compromises against web extensions and CRM providers.
## Incident Details
- **Discovery Date:** Varied (Intelligence reported week of Jan 6)
- **Incident Date:** Varied
- **Affected Organization:** US Treasury Department, NTT Docomo, DEphoto, various French municipalities, Atos (alleged), ReutOne customers.
- **Sector:** Government, Telecommunications, Photography/E-commerce, Tech/Software, Municipal Services.
- **Geography:** US, Japan, UK, France, Israel.
## Timeline of Events
### Initial Access
- **Date/Time:** Varied
- **Vector:** Exploitation of critical vulnerabilities in BeyondTrust remote support software (CVE-2024-12356, CVE-2024-12686).
- **Details:** A China state-sponsored actor gained unauthorized remote access to US Treasury Department employee workstations.
### Lateral Movement
- **Details:** (Specific lateral movement details are not fully detailed for the Treasury breach, only the initial access via the vendor tool is confirmed.)
### Data Exfiltration/Impact
- **US Treasury:** Compromise of employee workstations and classified documents.
- **DEphoto:** Exfiltration of personal information of over 500,000 customers, including over 15,000 records containing full payment card information.
- **NTT Docomo:** 12 hours of disruption to services including news, video streaming, mobile payments, and webmail via DDoS.
- **French Cities:** DDoS attacks affecting 23 municipal websites, causing temporary outages.
### Detection & Response
- **Detection:** Detection varied across incidents. In the case of the US Treasury, compromise was likely discovered via internal auditing or anomaly detection stemming from the BeyondTrust exploitation.
- **Response Actions:** Not fully detailed for all incidents, but DEphoto began notifying affected customers of the data leak.
## Attack Methodology
*Note: This section synthesizes methodologies across the reported incidents, as not all incidents provided full kill-chain details.*
| Stage | Method/Technique Summary | Associated Incident(s) |
| :--- | :--- | :--- |
| **Initial Access** | Exploitation of unpatched vulnerabilities (CVE-2024-12356, CVE-2024-12686) in third-party software (BeyondTrust). Supply chain injection via malicious software updates in CRM provider (ReutOne). | US Treasury, ReutOne / Handala |
| **Persistence** | Hijacking and replacing legitimate Chrome browser extensions with malicious versions by compromising developer credentials. | Chrome Extension Campaign |
| **Lateral Movement** | *(Data not explicitly detailed for primary incidents)* | - |
| **Data Exfiltration** | Direct access and theft of customer payment card information and PII (DEphoto). Data collection via malicious updates (ReutOne). | DEphoto, ReutOne / Handala |
| **Impact** | Distributed Denial of Service (DDoS) causing service outages. Ransomware claims (dismissed in the case of Atos). | NTT Docomo, French Municipalities, Atos (alleged) |
## Impact Assessment
- **Financial:** Potential costs associated with breach notification, regulatory fines, and remediation for DEphoto. Unknown operational costs for NTT Docomo and French cities.
- **Data Breach:** Full unredacted payment card data (15,000+ records) and PII (500,000+ records) stolen from DEphoto. Compromise of classified documents at the US Treasury. Personal data exfiltrated from ReutOne customers (Israel, France, Ukraine).
- **Operational:** 12-hour disruption to critical services for Japan's largest mobile carrier (NTT Docomo). Temporary website outages for 23 French municipality sites.
- **Reputational:** Significant negative impact for DEphoto announcing the loss of payment data, and potential damage to confidence in the US Treasury's security posture.
## Indicators of Compromise
*Note: Specific IoCs for the reported incidents were not provided in a defanged format, and general IoCs for related malware families are outside the scope of this summary, so none are listed here.*
## Response Actions
- **Containment:** (Specific actions not detailed for most primary incidents.)
- **Eradication:** (Not detailed.)
- **Recovery:** NTT Docomo worked to restore services over 12 hours. DEphoto began customer notification procedures.
## Lessons Learned
1. **Third-Party Risk Management (TPRM):** Exploitation through a third-party vendor (BeyondTrust) highlights the critical importance of vendor security posture validation, especially for tools that grant remote access.
2. **Software Supply Chain Integrity:** Compromise of widely used applications (Chrome extensions) and B2B service providers (ReutOne) remains a potent vector for wide impact.
3. **DDoS Resilience:** Critical service providers must maintain robust DDoS protection to ensure continuity of core services.
## Recommendations
1. **Strict Vulnerability Patch Management:** Prioritize patching systems exposed through remote access tools immediately after a vendor advisory, especially when the advisory concerns a critical CVE such as those in the BeyondTrust software.
2. **Payment Data Segmentation:** Encrypt and segment payment data storage so that full cardholder data is never stored unredacted; this limits the impact of exfiltration events like the one at DEphoto.
3. **Supply Chain Monitoring:** Implement controls to monitor updates and integrity checks for critical, widely deployed software components (e.g., browser extensions, developer tools).
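As an added example (not code from Check Point Research or from the report), the following Python script implements the kind of integrity check recommended in item 3 for browser extensions: it hashes every file under Chrome's per-profile `Extensions/<id>/<version>/` directory and diffs two snapshots, so a newly appearing version, an unexpected extension id, or a file changed in place within an existing version is flagged. The extension ids and file contents are constructed placeholders built in a temporary directory so the script runs offline.

```python
# Added example: snapshot and diff the on-disk contents of installed Chrome
# extensions. Chrome stores unpacked extensions under
# <profile>/Extensions/<extension-id>/<version>/; ids below are placeholders.
import hashlib
import json
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def snapshot(ext_root: Path) -> dict:
    """Build {extension_id: {version: {file: digest}}} for an Extensions dir."""
    snap = {}
    for ext_dir in sorted(d for d in ext_root.iterdir() if d.is_dir()):
        snap[ext_dir.name] = {v.name: hash_tree(v)
                              for v in sorted(ext_dir.iterdir()) if v.is_dir()}
    return snap

def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (kind, extension_id, version) findings that merit review."""
    findings = []
    for ext_id, versions in current.items():
        if ext_id not in baseline:
            findings.append(("new_extension", ext_id, None))
            continue
        for ver, files in versions.items():
            if ver not in baseline[ext_id]:
                findings.append(("new_version", ext_id, ver))
            elif files != baseline[ext_id][ver]:   # same version dir, different bytes
                findings.append(("modified_in_place", ext_id, ver))
    return findings

def write(root: Path, rel: str, text: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo() -> list:
    """Constructed tree: take a baseline, simulate suspicious changes, diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        write(root, "extalpha_placeholder/1.2.0/manifest.json", json.dumps({"version": "1.2.0"}))
        write(root, "extalpha_placeholder/1.2.0/background.js", "console.log('ok');")
        write(root, "extbeta_placeholder/3.0.1/manifest.json", json.dumps({"version": "3.0.1"}))
        baseline = snapshot(root)
        # Simulated changes: a new version of alpha, beta's existing version edited in
        # place (manifest gains a permission), and an extension id never seen before.
        write(root, "extalpha_placeholder/1.3.0/manifest.json", json.dumps({"version": "1.3.0"}))
        write(root, "extbeta_placeholder/3.0.1/manifest.json",
              json.dumps({"version": "3.0.1", "permissions": ["cookies"]}))
        write(root, "extgamma_placeholder/0.1/manifest.json", "{}")
        return diff_snapshots(baseline, snapshot(root))
```

A new version directory is normal after an auto-update, so that finding is triage input to compare against the version currently published in the Web Store; a version modified in place or an unexpected extension id warrants closer review.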