For more than a year, hackers from a Chinese state-backed espionage group maintained backdoor access to a popular software mapping tool by turning one of its own features into a webshell, according to new research from ReliaQuest.

In a report published Tuesday, researchers said that Flax Typhoon — a group that has been spying on entities in the U.S., Europe and Taiwan since at least 2021 — has had access for more than a year to a private ArcGIS server. To achieve and maintain that access, the group leveraged “an unusually clever attack chain” that allowed them to both blend in with normal traffic and maintain access even if the victim tried to restore their system from backups.

ArcGIS, made by Esri, is one of the most popular software programs for geospatial mapping and used widely by both private organizations and government agencies. Like many programs, however, it relies on backend servers and various other technical infrastructure to fully function.

For example, many ArcGIS users will use what is known as a Server Object Extension (SOE), which allows you to create service operations to extend the base functionality of map or image services” and implement custom code, according to ArcGIS documentation.

The attackers found a public-facing ArcGIS server connected to another private backend server used by the program to perform computations. They compromised a portal administrator account for the backend server and deployed a malicious extension, instructing the public-facing server to create a hidden directory to serve as the group’s “private workspace.” They also locked off access to others with a hardcoded key and maintained access long enough for the flaw to be included in the system’s backup files.

In doing so, the Chinese hackers effectively weaponized ArcGIS, turning it into a webshell to launch further attacks, and mostly did so using the software program’s own internal processes and functionality.

ReliaQuest researchers wrote that by structuring their requests to appear as routine system operations, they were able to evade detection tools, while the hardcoded key “prevented other attackers, or even curious admins, from tampering with its access.”

Infecting the backups, meanwhile, gave Flax Typhoon an insurance plan if their presence ultimately was discovered.

“By ensuring the compromised component was included in system backups, they turned the organization’s own recovery plan into a guaranteed method of reinfection,” ReliaQuest researchers claimed. “This tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”

This continues a consistent trend around Flax Typhoon’s behavior observed by researchers: the group’s propensity for quietly turning an organization’s own tools against itself rather than using sophisticated malware or exploits.

In 2023, Microsoft’s threat intelligence team detailed what it described as Flax Typhoon’s “distinctive” pattern of cyber-enabled espionage. The group was observed achieving long-term access to “dozens” of organizations in Taiwan “with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.”

Earlier this year, the U.S. Treasury Department placed economic sanctions on Integrity Technology Group, a Beijing company the agency says has provided technical support and infrastructure for Flax Typhoon cyberattacks, including operating a massive botnet taken down by the FBI last year.

That may be why ReliaQuest researchers emphasized that the true threat revealed by their research isn’t about Esri or any specific vendor or their product. The real worry is that most enterprise software relies on the same kind of third-party applications and extensions that Flax Typhoon exploited to hijack an ArcGIS server. The same vulnerability exists wherever an external tool needs access that can be turned against the user when compromised.

“When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset,” they wrote. “This attack is a wake-up call: Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.”

The post Flax Typhoon can turn your own software against you appeared first on CyberScoop.

When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways. 

Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year.   Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be.  

The companies had very different experiences. While Okta’s security measures thwarted any lasting damage, Zscaler wasn’t as lucky, having to deal with unauthorized access of both customer and internal company data. Same threat actor. Same timeline. Opposite outcomes.

The divergence in incidents and responses offers a rare opportunity to understand how a cybersecurity strategy works in action. CyberScoop spoke with the security leaders of both companies to learn about how the attack went down from those directly in its crosshairs, and lessons learned that could bolster defenses of their companies and others going forward.

From warning to incident

Salesloft hasn’t publicly released a comprehensive root-cause analysis into the attack, but initial results of its investigation revealed a threat group gained access to its GitHub account as far back as March. The group, which Google tracks as UNC6395, achieved lateral movement and set up workflows in the Salesloft application environment before it accessed Drift’s Amazon Web Services environment and obtained OAuth tokens used by Drift customers. 

Those tokens allowed the threat group to access and steal data from separate platforms integrated with Drift, an AI chat agent primarily used by sales teams. Google said the “widespread data theft campaign” occurred during a 10-day period in mid-August. Nearly 40 companies, including more than 20 cybersecurity vendors, have publicly disclosed they were caught up in the attack spree.

Zscaler received its first security alert from Salesforce a week after the data theft concluded, warning the security vendor that unauthorized IP addresses were using the application programming interface (API) for its Drift OAuth token. Zscaler immediately revoked the token, “even though it didn’t really matter by that point,” said Sam Curry, the company’s chief information security officer.

The damage was already done. Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

IP limitations for defense

Since Okta uses Drift, it proactively hunted for signs of compromise when threat intel experts started warning about an issue with the service. The company found a “short burst of attempts” to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes, David Bradbury, Okta’s chief security officer, told CyberScoop.

That control blocked the attack and kept Okta’s Drift integrations secure. Yet, many companies don’t take that approach because setting IP restrictions for API calls is a manual and often laborious process requiring input and support from every vendor in the supply chain. 

“If we can put our minds to these problems, we can come up with solutions so that you can implement IP restrictions in a matter of clicks, rather than in a matter of days and weeks of continuous testing, and investigation and discovery,” Bradbury said.

Okta’s investigation revealed a seemingly automated threat campaign. “They were not persistent,” Bradbury said. “The hypothesis that we have at the moment is that there was a single significant script that was engineered that hit all of these all at once and pulled down all of this information in a series of events.”

Zscaler’s compromise was particularly frustrating given the timing: the company had already stopped using Drift in July, a decision completely unrelated to security — and made before any indicators of the attack campaign came to light. 

“That OAuth token that was being used with [Drift] was still active,” Curry said. “It was due to be retired by the end of August,” he added, describing that decision as a deliberate delay to make sure the token was fully disconnected and no longer in use. 

Token theft cause remains a mystery

Salesloft hasn’t explained how the threat group accessed its GitHub account, nor how it accessed Drift’s AWS environment and ultimately obtained customers’ OAuth tokens. 

“I don’t actually know how they got the tokens out. I just know they did,” Curry said. “As for how they store it, I don’t know internally, except that they passed our security questionnaire and probably hundreds, if not thousands of others” for third-party risk management, he added. 

Okta also doesn’t know how the threat group accessed its Salesloft Drift OAuth token. That information would have to come from Salesloft, Bradbury said.

“The internet is connected by some very brittle, small pieces of information — these tokens that we constantly talk about, these combinations of letters and numbers in files that ultimately provide access to all of the applications that we use,” he said. 

“Those tokens need to be stored somewhere, and sadly there are mechanisms in place right now which doesn’t necessitate actually tying these tokens directly to something — to prevent their reuse,” Bradbury added. 

Most SaaS applications implement tokens and authentication in rather rudimentary means. “They’re doing what’s easy and what works, and what works is once you’ve granted access you’re actually storing these tokens somewhere,” he said. 

Lessons learned for collective defense

While their experiences in the wake of the Salesloft Drift attacks were quite different, Bradbury and Curry shared similar reflections and took many like-minded lessons from the third-party compromise that impacted hundreds of companies. 

“APIs are becoming a new highway of access that we need more control over, and we need better control of collectively,” Curry said. “APIs get wider in terms of what you can do with them, and you need the ability to monitor them and to put preventative controls on them to look for behavioral changes.”

Zscaler learned another lesson the hard way — the importance of limiting IP address ranges for API queries, and rotating tokens more frequently. 

“For me, this wake-up call is saying API is a new attack-and-control plane that’s far more exposed than most people realize from just a simple risk exercise,” Curry said.

“There are no small vendors in an API-connected world. It’s just like — if you think about border security — there’s no small and insignificant ports of entry,” he added. “They all use the same highway systems.”

Bradbury, who is expectedly pleased Okta wasn’t impacted by this malicious campaign, can’t help but feel frustrated because he believes there are better, more secure methods to protect unauthorized token use. The central issue in this supply-chain attack could have been avoided with Demonstrating Proof of Possession (DPoP), a mechanism that can constrain token use to a specific client and prevent the use of stolen tokens, he said. 

Once attackers steal tokens that can be reused without restriction, disastrous consequences await all, Bradbury added. 

“We need to see more SaaS vendors actually prioritizing security features on their roadmap, not just the features that will result in customer growth and revenue,” he said. 

Security leaders have an important role to play in demanding these changes from their vendors. “It’s about time that we started to use our collective ambitions to raise the bar for security to actually hold our vendors accountable,” Bradbury said. 

Curry is taking a similar forward-looking approach. “Let’s learn from one another, instead of bayoneting the wounded,” he said. 

“After the fact, in the cold light of day, we’ll all look at what happened,” Curry added. “I’m not interested in blame at this point. I’m interested in better security.”

The post Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks appeared first on CyberScoop.

GitHub will implement local publishing with mandatory 2FA, granular tokens that expire after seven days, and trusted publishing.

The post GitHub Boosting Security in Response to NPM Supply Chain Attacks  appeared first on SecurityWeek.

The packages were injected with malicious code to harvest secrets, dump them to a public repository, and make private repositories public.

The post Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit appeared first on SecurityWeek.

Designed to intercept cryptocurrency transactions, the malicious code reached 10% of cloud environments.

The post Highly Popular NPM Packages Poisoned in New Supply Chain Attack appeared first on SecurityWeek.

The Committee on Foreign Investment in the United States just published its 2024 report, revealing once again that shielding U.S. tech from risky foreign investments was a critical focus for the interagency group that reviews investments in the United States for national security risks. But as U.S.-China tensions further intensify, bolstering these reviews is even more important for national security — and getting it wrong all the more damaging.

When President Trump took office again in January, he signed an executive order “fast-tracking” investments from (unspecified) allied and partner countries — in other words, expediting their CFIUS reviews — as a way to accelerate the funding of U.S. advanced tech and other businesses. It’s an idea with some merit.

Yet, CFIUS remains plagued by procedural problems, far beyond the screening of allied investments, that impact the rigor, transparency, and ultimate efficacy of its national security reviews. These issues make a CFIUS shakeup an opportune moment to evaluate the U.S. government’s broader strategy for screening investments into U.S. technologies. Policymakers should ensure CFIUS has a more rigorous analysis of risks, a more nuanced focus on China, and greater transparency — all of which will help U.S. tech security and with competition against Beijing in the coming years.

President Ford created what is now CFIUS in 1975 through executive order, making it 50 years old this year. In subsequent administrations, president after president kept it around as a matter of executive policy, and Congress statutorily authorized the Committee in 2007. The idea was that certain non-U.S. investments in U.S. companies could potentially enable foreign adversaries — such as, at the time, the USSR — to infiltrate supply chains, steal trade secrets, or even sabotage operations. This could target anything from U.S. energy infrastructure to steel plants for tanks.

As described in my upcoming book on U.S. national security governance of technology, CFIUS had a tech focus from its earliest days, such as handling concerns in the 1980s about Japanese investments in semiconductors. But as time went on, its tech focus grew substantially. CFIUS received authorities in 2018 to evaluate how foreign investments impact sensitive U.S. data and technologies. It forced a Chinese buyer to sell the gay dating app Grindr back to U.S. owners. And it even opened a 2019, pre-ban-debate investigation into TikTok. The current Committee structure puts the Treasury Department at the helm, working with departments from State to Defense, to parse these risks and recommend whether to block, approve, undo, or put security conditions on transactions.

Today, as its newest report says, CFIUS spends a substantial amount of time looking at risks to U.S. technology. Outside of real estate transactions, which CFIUS also reviews, 53% of companies that sent a “covered notice” to CFIUS in 2024 — alerting the group in detail of a potentially relevant investment — came from the “Finances, Information, and Services” sector, up from 50% in 2023. This category includes companies in telecommunications, computing infrastructure, data processing, and professional, scientific, and technical services. 

But the Committee is even more tech-focused than the numbers suggest: companies can also submit shorter filings to CFIUS — simpler “declarations” typically intended for less risky investments — not counted in these numbers. And companies not in tech, per se, can receive CFIUS scrutiny for a tech-related issue, such as a health insurer with sensitive data taking a non-U.S. investment.

The latest report also clarifies that CFIUS is highly focused on China. Investments from China motivated more covered notices in 2024 than investments from any other country — including from other adversaries such as Iran and Russia, which counted for none. Shorter declarations, meanwhile, were led by investments from Japan, Canada, France, and the United Kingdom. (China’s domination of covered notices but not shorter declarations may suggest Chinese investors prefer providing more information to CFIUS up front to — in their minds — make the U.S. security review timeline more predictable.)

Combined, these new data points illuminate the challenges at hand in the coming years.

CFIUS has powers to look at a broad sweep of investment activities. These range from acquisitions of big American firms to influential minority stakes in Bay Area startups to transactions involving national security-critical technologies — like AI models, space communications systems, and biotech applications. 

CFIUS has a substantial focus on Chinese investments, which the intelligence community has repeatedly said create opportunities for Beijing to steal U.S. technologies. And it must screen U.S. allied and partner investments that could create risks, too (including due to, say, Chinese front companies in Japan or Russian ones in the U.K.).

Despite this broad, consequential activity, CFIUS is often described as a “black box.” Companies complain it’s difficult to understand and therefore navigate; congressional overseers have told me repeatedly in recent years that they want better insights into CFIUS’s activity on AI, chips, China, and more, including to inform decisions about whether it needs more funding. 

Unlike other tech and national security regulatory programs, CFIUS additionally appears to lack an adequately standardized framework to identify and mitigate national security risks. Methodology sounds boring. But a rigorous, standardized risk process is the difference between identifying the right risks and working to address them — and acting in good faith but getting distracted, going down rabbit holes, inflating unlikely scenarios, and pulling focus from the highest priority risks.

The new administration — or a future one — and Congress should push CFIUS toward a more standardized, rigorous risk management process. This could include a White House-led effort to better synchronize risk mitigations across CFIUS-involved agencies or creating robust frameworks for issues like investors’ access to company-held data, software source code, or technical schema.

Related, CFIUS should work to resist the ever-growing D.C. temptation to label all China-related activity “a risk,” taking a reductive view of the threat landscape. It should instead apply more nuance to areas that present minimal, mitigatable risk versus areas that present outsized risk to U.S. technologies or data (such as with the later-undone Grindr acquisition).

Lastly, more transparency into U.S. investment security reviews would help companies, the public, overseers, and national security at once. No, CFIUS should not alert the press every time a company considers a merger or funding round — that’s proprietary and should be kept that way. And it relies on classified insights within the government to assess risks, too.

But Congress can and should compel the Committee to provide greater insights into its activities than only the statistics in its annual reports. Making its generalized risk criteria a bit clearer to companies — for instance, what areas concern it most and how it thinks about mitigations for risky investments — could help lower compliance costs without tipping off U.S. adversaries with too much detail. It could help congressional overseers better ensure the interagency team is focused on the right issues, including with tech and China, and can get briefings that protect company trade secrets but provide more details about security issues and reviews.

Increasing CFIUS’s transparency is also a win for the public. As CFIUS launches investigations that impact widely used communications and other technologies — TikTok being the chief example — transparency is both vital in a democracy and helpful to inform public debate. And as competition with China intensifies, investment security reviews will prove a critical vector for protecting business innovation, securing U.S. supply chains, and bolstering long-term security.

Justin Sherman is the founder and CEO of Global Cyber Strategies, a D.C.-based research and advisory firm, and the author of “Navigating Technology and National Security.

The post The U.S. should bolster investment reviews to combat China appeared first on CyberScoop.

President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.

“If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.

Should he be confirmed for the role, Plankey is set to arrive at an agency that has had its personnel and budget slashed significantly under Trump, a topic of concern for Democratic senators including the ranking member on the panel vetting him, Gary Peters of Michigan. Peters asked how he’d handle the smaller CISA he’s inherited while still having a range of legal obligations to fulfill.

“One of the ways I’ve found most effective when you come in to lead an organization is to allow the operators to operate,” Plankey said. “If that means we have to reorganize in some form or fashion, that’s what we’ll do, I’ll lead that charge. If that means we need a different level of funding than we currently have now, then I will approach [Department of Homeland Security Secretary Kristi Noem], ask for that funding, ask for that support.”

Under questioning from Sen. Richard Blumenthal, D-Conn., about whether he believed the 2020 election was rigged or stolen, Plankey, like other past Trump nominees, avoided answering “yes” or “no.” 

At first he said he hadn’t reviewed any cybersecurity around the 2020 election. He then said, “My opinion on the election as an American private citizen probably isn’t relevant, but the Electoral College did confirm President Joe Biden.” 

Blumenthal pressed him, saying his office was supposed to be above politics, and asked what Plankey would do if Trump came to him and falsely told him the 2026 or 2028 elections were rigged. 

“That’s like a doctor who’s diagnosing someone over the television because they saw them on the news,” Plankey answered.

Chairman Rand Paul, R-Ky., rebutted Blumenthal, saying “CISA has nothing to do with the elections.” But Sen. Josh Hawley, R-Mo., later asked Plankey about CISA’s “important” role in protecting election infrastructure, and asked how he would make the line “clear” between past CISA disinformation work that Republicans have called censorship and cybersecurity protections.

Plankey answered that Trump has issued guidance on the protection of election security infrastructure like electronic voting machines, and it’s DHS’s job “to ensure that it is assessed prior to an election to make sure there are no adversarial actions or vulnerabilities in it,” something he’d focus on if Noem tasked CISA with the job.

Plankey said he would not engage in censorship — something his predecessors staunchly denied doing — because “cybersecurity is a big enough problem.” His focus would be on defending federal networks and critical infrastructure, he said. To improve federal cybersecurity, he said he favored “wholesale” revamps of federal IT rather than smaller fixes.

The Center for Democracy and Technology said after Plankey’s hearing it was concerned about how CISA would approach election security.

“CISA has refused to say what its plans are for the next election, and election officials across the country are flying blind,” said Tim Harper, senior policy analyst on elections and democracy for the group. “If CISA is abandoning them, election officials deserve to know so they can make plans to protect their cyber and physical infrastructure from nation-state hackers. Keeping them in the dark only helps bad actors.”

Plankey indicated support for the expiring State and Local Cybersecurity Grant Program, as well as the expiring 2015 Cybersecurity and Information Sharing Act, both of which are due to sunset in September.

Paul told reporters after the hearing that he planned to have a markup of a renewal of the 2015 information sharing law before the September deadline, with language added to explicitly prohibit the Cybersecurity and Infrastructure Security Agency from any censorship.

Plankey’s nomination next moves to a committee vote, following an 11-1 vote last month to advance the nomination of Sean Cairncross to become national cyber director. Plankey’s nomination would have another hurdle to overcome before a Senate floor vote, as Sen. Ron Wyden, D-Ore., has placed a hold on the Plankey pick in a bid to force the administration to release an unclassified report on U.S. phone network security.

“The Trump administration might not have been paying attention, so I’ll say it again: I will not lift my hold on Mr. Plankey’s nomination until this report is public. It’s ridiculous that CISA seems more concerned with covering up phone companies’ negligent cybersecurity than it is with protecting Americans from Chinese hackers,” Wyden said in a statement to CyberScoop. “Trump’s administration won’t act to shore up our dangerously insecure telecom system, it hasn’t gotten to the bottom of the Salt Typhoon hack, and it won’t even let Americans see an unclassified report on why it’s so important to put mandatory security rules in place for phone companies.”

The post Plankey vows to boot China from U.S. supply chain, advocate for CISA budget appeared first on CyberScoop.