It’s Wednesday! Undergoing a mid-week slump? Just remember that you’ve conquered two Wednesdays thus far and that there are only 51 left in the year (not that we’re counting…).
In today’s edition:
Pirate’s booty
New close, who dis?
File of filth
—Billy Hurley, Brianna Monsanto, Patrick Lucas Austin
CYBERSECURITY
Threat actors, pirate-style, are trying to bury the Treasury.
In a letter to lawmakers on Dec. 30, a US Treasury official said the department believes China-based state-sponsored threat actors remotely accessed workstations and unclassified documents from the institution. The reported way in—a compromised security key of a third-party tool—provides instructive security examples across industry, according to pros who spoke with IT Brew.
“If the US Treasury Department, via one of its third-party vendors, can’t shore up its own defenses, I think that just goes to highlight how challenging it is for organizations through the whole range of sizes, from SMEs through to global multinational corporations,” Ian Birdsey, partner and cyber and data protection disputes specialist at global law firm Clyde & Co, told IT Brew. “I think there is very much a lesson for everyone to take away here, that this is a case of when, not if.”
Third-party time. The December letter shared that a threat actor used a stolen key from identity-management vendor BeyondTrust “to override the service’s security, remotely access certain Treasury [departmental office] user workstations, and access certain unclassified documents maintained by those users.”
Read the rest here.—BH
IT OPERATIONS
New reports show that most companies that disclosed a cyber incident to the SEC last year were tight-lipped when it came to specific details.
It has been a little more than a year since the SEC’s controversial cybersecurity incident disclosure rule went into effect. The rule, which requires public companies to disclose a cybersecurity incident to the SEC within four days after it is deemed material, was intended to boost disclosure consistency and transparency among investors. However, while more companies disclosed cyber incidents after the rule was enforced, the details provided in the filings were limited.
Living in a not-so material world. According to a 2024 Paul Hastings report that examined 75 disclosures from 48 public companies between December 2023 and October 2024, there was a 60% uptick in the number of cyber incidents disclosed after the SEC’s cyber disclosure rule was enforced. However, fewer than 10% of the disclosed incidents had a description of the material impact of the incident. Michelle A. Reed, a lead author of the report and co-chair of Paul Hastings’ data privacy and cybersecurity practice, told IT Brew that the findings reflect companies’ concerns around SEC enforcement related to failing to disclose given the “squishiness” around materiality.
Keep reading here.—BM
CYBERSECURITY
Security researchers are exposing corruption, and the abuse of trust is happening at the highest levels of email attachment.
IT pros have seen threat actors cleverly corrupting documents so they sneak past email security gateways. What happens next? The application recovers the document and its malicious contents.
Analysts from malware-analyzing service ANY.RUN shared research in December 2024 demonstrating how attackers are able to deliberately change the structure of archives and Office documents.
“The attackers corrupt files only to a certain point, so that they still can be recovered by their native applications (e.g., WinRAR for .zip and Word for .docx). When a user opens a corrupted file with its native application, such as Microsoft Word, the application’s recovery features repair the file, revealing the hidden malicious content,” Stas Gaivoronskii, ANY.RUN malware analyst, wrote in an email to IT Brew.
ANY.RUN shared attack details (and a demo of how the tactic works with a Word doc).
- Manipulating document components, attackers create corrupted files that are then successfully put back together again, Humpty Dumpty-style, by the application.
- A targeted user opens the attachment and clicks “Yes” on the built-in recovery option.
- The method works, according to ANY.RUN, for a “simple” reason: Most antimalware tools do not have the recovery functionality found in apps like Word, which prevents some detectors from accurately identifying the type of corrupted file.
- ANY.RUN shared one example of a recovered file featuring a “View Document” phishing link.
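A defender-side triage check for the pattern described above, added here as an example and not code from ANY.RUN or IT Brew: it flags attachments that a strict ZIP parser rejects but whose local file headers a repair routine could still walk. The damage simulated in the sample (a stripped central directory plus leading junk bytes) and the names `triage`, `salvage_names` and `build_samples` are assumptions for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # ZIP local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # ZIP central directory entry signature


def salvage_names(data: bytes) -> list[str]:
    """Walk raw local file headers, roughly as a repair routine would."""
    names, pos = [], data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed local header is 30 bytes; file name length sits at offset 26.
        (name_len,) = struct.unpack_from("<H", data, pos + 26)
        raw = data[pos + 30 : pos + 30 + name_len]
        names.append(raw.decode("utf-8", "replace"))
        pos = data.find(LOCAL_SIG, pos + 4)
    return names


def triage(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, member names) for one attachment's bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "parses-cleanly", zf.namelist()
    except zipfile.BadZipFile:
        # Strict parsing failed. If member headers are still present, the
        # file is the kind a native app may repair: route it to quarantine
        # or sandbox instead of passing it as an unknown type.
        names = salvage_names(data)
        return ("recoverable-corrupt" if names else "unrecognized"), names


def build_samples() -> tuple[bytes, bytes]:
    """Constructed, benign samples: a minimal .docx-like ZIP and a damaged copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    good = buf.getvalue()
    # Assumed damage: drop the central directory and prepend junk bytes.
    damaged = b"\x00" * 16 + good[: good.find(CENTRAL_SIG)]
    return good, damaged


if __name__ == "__main__":
    for label, blob in zip(("good", "damaged"), build_samples()):
        print(label, triage(blob))
```

A `recoverable-corrupt` verdict on a file whose salvaged names include `word/document.xml` is a reasonable trigger for detonating the attachment in a sandbox that opens it with the native application.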
Chris Campbell, senior VP, CISO, and head of technology at Bitsight, sees the tactic as an advancement of earlier evasion tactics like detecting virtual machines, attaching payloads that begin idle and execute later, and password-protecting a file.
Read more here.—BH
PATCH NOTES
Today’s top IT reads.
Stat: 44%. That’s how many global public policy professionals feel that AI companies aren’t taking data security and privacy seriously. (CIO Dive)
Quote: "Collectively, we know Americans are afraid." —Anne Neuberger, deputy national security adviser for cyber and emerging technologies, on the need for the newly rolled out US Cyber Trust Mark program, a cybersecurity labeling program intended to help inform consumers on the security of the smart devices they purchase (CNET)
Read: A futuristic magic salty spoon? An app that can save the day when the TV remote goes missing? A compact all-in-one fitness solution for that pesky New Year’s resolution? These are just the tip of the iceberg of tech showcased at CES this year. (the Washington Post)
Copyright © 2025 Morning Brew Inc. All rights reserved. 22 W 19th St, 4th Floor, New York, NY 10011