
US Supreme Court backs TikTok law, WazirX freezes $3m in USDT, and other cybersecurity developments
We gathered the week’s most important cybersecurity news.
- Crypto exchange WazirX froze $3 million in stolen funds.
- The US Supreme Court upheld a law that could ban TikTok.
- Bugs in tunnelling protocols were deemed a threat to 4.2 million internet hosts.
- A Google OAuth vulnerability exposed access to abandoned accounts.
Crypto exchange WazirX freezes $3 million in stolen funds
Indian cryptocurrency exchange WazirX traced and froze $3 million in USDT from funds stolen in a July 2024 hack, Decrypt reports.
The asset freeze comes amid an ongoing restructuring and restitution effort. The exchange plans to resume trading by February.
In a joint statement, the US, Japan and South Korea blamed North Korea’s Lazarus Group for the breach. Earlier, Elliptic analysts pointed to North Korea.
US Supreme Court upholds law enabling possible TikTok ban
TikTok failed to persuade the US Supreme Court to block a law that could ban the app in the country if Chinese owner ByteDance remains in control, CNN reports.
The House of Representatives passed the bill in spring 2024. Authorities deemed TikTok a national-security risk over potential transfers of Americans’ data to the Chinese government.
The law takes effect on January 19, but it does not mandate an immediate shutdown. ByteDance can still sell the app to a buyer that is not controlled by a foreign adversary, and President-elect Donald Trump can also grant a 90-day extension.
Meanwhile in the EU, privacy-rights nonprofit None of Your Business filed six complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi over unlawful transfers of Europeans’ data to China and violations of the GDPR. The complaints were submitted to authorities in Greece, Italy, Belgium, the Netherlands and Austria.
Tunnelling-protocol bugs threaten 4.2 million internet hosts
More than 4.2 million internet hosts, including VPN servers and private home routers, are exposed to compromise due to vulnerabilities in tunnelling protocols IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4. The findings were presented by researchers at KU Leuven in Belgium together with Top10VPN.
Affected hosts accept tunnelled packets from any source without verifying the sender, so an attacker can inject traffic through them: the hosts can be abused as one-way proxies for anonymous attacks, for DoS and DNS spoofing, and to reach internal networks and IoT devices behind them.
Most potential victims are concentrated in China, France, India, Australia, the US and Russia.
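The fix the researchers' finding implies is to decapsulate tunnelled packets only from configured peers. The following is an added example, not code from the KU Leuven/Top10VPN research: it parses the outer IPv4 header of a raw packet, recognises the IPv4-carried tunnel protocols from the report (IPIP is protocol 4, 6in4 is 41, GRE is 47), and drops tunnel packets whose outer source is not an allow-listed peer. The packets and the peer list are constructed test data; a real deployment would enforce the same rule in the host firewall.

```python
"""Screen tunnelled packets by outer source address (added example).

IPIP (proto 4), 6in4 (proto 41) and GRE (proto 47) all ride inside a plain
IPv4 header, so the outer source is the only thing a host can check before
decapsulating. 4in6 and IP6IP6 have an IPv6 outer header and are not handled
here. All packets below are constructed.
"""
from __future__ import annotations

import ipaddress
import struct

# IPv4 protocol numbers for the tunnel protocols covered by the report.
TUNNEL_PROTOCOLS = {4: "IPIP", 41: "6in4", 47: "GRE"}
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def parse_ipv4_header(packet: bytes) -> dict:
    """Return proto, src, dst and header length from the outer IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    first, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HDR, packet[:20]
    )
    version, ihl = first >> 4, (first & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ihl": ihl,
    }


def classify_tunnel_packet(packet: bytes, allowed_peers: set[str]) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: pass (not a tunnel), accept, drop."""
    outer = parse_ipv4_header(packet)
    name = TUNNEL_PROTOCOLS.get(outer["proto"])
    if name is None:
        return "pass", f"proto {outer['proto']} is not a tunnel protocol"
    if outer["src"] not in allowed_peers:
        # This is the misconfiguration from the report: without this check the
        # host would decapsulate and forward whatever the inner packet says.
        return "drop", f"{name} from unverified source {outer['src']}"
    detail = f"{name} from configured peer {outer['src']}"
    if name == "IPIP":
        # Show what would be forwarded: an attacker abusing the host as a
        # one-way proxy chooses the inner src/dst freely.
        inner = parse_ipv4_header(packet[outer["ihl"]:])
        detail += f", inner {inner['src']} -> {inner['dst']}"
    return "accept", detail


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (checksum left zero; irrelevant for the check)."""
    header = struct.pack(
        IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


if __name__ == "__main__":
    peers = {"198.51.100.7"}  # constructed: the one legitimate tunnel endpoint
    samples = [
        build_ipv4(4, "198.51.100.7", "203.0.113.10", build_ipv4(6, "10.0.0.1", "10.0.1.1")),
        build_ipv4(47, "192.0.2.66", "203.0.113.10"),          # GRE from a stranger
        build_ipv4(4, "192.0.2.66", "203.0.113.10", build_ipv4(17, "203.0.113.10", "192.0.2.1")),
        build_ipv4(6, "192.0.2.66", "203.0.113.10"),           # ordinary TCP, not a tunnel
    ]
    for pkt in samples:
        print(classify_tunnel_packet(pkt, peers))
```

The third sample is the proxy abuse pattern: an outsider wraps a packet whose inner source is the victim host itself, so anything the host forwards appears to originate from it. Only the outer-source check stops that, since the inner header is entirely attacker-controlled.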
Configs for 15,000 FortiGate devices leaked on the dark web
A new hacker group, Belsen Group, published FortiGate firewall configurations for more than 15,000 unique devices. Cybersecurity expert Kevin Beaumont flagged the release.
The 1.6GB archive is organised by country and IP address. It contains VPN credentials with passwords, some stored in clear text, as well as FortiGate configurations with private keys and firewall rules.
The data appears to date from exploitation of a 2022 zero-day, but it still exposes a large volume of sensitive information about the affected organisations' network defences.
Separately, Fortinet reported that a recently disclosed firewall vulnerability is being actively exploited to breach corporate networks. Organisations are advised to disable management access on public-facing interfaces.
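A quick way to act on that advice across a fleet is to audit the exported configurations. The following is an added example, not a Fortinet tool: a minimal parser for the `config system interface` section of a FortiOS configuration that flags interfaces with `role wan` whose `allowaccess` still lists management services (HTTPS, HTTP, SSH, Telnet, SNMP, FGFM), and emits the corrected `set allowaccess` lines. The sample configuration is constructed.

```python
"""Audit a FortiGate configuration for management access on WAN interfaces.

Added example. Parses the `config system interface` block of a FortiOS config
(the `config ... / edit "name" / set key values / next / end` structure) and
reports WAN-role interfaces that still expose management services.
SAMPLE_CONFIG is constructed and deliberately contains one bad interface.
"""
from __future__ import annotations

MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.252
        set allowaccess ping
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""


def parse_interfaces(config_text: str) -> dict[str, dict[str, list[str]]]:
    """Return {interface name: {setting: values}} for the top-level interface block."""
    interfaces: dict[str, dict[str, list[str]]] = {}
    in_section, depth, current = False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_section:
            if line == "config system interface":
                in_section, depth = True, 1
            continue
        if line.startswith("config "):          # nested block such as `config ipv6`
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_section = False
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and line.startswith("set "):
            parts = line.split()
            interfaces[current][parts[1]] = [p.strip('"') for p in parts[2:]]
    return interfaces


def audit_management_exposure(config_text: str) -> list[tuple[str, list[str]]]:
    """List (interface, exposed management services) for WAN-role interfaces."""
    findings = []
    for name, attrs in parse_interfaces(config_text).items():
        if attrs.get("role", [""])[0] != "wan":
            continue
        exposed = set(attrs.get("allowaccess", [])) & MGMT_SERVICES
        if exposed:
            findings.append((name, sorted(exposed)))
    return findings


def remediation(config_text: str) -> list[str]:
    """FortiOS CLI lines that keep non-management services and drop the rest."""
    interfaces = parse_interfaces(config_text)
    lines = []
    for name, _exposed in audit_management_exposure(config_text):
        keep = [s for s in interfaces[name].get("allowaccess", []) if s not in MGMT_SERVICES]
        lines += ["config system interface", f'    edit "{name}"',
                  f"        set allowaccess {' '.join(keep)}".rstrip(),
                  "    next", "end"]
    return lines


if __name__ == "__main__":
    for iface, services in audit_management_exposure(SAMPLE_CONFIG):
        print(f"{iface}: management services exposed on WAN: {', '.join(services)}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

If a management service genuinely must be reachable from the WAN, the alternative to removing it is a `config firewall local-in-policy` entry restricting it to known source addresses; this checker only reports the exposure, it does not judge such exceptions.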
Biden signs order to bolster US cybersecurity
US President Joe Biden signed an executive order to strengthen the country’s cybersecurity, streamlining sanctions against hacking groups targeting federal agencies and critical infrastructure.
The order also foresees acceptance of digital IDs to combat cybercrime and fraud, the use of AI, and additional investment to harden internal systems.
Days earlier, the OFAC imposed sanctions on North Korean front companies Korea Osong Shipping Co and Chonsurim Trading Corporation, as well as their presidents Chong In Chol and Son Kyong Sik, for revenue from illicit remote IT work schemes. The list also included:
- the Chinese company Liaoning China Trade, which supplied electronic equipment to Department 53 of North Korea’s Ministry of National Defense;
- hacker Yin Kechen, linked to the Salt Typhoon group, and Chinese cybersecurity firm Sichuan Juxinhe Network Technology Co.
Chinese PlugX backdoor removed from thousands of US computers
The FBI removed the Chinese PlugX malware from 4,258 computers and networks across the country. It has been used for cyber-espionage and remote access since at least 2008.
Initially, several hacker groups used PlugX to target government, defence, technology and political organisations in Asia, before spreading it worldwide.
The malware offers extensive capabilities, including system reconnaissance, file upload/download, keylogging and command execution.
Google OAuth flaw opened access to abandoned accounts
Truffle Security CEO Dylan Ayrey found that if attackers purchase a domain previously owned by a startup, Google’s OAuth login can be used to recreate the email accounts of former employees.
Today we are announcing a new OAuth bug that affects millions of accounts
TLDR: Google's OAuth login doesn't protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees
Full blog: https://t.co/PqIe6Gqkn9
— Truffle Security (@trufflesec) January 13, 2025
The recreated identities do not give new owners access to past messages on communications platforms, but they do allow sign-ins to services such as Slack, Notion, Zoom, ChatGPT and various HR tools.
According to Ayrey, Google's sign-in does issue a unique, persistent per-user identifier (the `sub` claim) that survives changes of domain ownership or email address, but the affected services identify users by email address and hosted domain instead, which a new domain owner can reproduce.
He first reported the flaw to Google on September 30, 2024. As of January 14, 2025, it remained unpatched.
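The difference between the two ways of binding a Google sign-in to a local account is the whole bug. The following is an added example, not Truffle Security's or Google's code: it models the verified ID-token claims an OpenID Connect relying party receives from Google as plain dicts (constructed; a real relying party must first verify the JWT signature, `iss`, `aud` and `exp`) and shows that matching on `email` plus `hd` lets the new domain owner land in the former employee's account, while matching on `sub` does not. The directory, user names and `sub` values are made up.

```python
"""Binding a Google login to a local account: fragile vs robust (added example).

`email` and `hd` (hosted domain) in a Google ID token reflect whoever controls
the domain today; `sub` is Google's identifier for the underlying account.
All claims and directory contents below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    hd: str
    google_sub: str
    documents: list[str] = field(default_factory=list)


# Claims as they arrive after signature/iss/aud/exp verification (constructed).
ORIGINAL_EMPLOYEE = {
    "sub": "100000000000000000001",
    "email": "alice@failedstartup.example",
    "email_verified": True,
    "hd": "failedstartup.example",
}
# Same address, recreated in a fresh Workspace by whoever bought the domain.
# Google assigns it a different sub, because it is a different account.
DOMAIN_BUYER = {
    "sub": "100000000000000000999",
    "email": "alice@failedstartup.example",
    "email_verified": True,
    "hd": "failedstartup.example",
}


def build_directory() -> dict[str, Account]:
    """Constructed SaaS user directory provisioned while the startup was alive."""
    return {
        "alice": Account("alice", "alice@failedstartup.example", "failedstartup.example",
                         ORIGINAL_EMPLOYEE["sub"], ["board-deck.pdf", "payroll.csv"]),
    }


def login_by_email(directory: dict[str, Account], claims: dict) -> Account | None:
    """Fragile binding: verified email within the expected hosted domain.

    Anyone who controls the domain can mint a token with these exact values.
    """
    if not claims.get("email_verified"):
        return None
    for acct in directory.values():
        if acct.email.lower() == claims["email"].lower() and acct.hd == claims.get("hd"):
            return acct
    return None


def login_by_sub(directory: dict[str, Account], claims: dict) -> Account | None:
    """Robust binding: Google's per-account identifier, stored at provisioning."""
    for acct in directory.values():
        if acct.google_sub == claims["sub"]:
            return acct
    return None


def login_hardened(directory: dict[str, Account], claims: dict) -> Account | None:
    """Use sub as the key; treat a known email with an unknown sub as a new,
    empty identity rather than silently reattaching the old one."""
    acct = login_by_sub(directory, claims)
    if acct is None and login_by_email(directory, claims) is not None:
        # Same address, different Google account: do not reuse the old record.
        return None
    return acct


if __name__ == "__main__":
    directory = build_directory()
    for label, claims in (("original employee", ORIGINAL_EMPLOYEE), ("domain buyer", DOMAIN_BUYER)):
        by_email = login_by_email(directory, claims)
        by_sub = login_hardened(directory, claims)
        print(f"{label}: by email -> {by_email.user_id if by_email else None}, "
              f"by sub -> {by_sub.user_id if by_sub else None}")
```

Keying on `sub` only helps if the identity provider keeps it stable; if it ever changed, the failure would be a locked-out legitimate user rather than an outsider admitted into someone else's account, which is the safer direction to fail. The same logic applies to any service that uses "log in with Google" to gate access to data created by people who no longer work there.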
Also on ForkLog:
- Apple disabled AI notification summaries after fakes.
- A crypto-project founder sued the US Attorney General.
- A lawsuit will be filed against Pump.fun on behalf of investors who lost “significant sums”.
- Malware attacks via Telegram grew by 2,000% in two months.
- Cryptocurrencies worth $40.9bn were involved in illicit activity.
- US authorities will return to Bitfinex the stolen 94,643 BTC.
- Prosecutors sought up to 10 years in prison for Bitmama.
- The fraudulent online market Huione Guarantee’s turnover exceeded $24bn.
- Sony’s Soneium project was accused of blocking “undesirable” assets.
- Russia opened a case over illegal crypto exchange via the Rapidpay payment system.
- Hackers stole 143 ETH via a transaction simulation.
- New York’s Attorney General will issue NFTs for crypto fraudsters.
- Data of 7 million OpenSea users was posted online.
- The Litecoin X account promoted a fake memecoin.
- Wolf Capital’s head pleaded guilty to a $9.4m crypto scam.
What to read this weekend?
A round-up of cybercriminal schemes to watch in 2025.