---
title: "Spa Email Compromised, X Malicious Redirect, CISA China Cyber, Cybersecurity News  [March 18, 2024] | DuoCircle"
description: "Spa Email Compromised, X Malicious Redirect, CISA China Cyber, Cybersecurity News [March 18."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-13-of-2024/"
---

Quick Answer

Week ending March 18, 2024 covered: a phishing campaign hijacking the official Spa Grand Prix email account on March 17 to send fans fake €50 voucher links that redirected to a counterfeit ticket portal harvesting banking and personal data, prompting a civil claim and criminal investigation; X (Twitter) link previews showing the final URL after redirects rather than the source link, which threat actors abused to disguise trojanized apps, scams, malware, and crypto-spam channels (e.g., 'Crypto with Harry'); a joint advisory from CISA, NSA, FBI, Canada, the UK, New Zealand, and Australia on the Chinese Volt Typhoon APT and KV botnet activity targeting US OT and critical infrastructure, with logging and central-storage recommendations; a US FTC alert on rising imposter scams (average loss up to $7,000 from $3,000 in 2019), warning that the agency never directs anyone to a Bitcoin ATM, asks for verification codes, or demands gift-card or cash transfers; and Trend Micro's tracking of Chinese APT 'Earth Krahang,' which has compromised 70 organizations across 45 countries since early 2022 (48 government bodies including 10 foreign-affairs ministries) by exploiting CVE-2023-32315 and CVE-2022-21587 and dropping XDealer, RESHELL, and Cobalt Strike.

Spa Email Compromised, X Malicious Redirect, CISA China Cyber, Cybersecurity News \[March 18, 2024\]


![Cybersecurity News](https://media.mailhop.org/duocircle/images/2024/03/email-sending-services-1.jpg) 

This week, we bring you the latest in [cybersecurity](/) to help you stay a step ahead of the latest threats: the Spa Grand Prix phishing scam, the **malicious Telegram links on X** (Twitter), and the latest releases by CISA and the FTC on Chinese threats and impersonation scams. Plus, the details of the ‘Earth Krahang’ threat actor group that has compromised 70 organizations in 45 countries. Stay tuned!

## Spa Grand Prix Email Compromised, Phishing Scam Targets Fans’ Bank Details

[Threat actors hacked](https://www.securityweek.com/cloudflare-hacked-by-suspected-state-sponsored-attacker/) the official email account of the Belgian Grand Prix and launched a phishing scam against fans, promising **fake vouchers**.

The Spa Grand Prix will take place in the last week of July this year, and its tickets are sold on the official website. The organizer of the event shared a [statement](https://www.documentcloud.org/documents/24488327-communique-de-presse-spa-gp-identity-theft) saying that the **official email account was hijacked** on 17 March and that the threat actor behind the attack [sent fake emails](https://www.spiceworks.com/it-security/cyber-risk-management/news/subdomailing-campaign-spf-hijacking-ad-fraud/) to the fans. The email contained a phishing link that fans could follow to receive a €50 ($54.45) voucher.

_However, they did not receive any such voucher and were **redirected to a fake copy** of the official Spa Grand Prix portal that asked for their banking information and personal details_. The officials reacted to the situation within a few hours and sent emails asking the fans **not to click on the links** as it was a [phishing attempt](https://www.theblock.co/post/284339/email-phishing-scam-targeting-blockfi-ftx-creditors-reels-in-millions-and-counting), but an undisclosed number of fans had already been duped. 

The officials say they will **file a civil claim** and have also initiated a criminal investigation.

## Malicious Links Circling X That Redirect You Elsewhere

You may have been puzzled recently when [clicking on X links (Twitter links)](https://www.bleepingcomputer.com/news/security/crypto-scammers-abuse-twitter-feature-to-impersonate-high-profile-accounts/) took you to websites that are **different from the link** shown in the post.

_Will Dormann, a security researcher, came across the [suspicious links](/phishing-protection/a-guide-to-checking-the-legitimacy-of-a-url/) and [shared](https://twitter.com/wdormann/status/1769946620479562100) how clicking on them takes you to other websites._ He **shared an example**: a link shown as “forbes.com” instead took him to a Telegram account called “**Crypto with Harry**,” a channel that shared bad crypto advice.

So why has this been happening? [External link previews](https://www.gadgets360.com/apps/news/x-elon-musk-twitter-headline-in-link-preview-return-report-4792704) usually show the first website a link takes you to. X does the opposite: for a **link on X, it tries to determine the final website** that the link redirects to and shows that in the post.

When a request for the link arrives, the server behind it checks the [HTTP (Hyper Text Transfer Protocol)](https://www.geeksforgeeks.org/http-full-form/) headers sent with the request. If the request comes from a web browser, the link **redirects to the Telegram account**, but if it comes from a bot or an automated tool, it leads to the authentic forbes.com article. This is how threat actors behind such links trick users by **displaying deceptive links** that ultimately lead them to malicious or unexpected websites.

[![social phishing](https://media.mailhop.org/duocircle/images/2024/03/SMTP-server-mail.jpg)](https://media.mailhop.org/duocircle/images/2024/03/SMTP-server-mail.jpg)

Threat actors have been using this trick to lead users to [trojanized applications](https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/), phishing pages, and scams, and even to push malware, so it’s best to avoid such links if you’re **using X on mobile**. On a PC, **hover the cursor over them** and check the browser’s status bar.
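The header-dependent redirect described above can be detected by resolving the same link under two client profiles and comparing where each one lands. The Python below is an added example, not code from the original article or from X; the User-Agent strings, the `.example` URLs and the `sample_fetch` stand-in for a real HTTP client are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed client profiles. Assumption: the redirector keys on User-Agent.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36"
BOT_UA = "ExamplePreviewBot/1.0"
PROFILES = {"browser": BROWSER_UA, "preview_bot": BOT_UA}

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses: (url, user_agent or None) -> (status, Location).
# A key with None applies to every client.
SAMPLE_RESPONSES = {
    ("https://short.example/abc", BROWSER_UA): (302, "https://chat.example/crypto-channel"),
    ("https://short.example/abc", BOT_UA): (302, "https://news.example/r"),
    ("https://news.example/r", None): (301, "/article"),  # relative Location
    ("https://short.example/ok", None): (301, "https://news.example/article"),
}


def sample_fetch(url, user_agent):
    """Stand-in for one HTTP request made with redirects disabled."""
    for key in ((url, user_agent), (url, None)):
        if key in SAMPLE_RESPONSES:
            return SAMPLE_RESPONSES[key]
    return (200, None)  # anything else is treated as a final page


def resolve(url, user_agent, fetch, max_hops=10):
    """Follow redirects hop by hop and return the full chain of URLs."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        next_url = urljoin(chain[-1], location)  # handles relative targets
        if next_url in chain:  # redirect loop, stop here
            break
        chain.append(next_url)
    return chain


def final_host(chain):
    return (urlsplit(chain[-1]).hostname or "").lower()


def check_link(url, fetch=sample_fetch):
    """Flag a link whose final host depends on which client asks for it."""
    hosts = {name: final_host(resolve(url, ua, fetch))
             for name, ua in PROFILES.items()}
    # Comparing hosts only: a site that sends browsers to a mobile
    # subdomain would also differ, so treat a hit as a lead to review.
    return {"url": url, "final_hosts": hosts,
            "cloaked": len(set(hosts.values())) > 1}


if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://short.example/ok"):
        print(check_link(link))
```

To run this against live links, replace `sample_fetch` with a function that issues a single request with the given User-Agent and automatic redirects turned off, returning the status code and `Location` header.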

## CISA Offers Guidance on Protecting Critical Infrastructure from Chinese Cyber Threats

This week, CISA, the NSA, and the FBI warned critical infrastructure leaders and shared tactics for **protecting systems** against the [Chinese Volt Typhoon threat actor group](https://telecom.economictimes.indiatimes.com/news/internet/all-about-volt-typhoon-the-chinese-hacking-group/107358723).

_Multiple US government agencies and cybersecurity agencies from Canada, the UK, New Zealand, and Australia shared the report with **defense tips** against Volt Typhoon attacks._ The threat actor group has targets and tactics that are different from typical ones, hinting that their goal is to steal [OT (Operational Technology)](https://en.wikipedia.org/wiki/Operational%5Ftechnology) and disrupt **critical infrastructure**.

The document shares guidance and tips for cybersecurity teams, including proper logging of access and security events, with the logs stored in central systems. It is also best to check the logs that IT teams maintain, as they reveal the **commands used by the threat actors** and may help in detecting system compromise. You can find the details in the report [here](https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c.pdf).

The Chinese threat actors have also deployed their [KV botnets](https://thehackernews.com/2023/12/new-kv-botnet-targeting-cisco-draytek.html) across offices in the US to **evade detection**. 

## FTC Alert: Con Artists Posing as Agency Staff to Defraud Consumers

The **CISA report** was not the only thing that the government shared this week; another one was the US FTC’s (Federal Trade Commission) warning about [threat actors impersonating](https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks/) its employees. 

The FTC has been getting reports from consumers who fell victim to scams in which threat actors **posed as FTC personnel** via email, text messages, and phone calls to trick them and steal their funds. The average amount lost to these [FTC impersonation scams](https://www.autoremarketing.com/subprime/ftc-sees-swell-of-fraudsters-impersonating-agency-officials/) has reached $7,000 this year, a massive increase from the $3,000 observed in 2019.

The agency shared guidelines that can help you stay safe, saying the FTC will never “send consumers to a [Bitcoin ATM](https://www.bankrate.com/banking/what-are-bitcoin-atms/#what-are-they), tell them to go buy gold bars, or demand they withdraw cash and take it to someone in person.” The basics are **never to share verification codes**, not to move money under the guise of “protecting it,” **never to answer calls** from scammers who call about a [suspicious Amazon purchase](https://www.indiatoday.in/technology/news/story/pune-professor-places-multiple-orders-on-amazon-ends-up-losing-rs-21-lakh-in-scam-2445259-2023-10-06) or activity in your account, and never to talk to someone who asks you to go to a Bitcoin ATM. All of these signals mean **you’re the target of a scam** artist.

They also shared information on **identifying government imposters** and reporting such individuals. You can read about all the guidelines shared by the FTC on their [website](https://consumer.ftc.gov/features/how-avoid-imposter-scams). 

## Chinese ‘Earth Krahang’ Group Targets 70 Organizations in 45 Nations

Earth Krahang is a [Chinese APT (Advanced Persistent Threat) group](https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/) that has breached nearly 70 organizations and targeted another **116 in 35 different countries**. 

The gang is being monitored by Trend Micro, which [highlighted](https://www.trendmicro.com/en%5Fus/research/24/c/earth-krahang.html) the campaign that started at the **beginning of 2022**. The threat actors have successfully compromised 48 government enterprises, 10 of which are Foreign Affairs ministries. They use **open-source tools** to identify vulnerabilities ([CVE-2023-32315](https://nvd.nist.gov/vuln/detail/CVE-2023-32315) and [CVE-2022-21587](https://nvd.nist.gov/vuln/detail/CVE-2022-21587)) in public-facing servers. Then, they **exploit the flaws** to gain unauthorized access and also use spear-phishing to lure the victims into opening malicious links and attachments.

Once they establish a network presence, the threat actors misuse organizational infrastructure to host malicious payloads and target other accounts via [spear phishing](/email-security/spear-phishing-takes-advantage-of-your-employees-trust/). The **emails drop backdoors** on victim systems, spreading their presence. They also build VPN (Virtual Private Network) servers to move laterally within these networks and deploy multiple [malware](/data-privacy/new-zero-click-hack-with-stealthy-root-privilege-malware-targets-ios-users/) families such as XDealer, RESHELL, and Cobalt Strike for data exfiltration.

The report shows that the [threat actor group](https://thehackernews.com/2024/03/china-linked-group-breaches-networks.html) might have ties with Earth Lusca since they both share the same C2 (Command and Control) structure. However, it is also possible that they just share the tools and have **different encryption keys**.

[![phishing protection](https://media.mailhop.org/duocircle/images/2024/03/smtp-service-6841.jpg)](https://media.mailhop.org/duocircle/images/2024/03/smtp-service-6841.jpg)

Every day, phishing tactics and techniques are **advancing to new heights**. It’s essential to implement effective [phishing protection](/email/phishing-protection) solutions and conduct [phishing awareness training](/phishing-awareness-training) programs to stay ahead of the threat actors.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

