Newsletters

Written content from the Risky Business Media team

Risky Bulletin: Russia arrests Meduza Stealer group

Presented by

Catalin Cimpanu

News Editor

Russian authorities have arrested three individuals believed to have created and sold the Meduza infostealer.

The suspects were arrested this week in the Moscow metropolitan area, according to Russia's Interior Ministry. A video from the raids is available on the Ministry's media portal.

The Ministry's spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region.

Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia

Presented by

Tom Uren

Policy & Intelligence

The former general manager of a US defence contractor, Peter Williams, has pleaded guilty to selling "eight sensitive and protected cyber-exploit components" to Russian 0day broker Operation Zero*.

The broker claims to buy exploits from developers and resell them to non-NATO buyers, including the Russian government.

Williams, an Australian national, was previously employed by Australia's signals intelligence agency ASD, from around 2007 to the mid-2010s. He later joined Linchpin Labs, which was acquired alongside Azimuth Security to form what eventually became L3Harris Trenchant, the vulnerability and exploit development subsidiary of L3Harris. By the time of his arrest, Williams had become the general manager there.

Risky Bulletin: HackingTeam successor linked to recent Chrome zero-days

Presented by

Catalin Cimpanu

News Editor

The company that formed from the remnants of Italian spyware vendor HackingTeam is now allegedly involved in hacking all sorts of private and public sector targets in Belarus and Russia.

Memento Labs has targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations.

The company operates a spyware platform named Dante, through which it deploys infrastructure, exploits, and its final payload—the LeetAgent implant/agent.

Risky Bulletin: Russian bill would require researchers to report bugs to the FSB

Presented by

Catalin Cimpanu

News Editor

Russian lawmakers are working on a new bill that would require security researchers, security firms, and other white-hat hackers to report all vulnerabilities to the state, in a law that's similar in spirit to a law already in effect in China since 2021.

The bill is currently being discussed among lawmakers, and no official draft is available. It is part of Russia's efforts to regulate its white-hat ecosystem, a process officials began back in 2022.

All previous efforts failed, with the most recent one being knocked down in the Duma in July on the grounds that it did not take into account the special circumstances and needs of reporting bugs in government and critical infrastructure networks.

Risky Bulletin: iOS 26 change deletes clues of old spyware infections

Presented by

Catalin Cimpanu

News Editor

Apple's latest mobile operating system update, iOS 26, has made a change to a crucial log file that stores evidence of past spyware infections.

According to iPhone forensics and investigations firm iVerify, Apple is now rewriting the shutdown.log file after every device reboot, instead of appending new data at the end.

This removes the older entries that hold indicators of compromise for spyware families such as NSO's Pegasus and Intellexa's Predator, so a device that is only examined after a later reboot may no longer show any trace of the earlier infection.
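The practical consequence of the rewrite is that investigators need to archive shutdown.log on every examination and merge the copies themselves, rather than relying on the file to accumulate history. The following script is an added example, not iVerify's or Apple's code: it groups the log into per-shutdown records, merges an older archived copy with a freshly pulled one without losing the older records, and flags processes that were still alive at shutdown but live outside the directories Apple's own daemons normally run from or match a caller-supplied IoC path. The line format (an "After Xs, there were N clients" header followed by indented "remaining client pid: PID (PATH)" lines) is an approximation of what public sysdiagnose samples look like, and both sample logs and the IoC prefix are constructed for illustration.

```python
"""Preserve and triage iOS shutdown.log across reboots (added example)."""
import re
from typing import Dict, List

# Line shapes assumed from public shutdown.log samples; this is an
# approximation for the example, not an Apple specification:
#   After 1.2s, there were 2 clients
#           remaining client pid: 123 (/usr/sbin/foo)
HEADER_RE = re.compile(r"^After ([\d.]+)s, there were (\d+) clients\s*$")
CLIENT_RE = re.compile(r"^\s*remaining client pid:\s*(\d+)\s*\((.+)\)\s*$")

# Directories Apple's own daemons normally run from. Anything else that was
# still alive at shutdown deserves a second look (it is not proof of malware).
EXPECTED_PREFIXES = ("/usr/", "/System/", "/Applications/", "/Library/", "/sbin/", "/bin/")


def split_records(text: str) -> List[List[str]]:
    """Group a shutdown.log into per-shutdown records, each starting at an
    'After ... clients' header. Lines before the first header are dropped."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            records.append([line.rstrip()])
        elif records and line.strip():
            records[-1].append(line.rstrip())
    return records


def merge_logs(archived: str, current: str) -> str:
    """Return the archived records plus every record in the current copy that
    is not already archived, so a rewrite-on-reboot cannot erase older
    evidence. Records are compared as full text; an identical repeat is
    kept once."""
    seen = set()
    merged: List[List[str]] = []
    for rec in split_records(archived) + split_records(current):
        key = "\n".join(rec)
        if key not in seen:
            seen.add(key)
            merged.append(rec)
    return "\n".join("\n".join(rec) for rec in merged) + ("\n" if merged else "")


def remaining_clients(text: str) -> List[Dict[str, str]]:
    """Every process that was still running at a shutdown, with its pid."""
    out: List[Dict[str, str]] = []
    for rec in split_records(text):
        for line in rec[1:]:
            m = CLIENT_RE.match(line)
            if m:
                out.append({"pid": m.group(1), "path": m.group(2)})
    return out


def suspicious_clients(text: str, ioc_paths=()) -> List[Dict[str, str]]:
    """Flag remaining clients that match a supplied IoC path prefix or that
    live outside the directories in EXPECTED_PREFIXES."""
    flagged: List[Dict[str, str]] = []
    for client in remaining_clients(text):
        path = client["path"]
        if any(path.startswith(p) for p in ioc_paths) or not path.startswith(EXPECTED_PREFIXES):
            flagged.append(client)
    return flagged


# Constructed sample logs, not taken from a real device. The older copy holds
# a shutdown where a process under /private/var/tmp (a hypothetical location
# used only for this example) was still running; the newer copy, as rewritten
# by iOS 26, only has the most recent shutdown.
ARCHIVED_LOG = """After 0.5s, there were 2 clients
\tremaining client pid: 120 (/usr/libexec/sampled)
\tremaining client pid: 4242 (/private/var/tmp/loaderd)
After 0.8s, there were 0 clients
"""
CURRENT_LOG = """After 0.3s, there were 1 clients
\tremaining client pid: 131 (/usr/sbin/sampled)
"""

if __name__ == "__main__":
    merged = merge_logs(ARCHIVED_LOG, CURRENT_LOG)
    print(merged)
    for c in suspicious_clients(merged, ioc_paths=("/private/var/tmp/",)):
        print("review:", c["pid"], c["path"])
```

Run the merge against the archived copy every time a fresh sysdiagnose is pulled; because the merge is idempotent, re-running it on an already merged file changes nothing, while a rewritten shutdown.log adds only the new shutdown record.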

America's Private Sector Is Hacking for Godot

Presented by

Tom Uren

Policy & Intelligence

The US government must develop a strategy to more effectively use its private sector to scale up offensive cyber activities, according to a new report from Dartmouth's Institute for Security, Technology and Society.

The authors convened 30 experts from government, industry and academia to analyse the current state of play in "offensive cyber" and make recommendations. "Offensive cyber" was defined very broadly as pretty much anything including tool development, acquiring access, espionage and even disruptive or destructive operations. 

The report assumes that US policymakers want both a higher operational tempo of cyber operations and to more effectively take advantage of the country's private sector.  

Risky Bulletin: Clever worm hits the DevOps scene

Presented by

Catalin Cimpanu

News Editor

Security researchers have spotted a second self-propagating worm that hit the DevOps space within the span of a month. The new threat is named GlassWorm and primarily targets the VS Code extensions space.

It is the second such threat after the Shai-Hulud worm that hit the npm JavaScript package repo in mid-September.

GlassWorm was spotted by Koi Security. It was first seen on the unofficial OpenVSX marketplace for VS Code extensions, but later spread to the official Microsoft VS Code store as well.

Risky Bulletin: Prisoner hacks prison IT system, goes wild!

Presented by

Catalin Cimpanu

News Editor

A convict at a Romanian prison has hacked the country's prisoner management platform in a security breach that has rocked Romania's penitentiary agency.

The incident took place in August and continued through October.

From various reports in Romanian media and a statement released by the national penitentiary police union, the incident appears to have originated in the city of Dej, in Romania's Transylvania region, at a prison hospital complex where prisoners are sent for medical treatment before returning to their regular jails to finish their sentences.

Risky Bulletin: F5 says an APT stole source code, vulnerability reports

Presented by

Catalin Cimpanu

News Editor

F5 (formerly F5 Networks), one of the largest US tech companies and a member of the S&P 500, has disclosed a security breach this week, in an incident that is in contention for the year's biggest hack award.

Details about the breach have been in flux since it was disclosed, so we put together a list with all we know happened so far.


Small Beer Surveillance Firms Escape Crackdown, For Now

Presented by

Tom Uren

Policy & Intelligence

A recent investigation into a Jakarta-based company shows there are still companies willing to offer unethical surveillance-as-a-service, even as crackdowns on high-profile spyware have really hurt big players.

A collaborative media investigation kicked off by Lighthouse Reports looked at First Wap, a company that began as a mobile phone messaging service in 1999. The company soon pivoted to phone tracking after being asked by an unnamed law enforcement agency to support its counterterrorism efforts. 

First Wap's surveillance product Altamides, short for Advanced Location Tracking and Deception System, exploits vulnerabilities in Signalling System 7 (SS7) to locate phones and even redirect text messages or phone calls. Because it exploits vulnerabilities in phone network protocols, Altamides does not require the deployment of malware to target devices.