Newsletters

Southeast Asian organised crime groups operating cyber-enabled scam compounds are becoming more sophisticated and going global, according to a new report from the UN Office of Drugs and Crime (UNODC). This threat will need concerted and swift political action to counter it. 

We've written about the nexus of cyber-enabled scams, trafficked persons and forced labour, money laundering, and the rise of massive criminal service marketplaces since 2023. Governments are fighting back against the syndicates, so they're now expanding into new countries that lack the capacity to deal with transnational crime of this scale. Without decisive action these groups will be able to dig in and corrupt the countries they move into. 

The gangs in question run industrial-scale scam centres known as "boiler rooms" or "pig-butchering farms", typically using forced labour. This week's UN report estimates the workforce involved is "comprised of hundreds of thousands of trafficked victims and complicit individuals".

An unidentified threat actor is targeting Russian military personnel with spyware hidden in Android geo-mapping apps in what seems to be a campaign designed to spy on Russian military movements and positions.

The spyware is hidden inside legitimate versions of Alpine Quest, a mobile app used by Russian troops to coordinate operations in Ukraine.

According to Russian security firm Dr.Web, which spotted the campaign, the poisoned apps are spread via Telegram channels advertising a pirated PRO version of the app and even through some Russian Android app portals.

Hackers are abusing a little known Zoom feature to take control of their victims' computers to install malware and steal cryptocurrency.

The feature is named "Remote Control" and is part of Zoom's accessibility suite, where it was included for users with various disabilities to allow other users in the same meeting to control their PC.

Since at least this year, a cybercrime group named ELUSIVE COMET has incorporated this secret Zoom feature into their social engineering attacks and has successfully stolen millions of US dollars worth of crypto assets from their victims.

The Royal Thai Armed Forces and the Royal Thai Police ran an online harassment and doxing campaign against anti-government dissidents.

The campaign doxed victims and asked followers to report them to the police, which then happily launched investigations.

The secretive attacks came to light after Thai MP Chayaphon Satondee leaked confidential police documents online at the end of March.

Founding CISA director Chris Krebs has been forced out of a senior executive position at SentinelOne by a presidential memorandum that targeted him by name. It's an extraordinary attack on a former public servant that makes Americans less safe.

President Donald Trump's memo last week ordered a federal investigation into Krebs and revoked his security clearance. It also targeted his employer by suspending all clearances held by SentinelOne employees. Krebs was chief intelligence and public policy officer there and has been a regular guest on the Risky Business podcast. 

While anecdotally there is broad support for Krebs, most cyber security firms have not stuck their heads above the parapet this week. It's disappointing, but we understand why. Unlike the legal profession, which has also been targeted by the Trump administration, the industry has no oath tying them to uphold the Constitution and the rights of citizens. There is no vital interest that they must defend. Most organisations feel there is simply more to lose than there is to gain.

The CA/Browser Forum passed a ballot to reduce the maximum validity of TLS certificates from the current 398 days to just 47 days by 2029.

The ballot passed without opposition, with 28 votes in favor and five abstainers.

The reduction will take place across three phases between March next year and March 2029.

A Chinese cyber-espionage group named MirrorFace (aka Earth Kasha, APT10) is abusing the Windows Sandbox virtual environment to hide the execution of its malware on infected systems.

Attacks incorporating Windows Sandbox have been taking place since 2023 and represent the first known case of Windows Sandbox abuse since its release in December 2018.

As the name hints, the feature allows Windows users to start an isolated sandbox where they can temporarily install/test apps and then shut down the virtual environment without impacting the main OS and their data.

Security firms, open-source experts, and academics are warning about a new supply chain vector they're calling slopsquatting.

The technique's name is a combination of terms like AI slop and typosquatting.

It revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems.

The politically-motivated dismissal of the head of both NSA and US Cyber Command will be extremely damaging to the agencies, their relationships with allies and for US national security.

General Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Donald Trump. The NSA's civilian deputy, Wendy Noble, was also removed together with five National Security Council Staff. Per The Washington Post:

On X, Loomer claimed Trump responded to her call for the firings:

An unnamed hacker (or maybe a hacker group, who knows) has leaked internal data from Media Land, one of today's largest bulletproof web hosting providers.

The leaked files contain information on the company's past customers, what type of services they contracted, and what was hosted on the platform.

Threat intel firm Prodaft believes the attacker is the same threat actor that hacked and leaked internal chats from the BlackBasta ransomware group in mid-February.