Newsletters

Written content from the Risky Business Media team

Sandworm An Inspiration for Hostile Actors

Presented by

Tom Uren

Policy & Intelligence

Sandworm, the Russian military intelligence hacking unit, presents a cyber proliferation risk: its more sensational operations could inspire, or serve as a rough blueprint for, other actors, Google's Mandiant unit has warned.

Google's Mandiant recently released a report examining Sandworm, perhaps the world's most notorious state-sponsored group. The report is a useful primer on the most significant Russian cyber activities associated with the country's invasion of Ukraine.

Sandworm, which Mandiant has now dubbed APT44, has been around since 2009, and the US and UK governments formally attribute the group to Unit 74455 of the GRU, Russian military intelligence.

Risky Biz News: First US spyware visa ban hammer falls on 13 individuals

Presented by

Catalin Cimpanu

News Editor

The US government has imposed entry visa restrictions on 13 individuals involved in the development and sale of commercial spyware.

The visa ban applies to the 13 individuals and their immediate family members, such as spouses and children.

The State Department has not released their names. Sources have told RiskyBiz the names would not be made public due to US laws.

Risky Biz News: FTA hacking spree continues with CrushFTP zero-day

Presented by

Catalin Cimpanu

News Editor

An unidentified threat actor is exploiting a zero-day vulnerability in CrushFTP, an enterprise file-transfer software solution.

CrushFTP released a patch on Friday, hours after it learned of the attacks from the Airbus CERT team. CrowdStrike also confirmed the zero-day later in the day and described the attacks as "targeted."

The zero-day was assigned CVE-2024-4040.

Risky Biz News: Authorities take down LabHost, one of the world’s largest phishing platforms

Presented by

Catalin Cimpanu

News Editor

Law enforcement agencies from 19 countries have collaborated to take down a cybercrime service named LabHost that provided tools to easily set up and run phishing pages.

The service launched in late 2021 and was what you would call a PhaaS, or Phishing-as-a-Service platform.

For prices of $179/month and higher, it allowed threat actors to use templates and set up phishing sites imitating a legitimate service.

Corporate Freeloading Makes Open Source Vulnerable

Presented by

Tom Uren

Policy & Intelligence

The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation, which promotes JavaScript, have jointly warned that the takeover of the XZ Utils project (a likely state-backed, multi-year effort to subvert an open source project by gaining the trust of the package's maintainer) was probably not an isolated incident.

The foundations said that several 'credible takeover attempts' had been unsuccessfully launched against JavaScript-related projects.

Their post provides a list of "suspicious patterns" of behaviour that could indicate an attempted social engineering attack. The list isn't wrong, but to some degree it misses the point.

Risky Biz News: PuTTY crypto bug exposes private keys, may lead to supply chain attacks

Presented by

Catalin Cimpanu

News Editor

A team of German academics has discovered a crypto vulnerability in PuTTY, an extremely popular SSH and Telnet client for Windows users.

The vulnerability allows attackers who run malicious SSH servers to observe cryptographic signatures and recover a user's private key. This allows attackers to connect to systems where the private keys are being used for authentication.

But the vulnerability's main impact is on source code repositories if they have been managed via a client that embeds PuTTY.

Risky Biz News: Palo Alto Networks scrambles to push zero-day patch

Presented by

Catalin Cimpanu

News Editor

Palo Alto Networks has scrambled over the weekend to release a software patch for its firewall devices. The patch is intended to fix a zero-day (CVE-2024-3400) in the GlobalProtect VPN feature of PAN-OS, the firmware that runs on Palo Alto's firewalls.

Security firm Volexity discovered the attacks, which the company attributed to a group it tracks as UTA0218. Palo Alto tracks this as Operation MidnightEclipse.

Volexity described the group as a state-backed threat actor but did not link the group to any country.

Risky Biz News: Sisense breach has CISA and everyone else panicking

Presented by

Catalin Cimpanu

News Editor

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged customers of business analytics company Sisense to rotate all credentials and access tokens linked to the company's tools and services.

The agency said it was responding to a security breach discovered at Sisense by "independent security researchers."

At the time of writing, details about the hack and what exactly happened remain shrouded in mystery, but infosec peeps in the know seem to be treating it as a DEFCON 1 incident.

Norms? What Norms? Honeypots, Harassment On the Up

Presented by

Tom Uren

Policy & Intelligence

Multiple recent incidents show state actors violating what Five Eyes countries consider to be acceptable norms of online behaviour. 

Politico reports politicians, officials and journalists working in the UK parliament were subjected to honeypot-style phishing campaigns. Politico's investigation identified six men who were targeted with unsolicited WhatsApp messages.  

And further on in the article:

Risky Biz News: Multi-party approval comes to Google Workspace

Presented by

Catalin Cimpanu

News Editor

Google has added a new feature for its Workspace enterprise platform that will require multiple administrators to approve changes to an organization's sensitive settings.

The new Multi-Party Approval feature will roll out in the next two weeks and will be available to any Google Workspace customer with two or more super admin accounts.

Once enabled, all super admins will be required to approve changes made to sensitive Workspace environments, such as changing MFA settings, account recovery steps, and login and session controls. The full list of Workspace settings that will trigger a multi-party approval challenge is available below.