Newsletters

Written content from the Risky Business Media team

Srsly Risky Biz: Google's Cyber Disruption Unit Kicks Its First Goal

Presented by

Tom Uren

Policy & Intelligence

Google's announcement last week that it had disrupted the world's largest residential proxy network, IPIDEA, was welcome news. These networks are key enablers of cybercrime, and Google's action will make a significant dent in the residential proxy ecosystem. 

Residential proxy networks sell the ability to route traffic through home and business IP addresses so attackers can evade IP blocklists. Traffic in these networks is routed through everything from compromised smart devices to home users' computers. Sometimes the home users actually opt in to joining these networks, willingly installing the enabling software to earn "passive income" from their spare bandwidth. Most of the time, however, device owners are unaware. The proxy functionality is pre-loaded on devices or inadvertently installed via malware or trojanised software.

When it comes to IPIDEA, one way it acquired proxies was to pay developers to embed its software into applications via malicious SDKs. These applications would then proxy traffic for IPIDEA in addition to carrying out their main function, typically without the knowledge or consent of end users. 

Risky Bulletin: Plone CMS stops supply-chain attack

Presented by

Catalin Cimpanu

News Editor

Plone, a Python-based content management system, has avoided a supply chain attack at the start of this year.

A threat actor inserted malicious code into five of the organization's repositories, but the modifications were spotted before they made it into any official release.

The incident was traced back to a single developer's account.

Risky Bulletin: StopICE blames hack on "a CBP agent here in SoCal"

Presented by

Catalin Cimpanu

News Editor

StopICE, an app that lets Americans track the location of US Immigration and Customs Enforcement (ICE) raids, has played down a recent security breach and claims to have linked the hack to "a personal server associated with a CBP agent here in SoCal."

Administrators said this wasn't the first time the same agent tried to hack or disrupt their systems.

The latest incident took place on Friday when users started receiving SMS alerts warning them to uninstall the app.

Risky Bulletin: eScan antivirus distributes backdoor in latest supply chain attack

Presented by

Catalin Cimpanu

News Editor

Cybersecurity firm MicroWorld Technologies, the maker of the eScan antivirus, has fallen victim to a cyberattack after an unidentified threat actor breached its software update infrastructure and deployed malware to customer environments.

The incident took place last week, on January 20, and only lasted for about an hour, according to reports from rival security firms Morphisec and Kaspersky, both of which spotted the malware being delivered to customer systems.

The final payload in the attack was a new backdoor hidden in the Reload.exe file that modified the eScan configuration to disable future updates and established a scheduled task for persistence on the infected host.

Srsly Risky Biz: Punish the Wicked, Reward the Righteous

Presented by

Tom Uren

Policy & Intelligence

The Pall Mall Process, an international effort to rein in abusive commercial spyware, is turning its efforts toward developing opt-in industry standards.

These kinds of voluntary, non-binding standards are all well and good, but relatively useless without strong government action.

CyberScoop has a good wrap of issues raised at a Chatham House discussion about the process in Washington DC last weekend. The topics included who the rules would apply to, plus "how to incentivize and measure compliance and what to do with companies with a chequered past". 

Risky Bulletin: Cyberattack cripples cars across Russia

Presented by

Catalin Cimpanu

News Editor

A cyberattack wreaked havoc across Russia on Monday after the servers of the Delta smart alarm system went down.

Per reports in local media, car owners using Delta's alarm system couldn't unlock cars or stop active alarms. In some cases, owners couldn't start engines or their engines jammed while driving.

The company confirmed the incident but did not provide other details besides calling it a "large-scale external attack."

Risky Bulletin: EU readies new anti-spyware group, but with even fewer powers than PEGA

Presented by

Catalin Cimpanu

News Editor

The European Parliament has set up a new internal group tasked with investigating the use of spyware across the EU member bloc.

The new intergroup was set up last week in the aftermath of the Paragon spying scandal in Italy by Sandro Ruotolo, an Italian journalist and current member of the European Parliament for the Group of the Progressive Alliance of Socialists and Democrats.

According to WIRED Italy, Ruotolo will be joined by three other MEPs.

Risky Bulletin: Improperly patched bug exploited again in Fortinet firewalls

Presented by

Catalin Cimpanu

News Editor

Threat actors have mounted a new wave of attacks against Fortinet's FortiGate firewalls using a vulnerability that was improperly patched last month.

Security firm Arctic Wolf says hackers are bypassing Single Sign-On (SSO) authentication using generic usernames, creating their own admin account for future access, and stealing the device's current configuration file.

Since the attacks were first reported online, Fortinet has confirmed in private emails to some customers that the attackers have found a new way to exploit CVE-2025-59718.

Srsly Risky Biz: You Can't Block Space Internet

Presented by

Tom Uren

Policy & Intelligence

Amid ongoing domestic unrest and a violent government crackdown in Iran, the country's government imposed an internet blackout. This shutdown, which began on Thursday, January 8, is still in effect at the time of writing.

During the shutdown some Iranians have been using SpaceX's Starlink satellite service to connect with the outside world. According to the New York Times, this didn't happen by chance. It was the result of deliberate planning:

Compared to domestic ISPs that the Iranian government can force to stop internet access, blocking Starlink is much more difficult. So far the government’s measures have included warnings to the public that possessing Starlink systems is a crime, using drones to find and confiscate terminals, and electronic jamming, possibly using Russian-provided equipment. In addition to jamming the frequencies Starlink operates on, GPS spoofers degrade the service, as terminals rely on accurate location information to direct their antennas correctly. The efforts have proven partly effective.

Risky Bulletin: Domain resurrection attacks come to Canonical's Snap Store

Presented by

Catalin Cimpanu

News Editor

A threat actor is registering expired web domains in order to take over email servers, reset passwords on abandoned developer accounts, and publish malware on the Canonical Snap Store for Linux packages.

At least two developer accounts have been hijacked using this technique, also known as a domain resurrection attack, namely for Snap packages published using email addresses from storewise.tech and vagueentertainment.com.

According to Linux expert and former Canonical developer Alan Pope, the threat actor behind this campaign is a group he believes is located in Croatia.