Newsletters

A suspected Iranian APT group has conducted a wide-ranging password spray attack against the Microsoft 365 accounts of governments and private sector organizations across the Middle East.

While password spraying campaigns are a dime a dozen, this one stood out to Check Point researchers because it targeted Israeli and UAE municipalities that were hit by Iranian drone and missile strikes.

The campaign started in early March, just as Iran began mustering its comeback after initial US and Israeli strikes that killed Iranian leader Ali Khamenei and tens of high-ranking government, military,  and intelligence officials in late February.

Apple has added a secret security feature to macOS to warn users about possible ClickFix attacks.

The feature was silently added to macOS 26.4, released last week.

It works by showing a popup on the screen whenever a user tries to copy-paste commands from a browser into the Terminal window.

NOTE: This newsletter was (initially) sent to Seriously Risky Business subscribers instead of Risky Bulletin subscribers by accident. If you are receiving this newsletter for a second time, that's why. Sorry!

The Russian government is working on a law that would require all mobile operators to use a custom domestically-developed encryption algorithm for the country's 5G mobile network.

If the bill passes, all phones sold in Russia going forward will have to support the NEA-7 algorithm or they will not be able to connect to Russian mobile networks.

In a Senate hearing last week FBI director Kash Patel said the Bureau is buying data that can be used to track Americans. The risk that the federal government could abuse purchased data was previously theoretical, but now feels more immediate. Lawmakers should act to protect Americans' civil liberties.  

When specifically asked about buying location data, Patel said the Bureau purchases information, "that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us". 

We have seen US local law enforcement agencies using this kind of data to track people, but this is new for the FBI. In 2023, the Bureau's Director at the time, Christopher Wray, said it had once used commercial location data in a national security pilot program but had no further plans to use it. 

The CEO of a major spyware vendor says he is being scapegoated by the Greek government and is willing to testify and spill the beans on their illegal surveillance operations.

Intellexa CEO Tal Dillian is pissed out of his mind after a Greek court sentenced him, his wife, and two executives to more than 126 years in prison last month on generic charges of "violating the confidentiality of telephone communications."

The sentence is related to a major Greek political scandal known in Greece as Predatorgate, which this newsletter first covered back in December 2024.

GitHub is slowly becoming a very dangerous website as more and more threat actors are starting to use it to host and distribute malware disguised as legitimate software repositories.

What started as an infrequent sighting in early 2024 is now at the center of an increasing number of infosec and malware reports.

The tactic is usually the same. A threat actor would take a legitimate repository, add malware to the files—typically an infostealer or a remote access trojan— and then upload the boobytrapped repo back on GitHub.

Amazon Web Services has rolled out a new security feature last week that will help customers prevent a type of attack known as S3 Bucket Namesquatting, or Bucketsquatting.

The attack was first described by cloud engineer Ian Mckay in 2019. It happens when an attacker abuses the predictable naming conventions in AWS bucket names to register buckets that have expired or have been deleted by their original owners.

If traffic still flows to the old buckets, this allows attackers to collect data from internal networks or public-facing apps, leading to serious security incidents.

Aside from one disruptive attack, Iran's cyber retaliation against US and Israeli strikes has been largely missing in action. But there are reasons to believe in the longer term the war will result in an enduring increase in Iran's capacity and appetite for cyber mayhem.

Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the US bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organisations.

Although the Stryker attack looks like it is causing serious disruption at the target company itself, trouble at just a single organisation won't trouble senior US policymakers. 

The European Union on Monday imposed sanctions on three hacking groups and two individuals for cyberattacks on its member states.

Sanctions were imposed on Iranian cyber contractor Emennet Pasargad for its hack of French satirical magazine Charlie Hebdo, the 2024 Paris Olympic Games, and a Swedish SMS service.

This is the same group that also meddled in the 2020 US Presidential Election and was later sanctioned three times by the US as well, in 2021, and September and December 2024.

Meta's security team has suspended thousands of accounts last year that were tied to Mexican and other Latin American drug cartels.

The Facebook and Instagram accounts were used to recruit youth for drug trafficking and drug dealing, to advertise drugs, and to organize violence and extortion operations.

Meta says it used AI to detect the coded language typically used by cartels and also to identify photos of drugs posted on its platforms. Human reviewers also confirmed the findings before accounts were removed.