Newsletters

Written content from the Risky Business Media team

Risky Bulletin: Secret ransomware campaign targeted DrayTek routers for a year

Presented by

Catalin Cimpanu

News Editor

Threat actors have secretly abused a suspected zero-day in DrayTek routers since August of last year to hack devices, steal passwords, and then deploy ransomware on connected networks.

According to a joint report from Forescout and PRODAFT, the attacks were carried out by a threat actor known as Monstrous Mantis—believed to be linked to the Ragnar Locker ransomware group.

The attacker used the zero-day to extract and crack the passwords of DrayTek Vigor routers and then hand out the credentials to selected collaborators.

Risky Bulletin: Germany's BSI sinkholes BADBOX malware traffic

Presented by

Catalin Cimpanu

News Editor

Germany's cybersecurity agency has sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group.

The malware was first spotted in October of last year by Human Security, a company specializing in detecting advertising fraud.

The BADBOX group assembled a botnet of over 280,000 systems by hiding its malware in malicious Android and iOS apps and inside the firmware of Android TV streaming boxes.

FCC to Demand Telcos Improve Security

Presented by

Tom Uren

Policy & Intelligence

The US government and lawmakers are scrambling to deal with the ongoing compromise of US telecommunications companies by a Chinese espionage group dubbed Salt Typhoon. 

In the US, the campaign has compromised at least eight telecommunications companies and been ongoing for a year or more. The Cyber Safety Review Board examination of the incident has kicked off, but we already know the rough shape of what has happened. 

At some US telcos, the hackers were able to penetrate the portals used to submit court orders for interception requests, letting them see what phone numbers were being tasked. 

Risky Biz News: Improperly patched Cleo bug exploited in the wild

Presented by

Catalin Cimpanu

News Editor

The Termite ransomware group is believed to be behind a wave of attacks exploiting an improperly patched vulnerability in Cleo file transfer products.

The attacks started on December 3 and have compromised at least ten organizations, according to security firm Huntress Labs.

The Termite group is exploiting a bug initially patched at the end of October that impacts Cleo file-transfer products such as Harmony, LexiCom, and VLTrader.

Risky Biz News: Greece is close to burying its Predatorgate scandal

Presented by

Catalin Cimpanu

News Editor

More than two years after it was caught spying on journalists and political rivals, the Greek government is still working to bury the investigation into what is now known as the Predatorgate scandal.

The incident, which rocked the Greek political scene, came to light in July 2022 when a security team of the European Parliament found traces of the Predator spyware on the phone of Nikos Androulakis, a Member of the European Parliament (MEP) and the president of Greece's second-largest opposition party (PASOK).

The surveillance operation was ordered by the ruling government, was conducted by the Greek national intelligence service, the EYP, and allegedly cost €7 million.

Risky Biz News: Declassified documents reveal Russia's election info-ops in Romania

Presented by

Catalin Cimpanu

News Editor

Romania's national security council (CSAT) has declassified two documents this week that reveal a coordinated propaganda campaign that boosted an obscure far-right and pro-Kremlin candidate into the country's first round of presidential elections.

The campaign, which mostly took place via TikTok, took Calin Georgescu from an unknown candidate polling around 1% a month before the vote to the winner of the first round of the presidential election, where he accounted for almost a quarter of all votes.

The documents did not formally attribute the operation, but in a subsequent statement this week, the US State Department said what every Romanian politician and ordinary citizen already knew and had been saying: that this was Russia.

How Hack and Leak Shapes Public Policy

Presented by

Tom Uren

Policy & Intelligence

The 2016 US presidential race raised awareness of the role of hack-and-leak operations in election interference, but there is a far longer history of these operations affecting public policy.

This week, Reuters reported that a consultancy working for Exxon Mobil was being investigated by the FBI over its alleged role in a hack-and-leak operation targeting environmental activists.

This is the latest instalment in Chris Bing and Raphael Satter's long-running Reuters investigation into the rise of the hack-for-hire industry and how it has been used to influence legal battles. Per Reuters:

Risky Biz News: Poland arrests former spy chief in Pegasus scandal

Presented by

Catalin Cimpanu

News Editor

The Polish government has detained its former spy chief and forcibly brought him to testify before a parliamentary hearing on the former government's use of the Pegasus spyware.

Piotr Pogonowski led Poland's internal security agency, the ABW, from 2016 to 2020.

Under his watch, the agency bought and used the NSO Group's Pegasus spyware to spy on opposition leaders, journalists, and prosecutors investigating government corruption.

Risky Biz News: Russia arrests WazaWaka

Presented by

Catalin Cimpanu

News Editor

Russian authorities have arrested Mikhail Matveev, a high-profile ransomware affiliate known by the hacker handle WazaWaka.

Matveev's arrest was mentioned in a court case filed in Russia's Kaliningrad exclave, Russian state news agency RIA Novosti reported on Friday.

He was detained and charged with creating malware. The criminal case specifically mentions that WazaWaka wrote new ransomware in January this year.

Risky Biz News: Tor Project has "urgent need" for 200 new bridges to avoid Russian censorship

Presented by

Catalin Cimpanu

News Editor

The Tor Project says it urgently needs at least 200 new bridges by the end of December to ensure Russian users can continue accessing the Tor network.

The project says it specifically needs bridges that run the WebTunnel protocol, which disguises connections to the Tor network as mundane web browsing activity.

WebTunnel bridges are harder to detect and censor compared to normal Tor bridges.