Newsletters

New numbers released at the end of last week suggest that US NIST is unlikely to make any significant progress in addressing a backlog of unprocessed vulnerabilities at the National Vulnerability Database (NVD).

The backlog began in February when NIST analysts slowed down the rate at which they were processing and enriching NVD entries, releasing many CVEs with little to no information about the nature of the security flaw, severity scores, and fixed or vulnerable software versions.

The slowdown had a major impact on the vulnerability management section of the cybersecurity community, which was relying on these entries to help inform customers about which bugs to patch first.

The Secure Boot system on more than 800 motherboard models across 10 different vendors is basically useless now after an extremely sensitive cryptographic key was accidentally leaked online last year.

The key was leaked via a now-removed GitHub repository in 2023 and discovered earlier this year by firmware security firm Binarly.

It allegedly came from an (unnamed) Original Device Manufacturer (ODM), which in turn received it from American Megatrends International (AMI), a company known for developing BIOS/UEFI products.

A team of Chinese academics has discovered a new type of DNS attack that impacts almost a quarter of all open DNS resolvers running on the internet.

Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.

Academics say they can use a quick succession of malformed packets to poison a DNS resolver's cache, cause a denial of service, or increase a server's resource consumption.

An eye-opening report describes a cyber crime supply chain with connections to Chinese organised crime, illegal online gambling, money laundering, human trafficking and even sponsorships with European sports teams.

Infoblox, the security firm that authored the report, said this supply chain was controlled by a single actor it calls Vigorish Viper. The main purpose of the enterprise was to facilitate illegal online gambling for residents of what the report calls 'Greater China'. (This term isn't defined in the report, but from our reading of it we think it includes mainland China, Hong Kong, and Macau, but not Taiwan).  

Infoblox said the supply chain was organised into multiple entities performing different functions to "shield the operators from scrutiny and legal consequences". In OPSEC terms, Vigorish Viper compartmentalises its operations so the disruption of any single entity (such as a money launderer, hosting provider or payment service) by law enforcement action does not cripple the entire operation. 

In January this year, Russian hackers used a novel piece of ICS malware to cut the heating and hot water to over 600 apartment buildings in the city of Lviv, Ukraine.

The incident is believed to have impacted apartment blocks in Lviv's Sykhiv residential area. More than 100,000 people are believed to have been left without heating for almost two days as one of the city's heating providers, Lvivteploenergo, restored service.

The attack used a malware strain named FrostyGoop, according to a report released by industrial security firm Dragos this week.

Around 8.5 million Windows systems went down on Friday in one of the worst IT outages in history.

The incident was caused by a faulty configuration update to the CrowdStrike Falcon security software that caused Windows computers to crash with a Blue Screen of Death (BSOD).

Since CrowdStrike Falcon is an enterprise-centric EDR, the incident caused crucial IT systems to go down in all the places you don't usually want them to go out.

Russian authorities have allegedly arrested a member of the Trickbot cybercrime gang in Moscow this week.

According to a report from Russian news channel Baza, authorities have detained a 37-year-old man named Fedor Andreev on the morning of July 15 in a house in South Moscow.

Andreev was allegedly detained based on an Interpol red notice issued by Germany in May.

Western cyber security agencies are co-authoring reports with an increasing number of overseas agencies into Chinese cyber activity. And China doesn't seem to like it. 

The Australian Signals Directorate last week issued an advisory co-authored with German, Korean and Japanese intelligence, cyber security and law enforcement agencies, as well as the standard Five Eyes agencies that regularly contribute to advisories.

The advisory documented two successful compromises of Australian organisations and resulting investigations by the Australian Cyber Security Centre (ACSC). 

A Russian cybercrime group named Konfety has orchestrated a massive ad fraud operation that found and utilized a novel way to disguise its malicious apps and ad traffic.

The group's operations were discovered by researchers from HUMAN Security, a company specialized in detecting bot attacks and advertising fraud.

HUMAN says the Konfety group operates out of Russia and poses as an ad network company behind an advertising SDK named CaramelAds.

At least four cryptocurrency platforms hosting their domains on Squarespace have been hit by DNS hijacks over the past week.

The Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains reported losing control over their official websites on Thursday and Friday last week.

The hijackers pointed the domains to malicious servers hosting wallet-draining phishing kits.