Newsletters

A recent CISA report and a series of tweets from Equinix threat intel analyst Will Thomas made me realize that quite a few infosec and adjacent cybersecurity experts are not fully aware that paying ransoms to a rising ransomware crew named RansomHub carries quite a high risk of breaking US sanctions.

The group launched in February 2024, when it started advertising its Ransomware-as-a-Service offering in underground hacking forums.

They got incredibly lucky because, just three weeks later, law enforcement agencies across the globe dismantled LockBit, which was, at the time, the largest RaaS platform on the market.

No intro in this edition since I was traveling over the weekend.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show with Pat and Adam at the helm!

Ukraine hacks Gazprom contractors: Ukraine's military intelligence agency GUR claims to have hacked Gazstroyprom, Gazprom's main construction contractor. GUR hackers have allegedly wiped over 120 servers and more than 10,000 computers. The attack is believed to have impacted Gazprom's ability to build and maintain its oil and gas infrastructure. The hack comes as Ukraine continues to bomb Russian oil and gas infrastructure using drones. [Additional coverage in UNN]

Apple has refused to obey a UK Government order to provide access to encrypted iCloud data in the latest failure by authorities to mitigate the proliferation of 'warrant proof' encryption.

The Washington Post revealed the existence of the UK Government order, known as a Technical Capability Notice (TCN), last week: 

The TCN is designed to preserve lawful access to cloud data stored with Apple's Advanced Data Protection, which was rolled out as an opt-in service in November 2022. The service effectively locks Apple (and law enforcement) out of a user's iCloud storage by encrypting it with keys that only that user can access. 

A threat actor has compromised the AdsPower browser platform and injected malicious code that modified third-party crypto wallet extensions and stole user funds.

The breach took place on January 21 and went undetected for three days before the company removed the code and forcibly uninstalled all the targeted extensions from users' browsers.

According to SlowMist founder Yu Xian, the code worked as a backdoor that extracted mnemonic recovery phrases and private keys from the wallet extension and sent them to an attacker's server.

Reactions to the rise of Chinese AI company DeepSeek have so far focused on its economic and geopolitical implications, but the company's models will also provide Chinese cyber espionage actors with their own indigenous capabilities. 

The company made headlines in January when it released its 'R1' Large Language Model (LLM), which boasts performance comparable to the latest LLMs from US companies such as OpenAI and Anthropic. DeepSeek was able to train and run its model at a considerably lower cost than its rivals, so it charges about 95% less for API access than OpenAI or Anthropic do for comparable models.  

However, last week the Italian government banned DeepSeek from operating in the country and this week the Australian government banned DeepSeek from government devices. 

Kaspersky researchers have discovered a new crypto-stealer that has found its way into both the iOS and Android app stores.

Named SparkCat, the trojan takes photos from the phone's gallery and scans them with an OCR module to extract text that may appear in any of the images.

The malware looks for text that resembles mnemonic phrases in different languages, which may indicate the photo might be a screenshot of a cryptocurrency wallet recovery phrase.

The US government warns that Contec patient monitors contain a backdoor that collects and sends patient data to a remote Chinese IP address and can even secretly download and execute files.

The US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) published security alerts last week warning hospitals to disconnect devices from the internet.

The backdoor behavior has been confirmed in Contec CMS8000 patient monitors, but officials say the devices are often re-labeled and sold under other names, such as Epsimed MN-120.

Law enforcement agencies from Europe and the US have seized the domains of Cracked and Nulled, two of today's most popular cybercrime forums.

Authorities have seized 12 domains and made two arrests after searches at seven locations across the EU.

The US Justice Department has identified one of the Nulled admins as Lucas Sohn, 29, an Argentinian national residing in Spain.

The European Union has sanctioned three Russian military hackers for their role in cyberattacks against Estonian government agencies in 2020.

Sanctions were levied against Yuriy Denisov, Nikolay Korchagin, and Vitaly Shevchenko.

The three are officers in Unit 29155 in Russia's military intelligence service, also known as the GRU.

Anti-government hackers have defaced payment systems installed in public transport buses in Georgia's capital, Tbilisi, to play pro-European songs and slogans.

The incident took place on Friday morning as residents headed to work.

The ticket scanners and point-of-sale devices played the national anthems of Georgia and the EU, along with pro-EU speeches from local politicians: