Newsletters

Written content from the Risky Business Media team

Risky Biz News: AU, UK, US sanction Russian behind Medibank ransomware attack

Presented by

Catalin Cimpanu

News Editor

Australia, the UK, and the US have sanctioned a Russian national for his role in a ransomware attack on Australian private insurance provider Medibank in October 2022.

Identified as Alexander Ermakov, he is believed to be connected to the REvil ransomware operation, where he allegedly operated under pseudonyms such as GustaveDore, JimJones, Blade_Runner, and aiiis_ermak. Ermakov is believed to be 33 and a resident of Moscow.

Officials say Ermakov was a "pivotal" and "key actor" in REvil's attack on Medibank, considered one of Australia's worst cybersecurity incidents.

Risky Biz News: SVR hackers breach Microsoft, steal emails from the security team

Presented by

Catalin Cimpanu

News Editor

Russian state-sponsored hackers have breached Microsoft's internal network and have stolen emails from the company's senior leadership, legal, and cybersecurity teams.

The intrusion began in late November of 2023 and lasted until January 13, when Microsoft kicked the hackers off its network.

The Redmond-based giant attributed the attack to Midnight Blizzard, one of the cyber units inside Russia's Foreign Intelligence Service (SVR).

Risky Biz News: Congress considers making CSRB permanent and more independent and transparent

Presented by

Catalin Cimpanu

News Editor

Following a hearing of the Senate Homeland Security and Governmental Affairs Committee, US lawmakers said they're considering legislation that would make the DHS Cyber Safety Review Board (CSRB) a permanent organization in the US cybersecurity space.

Established in May 2021 through a White House executive order, the CSRB was set up as an analog to the TSA's National Transportation Safety Board (NTSB).

It was established in the aftermath of the SolarWinds supply chain attack as an independent board tasked with investigating cybersecurity-related incidents that affect the US government and issuing recommendations to improve security measures across both the US public and private sectors.

PRC: Not Stealthy, Just Annoying

Presented by

Tom Uren

Policy & Intelligence

Cyber espionage groups likely based in China are not only using living-off-the-land techniques to operate stealthily, they are also adopting techniques that make post-discovery eviction more difficult.

Two separate campaigns reported in recent weeks illustrate the different techniques actors believed to be associated with the PRC are using. In one campaign, a group that had been operating slowly and discreetly switched to large-scale device exploitation and used various persistence mechanisms to 'dig in' once it was discovered.

In the second campaign, the actor concerned used compromised end-of-life devices in a botnet to relay command and control communications.

Risky Biz News: Cybercrime crew infects 172,000 smart TVs and set-top boxes

Presented by

Catalin Cimpanu

News Editor

A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

Risky Biz News: Chinese APT hacks 30% of Cisco RV320/325 routers

Presented by

Catalin Cimpanu

News Editor

A Chinese state-sponsored espionage group has compromised and is currently controlling roughly 30% of all Cisco RV320 and Cisco RV325 WAN routers across the internet.

Active infections were spotted by SecurityScorecard's STRIKE Team over the past 37 days, between December 1, 2023, and January 7, 2024.

The routers are infected with, and form part of, KV, a botnet first spotted by internet infrastructure company Lumen last month. According to Lumen, the same botnet also includes a large number of DrayTek Vigor routers, NETGEAR ProSAFE firewalls, and Axis security cameras.

Risky Biz News: Chinese APT exploits two Pulse Secure zero-days

Presented by

Catalin Cimpanu

News Editor

A Chinese state-sponsored hacking group has exploited two zero-days in Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) to gain access to corporate networks.

The zero-days were discovered by American cybersecurity firm Volexity, which attributed the attacks to a group it tracks as UTA0178.

Ivanti has published mitigations and workarounds that customers can apply until firmware patches are released on January 22.

Russia's Cyber War Gets Smarter… And Dumber

Presented by

Tom Uren

Policy & Intelligence

Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment.

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras.

Risky Biz News: Ransomware wrecks Paraguay's largest telco

Presented by

Catalin Cimpanu

News Editor

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

Risky Biz News: Turkish APT group Sea Turtle returns

Presented by

Catalin Cimpanu

News Editor

Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Ever since its public outing in late 2020, the group has wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations.