Newsletters

Law enforcement agencies have doxed, charged, and sanctioned the administrator of the LockBit ransomware operation.

Officials say the LockBit admin—known as LockBitSupp—is a 31-year-old Russian national named Dimitry Yuryevich Khoroshev from the city of Voronezh in Southwest Russia.

On Tuesday, the US Justice Department unveiled a 26-count indictment in Khoroshev's name, claiming he personally pocketed more than $100 million from LockBit ransom payments. That's about a fifth of all LockBit ransom payments.

Microsoft has re-committed to prioritizing security, in a sign the company fears the reputational damage it stands to incur after a duo of facepalm-worthy hacks it suffered over the past year.

Back in November, Microsoft announced the Secure Future Initiative (SFI), a somewhat generic plan to overhaul the company's cloud security. The pinky promise to improve security came after a Chinese state-sponsored group hacked Microsoft in June and pivoted to US government networks.

A month later, in December, Microsoft revealed that days after its SFI announcement—by a stroke of irony—it also got hacked by Russian hackers, which then proceeded to steal data from its internal email server, including from executives and its security team (gasp!).

Reports on interesting and puzzling malware strains are quite rare in infosecland, where most of the time, you're bound to read about cryptominers, Mirai clones, and the same 5-6 malware loaders and infostealers over and over again.

This week, Lumen's Black Lotus Labs team published a report on a new malware strain named Cuttlefish that they found on both SOHO and enterprise-grade routers.

The interesting part about the report was that Cuttlefish appears to have been designed to work as a traffic interception system on the infected devices.

This week the US Federal Communications Commission (FCC) levied nearly USD$200m in fines against the country's largest mobile telecommunications providers for selling customers' location data  without their consent.

The FCC says each of the telcos involved—Verizon, AT&T, Sprint and T-Mobile—sold customer location data to aggregators despite a 2007 regulation that required them to obtain consent from customers to do so. The aggregators then resold the data to third-party location-based service providers. In one example, aggregators shared AT&T customer location data with 88 third party entities directly or indirectly. They shared location data from other telcos with similar numbers of third parties. 

Some carriers argue they shouldn't be fined because they discontinued the practice in 2019. This is an appealing argument at first glance, but the FCC started these investigations  after a 2018 New York Times article showed the data was being abused by a Missouri sheriff. We're not sure companies should be let off the hook just because they stop a troubling practice when it receives unwelcome public attention. 

Academics, security, and privacy researchers have proposed a new standard for the management of privacy policies and consumer rights.

The new standard is named privacy.txt and was inspired by similar solutions like robots.txt, security.txt, and ads.txt.

Just like the aforementioned, it is designed to be hosted in a website's root (/) or "/.well-known" directory and provide instructions to both users and automated systems about a company's privacy policies and user data controls.

Belarusian hacktivist group the Cyber Partisans claims to have hacked Belarus' national intelligence agency, the Belarusian KGB.

The group says it breached the agency in the fall of 2023 and exfiltrated data from its official website.

The intrusion went undetected for months until earlier this year, when the KGB put its website into maintenance mode—in which it remained to this day.

A suspected state-backed hacking group is exploiting two zero-days in Cisco ASA security appliances as part of a campaign targeting government networks globally.

Cisco confirmed the attacks earlier this week when it also released patches for the two zero-days.

The company linked the attacks to a group it tracks as UAT4356. Cisco says the group has also targeted perimeter network devices from other vendors, as well as Microsoft Exchange email servers.

Russian military intelligence hacking unit Sandworm presents a cyber proliferation risk with its more sensational operations potentially inspiring or acting as a rough blueprint for other actors, Google’s Mandiant unit has warned.

Google's Mandiant recently released a report examining Sandworm, perhaps the world's most notorious state-sponsored group. The report is a useful primer on the most significant Russian cyber activities associated with the country's invasion of Ukraine.

Sandworm, which Mandiant has now dubbed APT44, has been around since 2009 and the US and UK governments formally attribute the group to Unit 74455 of the GRU, Russian military intelligence.  

The US government has imposed entry visa restrictions on 13 individuals involved in the development and sale of commercial spyware.

The visa ban applies to the 13 individuals and their immediate family members, such as spouses and children.

The State Department has not released their names. Sources have told RiskyBiz the names would not be made public due to US laws.

An unidentified threat actor is exploiting a zero-day vulnerability in CrushFTP, an enterprise file-transfer software solution.

CrushFTP released a patch on Friday, hours after it learned of the attacks from the Airbus CERT team. CrowdStrike also confirmed the zero-day later in the day and described the attacks as "targeted."

The zero-day was assigned CVE-2024-4040.