Newsletters

A Chinese state-sponsored espionage group has compromised and is currently controlling roughly 30% of all Cisco RV320 and Cisco RV325 WAN routers across the internet.

Active infections were spotted by SecurityScorecard's STRIKE Team over the past 37 days, between December 1, 2023, and January 7, 2024.

The routers are infected with and are part of KV, a botnet first spotted by internet infrastructure company Lumen last month. According to Lumen, the same botnet also consists of a large number of DrayTek Vigor routers, NETGEAR ProSAFE firewalls, and Axis security cameras.

A Chinese state-sponsored hacking group has exploited two zero-days in Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) to gain access to corporate networks.

The zero-days were discovered by American cybersecurity firm Volexity, which attributed the attacks to a group it tracks as UTA0178.

Ivanti has published mitigations and workarounds that customers can apply until firmware patches are released on January 22.

Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment.

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras.

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Ever since its public ousting in late 2020, the group wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations.

Ransomware gang arrest: Chinese police detained two individuals from Hohhot who were involved in ransomware attacks against Chinese organizations. Officials say the group used ChatGPT to optimize the code of their ransomware, which they used to encrypt corporate servers and demand $20,000 in ransom. [Additional coverage in Global Times]

Orgon sentencing: A Colombian judge has sentenced Andres Felipe Cardoso Alvarez to three years and five months in prison. Alvarez was known as Orgon, a member of the Anonymous Colombia hacking group. As part of the group, he launched attacks against a large number of government organizations.

Cyber Toufan wiping spree: The data-wiping spree started by the Cyber Toufan group at the end of November is still going strong. The group has now wiped more than 100 organizations, with the vast majority being based in Israel. Around 40% of the victims were hit after the group compromised their MSP.

Chrome Safety Check: Google has announced that Safety Check, the feature that scans for compromised user passwords, will now continuously run in the background at all times.

Wikipedia Russia shuts down: Wikipedia's Russian edition has shut down after authorities designated its lead editor as a "foreign agent."

Substack Against Nazis: More than 100 Substack editors named "Substack Against Nazis" have signed an open letter asking Substack to remove white supremacy and nazi newsletters hosted on the platform, threatening to leave if the company fails to act.

In this podcast, Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

FBI disrupts AlphV ransomware: US authorities have hacked and seized server infrastructure operated by the AlphV (BlackCat) ransomware gang. Authorities say they also recovered 500 encryption keys, which they are now offering together with a decrypter to all affected victims. This confirms rumors from last week.

Pig-butchering gang detained: US authorities have unsealed charges against four suspects (detained two) for their role in a sprawling crypto-investment scheme (aka pig butchering) that netted them $80 million.

AI Act: EU authorities have agreed on a first version of the AI Act, a law meant to regulate artificial intelligence development and tools across the EU.

UK sanctions Asian scammers: The UK government has sanctioned nine individuals and five entities for their involvement in trafficking people in Cambodia, Laos, and Myanmar and forcing victims to work in call centers specialized in cyber fraud (also known as "pig butchering scams"). These are the first-ever sanctions levied against online scam operations.

FBI SEC reporting rules: The FBI has published a guide on how companies that suffered a security breach should report their incidents to the SEC and other authorities. The guide comes after a ransomware gang tried to use the confusion around these new rules to put pressure on a victim as part of their ransom negotiations.

The UK government has summoned Russia's ambassador to explain a years-long hacking campaign conducted by one of the FSB's cyber units.

Officials say that FSB hackers targeted politicians and government organizations and attempted to use hacked data to influence and interfere in UK politics.

The UK government statement connects—for the first time—an APT group known as Star Blizzard to Center 18, a cybersecurity division inside Russia's FSB intelligence agency.