Newsletters

Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

Malaysian police have dismantled Phishing-as-a-Service provider BulletProftLink and have detained eight suspects, including the platform's main administrator.

The service launched in 2015 and grew to become one of the largest on-demand phishing platforms known to date.

It operated like your regular SaaS platform—but for email phishing gangs. For a $2,000 monthly fee, the service would provide hosting for phishing sites and access to phishing kits, email templates, and tutorials.

The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug.

Tracked as CVE-2023-47246, SysAid's team described the zero-day as a "path traversal vulnerability leading to code execution."

Last week, Microsoft announced a “Secure Future Initiative" to improve its ability to cope with increasingly sophisticated cyber security threats.

This reminds us of Microsoft's last security epiphany, the Trustworthy Computing initiative, launched in 2002. Unfortunately, compared to the clarity, focus and commitment of the Trustworthy Computing initiative, this announcement is disappointing.

In a post describing the Secure Future Initiative, Microsoft President and Vice Chair Brad Smith wrote that the new initiative was required because of the "increasing speed, scale and sophistication of cyberattacks".

Chinese state-sponsored hacking operations have undergone a major shift in recent years, with groups growing in sophistication and abandoning noisy and high-volume campaigns for stealthy and extremely targeted attacks.

If you read APT reports for a living—like this newsletter's author—then nothing in the above sentence is new to you.

Over the past two or three years, there have been numerous reports across the infosec industry about how Chinese APT group "XX" or how Chinese APT group "YY" has changed their modus operandi.

The US Treasury has sanctioned a Russian businesswoman named Ekaterina Zhdanova for helping Russian oligarchs and cybercrime gangs evade sanctions and launder stolen cryptocurrency.

Officials say Zhdanova worked as an intermediary in order to obfuscate the real nature of various illegal transactions.

She disguised operations using traditional businesses operating overseas but also used accounts at cryptocurrency platforms that did not enforce anti-money laundering (AML/CFT) controls.

The Forum of Incident Response and Security Teams (FIRST) has officially released a new version of the Common Vulnerability Scoring System (CVSS), the most widely used standard for rating the severity of software vulnerabilities using a score from 1 to 10.

With this week's release, the standard has now reached version 4.0—also more commonly known as CVSSv4.

Work on this new version began years ago and comes after a period of public comments and feedback and after a first CVSSv4 draft was presented in June at the FIRSTcon 2023 security conference.

Groups of young Lapsus$-style hackers are rapidly evolving their tradecraft and aggressively exploiting organisations in ways their victims don't expect.

A new Microsoft report describes the evolution of a group it calls Octo Tempest and charts its increasingly aggressive tactics and the rapid change in its targets. In early 2022, Octo Tempest focused on social engineering and targeting mobile providers to enable SIM-swapping crimes such as cryptocurrency theft, and selling the access gained to other criminals.

However, by early 2023, the group was targeting telecommunications, email and tech service providers, and collaborating with the ALPHV/BlackCat ransomware-as-a-service operation to extort organisations by threatening to leak stolen sensitive data.

The US Securities and Exchange Commission has filed fraud charges against software company SolarWinds and its chief information security officer, Timothy Brown.

The agency says it reviewed internal communications and security assessments and found that SolarWinds lied about its cybersecurity posture to investors for years before it was hacked in 2020.

The SEC says that for at least two years before the hack, the company—through its CISO—had learned and discussed its cybersecurity deficiencies but misrepresented the risks to investors.

A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. The bad part is that, in some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.