Newsletters

Written content from the Risky Business Media team

Risky Biz News: Russia hacked 22 Danish critical infrastructure companies

Presented by

Catalin Cimpanu

News Editor

Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

Risky Biz News: Malay officials take down BulletProftLink, one of the largest PhaaS providers

Presented by

Catalin Cimpanu

News Editor

Malaysian police have dismantled Phishing-as-a-Service provider BulletProftLink and have detained eight suspects, including the platform's main administrator.

The service launched in 2015 and grew to become one of the largest on-demand phishing platforms known to date.

It operated like your regular SaaS platform—but for email phishing gangs. For a $2,000 monthly fee, the service would provide hosting for phishing sites and access to phishing kits, email templates, and tutorials.

Risky Biz News: Clop is coming after your SysAid servers

Presented by

Catalin Cimpanu

News Editor

The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug.

SysAid's team described the zero-day, tracked as CVE-2023-47246, as a "path traversal vulnerability leading to code execution."

Microsoft Should Look to the Past for Its Security Future

Presented by

Tom Uren

Policy & Intelligence

Last week, Microsoft announced a "Secure Future Initiative" to improve its ability to cope with increasingly sophisticated cyber security threats.

This reminds us of Microsoft's last security epiphany, the Trustworthy Computing initiative, launched in 2002. Unfortunately, compared to the clarity, focus and commitment of the Trustworthy Computing initiative, this announcement is disappointing.

In a post describing the Secure Future Initiative, Microsoft President and Vice Chair Brad Smith wrote that the new initiative was required because of the "increasing speed, scale and sophistication of cyberattacks".

Risky Biz News: Chinese APTs evolve towards stealth, zero-day abuse

Presented by

Catalin Cimpanu

News Editor

Chinese state-sponsored hacking operations have undergone a major shift in recent years, with groups growing in sophistication and abandoning noisy and high-volume campaigns for stealthy and extremely targeted attacks.

If you read APT reports for a living—like this newsletter's author—then nothing in the above sentence is new to you.

Over the past two or three years, there have been numerous reports across the infosec industry about how Chinese APT group "XX" or Chinese APT group "YY" has changed its modus operandi.

Risky Biz News: US sanctions Russian woman for laundering money for Ryuk gang, Russian elites

Presented by

Catalin Cimpanu

News Editor

The US Treasury has sanctioned a Russian businesswoman named Ekaterina Zhdanova for helping Russian oligarchs and cybercrime gangs evade sanctions and launder stolen cryptocurrency.

Officials say Zhdanova worked as an intermediary in order to obfuscate the real nature of various illegal transactions.

She disguised operations using traditional businesses operating overseas but also used accounts at cryptocurrency platforms that did not enforce anti-money laundering (AML/CFT) controls.

Risky Biz News: New CVSSv4 vulnerability scoring system is out

Presented by

Catalin Cimpanu

News Editor

The Forum of Incident Response and Security Teams (FIRST) has officially released a new version of the Common Vulnerability Scoring System (CVSS), the most widely used standard for rating the severity of software vulnerabilities using a score from 1 to 10.

With this week's release, the standard has now reached version 4.0—also more commonly known as CVSSv4.

Work on this new version began years ago and comes after a period of public comments and feedback and after a first CVSSv4 draft was presented in June at the FIRSTcon 2023 security conference.

When Good Cyber Security Leads to Violence

Presented by

Tom Uren

Policy & Intelligence

Groups of young Lapsus$-style hackers are rapidly evolving their tradecraft and aggressively exploiting organisations in ways their victims don't expect.

A new Microsoft report describes the evolution of a group it calls Octo Tempest and charts its increasingly aggressive tactics and the rapid change in its targets. In early 2022, Octo Tempest focused on social engineering and targeting mobile providers to enable SIM-swapping crimes such as cryptocurrency theft, and selling the access gained to other criminals.

However, by early 2023, the group was targeting telecommunications, email and tech service providers, and collaborating with the ALPHV/BlackCat ransomware-as-a-service operation to extort organisations by threatening to leak stolen sensitive data.

Risky Biz News: SEC charges SolarWinds and its CISO

Presented by

Catalin Cimpanu

News Editor

The US Securities and Exchange Commission has filed fraud charges against software company SolarWinds and its chief information security officer, Timothy Brown.

The agency says it reviewed internal communications and security assessments and found that SolarWinds lied about its cybersecurity posture to investors for years before it was hacked in 2020.

The SEC says that for at least two years before the hack, the company—through its CISO—had learned and discussed its cybersecurity deficiencies but misrepresented the risks to investors.

Risky Biz News: CitrixBleed vulnerability goes from bad to disastrous

Presented by

Catalin Cimpanu

News Editor

A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. The bad part is that, in some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.