Newsletters

The German government says Chinese APTs are hijacking SOHO routers, NAS devices, and smart home automation systems to conduct cyber-espionage operations.

The hacked devices are used as a giant mesh of proxies that relay and hide the origin of the attack.

Chinese cyber-espionage groups like APT15 (Vixen Panda, Ke3chang) and APT31 (Zirconium, Judgement Panda) have been observed utilizing the tactic, according to a security advisory published by the German Federal Office for the Protection of the Constitution (BfV) last week. A Google Translate machine-translated version of the alert is here.

An anonymous researcher has sifted through the changelogs of open-source projects and obtained CVE identifiers for old bugs that experts say may not be security flaws.

All the fake CVEs were obtained on August 22nd, and all were filed for open-source projects.

According to a list compiled by Chainguard at RiskyBusiness' request, 138 CVEs were filed in projects such as cURL, PostgreSQL, Python, the Netwide Assembler, ImageMagick, and many smaller libraries.

Fears that proposed amendments to the UK's Investigatory Powers Act will prevent vendors from issuing software updates are overblown.

Early last month the UK government opened a consultation period on proposed changes to its Investigatory Powers Act (IPA), the legislation that governs law enforcement and intelligence agencies’ use of intrusive investigatory powers such as telco-mediated lawful interception.

The IPA has been in force since 2016 when it combined existing statutory powers granted to UK authorities into a single piece of legislation. It also strengthened approval and oversight processes, with use of the most intrusive powers requiring a 'double-lock' approval from a government minister and an independent judicial commissioner.

The FBI has seized server infrastructure that hosted the Qakbot botnet and mass-uninstalled the malware from infected systems.

Also known as Qbot and Pinkslipbot, the botnet has been active since 2008. It initially launched as a banking trojan but changed to operating as a "loader" in the mid-2010s, infecting systems via malspam campaigns and then selling access to infected systems to other cybercrime groups.

Over the past three years, Qakbot has served as an initial entry point for many ransomware attacks. Groups that have worked with Qakbot include the likes of Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.

Seven malicious packages have been found and removed from Crates, the official package repository for the Rust programming language, marking the second time malware has been found on the portal. [This is the first-known incident, if anyone's curious.]

The packages were discovered by DevSecOps company Phylum, which described them as showing "the hallmarks of early preparations for a broader campaign."

All seven packages were initially published with no content and then received incremental updates over a few days with suspicious code.

In a joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch spoke with Ilia Vitiuik, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about how Ukraine has countered Russia's cyber operations.

Vitiuk described Russian cyber operations against Ukraine as a "cyber war" with destructive campaigns against Ukraine starting in 2014, eight years before the full-scale invasion. Significant destructive cyber operations he cited included NotPetya, electricity network attacks in 2015 and 2016 and a less well-known attempt to cause a train collision by interfering with a railroad control system.

Vitiuk said these incidents motivated Ukraine to improve its cyber security.

Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The zero-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign.

Researchers tracked the earliest exploits to April this year.

South Korea's National Intelligence Service (NIS) has found malicious code embedded in the chips of weather-measuring instruments made in China and used by the Korean Meteorological Administration.

The malicious code was described as a "spy chip" that can eavesdrop on its surroundings and "steal information through radio frequencies," South Korean TV network Channel A reported this week.

A representative for the Korean Meteorological Administration told KBS, South Korea's national broadcaster, that the malicious code was found four months ago but didn't elaborate on how it was discovered.

As the US private space sector is growing into a global behemoth and as Starlink shows the crucial role private satellite networks can play in a military conflict, the US government is urging companies to bolster their defenses against foreign sabotage and espionage.

Three US intelligence agencies—the FBI, the National Counterintelligence and Security Center, and the US Air Force Office of Special Investigations—published a joint security advisory [PDF] last week describing the type of threats the commercial space industry could face from foreign intelligence agencies.

Officials warn of hacks, malicious insiders, employee recruitment efforts, and misleading investments and business partnerships.

PowerShell Gallery, the official repository for the PowerShell scripting language, contains (still-unfixed) design flaws that can be abused by threat actors for typosquatting and impersonation attacks.

Discovered by cloud security firm AquaSec, these issues can be weaponized in supply chain attacks to trick developers into downloading and running malicious PowerShell packages on their systems or inside enterprise applications.

The first issue researchers found was that PSGallery does not come with any kind of protection against typosquatting, allowing threat actors to register packages that mimic the names of more successful PowerShell modules just by adding punctuation inside the name.