Newsletters

Written content from the Risky Business Media team

Hacktivists Strike At Ransomware's Soft Underbelly

Presented by

Tom Uren
Tom Uren

Policy & Intelligence

A purported group of pro-Ukrainian cyber activists, the Ukrainian Cyber Alliance, has disrupted an active ransomware gang, known as Trigona, by hacking and deleting the group's servers.

If a group of hacktivists can compromise a ransomware gang, these gangs are certainly susceptible to operations run by better organised and resourced state cyber outfits.

While the hacktivists’ actions will hurt, this is probably a speed hump for Trigona rather than an enduring disruption. The group claims that it will return quickly.

Risky Biz News: 1Password joins the list of Okta victims

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

Password management service 1Password has joined the list of companies that have been impacted by a recent security breach at identity provider Okta.

1Password becomes the third company known to be affected by the Okta breach—after BeyondTrust and Cloudflare.

The Okta incident is the second major hack the company disclosed after a January 2022 incident when 366 companies had their Okta environments accessed.

Risky Biz News: Cisco IOS XE hackers are hiding their tracks as patches come out

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.

Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.

The zero-day allowed threat actors to create an admin account with the highest level of privileges on devices that had their WebUI panel exposed on the internet.

Risky Biz News: Two ransomware gang websites go puff!

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

Two ransomware gangs have had their dark web server infrastructure disrupted this week in two extremely different circumstances, with hacktivists wiping the servers of the Trigona gang and law enforcement seizing RagnarLocker's infrastructure a day later.

The first to fall was Trigona, a ransomware operation that began operations in June of last year.

In Facebook and Twitter posts, a group of pro-Ukrainian hacktivists named the Ukrainian Cyber Alliance said they hacked the backend servers supporting Trigona's operations.

Mature Organisations Still a Security Horror Show

Presented by

Tom Uren
Tom Uren

Policy & Intelligence

CISA and NSA have published a joint advisory on the most common misconfigurations experienced in cases across federal and state governments, the defence industrial base and critical infrastructure operators.

You would expect to see well configured networks at these organisations, but the CISA/NSA advisory says these misconfigurations occurred even in networks with "mature cyber postures". The list is made up of 101-level problems:

The report describes these misconfigurations as "systemic weaknesses across many networks". Given that getting these settings right is 'basic cyber hygiene', these misconfigurations shouldn't exist in an organisation with a mature cyber posture.

Risky Biz News: Mysterious APT compromises Asian government's secure USBs

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

A mysterious APT group has compromised secure USB drives used by an Asian country's government to safely store and physically transfer data between sensitive government systems.

Spotted by Kaspersky, the attacks took place in early 2023. While the security firm has not attributed the operation to any particular APT group or state, the campaign is extremely likely to be Chinese in origin. Chinese APT groups—such as Camaro Dragon, Temp.Hex, UNC4191, Mustang Panda, and Troppic Trooper—have used USB drives as a way to distribute malware across the APAC region for the past several years, and some of these campaigns have been recently seen in Africa and Europe as well.

But while previous campaigns targeted your run-of-the-mill USB thumb drives, Kaspersky says this campaign targeted "a specific type of a secure USB drive" used by that country's government agencies.

Risky Biz News: Israel warns citizens of security camera hack risk

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

In the face of an escalating military conflict with Hamas and Hezbollah forces, the Israeli government has asked citizens to secure home security cameras or shut them down completely, fearing the devices could be hacked and used for espionage and intelligence collection.

In a memo on Friday, Israel's National Cyber Directorate has asked camera owners to change their passwords, enable two-factor authentication if present, and enable automatic security updates.

If camera owners can't change any of their settings, officials have urged owners to either cover camera lenses or shut down devices completely.

Risky Biz News: Microsoft takes NTLM behind the shed

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

Microsoft has announced plans to disable support for the NTLM authentication protocol in a future version of Windows 11.

Even if Microsoft has not put out a hard cut-off date, this is good news regardless, as it sets the stage for the protocol to be removed after 30 years of use.

Short for New Technology LAN Manager, the protocol was introduced in 1993 with the release of Windows NT 3.1. It was the primary user authentication protocol until Windows 2000, when it was replaced by Kerberos.

Bringing Humanitarian Law to Cyber War

Presented by

Tom Uren
Tom Uren

Policy & Intelligence

It is hard to care about hacktivism when the news from Israel and Gaza is so bleak, but there has been a flurry of activity from both camps since the conflict erupted.

Cyber attacks reported so far include the DDoSing of both Israeli and Palestinian websites and the leaking of stolen documents and credentials from Israeli-related sites. While these actions generally made little difference to events on the ground, some attacks attempted to disrupt Israel's response to Hamas rocket attacks.

Per Wednesday's edition of Risky Business News:

Risky Biz News: Microsoft deprecates VBScript

Presented by

Catalin Cimpanu
Catalin Cimpanu

News Editor

Microsoft has deprecated VBScript, a powerful scripting language that has been part of the Windows operating system since 1998.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

As a FoD, Microsoft says VBscript will be preinstalled on Windows OS images but not enabled by default.