Newsletters

Written content from the Risky Business Media team

Risky Biz News: Two Iranian cyber groups get doxed in a week

Presented by Catalin Cimpanu, News Editor

The identities of two Iranian cyber groups were exposed within the space of a single week.

The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).

The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hamas attacked Israel on October 7 last year.

Risky Biz News: Let's revisit the Ivanti Connect Secure clusterfudge

Presented by Catalin Cimpanu, News Editor

All journalists take pride in being able to put together smart and intelligible sentences that convey a story. However, three weeks after Ivanti disclosed the existence of two zero-days in its Connect Secure VPN appliance, things have become so twisted and convoluted that, at this point, I feel like it's time to bring out the bulleted list format in order to put some order in the ginormous clusterf**k that these zero-days have become.

So, for the sake of clarity—both mine and yours—let's review where things stand with the recent batch of Ivanti zero-days and their exploitation.

Ripple founder hacked: A threat actor has hacked and stolen $112.5 million worth of crypto-assets from Chris Larsen, the co-founder and executive chairman of Ripple, the company behind the XRP cryptocurrency. Larsen confirmed the hack and said that only his personal accounts were affected. Even though Ripple Labs accounts were not affected, XRP's price dropped 5% in the aftermath of the hack. [Additional coverage in CoinTelegraph]

US Data Dumpster Fire Singes NSA

Presented by Tom Uren, Policy & Intelligence

The National Security Agency (NSA) has been embroiled in a US Senator's campaign against intelligence agencies' purchase and use of data obtained illegally by data brokers.

US Senator Ron Wyden, a member of the US Senate Select Committee on Intelligence, is pushing to stop US intelligence agencies buying Americans' personal data obtained illegally by data brokers.

Wyden announced the push in a recent press release in which he announced the release of letters saying the NSA was buying 'internet records' that could reveal what websites Americans visited and the apps they used.

Risky Biz News: Brazilian police arrest Grandoreiro malware gang

Presented by Catalin Cimpanu, News Editor

Brazil's Federal Police have detained five members of Grandoreiro, a malware gang that specializes in stealing funds from banking customers with a custom-built banking trojan.

The group has been active since 2019 and is believed to have stolen at least $3.9 million from customers at banks in Brazil, Mexico, and Spain.

Brazilian officials say Spanish financial institution CaixaBank identified the Grandoreiro members and worked with Interpol and Spanish police to get them detained.

Risky Biz News: DOJ and FTC tell companies to stop deleting chats

Presented by Catalin Cimpanu, News Editor

Federal investigators are warning companies not to delete chats and to preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.

In press releases on Friday, the US Department of Justice and the US Federal Trade Commission announced that they have updated the language in their preservation letters and specifications, the documents they send to companies under federal investigation.

The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.

Risky Biz News: SVR hackers also breached HPE

Presented by Catalin Cimpanu, News Editor

Days after Microsoft revealed a security breach by a Russian state-sponsored hacking group, Hewlett Packard Enterprise disclosed a similar breach at the hands of the same group.

In a document filed with the US Securities and Exchange Commission (SEC), HPE blamed the breach on Midnight Blizzard, a hacking group believed to be one of the cyber units operating inside Russia's Foreign Intelligence Service (SVR).

HPE says the group breached its cloud infrastructure in May of last year.

Smile! You've Been Sanctioned

Presented by Tom Uren, Policy & Intelligence

The Australian, US and UK governments have upped the ante against cybercriminals by launching coordinated sanctions against a single individual involved in a significant extortion attack.

On Tuesday this week, the Australian government announced financial and travel sanctions targeting Aleksandr Gennadievich Ermakov, a Russian national, for his role in the hack of Medibank Private, an Australian health insurance company.

Australia employed its cyber sanctions regime for the first time in this case. On the same day, the US and UK governments sanctioned Ermakov.

Risky Biz News: AU, UK, US sanction Russian behind Medibank ransomware attack

Presented by Catalin Cimpanu, News Editor

Australia, the UK, and the US have sanctioned a Russian national for his role in a ransomware attack on Australian private health insurer Medibank in October 2022.

Identified as Alexander Ermakov, he is believed to be connected to the REvil ransomware operation, where he allegedly operated under pseudonyms such as GustaveDore, JimJones, Blade_Runner, and aiiis_ermak. Ermakov is believed to be 33 and a resident of Moscow.

Officials say Ermakov was a "pivotal" and "key actor" in REvil's attack on Medibank, considered one of Australia's worst cybersecurity incidents.

Risky Biz News: SVR hackers breach Microsoft, steal emails from the security team

Presented by Catalin Cimpanu, News Editor

Russian state-sponsored hackers have breached Microsoft's internal network and have stolen emails from the company's senior leadership, legal, and cybersecurity teams.

The intrusion began in late November of 2023 and lasted until January 13, when Microsoft kicked the hackers off its network.

The Redmond-based giant attributed the attack to Midnight Blizzard, one of the cyber units inside Russia's Foreign Intelligence Service (SVR).

Risky Biz News: Congress considers making CSRB permanent and more independent and transparent

Presented by Catalin Cimpanu, News Editor

Following a hearing of the Senate Homeland Security and Governmental Affairs Committee, US lawmakers said they're considering legislation that would make the DHS Cyber Safety Review Board (CSRB) a permanent organization in the US cybersecurity space.

Created under a May 2021 White House executive order, the CSRB was set up as a cybersecurity analog to the National Transportation Safety Board (NTSB), the independent federal agency that investigates transportation accidents.

It was established in the aftermath of the SolarWinds supply chain attack as an independent board tasked with investigating cybersecurity-related incidents that affect the US government and issuing recommendations to improve security measures across both the US public and private sectors.