Newsletters

GitHub is slowly becoming a very dangerous website as more and more threat actors are starting to use it to host and distribute malware disguised as legitimate software repositories.

What started as an infrequent sighting in early 2024 is now at the center of an increasing number of infosec and malware reports.

The tactic is usually the same. A threat actor would take a legitimate repository, add malware to the files—typically an infostealer or a remote access trojan— and then upload the boobytrapped repo back on GitHub.

Amazon Web Services has rolled out a new security feature last week that will help customers prevent a type of attack known as S3 Bucket Namesquatting, or Bucketsquatting.

The attack was first described by cloud engineer Ian Mckay in 2019. It happens when an attacker abuses the predictable naming conventions in AWS bucket names to register buckets that have expired or have been deleted by their original owners.

If traffic still flows to the old buckets, this allows attackers to collect data from internal networks or public-facing apps, leading to serious security incidents.

Aside from one disruptive attack, Iran's cyber retaliation against US and Israeli strikes has been largely missing in action. But there are reasons to believe in the longer term the war will result in an enduring increase in Iran's capacity and appetite for cyber mayhem.

Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the US bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organisations.

Although the Stryker attack looks like it is causing serious disruption at the target company itself, trouble at just a single organisation won't trouble senior US policymakers. 

The European Union on Monday imposed sanctions on three hacking groups and two individuals for cyberattacks on its member states.

Sanctions were imposed on Iranian cyber contractor Emennet Pasargad for its hack of French satirical magazine Charlie Hebdo, the 2024 Paris Olympic Games, and a Swedish SMS service.

This is the same group that also meddled in the 2020 US Presidential Election and was later sanctioned three times by the US as well, in 2021, and September and December 2024.

Meta's security team has suspended thousands of accounts last year that were tied to Mexican and other Latin American drug cartels.

The Facebook and Instagram accounts were used to recruit youth for drug trafficking and drug dealing, to advertise drugs, and to organize violence and extortion operations.

Meta says it used AI to detect the coded language typically used by cartels and also to identify photos of drugs posted on its platforms. Human reviewers also confirmed the findings before accounts were removed.

American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort; the latest of such a crackdown against proxy providers over the past years.

The service had been running since 2021 and rented access to more than 369,000 different IP addresses across its lifetime.

According to the FBI, Europol, and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. Lumen's Black Lotus Labs linked it to a botnet it discovered in 2023, named AVRecon.

President Donald Trump's Cyber Strategy contains an ambitious array of worthwhile goals. The administration's actions over the past year, however, directly undermine many of them, barring one. It raises the question: Can aggressive offensive cyber action compensate for lukewarm defensive efforts?

The strategy, released last Friday, one-ups the Biden era equivalent, at least superficially. Rather than five pillars, this one has six:

The strategy's overall vibe is dominated by that first pillar: "Shape Adversary Behaviour". President Trump's foreword describes using cyber power for "disrupting and disorienting our adversaries". He concludes that "American Power will finally stand up in cyberspace". 

The US Senate has confirmed Army Lt. Gen. Joshua M. Rudd as the next leader of US Cyber Command and the National Security Agency.

Gen. Rudd was confirmed in a 71-29 vote on Tuesday.

He will replace Army Lt. Gen. William Hartman, who is serving as interim chief for both agencies.

US President Donald Trump signed a new executive order on Friday directing federal agencies to prioritize a crackdown against foreign scam operations and predatory forms of cybercrime.

Scam-related crimes, such as business email compromise and investment fraud, have been at the top of the FBI's list of most damaging forms of cybercrime for over half-a-decade.

In 2024 alone, Americans lost $12.5 billion to cyber-enabled fraud schemes, a figure that will likely be surpassed when the 2025 numbers come out in April.

A sudden spike in scanning activity for internet-exposed security cameras has been recorded in Israel and countries across the Middle East. The activity has been traced back to a hacking group with ties to the Iranian government.

The scans spiked on Monday, when Iran launched missile and drone strikes in response to an Israeli and US military operation that bombed and killed its political leadership over the weekend.

Security firm Check Point says the scans targeted Hikvision and Dahua security cameras and included attempts to exploit old vulnerabilities. Scans targeted Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, the exact same countries where Iran carried out kinetic strikes.