Newsletters

The FBI has seized server infrastructure that hosted the Qakbot botnet and mass-uninstalled the malware from infected systems.

Also known as Qbot and Pinkslipbot, the botnet has been active since 2008. It initially launched as a banking trojan but changed to operating as a "loader" in the mid-2010s, infecting systems via malspam campaigns and then selling access to infected systems to other cybercrime groups.

Over the past three years, Qakbot has served as an initial entry point for many ransomware attacks. Groups that have worked with Qakbot include the likes of Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.

Seven malicious packages have been found and removed from Crates, the official package repository for the Rust programming language, marking the second time malware has been found on the portal. [This is the first-known incident, if anyone's curious.]

The packages were discovered by DevSecOps company Phylum, which described them as showing "the hallmarks of early preparations for a broader campaign."

All seven packages were initially published with no content and then received incremental updates over a few days with suspicious code.

In a joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch spoke with Ilia Vitiuik, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about how Ukraine has countered Russia's cyber operations.

Vitiuk described Russian cyber operations against Ukraine as a "cyber war" with destructive campaigns against Ukraine starting in 2014, eight years before the full-scale invasion. Significant destructive cyber operations he cited included NotPetya, electricity network attacks in 2015 and 2016 and a less well-known attempt to cause a train collision by interfering with a railroad control system.

Vitiuk said these incidents motivated Ukraine to improve its cyber security.

Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The zero-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign.

Researchers tracked the earliest exploits to April this year.

South Korea's National Intelligence Service (NIS) has found malicious code embedded in the chips of weather-measuring instruments made in China and used by the Korean Meteorological Administration.

The malicious code was described as a "spy chip" that can eavesdrop on its surroundings and "steal information through radio frequencies," South Korean TV network Channel A reported this week.

A representative for the Korean Meteorological Administration told KBS, South Korea's national broadcaster, that the malicious code was found four months ago but didn't elaborate on how it was discovered.

As the US private space sector is growing into a global behemoth and as Starlink shows the crucial role private satellite networks can play in a military conflict, the US government is urging companies to bolster their defenses against foreign sabotage and espionage.

Three US intelligence agencies—the FBI, the National Counterintelligence and Security Center, and the US Air Force Office of Special Investigations—published a joint security advisory [PDF] last week describing the type of threats the commercial space industry could face from foreign intelligence agencies.

Officials warn of hacks, malicious insiders, employee recruitment efforts, and misleading investments and business partnerships.

PowerShell Gallery, the official repository for the PowerShell scripting language, contains (still-unfixed) design flaws that can be abused by threat actors for typosquatting and impersonation attacks.

Discovered by cloud security firm AquaSec, these issues can be weaponized in supply chain attacks to trick developers into downloading and running malicious PowerShell packages on their systems or inside enterprise applications.

The first issue researchers found was that PSGallery does not come with any kind of protection against typosquatting, allowing threat actors to register packages that mimic the names of more successful PowerShell modules just by adding punctuation inside the name.

New clues discovered by threat intelligence analysts suggest that the Lockbit ransomware group may be having technical difficulties, which have contributed to the operation losing some of its top affiliates over the past months.

According to a report published by Analyst1's Jon DiMaggio, the Lockbit gang is having problems publishing and leaking victim data on its dark web leak site.

The gang has run out of server storage, DiMaggio says. It often claims that a victim's files have been published, but the files can't be downloaded.

The DHS Cyber Safety Review Board (CSRB) has picked up the unenviable task of investigating the security practices of US cloud service providers and plans to use the recent breach of Microsoft email systems as the figurehead of an upcoming report.

The CSRB may have couched its press release as a generic investigation of cloud security providers, but it is, without a doubt, an investigation into Microsoft's carelessness when it comes to its cloud infrastructure, which underpins a vast section of the US government's IT systems.

The CSRB investigation was announced two weeks after Sen. Ron Wyden asked the DHS—together with the FTC and DOJ—to investigate Microsoft's "lax cybersecurity practices" that led to the breach in the first place.

Russian internet users are reporting that VPN clients using the OpenVPN and WireGuard protocols have stopped working as of this week.

The unofficial ban has been reported primarily by users of Russian mobile internet operators, such as Beeline, Megafon, MTS, Tele2, Tinkoff, and Yota.

OpenVPN and WireGuard traffic does not appear to be blocked on landline connections and especially on business accounts, where they're most likely to be used by the few foreign companies still doing business in Russia.