Newsletters

Written content from the Risky Business Media team

Risky Biz News: Romania to hack-back foreign APTs

Presented by

Catalin Cimpanu

News Editor

The Romanian government will hack back the command and control servers of foreign APT groups targeting the country, General Anton Rog, the head of CyberInt, the cyber division of the Romanian Intelligence Service, said this week at an IT conference in Bucharest.

Gen. Rog says the purpose of hack-back operations will be to acquire malware samples, share them with partners, and disrupt operations.

The agency's new approach is part of a new national cybersecurity strategy adopted in December 2021, which also contains an offensive component that would facilitate such operations.

China's Barracuda Hacks Were Just Plain Rude

Presented by

Tom Uren

Policy & Intelligence

The polite thing to do when your APT operation is discovered by your adversaries is to pack up, go home, and ready your next campaign. What you shouldn't do is escalate in response to discovery, dig in, and turn thousands of expensive email gateway appliances into boat anchors.

But this is exactly what a Chinese APT group did in response to one of its recent campaigns being rumbled.

Last week, Mandiant published a report attributing a recent "wide-ranging campaign" exploiting a Barracuda Email Security Gateway (ESG) vulnerability to a PRC cyberespionage actor it tracks as UNC4841.

Risky Biz News: Albania raids Iranian MEK camp for running a "hacker center"

Presented by

Catalin Cimpanu

News Editor

Albanian law enforcement raided a refugee camp hosting members of Iranian opposition party Mujahedeen-e-Khalq (People's Mujahedin of Iran, or MEK) on suspicion of operating a "hacker center" that conducted cyber-attacks against foreign institutions.

The raids took place on Tuesday, June 20, and targeted a camp near the city of Manez in Western Albania.

The camp hosts around 3,000 MEK party members who were relocated to Albania in 2013 after their previous camp in Iraq came under attack from Iraqi and Iranian forces.

Risky Biz News: Microsoft embarrassingly admits it got DDoSed into the ground by Anonymous Sudan

Presented by

Catalin Cimpanu

News Editor

Microsoft has quietly confirmed that the recent outages of its Outlook, OneDrive, and SharePoint online services were caused by DDoS attacks carried out by a pro-Kremlin group named Anonymous Sudan (Storm-1359 in Microsoft's internal nomenclature).

That's quite the embarrassing statement from one of the world's top three cloud providers that, apparently, can't protect its own services.

A blog post published late Friday suggests Microsoft was caught off guard by the group's choice of attack methodology.

Risky Biz News: LockBit gang made $91 million from US attacks

Presented by

Catalin Cimpanu

News Editor

The operators of the LockBit ransomware are believed to have made more than $91 million in ransom payments from more than 1,700 attacks targeting US organizations, according to CISA and the FBI.

The figure covers LockBit's entire lifespan since its official launch in January 2020, but it does not include ransom payments that have not been reported to the FBI or payments made by foreign companies.

Regardless, this puts LockBit right up there with the best-earning ransomware gangs of all time, trailing the likes of Ryuk, REvil, and Darkside. [obviously, based on limited visibility into the ecosystem]

IC Reform is Great, but Decent Privacy Laws Would Be Even Better

Presented by

Tom Uren

Policy & Intelligence

An ODNI report into the US Intelligence Community's use of Commercially Available Information (CAI) has caused quite a stir, but most of the resulting press coverage has missed the forest for the trees.

It is a problem that the IC is using this information without any guiding policy. It is a much, much bigger problem that this information is being collected for sale in the first place.

The report examines how the IC is using CAI, what privacy and civil liberty protections cover its use, and makes recommendations about how this data should be used in the future. It defines CAI as information that can be bought by the public and excludes data that is commercially available only to governments.

Risky Biz News: CISA orders federal agencies to secure internet-exposed routers, firewalls, and VPNs

Presented by

Catalin Cimpanu

News Editor

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) and has ordered federal civilian agencies to limit access from the internet to the management interfaces of networking equipment.

The new BOD 23-02 applies to routers, switches, firewalls, VPN servers, proxies, load balancers, and out-of-band server management interfaces such as iLO and iDRAC.

It applies to management interfaces hosted on a multitude of protocols, ranging from HTTPS to SSH, SMB, RDP, and others.

Risky Biz News: Ukrainian hackers wipe equipment of major Russian telco

Presented by

Catalin Cimpanu

News Editor

A Ukrainian hacking group named the Cyber Anarchy Squad has breached the network of Russian telco Infotel JSC and wiped some of its routers and networking devices.

The incident took place last Thursday—June 8—and brought the telco's network to a full stop for 32 hours.

The company confirmed the attack via a short message on its website.

Risky Biz News: Former South Korean government officials hacked in Kimsuky campaign

Presented by

Catalin Cimpanu

News Editor

The South Korean National Police Agency says that a North Korean hacking group known as Kimsuky has breached the email accounts of former government officials.

The Kimsuky campaign took place between April and August of last year and targeted 150 current and former South Korean government officials, professors, and defense and national security experts.

Police officials say Kimsuky operators successfully lured nine individuals to phishing pages and stole their login credentials for Google and Naver accounts.

ASD's Latest Operation: Charm Offensive

Presented by

Tom Uren

Policy & Intelligence

The Australian Signals Directorate (ASD), Australia's signals intelligence and cyber organisation, has opened up to an ABC documentary about a number of its offensive cyber operations.

One of them was "Operation Valley Wolf", ASD's cyber contribution to the safe passage of partner troops through the Tigris river valley to Mosul, then under Islamic State (IS) control. The broad outlines of this operation have been described before, but the documentary provides more colour and detail.

ASD studied IS's electronic communications, which included the use of a variety of encrypted messaging apps including Surespot, Wickr, WhatsApp and Telegram. It used an implant, "Light Bolt", that could be deployed to IS devices without user interaction and three different denial-of-service payloads that would disrupt internet access: "Rickrolling", "Care Bear" and "Dark Wall". These payloads all cut internet access, but with different degrees of permanence.