Newsletters

A team of Chinese academics has discovered a new type of DNS attack that impacts almost a quarter of all open DNS resolvers running on the internet.

Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.

Academics say they can use a quick succession of malformed packets to poison a DNS resolver's cache, cause a denial of service, or increase a server's resource consumption.

An eye-opening report describes a cyber crime supply chain with connections to Chinese organised crime, illegal online gambling, money laundering, human trafficking and even sponsorships with European sports teams.

Infoblox, the security firm that authored the report, said this supply chain was controlled by a single actor it calls Vigorish Viper. The main purpose of the enterprise was to facilitate illegal online gambling for residents of what the report calls 'Greater China'. (This term isn't defined in the report, but from our reading of it we think it includes mainland China, Hong Kong, and Macau, but not Taiwan).  

Infoblox said the supply chain was organised into multiple entities performing different functions to "shield the operators from scrutiny and legal consequences". In OPSEC terms, Vigorish Viper compartmentalises its operations so the disruption of any single entity (such as a money launderer, hosting provider or payment service) by law enforcement action does not cripple the entire operation. 

In January this year, Russian hackers used a novel piece of ICS malware to cut the heating and hot water to over 600 apartment buildings in the city of Lviv, Ukraine.

The incident is believed to have impacted apartment blocks in Lviv's Sykhiv residential area. More than 100,000 people are believed to have been left without heating for almost two days as one of the city's heating providers, Lvivteploenergo, restored service.

The attack used a malware strain named FrostyGoop, according to a report released by industrial security firm Dragos this week.

Around 8.5 million Windows systems went down on Friday in one of the worst IT outages in history.

The incident was caused by a faulty configuration update to the CrowdStrike Falcon security software that caused Windows computers to crash with a Blue Screen of Death (BSOD).

Since CrowdStrike Falcon is an enterprise-centric EDR, the incident caused crucial IT systems to go down in all the places you don't usually want them to go out.

Russian authorities have allegedly arrested a member of the Trickbot cybercrime gang in Moscow this week.

According to a report from Russian news channel Baza, authorities have detained a 37-year-old man named Fedor Andreev on the morning of July 15 in a house in South Moscow.

Andreev was allegedly detained based on an Interpol red notice issued by Germany in May.

Western cyber security agencies are co-authoring reports with an increasing number of overseas agencies into Chinese cyber activity. And China doesn't seem to like it. 

The Australian Signals Directorate last week issued an advisory co-authored with German, Korean and Japanese intelligence, cyber security and law enforcement agencies, as well as the standard Five Eyes agencies that regularly contribute to advisories.

The advisory documented two successful compromises of Australian organisations and resulting investigations by the Australian Cyber Security Centre (ACSC). 

A Russian cybercrime group named Konfety has orchestrated a massive ad fraud operation that found and utilized a novel way to disguise its malicious apps and ad traffic.

The group's operations were discovered by researchers from HUMAN Security, a company specialized in detecting bot attacks and advertising fraud.

HUMAN says the Konfety group operates out of Russia and poses as an ad network company behind an advertising SDK named CaramelAds.

At least four cryptocurrency platforms hosting their domains on Squarespace have been hit by DNS hijacks over the past week.

The Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains reported losing control over their official websites on Thursday and Friday last week.

The hijackers pointed the domains to malicious servers hosting wallet-draining phishing kits.

Apple has sent this week a new batch of notifications about possible infections with mercenary spyware to iPhone users across 98 countries.

This was the company's second wave of notifications it sent this year after a first round back in April.

The new "mercenary spyware" notifications are Apple's older "state-sponsored attacks" alerts the company was sending in previous years.

The US Department of Justice has taken down a Twitter botnet operated by Russian news organization RT that was used to spread Kremlin propaganda on a large scale across Europe and the US.

According to court documents, the botnet consisted of at least 968 accounts and was operated by an editor-in-chief from RT's Moscow headquarters.

The botnet was established in early 2022, shortly after Russia's invasion of Ukraine, and its main role was to spread disinformation and favorable Russian narratives about the war.