Newsletters

Written content from the Risky Business Media team

Risky Biz News: Prigozhin troll farms in limbo following Wagner mutiny

Presented by Catalin Cimpanu, News Editor

Several Russia-based news outlets are reporting that Yevgeny Prigozhin is shutting down his Patriot media company in the aftermath of his failed mutiny at the head of the Wagner PMC last month.

The Patriot media group is a holding company for a dozen Russian-language propaganda and fake news sites, such as RIA FAN, Politika Segodnya (Politics Today), Ekonomika Segodnya (Economics Today), Nevskiye Novosti (Nevsky News), and Narodnye Novosti (People's News). It is also the holding company for the Internet Research Agency—Russia's infamous "troll farm" linked to multiple instances of election interference across the world.

Prigozhin has allegedly fired all employees and plans to shut down all of the news sites. All of this information comes from Patriot media group insiders; Prigozhin has not made a formal statement, nor has he been seen or heard from since leaving Russia for Belarus.

Risky Biz News: New hacker extradition battle begins between the US and Russia

Presented by Catalin Cimpanu, News Editor

Authorities in Kazakhstan have decided to kick a hornet's nest and arrested Nikita Kislitsin, the top executive for Russian cybersecurity firm FACCT—the former Russian branch of Group-IB, which split from its parent company earlier this year.

Kislitsin was detained following an international arrest warrant issued by the United States. US authorities are seeking his extradition in relation to a case where he's accused of selling login credentials for Formspring accounts way back in 2012.

All of this happened on June 22. Six days later, on June 28, a Moscow court issued an arrest warrant in absentia in Kislitsin's name on some mysterious hacking charge. No details were provided.

SEC vs SolarWinds 2: This Time it's Personal

Presented by Tom Uren, Policy & Intelligence

SolarWinds executives have been formally warned by the US Securities and Exchange Commission that it plans to bring enforcement actions against them over the 2020 supply chain attack that involved compromise of the company's Orion software platform.

In its SEC filing this week, SolarWinds announced that "certain current and former executive officers and employees of the Company, including the Company’s Chief Financial Officer and Chief Information Security Officer received 'Wells Notices'". A Wells Notice indicates that SEC staff have recommended the commission pursue a civil enforcement action against the recipients because the SEC believes they may have broken US federal securities laws.

The filing doesn't make it exactly clear what the executives are thought to have done wrong, but SolarWinds' last quarterly report provides some clues. Back in October 2022, the company as a whole received its own Wells Notice, which alleged "violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures".

Risky Biz News: Move aside RowHammer, the RowPress attack is here

Presented by Catalin Cimpanu, News Editor

Back in 2014, a new attack named RowHammer upended the memory market and forced chip makers to rethink how they were manufacturing and what type of security features they were baking into DRAM chips.

The RowHammer attack—and all its variations—used super-fast read-write operations directed at a row of memory cells inside a DRAM chip to generate electrical disturbances that altered or corrupted data in nearby rows.

Throughout the years, chip vendors started placing memory rows at larger distances between each other and added software-level protections to detect when apps were accessing memory rows at super-high rates.

Risky Biz News: EU sanctions Russian cybersecurity firms

Presented by Catalin Cimpanu, News Editor

The European Union has issued its 11th package of sanctions against Russia for its invasion of Ukraine. Issued last Friday, the sanctions list was expanded with 71 individuals and 33 entities, including five Russian cybersecurity and IT companies: Positive Technologies, NTC Vulcan, Echelon, Iteranet, and Poisk-IT.

EU officials say the companies provide IT services to support the activity of Russian intelligence services, such as developing hacking tools and data collection and analysis.

The biggest name on the list is Positive Technologies, one of Russia's largest cybersecurity companies. This is the second time the company has been sanctioned. It was also sanctioned by the US Treasury in April 2021 for providing hacking tools to the FSB and using its security conference as an FSB and GRU recruiting hub.

Risky Biz News: Romania to hack-back foreign APTs

Presented by Catalin Cimpanu, News Editor

The Romanian government will hack back the command and control servers of foreign APT groups targeting the country, General Anton Rog, the head of CyberInt, the cyber division of the Romanian Intelligence Service, said this week at an IT conference in Bucharest.

Gen. Rog says the purpose of hack-back operations will be to acquire malware samples, share them with partners, and disrupt operations.

The agency's new approach is part of a new national cybersecurity strategy adopted in December 2021, which also contains an offensive component that would facilitate such operations.

China's Barracuda Hacks Were Just Plain Rude

Presented by Tom Uren, Policy & Intelligence

The polite thing to do when your APT operation is discovered by your adversaries is to pack up, go home, and ready your next campaign. What you shouldn't do is escalate in response to discovery, dig in, and turn thousands of expensive email gateway appliances into boat anchors.

But this is exactly what a Chinese APT group did in response to one of its recent campaigns being rumbled.

Last week, Mandiant published a report attributing a recent "wide-ranging campaign" exploiting a Barracuda Email Security Gateway (ESG) vulnerability to a PRC cyberespionage actor it tracks as UNC4841.

Risky Biz News: Albania raids Iranian MEK camp for running a "hacker center"

Presented by Catalin Cimpanu, News Editor

Albanian law enforcement raided a refugee camp hosting members of Iranian opposition party Mujahedeen-e-Khalq (People's Mujahedin of Iran, or MEK) on suspicion of operating a "hacker center" that conducted cyber-attacks against foreign institutions.

The raids took place on Tuesday, June 20, and targeted a camp near the city of Manez in western Albania.

The camp hosts around 3,000 MEK party members who were relocated to Albania in 2013 after their previous camp in Iraq came under attack from Iraqi and Iranian forces.

Risky Biz News: Microsoft embarrassingly admits it got DDoSed into the ground by Anonymous Sudan

Presented by Catalin Cimpanu, News Editor

Microsoft has quietly confirmed that the recent outages of its Outlook, OneDrive, and SharePoint online services were caused by DDoS attacks carried out by a pro-Kremlin group named Anonymous Sudan (Storm-1359 in Microsoft's internal nomenclature).

That's quite the embarrassing statement from one of the world's top three cloud providers that, apparently, can't protect its own services.

In a blog post published late Friday, Microsoft seems to have been caught off guard by the group's choice of attack methodology.

Risky Biz News: LockBit gang made $91 million from US attacks

Presented by Catalin Cimpanu, News Editor

The operators of the LockBit ransomware are believed to have made more than $91 million in ransom payments from more than 1,700 attacks targeting US organizations, according to CISA and the FBI.

The figure covers LockBit's entire lifespan since its official launch in January 2020, but it does not include ransom payments that have not been reported to the FBI or payments made by foreign companies.

Regardless, this puts LockBit right up there with the best-earning ransomware gangs of all time, trailing the likes of Ryuk, REvil, and Darkside. [obviously, based on limited visibility into the ecosystem]