Newsletters

The Australian, US and UK governments have upped the ante against cybercriminals by launching coordinated sanctions against a single individual involved in a significant extortion attack.

On Tuesday this week, the Australian government announced financial and travel sanctions targeting Aleksandr Gennadievich Ermakov, a Russian national, for his role in the hack of Medibank Private, an Australian health insurance company.

Australia employed its cyber sanctions regime for the first time in this case. On the same day, the US and UK governments sanctioned Ermakov.

Australia, the UK, and the US have sanctioned a Russian national for his role in a ransomware attack on Australian private insurance provider Medibank in October 2022.

Identified as Alexander Ermakov, he is believed to be connected to the REvil ransomware operation, where he allegedly operated under pseudonyms such as GustaveDore, JimJones, Blade_Runner, and aiiis_ermak. Ermakov is believed to be 33 and a resident of Moscow.

Officials say Ermakov was a "pivotal" and "key actor" in REvil's attack on Medibank, considered one of Australia's worst cybersecurity incidents.

Russian state-sponsored hackers have breached Microsoft's internal network and have stolen emails from the company's senior leadership, legal, and cybersecurity teams.

The intrusion began in late November of 2023 and lasted until January 13, when Microsoft kicked the hackers off its network.

The Redmond-based giant attributed the attack to Midnight Blizzard, one of the cyber units inside Russia's Foreign Intelligence Service (SVR).

Following a hearing of the Senate Homeland Security and Governmental Affairs Committee, US lawmakers said they're considering legislation that would make the DHS Cyber Safety Review Board (CSRB) a permanent organization in the US cybersecurity space.

Established in May 2021 through a White House executive order, the CSRB was set up as an analog to the TSA's National Transportation Safety Board (NTSB).

It was established in the aftermath of the SolarWinds supply chain attack as an independent board tasked with investigating cybersecurity-related incidents that affect the US government and issuing recommendations to improve security measures across both the US public and private sectors.

Not only are cyber espionage groups likely based in China using living-off-the-land techniques to operate stealthily, they are adopting techniques that make post-discovery eviction more difficult.

Two separate campaigns reported in recent weeks illustrate the different techniques actors believed to be associated with the PRC are using. In one campaign, a group that had been operating slowly and discreetly switched to large-scale device exploitation and used various persistence mechanisms to 'dig in' once it was discovered.

In the second campaign, the actor concerned used compromised end-of-life devices in a botnet to relay command and control communications.

A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

A Chinese state-sponsored espionage group has compromised and is currently controlling roughly 30% of all Cisco RV320 and Cisco RV325 WAN routers across the internet.

Active infections were spotted by SecurityScorecard's STRIKE Team over the past 37 days, between December 1, 2023, and January 7, 2024.

The routers are infected with and are part of KV, a botnet first spotted by internet infrastructure company Lumen last month. According to Lumen, the same botnet also consists of a large number of DrayTek Vigor routers, NETGEAR ProSAFE firewalls, and Axis security cameras.

A Chinese state-sponsored hacking group has exploited two zero-days in Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) to gain access to corporate networks.

The zero-days were discovered by American cybersecurity firm Volexity, which attributed the attacks to a group it tracks as UTA0178.

Ivanti has published mitigations and workarounds that customers can apply until firmware patches are released on January 22.

Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment.

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras.

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.