Newsletters

Reports that a state-sponsored PRC cyber actor could be pursuing capabilities to disrupt US critical infrastructure are causing a stir.

This eye-catching nugget is contained within a Microsoft report about a group it calls Volt Typhoon. Microsoft thinks, with "moderate confidence", that Volt Typhoon's campaign is "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises".

The statement actually feels a bit out of place in the report as it doesn't contain any evidence that backs up the assessment. The report says that Volt Typhoon "typically focuses on espionage and information gathering", although it has "targeted critical infrastructure organisations in Guam and elsewhere in the United States". Microsoft says that in this campaign, affected organisations "span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors".

An Iranian hacktivist group calling itself "Uprising till Overthrow" has breached the Iranian President's Office and has leaked a large collection of classified documents.

According to a press release posted on the website of exiled opposition party MEK, the group claims to have taken control of more than 120 servers and over 1,300 computers inside the President's Office internal network.

The group claims to have had full control over the entire network, to the point they were able to decrypt classified material and encrypted communications from the past several years.

The Python Software Foundation has taken several actions to improve the security and privacy of the official Python Package Index (PyPI) following a series of incidents over the past few weeks.

Plans are currently underway to enable two-factor authentication (2FA) for PyPI accounts and to reduce the instances where the PyPI portal needs to store a user's IP address.

All accounts that maintain a Python library on the PyPI portal must set a 2FA method by the end of the year or have their access to some PyPI features limited.

Microsoft and the NSA have discovered a new Chinese APT group targeting critical infrastructure organizations in the United St.

Named Volt Typhoon, the group has been active since mid-2021 and has gone under the radar due to a focus on stealth in its intrusions.

Operators rely almost exclusively on living-off-the-land and hands-on-keyboard techniques to avoid detection.

Revelations that the FBI improperly used data collected for foreign intelligence under Section 702 of the Foreign Intelligence Surveillance Act (FISA) are fueling doubts about whether the authority will be renewed before it expires at the end of the year.

The news of the FBI searches is contained in a declassified court opinion released by the Director of National Intelligence. The opinion, issued in April of last year by the Foreign Intelligence Surveillance Court (FISC), describes the FBI as having a "pattern of broad, suspicionless queries that are not reasonably likely to retrieve foreign intelligence or evidence of crime".

Section 702 allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US and has been described by US officials as the "crown jewel" of US surveillance programs. The Section 702 amendment was motivated in part by terrorist use of US email service providers in the early 2000s.

The US Treasury has imposed sanctions on five North Korean entities, including a university where the government trains its cyber forces and two cyber units part of its intelligence apparatus.

Sanctions were levied against the Pyongyang University of Automation, which US officials say has trained many of the cyber units of the Reconnaissance General Bureau (RGB)—North Korea's primary intelligence bureau and main agency behind the country's cyber espionage and cyber thefts.

Officials also sanctioned two of the RGB's bureaus—the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center.

A cybercrime operation tracked as the Lemon Group has planted malware inside the firmware of almost nine million Android devices sold across the world over the past half-decade.

The group's malware has been found in the OEM firmware images of multiple brands of low-cost Android smartphones.

Trend Micro, which has been tracking the group for years, says it was unable to discover how exactly this was done, but the company suspects the group may be working with insiders at various smartphone factories.

Google says it plans to delete accounts that have been inactive for more than two years.

The company says that while the new policy has entered into effect this week, it will start mass-purging inactive accounts in December. This should give enough time for users to log in and reactivate older or backup accounts.

Google says it plans to first delete accounts that were created and never used again before moving to accounts that saw some activity.

Crimephones are back in the news after a legal challenge against the UK's National Crime Agency's Encrochat operation failed and it emerged that the Calabrian mafia have embraced a secure communications device from a company named No. 1 Business Communication.

The recent news is a good excuse to look back on the recent history of crimephones and the law enforcement operations that have rendered them worse than useless to criminals.

If you're not au fait, "crimephone" is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to help facilitate illegal activity. Typically these devices offer a hardened (in theory) OS, a pre-loaded encrypted messaging app, can only communicate with other similar devices in a closed network, and are sometimes stripped of extraneous functionality such as GPS, camera and microphone.

The US Justice Department has charged a Russian national named Mikhail Pavlovich Matveev for a series of ransomware attacks across the US, including two attacks against police departments.

Matveev is widely known in infosec circles under his hacker pseudonym of WazaWaka. He has also gone on underground forums under many other nicknames, such as Boriselcin, KAJIT, M1x, Orange, and Uhodiransomwar.

He is a known initial access broker and a former affiliate for ransomware gangs such as Babuk, Conti, Darkside, Hive, and LockBit. He is also one of the founders of RAMP, a notorious dark web cybercrime forum that launched in the spring of 2021.