Newsletters

Written content from the Risky Business Media team

Why the Snake Takedown Will Hurt the FSB

Presented by

Tom Uren

Policy & Intelligence

The joint cybersecurity advisory on Snake, co-authored by the US government and Five Eyes cyber security authorities, is tremendous. It manages to cover the big picture while also drilling down to provide detailed technical information in a very readable way.

Per the report:

The report describes Snake as sophisticated because it is stealthy, modular, runs on different operating systems and is also well built, "with the implant containing surprisingly few bugs given its complexity". Initial versions were called "Uroburos" and included part of the historical illustration of an Uroburos (above) by German philosopher Jakob Böhme.

Risky Biz News: FBI takes down Turla's Snake malware

Presented by

Catalin Cimpanu

News Editor

Officials also formally attributed Snake to Centre 16 of Russia's Federal Security Service (FSB)—marking the first time any foreign government has linked the highly advanced Turla APT to the Russian government.

At the technical level, officials called Snake the FSB's "most sophisticated cyber espionage tool."

Five Eyes agencies say the FSB typically used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.

Risky Biz News: China's Great Firewall can now block Shadowsocks, VMess, and Obfs4

Presented by

Catalin Cimpanu

News Editor

New York crypto-legislation: New York Attorney General Letitia James submitted a bill last week that would introduce a slew of regulations for cryptocurrency platforms active in the state. If approved, James says the bill will introduce the strongest and most comprehensive set of regulations on cryptocurrency companies of any US state. Among the bill's most interesting points are mandatory know-your-customer (KYC) provisions for cryptocurrency platforms and a ban on cryptocurrency exchanges issuing and trading in their own tokens. Cryptocurrency companies would also be banned from using terms like "stablecoins" unless such digital assets are backed 1:1 with US currency. The bill also mandates that crypto exchanges reimburse customers who were victims of fraud, the same rules that have applied in the banking sector for years.

RTF anniversary: On the two-year anniversary of its launch, the Ransomware Task Force says its efforts to get governments and the private sector to act against ransomware attacks are finally coming to fruition. The non-profit says that 92% of the 48 recommendations the organization made in 2021 have seen some action, with more than half seeing significant progress, "including through legislation and policy adoption." More in the organization's overview report and press conference (embedded below). [Additional coverage in Decipher]

Material Security co-founder Ryan Noon demos Material Security's email security solution to Risky Business podcast host Patrick Gray.

Risky Biz News: Facebook takes down NodeStealer malware before it can take off the ground

Presented by

Catalin Cimpanu

News Editor

FTC proposes ban on Facebook monetizing youth data: The US Federal Trade Commission has proposed barring Meta from monetizing children's data. FTC officials say the company violated a 2020 privacy order in regard to its Facebook Messenger for Kids service. The agency says Meta misled parents about their ability to control with whom their children communicated through the Messenger Kids app and misrepresented the access some app developers had to children's data.

40+ orgs sign open letter: More than 40 leading pro-privacy organizations have signed an open letter to urge governments around the globe "not to follow the path of authoritarian governments like Russia and Iran" and defend encryption, privacy, and press freedom. Organizations that have signed the letter include the Tor Project, Mozilla, Proton, Threema, Tutanota, the Document Foundation, and Mullvad, among many others.

Discord changes username format: Instant messaging service Discord plans to change the format of its user accounts and move away from the "username#code" format to the classic @username system typically used by Twitch and Twitter. The company plans to prompt users over the coming weeks to choose a unique username. The move is expected to lead to a rise in the prices of Discord accounts sold on hacking forums, where OG accounts are highly valued.

Iran: Fake It Till You Make It

Presented by

Tom Uren

Policy & Intelligence

Some interesting research has been published lately on cyber-enabled influence operations. Unsurprisingly, different countries — Iran, China, and even the UK — are taking different approaches here.

Firstly, Iran is taking a "fake it till you make it" approach. A Microsoft Threat Intelligence report this week describes how the new standard practice for Iranian state actors is to combine cyber operations with influence operations in what it calls "cyber-enabled influence operations".

Microsoft defines these types of operations as ones that combine "computer network operations with messaging and amplification in a coordinated and manipulative fashion to shift perceptions, behaviours, or decisions by target audiences to further a group or a nation’s interests and objectives". An operation might include, say, a website defacement coupled with publication and amplification on social media such as Telegram and Twitter.

Risky Biz News: Apple and Google release new spec to combat the use of Bluetooth devices for unwanted tracking

Presented by

Catalin Cimpanu

News Editor

Nine money laundering sites seized: US and Ukrainian authorities have seized nine cryptocurrency exchanges. Officials said the websites were advertised on private hacker forums and had been used to launder the profits of online scams and cybercrime operations. Officials say they seized servers in the US, Ukraine, and across Europe that helped host the portals. The nine exchanges are 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro, and owl.gold.

Operation SpecTor: Europol has confirmed that the sudden shutdown of the Monopoly dark web marketplace in December 2021 was the result of a law enforcement takedown orchestrated by German police. Almost 16 months after the initial takedown, Europol says intelligence gathered by German authorities allowed law enforcement agencies across nine countries to detain 288 of the market's vendors and seize more than €50 million in cash and virtual currencies, more than 850 kg of drugs, and 117 firearms. Europol says the arrests are part of Operation SpecTor, the agency's most successful operation against dark web markets to date.

KEV update: CISA has updated its KEV database with three new vulnerabilities that are currently being actively exploited. The first is a vulnerability in TP-Link routers (CVE-2023-1389) that was discovered at last year's Pwn2Own hacking contest and is now exploited by a Mirai botnet. The second is a variation (CVE-2021-45046) of the Log4Shell vulnerability in the Apache Log4j2 component. And the last is a security flaw (CVE-2023-21839) in Oracle WebLogic servers that was patched in January and is now abused for initial access.

Risky Biz News: Hacker exposes 986 Bitcoin addresses operated by Russian intelligence agencies

Presented by

Catalin Cimpanu

News Editor

Speaking at CoinDesk's Consensus conference last week, Chainalysis CEO Michael Gronager said he believes the hack-and-leak is real because the hacker didn't send small transactions that would have gone unnoticed, but instead burned more than $300,000 of Bitcoin in the process.

"Our hypothesis is that the OP_RETURN sender did this to make the discovery of the transactions, and the accusations associated with them, more likely," the company also wrote in a report.

Three of the 986 Bitcoin addresses that received funds were previously known to have been used by Russian intelligence in past operations, such as for the SolarWinds hack and to lease servers for the DCLeaks website.

Risky Biz News: Google disrupts CryptBot malware operation

Presented by

Catalin Cimpanu

News Editor

Brazil bans Telegram: A Brazilian judge has temporarily suspended access to the Telegram app in the country. Government officials say Telegram failed to cooperate with a law enforcement investigation and provide information to police about neo-Nazi chat groups hosted on its service. Brazilian ISPs are already blocking access to the app, and Apple and Google were ordered to block access to the app in their stores for Brazilian users. [Additional coverage in ABC News]

US National Cybersecurity Strategy: The White House is expected to announce a roadmap to implement its new National Cybersecurity Strategy later this summer, Acting National Cyber Director Kemba Walden said this week at the RSA security conference. [Additional coverage in CybersecurityDive]

Hawaii censorship law will go: The US state of Hawaii is preparing to repeal a Cold War-era law that allows the governor or even a mayor to suspend all "electronic media transmissions" during a state crisis. Lawmakers say they fear the law's generic language could lead to situations where state officials abuse it to suspend all electronic communications, including internet content such as social media posts and emails. The push to have the law repealed has been led by the Hawaii Association of Broadcasters, which fears the law could be abused to silence media outlets. Hawaii lawmakers say the law has never been invoked. [Additional coverage in the Associated Press]

North Korea's "Vibes-Based" Targeting

Presented by

Tom Uren

Policy & Intelligence

The 3CX supply chain attack this March was enabled by a prior supply chain attack against a company named Trading Technologies. We're not that surprised that the supply chain hackers did other supply chain hacking. If anything, we think the real angle here is what this incident teaches us about North Korea's expansive targeting priorities and operations.

Trading Technologies, a company that facilitates futures trading, was compromised some time in 2021 and the firm's X_Trader software package trojaned. Even though X_Trader had already been discontinued, the malicious version remained available on the firm's website and a 3CX employee subsequently downloaded and installed it on their personal computer. The attackers/operators used this access to steal the employee's work credentials which granted them administrator-level access to 3CX systems.

Mandiant has attributed the activity to a financially-motivated North Korean APT group it calls UNC4736.

Risky Biz News: SLP protocol can be abused for large-scale DDoS attacks with huge 2,200x amp factor

Presented by

Catalin Cimpanu

News Editor

The vulnerability—tracked as CVE-2023-29552—allows an attacker to send a small request to an SLP server that is then bounced toward a victim's network at a much larger size.

This trick is used by threat actors to execute "reflected DDoS attacks," and in the case of SLP, researchers say the protocol's amplification factor is a whopping 2,200x, which ranks SLP as the protocol with the third-largest amplification factor ever observed.

Because of the protocol's huge output potential for DDoS attacks, both Cloudflare and Netscout expect "the prevalence of SLP-based DDoS attacks to rise significantly in the coming weeks" as threat actors learn to exploit it.