Newsletters

The abuse has been rampant and hard to miss. Cybersecurity firms like Proofpoint, Sophos, WithSecure, McAfee, Perception Point, OpalSec, S2W, InQuest, Yoroi, K7, and Trustwave [1, 2] have all published reports in recent weeks covering the OneNote abuse—by both cybercrime and APT groups alike.

Until now, OneNote's default behavior has been to show a warning to users that opening the embedded file could be damaging to their computers.

Starting mid-April and continuing throughout the year, Microsoft says it plans to update the OneNote app across its platforms and block the execution of embedded files altogether. Instead of the popup warning users about the embedded file, OneNote would show one telling them the file will not be executed at all.

A Shodan search returns more than 245,000 3CX VoIP IPBX servers, just to give you an idea of how popular the 3CX system is.

As for 3CX, well, it's not good. At all. First, they didn't detect the intrusion for months. Second, when several antivirus products started detecting their clients as malicious, they repeatedly claimed it was just false positives, over and over again, without investigating further. When 4-5 different vendors see the same thing, it's probably a indicator you should look at your app. Third, some customers said that when they went to 3CX's customer support with CrowdStrike's findings, they were asked to "open a support ticket at £75 per incident." That's just... not what people wanted to hear.

The company did eventually confirm the incident in a blog post and promised to release new clean desktop client versions. Until then, 3CX recommended that customers use its web-based PWA app instead.

A professional association for military cyber professionals, the MCPA, is calling on Congress to establish a 7th branch of the armed services, a US Cyber Force.

The formal request, a single page, is a bit light on and the justification is contained in a single paragraph:

That's it, and we are not convinced.

France bans recreational apps from govt devices: The French government has banned public officials from installing any type of "recreational apps" on their work phones. The ban covers TikTok but also other social media applications. The French government cited national security concerns for imposing the ban. More in the government's press release [PDF].

Bug bounty bill stalls in Russia: A proposed law to legalize white-hat bug bounty programs in Russia has hit a roadblock following criticism filed by the FSB intelligence agency, according to Vedomosti.

Iran receives Russian cyber-weapons: The Russian government is supplying advanced cyber weapons to Iran. The deal is part of an exchange where Iran has provided Russia with drones and ammunition to be used in its war in Ukraine. Sources who spoke with the WSJ [non-paywall] say the Tehran regime has received advanced software to hack the phones and systems of dissidents and adversaries. In addition, Russia has provided Iran with equipment and software for internet censorship and allow Tehran officials to monitor, intercept, redirect, or degrade the mobile communications of its citizens.

Synacktiv's team members for this year's contest included Eloi Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert.

Besides the $530,000 and the Master of Pwn trophy, Synacktiv will also receive a Tesla Model 3 car—as part of an agreement between the contest organizers (the Zero-Day Initiative) and Tesla.

All in all, Synacktiv went home with more than half of the prizes awarded at Pwn2Own this year—$1,035,000 and a car.

Chinese security products for Russia: As part of the recent high-level meetings between Russian and Chinese officials in Moscow this week, the two governments signed several treaties of cooperation, including on cybersecurity topics. According to Russian news outlet Octagon Media, China will provide Russia with "test system firewalls" that can be used to protect against cyber attacks and help disconnect the country from the global internet network. These systems will be deployed in Russia's largest urban centers, such as Moscow, St. Petersburg, Kazan, Vladivostok, Grozny, and other cities with over one million in population. In addition, the two governments have also agreed that their intelligence services cooperate on "cybersecurity issues," although details are obviously not public on what this can mean.

Russia has dumb IT idea again: The Federal Service for Technical Export Control, an agency inside the Russian Ministry of Defense, is exploring the idea of forcing Russian critical infrastructure operators to block their email servers from interacting with foreign IP addresses. The "galaxy brain" idea, reported by Kommersant, will most likely lead to some hilarious situations where legitimate emails and alerts won't get delivered, likely leading to technical outages and missed communications with customers and contractors.

UK healthcare cybersecurity strategy: The UK government has published a cybersecurity strategy for the healthcare and social care sector. The strategy focuses on five pillars: (1) focusing on the greatest risks and harms; (2) defending as one; (3) establishing a cyber culture and a cyber workforce; (4) building secure systems; and (5) exemplary response and recovery.

In addition to Wagner, Prigozhin controls other state-linked companies such as a large catering business and the Internet Research Agency, which used social media to interfere with the 2016 US Presidential election. At various times he's been described as a close confidant of Vladimir Putin, although that closeness has probably been overstated in most public reporting.

The investigation into his business empire's IT operations, fueled by an analysis of the stolen documents, was published by Dossier Center, a Russian transparency initiative funded by exiled Russian opposition figure Mikhail Khodorkovsky.

The expose (English translation here) based on the leaked documents makes for remarkable reading. There's the substance of the documents — he's apparently been keeping two sets of accounting books, for example — and then there's the meta revelations about how Prighozin's organisation approaches security. Its approach to infosec is, to put it one way, extremely not great.

Both the clear web and dark web versions of BreachForums went down on Monday, and it was initially believed the downtime was most likely caused by Baphomet's attempts to move the site to new servers.

This was, however, not the case. In a follow-up message posted on Tuesday, Baphomet said BreachForums would shut down for good because the site "is not safe anymore."

Baphomet says that while migrating the site, they found evidence that "the glowies" (aka government agents) gained access to Pompompurin's machine and had accessed some CDN servers that were part of the BreachForums backend.

GitHub stars black market: DevOps company Dagster has a deep dive into how to spot projects that have bought GitHub stars off the black market.

Safe npm: DevOps company Socket has released what it calls "safe npm," a security wrapper for the npm package manager utility that pauses installations whenever it detects a malicious or risky package.

NordVPN goes FOSS: NordVPN has open-sourced its Linux VPN client, Libtelio, a networking library used across NordVPN apps, and Libdrop, a library used to share files over Meshnet.

ChipMixer: US and European law enforcement authorities have taken down ChipMixer, a dark web-based cryptocurrency mixing service. Officials say the portal launched in 2017 and has helped criminal groups launder more than $3 billion worth of assets. As part of the operation, officials took control of servers in Germany, seized Bitcoin worth €44 million, and charged the service's owner, Minh Quốc Nguyễn, a 49-year-old man from Hanoi, Vietnam. Below are some of the funds ChipMixer processed through the years, per the US DOJ:

ViLE members charged: The US government has charged two members of the ViLE hacking crew that broke in May 2022 into a law enforcement portal operated by the US Drug Enforcement Administration (DEA). US officials say that Sagar Steven Singh, who went online as Weep, and Nicholas Ceraolo, known as Convict, used the stolen passwords of US and foreign police officers to access the portal. The duo collected personal data and extorted victims for money, threatening to release their personal information on the internet. In addition, US officials say Singh and Ceraolo also used the portal to file fake emergency requests with US tech companies in order to deanonymize online accounts and identify future extortion victims. According to KrebsOnSecurity, doxes would typically be posted on Doxbin, a doxing site where both suspects were allegedly staff members. US authorities arrested Singh this week while Ceraolo remains at large.

NFT hackers on the hook: A Florida judge has ruled in favor of a plaintiff who had their NFTs stolen by hackers in December 2021. The judge ruled that the unidentified hackers must pay the plaintiff $971,291 worth of USDT (Tether), plus interest, for the NFT assets they stole. The case marks the first instance where a judge issues a default judgement against NFT hackers, giving victims the means to recover stolen funds once the hackers are identified. [Read more in Decrypt]