Newsletters

Law enforcement agencies from 11 countries have disrupted the LockBit ransomware operation in the most thorough and coordinated takedown of a cybercrime portal that has been seen to date.

As part of what they codenamed Operation Cronos, officials seized LockBit server infrastructure, froze cryptocurrency wallets holding past ransoms, released decryption tools, arrested members, filed additional charges, and imposed international sanctions.

The operation began months ago and was led by the UK's National Crime Agency (NCA). The agency claims it infiltrated the gang's servers, mapped out infrastructure, collected encryption keys, and accessed the LockBit backend, where admins and affiliates collected stats about attacks and negotiated with victims.

ENEA, a Sweden-based telecom security firm, claims it reproduced a user fingerprinting technique advertised and sold by Israeli spyware vendor NSO Group.

Named MMS Fingerprinting, the technique can collect information on a target's smartphone and operating system just by sending an MMS message.

NSO Group claims no user interaction is needed besides knowing the target's phone number.

Microsoft has released this week an optional servicing update that rotates digital certificates used by the Secure Boot feature.

The update is likely to unclench some sphincters in the IT administration and cybersecurity community, as the certificates were set to expire in 2026.

Once the certificates expired, Windows systems where Secure Boot was enabled would have failed to boot. The issue would have also impacted some Linux systems that use Microsoft certificates for their bootloader, such as Ubuntu.

A new report turns a harsh spotlight onto the commercial surveillance industry that markets spyware reportedly used by bad actors to target human rights defenders, dissidents and other 'high risk' users.

Published by Google's Threat Analysis Group (TAG), the report and accompanying blog describes what it calls a "lucrative industry" that sells governments and "nefarious actors" the ability to exploit vulnerabilities in consumer devices.

The report states that while spyware vendors point to their tools' "legitimate use in law enforcement and counterterrorism," analysis from Google and researchers from the University of Toronto’s Citizen Lab and Amnesty International uncovers the use of spyware against "high risk users" such as journalists, human rights defenders, dissidents and opposition party politicians.

South Korean researchers have cracked the encryption scheme used by the Rhysida ransomware and have released a decrypter that can allow victims to recover files without paying the ransom.

The decrypter is available through the website of South Korea's cybersecurity agency (KISA) and is based on a white paper published by academics from Kookmin University and KISA members.

The decryption tool works only for Windows systems and exploits a weakness in the ransomware's cryptographically secure pseudo-random number generator (CSPRNG). This is an algorithm that takes data from a local PC to generate a random number that is then used to create an encryption key that Rhysida uses to encrypt a victim's files.

An international law enforcement operation has led to the capture of two individuals believed to have created and operated Warzone RAT, a Malware-as-a-Service operation that has been running since at least 2019.

Authorities have detained Daniel Meli, a 27-year-old from Malta, and Prince Onyeoziri Odinakachi, a 33-year-old from Nigeria.

Meli allegedly created and sold the Warzone RAT through its official website at warzone.ws. Odinakachi allegedly worked as a customer support, providing help to the malware's buyers.

Ransomware gangs made out like bandits last year, collecting an estimated $1.1 billion worth of cryptocurrency via ransomware payments, according to blockchain tracking company Chainalysis.

The number is at an all-time high for ransomware operations and is almost double 2022's figure when experts saw only $567 million going to ransom payments.

The 2022 dip can be attributed to Russia's invasion of Ukraine, which disrupted relations in the cybercriminal underground as gangs shuffled members or some operations were "redirected/hijacked" towards hacktivism or cyber espionage.

The US is grappling with Chinese cyber actors who appear to be building the capability to disrupt critical infrastructure during a potential military conflict. 

In late-breaking news, the US agencies responsible for cyber security and critical infrastructure have released an advisory about the group known as Volt Typhoon. 

The advisory states [emphasis added]:

The US government has restricted visas for individuals involved in the development and misuse of commercial spyware.

The Department of State says commercial spyware has facilitated repression and enabled human rights abuses.

"Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases. Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel," Secretary of State Antony Blinken said in a statement.

The identities of two Iranian cyber groups have been exposed over the course of seven days last week.

The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).

The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on October 7 last year.