Newsletters

Horny DOD: The Office of the Inspector General for the Department of Defence has found that DOD employees often flaunt rules and install unauthorized apps on government devices, exposing themselves to cybersecurity risks. An audit of DOD employee smartphones has found dating apps, third-party VPNs, cryptocurrency apps, Chinese drone apps, games, and apps related to multi-level marketing schemes installed on DOD devices. The DOD-OIG has recommended that the DOD employees remove the apps, remove access to unmanaged app stores, and require DOD employees to forward a complete list of DOD messages sent via unauthorized messaging apps installed on their work devices so officials can address any possible leaks and risks. [More in Gizmodo]

What a massive surprise: Everyone at RiskyBiz is absolutely shocked that the emails of a UK MP who showed support for Ukraine and were allegedly hacked by Russian intelligence services have reached the hands of a former UK politician peddling pro-Kremlin propaganda like "NATO blew up NordStream 2" and "NATO provoked Russian into invading Ukraine."

Airlock Digital is one of this newsletter's four main supporters and this week's featured sponsor. Earlier this year, in May, Airlock Digital CEO David Cottingham held a product demo with Patrick Gray, the host of the main Risky Business podcast, showing how Airlock's allow-listing product works.

New Ali's Justice (Edalat-e Ali) hack: Iranian hacktivist group Ali's Justice (Edalat-e Ali) has hijacked the signal of Iran's state television channel IRIB on the 44th anniversary of the Iranian Revolution, which took place on Saturday, February 11. The hacktivist group interrupted a speech from Iran President Ebrahim Raisi and replaced it with a call to the Iranian people to withdraw money from government banks and to assemble in new anti-government protests to take place on February 16. The interruption only lasted one minute and was also accompanied by a "Death to Khamenei" slogan.

MSDT EOL: Microsoft has announced the end-of-life for its Microsoft Support Diagnostic Tool, a built-in tool that shipped with many previous Windows versions and would work by launching automatically to diagnose and correct common problems for a variety of Windows features. Microsoft says that starting this year, MSDT will start redirecting users to the Get Help troubleshooting platform, and the MSDT platform will be removed completely in 2025.

CHERIoT: Microsoft has open-sourced CHERIoT, a security-first real-time operating system (RTOS) and software stack for running on embedded devices with under 256 KiB of SRAM. The name stands for Capability Hardware Extension to RISC-V for Internet of Things.

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

PyPI malware: DevSecOps Sonatype has identified four malicious Python libraries hosted on the official PyPI portal. The libraries contained functionality to install other malware, delete the netstat utility, and tamper with SSH keys installed on a system to allow an attacker to connect remotely.

QakNote: We touched in one of our previous editions about the rise in the use of OneNote documents to deliver malware. We had reports on the topic from Proofpoint, WithSecure, OpalSec, and Yoroi. Now, Sophos has one out, too—detailing how the QakBot gang is weaponizing OneNote for its campaigns.

Our initial response to news that a spy balloon was merrily floating its way across the continental United States was scepticism. What could the PRC hope to achieve with a balloon that it couldn't achieve with other intelligence sources, such as space-based collectors?

Well, according to the Chinese government it wasn't a spy balloon at all. In a statement that leaves behind a truly hilarious amount of wiggle room, China's government claimed it was a civilian research airship used for "mainly meteorological" purposes.

The yanks aren't buying it. The US government is adamant that balloon was up to no good.

SperaxUSD crypto-heist: A threat actor exploited a bug in the protocols of the SperaxUSD cryptocurrency service and stole roughly $300,000 from the company.

Vesuvius incident: UK engineering company Vesuvius says it suffered a cybersecurity breach. The company says it shut down affected systems and is working to investigate the incident and restore systems. The company has more than 10,000 employees across the world and is known for its metal and ceramics work and molten metal flow engineering.

RSAWeb ransomware attack: A ransomware attack has been identified as the source of a days-long outage that has impacted the services of South African telco and cloud hosting provider RSAWeb. The incident took place on February 1, and the company took days to fully recover, according to a notification the company sent to its customers. The company says the attack affected its website, internet fiber, mobile, hosting, VoIP, and PBX services. [Press coverage in MyBroadband]

An analysis from OVHcloud's security team initially identified the ransomware as a version of the newly launched Nevada strain. Another report identified it as a version of the Cheerscrypt ransomware—and based on the leaked Babuk ransomware source code.

In the end, both initial assessments proved to be incorrect, and currently, the ransomware strain is tracked as ESXiArgs.

All in all, French cloud hosting provider OVH had a front-row seat to the attacks because France hosted most of the affected servers, hence why France's CERT team was the first agency to spot the outbreak before anyone else.

GoodRx fine: The US Federal Trade Commission has fined GoodRx, a telehealth and prescription drug discount provider, $1.5 million for sharing the personal and health information of its customers with online advertisers. The FTC says that in 2019, GoodRx compiled lists of its users who used their apps or visited their site to purchase particular medications, such as those used to treat heart disease and blood pressure. These lists included a buyer's email address, phone number, and mobile advertising ID. The FTC says GoodRx uploaded these lists to Facebook's ad platform so it could identify its users' real-world profiles and names and then re-advertise its products to the same users with targeted advertising.

Chrome updates: Google has changed how new Chrome releases are coming out. Starting with Chrome 110, Google says it will ship its stable version to a small percentage of users ahead of everyone else. This should technically allow Google to catch issues before they affect all its users during the normally scheduled release.

Tor donations: The Tor Project says it received only $367,674 from user donations last year. The sum represents the lowest sum received from donations over the past three years. The organization said the dip came following the cryptocurrency crash of last year.

Last week the FBI announced the conclusion of a months-long disruption campaign targeting the Hive ransomware group that culminated in the seizure of the group's servers.

Hive was the world's most commonly deployed ransomware strain.

In addition to seizing control of the IT infrastructure that Hive used to communicate with its members, the FBI had been passing decryption keys to Hive victims for several months. From the FBI's press release:

Google did not name the upstream operator by name, but its Fi service uses only two upstream providers, namely T-Mobile and US Cellular, and T-Mobile disclosed a security breach to the SEC earlier this month—so connecting the dots is definitely not rocket science.

While Google told customers they should be wary of possible phishing emails trying to leverage this incident, at least one Reddit user says the email they received from Google Fi also included an additional line notifying them that their Fi service was changed to a new SIM card as part of what looks like a SIM swapping incident. However, this scenario is currently being called into question as, per Google's email, the supposed stolen data would not have been enough to perform a SIM-swapping attack.

GitHub breach: GitHub says that a threat actor breached internal source code repositories and stole two code-signing certificates. The breach took place last year on December 7. GitHub says the certificates were encrypted and password-protected, and as a result, they haven't seen any sign they were misused in the wild. Furthermore, both certificates were about to expire in January and February this year and will become useless to the intruder either way. The breached repositories contained the source code of the GitHub Desktop app and the GitHub Atom code editor. GitHub's security team says it did not find any unauthorized edits to the code, and both apps remain safe to use.

Hive reward: The US State Department is offering a $10 million reward for any information that can reveal the identity and location of members of the recently-disrupted Hive ransomware group or information that could help link the gang's members with a foreign government.

Golden Chickens: Something we missed last August is this eSentire report, where the company claims to have tracked down the person behind the Golden Chickens Malware-as-a-Service (MaaS). eSentire researchers believe the malware's creator (badbullzvenom) is a Moldovan national living in Canada or a Canadian sharing their account with someone in Moldova. The Golden Chickens malware has been linked to attacks carried out by three major threat actors known as FIN6, the Cobalt Group, and Evilnum.

StreamJacking: Guardio Security says it is seeing hundreds of YouTube accounts getting hijacked each day to promote Elon Musk-themed cryptocurrency scams. Researchers say the threat actor behind these attacks, which they are calling StreamHacking, is making as much as $100,000 per day via "donations" and "investments" from gullible cryptocurrency users. In some cases, users are also lured to phishing sites that prompt them for personal data and crypto-wallet passphrases, allowing the threat actor to easily empty out their accounts.