Newsletters

Cyber security firm Huntress has confirmed what organisations like the NSA have been saying — that 'living off the land' is the new normal.

We've covered the shift towards living off the land techniques (abusing legitimate tools already present in the host environment) by both Russian and Chinese APT actors. A new Huntress report focused on threats to small and medium-sized businesses (SMBs) found more than half of incidents involved LOLbins (living off the land binaries) and were "malware free".

One type of legitimate software that is commonly abused by threat actors to gain and maintain access to targeted environments is remote monitoring and management (RMM) software. Huntress found that 65% of all types of SMB security incidents involved RMM software such as ConnectWise, ScreenConnect, AnyDesk or TeamViewer. These types of software are not detected as malware and their use is often not audited, especially in small organisations.

A phishing platform specialized in cryptocurrency thefts has shut down operations after stealing more than $71 million over the past nine months.

Named Inferno Drainer, the platform launched in February this year.

Spotted by Web3 security platform ScamSniffer, the service allowed threat actors to create phishing pages for more than 220 cryptocurrency brands.

An ENISA report on NIS compliance spending has found that roughly 42% of the EU's critical infrastructure and digital service provider operators have signed up for cyber insurance in 2022.

The report notes that while cyber insurance coverage was at 43% in 2020 and just 30% in 2021, the cyber insurance market now appears to be active and developed all over the EU.

Last year, organizations in all member states signed up for cyber insurance compared to previous years, where most of the coverage was clustered in just a handful of member states.

Internet infrastructure company Fastly will block domain fronting on its cloud platform from February 27, 2024.

Fastly now joins a growing list of major cloud companies that have banned domain fronting. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

Domain fronting is a technique to use different domain names on the same HTTPS connection.

We have removed this item because it largely centres on discussion of an article that is subject to a legal action and is no longer published.

The AlphV ransomware group has filed a US Securities and Exchange Commission (SEC) complaint against one of its victims for failing to disclose that it had been breached.

In the words of AlphV's submission, the victim company MeridianLink "failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules".

The Tor Project has removed an estimated 1,000 relay servers from its network, citing their involvement with a for-profit cryptocurrency scheme.

The scheme allegedly promised cryptocurrency tokens for users who set up and ran Tor relays.

In a blog post on Monday, Tor admins said they removed participating servers to protect the integrity and reputation of their project. The removal was subject to a community vote that passed last week.

Turkish security researcher Yunus Çadirci has discovered vulnerabilities in the DIAL protocol and misconfigurations in vendor equipment that can be used to force TVs and other capable devices into forcibly playing an attacker's video content.

The vulnerabilities have been collectively named DIALStranger, and details about the flaws were disclosed for the first time at the Black Hat Middle East and Africa security conference last week.

The DIALStranger flaws were discovered way back in 2019, but Çadirci kept the original report private for four years as the protocol received patches and vendors slowly updated devices.

The US Federal Communications Commission (FCC) has adopted new rules designed to protect US consumers from SIM-swapping attacks and port-out scams.

Under the new rules, US wireless providers are required to use "secure methods of authenticating a customer" when they request porting a SIM card to a new device (aka SIM swapping) or their phone number to a new carrier (aka port-out).

The Commission did not specify what the "secure methods" should be, and it appears the agency is leaving this up to each of the US carriers and their own internal procedures.

Ransomware criminals continue to make hay despite increased government efforts worldwide to clamp down on the ecosystem. What's next?

Last week, the US financial services division of China's biggest bank, the state-owned Industrial and Commercial Bank of China (ICBC), was hit by ransomware that reportedly affected trading in US Treasuries. According to The Financial Times, "the attack prevented ICBC from settling Treasury trades on behalf of other market participants" and that "with its systems compromised, ICBC Financial Services proposed sending a USB stick with trading data to BNY Mellon to help it settle trades". I mean, this is very serious, but lol.

This left ICBC's US unit owing BNY Mellon USD$9bn for unsettled trades, with the subsidiary requiring a capital injection from its parent company to pay the debt. Yikes.

Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.