Newsletters

Following a hearing of the Senate Homeland Security and Governmental Affairs Committee, US lawmakers said they're considering legislation that would make the DHS Cyber Safety Review Board (CSRB) a permanent organization in the US cybersecurity space.

Established in May 2021 through a White House executive order, the CSRB was set up as an analog to the TSA's National Transportation Safety Board (NTSB).

It was established in the aftermath of the SolarWinds supply chain attack as an independent board tasked with investigating cybersecurity-related incidents that affect the US government and issuing recommendations to improve security measures across both the US public and private sectors.

Not only are cyber espionage groups likely based in China using living-off-the-land techniques to operate stealthily, they are adopting techniques that make post-discovery eviction more difficult.

Two separate campaigns reported in recent weeks illustrate the different techniques actors believed to be associated with the PRC are using. In one campaign, a group that had been operating slowly and discreetly switched to large-scale device exploitation and used various persistence mechanisms to 'dig in' once it was discovered.

In the second campaign, the actor concerned used compromised end-of-life devices in a botnet to relay command and control communications.

A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

A Chinese state-sponsored espionage group has compromised and is currently controlling roughly 30% of all Cisco RV320 and Cisco RV325 WAN routers across the internet.

Active infections were spotted by SecurityScorecard's STRIKE Team over the past 37 days, between December 1, 2023, and January 7, 2024.

The routers are infected with and are part of KV, a botnet first spotted by internet infrastructure company Lumen last month. According to Lumen, the same botnet also consists of a large number of DrayTek Vigor routers, NETGEAR ProSAFE firewalls, and Axis security cameras.

A Chinese state-sponsored hacking group has exploited two zero-days in Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) to gain access to corporate networks.

The zero-days were discovered by American cybersecurity firm Volexity, which attributed the attacks to a group it tracks as UTA0178.

Ivanti has published mitigations and workarounds that customers can apply until firmware patches are released on January 22.

Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment.

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras.

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Ever since its public ousting in late 2020, the group wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations.

Ransomware gang arrest: Chinese police detained two individuals from Hohhot who were involved in ransomware attacks against Chinese organizations. Officials say the group used ChatGPT to optimize the code of their ransomware, which they used to encrypt corporate servers and demand $20,000 in ransom. [Additional coverage in Global Times]

Orgon sentencing: A Colombian judge has sentenced Andres Felipe Cardoso Alvarez to three years and five months in prison. Alvarez was known as Orgon, a member of the Anonymous Colombia hacking group. As part of the group, he launched attacks against a large number of government organizations.

Cyber Toufan wiping spree: The data-wiping spree started by the Cyber Toufan group at the end of November is still going strong. The group has now wiped more than 100 organizations, with the vast majority being based in Israel. Around 40% of the victims were hit after the group compromised their MSP.

Chrome Safety Check: Google has announced that Safety Check, the feature that scans for compromised user passwords, will now continuously run in the background at all times.

Wikipedia Russia shuts down: Wikipedia's Russian edition has shut down after authorities designated its lead editor as a "foreign agent."

Substack Against Nazis: More than 100 Substack editors named "Substack Against Nazis" have signed an open letter asking Substack to remove white supremacy and nazi newsletters hosted on the platform, threatening to leave if the company fails to act.