Newsletters

A team of academics has found a way to remotely turn any Bluetooth-capable device into an AirTag tracker.

The technique is named nRootTag and abuses how Apple's FindMy network indexes AirTags and searches for tracked or lost devices.

In normal circumstances, when a user pairs an AirTag to their account, Apple takes the AirTag's Bluetooth signal and generates a cryptographic private-public key pair. When the user wants to find the AirTag's location, the FindMy network queries for the public key associated with that Bluetooth signal and then notifies the owner of its location.

The Trump administration has sent memos to CISA and US Cyber Command instructing cybersecurity staff to stop treating Russian hackers as a threat and halt operations targeting Russia.

Both orders were issued around two weeks ago but were only first reported publicly on Friday.

In the first order, Defense Secretary Pete Hegseth ordered Cyber Command to shut down any operations targeting Russia.

Israeli hacking tools maker Cellebrite has banned the Serbian government from using its products, citing misuse of its technology.

The company's decision comes after an Amnesty International report last December accused Serbian law enforcement of using Cellebrite tools to unlock phones and install spyware on the devices of anti-government dissidents and journalists.

Amnesty says this usually happened while victims were being interrogated by police. Their phones were taken away and then returned to them with spyware installed.

The Financial Times has reported that Peter Navarro, one of President Trump's closest advisors, is pushing for the US to remove Canada from the Five Eyes intelligence alliance.

Trump has said he wants to make Canada the 51st American state amid a tariff dispute. Per the FT:

Navarro did not respond to Financial Times requests for comment, but denied pushing the idea after the article was published. Per The Hill: 

Signal Foundation president Meredith Whittaker says the secure messaging app will leave Sweden if the government there passes a new surveillance bill.

The Swedish government is scheduled to discuss a bill next month that would force communication providers to allow police and security services access to message content.

Whittaker told Swedish national public television SVT that adding such a backdoor would undermine its entire network and users across the world, not just in Sweden.

North Korean hackers have stolen over $1.5 billion worth of crypto assets from Bybit, the world's second-largest cryptocurrency exchange.

The incident represents the largest crypto-heist in history (and the largest heist of any kind as well) and is almost 2.5 times larger than the previous leader—the theft of $625 million from the Ronin Network in April 2022.

The hack took place on Friday, February 21, and is considered one of the most complex crypto-heists ever pulled.

Internal strife and conflicts appear to have led to the implosion of another successful Ransomware-as-a-Service platform—this time, BlackBasta, one of last year's most active ransomware groups.

Everything came crashing down last week when one of the BlackBasta members leaked the group's internal Matrix chat logs on the dark web.

The leaker said they shared the data after one of the BlackBasta affiliates launched brute-force attacks targeting Russian banks—a move the leaker didn't agree with because they feared it would trigger an aggressive response from Russian authorities.

US Senator Mark Warner has floated an idea to deal with Salt Typhoon's compromise of US telecommunications networks, basically telling China: get out of our networks or we'll hack yours.

Essentially, Warner’s comments imply that the threat of US hacking could force an understanding between the two nations to stay out of each other's telcos. 

However, we believe the US would be better off just pulling the trigger on its own, similar campaign if it hasn't already. 

A recent CISA report and a series of tweets from Equinix threat intel analyst Will Thomas made me realize that quite a few infosec and adjacent cybersecurity experts are not fully aware that paying ransoms to a rising ransomware crew named RansomHub carries quite a high risk of breaking US sanctions.

The group launched in February 2024, when it started advertising its Ransomware-as-a-Service offering in underground hacking forums.

They got incredibly lucky because, just three weeks later, law enforcement agencies across the globe dismantled LockBit, which was, at the time, the largest RaaS platform on the market.

No intro in this edition since I was traveling over the weekend.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show with Pat and Adam at the helm!

Ukraine hacks Gazprom contractors: Ukraine's military intelligence agency GUR claims to have hacked Gazstroyprom, Gazprom's main construction contractor. GUR hackers have allegedly wiped over 120 servers and more than 10,000 computers. The attack is believed to have impacted Gazprom's ability to build and maintain its oil and gas infrastructure. The hack comes as Ukraine continues to bomb Russian oil and gas infrastructure using drones. [Additional coverage in UNN]