Newsletters

The US Department of Justice has unsealed charges against five suspected members of the Scattered Spider hacking group.

The five include four Americans and one British citizen.

Three of the five are confirmed to be in custody. Evans was arrested this week, Buchanan in June, and Urban in January.

A new report describes the evolution of China's cyber capabilities over the past 30 years, including the incorporation of independent hacktivists into state-linked groups and the rise of the Ministry of State Security (MSS) as a hacking force. Most interestingly, the report examines the reorganisation of the People's Liberation Army (PLA) and the decline in reports of operations linked to the country's military hackers since 2017. 

The report, from security firm Sekoia, describes three primary state actors that carry out cyber operations for the Chinese Communist Party (CCP): the MSS, the PLA and the Ministry of Public Security (MPS).

Several years ago, the PLA was China's major cyber espionage actor. Mandiant's groundbreaking 2013 report, for example, linked the operations of a prolific actor it dubbed APT1 to a specific element in the PLA's General Staff Department, Unit 61398. Mandiant said the unit was responsible for stealing hundreds of terabytes of data from nearly 150 organisations spanning 20 major industries, and tied the organisation to a specific 12-storey building in Shanghai. 

At its Ignite developer conference this week, Microsoft announced a new feature for its Windows 11 operating system that will allow admins to remotely fix PCs with booting issues.

The company developed the feature as a way to tackle future cases like the CrowdStrike incident that crashed over 8.5 million PCs in July this year.

The new feature is named Quick Machine Recovery and will allow a company's IT administrators to tap into the Windows Update system to deliver fixes for boot-related bugs that normally require physical access to a machine.

Details of a zero day vulnerability in Palo Alto Networks software and a design flaw in a Fortinet product were published on Friday—every IT engineer's favorite day for emergency security procedures.

The zero-day impacts Palo Alto Networks firewall appliances, while the design weakness affects Fortinet's Windows VPN client.

The Palo Alto zero-day is believed to be related to an alleged exploit sold on the Exploit hacking forum earlier this month.

Security firm Sekoia says most Chinese cyber operations are now conducted by China's Ministry of State Security. The ministry is one of the big three Chinese government bodies with offensive cyber capabilities, alongside the People's Liberation Army (PLA) and the Ministry of Public Safety (MPS).

MSS cyber activity has increased while the once-active Chinese military has slowed down considerably. Sekoia says MSS cyber operations have dominated since at least 2021.

Activity from PLA-linked APTs like BlackTech, Naikon, Tonto Team, and Tick has gone down, while more MSS-linked groups have emerged, such as APT10, APT31, APT40, APT41, Mustang Panda, and Lucky Mouse.

Predicting Trump’s second-term moves is a mug’s game, but here’s our best guess: cybersecurity policy initiatives will be sensible but unambitious, while the intelligence community (IC) will be asked to carry out bold—and maybe even bonkers—operations.

This is based on our examination of Trump's first term which, from a narrow cyber security perspective, was just fine. 

In 2017, for example, Trump issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and expanded on this in 2018 with the release of a National Cyber Strategy. These were both sensible efforts, not as ambitious as the Biden administration's 2023 strategy, but entirely appropriate for the time. 

Ten of the 15 most frequently exploited vulnerabilities last year were initially zero-days, CISA said in a joint report published with cybersecurity agencies from Five Eyes countries on Tuesday.

This includes ifamous zero-days, such as the one that forced Barracuda to tell customers to replace all ESG appliances, the zero-day used in the MOVEit hacking spree, and the CitrixBleed vulnerability.

Because zero-days dominated last year's Top 15, 2023 marks the first time CISA's Top Exploited Vulnerabilities list is dominated by new CVEs.

The European Union has told Chinese e-commerce giant Temu to follow consumer protection laws or face major fines.

The EU says Temu uses fake discounts, pressure selling tactics, forced gamification, and fake reviews to trick users into buying products from its online marketplace.

The company also allegedly displays incomplete or incorrect information about consumers' rights to return goods and receive their refund backs, and also hides contact details so customers cannot file complaints.

Russia's internet watchdog agency, the Roskomnadzor, has blocked traffic to Cloudflare-hosted websites that use the new Encrypted Client Hello (ECH) technology.

Users in Russia and abroad started reporting issues with accessing a large number of websites on Wednesday, November 6.

Roskomnadzor, through its Center for Monitoring and Control of Public Communications Networks department, says it took the decision after Cloudflare enabled ECH by default for customer accounts in October.

Cybersecurity firm Sophos' counterintelligence efforts against malicious actors targeting its firewall products will set new standards for acceptable and desirable behaviour from vendors.

Last week, Sophos released details of an evolving, five-year effort to counter China-based groups targeting its firewalls. The report details the cut and thrust between Sophos and a loose collection of Chinese hacking groups, and how each responded and adapted to the others' actions. 

The saga started in 2018 with the compromise of a computer driving a wall-mounted display at Cyberoam, an Indian subsidiary of Sophos. This breach appeared mundane, but pulling on the string revealed that the actor had compromised other machines on Cyberoam's network with a sophisticated rootkit. Wired reports that "in retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers".