Newsletters

Written content from the Risky Business Media team

Risky Bulletin: CISA & FDA warn of backdoor in patient monitor

Presented by

Catalin Cimpanu

News Editor

The US government warns that Contec patient monitors contain a backdoor that collects and sends patient data to a remote Chinese IP address and can even secretly download and execute files.

The US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) published security alerts last week warning hospitals to disconnect devices from the internet.

The backdoor behavior has been confirmed in Contec CMS8000 patient monitors, but officials say the devices are often re-labeled and sold under other names, such as Epsimed MN-120.

Risky Bulletin: Authorities seize Cracked and Nulled cybercrime forums

Law enforcement agencies from Europe and the US have seized the domains of Cracked and Nulled, two of today's most popular cybercrime forums.

Authorities have seized 12 domains and made two arrests after searches at seven locations across the EU.

The US Justice Department has identified one of the Nulled admins as Lucas Sohn, 29, an Argentinian national residing in Spain.

Risky Bulletin: EU sanctions three GRU hackers

The European Union has sanctioned three Russian military hackers for their role in cyberattacks against Estonian government agencies in 2020.

Sanctions were levied against Yuriy Denisov, Nikolay Korchagin, and Vitaly Shevchenko.

The three are officers in Unit 29155 in Russia's military intelligence service, also known as the GRU.

Risky Bulletin: Tbilisi public transport goes free after anti-government hack

Anti-government hackers have defaced payment systems installed in public transport buses in Georgia's capital, Tbilisi, to play pro-European songs and slogans.

The incident took place on Friday morning as residents headed to work.

The ticket scanners and point-of-sale devices played the national anthems of Georgia and the EU, along with pro-EU speeches from local politicians:

Risky Bulletin: Payment card NFC relay attacks spread across Russia

Russians have lost over 40 million rubles (~$400,000) to a new type of scheme that steals their payment card NFC data and relays it to a remote threat actor, who then empties their accounts.

Russian security firm FACCT says it detected over 400 NFC relay attacks over the past two months alone, suggesting the scheme is gaining popularity with criminal gangs.

NFC cloning and relay attacks were first seen in Czechia in late 2023 and spread to Russian banks in August of last year.

Risky Bulletin: Threat actor impersonates FSB APT for months to target Russian orgs

A cyber-espionage group has mimicked the tactics of an FSB-linked APT to target Russian organizations for months.

Named GamaCopy (or Core Werewolf), the group emulated the tactics of Gamaredon (or Armageddon), a cyber-espionage group operated by the Russian FSB intelligence agency from the occupied region of Crimea.

The group's false flag attacks have been taking place since June of last year. The campaign has tricked several security vendors who misattributed attacks to Gamaredon, according to a report from Chinese security firm Knownsec 404.

Risky Bulletin: Looking at Biden's last cyber executive order

In its last days in office last week, the Biden administration signed an executive order (EO 14144) with new requirements and standards for strengthening the US' cybersecurity defenses and ecosystem.

This is the administration's second cyber executive order after EO 14028 from May 2021.

Below, we're gonna go over all the main points included in last week's release. The list is going through the EO from top to bottom. Items are not listed based on "importance."

Risky Bulletin: UK proposes ransomware payment ban for public bodies

Five hacks linked to the DPRK: The US, South Korea, and Japan have linked five 2024 crypto-heists to North Korean hackers. This includes DMM Bitcoin ($308mil), WazirX ($235mil), Upbit ($50mil), Radiant Capital ($50mil), and Rain Management ($16mil).

Synnovis attack fallout: The UK NHS says that a ransomware attack on lab service provider Synnovis last year has had an impact on the health of several patients, including permanent long-term damage in at least two cases. [Additional coverage in Bloomberg]

Fico blames Ukraine for cyberattack: Slovakia's PM Robert Fico has blamed Ukraine for a ransomware attack that crippled its cadastre agency earlier this year. As local media puts it, Fico, who is a known Putin fanboy and a pro-Kremlin propaganda mouthpiece, has cited no evidence.

Risky Bulletin: Over 4,000 backdoors can be hijacked via expired C&C domains

PowerSchool data breach: Edu software company PowerSchool says hackers breached its SIS student management platform and stole some student records. The company is notifying affected schools, per a DataBreaches.net report.

Gravy Analytics hack: Hackers claim to have breached Gravy Analytics, a company that aggregates and sells access to app location data. [Additional coverage in 404 Media]

UGKK ransomware attack: Slovakia's Geodesy, Cartography, and Cadastre Authority suffered what appears to be a ransomware attack. [Additional coverage in Finsider.sk]

Risky Bulletin: Chinese hackers breach US Treasury, target OFAC bureau

Treasury hack: US officials claim that Chinese state-sponsored hackers have breached the US Treasury Department and accessed internal unclassified documents. The hack allegedly took place after hackers initially breached identity service provider BeyondTrust in December last year. The attackers specifically targeted the Office of Foreign Assets Control (OFAC), the office that imposes foreign sanctions. China, as usual, claimed to be innocent and a victim of "groundless claims." [Additional coverage in NPR]

Cyberhaven Chrome extension compromised: A threat actor has phished an employee of security firm Cyberhaven and published a malicious update to the company's official Chrome extension. The update stole cookies from visited sites and uploaded the data to the attacker's server. According to Secure Annex, the malicious code and the attacker's server IP were also found in multiple other Chrome extensions, and the Cyberhaven compromise appears to be part of a larger campaign. At least 36 extensions are believed to have been compromised as part of this operation.

VW data leak: Sensitive information of 800,000 VW Group vehicle owners was found accessible online. The data came from a VW mobile app used by the owners of VW, Audi, Seat, and Skoda-branded EVs. The data contained information on owners and geolocation data that could be used to reconstruct trips, per a Spiegel report.