Newsletters

The number of human-operated ransomware attacks has more than doubled over the past year, Microsoft said in its yearly Digital Defense Report.

The term "human-operated ransomware" refers to certain intrusions where the ransomware is deployed manually rather than using automated scripts.

During these intrusions, one or more members of the ransomware group manually connect to a breached network and run commands in a terminal to make sure scripts execute with the proper parameters, data is exfiltrated without errors, and files are encrypted correctly.

A group of more than 50 tech experts and organizations have signed an open letter asking EU officials to rethink Article 11 of the upcoming EU Cyber Resilience Act.

The article introduces a mandatory requirement for all software vendors to disclose vulnerabilities to the ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of in-the-wild exploitation. ENISA will then relay this information to national CSIRT teams and stock market watchdogs across its member states.

The open letter's signatories argue that the CRA's Article 11—in its current form, at least—greatly expands the number of organizations that will have first-hand and real-time immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to product vendors, their customers, and the general public.

The US National Security Agency (NSA) is creating a new Artificial Intelligence Security Center to develop secure AI for use in defence and national security. The Center will also work to maintain the US's AI advantage by protecting against intellectual property (IP) theft.

The Director of NSA and US Cyber Command, General Paul Nakasone, announced the creation of the new centre in a speech at the National Press Club in Washington DC.

In his speech Nakasone pithily described AI security as "about protecting AI systems from learning, doing and revealing the wrong thing", before listing some goals of the new centre:

Ransomware groups are exploiting recently disclosed vulnerabilities in TeamCity and WS_FTP servers to breach corporate networks and ransom organizations.

The attacks are exploiting CVE-2023-42793 and CVE-2023-40044.

The first is an authentication bypass and RCE vulnerability that can allow threat actors to take full control of JetBrains TeamCity CI/CD servers. Once on the development pipeline, threat actors can pivot to other resources on a company's internal or cloud network, from where ransomware gangs can do extensive damage.

A critical vulnerability impacting more than 3.5 million Exim email servers has remained unpatched for more than 15 months in one of the most egregious instances of vulnerability disclosure snafus in recent history.

Tracked as CVE-2023-42115, the vulnerability is a no-authentication remote code execution with a severity rating of 9.8/10.

It is one of six vulnerabilities that were disclosed by Trend Micro's Zero-Day Initiative (ZDI) to the Exim project in June 2022.

Cybersecurity agencies from Japan and the US have issued a joint security  advisory about a Chinese APT group that is hacking the overseas subsidiaries of US and Japanese companies and then pivoting to their corporate headquarters.

Known as BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group targets internet-facing routers as their entry point into victim networks.

To maintain access, the group hot-patches the router firmware with a modified version that bypasses security features and contains a built-in SSH backdoor to maintain future access.

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations.

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD$15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

The US Cybersecurity and Infrastructure Security Agency released on Monday the first version of the Hardware Bill of Materials (HBOM), a framework meant to mitigate supply chain risks for hardware/physical products.

The framework is inspired and is meant to be a complement to SBOM, a similar framework that CISA has been pushing to software vendors since the Log4Shell incident in late 2021.

Under the new HBOM framework, hardware vendors are expected to produce an HBOM file that will contain information on all physical components used in a product.

China's Ministry of State Security (MSS) published an extremely rare official statement on its WeChat account last week formally accusing the US National Security Agency of hacking and maintaining access to servers at Huawei's headquarters since 2009.

The statement is the first time the Chinese government has confirmed the NSA's Huawei hack—first reported by the New York Times and Der Spiegel back in 2014.

Based on documents from the Snowden leaks, the two reports cover Shotgiant, an NSA operation to compromise Huawei's network.

North Korean hackers known as the Lazarus Group have stolen $54 million from the CoinEx cryptocurrency exchange.

The hack took place on Tuesday, September 12. In a statement, CoinEx said the hackers identified a leak of some of its private keys and used them to steal Ether, Tron, and Matic assets from some of the company's hot wallets.

The company didn't formally link the hack to North Korea, but a blockchain investigator named ZachXBT found that some of CoinEx's stolen funds were sent to the same address that is storing funds stolen from the recent hack of the Stake.com crypto-gambling site.