Newsletters

It is currently unknown who is behind the Moldova Leaks website, but Litvinenco said his ministry has already started a formal investigation into the hack, which will also look at the Minister of Internal Affairs, which the official said has the technical capabilities to obtain such conversations at its disposal—suggesting that investigators don't rule this out as an insider attack.

But even if this could be the work of some hacker-for-hire mercenary group, several infosec figures believe this is the work of Russia's GRU agency, which has executed hack-and-leak operations in the past to push Russia's political interests abroad.

And as a former part of the Soviet Union, Russia has quite an interest in keeping Moldova under its sphere of influence and not letting it align with the EU and Romania.

O'Neil's statement came on the same day that the AFP issued a press release identifying the Medibank hackers as being located "in Russia."

"We believe we know which individuals are responsible but I will not be naming them," said AFP Commissioner Reece Kershaw. "What I will say is that we will be holding talks with Russian law enforcement about these individuals."

After years during which law firms, cyber-insurance providers, and even security firms and law enforcement have closed their eyes during ransomware negotiations and allowed victims to pay ransom demands in order to placate attackers, these criminal cartels have grown their operations and intensified attacks feedings on profits but also on a sense of invincibility.

DDOS attacks on election day: Some websites operated by the Mississippi state government were knocked offline during the US midterm elections on Tuesday following DDOS attacks claimed by pro-Russian hacktivist groups. None of the attacked websites were involved in the vote and vote counting process.

Not a cyber-attack: Officials from Suffolk County in the state of New York dismissed rumors of a cyber-attack on their infrastructure on Tuesday, on election night, after some election workers had to collect voting tallies on memory cards and drive to a central office to upload the results on state computer servers. Officials said this happened because "electronic security measures put in place to protect elections systems from cyber attacks had overtaxed and slowed an older operating system," which initially made election authorities believe they were the victim of a cyber-attack.

Cyber.org Range expands nationwide: A Louisiana pilot program called Cyber.org Range—designed to teach K-12 students cybersecurity skills—announced it would expand to all 50 US states after receiving funding, including from the US Cybersecurity and Infrastructure Security Agency.

Medibank update: In an update on its data breach disclosure, Australian private health insurance provider Medibank said the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. The company said it does not plan to pay the threat actor's ransom demand. A ransomware gang known as BlogXX (believed to be a subgroup of the older REvil gang) took credit for the intrusion and data theft.

Cyber-attack cripples Mexico's transportation system: According to a report, Mexico's transportation ministry has stopped issuing new permits, license plates, and driver's licenses for commercial truck operators until December 31 because of a cyberattack that hit the IT infrastructure of the Secretariat of Infrastructure, Communications and Transport (SICT) in late October. (via DataBreaches.net)

Pando crypto-heist: DeFi platform Pando said it was the target of a hack last Saturday when a threat actor tried to steal more than $70 million worth of cryptocurrency from the platform's wallets. The company said it managed to freeze $50 million of the stolen funds, but the attacker successfully stole more than $21.8 million of its funds. Pando said the hacker used an Oracle attack against one of its protocols and is still hoping to negotiate with the attacker to return some of the stolen funds.

Solend crypto-heist: DeFi platform Solend said it lost $1.26 million worth of cryptocurrency following an Oracle attack on its platform, targeting the Hubble (USDH) currency.

Successful defense: In a post-mortem, pNetwork said it successfully defended an attack on its pGALA token.

DSB cyber-attack: Danish train operator DSB said that the disruptions to some of its trains over the previous weekend were the result of a cyber-attack on the infrastructure of one of its IT subcontractors.

Group-IB and Orange researchers said that while the group used basic phishing attacks and off-the-shelf remote access trojans to gain an initial foothold in their victim's networks, OPERA1ER has exhibited both restraint and patience.

Some intrusions lasted months, as the group moved laterally across bank systems while they observed and mapped the internal network topology before springing their attack.

Rustam Mirkasymov, Head of Group-IB's Threat Research in Europe, told RiskyBizNews that the group typically waited and sought to identify and compromise bank systems that handled money transfers.

A caveat up front: The Daily Mail is not the most reliable newspaper, and the hack has not yet been independently confirmed by other sources, although it hasn't been denied either. The broad outline of the claims are that the phone was hacked some months ago and sensitive messages compromised, including to international foreign ministers about the war in Ukraine and also to Kwasi Kwarteng, a friend of Truss who subsequently became Chancellor of the Exchequer. According to The Daily Mail's report, after the hack was discovered, Prime Minister Johnson and the Cabinet Secretary suppressed the news.

Matt Tait, aka PwnAllTheThings on Twitter, has written up a decent analysis of the story including an examination of why it might have been published now, the bona fides of the authors, and the possible motivations of sources. His conclusion: there are some red flags, but it could be true, and he goes on to examine the implications of the hack of a minister's phone.

Regardless of the underlying truth, The Daily Mail story highlights an uncomfortable reality — politicians absolutely need to use phones nowadays even though phones are insecure.

The leaked chat logs reveal several things. The first is the names of core members in charge of the Yanluowang RaaS and their identities on cybercrime forums.

The second is that the Yanluowang ransomware gang began operations in October 2021, which is around the same time Broadcom's Symantec first reported on their activities.

Third is that the gang and its members are really bad at coding, which now explains why Kaspersky researchers were able to find a vulnerability in its encryption algorithm and release a free decrypter back in April. And if that wasn't bad enough, the leaker also shared a screenshot allegedly containing the ransomware's decryption routine source code.

Amazon server leak: Amazon said there was a "deployment error" with one of its Amazon Prime analytics servers that was left exposed online without a password for more than two weeks and leaked 215 million entries containing pseudonymized user data. According to TechCrunch, which first reported on the leak, the leaked data contained the name of the show or movie that a user was streaming, on what device it was streamed, Prime subscription details, and network quality.

Aurubis attack: Aurubis, the second-largest copper producer in the world, disclosed a cybersecurity incident on Friday in what the company described as "apparently part of a larger attack on the metals and mining industry." The company said the incident didn't impact its production or environmental protection systems at smelter sites.

Telegram gets a one-day block in Russia: Russia's telecommunications watchdog, the Roskomnadzor, blocked Telegram's t.me short URL on Saturday after a copy of a video was uploaded on the platform containing instructions on how Russian soldiers could surrender to the Ukrainian Armed Forces, once deployed in Ukraine. The URL was not in Roskomnadzor's blocklist on Sunday, suggesting the block was lifted after only one day.

The new "number matching" feature works to protect accounts by showing a number inside the push notification message received by account owners. Even if the user clicks "yes/approve" by accident, the attacker won't be able to log in without entering this number as well, which most attackers would not be able to do.

Microsoft announced this feature earlier this year—after Lapsus$ compromised its network—but a similar number matching feature has also been available in other secure authentication providers like Cisco Duo, Okta, and others.

However, it must be mentioned that this technique is not foolproof, and attackers who contact employees posing as IT staff have been known to extract these numbers from employees in some attacks. But if you're forcing employees into MFA that rely on push notifications, it's better to have numbers matching enabled than not. Either way, if FIDO-based MFA is an option, better use that, as that form of cryptographic device-based authentication is not vulnerable to MFA fatigue attacks.