Newsletters

Acer confirms hack: Taiwanese hardware vendor Acer has confirmed a security breach after a hacker began selling more than 160GB of data they stole from one of the company's servers. According to the seller, an individual going by the name of Kernelware, the stolen data includes details about the Acer BIOS, confidential presentations, product documentation, ROM, and other binary files. Acer says the files originated from a server for repair technicians.

Facebook's LLaMA leak: LLaMA (Large Language Model Meta AI), a collection of large language models developed internally at Meta, was leaked on 4chan last week, marking the first time when a major tech company's proprietary AI model has leaked in full. Prior to the leak, Meta, Facebook's parent company, had provided access to the LLaMA model to select researchers from the AI community. While the leaker hid their identity using the "llamanon" 4chan username, AnalyticsIndiaMag notes that the LLaMA torrent file contained a unique identifier that would, theoretically, allow Meta to track down who received and leaked the files. Motherboard reported that Meta did not deny or confirm the leak, nor has it taken any steps to have the torrent removed.

LaunchZone crypto-heist: The LaunchZone cryptocurrency portal announced this week a compensation plan for users who lost funds in a hack that took place at the end of February. At the time, the company lost $700,000 following an exploit against one of its contracts that drained around 80% of the funds from its liquidity pools.

In this Risky Business demo, Tines CEO and co-founder Eoin Hinchy demonstrates the Tines no-code automation platform to host Patrick Gray.

Australia's critical infrastructure plan: Australia's Cyber and Infrastructure Security Centre (CISC) has published its Critical Infrastructure Resilience Strategy and Plan, a guide to help secure Australia's critical infrastructure interests from 2023 to 2028.

Australia and UK sign spam cooperation memorandum: Australia and the UK's privacy watchdogs have signed a joint memorandum of understanding to coordinate their efforts against nuisance calls and spam messaging.

T-Mobile's alleged 100+ breaches: An analysis of multiple Telegram channels reveals that three threat actors have claimed to have breached T-Mobile's backend network more than 100 times throughout 2022. According to infosec reporter Brian Krebs, many of these breaches have been carried out by threat actors who provide account hijacking services and who needed access to T-Mobile's network to execute SIM-swapping attacks. Most of the breaches appear to have been carried out by phishing T-Mobile employees and gaining access to their internal accounts.

Polish tax portal attacks: Polish officials have blamed Russian hackers for DDoS attacks that have taken down the government's national tax-filing portal this week.

Russia fines Wikipedia: The Russian government has fined the Wikimedia Foundation, the organization behind the Wikipedia portal, 2 million rubles (~$27,000) for failing to delete "misinformation" about the Russian military and its invasion... oops... special operation in Ukraine. This marks the third fine Wikipedia has received in Russia since the country's invasion of Ukraine, according to Reuters. Wikipedia said the recent fine was related to articles on its Russian language portal related to Russian Invasions of Ukraine (2022), Battle for Kyiv, War Crimes during the Russian Invasion of Ukraine, Shelling of Mariupol Hospital, Bombing of the Mariupol Theater, and the Massacre in Bucha.

Signal says it will pull out of the UK market if the country's Online Safety Bill forces it to weaken its encryption. Signal won't be asked to weaken its encryption, but it may well be asked to make other compromises.

Meredith Whittaker, president of the Signal Foundation nonprofit, told the BBC that the organisation "would absolutely, 100% walk" if forced to weaken the privacy of its messaging system.

Although the UK's proposed Online Safety Bill aims to make the internet safer (here is a good background overview) it has received its fair share of criticism over time. Advocates of strong encryption are particularly concerned about sections that give the regulator the power to tell companies that they must "use accredited technology to identify CSEA [child sexual exploitation and abuse] content, whether communicated publicly or privately by means of the service, and to swiftly take down that content". (The Act also covers terrorism-related content like beheading videos etc. Grim.)

Unlike the IRA and Russia's other internet troll farms and influence operations, Ghostwriter works on a higher level. Operations are timed and planned to coincide before or during important political events or military exercises, often requiring public rebuttals and clarifications from the targeted governments or politicians.

Researchers say because the group mixes both cyber (hacking) and psyop (influence) components, the group has gone under the radar for many years and has yet to be fully understood. Their theory blames the West's confusion about who's supposed to investigate GhostWriter. Is it a country's cybersecurity or its intelligence agency? Is it the private infosec community, or is Ghostwriter official government spook business?

As the researchers point out, this confusion and lack of understanding of the level where GhostWriter operates had allowed the group to run around for four years between 2016 and 2020 before people caught on to what they were doing and that the group existed.

Exchange scanning update: Microsoft has updated the guidelines for scanning Exchange servers for malware, and the company is now advising the scanning of additional directories. These folder locations were previously used by antivirus solutions, but Microsoft says it has seen malware campaigns abuse these directories to hide their malware.

Signal would leave the UK: Megan Whittaker, the president of the Signal secure messaging service, has told the BBC the company plans to leave the UK market if the country passes the controversial Online Safety Bill. The bill, which is currently receiving pushback from both the private sector and local politicians, would require tech companies to scan encrypted messaging apps for child sexual abuse material (CSAM).

More Twitter layoffs: Twitter fired last week its democracy and national security lead, Neema Singh Guliani, which kind of explains why that entire network's trending section is just state-run propaganda campaigns these days. Other layoffs followed at Twitter over the weekend too.

Russian local officials called the incident "a provocation by supporters of the Kyiv regime."

The Russian Ministry of Emergency Situations confirmed the hack in a Telegram post, but they did not share any info on the attack or any attribution.

This is not the first time suspected Ukrainian hackers have hacked Russian radio stations. In June 2022, one such hacker hijacked Kommersant's FM radio to blast the Ukrainian anthem and anti-war songs, forcing the company to temporarily shut down its air programming and broadcast solely via the internet for a few hours.

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.

This Reddit post is a stellar example of unintentional "play stupid games, win stupid prizes" hilarity. The original poster, Suspendedbankaccs1, is baffled as to why their HSBC, Santander and Barclays bank accounts have been suspended.

RailYatri leak: The personal details of more than 31 million Indians is currently on sale on an underground hacking forum. The seller claims the data belongs to RailYatri, a ticket-booking app used by India's national railway. A government official told the Hindustan Times they are currently investigating the incident.

Virgin Media incident: Virgin Media Television broadcasts were impacted across Ireland after the company discovered an "unauthorised attempt to access [their] systems." According to Ireland's national television RTE, as a result of the attack, Virgin Media aired recorded programming on several channels on Monday, such as Virgin Media 3, 4, More, and VMTV Player.

DOD leak: The US Department of Defense has leaked sensitive emails after it left one of its Azure servers exposed on the internet without a password. According to TechCrunch, the server hosted internal mailboxes for US Special Operations Command, or USSOCOM, the US military unit tasked with conducting special military operations. Some of the emails exposed in the incident also contained SF-86 questionnaires used by DOD employees to apply for security clearances.

Ukraine cyber incident stats: The Ukrainian government says it recorded 2.8 times more cyber incidents throughout 2022 than in 2021. Officials say they registered 415 distinct cyber incidents throughout the year, most connected to Russia's military invasion.

Fines for SORM disobedience: The Russian Duma is working on a law that will introduce turnover-based fines for local telco providers that fail to install its SORM traffic monitoring system. SORM, initially introduced in the 90s, is special equipment installed in the telco's backend network that logs internet and telephony traffic and allows Russian law enforcement and intelligence services to search through the data. SORM is already mandatory for all Russian telcos, but no penalty was specified for companies that failed to implement it or refused to have the equipment working, which has been the case with the smaller operators. The fines will range from 0.001 to 0.003% of a telco's annual revenue, according to Russian news outlet Vedomosti.

Centralized database of fraudsters: Elvira Nabiullina, the head of the Central Bank of Russia, wants to create a centralized database of fraudsters to improve the security of Russian banks and their customers. We wonder if Mrs. Nabiullina's "centralized database" will also include all the Russian cybercrime groups and money launderers operating within Russia's borders.