Newsletters

Written content from the Risky Business Media team

Recent Cyber Chaos is a Structural Shift

Presented by

Tom Uren

Policy & Intelligence

This week's release is Guacamaya's fourth since March and it has also compromised mining and oil companies and government offices in a number of different countries. In each case it releases data via Enlace Hacktivista, a website that documents hacker history, and/or via Distributed Denial of Secrets. Each release is accompanied by a statement, sometimes a video, that documents the hacking process and, once, even a poem.

The Ukraine IT Army also claimed some success this week and claims to have hacked the personal data of mercenaries from the Russian Wagner Group.

This week The Record published a comprehensive overview of the Belarusian Cyber Partisans, covering the group's founding, some of its successful operations and also interviews with its spokesperson Yuliana Shemetovets. This newsletter has covered the activities of the Belarusian Cyber Partisans several times, and an early episode of our Between Two Nerds podcast discussed how the Cyber Partisans evolved to become a very effective group.

Risky Biz News: US Ransomware Task Force to go after ransomware top dogs

Presented by

Catalin Cimpanu

News Editor

American Airlines breach: American Airlines disclosed a security breach last week in a breach notification letter [PDF] filed with the Montana OAG. The airline said the breach occurred in July this year after a threat actor gained access to several employee email accounts. These accounts contained documents with the personal data of some of the airline's past customers, such as names, email addresses, home addresses, phone numbers, and travel document information.

Gag order in Albania: The Albanian government has put a gag order on local press to prevent them from reporting any stories sourced from documents that were stolen and recently leaked by Iranian hackers.

Ransomware attack on Bosnia's government: Officials from Bosnia and Herzegovina are investigating a cyberattack that has crippled the operations of the country's parliament for more than two weeks, in what experts say bears all the hallmarks of a classic ransomware attack.

Risky Biz News: KiwiFarms discloses security breach, says user data may have been stolen

Presented by

Catalin Cimpanu

News Editor

"The attacker had access to my admin account, probably through session hijacking (bypassing password and 2fa)," the admin also added.

KiwiFarms said that while information from the site's log suggests that a user database export operation performed by the intruder might have failed, registered users should still assume that their data might have been compromised through another means.

The incident sparked quite a wave of panic among the site's users, most of whom now fear that their real identities could be revealed through the stolen data, which is a very plausible scenario for those who did not practice good OpSec when registering on the site.

Risky Biz News: Poland refuses to cooperate with the EU in spyware scandal

Presented by

Catalin Cimpanu

News Editor

Azure Code Signing: Microsoft gave software developers a preview this week of an upcoming tool named Azure Code Signing, an Azure service that makes it easier to cryptographically sign code and apps.

Disable IE policy: Microsoft also released a new policy this week that will allow organizations to permanently disable the Internet Explorer browser right now and not have to wait for a future Microsoft update to do so.

Avast acquires "I don't care about cookies": Antivirus maker Avast has acquired "I don't care about cookies," a popular browser extension that hides cookie popups on internet websites.

Why Iran’s Attack on Albania Cannot Go Unchecked

Presented by

Tom Uren

Policy & Intelligence

To be clear, Iran has been subject to destructive cyber attacks, but the context surrounding these attacks is very different.

Jason Brodsky, policy director at United Against Nuclear Iran told Seriously Risky Business that the Stuxnet attack was justified because the Iranian nuclear program had "advanced to such a state… beyond any plausible civilian justification". Brodsky agreed that there had been attacks on Iranian rail and fuel infrastructure in the case of the (likely) Israeli-led Predatory Sparrow campaign, "but viewing these operations in the context of the chain of attacks which triggered them is important". In other words, you reap what you sow.

"Iran has also been actively seeking to harm civilians in its cyberattacks — with the attempted operation against Boston Children's Hospital, which the FBI director called one of the most despicable he had ever seen in June 2021. That is not to mention attacks on Israel's water infrastructure which could have poisoned innocent Israelis. The cyberattacks targeting Iran do not even come close to those operations."

Risky Biz News: Iranian hackers sure love their social engineering

Presented by

Catalin Cimpanu

News Editor

Philippine Airlines data breach: Philippine Airlines, the country's state-owned airline travel company, said this week that data of some of its past travelers has been stolen after a ransomware attack on Accelya, a third-party IT provider that PAL uses for its frequent flyer program. The breach affected PAL travelers who joined its frequent flyer program between 2015 and 2017, the company told CNN Philippines.

U-Haul data breach: Moving and rental space company U-Haul disclosed a security breach last week after the company said it found that hackers compromised a customer contract search tool and used it to access customers' names and driver's license information. This marks the company's second breach after a first one disclosed back in 2017 [PDF].

Cisco data breach: After it disclosed a security breach last month on August 10, Cisco said in an update this week that the incident was the result of "an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators." The company posted this update after the Yanluowang gang took credit for the attack and added Cisco-related data on its leak site.

Risky Biz News: Albania-Iran cyber drama far from over

Presented by

Catalin Cimpanu

News Editor

The second attack not only comes after Albania cut diplomatic ties with Iran and expelled its embassy officials from the country but also after NATO and its individual members issued stern statements condemning Iran's actions as a violation of international cyber norms, since the attack also impacted civilian infrastructure.

The stern statements were also followed on Friday by economic sanctions imposed by the US Treasury against Iran's Ministry of Intelligence and Security (MOIS) and its leader Esmail Khatib, Iran's minister of intelligence, who US officials said ordered the operation.

In a statement published on Twitter, Iran's Mission to the EU accused NATO and its members of hypocrisy because they remained silent when Iran was the victim of cyberattacks against its infrastructure and nuclear facilities (most likely referring to the Predatory Sparrow and Stuxnet attacks). In addition, Iran accused NATO of harboring terrorists, referring to Albania hosting members of MEK, an Iranian political opposition party that was moved to a camp in Albania at the request of the US government after the Tehran regime proclaimed it a terrorist organization and started hunting and imprisoning its members. As Mandiant and Microsoft explained in their reports, Albania hosting MEK members was the main reason Iran carried out its July attack.

Risky Biz News: Albania cuts diplomatic ties with Iran in first-ever cyber-related escalation

Presented by

Catalin Cimpanu

News Editor

Rama gave Iranian diplomats 24 hours to close the embassy and leave the country. While the Iranian government denied being involved in the attack, NATO, the White House, and the UK government published statements in support of the Albanian government and its attribution of the attack to the Tehran regime.

The US called Iran's attack on its NATO ally a "troubling precedent" and promised to "take further action to hold Iran accountable."

But while Iranian officials might deny any involvement, the proof is in the pudding, and, in this case, the pudding is the malware used in the July 15 attack, which both Mandiant and Microsoft have linked back to multiple past instances of Iranian cyber-espionage operations and tooling.

Albania Severs Diplomatic Ties With Iran Over Cyber Attack

Presented by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

After significant community pressure, Cloudflare has dropped Kiwi Farms, a decade-old website notorious for planning and executing harassment campaigns targeting transgender and other marginalised people.

Kiwi Farms is a terrible website. NBC reporter Ben Collins has done some excellent reporting on the site, which he says "extremist researchers warned me not to cover because publicising it would be dangerous".

Risky Biz News: China does its best US APT attribution effort but falls short of the mark

Presented by

Catalin Cimpanu

News Editor

Is the Chinese government also trying to pay back the US for doxing some of its operators? Because they've missed the entire point, and by a mile. The US has doxed and criminally indicted Chinese APT members for engaging in theft of intellectual property from private entities, for their own profits, outside the realm of normal espionage collection activities. That IP has often been forwarded to private or state-owned Chinese companies, who later entered markets they had no business being in, with practically zero investment in R&D.

What is the Chinese government saying with these silly reports? That the US is hacking targets of legitimate military and surveillance interest? Yeah! No s***, Sherlock! That's how cyber-espionage works. It would be a dereliction of duty if the US (or the cybersecurity agency of any other country) didn't keep an eye on China, the world's largest economy that has been heavily investing in its military while also showing signs of growing aggression towards neighboring states like Taiwan and India.

If this is the best the Chinese government can do in terms of attribution and exposing foreign APTs, this says a lot about the state of its defensive cybersecurity capabilities and the health of its cybersecurity market.