Newsletters

Revelations that the FBI improperly used data collected for foreign intelligence under Section 702 of the Foreign Intelligence Surveillance Act (FISA) are fueling doubts about whether the authority will be renewed before it expires at the end of the year.

The news of the FBI searches is contained in a declassified court opinion released by the Director of National Intelligence. The opinion, issued in April of last year by the Foreign Intelligence Surveillance Court (FISC), describes the FBI as having a "pattern of broad, suspicionless queries that are not reasonably likely to retrieve foreign intelligence or evidence of crime".

Section 702 allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US and has been described by US officials as the "crown jewel" of US surveillance programs. The Section 702 amendment was motivated in part by terrorist use of US email service providers in the early 2000s.

The US Treasury has imposed sanctions on five North Korean entities, including a university where the government trains its cyber forces and two cyber units part of its intelligence apparatus.

Sanctions were levied against the Pyongyang University of Automation, which US officials say has trained many of the cyber units of the Reconnaissance General Bureau (RGB)—North Korea's primary intelligence bureau and main agency behind the country's cyber espionage and cyber thefts.

Officials also sanctioned two of the RGB's bureaus—the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center.

A cybercrime operation tracked as the Lemon Group has planted malware inside the firmware of almost nine million Android devices sold across the world over the past half-decade.

The group's malware has been found in the OEM firmware images of multiple brands of low-cost Android smartphones.

Trend Micro, which has been tracking the group for years, says it was unable to discover how exactly this was done, but the company suspects the group may be working with insiders at various smartphone factories.

Google says it plans to delete accounts that have been inactive for more than two years.

The company says that while the new policy has entered into effect this week, it will start mass-purging inactive accounts in December. This should give enough time for users to log in and reactivate older or backup accounts.

Google says it plans to first delete accounts that were created and never used again before moving to accounts that saw some activity.

Crimephones are back in the news after a legal challenge against the UK's National Crime Agency's Encrochat operation failed and it emerged that the Calabrian mafia have embraced a secure communications device from a company named No. 1 Business Communication.

The recent news is a good excuse to look back on the recent history of crimephones and the law enforcement operations that have rendered them worse than useless to criminals.

If you're not au fait, "crimephone" is the Risky Business HQ term for dedicated encrypted devices that are marketed in criminal networks to help facilitate illegal activity. Typically these devices offer a hardened (in theory) OS, a pre-loaded encrypted messaging app, can only communicate with other similar devices in a closed network, and are sometimes stripped of extraneous functionality such as GPS, camera and microphone.

The US Justice Department has charged a Russian national named Mikhail Pavlovich Matveev for a series of ransomware attacks across the US, including two attacks against police departments.

Matveev is widely known in infosec circles under his hacker pseudonym of WazaWaka. He has also gone on underground forums under many other nicknames, such as Boriselcin, KAJIT, M1x, Orange, and Uhodiransomwar.

He is a known initial access broker and a former affiliate for ransomware gangs such as Babuk, Conti, Darkside, Hive, and LockBit. He is also one of the founders of RAMP, a notorious dark web cybercrime forum that launched in the spring of 2021.

A reminder that every edition of this newsletter is also available as a podcast:

ABB ransomware attack: Electrification and automation company ABB confirmed last week that it fell victim to a ransomware attack. The incident allegedly took place on May 7 and was the work of the Black Basta gang. The attackers gained access to the company's Windows Active Directory and spread through its internal network. ABB allegedly had to terminate VPN connections with customer networks to prevent the ransomware from spreading further. The attack impacted ABB operations at some of its factories. ABB is one of the world's largest companies and has been a member of the Fortune 500 for more than 25 years.

Discord breach: VoIP and instant messaging service Discord is notifying users of a security breach after a threat actor gained access to the account of a third-party customer support agent. The company says the attacker gained access to the support agent's ticketing queue. This exposed the information for some users with active support requests. Exposed information included email addresses, support messages, and attachments added to any ticket.

The same dark web scanning feature is also one of the security systems that powers a Chrome feature that warns users to change passwords that have appeared in data leak packages.

While the feature will initially roll out to the US market only, Google says it plans to make this available to all users.

The new feature is part of a series of security upgrades [1, 2] announced by the company at its annual I/O developer conference this week. The list also includes:

The joint cybersecurity advisory on Snake, co-authored by the US government and Five Eyes cyber security authorities, is tremendous. It manages to cover the big picture while also drilling in to provide detailed technical information in a very readable way.

Per the report:

The report describes Snake as sophisticated because it is stealthy, modular, runs on different operating systems and is also well built, "with the implant containing surprisingly few bugs given its complexity". Initial versions were called "Uroburos" and included part of the historical illustration of an Uroburos (above) by German philosopher Jakob Böhme.

Officials also formally attributed Snake to Centre 16 of Russia's Federal Security Service (FSB)—marking the first time any foreign government has linked the highly advanced Turla APT to the Russian government.

At the technical level, officials called Snake the FSB's "most sophisticated cyber espionage tool."

Five Eyes agencies say the FSB typically used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.