Newsletters

Cybersecurity agencies from Japan and the US have issued a joint security  advisory about a Chinese APT group that is hacking the overseas subsidiaries of US and Japanese companies and then pivoting to their corporate headquarters.

Known as BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group targets internet-facing routers as their entry point into victim networks.

To maintain access, the group hot-patches the router firmware with a modified version that bypasses security features and contains a built-in SSH backdoor to maintain future access.

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations.

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD$15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

The US Cybersecurity and Infrastructure Security Agency released on Monday the first version of the Hardware Bill of Materials (HBOM), a framework meant to mitigate supply chain risks for hardware/physical products.

The framework is inspired and is meant to be a complement to SBOM, a similar framework that CISA has been pushing to software vendors since the Log4Shell incident in late 2021.

Under the new HBOM framework, hardware vendors are expected to produce an HBOM file that will contain information on all physical components used in a product.

China's Ministry of State Security (MSS) published an extremely rare official statement on its WeChat account last week formally accusing the US National Security Agency of hacking and maintaining access to servers at Huawei's headquarters since 2009.

The statement is the first time the Chinese government has confirmed the NSA's Huawei hack—first reported by the New York Times and Der Spiegel back in 2014.

Based on documents from the Snowden leaks, the two reports cover Shotgiant, an NSA operation to compromise Huawei's network.

North Korean hackers known as the Lazarus Group have stolen $54 million from the CoinEx cryptocurrency exchange.

The hack took place on Tuesday, September 12. In a statement, CoinEx said the hackers identified a leak of some of its private keys and used them to steal Ether, Tron, and Matic assets from some of the company's hot wallets.

The company didn't formally link the hack to North Korea, but a blockchain investigator named ZachXBT found that some of CoinEx's stolen funds were sent to the same address that is storing funds stolen from the recent hack of the Stake.com crypto-gambling site.

Last week, Microsoft released its latest report into how its services were compromised by a China-based actor it called Storm-0558. It's an eye opening document that raises some red flags about Microsoft's security culture.

To summarise the incident briefly, Storm-0558 used a Microsoft Account (MSA) signing key to gain access to the email accounts of individuals in businesses and in government departments including the US Department of State and the US Department of Commerce. For several reasons this hack should not have worked, yet Storm-0558 was able to take advantage of multiple flaws in Microsoft processes to achieve its objectives.

From the perspective of someone who has worked in high-security environments, some of these flaws are absolutely bewildering.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced it is providing free access to its official Vulnerability Scanning (VS) service to the operators of public US water and wastewater utilities.

The VS service has been running for years but has been previously available to federal civilian agencies only.

The service will help water utilities identify internet-exposed systems and see if they are vulnerable to known security bugs.

Microsoft will phase out the use of third-party printer drivers in Windows in favor of a new and more secure interface.

"In the near future, Windows will default to a new print mode that disables 3rd party drivers for printing," said Microsoft security engineer Johnathan Norman.

"That new system will have quite a few big security improvements, which we plan to detail in a future blog post."

The US and UK governments have revealed the real-world identities and imposed sanctions on 11 additional members of the Trickbot/Conti cybercrime operation. The new sanctions come after both governments doxed and sanctioned seven members earlier this year in February.

The new batch includes:

This adds to the February batch of sanctioned Trickbot/Conti members, which includes:

A harrowing new UN report describes how hundreds of thousands of trafficked people are forced into working in online scam operations.

These operations cover the gamut from online fraud such as romance scams and fake cryptocurrency investment schemes to illegal gambling. They take place in online scam centres known as "boiler rooms" or "pig-butchering farms".

The human toll is staggering. The report says that at least 120,000 people across Myanmar and 100,000 in Cambodia are thought to be forced to work on online scams. The report cites Myanmar's military coup, ongoing violence and breakdown in the rule of law as significant factors in the proliferation of boiler rooms in the country.