Newsletters

Verizon employee breach: A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone numbers of hundreds of Verizon employees. Motherboard reported that the threat actor got their hands on the data after tricking a Verizon employee into giving them remote access to their computer.

SpiceJet: Indian low-cost airline SpiceJet said it was hit by an "attempted" ransomware attack on Wednesday that disrupted some of its operations and delayed some flights.

MGM Resorts data dumped: The data of more than 142 million guests who stayed at MGM hotels in the past was released for free on a Telegram channel earlier this week. The data comes from a 2019 security breach, which came to light in early 2020 after a data broker began advertising the data on cybercrime forums.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Adversary states are promoting state-sponsored disinformation and manipulating social media, but some Western liberal democracies — particularly the United States — are poorly placed to respond.

There is evidence that some countries are actively building the infrastructure that's required to launch and sustain disinformation operations. Last week the security company Nisos released a report on the Fronton IoT botnet, which it describes as "a botnet for [the] creation, command, and control of coordinated inauthentic behaviour".

RansomHouse: Threat intelligence company CyberInt has published a report on a new data extortion group that was first seen earlier this year and calling itself RansomHouse. The group has one of the longest and more detailed terms of service of any extortion group that was seen operating over the past few years.

DeFi hacks: Threat intel firm BishopFox has a report out reviewing all the DeFi blockchain platform hacks from last year and the main methods used to breach their networks and exfiltrate funds.

jQuery scans: A threat actor is scanning the internet for websites that use the jQuery File Upload plugin, per ISC SANS. The organization believes the threat actor is attempting to fingerprint vulnerable systems in order to exploit security flaws in the plugin and upload malicious files (such as web shells) on web apps still using older versions of the plugin.

The researchers who made up STAR Labs' Pwn2Own line-up this year included Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) Ngo Wei Lin (@Creastery), Billy Jheng Bing-Jhong (@st424204), Muhammad Alifa Ramdhan (@n0psledbyte), Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss), Phan Thanh Duy (@PTDuy), and Lê Hữu Quang Linh (@linhlhq).

Although several Pwn2Own hacking contests usually take place throughout the year, the Pwn2Own CanSecWest edition, typically held in Vancouver, Canada, in the spring, is considered the world's premiere hacking competition today—where most top vulnerability researchers come to compete against each other. During CanSecWest, participants can select from a list of desktop and server products that they can hack during 15-minute sessions on stage.

Other Pwn2Own editions also take place throughout the year with a focus on smart devices and smartphones (Tokyo, in the fall), and in recent years even ICS/SCADA industrial equipment (Miami, in the winter).

New Deadbolt ransomware attacks: Taiwanese IoT maker QNAP published a security alert on Thursday warning of a new wave of attacks using the Deadbolt ransomware against its network-attached storage (NAS) devices. The company said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series.

Ransomware academic study: A recent academic study on the landscape of ransomware payments has found that the operators of RaaS (Ransomware-as-a-Service) portals are better at laundering their funds than the smaller commodity ransomware crews. According to researchers, RaaS operators are more strict in their laundering patterns and prefer bitcoin mixers or (now-sanctioned) cryptocurrency exchanges over exchanges that adhere to KYC/AML regulations, typically used by the smaller commodity ransomware crews.

Ransomware initial access trends: A recent report published by cybersecurity firm Group-IB has found that many ransomware gangs prefer to use vulnerabilities in unpatched network devices as the preferred way to gain access to victim networks. In addition, the same report found that the average ransom demand grew by 45% to reach $247,000/attack last year in 2021. [Coverage of the report in Bleeping Computer]

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The Biden administration is in the process of drafting an executive order to restrain data transfers to foreign adversaries like China. According to Reuters, the order as drafted would give Attorney General Merrick Garland the authority to review and potentially block transactions involving the sale or transfer of data.

An effective executive order would be a good first step, but what comes next?

Crypto-hack #1: Users of the SpiritSwap and QuickSwap cryptocurrency platforms were redirected to phishing sites over the weekend when trying to access the platforms' legitimate domains. Both companies confirmed that the incidents took place after threat actors socially-engineered GoDaddy employees into transferring ownership of the domains. The hijacks lasted for a few hours before both companies managed to regain control over their official websites. While the platforms tried to warn users via social media and other channels, several users had their accounts hacked and emptied by the attackers.

Crypto-hack #2: However, this wasn't the only incident that took place over the weekend. About the same time as the SpiritSwap and QuickSwap incidents, a threat actor also deployed a malicious ad via the CoinZilla advertising platform. The script appeared on sites like CoinGecko, DEXTools, and Etherscan and prompted users to grant the attacker access to their Metamask wallets. CoinZilla confirmed the incident shortly after and said that the malicious ad was only live for "less than an hour" before they took it down.

Report on Real-Time Bidding: The Irish Council for Civil Liberties has published a report on Real-Time Bidding (RTB), the process at the heart of the modern online advertising industry. The report called RTB "the biggest data breach ever recorded" because it tracks and shares what people view online and their real-world location. The report discovered that a regular US citizen has their data and location tracked 747 times per day, on average, while in the EU, where there are stricter privacy regulations, users get their data tracked only 376 times per day. Some good coverage from Natasha Lomas in TechCrunch.

Ransomware in Zambia: The Central Bank of the Republic of Zambia said it suffered a cybersecurity incident on May 9 that crippled some of its services. Sources tell Risky Business News that the incident was an attack carried out by the Hive ransomware gang. In a tweet on Friday, the bank said that it recovered from the attack and that "affected systems have since been restored."

Anonymous in Sri Lanka: A report from Rest of World highlights that attempts from the Anonymous hacktivist collective to support the societal protests in Sri Lanka last week have resulted in the group hacking government portals and leaking the personal data of the same people they were trying to protect, exposing them to a huge risk of falling victims to spam, malware, and cybercrime.

Italy, Russia, Eurovision: Italian police said on Sunday that it blocked cyberattacks by pro-Russian hacktivist group Killnet that attempted to disrupt the final and semifinals of the Eurovision song contest, Reuters reported. This year's contest was held in Turin, Italy.

Musk's comments come after Starlink has intervened to provide more than 10,000 Starlink satellite terminals to the Ukrainian military after Viasat equipment stopped working just as Russian troops were crossing into Ukraine. Those terminals have been used to provide internet connectivity in areas of war, where Ukrainians have used them to record and document Russia's war crimes. But more than anything, the Starlink terminals have been crucial for military operations, with Ukrainian forces heavily relying on reconnaissance drones linked to Starlink terminals to scout Russian troops and send targeting information to nearby artillery units.

And Russia has been well aware of Starlink's crucial role in the war's development. While they have been able to knock out and hijack ground-based ISP infrastructure, Starlink has been largely operational for all the war's duration, being well out of Russia's missile range.

The country's frustration with Musk reached its peak point on Monday when Roscosmos chief Dmitry Rogozin sent out a message to Russian media via his Telegram channel, threatening that Musk would be held "accountable as an adult" and that he can't play the fool anymore for his role in the Ukrainian war.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

In a court settlement with the American Civil Liberties Union (ACLU), controversial facial recognition technology company Clearview AI agreed to not sell access to its facial recognition database of over 10 billion images to private companies or individuals in the US (although selling the use of its algorithm alone is ok).

The ACLU, which brought the case under a US state law, the Illinois Biometric Information Privacy Act, described the settlement as a "big win", although Clearview's lawyers also managed to claim victory, writing in a statement: