Newsletters

Written content from the Risky Business Media team

Risky Biz News: LockBit-Mandiant drama, explained

Presented by

Catalin Cimpanu

News Editor

Palermo: The IT infrastructure of the city of Palermo, Italy, has been down since last Friday following a cyber-attack.

Maiar hack: DeFi platform Maiar said on Monday that a threat actor exploited a vulnerability on its platform and stole more than $113 million worth of cryptocurrency from its wallets. In a YouTube video published on Tuesday, the platform's CEO said they had already recovered 95% of the stolen funds.

Schulte profile: The New Yorker has a fantastic profile of Joshua Schulte, the former CIA agent behind the WikiLeaks Vault7 leak.

Risky Biz News: Microsoft disrupts Bohrium APT infrastructure

Presented by

Catalin Cimpanu

News Editor

"Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education," Hogan-Burney said.

The Microsoft exec said the group's members used fake social media profiles, often posing as recruiters, and lured employees at targeted organizations on one of the 41 malicious sites. Here, they tried to collect their personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.

To date, Microsoft's DCU team has used the US court system to seize domains and server infrastructure from more than two-dozen cybercrime and espionage groups alike.

Risky Biz News: Website defacements and CCTV hacks in Iran

Presented by

Catalin Cimpanu

News Editor

In a statement posted on its website, the political group claimed they carried out the attack with the help of "a network of dissidents inside Iran."

MEK said they timed the attack to take place on the eve of Ayatollah Khomeini's death, mourned/celebrated each year across Iran on June 3.

As part of their intrusion, MEK said they also used the compromised servers of the Tehran municipality to send SMS messages to more than 585,000 Iranian phones. The messages read: "Damned be Khomeini, death to Khamenei and Raisi, Hail to Rajavi," according to a video the organization published on YouTube.

Srsly Risky Biz: Thursday June 2

Presented by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Hacked documents released last week have shed light on the extent, brutality, and official government support for the PRC's oppression of its Uyghur population. Given the long history of states pretending to be hacktivists, we thought we'd examine the incident to see if there are any red flags a state might be behind the hack.

The documents, released as the Xinjiang Police Files, contain a range of different file types, including transcripts of not-for-publication speeches from Chinese officials, operational directives for police, detainee photos and personal records, and also internal police PowerPoint files. These files were provided to Dr. Adrian Zenz, Director in China Studies at the Victims of Communism Memorial Foundation and a leading researcher of China's Xinjiang re-education camps. Zenz stated on Twitter that the files were provided by an individual who got access "by hacking into Xinjiang police/re-education camp computers" in two separate counties. In a journal article, Zenz expands on how he acquired the files:

Risky Biz News: Russia orders Google to remove Tor Browser from Russian Play Store

Presented by

Catalin Cimpanu

News Editor

Mirror Protocol hack #2: ...and then the same person who found the first attack found a second one.

Portland falls to BEC: The US city of Portland, Oregon, said it lost $1.4 million to a BEC scammer last month, in April 2022. In a press release last week, city officials said they identified that they sent city funds to the wrong bank account after the threat actor attempted to scam the city a second time.

Hackers-for-hire: Reuters is reporting on a court case in which independent journalist Scott Stedman testified that jailed Israeli private detective Aviram Azari worked to hire Indian hackers to carry out espionage operations on behalf of several Russian oligarchs. Azari pleaded guilty last month to working with BellTroX, a New Delhi-based hacker-for-hire company.

Risky Biz News: Threat actor stole data for 100,000 npm users

Presented by

Catalin Cimpanu

News Editor

Infraud sentence: A 37-year-old named John "Peterelliot" Telusma was sentenced last week to four years in prison. Telusma was a member of the Infraud cyber crime ring, which dabbled in the sale of stolen credit card data.

DOJ goes after BEC actor's funds: The US Department of Justice moved last month to seize almost $4.5 million (151.85 BTC) in funds owned by a suspect accused of BEC schemes. Olalekan Jacob Ponle, who went online as "Mr. Woodbery," was charged and arrested in June 2020. As cybersecurity veteran Gary Warner pointed out on Friday, the DOJ intervened to seize the funds after a mysterious entity moved the Bitcoin to a new address.

FBI alert: The FBI said in a PIN alert last week that credentials for US colleges and universities are being widely advertised across Russian cybercrime forums. The agency is now warning organizations about a possible rise in attacks targeting their institutions. The full alert is here: PDF.

Risky Biz News: Microsoft will enable better security defaults for all Azure AD tenants next month

Presented by

Catalin Cimpanu

News Editor

Verizon employee breach: A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone numbers of hundreds of Verizon employees. Motherboard reported that the threat actor got their hands on the data after tricking a Verizon employee into giving them remote access to their computer.

SpiceJet: Indian low-cost airline SpiceJet said it was hit by an "attempted" ransomware attack on Wednesday that disrupted some of its operations and delayed some flights.

MGM Resorts data dumped: The data of more than 142 million guests who stayed at MGM hotels in the past was released for free on a Telegram channel earlier this week. The data comes from a 2019 security breach, which came to light in early 2020 after a data broker began advertising the data on cybercrime forums.

Srsly Risky Biz: Thursday May 26

Presented by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Adversary states are promoting state-sponsored disinformation and manipulating social media, but some Western liberal democracies — particularly the United States — are poorly placed to respond.

There is evidence that some countries are actively building the infrastructure that's required to launch and sustain disinformation operations. Last week the security company Nisos released a report on the Fronton IoT botnet, which it describes as "a botnet for [the] creation, command, and control of coordinated inauthentic behaviour".

Risky Biz News: Python and PHP libraries hijacked to steal AWS keys

Presented by

Catalin Cimpanu

News Editor

RansomHouse: Threat intelligence company CyberInt has published a report on a new data extortion group, first seen earlier this year, that calls itself RansomHouse. The group has one of the longest and most detailed terms of service of any extortion group seen operating over the past few years.

DeFi hacks: Security firm Bishop Fox has a report out reviewing all the DeFi blockchain platform hacks from last year and the main methods used to breach their networks and exfiltrate funds.

jQuery scans: A threat actor is scanning the internet for websites that use the jQuery File Upload plugin, per SANS ISC. The organization believes the threat actor is attempting to fingerprint vulnerable systems in order to exploit security flaws in the plugin and upload malicious files (such as web shells) to web apps still using older versions of the plugin.

Risky Biz News: STAR Labs wins Pwn2Own 2022

Presented by

Catalin Cimpanu

News Editor

The researchers who made up STAR Labs' Pwn2Own line-up this year included Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed), Ngo Wei Lin (@Creastery), Billy Jheng Bing-Jhong (@st424204), Muhammad Alifa Ramdhan (@n0psledbyte), Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss), Phan Thanh Duy (@PTDuy), and Lê Hữu Quang Linh (@linhlhq).

Although several Pwn2Own hacking contests usually take place throughout the year, the Pwn2Own CanSecWest edition, typically held in Vancouver, Canada, in the spring, is considered the world's premier hacking competition today, the one where most top vulnerability researchers come to compete against each other. During CanSecWest, participants can select from a list of desktop and server products that they can hack during 15-minute sessions on stage.

Other Pwn2Own editions also take place throughout the year with a focus on smart devices and smartphones (Tokyo, in the fall), and in recent years even ICS/SCADA industrial equipment (Miami, in the winter).