Newsletters

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.

This Reddit post is a stellar example of unintentional "play stupid games, win stupid prizes" hilarity. The original poster, Suspendedbankaccs1, is baffled as to why their HSBC, Santander and Barclays bank accounts have been suspended.

RailYatri leak: The personal details of more than 31 million Indians is currently on sale on an underground hacking forum. The seller claims the data belongs to RailYatri, a ticket-booking app used by India's national railway. A government official told the Hindustan Times they are currently investigating the incident.

Virgin Media incident: Virgin Media Television broadcasts were impacted across Ireland after the company discovered an "unauthorised attempt to access [their] systems." According to Ireland's national television RTE, as a result of the attack, Virgin Media aired recorded programming on several channels on Monday, such as Virgin Media 3, 4, More, and VMTV Player.

DOD leak: The US Department of Defense has leaked sensitive emails after it left one of its Azure servers exposed on the internet without a password. According to TechCrunch, the server hosted internal mailboxes for US Special Operations Command, or USSOCOM, the US military unit tasked with conducting special military operations. Some of the emails exposed in the incident also contained SF-86 questionnaires used by DOD employees to apply for security clearances.

Ukraine cyber incident stats: The Ukrainian government says it recorded 2.8 times more cyber incidents throughout 2022 than in 2021. Officials say they registered 415 distinct cyber incidents throughout the year, most connected to Russia's military invasion.

Fines for SORM disobedience: The Russian Duma is working on a law that will introduce turnover-based fines for local telco providers that fail to install its SORM traffic monitoring system. SORM, initially introduced in the 90s, is special equipment installed in the telco's backend network that logs internet and telephony traffic and allows Russian law enforcement and intelligence services to search through the data. SORM is already mandatory for all Russian telcos, but no penalty was specified for companies that failed to implement it or refused to have the equipment working, which has been the case with the smaller operators. The fines will range from 0.001 to 0.003% of a telco's annual revenue, according to Russian news outlet Vedomosti.

Centralized database of fraudsters: Elvira Nabiullina, the head of the Central Bank of Russia, wants to create a centralized database of fraudsters to improve the security of Russian banks and their customers. We wonder if Mrs. Nabiullina's "centralized database" will also include all the Russian cybercrime groups and money launderers operating within Russia's borders.

"It is kind of a weird joint publication given that it talks about 'recently conducted malicious cyber activities' but then goes on to mention examples as far back as July 2021," Stefan Soesanto, a Senior Cyber Defence Researcher at the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) in Zurich, tells RiskyBizNews.

"On the one hand, this read to me as a stern reminder but also fairly desperate attempt by CERT-EU and ENISA to appeal to European public and private sector organizations.

"On the other hand, it was great to see all these past incidents being re-highlighted and Chinese threat actors being mentioned in the context of 'sustained activity'," Soesanto adds.

Last week we covered the Chinese spy balloon and noted that several previous balloons had apparently transited the US without being detected. The US commander of NORAD said the US military "did not detect these threats" and described the lack of visibility as a "domain awareness gap".

We speculated that defence contractors would be lining up to close this gap, but in news that will no doubt sadden the growth team at Lockheed Martin, the USA was able to tune up its existing detections to identify balloon-like objects. A US official told the Washington Post that adjustments to filters on various sensors closed the gap:

When you look, you find, and this has led to a string of objects being found and shot down. At time of writing, the US military has now downed three additional objects over the US and Canada since our last edition. It's not clear exactly what these craft were but given the sheer number of balloons launched every year they probably aren't of any intelligence significance (and certainly not alien spacecraft) but were downed because of the potential threat they posed to civilian air traffic.

Horny DOD: The Office of the Inspector General for the Department of Defence has found that DOD employees often flaunt rules and install unauthorized apps on government devices, exposing themselves to cybersecurity risks. An audit of DOD employee smartphones has found dating apps, third-party VPNs, cryptocurrency apps, Chinese drone apps, games, and apps related to multi-level marketing schemes installed on DOD devices. The DOD-OIG has recommended that the DOD employees remove the apps, remove access to unmanaged app stores, and require DOD employees to forward a complete list of DOD messages sent via unauthorized messaging apps installed on their work devices so officials can address any possible leaks and risks. [More in Gizmodo]

What a massive surprise: Everyone at RiskyBiz is absolutely shocked that the emails of a UK MP who showed support for Ukraine and were allegedly hacked by Russian intelligence services have reached the hands of a former UK politician peddling pro-Kremlin propaganda like "NATO blew up NordStream 2" and "NATO provoked Russian into invading Ukraine."

Airlock Digital is one of this newsletter's four main supporters and this week's featured sponsor. Earlier this year, in May, Airlock Digital CEO David Cottingham held a product demo with Patrick Gray, the host of the main Risky Business podcast, showing how Airlock's allow-listing product works.

New Ali's Justice (Edalat-e Ali) hack: Iranian hacktivist group Ali's Justice (Edalat-e Ali) has hijacked the signal of Iran's state television channel IRIB on the 44th anniversary of the Iranian Revolution, which took place on Saturday, February 11. The hacktivist group interrupted a speech from Iran President Ebrahim Raisi and replaced it with a call to the Iranian people to withdraw money from government banks and to assemble in new anti-government protests to take place on February 16. The interruption only lasted one minute and was also accompanied by a "Death to Khamenei" slogan.

MSDT EOL: Microsoft has announced the end-of-life for its Microsoft Support Diagnostic Tool, a built-in tool that shipped with many previous Windows versions and would work by launching automatically to diagnose and correct common problems for a variety of Windows features. Microsoft says that starting this year, MSDT will start redirecting users to the Get Help troubleshooting platform, and the MSDT platform will be removed completely in 2025.

CHERIoT: Microsoft has open-sourced CHERIoT, a security-first real-time operating system (RTOS) and software stack for running on embedded devices with under 256 KiB of SRAM. The name stands for Capability Hardware Extension to RISC-V for Internet of Things.

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

PyPI malware: DevSecOps Sonatype has identified four malicious Python libraries hosted on the official PyPI portal. The libraries contained functionality to install other malware, delete the netstat utility, and tamper with SSH keys installed on a system to allow an attacker to connect remotely.

QakNote: We touched in one of our previous editions about the rise in the use of OneNote documents to deliver malware. We had reports on the topic from Proofpoint, WithSecure, OpalSec, and Yoroi. Now, Sophos has one out, too—detailing how the QakBot gang is weaponizing OneNote for its campaigns.

Our initial response to news that a spy balloon was merrily floating its way across the continental United States was scepticism. What could the PRC hope to achieve with a balloon that it couldn't achieve with other intelligence sources, such as space-based collectors?

Well, according to the Chinese government it wasn't a spy balloon at all. In a statement that leaves behind a truly hilarious amount of wiggle room, China's government claimed it was a civilian research airship used for "mainly meteorological" purposes.

The yanks aren't buying it. The US government is adamant that balloon was up to no good.

SperaxUSD crypto-heist: A threat actor exploited a bug in the protocols of the SperaxUSD cryptocurrency service and stole roughly $300,000 from the company.

Vesuvius incident: UK engineering company Vesuvius says it suffered a cybersecurity breach. The company says it shut down affected systems and is working to investigate the incident and restore systems. The company has more than 10,000 employees across the world and is known for its metal and ceramics work and molten metal flow engineering.

RSAWeb ransomware attack: A ransomware attack has been identified as the source of a days-long outage that has impacted the services of South African telco and cloud hosting provider RSAWeb. The incident took place on February 1, and the company took days to fully recover, according to a notification the company sent to its customers. The company says the attack affected its website, internet fiber, mobile, hosting, VoIP, and PBX services. [Press coverage in MyBroadband]