Newsletters

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

A wave of international action against ransomware demonstrates the effectiveness — and the limits — of coordinated action. The actions involved arrests coupled with unsealed indictments, cryptocurrency seizures, cryptocurrency exchange sanctions and multimillion dollar rewards for information about Darkside or REvil leadership and affiliates. Some of these actions will directly affect the ransomware ecosystem, but the doxxing and rewards appear intended to make life deeply uncomfortable for criminals in bullet-proof jurisdictions like Russia.

Europol announced seven ransomware affiliate arrests, five for involvement in REvil/Sodinokibi ransomware and another two for involvement with GandCrab. The arrests occurred around the world: two people in Romania, three in South Korea, one in Kuwait and one in Poland at the request of the US.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

US Cyber Command was involved in a campaign targeting the REvil ransomware gang that resulted in the group scattering. The unofficial attribution to USCYBERCOM, via Ellen Nakashima's report in the Washington Post, should deliver a significant psychological impact to the ransomware scene.

The report says USCYBERCOM used stolen or cracked key material to spin up a fake duplicate of the ransomware crew's Tor .onion server. This spooked the REvil group enough to take a serious look at its infrastructure. From there, it discovered a historical server breach, apparently conducted by a US partner's security agency. This really gave the REvil team the willies.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Espionage efforts that target cloud and managed services to enable access are becoming the new normal.

This week Microsoft announced it had detected further espionage activity from the Russian state actor it calls Nobelium (aka APT29 and Cozy Bear), the one responsible for the Holiday Bear campaign and part of Russia's foreign intelligence service, the SVR.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

In the first possible sign of offensive cyber operations against ransomware crews, REvil's Tor payment portal and data leak site were hijacked. As a result REvil has again shut down its operations for a second time this year, hopefully for good.

REvil first disappeared shortly after its July mass compromise of Kaseya customers, after its leader and spokesperson UNKN disappeared and was presumed dead (or perhaps absconded with the group's money). REvil resumed operations after a couple of months using its previous infrastructure, including the same access keys, but now they've been spooked by someone compromising their servers, apparently in an effort to identify other gang members.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The Biden White House's ransomware summit kicked off today and it wasn't the empty stunt we expected it to be.

We had been wondering what prompted officials from the Netherlands, UK and Australia to signal a more aggressive, military and intelligence agency-backed response to the ransomware threat, and now we know: They were sharpening up their policy positions ahead of the White House-coordinated meeting.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Keyword and geofence warrants that tap into the panopticon of Google's data holdings feel a bit creepy, but these searches can be both targeted and proportional. They are a valuable investigative tool and should have oversight and limits applied to them rather than being banned.

Geofence warrants provide law enforcement with details of devices (and hence potential suspects) at the scene of a crime at a specific time. These warrants have been used extensively to identify participants in the January 6 Capitol riots and are increasingly common — Google received over 11,000 of these warrants in 2020.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Chinese firms are so closely interlinked with the Chinese government that they cannot be trusted in critical infrastructure. The release of two Canadians held by China immediately after Huawei CFO Meng Wanzhou struck a plea deal and returned to China, proves it.

"Huawei Princess" Meng Wanzhou, Huawei founder Ren Zhengfei's daughter, had been under house arrest in her two Vancouver mansions for three years as the US sought her extradition in relation to Huawei's alleged sanction-breaking dealings with Iran. Two Canadian citizens, Michael Kovrig and Michael Spavor (often referred to as the two Michaels) were detained in China in apparent retaliation nine days after Meng was arrested in Canada in December 2018.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The censorship battle between tech companies and illiberal governments is kicking off in earnest, and so far the tech firms are being completely pantsed.

The cold, hard fact is state power trumps technology companies' content policies. This week we saw this truth in action when Russian authorities forced tech platforms to take down apps and content promoting jailed Russian opposition leader Aleksei Navalny's election-related efforts.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

It's counterintuitive, but it's likely the booming number of 0day exploits being captured in the wild is good news.

Security Week has documented 66 0days exploited in the wild so far this year; 15 targeted iOS and macOS, 20 affected Microsoft products including Exchange, Office, the Windows print spooler, etc. Just this week Google, Apple and Microsoft all patched 0days that were being actively exploited.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Apple has backflipped on its plan to implement on-device scanning for known Child Sexual Abuse Material (CSAM) with the introduction of iOS15.

"Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features," a company release read.