Newsletters

Security updates are being shipped out to mobile operators across the world to fix vulnerabilities in more than two billion eSIMs.

The vulnerabilities impact Kigen's eUICC (embedded Universal Integrated Circuit Card), a software package provided to mobile network operators to support eSIM technology.

eSIMs allow mobile operators to ship a software-based SIM to a device. The technology is mainly used for issuing temporary SIMs to travelers and to add mobile connectivity to IOT devices that can't fit a SIM card slot.

A small number of key individuals are organising the activities of the group known as Scattered Spider, according to researchers at security firms. If it's true, there is hope that targeted approaches might bring some respite from the group's carnage. 

Scattered Spider is responsible for a number of significant, high-impact hacks that have left many victim organisations struggling to recover, sometimes for months. The group first achieved notoriety in 2023 for the hacks of Caesars Entertainment and MGM Resorts International. Since May this year the group is believed to have struck retailers in the UK and the US, insurance companies, and then airlines in quick succession. Overall, it's responsible for the compromise of hundreds of companies since 2022. It is financial cybercrime's apex predator. 

Its cybercrime activity is characterised by the use of highly effective social engineering to gain initial access to victims. This is followed up by brutally efficient post-compromise activities to steal data, deploy ransomware and cause mayhem in double-quick time.

More than one million users have installed browser extensions that turn their browsers into proxies for a web scraping botnet.

The extensions contain a library named Mellowtel that waits for users to go inactive, disables page security protections, and then loads a remote website inside a hidden iframe. The parsed/scraped website is then sent to a remote URL for analysis.

SecureAnnex found the Mellowtel library in 245 extensions for Chrome, Edge, and Firefox.

Chinese security firm QiAnXin claims it discovered a new cyber-espionage group targeting China's high-tech sectors and operating out of North America.

QiAnXin's PanGu and RedDrip teams presented their findings at the CYDES security conference in Malaysia last week and published a technical report on GitHub on Friday.

Researchers describe the new NightEagle group (aka APT-Q-95 and APT-C-78) as extremely stealthy and very sophisticated.

The Hunters International ransomware operation has shut down and promised to release free decryption keys for all past victims.

The group announced the shutdown in a message posted on its dark web leak site on Thursday, July 3, after removing all past victims.

The operation launched at the end of 2023 and was a rebrand of the Hive ransomware, which had its infrastructure seized earlier that year.

US authorities and security firms have spent the last few weeks pumping out non-stop warnings about an increased threat of Iranian cyber attacks targeting US critical infrastructure. At the time of writing these attacks have not materialised. Given the US has already dropped very real bombs, we think Iran has good reason to avoid escalatory cyber attacks.

Disruptive cyber attacks can be useful because they cause harm and they are also hard to stop or deter. Iranian groups have carried out these kinds of irritating attacks in the past. But there's a caveat. These types of attacks are useful and worthwhile before bickering between states escalates to armed conflict.

Back in December 2023, for example, an Iran-linked group calling itself the Cyber Av3ngers disrupted water facilities across the US by hacking Israeli-made Unitronics programmable logic controllers. These devices are important because they are used to control and monitor operations at water processing plants. Still, in this case, the incidents were annoying rather than destructive or disastrous. 

The US Treasury Department has sanctioned the Aeza Group, a well-known provider of bulletproof web hosting services for malware, disinformation campaigns, and dark web marketplaces.

Sanctions were levied on the main company, three subsidiaries, its three owners, and a fourth high-ranking executive. They cover:

Officials have linked Aeza Group's server infrastructure to the Lumma, Meduza, and RedLine infostealers, the BianLian ransomware, and the BlackSprut dark web drugs marketplace.

Individuals associated with a large cluster of hackers known as Scattered Spider (Muddled Libra, UNC3944) are targeting companies in the aviation and transportation sectors.

The group, which was previously very active in 2023 and had some members arrested in 2024, saw a resurgence in activity this year.

It returned with a bang with attacks that targeted UK retail chains, moved to go after US retailers, and then targeted US insurance businesses before a new change in targets this month.

Phishing gangs are abusing a little-known Microsoft Exchange Online feature to send malicious emails to Microsoft 365 tenants and their employees.

The feature is named Direct Send and allows hardware devices inside a company's network to use the Exchange Online server to send emails. It is typically used by printers and scanners to send scanned documents via email or by phone or video conferencing applications to send invites and reminders to participants.

Direct Send is basically an endpoint that can be accessed via a smart host URL that has the format of tenantname.mail.protection.outlook.com.

A new report from the Atlantic Council suggests the US needs to strengthen its exploit development pipeline if it wants to remain competitive in cyberspace. 

That report, Crash (exploit) and burn, compares how the 0day supply chain approaches differ between China and the United States. 

The author interviewed security researchers, national security and intelligence officials, and senior leaders from offensive hacking and vulnerability research companies in the Five Eyes countries.