Newsletters

Crypto-hack #1: Users of the SpiritSwap and QuickSwap cryptocurrency platforms were redirected to phishing sites over the weekend when trying to access the platforms' legitimate domains. Both companies confirmed that the incidents took place after threat actors socially-engineered GoDaddy employees into transferring ownership of the domains. The hijacks lasted for a few hours before both companies managed to regain control over their official websites. While the platforms tried to warn users via social media and other channels, several users had their accounts hacked and emptied by the attackers.

Crypto-hack #2: However, this wasn't the only incident that took place over the weekend. About the same time as the SpiritSwap and QuickSwap incidents, a threat actor also deployed a malicious ad via the CoinZilla advertising platform. The script appeared on sites like CoinGecko, DEXTools, and Etherscan and prompted users to grant the attacker access to their Metamask wallets. CoinZilla confirmed the incident shortly after and said that the malicious ad was only live for "less than an hour" before they took it down.

Report on Real-Time Bidding: The Irish Council for Civil Liberties has published a report on Real-Time Bidding (RTB), the process at the heart of the modern online advertising industry. The report called RTB "the biggest data breach ever recorded" because it tracks and shares what people view online and their real-world location. The report discovered that a regular US citizen has their data and location tracked 747 times per day, on average, while in the EU, where there are stricter privacy regulations, users get their data tracked only 376 times per day. Some good coverage from Natasha Lomas in TechCrunch.

Ransomware in Zambia: The Central Bank of the Republic of Zambia said it suffered a cybersecurity incident on May 9 that crippled some of its services. Sources tell Risky Business News that the incident was an attack carried out by the Hive ransomware gang. In a tweet on Friday, the bank said that it recovered from the attack and that "affected systems have since been restored."

Anonymous in Sri Lanka: A report from Rest of World highlights that attempts from the Anonymous hacktivist collective to support the societal protests in Sri Lanka last week have resulted in the group hacking government portals and leaking the personal data of the same people they were trying to protect, exposing them to a huge risk of falling victims to spam, malware, and cybercrime.

Italy, Russia, Eurovision: Italian police said on Sunday that it blocked cyberattacks by pro-Russian hacktivist group Killnet that attempted to disrupt the final and semifinals of the Eurovision song contest, Reuters reported. This year's contest was held in Turin, Italy.

Musk's comments come after Starlink has intervened to provide more than 10,000 Starlink satellite terminals to the Ukrainian military after Viasat equipment stopped working just as Russian troops were crossing into Ukraine. Those terminals have been used to provide internet connectivity in areas of war, where Ukrainians have used them to record and document Russia's war crimes. But more than anything, the Starlink terminals have been crucial for military operations, with Ukrainian forces heavily relying on reconnaissance drones linked to Starlink terminals to scout Russian troops and send targeting information to nearby artillery units.

And Russia has been well aware of Starlink's crucial role in the war's development. While they have been able to knock out and hijack ground-based ISP infrastructure, Starlink has been largely operational for all the war's duration, being well out of Russia's missile range.

The country's frustration with Musk reached its peak point on Monday when Roscosmos chief Dmitry Rogozin sent out a message to Russian media via his Telegram channel, threatening that Musk would be held "accountable as an adult" and that he can't play the fool anymore for his role in the Ukrainian war.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

In a court settlement with the American Civil Liberties Union (ACLU), controversial facial recognition technology company Clearview AI agreed to not sell access to its facial recognition database of over 10 billion images to private companies or individuals in the US (although selling the use of its algorithm alone is ok).

The ACLU, which brought the case under a US state law, the Illinois Biometric Information Privacy Act, described the settlement as a "big win", although Clearview's lawyers also managed to claim victory, writing in a statement:

CCC privacy warning: Germany's Chaos Computer Club, one of the largest hacker communities in the world, published a blog post on Tuesday [in German] warning their members about the EU's plan to screen all IM/chat messages. Euractiv has obtained and broken down a copy of the EU's proposed plans—meant to combat child pornography.

Pentagon hates data brokers: And now for an oxymoron from the US government on data brokers and privacy. For starters, the US DoD has put out a call to the private sector for solutions to protect its military and civilian personnel from data tracking and data brokers that can amass vast quantities of information about its staff.

ICE loves data brokers: But on the same note, the ICE absolutely loves data brokers, according to a recent report. Academics from Georgetown University said that they've discovered that the ICE has used data brokers to bypass US judicial, legislative, and public oversight and build a surveillance system capable of tracking most US citizens.

But the attack on Costa Rica was not the only one that hit a LATAM country, Brett Callow, a threat analyst and ransomware expert at Emsisoft, told Risky Business News over the weekend.

"The US public sector has long been ransomware gangs' target of choice, but that may be changing. While attacks in countries like Costa Rica and Peru may not offer the same ROI, the increasing number of successes by US and European LEAs may make them seem like a safer choice," Callow told us, referring to the fact that many ransomware gangs may now be avoiding the US and Western Europe after a series of recent seizures, arrests, prison time sentences, and even bounties.

AGCO attack: AGCO, one of the largest manufacturers of agricultural equipment in the US, was hit by ransomware on Friday. The company said the attack affected operations at some of its production facilities, and dealers said tractor sales had been stalled during the crucial planting season. The attack came on cue and only three weeks after the FBI published an alert [PDF] about ransomware gangs looking to disrupt the US agriculture sector during the spring planting season.

Alcohol supply in Russia: A series of DDoS attacks carried out by Ukraine's IT Army on EGAIS, a government system used to control and regulate alcohol production in Russia, is apparently causing production delays and supply chain issues across the country. According to Russian "alcohol" media (because that's apparently a thing), alcohol factories and warehouses are very dependent on the EGAIS system, which they use to control supply volumes and avoid overstocking, and some beer factories had to temporarily shut down operations because of EGAIS being down.

Passwordless goes mainstream: Apple, Google, and Microsoft announced on Thursday plans to expand support for the FIDO standards inside their core products. At a technical, support for "passwordless" logins will mean that devices from the three companies will be able to handle a FIDO sign-in credential (referred to as a passkey) that will be stored on their devices. This passkey will be used when users want to sign up or log into mobile apps or websites. Instead of a password, their devices will provide this cryptographic-secure passkey instead. The FIDO Alliance said that the passkey wouldn't be shared unless users prove they are in control of the device by authenticating with a PIN, face scan, fingerprint, or even another nearby device (such as a smartphone). In a press release, the FIDO Alliance said it expects Apple, Google, and Microsoft devices and services to start supporting these new FIDO passkeys within the next year.

GitHub goes full 2FA: GitHub took steps on Wednesday to bolster the security of its ecosystem. The company announced that it will require all users who contribute code on projects hosted on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. According to the company, only 16.5% of current GitHub users have 2FA enabled, which is in itself a large adoption rate, compared to Twitter, where only 2.3% of users use 2FA.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

A new Microsoft report has taken a comprehensive look at how Russia is using cyber operations in its invasion of Ukraine.

There are two clear takeaways. The Russians have launched lots of operations, including nearly 40 destructive attacks, so there has been an active cyber component to this war (despite some mainstream reporting). But it's also clear that these cyber operations have not much changed the progress of the war. Microsoft writes the various attacks "have had an impact in terms of technical disruption of services and causing a chaotic information environment, but Microsoft is not able to evaluate their broader strategic impact".

Crippling cyberattacks: Cyber-attacks have crippled the activities of Onleihe, a popular German online book library service, Sixt, a German car sharing and car rental service, and Massy Stores, Trinidad's largest supermarket chain. The library's catalog has been offline for days; Sixt had to take car reservations using pen and paper on Friday; while several of Massy's stores are still closed following an incident last week. In addition, a ransomware attack has also forced the Kellogg Community College in Michigan to close its university campus and cancel classes on Monday and Tuesday this week.

Gaming cheaters go brr: Gaming cheat maker Aimware was hacked in 2019, and this data has now leaked into the public domain. It was added to Have I Been Pwned this week and will most likely be used to track down cheaters in games like Counter-Strike, Call of Duty, and PUBG.

K8s goes to the Sigstore: Kubernetes v1.24 was released this week; the first version of the Kubernetes system that supports Sigstore, a system for cryptographically signing software releases against supply chain attacks.

Indian data breach law: The Indian government passed an update to its Information Technology Act last week, requiring companies to report cybersecurity incidents to India's CERT team within six hours of when they occur. In addition, all cloud, VPS, and VPN providers will also have to record the names, emails, and IP addresses of all their subscribers, data that they must archive for at least five years. The new update is set to go into effect at the start of July.

French Muslim leak: French prosecutors opened a criminal investigation against Fdesouche—a French far-right website—after the site published the personal data of French Muslims last September. The leak allegedly contained the data of more than 100 individuals, such as Muslim activists, journalists, and imams. According to the French edition of the Huffington Post, this was the second leak published by Fdesouche after the organization published the email addresses and phone numbers of people working with organizations aiding migrants and refugees back in 2017.

Kronos fallout: Multiple class-action lawsuits have been filed over the month of April against some of the largest US companies that relied on the Kronos timekeeping apps to keep track and pay employees. Kronos (aka UKG) got hit by ransomware in December 2021 and took months to recover, causing long delays in employee payments. The company is the subject of several class-action lawsuits filed last year and in early January. But now, companies like PepsiCo, Mercedes-Benz, DHL, Frito-Lay, the Giant supermarket chain, call center giant Sitel Group, and the Cargill and Sodexo food corporations have all been sued for (still) unpaid wages related to the Kronos incident. As Zack Needles writes for BenefitsPro, this new wave of class-action lawsuits brings a new twist to ransomware-related mitigation, especially for attacks against large companies, where the legal consequences may now also start to impact their customers in the case of a super slow and bad recovery/response plan.