Newsletters

In 2024, the number of US investors in the spyware market skyrocketed, and the country became the largest investor by deal count, according to new research from the Atlantic Council. The researchers say these investments undermine US government efforts to control abusive spyware, but we think they present an opportunity to exert more control over the industry. 

Spyware is not inherently bad. Abusive spyware is used to violate human rights, rather than for lawful purposes.

The increase in US investment is a key finding of an update to the Atlantic Council's 2024 Mythical Beasts report. That report mapped the global spyware industry through to the end of 2023. At the time vendors were concentrated in Israel, India and Italy. The US was the third-largest investor by deal count. 

The internet's top AI chatbots provide answers with false claims twice as much as they did last year.

The disinformation rates of the top 10 leading chatbots have doubled, going from 18% in August 2024 to 35% a year later, according to a study from disinformation-fighting group NewsGuard.

Chatbots reproduced false claims on topics such as health, politics, international affairs, companies, and business brands.

The District of Columbia Office of the Attorney General has filed a lawsuit against the largest crypto ATM operator in the US, Athena Bitcoin.

The lawsuit alleges the company knew its Bitcoin ATMs were being used to collect funds from scam victims, but instead of stopping the transfers, it charged large hidden fees and then refused to provide refunds to victims.

Officials say that 93% of all deposits made across the seven Bitcoin ATMs the company operates in DC were the result of scams.

The UK's privacy watchdog highlighted a strange trend in the country where students are increasingly behind the hacks of their own schools.

The UK Information Commissioner's Office says it studied 215 insider-caused breaches in the UK educational sector between 2022 and mid-2024 and found that students were behind 57% of the intrusions.

Where a stolen password was used to breach a school system, students were involved in almost all cases (97%).

The Salesloft Drift breach is a great example of the sprawling impact that a breach of a single service provider can have. Given that modern business models routinely involve software-as-a-service, these kinds of single-compromise-large-blast-radius attacks will become the new norm.

Salesloft's Drift application is an AI chatbot used by companies to convert website visitors into sales leads. Because it is typically integrated into Salesforce, its recent compromise has resulted in the theft of a large volume of Salesforce data from potentially hundreds of organisations. That stolen data also includes authentication tokens for various other services. 

The breach began with the compromise of Salesloft's GitHub account in March. Over three months the threat actor conducted reconnaissance and downloaded content from multiple repositories. The actor, which Google is tracking as UNC6395, then moved to Drift's AWS environment and stole OAuth tokens for Drift's customers.

The US Department of Justice unsealed charges on Tuesday against a major figure in the ransomware underground, a Ukrainian national who was involved in or managed at least seven ransomware platforms.

The charging documents identify Volodymyr Viktorovich Tymoshchuk as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations.

From his role, he coordinated or was involved in the hacks and extortions of more than 250 US organizations, and hundreds more around the world.

Kazakhstan's state-owned oil and gas company KazMunayGas has dismissed a report about a new cyber-espionage group targeting its employees as a planned phishing test.

Published by Indian security firm Seqrite, the report claimed that a new suspected Russian APT group named NoisyBear was targeting Kazakhstan's oil and gas sector.

The report said the hackers used malicious ZIP and LNK files to deploy PowerSploit, a well-known PowerShell-based post-exploitation framework, which also happens to be very popular with pen-testers.

Google has released version 140 of its Chrome browser this week, with support for a new security feature designed to protect server-set cookies from client-side tampering.

The new feature is a cookie prefix, a piece of text added before the names of a browser's cookie files.

Cookie prefixes are different from cookie headers and, in the words of security firm ERNW, are a lesser-known browser security feature that is rarely used by web developers.

Google has announced it is starting a cyber "disruption unit" that will seek out opportunities to proactively disrupt threat actor campaigns. This move reflects increased industry and government appetite for more aggressive private sector approaches and also indicates a sensible incremental step towards government-endorsed private sector hacking. 

Per CyberScoop's coverage:

Google has already been involved in the court-endorsed botnet takedowns of Glupteba in 2021 and BadBox 2.0 in July. To put this in perspective, Microsoft pioneered court-ordered disruption operations way back in 2010 and has been involved in a string of takedowns since then. 

Two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from US seniors.

The US Department of Justice used videos posted by the two channels in 2020 and 2021 to identify and then track down the network. Officials arrested 25 of the 28 suspects they identified during this investigation.

The group allegedly used call centers based in India to call US seniors, posing as government officials, bank employees, and tech support agents.