Newsletters

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Welcome back to the first edition of 2022! This edition highlights some of the themes we expect will be important over the coming year — surveillance and exploit dev for hire, ransomware, and supply chain security and resiliency.

Public discussion of mobile exploit and malware developers has so far focussed on a small number of companies (and NSO Group in particular), but this will change in 2022.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The vulnerability disclosed in the Java Log4j logging library last week is, to put it mildly, quite bad. It also proves we need to pay more attention to little-known but pervasive software in the open source supply chain.

First, let's talk about the actual vulnerability.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The co-founder and COO of Mitto AG, a Swiss company that sends automated text messages including 2FA codes, has allegedly been selling access to his company's networks to surveillance companies.

Mitto AG sells automated messaging services and has relationships with telcos in more than 100 countries, giving it reach that has attracted major technology companies such as Google, Twitter and WhatsApp as clients. Bloomberg reports Mitto's COO, Ilja Gorelik, secretly allowed multiple surveillance companies to leverage its relationships with telcos to allow them to abuse SS7 (Signalling System 7, a telco signalling protocol) to track devices or perhaps even redirect calls and SMSs.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Despite US indictments, Russian ransomware developers and affiliates appear unaffected and live relatively freely in Russia.

This week the UK's Daily Mail was able to track down Russian Yevgeniy Polyanin at his home in the Siberian city of Barnaul. Polyanin was the subject of a US indictment unsealed earlier this month and is accused of being a ransomware affiliate and extorting over USD$13m from victims.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

It's Thanksgiving week in the USA which means the news tempo has slowed a bit. That means we can dive in and look at some topics that aren't getting as much attention as they deserve. This week we're taking a look at a series of new Chinese laws designed to strengthen its cyber security over time while bolstering state control over technology companies. Come with us on this magical journey through Chinese legislation and regulation! It'll be fun, we promise!

We're looking at three distinct laws here. At the beginning of this month the Chinese government's Personal Information Protection Law (PIPL) came into effect. The PIPL is basically China's answer to the European GDPR (although more stringent) and sets rules regarding how businesses can use and share personal information.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Israel's Government must decide if it values its relationship with the US more than the benefits it gains from playing fast and loose with powerful cyber espionage capabilities.

For many years the interests of the Israeli government and companies that export offensive cyber tools — such as NSO Group in particular, but also Candiru — were aligned.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

A wave of international action against ransomware demonstrates the effectiveness — and the limits — of coordinated action. The actions involved arrests coupled with unsealed indictments, cryptocurrency seizures, cryptocurrency exchange sanctions and multimillion dollar rewards for information about Darkside or REvil leadership and affiliates. Some of these actions will directly affect the ransomware ecosystem, but the doxxing and rewards appear intended to make life deeply uncomfortable for criminals in bullet-proof jurisdictions like Russia.

Europol announced seven ransomware affiliate arrests, five for involvement in REvil/Sodinokibi ransomware and another two for involvement with GandCrab. The arrests occurred around the world: two people in Romania, three in South Korea, one in Kuwait and one in Poland at the request of the US.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

US Cyber Command was involved in a campaign targeting the REvil ransomware gang that resulted in the group scattering. The unofficial attribution to USCYBERCOM, via Ellen Nakashima's report in the Washington Post, should deliver a significant psychological impact to the ransomware scene.

The report says USCYBERCOM used stolen or cracked key material to spin up a fake duplicate of the ransomware crew's Tor .onion server. This spooked the REvil group enough to take a serious look at its infrastructure. From there, it discovered a historical server breach, apparently conducted by a US partner's security agency. This really gave the REvil team the willies.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Espionage efforts that target cloud and managed services to enable access are becoming the new normal.

This week Microsoft announced it had detected further espionage activity from the Russian state actor it calls Nobelium (aka APT29 and Cozy Bear), the one responsible for the Holiday Bear campaign and part of Russia's foreign intelligence service, the SVR.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

In the first possible sign of offensive cyber operations against ransomware crews, REvil's Tor payment portal and data leak site were hijacked. As a result REvil has again shut down its operations for a second time this year, hopefully for good.

REvil first disappeared shortly after its July mass compromise of Kaseya customers, after its leader and spokesperson UNKN disappeared and was presumed dead (or perhaps absconded with the group's money). REvil resumed operations after a couple of months using its previous infrastructure, including the same access keys, but now they've been spooked by someone compromising their servers, apparently in an effort to identify other gang members.