Newsletters

Ransomware gang arrest: Chinese police detained two individuals from Hohhot who were involved in ransomware attacks against Chinese organizations. Officials say the group used ChatGPT to optimize the code of their ransomware, which they used to encrypt corporate servers and demand $20,000 in ransom. [Additional coverage in Global Times]

Orgon sentencing: A Colombian judge has sentenced Andres Felipe Cardoso Alvarez to three years and five months in prison. Alvarez was known as Orgon, a member of the Anonymous Colombia hacking group. As part of the group, he launched attacks against a large number of government organizations.

Cyber Toufan wiping spree: The data-wiping spree started by the Cyber Toufan group at the end of November is still going strong. The group has now wiped more than 100 organizations, with the vast majority being based in Israel. Around 40% of the victims were hit after the group compromised their MSP.

Chrome Safety Check: Google has announced that Safety Check, the feature that scans for compromised user passwords, will now continuously run in the background at all times.

Wikipedia Russia shuts down: Wikipedia's Russian edition has shut down after authorities designated its lead editor as a "foreign agent."

Substack Against Nazis: More than 100 Substack editors named "Substack Against Nazis" have signed an open letter asking Substack to remove white supremacy and nazi newsletters hosted on the platform, threatening to leave if the company fails to act.

In this podcast, Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

FBI disrupts AlphV ransomware: US authorities have hacked and seized server infrastructure operated by the AlphV (BlackCat) ransomware gang. Authorities say they also recovered 500 encryption keys, which they are now offering together with a decrypter to all affected victims. This confirms rumors from last week.

Pig-butchering gang detained: US authorities have unsealed charges against four suspects (detained two) for their role in a sprawling crypto-investment scheme (aka pig butchering) that netted them $80 million.

AI Act: EU authorities have agreed on a first version of the AI Act, a law meant to regulate artificial intelligence development and tools across the EU.

UK sanctions Asian scammers: The UK government has sanctioned nine individuals and five entities for their involvement in trafficking people in Cambodia, Laos, and Myanmar and forcing victims to work in call centers specialized in cyber fraud (also known as "pig butchering scams"). These are the first-ever sanctions levied against online scam operations.

FBI SEC reporting rules: The FBI has published a guide on how companies that suffered a security breach should report their incidents to the SEC and other authorities. The guide comes after a ransomware gang tried to use the confusion around these new rules to put pressure on a victim as part of their ransom negotiations.

The UK government has summoned Russia's ambassador to explain a years-long hacking campaign conducted by one of the FSB's cyber units.

Officials say that FSB hackers targeted politicians and government organizations and attempted to use hacked data to influence and interfere in UK politics.

The UK government statement connects—for the first time—an APT group known as Star Blizzard to Center 18, a cybersecurity division inside Russia's FSB intelligence agency.

There are three major elections taking place in 2024: in Taiwan, the United States and Russia. So, what are the chances that we'll see cyber-enabled disruption campaigns targeting each of these polls? In the case of the upcoming US election it seems inevitable.

Election interference techniques take many forms. At the 'lowest' level are information operations on social media that spread disinformation and propaganda. In the context of an election, these types of operations tend to get lost in the noise.

At the 'highest' level of severity there is the possibility of direct interference in the electoral process: messing with the actual votes. In theory, this could shape the outcome of an election, and even unsuccessful attempts undermine the perceived legitimacy of election outcomes.

An audit of 23 of the largest US federal agencies found that most have failed to implement proper event logging and may be unprepared to respond to cybersecurity incidents, especially during the investigation and remediation phase.

Conducted by the US Government and Accountability Office, the report found that 20 of the 23 agencies did not meet a White House executive order mandating they reached a logging level of EL3 by August 2023.

GAO says that only three agencies reached the proper requirement, while 17 were still at EL0 and had not made any headway toward compliance.

ICANN, the non-profit organization that manages domain names and IP addresses, has launched a new service to help law enforcement agencies and cybersecurity professionals obtain redacted and non-public data on domain owners.

Named the Registration Data Request Service (RDRS), the service works as a ticketing system that interconnects investigators with domain registrars—the smaller organizations that manage each TLD domain space.

The new system is designed to create private communication channels where investigators can file requests with domain registrars in a more centralized fashion.

The Black Basta ransomware gang is believed to have made more than $107 million in ransom payments since the group began operations in early 2022.

The number represents payments made by more than 90 victims of the 329 organizations known to have been hit by the gang.

The largest payment was $9 million, while the average ransom payment was $1.2 million, according to joint research published by blockchain tracking company Elliptic and cyber insurance provider Corvus Insurance.

Cyber security firm Huntress has confirmed what organisations like the NSA have been saying — that 'living off the land' is the new normal.

We've covered the shift towards living off the land techniques (abusing legitimate tools already present in the host environment) by both Russian and Chinese APT actors. A new Huntress report focused on threats to small and medium-sized businesses (SMBs) found more than half of incidents involved LOLbins (living off the land binaries) and were "malware free".

One type of legitimate software that is commonly abused by threat actors to gain and maintain access to targeted environments is remote monitoring and management (RMM) software. Huntress found that 65% of all types of SMB security incidents involved RMM software such as ConnectWise, ScreenConnect, AnyDesk or TeamViewer. These types of software are not detected as malware and their use is often not audited, especially in small organisations.