Newsletters

The operators of the LockBit ransomware are believed to have made more than $91 million in ransom payments from more than 1,700 attacks targeting US organizations, according to CISA and the FBI.

The figure covers LockBit's entire lifespan since its official launch in January 2020, but it does not include ransom payments that have not been reported to the FBI or payments made by foreign companies.

Regardless, this puts LockBit right up there with the best-earning ransomware gangs of all time, trailing the likes of Ryuk, REvil, and Darkside. [obviously, based on limited visibility into the ecosystem]

An ODNI report into the US Intelligence Community's use of Commercially Available Information (CAI) has caused quite a stir, but most of the resulting press coverage has missed the forest for the trees.

It is a problem that the IC is using this information without any guiding policy. It is a much, much bigger problem that this information is being collected for sale in the first place.

The report examines how the IC is using CAI, what privacy and civil liberty protections cover its use, and makes recommendations about how this data should be used in the future. It defines CAI as information that can be bought by the public and excludes data that is commercially available only to governments.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) and has ordered federal civilian agencies to limit access from the internet to the management interfaces of networking equipment.

The new BOD 23-02 applies to routers, switches, firewalls, VPN servers, proxies, load balancers, and out-of-band server management interfaces such as the iLo and iDRAC.

It applies to management interfaces hosted on a multitude of protocols, ranging from HTTPS to SSH, SMB, RDP, and others.

A Ukrainian hacking group named the Cyber Anarchy Squad has breached the network of Russian telco Infotel JSC and wiped some of its routers and networking devices.

The incident took place last Thursday—June 8—and brought the telco's network to a full stop for 32 hours.

The company confirmed the attack via a short message on its website.

The South Korean National Police Agency says that a North Korean hacking group known as Kimsuky has breached the email accounts of former government officials.

The Kimsuky campaign took place between April and August of last year and targeted 150 current and former South Korean government officials, professors, and defense and national security experts.

Police officials say Kimsuky operators successfully lured nine individuals on phishing pages and stole their login credentials for Google and Naver accounts.

The Australian Signals Directorate (ASD), Australia's signals intelligence and cyber organisation, has opened up to an ABC documentary about a number of its offensive cyber operations.

One of them was "Operation Valley Wolf", ASD's cyber contribution to the safe passage of partner troops through the Tigris river valley to Mosul, then under Islamic State (IS) control. The broad outlines of this operation have been described before, but the documentary provides more colour and detail.

ASD studied IS's electronic communications, which included the use of a variety of encrypted messaging apps including Surespot, Wickr, WhatsApp and Telegram. It used an implant, "Light Bolt", that could be deployed to IS devices without user interaction and three different denial-of-service payloads that would disrupt internet access: "Rickrolling", "Care Bear" and "Dark Wall". These payloads all cut internet access, but with different degrees of permanence.

Microsoft has identified the threat actor behind the recent exploitation of MOVEit file-transfer servers as our "old friend," the Clop cybercrime group.

Clop itself confirmed its involvement in the attacks in responses to email inquiries sent to Reuters and BleepingComputer reporters.

If the name sounds familiar, this is the same Russian cybercrime group that has previously exploited vulnerabilities in FTA Accellion and Fortra GoAnywhere, two other popular file-transfer appliances.

Communications platform Twilio will automatically reconfigure customer accounts in a crackdown against SMS traffic pumping schemes.

The company will block customers from sending SMS messages to countries the user has no previous history, and the country is known to be a source of SMS traffic pumping schemes.

The change will occur in three weeks, on June 21, 2023, according to emails Twilio has sent customers.

Russia's FSB intelligence service claims to have uncovered a US intelligence operation that hacked the Apple smartphones of "diplomatic missions and embassies in Russia."

The operation allegedly targeted thousands of devices, including the devices of Russian citizens and diplomatic representatives from NATO countries, the post-Soviet bloc, Israel, China, and South Africa.

The attacks exploited a vulnerability in Apple smartphones.

Reports that a state-sponsored PRC cyber actor could be pursuing capabilities to disrupt US critical infrastructure are causing a stir.

This eye-catching nugget is contained within a Microsoft report about a group it calls Volt Typhoon. Microsoft thinks, with "moderate confidence", that Volt Typhoon's campaign is "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises".

The statement actually feels a bit out of place in the report as it doesn't contain any evidence that backs up the assessment. The report says that Volt Typhoon "typically focuses on espionage and information gathering", although it has "targeted critical infrastructure organisations in Guam and elsewhere in the United States". Microsoft says that in this campaign, affected organisations "span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors".