
PLUS: Prolific teenage swatter pleads guilty; Microsoft adds spoofing warning to Exchange; major breach at another data aggregator.
Claire Aird
The MSS now accounts for most of China's cyber activity. A prolific teenage swatter pleads guilty. Microsoft adds a new email spoofing warning to Exchange, and another major breach at a data aggregator. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 15th of November and this podcast episode is brought to you by Kroll. Find them at kroll.com/cyber.

In today's top story, security firm Sekoia says most Chinese cyber operations are now conducted by China's Ministry of State Security. The company says MSS cyber activity has increased while the once-active Chinese military has slowed down considerably. Sekoia says MSS cyber operations have dominated since at least 2021. MSS-linked groups include the likes of APT10, 30, 31, 40 and 41, as well as Mustang Panda and LuckyMouse. Many of these APTs have been linked to private contractors operating under provincial MSS branches.

In other news, the FBI and CISA have confirmed China's US telco hack exposed the private communications of some US government officials and political figures. The hackers also copied information about US law enforcement requests. The statements confirm reports from US media that the hackers targeted the Harris and Trump campaigns and sought information on which Chinese spies were being surveilled by US law enforcement. The FBI and CISA say they're notifying new victims as the investigation continues.

The Inc ransomware group has hacked Hungary's defence procurement agency. Government officials confirmed the hack but said no classified data was compromised. Officials said the agency only manages plans for military procurement.

A Spanish lawyer has sued Israeli spyware vendor NSO Group for allegedly hacking his phone. The lawsuit was filed in a Barcelona court this week and also names NSO's founders and an executive of two NSO affiliate companies. Lawyer Andreu Van den Eynde claims he had his phone infected with NSO's Pegasus spyware due to his involvement in the Catalan independence movement. Van den Eynde was one of the lawyers advising Catalan political figures involved in the region's independence referendum.

The personal data of almost 122 million users from the Demand Science data aggregation and enrichment service has leaked, according to security researcher Troy Hunt. The data was sold on hacking forums earlier this year but has now leaked more widely. The company confirmed the hack and claimed the data was taken from a now-decommissioned system. The data includes names, business addresses, emails, telephone numbers and social media links.

Microsoft will add a red warning at the top of email messages that come from spoofed email addresses. The new warning is enabled by default for all Exchange servers in this month's updates. It's a result of a security patch that fixes an email spoofing attack disclosed in May this year.

Police in Delhi have arrested a man from West Bengal over his alleged role in the hack of Indian cryptocurrency exchange WazirX. Officials say SK Masud Alam created an account on WazirX under a false name. The account was then sold on Telegram and used to execute the attack. The company was hacked in July and lost over $230 million worth of crypto assets. The hack is this year's second-largest crypto heist.

South Korean authorities have detained 215 suspects linked to a major cryptocurrency investment scheme. The group operated as an investment firm that created and sold 28 cryptocurrency tokens. It was led by a YouTuber who advertised the tokens on his channel and used a team of marketers to push up prices in a classic pump-and-dump scheme. Officials say the group defrauded investors of almost $230 million. The group's leader fled to Australia but was arrested and extradited back to South Korea.

The Justice Department has charged two Nigerian men with allegedly hacking tax preparation firms across the US. Officials claim Matthew Akande and Kehinde Oyetunji stole taxpayer information from the companies and filed fraudulent tax returns in their names. The duo filed $8.1 million worth of fraudulent tax refunds and successfully obtained over $1.3 million over a period of five years.

An American teenager has pleaded guilty to orchestrating hundreds of bomb threats and swatting attacks across the US. Last year Alan Filion from Lancaster, California swatted and sent bomb threats to hundreds of schools, politicians, courthouses and religious institutions. Officials described the 18-year-old as one of the most prolific swatters in American history. According to Wired, he also operated Torswats, a swatting-as-a-service operation hosted on Telegram.

A US judge has sentenced an Idaho man to 10 years in prison and three years of supervised release for hacking the city of Newnan and a medical clinic in Griffin, Georgia. Robert Purbeck also attempted to extort a Florida orthodontist, threatening to publish the personal data of their patients. Purbeck went online under the hacker name of Lifelock. He was also ordered to pay over $1 million in restitution to his victims.

Infoblox says it found over 70,000 domains that were hijacked using the Sitting Ducks attack. Victim domains include well-known brands, non-profits and government entities. At least four threat actors are involved in the attacks. The domains are now being used to host investment scams, phishing sites and to redirect malicious traffic. Up to 800,000 domains are known to be vulnerable to Sitting Ducks, a DNS attack that allows threat actors to hijack misconfigured domains.

Switzerland's cybersecurity agency says threat actors are using physical letters to send malicious QR codes to Swiss citizens. The letters claim to be from the country's meteorology agency and invite users to install its new weather app. The QR code leads victims to download and install an Android app infected with the Octo2 banking trojan.

Bitdefender researchers have released a free decryptor for the ShrinkLocker ransomware. The ransomware has been active since May and uses Windows BitLocker to prevent users from accessing their systems. The decryptor allows victims to recover the BitLocker key sent by the ransomware and regain control over their data and PCs.

A joint investigation by Qurium and Correctiv linked the Doppelganger group to the Russian Ministry of Defence. Researchers say they found records of logins to Doppelganger's infrastructure from IPs operated by Voentelecom, an ISP owned by the Russian government that supplies the Ministry of Defence. In addition, Qurium says the Doppelganger group has also used a cybercrime service named VexTrio to redirect visitors from hacked sites to propaganda portals.

Varonis researchers have discovered a vulnerability in the Perl language extension of the PostgreSQL database. The vulnerability allows unauthenticated threat actors to modify sensitive environment variables. Varonis says the vulnerability can be used to enable code execution attacks on the underlying OS or run queries against the database.

NIST says it's updated the NVD dataset to include information on all actively exploited vulnerabilities that were reported this year. The agency says it's still dealing with a huge backlog of CVEs that don't include any metadata. The agency says it underestimated the size of the backlog and is unlikely to have everything up to date by the end of the year. NVD entries started backing up in February. In May, NIST promised to have everything fixed by the end of September. It failed.

An EU consumer protection agency has told Apple to stop geo-blocking App Store users based on their country of origin. The Consumer Protection Cooperation Network says Apple's restriction of app and media downloads based on the country in which an Apple account was created is illegal under multiple EU laws. EU rules require that users be treated the same regardless of their home country.

The Python Package Index has rolled out support for digital attestations. The new system will replace traditional PGP signatures, which PyPI has used to verify the authenticity of Python libraries for almost 20 years. Digital attestations are signed by a third party, while older PGP signatures rely solely on the publisher's own cryptographic key pairs. PyPI says several projects have already switched to the new system and more than 20,000 attestations have been published already. Support for digital attestations was co-developed with security firm Trail of Bits.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Kroll. Find them at kroll.com/cyber. Thanks for your company.
Risky Biz News: MSS Now Dominates China's Cyber Activity – Detailed Summary
Episode Title: Risky Biz News: MSS now dominates China's cyber activity
Host: Claire Aird
Prepared by: Catalin Cimpanu
Release Date: November 15, 2024
Overview:
Security firm Sekoia has reported a significant shift in China's cyber activities, indicating that the Ministry of State Security (MSS) now oversees the majority of these operations. This marks a notable decline in activity from the Chinese military's cyber units.
Notable Quote:
"The MSS now accounts for most of China's cyber activity," states Claire Aird at [00:04].
Overview:
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that Chinese hackers breached a US telecommunications company, exposing sensitive communications of US government officials and political figures.
Overview:
The ransomware faction known as Inc has infiltrated Hungary's defense procurement agency. While no classified information was reportedly compromised, significant disruption was caused.
Overview:
A Spanish attorney has initiated a lawsuit against the Israeli spyware manufacturer NSO Group, alleging unauthorized access to his phone.
Overview:
A staggering leak involving personal data of approximately 122 million users from Demand Science, a data aggregation and enrichment service, has come to light.
Overview:
In response to a recent email spoofing attack, Microsoft has rolled out a new security feature for Exchange servers aimed at combating phishing attempts.
a. WazirX Exchange Hack:
b. South Korean Cryptocurrency Scheme:
Overview:
The US Department of Justice has charged Matthew Akande and Kehinde Oyetunji, two Nigerian men, with infiltrating tax preparation companies across the nation.
Overview:
Alan Filion, an 18-year-old from Lancaster, California, has pleaded guilty to executing hundreds of swatting and bomb threat incidents across the United States.
Overview:
Robert Purbeck, an Idaho resident, received a 10-year prison sentence and three years of supervised release for hacking into the city of Newnan and a medical clinic in Georgia.
Overview:
Infoblox has identified over 70,000 domains compromised through the Sitting Ducks DNS attack, affecting a range of high-profile entities.
Overview:
Switzerland’s cybersecurity agency has reported an emerging threat where physical letters containing malicious QR codes are being distributed to deceive citizens.
Overview:
Bitdefender has launched a free decryptor to aid victims of the ShrinkLocker ransomware, which has been active since May.
Overview:
A joint investigation by Qurium and Correctiv has tied the Doppelganger cyber group to Russia's Ministry of Defence.
Overview:
Researchers at Varonis discovered a significant vulnerability within the Perl language extension of the PostgreSQL database, posing severe security risks.
Overview:
The National Institute of Standards and Technology (NIST) has updated the National Vulnerability Database (NVD) to include data on actively exploited vulnerabilities from the current year. However, they are grappling with a substantial backlog of Common Vulnerabilities and Exposures (CVEs) lacking metadata.
Overview:
The European Union's Consumer Protection Cooperation Network has directed Apple to cease geo-blocking practices that restrict app store access based on users' country of origin.
Overview:
The Python Package Index (PyPI) has transitioned to using digital attestations for verifying the authenticity of Python libraries, replacing the longstanding PGP signature method.
Conclusion:
This episode of Risky Biz News, hosted by Claire Aird and prepared by Catalin Cimpanu, offers a comprehensive overview of the latest developments in cybersecurity, ranging from state-sponsored cyber operations and major data breaches to legal actions against spyware manufacturers and innovations in digital security practices. The episode underscores the evolving landscape of cyber threats and the ongoing efforts by global entities to mitigate risks and enhance security protocols.
For more updates and detailed analyses, subscribe to Risky Biz News and stay informed on the ever-changing cybersecurity terrain.