Risky Biz News: MSS Now Dominates China's Cyber Activity – Detailed Summary
Episode Title: Risky Biz News: MSS now dominates China's cyber activity
Host: Claire Aird
Prepared by: Catalin Cimpanu
Release Date: November 15, 2024
1. MSS Dominance in China's Cyber Operations
Overview:
Security firm Sekoia has reported a significant shift in China's cyber activities, indicating that the Ministry of State Security (MSS) now oversees the majority of these operations. This marks a notable decline in activity from the Chinese military's cyber units.
Key Points:
- MSS Leadership: Since at least 2021, the MSS has been the predominant force behind China's cyber initiatives.
- Linked APT Groups: Sekoia associates several Advanced Persistent Threat (APT) groups with the MSS, including APT10, APT30, APT31, APT40 and APT41, along with Mustang Panda and LuckyMouse.
- Private Contractors: Many of these APTs are believed to operate through private contractors under provincial branches of the MSS.
Notable Quote:
"The MSS now accounts for most of China's cyber activity," states Claire Aird at [00:04].
2. Chinese Hack on US Telecommunications Revealed
Overview:
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that Chinese hackers breached a US telecommunications company, exposing sensitive communications of US government officials and political figures.
Key Points:
- Targeted Entities: Among the affected were the Harris and Trump political campaigns.
- Data Compromised: Hackers accessed information regarding US law enforcement requests and surveillance on Chinese spies.
- Ongoing Investigations: Authorities are notifying additional victims as the probe continues.
3. Inc Ransomware Group Targets Hungary’s Defense Agency
Overview:
The ransomware faction known as Inc has infiltrated Hungary's defense procurement agency. While no classified information was reportedly compromised, significant disruption was caused.
Key Points:
- Nature of the Breach: The agency, responsible for military procurement planning, faced operational disruptions.
- Financial Impact: The hack is considered one of the year's major cyber heists, with over $230 million worth of crypto assets stolen from another target.
4. Legal Action Against NSO Group Over Spyware Use
Overview:
A Spanish attorney has initiated a lawsuit against the Israeli spyware manufacturer NSO Group, alleging unauthorized access to his phone.
Key Points:
- Plaintiff Details: Andreu Van den Eynde, involved in the Catalan independence movement, claims his device was infected with NSO's Pegasus spyware.
- Defendants Named: The lawsuit names NSO's founders and executives from two affiliate companies.
- Motivation: Van den Eynde's role advising Catalan political figures during the independence referendum is highlighted as the likely motive for the spyware deployment.
5. Massive Data Leak from Demand Science
Overview:
A staggering leak involving personal data of approximately 122 million users from Demand Science, a data aggregation and enrichment service, has come to light.
Key Points:
- Data Compromised: Included names, business addresses, emails, phone numbers, and social media links.
- Source of Leak: Initially sold on hacking forums earlier in the year and has now expanded in distribution.
- Company Statement: Demand Science attributed the breach to a decommissioned system from which data was exfiltrated.
6. Microsoft Introduces Spoofing Warnings in Exchange
Overview:
In response to a recent email spoofing attack, Microsoft has rolled out a new security feature for Exchange servers aimed at combating phishing attempts.
Key Points:
- Feature Details: A red warning banner will appear on emails identified as coming from spoofed addresses.
- Implementation: Enabled by default in the latest Exchange server updates.
- Background: This measure follows a security patch addressing a spoofing vulnerability disclosed in May.
7. Arrests in Major Cryptocurrency Heists
a. WazirX Exchange Hack:
- Incident: A West Bengal man, SK Masud Alam, was arrested for orchestrating the hack of Indian cryptocurrency exchange WazirX.
- Method: Created a fraudulent account on WazirX, which was sold on Telegram to facilitate the attack.
- Impact: Over $230 million in crypto assets were stolen in July, marking it as the year's second-largest crypto heist.
b. South Korean Cryptocurrency Scheme:
- Operation Details: Authorities detained 215 individuals linked to a large-scale cryptocurrency investment scam.
- Scheme Mechanics: The group operated via an investment firm selling 28 crypto tokens through deceptive marketing strategies, including pump and dump tactics.
- Financial Loss: Approximately $230 million defrauded from investors.
- Criminal Proceedings: The group's leader was apprehended in Australia and extradited to South Korea.
8. US Tax Preparation Firms Hacked by Nigerian Nationals
Overview:
The US Department of Justice has charged Matthew Akande and Kehinde Oyetunji, two Nigerian men, with infiltrating tax preparation companies across the nation.
Key Points:
- Criminal Activities: Theft of taxpayer information and filing of fraudulent tax returns under victims' names.
- Financial Fraud: Over five years the pair claimed $8.1 million in illegitimate tax refunds and obtained over $1.3 million of it.
9. Prolific Swatting and Bomb Threats by American Teenager
Overview:
Alan Filion, an 18-year-old from Lancaster, California, has pleaded guilty to executing hundreds of swatting and bomb threat incidents across the United States.
Key Points:
- Scale of Offenses: Targeted schools, politicians, courthouses, and religious institutions.
- Operations: Ran "Torswats," a service offering swatting operations via Telegram.
- Judicial Outcome: Filion's actions mark him as one of the most active swatters in American history.
10. Idaho Man Sentenced for Cyber Extortion and Hacking
Overview:
Robert Purbeck, an Idaho resident, received a 10-year prison sentence and three years of supervised release for hacking into the city of Newnan and a medical clinic in Georgia.
Key Points:
- Criminal Acts: Attempted extortion of a Florida orthodontist by threatening to release patient data.
- Online Persona: Operated under the hacker alias "Lifelock."
- Restitution: Ordered to pay over $1 million to his victims.
11. Sitting Ducks DNS Attacks Surge
Overview:
Infoblox has identified over 70,000 domains compromised through the Sitting Ducks DNS attack, affecting a range of high-profile entities.
Key Points:
- Victim Spectrum: Includes well-known brands, non-profits, and government organizations.
- Threat Actors: At least four different groups are implicated in these hijackings.
- Scope: Up to 800,000 domains remain vulnerable to this DNS exploitation method.
12. Malicious QR Codes Target Swiss Citizens
Overview:
Switzerland’s cybersecurity agency has reported an emerging threat where physical letters containing malicious QR codes are being distributed to deceive citizens.
Key Points:
- Deceptive Appeal: Letters mimic the country’s meteorology agency, prompting recipients to install a purported new weather app.
- Malware Payload: The QR codes direct users to download an Android app infected with the Octo2 banking Trojan.
13. Bitdefender Releases Decryptor for ShrinkLocker Ransomware
Overview:
Bitdefender has launched a free tool to aid victims of the ShrinkLocker ransomware, which has been active since May.
Key Points:
- Functionality: The decryptor recovers the BitLocker key stolen by the ransomware, restoring access to affected systems.
- Ransomware Mechanics: Utilizes Windows BitLocker encryption to lock users out of their PCs and data.
14. Doppelganger Group Linked to Russian Ministry of Defence
Overview:
A joint investigation by Qurium and Correctiv has tied the Doppelganger cyber group to Russia's Ministry of Defence.
Key Points:
- Evidence: Logins to Doppelganger's infrastructure were traced to IP addresses managed by Voentelecom, a government-owned ISP.
- Operational Tactics: The group leveraged the VexTrio cybercrime service to redirect visitors from compromised sites to Russian propaganda portals.
15. Critical Vulnerability in PostgreSQL’s Perl Extension
Overview:
Researchers at Varonis discovered a significant vulnerability within the Perl language extension of the PostgreSQL database, posing severe security risks.
Key Points:
- Vulnerability Impact: Allows unauthenticated attackers to alter sensitive environment variables.
- Potential Exploits: Enables code execution attacks on the host operating system or unauthorized database queries.
16. NIST Faces Backlog in CVE Metadata Updates
Overview:
The National Institute of Standards and Technology (NIST) has updated the National Vulnerability Database (NVD) to include data on actively exploited vulnerabilities from the current year. However, they are grappling with a substantial backlog of Common Vulnerabilities and Exposures (CVEs) lacking metadata.
Key Points:
- Operational Delays: NIST underestimated the backlog, initially aiming to resolve issues by September but extending beyond the year-end.
- Current Status: Backlog continues to grow since February's initial delay.
17. EU Challenges Apple's Geo-Blocking Practices
Overview:
The European Union's Consumer Protection Cooperation Network has directed Apple to cease geo-blocking practices that restrict app store access based on users' country of origin.
Key Points:
- Legal Grounds: Such restrictions violate multiple EU laws mandating equal treatment for users irrespective of their registered country.
- Apple’s Response: Subject to ongoing regulatory scrutiny and potential compliance adjustments.
18. Python Package Index Adopts Digital Attestations
Overview:
The Python Package Index (PyPI) has transitioned to using digital attestations for verifying the authenticity of Python libraries, replacing the longstanding PGP signature method.
Key Points:
- Digital Attestations: Signed by third parties, offering enhanced security compared to publisher-reliant PGP signatures.
- Adoption: Numerous projects have migrated to the new system, with over 20,000 attestations already published.
- Collaboration: Developed in partnership with security firm Trail of Bits.
Conclusion:
This episode of Risky Biz News, hosted by Claire Aird and prepared by Catalin Cimpanu, offers a comprehensive overview of the latest developments in cybersecurity, ranging from state-sponsored cyber operations and major data breaches to legal actions against spyware manufacturers and innovations in digital security practices. The episode underscores the evolving landscape of cyber threats and the ongoing efforts by global entities to mitigate risks and enhance security protocols.
For more updates and detailed analyses, subscribe to Risky Biz News and stay informed on the ever-changing cybersecurity terrain.
