Claire Aird
CISA has sent over 2,000 pre-ransomware attack alerts this year, BlackBerry sells Cylance for a huge loss, a US investment firm acquires an Israeli spyware maker, and the Cl0p gang takes credit for the Cleo hacks. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 18th of December.

The Cl0p ransomware gang has taken credit for the attacks against the Cleo file transfer service. Initial reports claimed another ransomware operation named Termite was behind the attacks. Cl0p says it's deleting older victims' data to make space for new stolen data.

CISA sent over 2,000 ransomware warnings to US organisations this year. The notifications were sent by the Pre-Ransomware Notification Initiative, which CISA launched in March 2023. The program uses tips from the private sector to detect early ransomware activity and notify victims before their data is stolen or encrypted. Almost two thirds of the notifications were sent this year.

Apple allegedly refused to help the Harris presidential campaign investigate the hack of two staffers' iPhones, according to a Forbes report. The company declined to help obtain raw images of the phones' operating systems to assist the campaign's investigation. Apple declined to help even though the phones' owners provided their consent. The devices are instead being investigated by security firm iVerify.

The Serbian security service has allegedly deployed a novel piece of Android spyware to phones belonging to local journalists and dissidents, according to Amnesty International. The spyware was deployed after police gained physical access to the devices while the victims were being interrogated. The cops allegedly used Cellebrite hacking tools to unlock the phones and manually install the NoviSpy spyware. Amnesty and Google believe the Cellebrite tools may have used a zero-day in Qualcomm drivers to deploy the spyware. Serbia's BIA security service called the Amnesty report meaningless.

US private investment company AE Industrial Partners will acquire Israeli spyware company Paragon Solutions. AE will pay $900 million, with half paid in cash and the rest based on future profitability milestones. The company is known for developing a mobile spyware tool named Graphite.

BlackBerry has sold its Cylance security division to cybersecurity firm Arctic Wolf for $160 million in cash. The company acquired Cylance in 2018 for $1.4 billion when it was trying to pivot from smartphones into cybersecurity.

A French court has sentenced cybersecurity professional Florent Curtil to a two-year suspended prison sentence for acting as a negotiator for the Everest ransomware gang. Curtil was also fined 13 and banned from working in cybersecurity roles for five years. The court's decision is below the five-year prison sentence prosecutors had asked for earlier this year.

Nigerian authorities arrested 792 suspects last week in a raid on a seven-storey cyberscam compound in Lagos. 148 Chinese and 40 Filipinos were among those detained. Officials say the suspects were low-level pawns in a larger online scam ring. They initiated romantic chats with victims and then handed off the conversation to someone overseas to execute the actual scam.

The European Commission has opened an investigation into the election risks posed by TikTok. EU officials say the Chinese company failed to detect a foreign interference campaign that targeted Romania's presidential election last month. Romania's Supreme Court ruled the influence campaign was unlawful and annulled the election round results, a first for the EU. The investigation will focus on TikTok's recommendation algorithm and its handling of political ads. As the EU was announcing its investigation, TikTok was crawling with another anti-EU disinformation campaign, claiming that EU chief Ursula von der Leyen ordered Romania to cancel its election.

The US Commerce Department has issued a preliminary ruling that China Telecom's American division is a threat to national security. The preliminary ruling is one of the steps towards banning the company from operating in the U.S. China Telecom was given 30 days to respond. The ban comes as the U.S. government is dealing with a widespread compromise of its telco networks by Chinese hackers.

A ransomware gang has breached the network of Telekom Namibia, the country's largest telecommunications provider. The incident took place last week and officials have confirmed the breach. A group named Hunters International took credit for the attack and is now threatening to publish almost half a million stolen files.

Nebraska Attorney General Mike Hilgers has brought a lawsuit against Change Healthcare over the company's February ransomware attack. Officials claim the company failed to protect consumer data. Attorney General Hilgers says the company ran outdated and poorly segmented IT systems, that its incident response was inadequate, and that it failed to notify consumers quickly enough. Hilgers says the incident exposed the personal information of hundreds of thousands of Nebraskans and also caused disruptions to the state's healthcare facilities. Nebraska is the first state to sue Change Healthcare, although the company is facing a class action lawsuit already.

US social media company Meta has been fined twice for security breaches. The company was fined 251 million euros in Ireland and $50 million in Australia. The Irish fine is for a 2018 security breach when a bug in the Facebook "View As" feature exposed 29 million users' data. The fine in Australia is related to the company's failure to detect the Cambridge Analytica scandal.

A threat actor is targeting popular YouTube channel owners with fake brand collaborations and sponsorships to infect them with malware. The goal of the campaign is to hijack their YouTube channels and steal their profits. The campaign has been taking place since July and has targeted over 200,000 content creators so far.

The operators of the HiatusRAT botnet are targeting old vulnerabilities in security cameras and video recording systems. The campaign started in March and targets networks in Five Eyes countries. The FBI says the campaign targeted Dahua, Xiongmai and Hikvision devices. The HiatusRAT botnet was discovered in 2022 and is believed to be a Chinese reconnaissance operation against Western networks.

And finally, Interpol wants people to stop using the term "pig butchering" to refer to online scams and their victims. The agency says the term is stigmatising, dehumanising and shames victims. The term comes from scammers who refer to victims as pigs who need to be fattened up through fake romance or friendships before butchering them by convincing them to invest in fake cryptocurrency or other schemes. Interpol has suggested "romance baiting" as an alternative. And that is all for this podcast edition. Thanks for your company.
Risky Bulletin: Cl0p Returns - Episode Summary
Release Date: December 18, 2024
Introduction
In the latest episode of Risky Bulletin, published by risky.biz and prepared by Catalin Cimpanu, Claire Aird delivers an update on the state of cybersecurity as of December 18, 2024. This episode, titled "Cl0p Returns," covers ransomware attacks, corporate cybersecurity deals, legal actions, government investigations, and emerging threats. Below is a summary of the episode's main stories.
At the outset [00:04], Claire Aird reports that the Cl0p ransomware gang has resurfaced, taking credit for recent attacks on the Cleo file transfer service. Initially, another group named Termite was suspected, but Cl0p has since claimed responsibility. Aird notes, “The Cl0p ransomware gang has taken credit for the attacks against the Cleo file transfer service,” highlighting the gang's practice of deleting older victim data to make room for newly stolen information.
A significant portion of the episode delves into CISA’s Pre-Ransomware Notification Initiative. Claire states, “CISA has sent over 2,000 pre ransomware attack alerts this year,” emphasizing the agency's proactive approach in alerting U.S. organizations about potential ransomware threats. Launched in March 2023, the program leverages tips from the private sector to detect early ransomware activities, allowing victims to take preventive measures before data is compromised or encrypted. Nearly two-thirds of these notifications were issued within the current year, underscoring the increasing prevalence of ransomware threats.
Claire highlights a major acquisition: “US private investment company AE Industrial Partners will acquire Israeli spyware maker Paragon Solutions for $900 million,” with half paid in cash and the remainder contingent on future profitability milestones. Paragon Solutions is recognized for its Graphite mobile spyware tool, indicating a strategic move to bolster AE Industrial Partners' portfolio in the spyware market.
In another significant corporate shift, BlackBerry has sold its Cylance security division to Arctic Wolf for $160 million in cash. Claire remarks, “BlackBerry has sold its Cylance security division... when it was trying to pivot from smartphones into cybersecurity,” highlighting the drastic decrease from the $1.4 billion acquisition cost in 2018. This sale reflects BlackBerry's strategic repositioning within the cybersecurity sector.
Claire reports, “A French court has sentenced cybersecurity professional Florent Curtil to a two-year suspended prison sentence,” for his role as a negotiator for the Everest ransomware gang. Additionally, Curtil was fined €13,000 and barred from cybersecurity roles for five years. The court's decision was lenient compared to the five-year prison term prosecutors had initially sought.
In international law enforcement news, “Nigerian authorities arrested 792 suspects last week” during a raid on a seven-story cyber scam compound in Lagos. Among those detained were 148 Chinese nationals and 40 Filipinos. These suspects were identified as low-level operatives involved in romantic scams, where they engaged victims in fake relationships before defrauding them through fake investments in cryptocurrencies and other schemes.
A pivotal segment covers the European Commission’s investigation into TikTok concerning election interference. Claire explains, “EU officials say the Chinese company failed to detect a foreign interference campaign that targeted Romania's presidential election last month.” The campaign led Romania’s Supreme Court to rule it unlawful and annul the election round results, a first in the EU. The investigation will scrutinize TikTok's recommendation algorithm and its handling of political advertisements. At the same time, another anti-EU disinformation campaign was spreading on TikTok, falsely claiming that EU chief Ursula von der Leyen had ordered Romania to cancel its election.
In U.S. policy news, Claire states, “The US Commerce Department has issued a preliminary ruling that China Telecom's American division is a threat to national security.” This ruling is a precursor to a potential ban of the company’s operations in the U.S., as part of a broader response to the widespread compromise of American telco networks by Chinese hackers. China Telecom has been given 30 days to respond to this preliminary ruling.
Claire reports that “A ransomware gang has breached the network of Telekom Namibia, the country's largest telecommunications provider.” A group calling itself Hunters International took credit for the attack and has threatened to publish nearly half a million stolen files.
The episode covers significant fines imposed on Meta for past security breaches. Claire details, “US social media company Meta has been fined twice for security breaches,” with specific penalties including a €251 million fine in Ireland for the 2018 Facebook "View As" feature bug exposing 29 million users’ data, and a $50 million fine in Australia related to its failure to detect the Cambridge Analytica scandal. These fines underscore the ongoing regulatory pressures on major tech firms regarding data protection.
A concerning development involves the Serbian security service, with Claire noting, “The Serbian security service has allegedly deployed a novel piece of Android spyware to phones belonging to local journalists and dissidents.” According to Amnesty International, this spyware, NoviSpy, was installed manually after police used Cellebrite tools to unlock the phones, possibly by exploiting a zero-day vulnerability in Qualcomm drivers. Serbia’s BIA security service has dismissed Amnesty’s report as meaningless.
Claire highlights a sophisticated threat actor campaign targeting YouTube channel owners: “A threat actor is targeting popular YouTube channel owners with fake brand collaborations and sponsorships to infect them with malware.” This campaign aims to hijack YouTube channels and siphon off their profits, affecting over 200,000 content creators since July.
The HiatusRAT botnet continues its operations by exploiting old vulnerabilities in security cameras and video recording systems, particularly in Five Eyes countries. Claire mentions, “The HiatusRAT botnet was discovered in 2022 and is believed to be a Chinese reconnaissance operation against Western networks,” and notes that the campaign has targeted Dahua, Xiongmai and Hikvision devices since March.
In closing, Claire relays Interpol’s recommendation to retire the term “pig butchering” when referring to online scams and their victims. She states, “Interpol wants people to stop using the term pig butchering to refer to online scams and their victims,” explaining that the agency considers the term stigmatising and dehumanising. Instead, Interpol suggests “romance baiting” as a more respectful descriptor of such scams.
Conclusion
This episode of Risky Bulletin surveys the current cybersecurity landscape: the persistent threat posed by ransomware gangs like Cl0p, proactive measures by agencies like CISA, significant corporate deals within the cybersecurity market, and ongoing legal and policy challenges around the world. From large-scale breaches and spyware deployments to regulatory fines and the debate over scam terminology, Claire Aird keeps listeners informed about the evolving nature of cybersecurity threats and defenses.
For those who missed the episode, this summary captures its critical points as of late 2024.