Detailed Summary of "Risky Bulletin: Public Transport in Tbilisi is Free After Anti-Government Hack"
Podcast Information:
- Title: Risky Bulletin
- Host/Author: risky.biz
- Description: Regular cybersecurity news updates from the Risky Business team.
- Episode: Risky Bulletin: Public Transport in Tbilisi is Free After Anti-Government Hack
- Release Date: January 27, 2025
Introduction
In the January 27, 2025 episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest cybersecurity incidents and developments worldwide. Prepared by Catalin Cimpanu, the episode covers a range of topics from high-profile hacks to legislative changes in cybersecurity. Below is a detailed summary of the key discussions, insights, and conclusions from the episode.
1. Tbilisi Public Transport Hack
The episode opens with a significant cybersecurity incident in Georgia's capital, Tbilisi. Anti-government protesters successfully hacked the public transport payment systems, causing widespread disruption.
- Incident Details: On a Friday morning, as commuters were heading to work, hackers compromised ticket scanners and point-of-sale devices. Instead of processing payments, these systems began playing Georgia’s national anthem, the European Union’s anthem, and pro-EU speeches from local politicians (00:04).
- Government Response: In reaction to the hack, local authorities suspended the payment systems, rendering public transport free of charge until normal operations resume. This move aims to keep public transportation running amid the disruption.
- Political Context: Georgia’s aspirations to join the European Union were stalled in late 2024, sparking three months of persistent protests. This cyberattack underscores the intersection of cybersecurity and political activism in the region.
Notable Quote:
“Local authorities shut down the payment system and made travel free until the hacked systems are restored.” – Claire Aird (00:04)
2. Handala’s Breach of the Israeli Ministry of National Security
The Palestinian hacktivist group Handala made headlines by breaching the Israeli Ministry of National Security.
- Attack Method: Handala sent false missile alerts to thousands of schools and kindergartens via SMS and emergency audio systems. These alerts caused considerable panic before the group wiped the compromised systems.
- Group’s Claim: Handala announced that it wiped the system after dispatching the false alerts, demonstrating both its technical capability and its intent to disrupt national security operations.
3. British Museum IT Breach
A former British Museum employee was arrested for a significant cyber intrusion that affected the museum’s operations.
- Breach Impact: The individual accessed and shut down several IT systems, leading to the closure of multiple exhibitions on a Friday. The primary disruption was to the museum’s ticketing system, causing immediate operational challenges.
- Legal Outcome: London police apprehended the suspect, highlighting the legal consequences of insider threats within cultural institutions.
4. Turkey’s Cyber Security Legislation Controversy
Turkey is advancing a new cyber security bill that has sparked debate among political factions.
- Bill Provisions: The proposed legislation aims to establish a National Cyber Security Directorate. Additionally, it includes clauses that criminalize the reporting of unconfirmed security incidents.
- Opposition Concerns: Critics argue that the bill paves the way for an extensive surveillance infrastructure, potentially infringing on free speech and transparency.
Notable Quote:
“The country's opposition claims the bill lays out a legal foundation for a sprawling surveillance apparatus.” – Claire Aird (00:04)
5. United States Vulnerability Equities and Indictments
The U.S. government recently reported on its vulnerability equities process and made notable legal charges related to cyber espionage.
- Vulnerability Disclosure: In fiscal year 2023, the U.S. reported 39 software vulnerabilities to vendors. An unclassified report revealed that 10 of these had previously been discovered and retained by intelligence agencies for espionage and offensive operations.
- Legal Actions: The Department of Justice indicted two North Korean nationals for impersonating Westerners to secure employment at U.S. companies, aiding the regime in generating nearly $900,000 over six years. Additionally, two U.S. nationals were charged with operating a laptop farm used to obscure the hackers' locations.
Notable Quote:
“UnitedHealth says that 190 million Americans had their data stolen in the ransomware attack against its Change Healthcare subsidiary last year.” – Claire Aird (00:04)
6. Russian-Backed Disinformation in Germany
Russian disinformation campaigns continue to influence European politics, particularly in Germany.
- Campaign Details: Disinformation groups supporting the German right-wing populist party are linked to the threat actor Storm-1516. This group is allegedly coordinated by John Mark Dougan, a U.S. fugitive turned Kremlin propagandist.
- Financial Backing: German intelligence reports that Russian authorities allocate over $2 billion annually to fund disinformation operations, aiming to sway public opinion and destabilize political landscapes.
7. UnitedHealth’s Change Healthcare Ransomware Attack
UnitedHealth has updated the impact of a ransomware attack on its subsidiary, Change Healthcare.
- Attack Overview: Last February, the ALPHV ransomware gang targeted Change Healthcare, disrupting healthcare payments and prescription services nationwide.
- Data Breach Update: Initially estimated to affect 100 million users, the breach is now reported by UnitedHealth to have compromised the data of 190 million Americans. The company has notified the majority of those affected, underscoring the extensive reach of the breach.
Notable Quote:
“Change Healthcare was hit by the ALPHV ransomware gang last February in an incident that caused issues with healthcare payments and prescriptions all over the country.” – Claire Aird (00:04)
8. Phemex Crypto Exchange Hack
Phemex, a Singapore-based cryptocurrency exchange, fell victim to a substantial cyberattack.
- Attack Details: On a recent Thursday, hackers orchestrated a coordinated assault, stealing $70 million worth of various cryptocurrencies from Phemex.
- Operational Impact: In response to the breach, Phemex temporarily suspended its operations to contain and mitigate the security breach.
- Attribution: Security researchers believe the attack's tactics resemble methods used by the North Korean hacking group known as TraderTraitor.
Notable Quote:
“A threat actor has stolen $70 million worth of crypto assets from Singapore-based exchange Phemex.” – Claire Aird (00:04)
9. NoOnes Cryptocurrency Marketplace Theft
A significant theft occurred on the P2P cryptocurrency marketplace NoOnes on the platform's first day of operation.
- Theft Mechanics: Hackers exploited a vulnerability in NoOnes' Solana bridge, enabling them to siphon off $8 million in crypto assets.
- Money Laundering: The stolen funds were laundered through the Tornado Cash mixing service, complicating efforts to trace and recover the assets.
10. Zyxel Firewalls Reboot Loop Bug
Zyxel firewalls encountered a critical software update bug that has rendered several devices inoperable.
- Affected Products: The issue impacts Zyxel's USG FLEX and ATP series devices, causing them to enter a continuous reboot cycle.
- Recovery Measures: Zyxel has indicated that device recovery is possible but requires physical access to connect a serial cable to the firewall, presenting significant downtime challenges.
11. Massive Backdoor Infection via Malware Builder
A surge in infections has been traced back to a cracked malware builder for the XWorm remote access trojan.
- Infection Scope: Over 18,000 users inadvertently installed a backdoor by downloading the malicious builder, which was promoted through online tutorials on YouTube and Telegram.
- Data Compromised: Users attempting to use the builder had their browser, Discord, and Telegram data exfiltrated by the attackers.
Notable Quote:
“Users who attempted to use the builder had their browser, Discord and Telegram data stolen.” – Claire Aird (00:04)
12. Git Credentials Theft via Clone2Leak Bug
Researchers have uncovered a vulnerability that allows attackers to steal Git credentials through malicious repositories.
- Vulnerability Details: Named "Clone2Leak," this bug affects the Git codebase, the official GitHub Desktop and CLI applications, and various third-party repository managers.
- Discovery: The flaw was identified by researchers at GMO Flatt Security, emphasizing the need for secure coding practices and vigilant repository management to prevent credential theft.
Conclusion
The January 27, 2025 episode of Risky Bulletin presented a wide array of cybersecurity incidents and developments, highlighting the evolving landscape of cyber threats and defenses. From high-impact ransomware attacks and sophisticated state-sponsored disinformation campaigns to legislative changes and critical software vulnerabilities, the episode underscores the multifaceted nature of cybersecurity challenges faced globally.
Notable Quote:
“That is all for this podcast edition.” – Claire Aird (00:04)
The episode concluded with a nod to the sponsor, runZero, a company specializing in asset inventory and network visibility, reinforcing the importance of robust cybersecurity measures in mitigating such threats.
Timestamp Reference:
- [00:04] refers to the initial segment where Claire Aird outlines the top stories of the bulletin.
