Risky Bulletin Podcast Summary
Episode: "Russia designates Recorded Future an 'undesirable organization'"
Host: Claire Aird | Release Date: December 19, 2024
1. Russia Designates Recorded Future as Undesirable
In the episode's opening segment, Claire Aird reports that the Russian government has officially listed cybersecurity firm Recorded Future as an "undesirable organization." This designation stems from the company's collaboration with Ukraine and various foreign intelligence agencies. “The Kremlin cited the company's work with Ukraine and foreign intelligence agencies as the reasons for the listing,” Aird explains at [00:04].
Recorded Future has been pivotal in supporting Ukraine since the onset of Russia’s invasion, alongside industry giants like Microsoft and Cisco Talos. Over the past two years, the firm has released numerous reports unveiling Russia's hacking and influence campaigns and has assisted prosecutors in investigating war crimes. The Russian authorities further allege that Recorded Future collects and analyzes data on Russia’s armed forces, intensifying the strain between the two nations.
2. U.S. Cybersecurity Concerns: SS7 Vulnerabilities Exploited
The bulletin highlights significant cybersecurity threats targeting U.S. citizens through the exploitation of the SS7 protocol. Claire notes, “China, Russia, Iran, and Israel have exploited vulnerabilities in the SS7 protocol to spy on US citizens” ([00:08]). These sophisticated hacks are part of a broader campaign affecting individuals globally.
The U.S. Department of Defense acknowledges that all American telecommunications carriers remain vulnerable to SS7 attacks and have yet to implement measures to prevent future abuse. In a related development, China's national CERT (CNCERT) accuses a U.S. intelligence agency of hacking two Chinese tech firms in May and August of the previous year. According to CNCERT, the intrusions exploited Microsoft Exchange vulnerabilities and resulted in the theft of trade secrets.
3. CISA’s New Directives for Federal Agencies
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive requiring federal agencies to secure their Microsoft cloud environments. By February 21st, agencies must inventory all of their cloud tenants and report them to CISA. Starting next year, agencies must also run CISA's SCuBA (Secure Cloud Business Applications) assessment tooling against their Microsoft 365 tenants to detect and remediate common misconfigurations ([00:16]).
CISA has also published guidance urging high-ranking government officials to harden their mobile devices against escalating threats from foreign adversaries. Recommendations include using end-to-end encrypted messaging, adopting FIDO-based phishing-resistant authentication, keeping devices and software updated, using a password manager, avoiding personal VPN services, and setting a PIN with the mobile carrier to protect voicemail and the account against SIM-swapping.
4. Potential U.S. Ban on TP-Link Products
The U.S. government is contemplating a ban on TP-Link products due to national security concerns. “Officials say the company's routers have been linked to cyber attacks against U.S. critical infrastructure,” Aird states ([00:21]). Investigations by the Commerce, Defense, and Justice departments are underway, and a ban could come as early as next year.
5. Malware Incidents: Rspack npm Packages and BeyondTrust Breach
A notable supply-chain incident involved Rspack, a JavaScript bundler, where a threat actor published malicious versions of its npm packages containing a crypto miner. Although the malicious versions were available for only a few hours, thousands of developers reportedly downloaded them ([00:25]). Developers who installed Rspack during that window should pin back to a known-good version and inspect affected build hosts for unexpected mining processes.
In another breach, BeyondTrust, an identity and privileged access management (PAM) vendor, disclosed unauthorized access to some instances of its cloud-hosted Remote Support product. The investigation found that attackers had obtained a Remote Support SaaS API key, which allowed them to reset passwords for local application accounts. During its investigation BeyondTrust also identified and patched two vulnerabilities in the Remote Support platform, one of which allowed attackers to execute commands in the context of the site user.
6. Cryptocurrency Thefts: $2.2 Billion Stolen in 2024
Chainalysis reports that a staggering $2.2 billion worth of cryptocurrency assets were stolen in the past year, with the majority of the losses occurring in the first half. Decentralized finance (DeFi) platforms were the primary target, and the largest single theft was the $305 million DMM Bitcoin heist in May. DMM Bitcoin subsequently announced it would cease operations earlier this month ([00:29]).
7. Legal Actions Against Cybercriminals
In legal news, a U.S. judge sentenced Ukrainian national Mark Sokolovsky to five years in prison for operating and distributing the Raccoon Stealer malware. Sokolovsky was arrested in the Netherlands on March 20th, 2022; before his arrest, some had believed he had died in the Ukraine conflict. Despite his conviction, other threat actors have taken over the Raccoon Stealer codebase and continue to release new versions.
Additionally, the U.S. government is pursuing the extradition of Rostislav Panev, a dual Russian-Israeli citizen alleged to have developed components for the LockBit ransomware operation. Panev, detained in Haifa in August, is accused of creating, among other things, a module that sent ransom notes directly to victims' network printers.
8. Malicious VSCode Extensions Target Crypto Projects
Researchers have uncovered 18 malicious Visual Studio Code (VS Code) extensions in the official VS Code marketplace. The extensions were designed to deploy backdoors on the systems of developers working on cryptocurrency-related projects. “As soon as the extensions were removed from the VS Code marketplace, the attacker uploaded similar malicious projects to the npm portal,” Claire remarks ([00:34]). The quick pivot from one ecosystem to another underscores the persistent threat of supply-chain attacks against developer tooling.
9. Juniper Routers Compromised by Mirai Malware
Juniper Networks warned that threat actors exploited default passwords on its Session Smart Router devices to deploy Mirai malware, and the compromised devices were subsequently used to launch distributed denial-of-service (DDoS) attacks. Mirai variants have also been found on DigiEver digital video recorders, which have been end-of-life since 2014 and remain unpatched. Akamai identified a new botnet, Hail Cock, active since September, that leverages Mirai on these legacy devices ([00:40]).
10. Google’s Device Fingerprinting Policy and Privacy Concerns
Google announced that starting next year, advertisers will be permitted to use device-based fingerprinting techniques to track users as an alternative to cookie-based tracking. “The new policy is needed to replace cookie based tracking,” Google explains ([00:43]), arguing that advances in privacy-preserving technologies make the change acceptable. The UK's Information Commissioner's Office disagrees, calling the change irresponsible and warning that fingerprinting is hard to control for users and is unlikely to meet the transparency and consent requirements of UK data protection law.
11. Netflix Fined for GDPR Violations in the Netherlands
In regulatory news, the Dutch Data Protection Authority has imposed a €4.75 million fine on Netflix for violating the General Data Protection Regulation (GDPR). The regulator found that Netflix had failed to adequately inform customers about how their personal data was being used. Netflix has since updated its privacy policy to address the findings ([00:47]).
Conclusion
Claire Aird wraps up the final 2024 edition of Risky Bulletin, wishing listeners a Merry Christmas and a Happy New Year. She informs that the bulletin will resume on January 20th, 2025, continuing to provide vital cybersecurity news and insights.
“And that's our final edition of Risky Business News, now Risky Bulletin, for the year. We'll return on the 20th of January with more cybersecurity news. Thanks so much for listening,” concludes Claire ([00:50]).
This summary encapsulates the key discussions and insights from the episode, providing a comprehensive overview for those who missed the podcast.
