Claire Aird
Russia designates Recorded Future an undesirable organisation, the US prepares to ban TP-Link, Google will allow device fingerprinting next year, and the developer of Raccoon Stealer is sentenced to five years in prison. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of December and this is the final bulletin for 2024. The Risky Bulletin will return on Monday, January 20th next year, and we hope you all have a wonderful Christmas and New Year.

In today's top story, the Russian government has added cybersecurity firm Recorded Future to its list of undesirable organisations. The Kremlin cited the company's work with Ukraine and foreign intelligence agencies as the reasons for the listing. Russian officials say the company also collects and analyses data on its armed forces. Recorded Future was one of the first security firms to provide aid to Ukraine after Russia's invasion, together with Microsoft and Cisco Talos. Over the past two years, Recorded Future has published numerous reports exposing Russia's hacking and influence operations. It's also helped its prosecutors investigate war crimes.

In other news, the U.S. Department of Homeland Security says China, Russia, Iran and Israel have exploited vulnerabilities in the SS7 protocol to spy on US citizens. The hacks were part of a campaign that targeted individuals across the world. The US Defence Department says all US telcos are vulnerable to SS7 hacks and have not taken any steps to mitigate future attacks.

China's CERT claims a US intelligence agency hacked two local tech companies. The agency allegedly breached a Chinese company in the smart energy and digital information sector in May of last year, and a company involved in advanced materials research and design in August this year. China's CERT says the attackers exploited Microsoft Exchange vulnerabilities in the first intrusion and stole trade secrets during the second.

CISA has ordered federal government agencies to secure their Microsoft cloud environments. Federal agencies will be required to inventory and report all their cloud infrastructure to CISA by February 21st next year. Agencies will also have to run CISA's SCuBA tool to audit their Microsoft 365 tenants for common misconfigurations.

CISA has also asked high-ranking government officials to secure their mobile devices in the face of rising cybersecurity risks from foreign adversaries. The agency published a series of steps and recommendations officials can take to safeguard their devices on Wednesday. The guide urges officials to use end-to-end encrypted communications, use FIDO-based authentication, and keep their devices and software up to date. It also advises officials to use a password manager, avoid using VPNs, and set a PIN for their telco voicemail.

The US government is considering banning TP-Link products in the US on national security grounds. Officials say the company's routers have been linked to cyber attacks against U.S. critical infrastructure. According to reports, the Commerce, Defence and Justice departments have all opened investigations into the Chinese company. A ban is expected to be in place early next year.

A threat actor has gained access to the Rspack JavaScript packaging utility and released a malicious version of the tool. According to Socket Security, the malicious version contains a crypto miner. The packages were live for only a few hours but are believed to have been downloaded by thousands of developers.

Identity and PAM provider BeyondTrust says a threat actor gained access to cloud-hosted instances of its Remote Support product. The attackers used a compromised API key to reset passwords. During the investigation, BeyondTrust identified and patched two vulnerabilities that appear to have been used during the intrusions. The two allowed attackers to run code on behalf of a legitimate user on Remote Support platforms.

Blockchain analysis firm Chainalysis says threat actors stole over $2.2 billion worth of crypto assets last year. Most of the hacks took place in the first half of the year. Most of the funds were stolen from DeFi platforms. This year's biggest hack was the $305 million DMM Bitcoin crypto heist in May. DMM shut down earlier this month.

A US judge has sentenced a Ukrainian man to five years in prison for creating and selling the Raccoon Stealer malware. Mark Sokolovsky was arrested in the Netherlands in March 2022, after authorities seized and shut down the Raccoon Stealer operation. Until US authorities announced his arrest, fellow malware developers thought Sokolovsky had died in the war in Ukraine. Other threat actors have now taken over the Raccoon Stealer malware and have released new versions.

The US government is seeking the extradition of an Israeli citizen over his role in developing the LockBit ransomware. Rostislav Panev allegedly developed components for the LockBit gang, including a module that sent hard-copy ransom notes to victims' printers. Israeli police detained Panev in the city of Haifa in August. Investigators allegedly found evidence at his home linking him to LockBit.

Researchers have identified 18 malicious VS Code extensions available in the official VS Code marketplace. The extensions attempt to deploy backdoors on the systems of crypto-related projects. ReversingLabs says that as soon as the extensions were removed from the VS Code marketplace, the attacker uploaded similar malicious projects to the npm portal.

Networking equipment vendor Juniper says that threat actors deployed malware to its Session Smart routers in a series of attacks last week. Attackers targeted routers that were still using their default passwords to install a version of the Mirai malware. Juniper says the devices were later used to launch DDoS attacks.

Mirai also lives on in DigiEver digital video recorders. Akamai said a new botnet named Hail Cock appeared in September, which is deploying Mirai on these devices. The DigiEver devices have been end of life since 2014 and are unlikely to ever see patches.

Google will allow advertisers to use device-based fingerprinting techniques to track users starting next year. The new policy will enter into effect in February. Google says the new policy is needed to replace cookie-based tracking, and because on-device privacy-preserving technologies have matured. The UK's Information Commissioner's Office says the new policy might be illegal.

And finally, Dutch authorities have fined Netflix 4.75 million euros for GDPR violations. The Dutch data protection agency says Netflix failed to inform consumers of what it was doing with their personal data. The company has since updated its privacy policy.

And that's our final edition of Risky Business News, now the Risky Bulletin, for the year. We'll return on the 20th of January with more cybersecurity news. Thanks so much for listening.
Risky Bulletin Podcast Summary
Episode: "Russia designates Recorded Future an 'undesirable organization'"
Host: Claire Aird | Release Date: December 19, 2024
In the episode's opening segment, Claire Aird reports that the Russian government has officially listed cybersecurity firm Recorded Future as an "undesirable organization." The designation stems from the company's collaboration with Ukraine and foreign intelligence agencies. "The Kremlin cited the company's work with Ukraine and foreign intelligence agencies as the reasons for the listing," Aird explains at [00:04].
Recorded Future has supported Ukraine since the onset of Russia's invasion, alongside Microsoft and Cisco Talos. Over the past two years, the firm has released numerous reports exposing Russia's hacking and influence campaigns and has assisted Ukrainian prosecutors investigating war crimes. Russian authorities further allege that Recorded Future collects and analyzes data on Russia's armed forces.
The bulletin then turns to the exploitation of the SS7 telephony signalling protocol to spy on U.S. citizens. Claire notes that the Department of Homeland Security says "China, Russia, Iran, and Israel have exploited vulnerabilities in the SS7 protocol to spy on US citizens" ([00:08]). The hacks were part of a broader campaign that targeted individuals around the world.
The U.S. Department of Defense says all American telecommunications companies remain vulnerable to SS7 attacks and have not taken steps to mitigate future ones. In a related development, China's CERT accuses a U.S. intelligence agency of hacking two Chinese tech firms: a company in the smart-energy and digital-information sector in May of last year, and an advanced-materials research and design company in August of this year. According to China's CERT, the first intrusion exploited Microsoft Exchange vulnerabilities and the second resulted in the theft of trade secrets.
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Microsoft cloud environments. By February 21st next year, agencies must inventory and report all cloud infrastructure to CISA. Agencies must also run CISA's SCuBA tool to audit their Microsoft 365 tenants for common misconfigurations ([00:16]).
CISA has also issued guidance urging high-ranking government officials to safeguard their mobile devices against rising cybersecurity threats from foreign adversaries. Recommendations include using end-to-end encrypted communications, FIDO-based authentication, keeping devices and software updated, using a password manager, avoiding VPNs, and setting a PIN for telco voicemail.
The U.S. government is considering a ban on TP-Link products on national security grounds. "Officials say the company's routers have been linked to cyber attacks against U.S. critical infrastructure," Aird states ([00:21]). The Commerce, Defense, and Justice departments have reportedly opened investigations, and a ban is expected to be in place early next year.
In software supply chain news, a threat actor gained access to the Rspack JavaScript packaging utility and released a malicious version containing a crypto miner. Although the packages were live for only a few hours, thousands of developers are believed to have downloaded them ([00:25]).
In another breach, identity and PAM provider BeyondTrust says a threat actor gained access to cloud-hosted instances of its Remote Support product. The attackers used a compromised API key to reset passwords. During its investigation, BeyondTrust identified and patched two vulnerabilities that appear to have been used in the intrusions; both allowed attackers to run code on behalf of a legitimate user on Remote Support platforms.
Chainalysis reports that threat actors stole over $2.2 billion worth of cryptocurrency assets in the past year, with most of the hacks occurring in the first half of the year and most of the funds taken from decentralized finance (DeFi) platforms. The year's largest theft was the $305 million DMM Bitcoin heist in May; DMM shut down earlier this month ([00:29]).
In legal news, a U.S. judge sentenced Ukrainian national Mark Sokolovsky to five years in prison for creating and selling the Raccoon Stealer malware. Sokolovsky was arrested in the Netherlands in March 2022, after authorities seized and shut down the Raccoon Stealer operation; until U.S. authorities announced the arrest, fellow malware developers believed he had died in the war in Ukraine. Other threat actors have since taken over the Raccoon Stealer malware and released new versions.
Additionally, the U.S. government is seeking the extradition of Israeli citizen Rostislav Panev, who allegedly developed components for the LockBit ransomware gang, including a module that sent hard-copy ransom notes to victims' printers. Israeli police detained Panev in Haifa in August, and investigators allegedly found evidence at his home linking him to LockBit.
Researchers have identified 18 malicious Visual Studio Code (VS Code) extensions in the official VS Code marketplace. The extensions attempt to deploy backdoors on the systems of cryptocurrency-related projects. "As soon as the extensions were removed from the VS Code marketplace, the attacker uploaded similar malicious projects to the NPM portal," Claire remarks, citing ReversingLabs ([00:34]). The move from one package ecosystem to another underscores the persistence of supply chain attackers targeting developer tooling.
Juniper Networks says threat actors targeted its Session Smart routers that were still using default passwords, installing a version of the Mirai malware; the compromised devices were later used to launch distributed denial-of-service (DDoS) attacks. Mirai also lives on in DigiEver digital video recorders: Akamai says a new botnet named Hail Cock appeared in September and is deploying Mirai on these devices, which have been end-of-life since 2014 and are unlikely to ever be patched ([00:40]).
Google announced that starting next year advertisers will be permitted to use device-based fingerprinting techniques to track users; the new policy takes effect in February. Google says "the new policy is needed to replace cookie based tracking" and that on-device privacy-preserving technologies have matured ([00:43]). The UK's Information Commissioner's Office, however, says the new policy might be illegal.
In regulatory news, Dutch authorities have fined Netflix €4.75 million for violating the General Data Protection Regulation (GDPR). The Dutch data protection agency says Netflix failed to inform consumers about what it was doing with their personal data. Netflix has since updated its privacy policy ([00:47]).
Claire Aird wraps up the final 2024 edition of Risky Bulletin by wishing listeners a Merry Christmas and a Happy New Year. She notes that the bulletin will resume on January 20th, 2025.
"And that's our final edition of Risky Business News, now the Risky Bulletin, for the year. We'll return on the 20th of January with more cybersecurity news. Thanks so much for listening," concludes Claire ([00:50]).
This summary encapsulates the key discussions and insights from the episode, providing a comprehensive overview for those who missed the podcast.