Transcript
Claire Aird (0:04)
Sandworm deploys Tor nodes on hacked networks, the UK drops military training for cyber staff, the Salt Typhoon hacking spree continues, and Russian APTs adopt device code phishing. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 17th of February, and this podcast episode is brought to you by RAD Security.

In today's top story, Russia's Sandworm espionage group is deploying web shells and Tor-enabled backdoors as part of an initial access campaign. The technique involves installing Tor hidden services on compromised hosts. Microsoft says the so-called ShadowLink technique allows Sandworm to maintain stealthier access to compromised machines.

In other news, Russian APT groups are also abusing device code authentication in recent phishing campaigns. The technique involves tricking victims into authenticating their sessions via authentication flows that are usually reserved for devices like smart TVs, IoT devices or printers. Victims share a one-time passcode with the attackers that grants access to their accounts. Security firm Volexity has linked recent attacks to at least three Russian APT groups, including APT29, a cyber espionage unit inside Russia's SVR intelligence agency.

The Salt Typhoon Chinese espionage group is exploiting unpatched Cisco networking devices. According to Recorded Future, the group targeted over 1,000 Cisco devices globally in December and January. Confirmed victims include telcos in the UK and South Africa.

Apple has patched an actively exploited zero-day in its iOS mobile operating system. The zero-day was used to disable USB Restricted Mode on a locked device if an attacker had physical access. Apple's patch comes a week after Google's. Google also patched a similar zero-day that targeted Android's USB interface. Apple credited Bill Marczak of Citizen Lab with finding the bug.

Dutch police have seized server infrastructure belonging to Russian bulletproof hosting provider Zservers. Australia, the US and the UK have also imposed sanctions on Zservers, including its UK front company Xhost, two administrators and four employees, all Russian nationals. Officials say the service has supported many cybercrime operations, including the infamous LockBit ransomware gang.

Staying with seizures, European and US law enforcement agencies have seized server infrastructure linked to the 8Base ransomware gang. Thai police detained four Russian nationals linked to the gang. The four suspects were arrested in the city of Phuket earlier this month. The group allegedly ransomed more than 1,000 victims and made over $16 million. The 8Base ransomware launched in early 2023 and was a variant of the older Phobos strain.

The Trump administration has put 17 CISA employees who worked on election security on forced leave. According to CyberScoop, the 17 were members of a CISA team that dealt with election-related disinformation. The move comes after the Justice Department disbanded its Foreign Influence Task Force, which also fought foreign disinformation campaigns targeting US elections.

The British military has reduced basic military training requirements for new cyber warriors. New recruits are now exempt from the mandatory fitness and weapons training that regular military recruits go through. Officials have dropped the basic training requirement to address a shortage of cyber specialists across its armed forces.

At least two Russian disinformation groups are targeting German audiences ahead of the country's upcoming federal elections. The campaign is using deepfakes and fake news sites to push false narratives ahead of the election. The narratives promote far-right and pro-Kremlin parties and attack Germany's current pro-EU government. Security firm Recorded Future has linked the activity to two groups tracked as CopyCop and Doppelganger. This is the first time Russian disinfo groups are known to have targeted Bluesky audiences.

Germany's Interior Ministry says foreign states are not specifically prohibited from spreading disinformation in Germany. Officials say this has complicated their response to recent Russian campaigns ahead of the country's election. The ministry says its responses so far have relied on the voluntary assistance of Internet infrastructure operators.

Ukraine's military intelligence agency claims to have hacked more than 10,000 computers at Gazprom's main construction contractor, Gazstroyprom. The attack is believed to have impacted Gazprom's ability to build and maintain its oil and gas infrastructure. The hack came amid continuing Ukrainian drone attacks on Russian oil and gas infrastructure.

A furry-themed hacking group leaked thousands of files from Lexipol, a Texas company that develops training materials for US police and first responders. The leaked documents contain procedures for dealing with armed assailants, managing informants, and high-speed chase protocols. The group says it leaked the data because there aren't enough hacks against the police.

Scammers have used AI voice cloning technology to impersonate Italy's defence minister and request money from the country's richest businessmen to free kidnapped journalists. The scheme targeted the owners of Prada, Armani, Inter Milan, arms manufacturer Beretta and pharma giant Menarini. The targets were asked to transfer 1 million euros to the scammers' accounts, and at least one victim paid.

The Trump administration will swap a high-profile Russian cybercriminal for an American teacher detained in Russia. US officials will release Alexander Vinnik, the founder of former cryptocurrency exchange BTC-e. Vinnik pleaded guilty to money laundering charges last year. His platform laundered over $4 billion worth of Bitcoin, including ransomware payments.

Italian company SIO is behind a spyware strain named Spyrtacus. According to TechCrunch, the company supplies spyware tools to the Italian government. The spyware was found in fake WhatsApp and customer support tool Android apps. A 2024 Kaspersky report claims there are also iOS and Windows versions of the spyware.

Threat actors are exploiting a new vulnerability in Palo Alto Networks' firewalls. The attacks began a day after security firm Assetnote published a write-up of the bug and Palo Alto released patches. The bug is an NGINX and Apache path confusion vulnerability leading to an authentication bypass.

Chainalysis has linked almost $10 billion worth of crypto assets to online scam gangs. Around 85% of the funds are linked to investment and romance scam operations. The company expects that amount to rise to $12.4 billion as it uncovers new cryptocurrency addresses in the coming months.

And finally, Google is working on a new security feature for Android that will block users from making sensitive changes to their devices during a phone call. Users won't be able to sideload apps or enable device accessibility features during a call. The new feature is designed to counter voice scams and social engineering attacks. The new in-call blocks will launch later this year with Android 16.

And that is all for this podcast edition. Today's show was brought to you by our sponsor RAD Security. Find them at RAD Security.
