Loading summary
Claire Aird
Sandworm deploys Tor nodes on hacked networks, the UK drops military training for cyber staff, the Salt Typhoon hacking spree continues and Russian APTs adopt device code phishing this is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire aird. Today is the 17th of February and this podcast episode is brought to you by RADS Security. In today's top story, Russia's Sandworm espionage group is deploying web shells and Tor enabled backdoors as part of an initial access campaign. The technique involves installing Tor hidden services on compromised hosts. Microsoft says the so called shadow link technique allows Sandworm to maintain stealthier access to compromised machines. In other news, Russian APT groups are also abusing device code authentication in recent phishing campaigns. The technique involves tricking victims into authenticating their sessions via authentication flows that are usually reserved for devices like smart TVs, IoT devices or printers. Victims share a one time passcode with the attackers that grants access to their accounts. Security firm Valexity has linked recent attacks to at least three Russian APT groups, including APT 29, a cyber espionage unit inside Russia's SVR intelligence agency. The Salt Typhoon Chinese espionage group is exploiting unpatched Cisco networking devices. According to Recorded Future, the group targeted over 1,000 Cisco devices globally in December and January. Confirmed victims include Telcos in the UK and South Africa. Apple has patched an actively exploited zero day in its iOS mobile operating system. The zero day was used to disable USB restricted mode on a locked device if an attacker had physical access. Apple's patch comes a week after Google. Google also patched a similar zero day that targeted Android's USB interface. Apple credited Bill Marzak of CitizenLab with finding the bug. Dutch police have seized server infrastructure belonging to Russian bulletproof hosting provider zservers. Australia, the US and the UK have also imposed sanctions on Z servers, including its UK front company Xhost. Two administrators and four employees all are Russian nationals. Officials say the service has supported many cybercrime operations, including the infamous Lockbit ransomware gang staying with seizures and European and US law enforcement agencies have seized server infrastructure linked to the eight Base ransomware gang. Thai police detained four Russian nationals linked to the gang. The four suspects were arrested in the city of Phuket earlier this month. The group allegedly ransomed more than 1,000 victims and made over $16 million. The eight base ransomware launched in early 20202023 and was a variant of the older Phobos strain. The Trump administration has put 17 CISA employees who worked on election security on forced leave. According to Cyberscoop, the 17 were members of a CISA team that dealt with election related disinformation. The move comes after the Justice Department disbanded its Foreign Influence Task Force, which also fought foreign disinformation campaigns targeting US elections. The British military has reduced basic military training requirements for new cyber warriors. New recruits are now exempt from the mandatory fitness and weapons training that regular military recruits go through. Officials have dropped the basic training requirement to address a shortage of cyber specialists across its armed forces. At least two Russian disinformation groups are targeting German audiences ahead of the country's upcoming federal elections. The campaign is using deepfakes and fake news sites to push false narratives ahead of the election. The narratives promote far right and pro Kremlin party and attack. Germany's current pro EU government security firm Recorded Future, has linked the activity to two groups tracked as Copy Cop and Doppelganger. This is the first time Russian disinfo groups are known to have targeted Blue sky audiences. Germany's Interior Ministry says foreign states are not specifically prohibited from spreading disinformation in Germany. Officials say this has complicated their response to recent Russian campaigns ahead of the country's election. The ministry says its responses so far have relied on the voluntary assistance of Internet infrastructure operators. Ukraine's military intelligence agency claims to have hacked more than 10,000 computers at Gazprom's main construction contractor, Gaztroiprom. The attack is believed to have impacted Gazprom's ability to build and maintain its oil and gas infrastructure. The hack came amid continuing Ukrainian drone attacks on Russian oil and gas infrastructure. A furry themed hacking group leaked thousands of files from Lexapol, a Texas company that develops training materials for US police and first responders. The leaked documents contain procedures for dealing with armed assailants, managing informants and high speed chase protocols. The group says it leaked the data because there aren't enough hacks against the police. Scammers have used AI voice cloning technology to impersonate Italy's defence minister and request money from the country's richest businessmen to free kidnapped journalists. The scheme targeted the owners of Prada, Armani, Inter Milan, arms manufacturer Beretta and pharma giant Manerini. The targets were asked to transfer 1 million euros to the scammers accounts and at least one victim paid. The Trump administration will swap a high profile Russian cybercriminal for an American teacher detained in Russia. U.S. officials will release Alexander Vinnick, the founder of former cryptocurrency exchange btce. Vinick pleaded guilty to money laundering charges last year, his platform laundered over $4 billion worth of Bitcoin, including ransomware payments. Italian company SIO is behind a spyware strain named spyticus. According to TechCrunch, the company supplies spyware tools to the Italian government. The spyware was found in fake WhatsApp and customer support tool Android Apps, a 2024 Kaspersky report claims there are also iOS, iOS and Windows versions of the spyware. Threat actors are exploiting a new vulnerability in Palo Alto network's firewalls. The attacks began a day after security firm Asset Note published a write up of the bug and Palo Alto released patches. The bug is an NGINX and Apache path confusion vulnerability, leading to an authentication bypass. Chainalysis has linked almost $10 billion worth of crypto assets to online scam gangs. Around 85% of the funds are linked to investment and romance scam operations. The company expects that amount to to $12.4 billion as it uncovers new cryptocurrency addresses in the coming months. And finally, Google is working on a new security feature for Android that will block users from making sensitive changes to their devices during a phone call. Users won't be able to sideload apps or enable device accessibility features during a call. The new feature is designed to counter voice scams and social engineering attacks. The new in call blocks will launch later this year with Android 16. And that is all for this podcast edition. Today's show was brough to you by our sponsor RAD Security. Find them at RAD Security.
Risky Bulletin: Sandworm Deploys Tor Nodes on Hacked Networks Hosted by Risky.biz | Released on February 16, 2025
In this episode of Risky Bulletin, host Claire Aird provides a comprehensive overview of the latest developments in cybersecurity. The episode covers a wide range of topics, including espionage activities by Russian and Chinese threat actors, significant software vulnerabilities, ransomware operations, government policy changes, and advancements in security technologies.
Overview: Russia's Sandworm espionage group has intensified its cyber operations by deploying web shells and Tor-enabled backdoors as part of an initial access campaign. This sophisticated technique involves installing Tor hidden services on compromised hosts, allowing Sandworm to maintain stealthier access to infiltrated systems.
Key Points:
Notable Quote:
"Russia's Sandworm espionage group is deploying web shells and Tor enabled backdoors as part of an initial access campaign."
— Claire Aird [00:04]
Overview: Russian Advanced Persistent Threat (APT) groups are exploiting device code authentication mechanisms in recent phishing attempts. This method deceives victims into authenticating their sessions through flows typically reserved for devices like smart TVs, IoT devices, or printers, inadvertently granting attackers access to their accounts.
Key Points:
Notable Quote:
"Victims share a one time passcode with the attackers that grants access to their accounts."
— Claire Aird [00:04]
Overview: The Salt Typhoon espionage group, associated with Chinese intelligence, continues its hacking spree by targeting unpatched Cisco networking devices. Their campaign has impacted over 1,000 Cisco devices globally during December and January, with confirmed victims in the UK and South Africa's telecommunications sectors.
Key Points:
Notable Quote:
"Salt Typhoon Chinese espionage group is exploiting unpatched Cisco networking devices."
— Claire Aird [00:04]
Overview: Both Apple and Google have released patches for actively exploited zero-day vulnerabilities affecting their mobile operating systems. Apple's zero-day allowed attackers with physical access to disable USB restricted mode on locked iOS devices, while Google's vulnerability targeted Android's USB interface.
Key Points:
Notable Quote:
"Apple has patched an actively exploited zero day in its iOS mobile operating system."
— Claire Aird [00:04]
Overview: Dutch authorities have seized server infrastructure belonging to the Russian bulletproof hosting provider Zservers. This action follows sanctions imposed by Australia, the US, and the UK on Zservers and its UK front company Xhost. The service has been implicated in supporting numerous cybercrime operations, including the Lockbit ransomware gang.
Key Points:
Notable Quote:
"Dutch police have seized server infrastructure belonging to Russian bulletproof hosting provider zservers."
— Claire Aird [00:04]
Overview: European and US law enforcement agencies have taken action against the Eight Base ransomware gang by seizing their server infrastructure. Thai authorities have also detained four Russian nationals linked to the group, which is notorious for ransoming over 1,000 victims and generating more than $16 million.
Key Points:
Notable Quote:
"The Trump administration has put 17 CISA employees who worked on election security on forced leave."
— Claire Aird [00:04]
Overview: The Trump administration has placed 17 employees of the Cybersecurity and Infrastructure Security Agency (CISA) on forced leave. These individuals were part of a team focused on election-related disinformation. This move follows the disbandment of the Justice Department's Foreign Influence Task Force, which addressed foreign disinformation campaigns targeting US elections.
Key Points:
Notable Quote:
"The Trump administration has put 17 CISA employees who worked on election security on forced leave."
— Claire Aird [00:04]
Overview: In response to a shortage of cyber specialists, the British military has scaled back its basic training requirements for new cyber recruits. New cyber warriors are now exempt from the mandatory fitness and weapons training that regular military personnel undergo.
Key Points:
Notable Quote:
"The British military has reduced basic military training requirements for new cyber warriors."
— Claire Aird [00:04]
Overview: Ahead of Germany's upcoming federal elections, at least two Russian disinformation groups are actively targeting German audiences. Utilizing deepfakes and fake news sites, these groups are pushing false narratives to promote far-right and pro-Kremlin parties while attacking opponents.
Key Points:
Notable Quote:
"At least two Russian disinformation groups are targeting German audiences ahead of the country's upcoming federal elections."
— Claire Aird [00:04]
Overview: Ukraine's military intelligence agency claims to have hacked over 10,000 computers at Gazprom's main construction contractor, Gaztroiprom. This cyber attack is believed to hinder Gazprom's capacity to develop and maintain its oil and gas infrastructure, complementing ongoing Ukrainian drone assaults on Russian energy assets.
Key Points:
Notable Quote:
"Ukraine's military intelligence agency claims to have hacked more than 10,000 computers at Gazprom's main construction contractor, Gaztroiprom."
— Claire Aird [00:04]
Overview: A hacker group with a furry theme has leaked thousands of documents from Lexapol, a Texas-based company that provides training materials for US police and first responders. The leaked files include procedures for handling armed threats, managing informants, and conducting high-speed chases.
Key Points:
Notable Quote:
"A furry themed hacking group leaked thousands of files from Lexapol, a Texas company that develops training materials for US police and first responders."
— Claire Aird [00:04]
Overview: Scammers have employed AI voice cloning technology to impersonate Italy's defense minister, soliciting funds from the country's wealthiest businessmen to secure the release of kidnapped journalists. The deceptive scheme targeted prominent figures, including owners of Prada, Armani, Inter Milan, Beretta, and Manerini.
Key Points:
Notable Quote:
"Scammers have used AI voice cloning technology to impersonate Italy's defence minister and request money from the country's richest businessmen to free kidnapped journalists."
— Claire Aird [00:04]
Overview: The Trump administration is set to exchange a high-profile Russian cybercriminal, Alexander Vinnick, founder of the former cryptocurrency exchange BTCE, for an American teacher detained in Russia. Vinnick, who pleaded guilty to money laundering charges, was involved in laundering over $4 billion worth of Bitcoin, including funds from ransomware operations.
Key Points:
Notable Quote:
"The Trump administration will swap a high profile Russian cybercriminal for an American teacher detained in Russia."
— Claire Aird [00:04]
Overview: SIO, an Italian company, is behind the development of the spyware strain Spyticus. According to TechCrunch, SIO supplies spyware tools to the Italian government, with the spyware embedded in fake WhatsApp and customer support Android apps. A 2024 Kaspersky report also identifies versions for iOS and Windows.
Key Points:
Notable Quote:
"Italian company SIO is behind a spyware strain named spyticus."
— Claire Aird [00:04]
Overview: Threat actors are exploiting a newly discovered vulnerability in Palo Alto Networks' firewalls. The attacks began shortly after security firm Asset Note published details of the bug, prompting Palo Alto to release patches. The vulnerability, related to NGINX and Apache path confusion, allows attackers to bypass authentication protocols.
Key Points:
Notable Quote:
"Threat actors are exploiting a new vulnerability in Palo Alto network's firewalls."
— Claire Aird [00:04]
Overview: Cryptocurrency analysis firm Chainalysis has traced nearly $10 billion worth of crypto assets to online scam gangs. The majority of these funds—approximately 85%—are associated with investment and romance scam operations. The firm anticipates this figure could rise to $12.4 billion as new cryptocurrency addresses are identified.
Key Points:
Notable Quote:
"Chainalysis has linked almost $10 billion worth of crypto assets to online scam gangs."
— Claire Aird [00:04]
Overview: Google is developing a new security feature for Android devices that will prevent users from making sensitive changes to their devices during phone calls. This includes blocking actions such as sideloading apps or enabling device accessibility features, aiming to counteract voice scams and social engineering attacks.
Key Points:
Notable Quote:
"Google is working on a new security feature for Android that will block users from making sensitive changes to their devices during a phone call."
— Claire Aird [00:04]
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats in 2025. From state-sponsored espionage and sophisticated phishing campaigns to the exploitation of software vulnerabilities and the rise of crypto-based scams, the landscape remains perilous. Additionally, government responses and technological advancements are continuously evolving to address these challenges. Staying informed and proactive is essential for individuals and organizations alike to navigate and mitigate the complexities of the modern cyber threat environment.
This summary has been crafted based on the transcript provided and seeks to encapsulate all key discussions, insights, and conclusions presented in the podcast episode.