Risky Bulletin: Sandworm Deploys Tor Nodes on Hacked Networks Hosted by Risky.biz | Released on February 16, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird provides a comprehensive overview of the latest developments in cybersecurity. The episode covers a wide range of topics, including espionage activities by Russian and Chinese threat actors, significant software vulnerabilities, ransomware operations, government policy changes, and advancements in security technologies.
1. Sandworm's Deployment of Tor Nodes on Hacked Networks
Overview: Russia's Sandworm espionage group has intensified its cyber operations by deploying web shells and Tor-enabled backdoors as part of an initial access campaign. This sophisticated technique involves installing Tor hidden services on compromised hosts, allowing Sandworm to maintain stealthier access to infiltrated systems.
Key Points:
- Sandworm utilizes the "shadow link" technique, which enhances the stealth and longevity of their cyber presence.
- Microsoft has identified and reported on this method, highlighting its potential impact on organizational security.
Notable Quote:
"Russia's Sandworm espionage group is deploying web shells and Tor enabled backdoors as part of an initial access campaign."
— Claire Aird [00:04]
2. Russian APTs Abusing Device Code Authentication in Phishing Campaigns
Overview: Russian Advanced Persistent Threat (APT) groups are exploiting device code authentication mechanisms in recent phishing attempts. This method deceives victims into authenticating their sessions through flows typically reserved for devices like smart TVs, IoT devices, or printers, inadvertently granting attackers access to their accounts.
Key Points:
- Security firm Volexity attributes these attacks to at least three Russian APT groups, including APT29, which is linked to Russia's SVR intelligence agency.
- The technique relies on the victim handing over a one-time passcode, so the phishing attempt appears legitimate and bypasses traditional security measures.
Notable Quote:
"Victims share a one time passcode with the attackers that grants access to their accounts."
— Claire Aird [00:04]
3. Salt Typhoon's Exploitation of Unpatched Cisco Devices
Overview: The Salt Typhoon espionage group, associated with Chinese intelligence, continues its hacking spree by targeting unpatched Cisco networking devices. The campaign affected more than 1,000 Cisco devices globally during December and January, with confirmed victims in the telecommunications sectors of the UK and South Africa.
Key Points:
- Recorded Future reports on the extensive reach of Salt Typhoon's operations.
- The exploitation underscores the critical need for timely patch management in safeguarding network infrastructure.
Notable Quote:
"Salt Typhoon Chinese espionage group is exploiting unpatched Cisco networking devices."
— Claire Aird [00:04]
4. Patching of Actively Exploited Zero-Days by Apple and Google
Overview: Both Apple and Google have released patches for actively exploited zero-day vulnerabilities affecting their mobile operating systems. Apple's zero-day allowed attackers with physical access to disable USB restricted mode on locked iOS devices, while Google's vulnerability targeted Android's USB interface.
Key Points:
- Apple credited Bill Marczak of Citizen Lab with discovering the iOS vulnerability.
- These patches come swiftly after the vulnerabilities were exploited in the wild, demonstrating the companies' responsiveness to emerging threats.
Notable Quote:
"Apple has patched an actively exploited zero day in its iOS mobile operating system."
— Claire Aird [00:04]
5. Seizure of Zservers' Infrastructure by International Law Enforcement
Overview: Dutch authorities have seized server infrastructure belonging to the Russian bulletproof hosting provider Zservers. This action follows sanctions imposed by Australia, the US, and the UK on Zservers and its UK front company Xhost. The service has been implicated in supporting numerous cybercrime operations, including the Lockbit ransomware gang.
Key Points:
- Two administrators and four employees of Zservers, all Russian nationals, have been targeted.
- The crackdown aligns with broader international efforts to dismantle cybercriminal infrastructure.
Notable Quote:
"Dutch police have seized server infrastructure belonging to Russian bulletproof hosting provider zservers."
— Claire Aird [00:04]
6. Crackdown on 8Base Ransomware Gang
Overview: European and US law enforcement agencies have taken action against the 8Base ransomware gang by seizing its server infrastructure. Thai authorities have also detained four Russian nationals linked to the group, which is notorious for ransoming over 1,000 victims and generating more than $16 million.
Key Points:
- 8Base ransomware is a variant of the older Phobos strain and has been active since early 2020.
- The arrests mark significant progress in combating ransomware operations and disrupting their financial gains.
7. Trump Administration's Actions on CISA Employees
Overview: The Trump administration has placed 17 employees of the Cybersecurity and Infrastructure Security Agency (CISA) on forced leave. These individuals were part of a team focused on election-related disinformation. This move follows the disbandment of the Justice Department's Foreign Influence Task Force, which addressed foreign disinformation campaigns targeting US elections.
Key Points:
- The administration's actions may impact ongoing efforts to safeguard election integrity against foreign interference.
- The decision reflects the politicization of cybersecurity roles within government agencies.
Notable Quote:
"The Trump administration has put 17 CISA employees who worked on election security on forced leave."
— Claire Aird [00:04]
8. British Military’s Reduction of Cyber Training Requirements
Overview: In response to a shortage of cyber specialists, the British military has scaled back its basic training requirements for new cyber recruits. New cyber warriors are now exempt from the mandatory fitness and weapons training that regular military personnel undergo.
Key Points:
- This policy change aims to streamline the recruitment and onboarding process for cyber roles.
- It highlights the increasing importance of cyber capabilities in modern military operations.
Notable Quote:
"The British military has reduced basic military training requirements for new cyber warriors."
— Claire Aird [00:04]
9. Russian Disinformation Targeting German Federal Elections
Overview: Ahead of Germany's upcoming federal elections, at least two Russian disinformation groups are actively targeting German audiences. Utilizing deepfakes and fake news sites, these groups are pushing false narratives to promote far-right and pro-Kremlin parties while attacking opponents.
Key Points:
- Recorded Future links the disinformation efforts to the groups Copy Cop and Doppelganger.
- Germany's Interior Ministry faces challenges in countering these campaigns due to the lack of specific prohibitions against foreign disinformation.
Notable Quote:
"At least two Russian disinformation groups are targeting German audiences ahead of the country's upcoming federal elections."
— Claire Aird [00:04]
10. Ukraine's Cyber Attack on Gazstroyprom
Overview: Ukraine's military intelligence agency claims to have hacked over 10,000 computers at Gazprom's main construction contractor, Gazstroyprom. The attack is intended to hinder Gazprom's capacity to develop and maintain its oil and gas infrastructure, complementing ongoing Ukrainian drone strikes on Russian energy assets.
Key Points:
- The attack underscores the strategic use of cyber operations in the broader context of the Russia-Ukraine conflict.
- Disrupting energy infrastructure can have significant economic and operational impacts on Russia.
Notable Quote:
"Ukraine's military intelligence agency claims to have hacked more than 10,000 computers at Gazprom's main construction contractor, Gazstroyprom."
— Claire Aird [00:04]
11. Furry-Themed Hacking Group Leaks Lexipol Files
Overview: A hacker group with a furry theme has leaked thousands of documents from Lexipol, a Texas-based company that provides training materials for US police and first responders. The leaked files include procedures for handling armed threats, managing informants, and conducting high-speed chases.
Key Points:
- The group said it acted because, in its view, too few hacking efforts have targeted law enforcement.
- The leak raises concerns about the security of sensitive training materials and their potential misuse.
Notable Quote:
"A furry themed hacking group leaked thousands of files from Lexipol, a Texas company that develops training materials for US police and first responders."
— Claire Aird [00:04]
12. AI Voice Cloning Scam Targets Italy’s Elite
Overview: Scammers have used AI voice cloning technology to impersonate Italy's defence minister, soliciting funds from the country's wealthiest businessmen supposedly to secure the release of kidnapped journalists. The scheme targeted prominent figures, including the owners of Prada, Armani, Inter Milan, Beretta, and Menarini.
Key Points:
- Victims were instructed to transfer €1 million to fraudulent accounts, with at least one successful payment reported.
- The use of advanced AI technologies exemplifies the evolving sophistication of cyber scams.
Notable Quote:
"Scammers have used AI voice cloning technology to impersonate Italy's defence minister and request money from the country's richest businessmen to free kidnapped journalists."
— Claire Aird [00:04]
13. High-Profile Cybercriminal Swap Facilitated by Trump Administration
Overview: The Trump administration is set to exchange a high-profile Russian cybercriminal, Alexander Vinnik, founder of the former cryptocurrency exchange BTC-e, for an American teacher detained in Russia. Vinnik, who pleaded guilty to money laundering charges, was involved in laundering over $4 billion worth of Bitcoin, including funds from ransomware operations.
Key Points:
- The swap underscores the geopolitical complexities in negotiating with cybercriminals.
- Vinnik's cooperation could provide valuable insights into ransomware payment flows and cryptocurrency laundering techniques.
Notable Quote:
"The Trump administration will swap a high profile Russian cybercriminal for an American teacher detained in Russia."
— Claire Aird [00:04]
14. Italian Company SIO Linked to Spyware Strain Spyrtacus
Overview: SIO, an Italian company, is behind the development of the spyware strain Spyrtacus. According to TechCrunch, SIO supplies spyware tools to the Italian government, with the spyware embedded in fake WhatsApp and customer support Android apps. A 2024 Kaspersky report also identifies versions for iOS and Windows.
Key Points:
- Spyrtacus poses a significant threat to user privacy and security across multiple platforms.
- The involvement of a government-affiliated company raises concerns about state-sponsored surveillance and data exploitation.
Notable Quote:
"Italian company SIO is behind a spyware strain named Spyrtacus."
— Claire Aird [00:04]
15. Exploitation of Palo Alto Networks' Firewalls
Overview: Threat actors are exploiting a newly disclosed vulnerability in Palo Alto Networks' firewalls. The attacks began shortly after security firm Assetnote published details of the bug, prompting Palo Alto Networks to release patches. The vulnerability, a path confusion issue between the NGINX and Apache components of the firewall's management interface, allows attackers to bypass authentication.
Key Points:
- Timely patching is crucial to mitigate the risks posed by such vulnerabilities.
- Organizations using Palo Alto’s firewall products should apply updates immediately to prevent unauthorized access.
Notable Quote:
"Threat actors are exploiting a new vulnerability in Palo Alto Networks' firewalls."
— Claire Aird [00:04]
16. Chainalysis Links $10 Billion in Crypto Assets to Online Scams
Overview: Cryptocurrency analysis firm Chainalysis has traced nearly $10 billion worth of crypto assets to online scam gangs. The majority of these funds—approximately 85%—are associated with investment and romance scam operations. The firm anticipates this figure could rise to $12.4 billion as new cryptocurrency addresses are identified.
Key Points:
- The substantial volume of funds indicates the lucrative nature of crypto-enabled scams.
- Enhanced tracking and regulation of cryptocurrency transactions are imperative to combat these illicit activities.
Notable Quote:
"Chainalysis has linked almost $10 billion worth of crypto assets to online scam gangs."
— Claire Aird [00:04]
17. Google's Upcoming Android Security Feature to Block Sensitive Changes During Calls
Overview: Google is developing a new security feature for Android devices that will prevent users from making sensitive changes to their devices during phone calls. This includes blocking actions such as sideloading apps or enabling device accessibility features, aiming to counteract voice scams and social engineering attacks.
Key Points:
- The feature is slated to launch later in the year alongside Android 16.
- By restricting certain device settings during calls, Google seeks to enhance user protection against real-time exploitation attempts.
Notable Quote:
"Google is working on a new security feature for Android that will block users from making sensitive changes to their devices during a phone call."
— Claire Aird [00:04]
Conclusion
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats in 2025. From state-sponsored espionage and sophisticated phishing campaigns to the exploitation of software vulnerabilities and the rise of crypto-based scams, the landscape remains perilous. Additionally, government responses and technological advancements are continuously evolving to address these challenges. Staying informed and proactive is essential for individuals and organizations alike to navigate and mitigate the complexities of the modern cyber threat environment.
