Risky Bulletin: Yanluowang ransomware IAB pleads guilty
In other news: US CBO hacked by foreign APT; Singapore to punish scammers with cane beatings; Chrome will remove XSLT support for security reasons.

This newsletter is brought to you by cloud security firm Prowler. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

A Russian man has pleaded guilty to hacking US companies and selling access to ransomware groups.

Aleksei Olegovich Volkov went online under the hacker name of "chubaka.kor" and worked as an initial access broker (IAB) for the Yanluowang ransomware.

Volkov used various techniques to breach a corporate employee's account, escalate access to the employer's network, and then sold that access to other cybercriminals.

According to court documents, between July 2021 and November 2022, Volkov regularly sold access to individuals who later deployed the Yanluowang ransomware.

Investigators tied Volkov to intrusions and subsequent ransomware attacks on seven US companies, including a bank, a telco, and an engineering firm.

Two of the seven victims paid ransoms of $1.5 million in Bitcoin, of which Volkov also got a cut, according to charging documents.

Although court documents don't mention this, Volkov was charged shortly after the Yanluowang gang hacked and tried to ransom Cisco in May 2022. It's unclear if that played any role, but tickling the parent company of the vaunted Talos IR teams might have been a bad decision.

The Yanluowang gang eventually shuttered operations in November 2022 after it got hacked and its internal chats and source code were leaked online.

Volkov was eventually arrested in 2024 after he moved to Rome, most likely to escape the complications of Russia's invasion of Ukraine and the state's ever-increasing military drafting. He was extradited to the US that same year.

He faces up to 50 years in prison and fines of up to $1 million. A date for the sentencing hearing has not been set yet. He will also have to pay restitution to past victims.

(h/t Seamus Hughes of CourtHouseNews; h/t OnionToranaga)

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show, with Pat and Adam at the helm.

TISZA leak: Hungary's main opposition party has suffered a major security breach. Hackers leaked more than 200,000 user records from the TISZA party's mobile app. This is the party's second breach this year. TISZA leader Péter Magyar blamed the hack on Russian hackers. (KiberBlog, Hungary Today)

APT breaches US CBO: The US Congressional Budget Office has been hacked by a foreign hacking group. The intruders are believed to have stolen emails and internal chat logs. The hack was discovered last week and is still under investigation. The CBO creates economic projections for proposed bills. (Washington Post, Politico)

WaPo breach linked to Oracle hacks: The Washington Post has joined the list of companies that have been impacted by a recent wave of zero-day attacks against Oracle EBS environments. (Reuters)

Illuminate fined for 2022 breach: Illuminate, an IT provider of school attendance and grading software, has agreed to pay a $5.1 million fine to the NY OAG for a 2022 security breach that exposed the data of 1.7 million students. (h/t DataBreaches.net)

Balancer IR: Trail of Bits has published an incident report on the $128 million hack of the Balancer DeFi platform last week.

Tinder to rummage through your photos: Tinder will use AI to analyze a user's photo gallery to learn more about their interests and personality. The AI will request permission before accessing the camera roll. The new feature is named Chemistry and has been rolled out for tests in Australia and New Zealand. Tinder becomes the second company, after Meta, to deploy AI on its users' private galleries. The dating app has seen nine straight quarters of declining paying subscribers. (TechCrunch)

Chrome to remove XSLT support: Google will remove support for the XSLT language from the Chrome browser by late 2026. Extensible Stylesheet Language Transformations is a system similar to CSS, designed to stylize XML documents. Google cited security reasons for removing support. XSLT support will be removed in Chrome version 155, scheduled for November next year. Firefox and Safari will also remove XSLT support, but they have not announced clear deadlines.

Firefox paid support: Mozilla has announced Firefox paid support for corporate customers.

Akamai reports disruptions in Russia: The Russian government has started filtering Akamai traffic, leading to disruptions for some local customers. Akamai says it is aware of the government's actions but is unable to do anything. A full block has not yet been fully implemented. Russia has required all foreign cloud providers to open offices in the country and register with the state.

EU GDPR changes to cookie nightmare: Proposed changes to the EU GDPR legislation would allow European users to accept or refuse tracking cookies using browser or device settings. The changes are currently being discussed by EU lawmakers looking to simplify GDPR laws and reduce the number of cookie consent banners. Companies that ignore device-level tracking refusals would risk fines of up to €20 million or 4% of their annual turnover under the new rules. (Analysis by Lukasz Olejnik)

Europol data sharing law gets green light: The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) has voted to advance legislation proposed by Europol that will expand data sharing and the use of biometrics across the bloc. (The Record)

CMMC 2 compliance lagging behind: Most US cybersecurity government contractors are lagging behind on compliance with the US government's new Cybersecurity Maturity Model Certification 2.0 framework. Phase 1 of CMMC 2 compliance will be enforced starting Monday, November 10. (Bloomberg Law)

Australia sanctions North Korean hackers: Australia has imposed financial sanctions and travel bans on North Korean hackers. Sanctions were levied on one individual and four entities associated with the DPRK's state-sponsored hacking program. Sanctioned entities include the Kimsuky, Lazarus, and Andariel hacking groups. WannaCry developer Park Jin Hyok and his employer Chosun Expo were also sanctioned.

ICC replaces US software: The International Criminal Court has migrated from Microsoft Office to OpenDesk after the US sanctioned some of its judges. (Handelsblatt, Euractiv)

Austria abandons Microsoft too: The Austrian Armed Forces has abandoned Office for LibreOffice, while the country's ministry of economy has also moved from Microsoft to NextCloud. (It's FOSS)

Singapore to punish scammers with cane beatings: Singapore authorities will punish scammers, recruiters, and money mules with cane beatings. Scammers could receive between 6 and 24 strokes, and money mules up to 12. Lawmakers updated the country's criminal law last week to include physical punishments. The country lost almost $2.85 billion to scams over the past half-decade. (The Straits Times)

Chinese bus fears spread: Last week, an investigation in Norway found that Chinese electric buses contained kill switches and remote access vulnerabilities. Now the same fears are close to sparking official investigations in many other countries, such as Australia, Denmark, the UK, and the Netherlands. (h/t Ravi Nayyar)

Trump ally named NSO boss: Israeli spyware maker the NSO Group has named a new chairman. The company has named David Friedman to the position. Friedman is a former lawyer for Donald Trump and was also appointed ambassador to Israel during Trump's first presidency. Friedman was appointed after a consortium of US investors acquired the company last month. In his new role, Friedman has promised to help lift sanctions and return to the US market. (The Marker, Wall Street Journal, Haaretz)

"David Friedman, Trump's former ambassador to Israel and one of the key architects of the Abraham Accords, has been appointed head of spyware vendor NSO Group."

In this Risky Business sponsor interview, Casey Ellis chats to Toni de la Fuente, founder and CEO of Prowler, an open source platform for cloud security. They chat about how and why Prowler selectively applies AI to ensure it adds value, rather than just because they can.

FBI goes after Archive.is: The FBI has launched a criminal investigation against Archive.is, a popular website archiving toolkit. The agency has requested information about the site's owner from Canadian domain registrar Tucows. The website is often used to bypass paywalls for paid news articles. (404 Media, Archive.is tweet)

"New: The FBI filed a subpoena trying to unmask the person or people behind archive.is / archive.today, which have been running anonymously for 13 yrs. Site was widely used by GamerGate and then to bypass paywalls, but has become kind of core archiving infrastructure."

Samourai Wallet dev gets prison sentence: The co-founder and CEO of cryptocurrency mixing service Samourai Wallet was sentenced to five years in prison. Keonne Rodriguez received the maximum prison sentence for his crimes. Authorities shut down the Samourai Wallet website in April 2024. The service was used to launder more than $237 million in crypto linked to hacks, online fraud, and drug trafficking. Samourai Wallet CTO William Lonergan Hill will be sentenced later this month. (CoinDesk)

Hackers sentenced over gambling site hacks: Singaporean authorities have sentenced three Chinese nationals to prison on hacking-related charges. All three received prison sentences of more than two years and four months. The three hacked into online gambling sites to cheat on games and steal personal data. They are part of a six-man hacker group arrested in September last year. Authorities seized assets worth $40 million from the group.

Pakistani arrested over data breach: A Pakistani man was arrested for allegedly selling the data of millions of citizens online. Anees Ahmed Shah, from the city of Bhakkar, was taken into custody by the country's cybercrime agency last week. Officials claim Shah bought the personal data of Pakistani citizens from black markets and then resold it on dedicated websites. The sites provided access to names, ID card numbers, home addresses, and travel records. (The Express Tribune)

Cambodia raids Bavet scam centers: The Cambodian government has raided two cyber scam compounds in the city of Bavet. More than 650 suspects, mostly foreign nationals, were taken into custody. One scam compound specialized in impersonating government agencies, while the second ran investment scams. (Phnom Penh Post)

"CAMBODIA: More video circulating alleged to show workers escaping a Cambodian scam compound, this time in Bavet."

"CAMBODIA: More clips circulating of Bavet scam compound breakout."

KK Park to be demolished: Myanmar's military junta has started demolishing buildings in the country's largest scam compound. Controlled demolitions began on October 23 at KK Park in the city of Myawaddy. 24 of the park's 250 buildings have been demolished using dynamite by the local border force. (Vietnam.vn, The Irrawaddy)

Judge rules mistrial in MEV hacker case: A New York judge has ruled a mistrial in the case of two brothers who stole $25 million worth of cryptocurrency from crypto-trading bots. The judge sent the jury home after they couldn't reach a verdict. The two brothers, Anton and James Peraire-Bueno, were charged in May 2024. Their defense argued that the brothers used their MIT education to execute a novel but legitimate trading strategy. The DOJ claimed the two exploited vulnerabilities in MEV trading bots and then laundered the extracted funds. (Reuters)

Stalkerware goes down: The number of unique stalkerware products has gone down over the past half-decade. An audit of stalkerware detections on mobile antivirus products found that many stalkerware apps are variations of a small number of products. Unique stalkerware families went down from 20 in 2020 to 17 this year. Detections stayed the same, with a few mobile security products detecting most threats while others were still very far behind.

MEOW attacks decline: Trustwave says the MEOW campaign appears to have subsided. MEOW attacks appeared in 2020, when a mysterious group hacked and deleted data, overwriting indexes with the word "meow" on databases left exposed on the internet without a password.

123456 remains top password: A study of two billion passwords leaked this year reveals that "123456" is still the most widely used password.

Malicious casino spam: Sucuri looks at the rising waves of online gambling and casino spam targeting Asian audiences and hosted on hacked sites, reminiscent of the old pharma campaigns that targeted English-speaking audiences in the past.

Malicious AI agent impersonators: Radware is sounding the alarm that threat actors are actively developing malicious bots that pose as more popular and legitimate AI agents, which they then use for attacks such as website scraping, brute-forcing, form automation, and so on.

New npm malware: Fifty-seven malicious npm packages were discovered and taken down last week. Check out the GitHub security advisory portal for more details.

Ransomware in VS Code extensions: A malicious VS Code extension on the official marketplace tried to deploy ransomware on developer systems. According to Secure Annex, the ransomware appears to have been vibe-coded, hardcoded its encryption key, and appears to have been some sort of joke or experiment.

"Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes, like including decryption tools in the extension. If this makes it into the marketplace through, what impact would anything more sophisticated cause?"

GlassWorm returns: GlassWorm, a worm that spreads using VS Code extensions, has returned on the OpenVSX portal.

Eleven11/RapperBot evolution: The Netscout team has published a short history of the rise and fall of the Eleven11/RapperBot DDoS botnet, up until the arrest of one of its admins.

RondoDox expands exploit arsenal: The RondoDox IoT botnet has apparently expanded its exploit arsenal by 650%, per Belzebub.

Fantasy Hub RAT: Zimperium has identified a new Android RAT named Fantasy Hub that is currently advertised under a MaaS model via ads on hacking forums and Telegram.

Samsung zero-day delivers Landfall spyware: A new commercial-grade Android spyware has been spotted in a campaign targeting the Middle East. The attackers used malicious image files to trigger a Samsung zero-day and install the new Landfall spyware. Samsung patched the zero-day (CVE-2025-21042) in April, but traces of the spyware have been found dating back to July of last year. Security firm Palo Alto Networks has not linked the zero-day to any spyware vendor or state.

In this sponsored product demo, Prowler founder and CEO Toni de la Fuente walks Risky Business host Patrick Gray through the company's open-source cloud security platform. Toni demonstrates how Prowler can identify and remediate security issues across AWS, Azure, GCP, and Kubernetes. There's a pointy-clicky GUI interface and a CLI, and both come in handy in different ways. The Prowler platform is completely free and open source, but there is a hosted version you can pay for if you don't want to run it yourself.

Silent Lynx: Seqrite has spotted the Silent Lynx APT (YoroTrooper, Sturgeon Phisher, Cavalry Werewolf, ShadowSilk) shift its focus to targeting the Azerbaijani government.

APT-C-60 (DarkHotel): The APT-C-60 group, aka DarkHotel, is continuing its attacks on Japan, attacks first spotted in October by the country's CERT. China's Qihoo 360 also looks at the same group.

New Lazarus Comebacker version: ENKI researchers have spotted a new version of Comebacker, a downloader and backdoor previously used by North Korean hacking group Lazarus.

Konni APT wipes victim Android phones: A North Korean APT is breaching targets and wiping its victims' Android phones. The hacks are part of a campaign targeting North Korean human rights activists. Konni operators breach their PCs and spam their KakaoTalk contacts with malware. The attackers then wipe the Android devices via Google Find Hub to prevent victims from receiving KakaoTalk notifications or replies from friends.

Django SQLi: The Django Python framework has patched an SQL injection vulnerability in its database component. The vulnerability (CVE-2025-64459) can be exploited by adding internal query parameters to user input. It can allow attackers to bypass authentication, elevate privileges, and access sensitive data. Django is the Python language's most widely used web framework.

Monsta FTP RCE: watchTowr Labs has published a write-up about a pre-auth RCE it found in Monsta FTP, a web-based file-transfer solution. This is now tracked as CVE-2025-34299.

ASP.NET request smuggling: Praetorian's Siddhant Kalgutkar has published a technical write-up on CVE-2025-55315, an HTTP request smuggling vulnerability in ASP.NET Core's Kestrel server. The bug netted Kalgutkar a $10,000 bounty from Microsoft. The bug was patched last month.

RunC vuln allows container breakout: Three vulnerabilities in Docker's RunC lightweight container runtime can allow threat actors to break out from containers to host systems.

LangGraph RCE: An RCE vulnerability has been discovered and patched in LangChain's LangGraph toolkit for building AI agents.

QNAP security updates: QNAP has released security fixes, including for some of the bugs used at the recent Pwn2Own Dublin hacking contest.

KubeVirt security audit: Quarkslab has completed a security audit of open-source project KubeVirt, a virtual machine management add-on for Kubernetes.

Whisper Leak attack: Microsoft has discovered a new side-channel attack that can leak the topic of AI chatbot discussions. The new Whisper Leak targets the encrypted TLS traffic between AI chatbots and their backend LLMs. In Microsoft's tests, the attack had a 100% precision rate against some LLMs. Microsoft, OpenAI, Mistral, and xAI have deployed protections against Whisper Leak.

Threat/trend reports: Bitsight (PDF), Comparitech, CyFirma, Eclypsium, Google (PDF), and Nagomi Security have recently published reports and summaries covering various threats and infosec industry trends.

New tool: Blade. Security firm CyberCX has open-sourced Blade, a command-line tool written in Go designed to interact with BloodHound CE and Neo4j.

New tool: MADCAT. Security researcher Karl Biron has released MADCAT, a tool that simulates destructive attacks on database systems.

New tool: DonPwner. Security researcher Mor David has open-sourced DonPwner, a tool for safe password spray attacks with built-in delay and jitter mechanisms to avoid account lockouts, automatic removal of successfully authenticated users, and credential analysis against secretsdump files.

New tool: Venom C2. IBM X-Force researcher Bobby Cooke has released Venom C2, a dependency-free Python 3 C&C framework for red-team operations.

New tool: NoMoreStealers. Security researcher EvilBytecode has released NoMoreStealers, a Windows kernel-mode minifilter driver that monitors file system access to protect against information-stealing malware.

New tool: GMSGadget. Security researcher Kévin Gervot has released a project named GMSGadget. The project tracks JavaScript gadgets that can be used to bypass XSS mitigations. The project is similar to other initiatives that track benign tools that can be abused for attacks on Windows (LOLBAS, LOLDrivers, and LOFLCAB), Linux (GTFOBins), macOS (LOOBins), CI/CD pipelines (LOTP), ESXi VMs (LOLESXi), RMM software (LOLRMM), and tunneling technologies (LOLTunnels).

In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about aggressive US cyber operations targeting the Venezuelan government in President Trump's first term. These were narrowly successful in that they achieved their immediate operational goals, but they didn't achieve Trump's broader policy goal of ousting Venezuelan leader Nicolás Maduro.

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss the futility of using aggressive cyber operations to send messages between states.
Risky Business publishes cybersecurity newsletters and podcasts for security professionals