Hacktivists claim cybersabotage of 116 Iranian ships

In other news: Iran calls out China for hacking; six new Paragon customers come to light; North Korea creates new cyber unit.

This newsletter is brought to you by no-code automation platform Tines. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

An anti-regime hacktivist group has claimed credit for a cyberattack that crippled the on-ship communication systems of 116 Iranian ships.

The ships are operated by the National Iranian Tanker Company (50) and the Islamic Republic of Iran Shipping Company (66).

According to Nariman Gharib, a London-based Iranian cyber-espionage investigator, the allegedly affected vessels are these ones.

A group named LabDookhtegan took credit for the sabotage. The attack allegedly targeted the VSAT satellite communication systems of the two companies, where the group wiped data storage devices.

LabDookhtegan claimed the two companies had used their ships to resupply the Houthi rebel group in Yemen, which has been attacking ships passing through the Bab-el-Mandeb strait and disrupting global commerce for the past year.

The group also claimed it received help conducting the attack from government insiders.

For those familiar with the group's history, this is not that much of a stretch of one's imagination.

LabDookhtegan appeared in 2019 and initially leaked hacking tools and malware used by an Iranian espionage group named APT34.

Through tens of subsequent leaks, the group released troves and troves of internal documents from Iranian government agencies. These leaks have helped cybersecurity companies and foreign government agencies map out the Iranian government's structure and dox many of its cyber units and private cyber contractors.

This marks the first time the group has claimed credit for a destructive attack, which is a big change from its regular leak-leak-leak modus operandi.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show with Pat and Adam at the helm.

SpyX hack: A hacker has breached and leaked the data of almost two million users who signed up for the spyware app SpyX and two of its clone services. The leaked data contained emails, IP addresses, country of origin and even some information on surveilled targets. The hack took place in June of last year but only came to light this week, after a researcher shared the data with the Have I Been Pwned service. According to TechCrunch, SpyX is the 25th mobile spyware app to get hacked since 2017.

Baidu denies breach: Chinese search giant Baidu denied suffering a security breach after the daughter of a top executive doxxed internet users following an online argument. Baidu Cloud Vice President Xie Guangjun apologized for the incident on Monday in a WeChat post. He said his teenage daughter obtained the personal data from foreign doxing databases. Additional coverage in Reuters.

Crypto AI bot gets hacked: An attacker used malicious Twitter replies to hack an AI crypto chatbot and steal over 100,000 worth of Ether. Additional coverage in Decrypt.

ChangedFiles impact was very small: A supply chain attack on the ChangedFiles GitHub action impacted just over 600 repositories and leaked secrets from only 218. The number is far below the initial estimate of 23,000. Endor Labs says that even though the action contained malicious code for 18 hours, only a small percentage of the action's users ran the file. The ChangedFiles incident took place last Friday, after an attacker added malicious code to the action that printed a project's credentials and secrets in build logs. According to Wiz, the action was allegedly compromised after a hack of another GitHub action, ReviewDogActionsSetup.

TikTok deal: Oracle has emerged as the main candidate to take over TikTok's US operations. Additional coverage in Politico.

HP adds PQC to printers: HP has released its first printers with support for PQC protections.
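As an added defender-side example (not code from the newsletter or from any project it mentions), the Python script below scans a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA, the control that limits exposure when a shared action is compromised the way the ChangedFiles incident above describes. The workflow text is a constructed sample, the `tj-actions/changed-files` name is assumed to be the action the newsletter calls ChangedFiles, and the 40-character SHA in the sample is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow for demonstration; not taken from any real repository.
# The commit SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - run: npm test
"""

# Matches `uses:` step lines and captures the action spec (owner/repo@ref).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex-character commit SHA is the only immutable ref GitHub Actions offers.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref, line_no) for each `uses:` not pinned to a full commit SHA.

    Tags and branches are mutable: whoever controls the action's repository can
    retarget them, so a compromised action reaches every workflow that trusts the
    tag. Local actions (./path) and docker:// images are outside this check.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref, line_no))
    return findings


if __name__ == "__main__":
    for action, ref, line_no in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<no ref>'} is not pinned to a commit SHA")
```

Run it over every file under `.github/workflows/` to get a list of steps that would follow a retargeted tag without any change on your side.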
Chrome rolls out new Rust-based font loader: Google has rolled out a new Rust-based font loader for Chrome to improve the browser's security. The new Skrifa engine replaced FreeType as the default font renderer in Chrome in February this year. It shipped on Android, Linux and ChromeOS. On Windows and macOS, font rendering is handled by the OS, and Skrifa is used as a backup for unknown fonts. Skrifa is the latest Rust component to ship in Chrome after Google committed in 2023 to slowly transition from Chrome's C++ code to Rust.

EU warns Apple and Google: The European Commission has sent letters to both Apple and Google informing them they are not DMA compliant. Fines may soon follow, since the two companies are now hiding behind an overly anti-EU Trump and the EU seems to be looking for a fight.

US suspends disinformation work: The White House has suspended the work of several US intelligence agencies that were helping EU allies detect and prevent Russian cyber-espionage, disinformation and sabotage attacks. The previous Biden administration set up the working groups last year. According to Reuters, the groups stopped working and scheduling meetings after Trump took office.

US agencies abuse E2EE apps: An AP investigation found that more and more US federal and local agencies are using E2EE-capable apps in an attempt to hide their communications and keep them off public records.

Starlink in the White House: There are more and more reports that connecting Starlink terminals to White House infrastructure is a major national security threat due to the platform's insecurity.

Hong Kong passes cybersecurity bill: The Hong Kong government has passed its first-ever cybersecurity bill. The new law introduces new cybersecurity requirements for critical sector operators, such as reporting incidents to the Security Bureau within 12 hours and filing yearly risk assessments. It also introduces fines of up to 640,000 for any security lapses or failure to maintain cybersecurity standards. Additional coverage in the Hong Kong Free Press. h/t DataBreaches.net

UK sets PQC migration plan: The UK's cybersecurity agency has published a three-phase plan to help organizations migrate to quantum-resistant encryption methods. Companies must identify cryptographic services using old encryption standards and migrate to a PQC alternative by 2035. High-priority and critical services must migrate by 2031.

New Dutch espionage law: The Dutch government passed a new law that criminalizes more forms of espionage, such as digital/cyber and diaspora espionage.

Dutch MPs approve a Dutch cloud: The Dutch Parliament passed several motions this week to create a Dutch-based cloud service, move government systems back into the country and stop using unsafe US infrastructure.

North Korea creates new cyber bureau: North Korea has established a new cyber unit inside its military intelligence agency for developing new offensive hacking technologies. The new Research Center 227 will operate under the Reconnaissance General Bureau, the agency that directs all of the country's foreign hacking operations. Most of the country's APT groups are operated by RGB Bureaus 3, 5, 121 and 325. The center began operations at the start of the month and will allegedly be staffed with around 90 computer experts. Additional coverage in the Daily NK.

In this Risky Business News sponsor interview, Tom Uren talks to Matt Muller, field CISO of Tines. He explains how governments are using carrots and sticks to improve the security of enterprise software. Matt discusses CISA's Secure by Design pledge and the UK NCSC's effort to quantify "unforgivable" bugs.

Capital One hacker to be resentenced: A US appeals court has vacated a sentence handed out to Capital One hacker Paige Thompson. Appeal judges considered the original 2022 sentence of time served and a five-year probation period to be too lenient and an unreasonable departure from recommended sentencing guidelines. The case was sent back to a district court for resentencing. This is the second time in two months that an appeals court has ordered a hacker's case to be resentenced, after the case of BreachForums admin Pompompurin. Additional coverage in Reason.

More Paragon customers uncovered: Citizen Lab researchers have identified at least six other governments that bought access to spyware from Israeli company Paragon Solutions. An analysis of Paragon server infrastructure has found ties to possible customers in Australia, Canada, Cyprus, Denmark, Israel and Singapore. Paragon found itself at the center of a public scandal in late January, when Meta notified around 90 users that they'd been targeted with Paragon's Graphite spyware. Many of those initially infected were Italian activists and journalists. Paragon has since dropped the Italian government as a customer, citing a breach of terms.

State protection for Black Basta admin: A new analysis of the Black Basta leaked internal chats suggests the group's administrator requested and received help from Russian authorities after he was arrested in Armenia last year. Black Basta admin Oleg Nefedov bragged about contacting a high-level Russian official, who then flew to Armenia to secure his release. Security firm Trellix says the Black Basta admin described the procedure as a "green corridor" but did not name the official. Nefedov was arrested in Armenia based on a US arrest warrant in June last year and was mysteriously released after a judge did not extend his detention order, in highly unusual circumstances.

Rise in ServiceNow attacks: Security firm GreyNoise has seen a notable rise of in-the-wild activity targeting ServiceNow servers. The attacks are exploiting three ServiceNow vulnerabilities patched last year. The exploitation wave surged over the past two days, and around 70% of sessions targeted servers in Israel.

Chrome extension market: Security firm SecureAnnex has published a deep dive into the underground market of Chrome extensions, where cybercrime groups buy good extensions and turn them into malware.

Desorden profile: Group-IB has published a profile of the Desorden (AltDos) hacker, which they helped arrest earlier this month.

Dragon RaaS: SentinelOne has published a profile of Dragon RaaS, a pro-Kremlin hacktivist group and ransomware operation that emerged last July as an offshoot of the Stormous group.

New Ox Thief ransomware: FalconFeeds has identified a new ransomware gang going by the name of Ox Thief.

OX THIEF Ransomware Alert

We have identified and begun monitoring a new ransomware group named OX THIEF. They have listed Broker Educational Sales Training as a victim on their dark web portal.

Note: Broker Educational Sales Training previously fell victim to MEDUSA Ransomware.

Babuk2 ransomware: A new threat actor is posing as the old Babuk ransomware gang and attempting to ransom and scam companies with old leaked data.

DollyWay botnet: GoDaddy's security team has discovered a botnet that has compromised over 20,000 WordPress sites. Named DollyWay, the botnet has been active since 2016 and uses the hacked websites to redirect users to online scams and fake browser update pages. The botnet's operators often apply security updates to compromised sites and remove any competing malware. GoDaddy says DollyWay is the larger parent cluster of previously reported groups such as Master134, Fake Browser Updates and CountsTDS.

VanHelsing ransomware: CyFirma researchers have spotted a new ransomware strain named VanHelsing.

Anubis backdoor: G Data has published a technical analysis of Anubis, a new Python-based backdoor linked to FIN7 operations. Also check out the Prodaft report.

Betruger backdoor: Symantec has published a report on Betruger, a new backdoor used by the RansomHub gang. The backdoor is pretty sophisticated and includes support for

Arcane Stealer: Kaspersky researchers have published an analysis of Arcane Stealer, a new infostealer spread via YouTube videos promoting links to video game cracks and cheats.

In this product demo, CEO Eoin Hinchy shows how Tines Workbench can integrate an LLM into security workflows to gather, analyze and act on data from both inside and outside your company. This demo includes grabbing IOCs from an external webpage, comparing them to your company's own incidents, and taking actions like resetting passwords.

Iran stops APT15: Iran's cybersecurity agency AFTA said it detected and stopped an attack from Chinese cyber-espionage group APT15. The group allegedly gained access to critical infrastructure and government networks. This marks the first time the Iranian government has called out China for its espionage operations.

UAT-5918 targets Taiwan: A newly
discovered cyber-espionage group, UAT-5918, is targeting Taiwan and aiming to establish long-term persistent access to local networks. Cisco Talos says the activity of this group overlaps with four different Chinese APTs: Volt Typhoon, Flax Typhoon, Earth Estries and Dalbi.

Zhou Shuai profile: Natto Thoughts has published a profile on Zhou Shuai, one of China's oldest hacktivists, known as Coldface, now turned government hacker. The US indicted and sanctioned Zhou earlier this month for his and his company's ties to a cyber-espionage group known as APT27.

NTLM hash leak bug: Security researcher 0x6rss has published details and a PoC for CVE-2025-24071, an NTLM hash leak vulnerability that Microsoft patched this month.

Azure App Proxy leak: TrustedSec researchers have found a bug in the Azure App Proxy that may accidentally expose private networks to internet access.

Veeam RCE: Software company Veeam has fixed a remote code execution vulnerability in its widely used Backup & Replication server. The vulnerability, CVE-2025-23120, has a severity score of 9.9/10 and can allow users from the same network domain (authenticated) to run malicious code on the server. According to watchTowr Labs, the vulnerability exploited and bypassed the app's deserialization blacklist to run a deserialization attack.

Jenkins update: The Jenkins project has released a security update to fix three vulnerabilities in major plugins.

WP Ghost vulnerability: Patchstack researchers have found an LFI vulnerability in WP Ghost, a WordPress plugin installed on over 200,000 sites.

Apple Passwords app was vulnerable to phishing: Mysk researchers have found a phishing vector in Apple's Passwords app. The issue was patched, but Apple declined to pay for the bug report, which is becoming a regular occurrence at the company these days.

Threat/trend reports: CyFirma, Europol, NCC Group and Positive Technologies have recently published reports and summaries covering various infosec trends and industry threats.

New tool, WEBCAT: The SecureDrop project has open-sourced WEBCAT, a project to sign and verify websites before they load.

Tom Uren and Patrick Gray discuss how China's Ministry of State Security is increasingly doxxing and threatening Taiwanese APT operators. In some ways this mirrors the US strategy of naming and shaming Chinese cyber operators in indictments that contain lots of supporting information. But although MSS statements are filled with propaganda rather than technical detail, naming Taiwanese military hackers has some bite.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how offensive cyber operations could do so much more than just deny, disrupt, degrade and destroy. Grugq thinks this thinking is rooted in US military culture, and he wonders why cyber operations are always so mean.
