US removes Sandvine from sanctions list after pinky promise
In other news: Sophos spied on two Chinese exploit development centers; Vodafone fined for insecure wiretapping system; supply chain attack targets crypto-wallet users.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via its RSS feed, also available on Apple Podcasts.

The US Department of Commerce has removed surveillance gear maker Sandvine from its list of sanctioned entities after the company put out a public statement and promised to exit autocratic countries.

The Canadian company said it had stopped operating in 32 countries already and was planning to exit another 24 by April next year.

Sandvine also changed its CEO, created a Human Rights Subcommittee, and promised to dedicate 1% of its profits to protecting internet freedom and digital rights.

The company's sudden exit from the dark side came almost eight months after it was sanctioned by the US government in February.

The US Commerce Department added Sandvine to its Entity List for providing internet mass surveillance technology to oppressive regimes.

While Commerce officials didn't name the customer, the company is known for providing internet surveillance and censorship equipment to Egypt, Belarus, Eritrea, the UAE, Uzbekistan, and many other lovely places.

Sandvine's removal from the sanctions list may hint at more similar actions. Israeli spyware vendor NSO Group has been heavily lobbying to get itself off the list for more than a year.

The company is the first surveillance vendor to be removed from the list.

The pardon didn't land well with spyware investigators and some government officials. This week, Sen. Ron Wyden asked the Commerce Department to strengthen its export controls to block surveillance software from more countries with known human rights abuses (up from the 23 today).

"I can see there are Sandvine installations operating in a number of very problematic countries, and probably will be for a while," said Citizen Lab Director Ron Deibert.

Lottie Player supply-chain attack: A threat actor has compromised the Lottie open-source video player and added malicious code to target cryptocurrency users. The incident took place this week, when websites using the Lottie player suddenly started prompting users to connect their crypto wallets. Users who connected their wallets reported losing funds. DevSecOps company Sonatype linked the pop-ups to new Lottie player updates released on Wednesday, after eight months of inactivity. It's unclear how much was stolen, but one user alone reported losing over $700,000 worth of Bitcoin.

DHL tracking system hack: A cyberattack has disrupted a package tracking tool used by German logistics giant DHL. DHL has confirmed the incident and says it's working with the tracking tool's developer to restore systems. According to a report from Better Retailing, the tool was developed by British company Microlise.

Interbank security breach: Peru's fourth-largest bank has confirmed that a threat actor managed to steal data on some of its customers from a third-party company. The admission comes after Interbank suffered a technical glitch earlier this week and after its customer data was flaunted on hacking forums shortly afterwards. The bank is believed to have between 2 and 3 million customers. Additional coverage in Infobae America.

Colorado election system password leaks: The Colorado Department of State has accidentally posted a document online that contained the partial passwords for the state's voting machines. Officials have since removed the document and changed passwords. They also notified CISA and said the incident won't affect next week's election. Additional coverage in StateScoop.

PRC's Canada hacks: Canada's cybersecurity agency says that Chinese hacking groups have breached at least 20 government networks over the past four years. Officials described the threat of Chinese hacking as "second to none," targeting multiple fronts such as intelligence collection, IP theft, and malign influence operations. The agency also warned that China and other foreign states are pre-positioning for future disruptive or destructive cyber operations against both Canada and its allies. The statement echoes the messages that have been coming out of the US over the past year.

Vodafone fined for insecure wiretapping system: The Dutch government has fined Vodafone €2.25 million ($2.45 million) for failing to secure its phone wiretapping system. The company failed to screen staff, failed to have staff sign confidentiality agreements, and failed to implement logical and physical security systems. The fine follows an investigation that started in 2021 and is not related to China's hack of US telco wiretapping systems.

Entra enforces MFA: Microsoft has announced that all new Entra accounts must enable an MFA solution the first time a user logs into their profile. The new rule removes a two-week grace period during which new accounts were allowed to log in using just a password.

Twitter's right-wing lean: A WaPo investigation has found that tweets from Republicans go viral on a regular basis since Musk acquired the company, while content from Democrats has plummeted in visibility by an order of billions of views. A similar NBC News report found the same thing: that Twitter now seems to favor and revolve around a small number of right-wing disinfo accounts, while legitimate sources of information can barely get any views. WaPo and NBC may not have the balls to say it, but Twitter is just mostly troll farm accounts these days. It only takes a few minutes of doom scrolling to figure it out. This explains the sudden skew in what goes viral and why there's at least one Hitler- or fascist-related topic trending on the platform almost daily. The site is easily manipulated because it lost heaps of users who went on to greener and non-toxic platforms. Twitter is in such a low place that even Truth Social is now worth more.

Right-wing database: Politico has discovered a company named L2 Data claiming to sell a database with the names of Americans who support right-wing militias, QAnon conspiracy theories, and the January 6 insurrection. Experts believe the database represents a national security risk, as it could help local or foreign adversaries recruit extremists for violent and other types of attacks.

Meta's ad policing failures: While Meta is blocking phrases like "Hitler is bad" on Threads, the company is raking in millions from deceptive political ads. Additional coverage in ProPublica.

US warns of Iran election meddling: US officials expect Iranian threat actor groups to contact Americans directly on election day to sow disinformation, divide society, and even incite violent unrest. Additional coverage in NBC.

FBI conducted 30 ransomware disruptions: The FBI has disrupted ransomware infrastructure more than 30 times this year, an official revealed this week. Deputy Assistant Director of the FBI's cyber division Cynthia Kaiser says some of the disruptions caused some gangs to stop targeting US infrastructure. Kaiser says that in many cases detaining suspects is not possible because they operate out of safe harbor countries like Russia. Additional coverage in CyberScoop.

Tajikistan bans violent video games: The government of Tajikistan has banned violent video games such as GTA and Counter-Strike. Local police are now warning internet cafes and public gaming halls to remove such games.

Predatorgate cover-up: Greek news site Inside Story claims to have found that Greek prosecutors ignored crucial evidence and witnesses in the country's investigation of the current government's use of the Predator spyware.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about a new attempt to measure cyber power: the International Institute for Strategic Studies' Cyber Power Matrix.

Disney employee hacked menu system: US authorities have charged a fired Disney employee for allegedly hacking the company's menu creation software. Michael Scheuer is accused of removing information on whether foods contained peanuts from menus for Walt Disney World's restaurants. He also allegedly added profanity to some menus and even changed all fonts to Wingdings. The menu defacements were spotted days after the menus were printed but before they were shipped to restaurants. Additional coverage in CourtWatch.

Scam compound traffickers plead guilty: Two Chinese nationals have pleaded guilty to trafficking Hong Kong citizens into cyber scam compounds. Officials say the duo sent three individuals to a scam compound in Thailand and two to KK Park, an infamous Myanmar scam center. The two were detained after victims paid ransoms or were freed by police. Additional coverage in SCMP.

Scam compound traffickers sent to trial: Ugandan prosecutors have charged three suspects with aggravated human trafficking for sending 25 locals into Myanmar cyber scam compounds. Officials say the three are part of a larger network that recruits Ugandans for foreign employment under false pretenses. Victims are sent to Myanmar, where they are forced to work in call centers specialized in internet scams. Two of the suspects are elected councilors in Ugandan local governments. Additional coverage in The Kampala Report.

Chrome extension turns malicious: A popular Google Chrome extension with more than 100,000 installs has now turned malicious. The "Hide YouTube Shorts" extension is performing affiliate fraud and collecting the browsing history of all its users. Security researchers say the extension appears to have turned malicious after it was transferred to a new developer.

SYS01 malvertising: Bitdefender has spotted a malvertising campaign targeting owners of Meta Business Pages with the SYS01 infostealer.

UA tax-themed phishing: CERT-UA has published details about a tax-themed phishing campaign targeting accountants at Ukrainian enterprises.

The good ol' copyright infringement tactic: Cisco Talos says it is seeing a new wave of fake copyright infringement emails luring people to malware. Never gets old.

Malicious PyPI packages: Checkmarx has discovered yet another campaign using malicious PyPI packages to target the cryptocurrency space.

Author typosquatting: Besides domain name and package typosquatting, we now have "author typosquatting," where threat actors register profiles similar to those of well-known and trusted developers.

Lunar Spider ops: EclecticIQ has linked a malvertising campaign deploying the Latrodectus downloader to a known Russian cybercrime group tracked as Lunar Spider. The group is suspected of having developed both IcedID and Latrodectus.

Xiū Gǒu (Doggo) phishing kit: A new phishing kit is seeing widespread adoption and has already been spotted on over 2,000 phishing pages. According to Netcraft, the new Xiū Gǒu (Doggo) phishing kit appears to be the work of a Chinese-speaking developer. So far, the kit has been used for phishing credentials for government portals, postal services, and online banking portals. Xiū Gǒu collects all stolen data on Telegram channels and doesn't seem to support MFA bypassing.

EMERALDWHALE Git scan campaign: A threat actor has stolen more than 15,000 cloud service credentials by scanning the internet for misconfigured Git repositories that leaked their configuration files. The scanning operation was discovered by cloud security firm Sysdig, which found the stolen credentials on one of the attacker's servers. Sysdig says the scanning operation ran between August and September and also targeted websites that exposed Laravel environment files. The company named this threat actor EMERALDWHALE.

Phish n' Ships: A Chinese-speaking group has stolen tens of millions of dollars over the past five years using a network of fake online stores. According to Human Security, the Phish n' Ships group has hacked more than 1,000 websites to promote and legitimize its fake stores. Victims were lured to the sites, made payments for nonexistent goods, and also had their financial data collected by the group.

PSAUX ransomware attacks: A threat actor is exploiting a vulnerability in the CyberPanel web hosting system to gain root access to servers and deploy the PSAUX ransomware. The attacks began two days after a security researcher published details about an unpatched remote code execution vulnerability in the software. While CyberPanel has since released a patch, attacks are still ongoing. Security firm LeakIX has also published a free decrypter to help companies recover locked data.

BugSleep: Cisco Talos has published a deep dive into the C2 protocol used by BugSleep, a new implant used by the MuddyWater APT.

Titan cryptominer: Trend Micro looks at a pretty novel cryptomining operation that targets Atlassian Confluence servers with a miner for the Titan blockchain.

RedLine: Security researcher Anurag has published an analysis of the RedLine infostealer, whose operation was disrupted earlier this week by law enforcement.

PySilon: AhnLab has published a report on PySilon, an open-source Python-based RAT that relies on Discord to collect stolen data.

CraxsRAT: F.A.C.C.T. looks at CraxsRAT, an Android RAT used in attacks against Russian government organizations this year.

FakeCall: Mobile security firm Zimperium has published a report on the evolution of the FakeCall Android malware and its latest features.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show, with Pat and Adam at the helm.

US efforts to hack Venezuela: A WIRED article looks at the Trump administration's efforts to push the Maduro regime out of Venezuela, including its efforts on the cyber front.

DPRK's love for macOS: Trellix researchers look at how North Korean groups have increasingly adopted macOS malware as the platform's popularity grew among enterprise users.

DPRK APT deploys ransomware: A North Korean cyber-espionage group known as Andariel (Jumpy Pisces) has been seen collaborating with a ransomware gang. Security firm Palo Alto Networks says Andariel is now deploying the Play ransomware as part of its attacks. The first known Andariel and Play attacks date back to the start of September. This marks the second time the group has deployed ransomware in attacks. It previously developed and used its own ransomware strain, named Maui. The group appears to have switched to Play after the US charged some of its members in July for the Maui attacks.

Hoopoe Platform: Alethea looks at the third incarnation of the Hoopoe Iranian influence operation.

Emennet Pasargad rebrands: The FBI says that an Iranian threat actor known as Cotton Sandstorm (Marnanbridge, Haywire Kitten) has rebranded the name of its front company in what appears to be an effort to hide from US authorities. The group now operates from behind a company named Aria Sepehr Ayandehsazan (ASA) [PDF]. It previously operated under a company named Emennet Pasargad [PDF]. The company was sanctioned by the US Treasury for interfering in the US 2020 presidential election. The FBI says that since rebranding, Cotton Sandstorm has run operations targeting the Olympics and the Israeli-Palestinian conflict using a myriad of cover personas.

Midnight Blizzard new RDP config technique: Microsoft says that a notorious Russian cyber-espionage group is using a clever new technique to compromise victims and deploy malware on their systems. The technique involves sending malicious RDP configuration files to victims via email. If executed, the files connect a victim's PC to a remote RDP server. The connection allows the Russian group to steal data and deploy malware on the compromised device. Microsoft has attributed the operation to Midnight Blizzard, a cyber unit inside Russia's SVR Foreign Intelligence Service. The group has used the new technique since October 22 and has targeted individuals in government, academia, defense, and NGOs across the US and Europe. This is the same campaign also spotted by AWS and CERT-UA.

The Chengdu Sophos exploit farm: A university and a private company from the Chinese city of Chengdu have spent years developing exploits for Sophos firewalls that were later used by multiple Chinese state-sponsored APT groups. UK security firm Sophos has linked the two exploit development centers to the University of Electronic Science and Technology of China and the Sichuan Silence Information Technology firm. The security firm says it discovered the exploit development centers after it developed its own surveillance implant to spy on and capture exploits as they were being tested on its devices at the two locations. Sophos says exploits developed by these two centers have been used over the past half-decade by groups such as Volt Typhoon, APT31, and APT41 (Winnti). In some cases, Sophos says, the exploit centers reported the vulnerabilities via its bug bounty program days after they were used in the wild.

SharePoint exploitation: Rapid7 has published more details on the attacks targeting Microsoft SharePoint servers that are abusing a vulnerability tracked as CVE-2024-38094. The bug was patched in July but entered active exploitation in mid-October. Rapid7 says the attack went undetected because the attacker installed a version of the Chinese antivirus software Huorong that caused the victim's antivirus to crash.

Xlight exposure: More than 3,500 Xlight FTP servers are currently exposed on the internet and may be vulnerable to a recently disclosed pre-auth remote code execution bug. Patches are available.

Splunk security updates: Cisco has patched two security flaws in its Splunk SIEM product.

qBittorrent vulnerability: Sharp Security has published details about a 14-year-old RCE vulnerability in the qBittorrent client.

Ollama vulnerabilities: Oligo researchers have found six new security flaws in the Ollama open-source LLM framework.

Portainer vulnerabilities: CyberArk researchers have found two vulnerabilities in Portainer, an open-source tool for managing Kubernetes and Docker environments.

Keycloak security audit: HN Security has published the findings of a security audit of the Keycloak authentication system.

Opera Private API access: Guardio Security has found a vulnerability in the Opera web browser that can allow extensions access to the browser's Private APIs. These are APIs used for the browser's native features, like its crypto-wallet, VPN, Pinboard, and other features. The exploit code is benign in other Chromium browsers. This allows threat actors to create and host malicious extensions on the official Chrome Web Store designed to attack Opera users only. Opera deployed fixes at the end of September, but users remain vulnerable to some narrow attack scenarios.

New tool, SAIF Risk Assessment: Google has released an interactive tool named the SAIF Risk Assessment.

New tool, Graviola: Cryptographer Joe Birr-Pixton has released Graviola, a collection of high-quality, fast, and easy cryptography for Rust.

New tool, Whispr: Cloud engineer N3N has released Whispr, a CLI tool to inject secrets from a secret vault (e.g. AWS Secrets Manager, Azure Key Vault, etc.) into an app's local environment.

New tool, LOLRMM: A team of security researchers has launched a new project named LOLRMM. The project tracks a list of Remote Monitoring and Management (RMM) apps that could be abused by threat actors to bypass security solutions on compromised environments. The project is similar to other initiatives that track benign tools that can be abused for attacks on Windows (LOLBAS, LOLDrivers, and LOFLCAB), Linux (GTFOBins), macOS (LOOBins), CI/CD pipelines (LOTP), and ESXi VMs (LOLESXi).

Threat/trend reports: Au10tix and SonicWall have recently published reports and summaries covering various infosec trends and industry threats.

Transparency.dev 2024 videos: Talks from Google's Transparency.dev 2024 conference, which took place at the start of October, are now available on YouTube.

In this podcast, Tom Uren and Patrick Gray talk about the evolving relationship between Russian intelligence services and the country's cybercriminals. The GRU's sabotage unit, for example, has been recruiting crooks to build a destructive cyber capability. Tom suspects that GRU thugs are not so good at hands-on-keyboard operations but excellent at coercing weedy cybercriminals to hack for the state.
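The EMERALDWHALE item above describes attackers harvesting credentials from web roots that serve their ".git/config" or Laravel ".env" files. What follows is an added example, not Sysdig's tooling or anything from the newsletter: a small Python self-audit that fetches those two paths from a site you operate, decides whether what comes back is really the file (rather than a soft-404 HTML page), and reports which entries carry credentials while keeping the secret values out of its output. The sample file bodies, the hostnames in them, and the list of key-name hints that count as credential-bearing are constructed assumptions for the example.

```python
"""
Self-audit helper for the exposure EMERALDWHALE abused: a web root serving its
/.git/config or /.env file. Added example, not Sysdig's tooling or the
newsletter's code. Given a response body, it decides whether the body really is
one of those files (not a soft-404 HTML page) and reports which entries carry
credentials, without ever returning the secret values themselves.
"""
import re
from typing import Optional
from urllib.parse import urlsplit
import urllib.request

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")
# Substrings that mark a .env key as credential-bearing (assumed default set).
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASS")


def parse_git_config(body: str) -> dict:
    """Parse git's INI-like config into {section: {key: value}}; {} if no [core]."""
    sections, current = {}, None
    for line in body.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections if "core" in sections else {}


def parse_dotenv(body: str) -> dict:
    """Parse KEY=VALUE lines of a dotenv file, dropping quotes and comments."""
    entries = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).strip("\"'")
    return entries


def credentialed_remotes(config: dict) -> list:
    """Names of remotes whose URL embeds userinfo (user:token@host)."""
    found = []
    for section, keys in config.items():
        if section.startswith("remote ") and "url" in keys:
            if urlsplit(keys["url"]).username:
                found.append(section.split('"')[1] if '"' in section else section)
    return found


def secret_keys(entries: dict) -> list:
    """Keys of a dotenv file that look credential-bearing and are non-empty."""
    return [k for k, v in entries.items()
            if v and v.lower() != "null" and any(h in k.upper() for h in SECRET_HINTS)]


def classify_exposure(path: str, body: str) -> Optional[dict]:
    """Return a finding for a body served at path, or None if it is not the real file."""
    if body.lstrip()[:1] == "<":  # soft-404 / HTML error page, not the file
        return None
    if path.endswith("/.git/config"):
        config = parse_git_config(body)
        if config:
            return {"kind": "git-config", "path": path,
                    "credentialed_remotes": credentialed_remotes(config)}
    if path.endswith("/.env"):
        entries = parse_dotenv(body)
        if entries:
            return {"kind": "dotenv", "path": path, "secret_keys": secret_keys(entries)}
    return None


def audit_site(base_url: str, timeout: float = 5.0) -> list:
    """Fetch the two paths from a site you operate and classify what comes back."""
    findings = []
    for path in ("/.git/config", "/.env"):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
        except Exception:  # 404, connection error: nothing served at that path
            continue
        finding = classify_exposure(path, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample bodies (not real repositories, hosts or keys).
GIT_CONFIG_SAMPLE = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:EXAMPLE_TOKEN_NOT_REAL@git.example.com/acme/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""
ENV_SAMPLE = """APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:EXAMPLEKEYNOTREAL=
DB_HOST=127.0.0.1
DB_PASSWORD="example-not-real"
AWS_ACCESS_KEY_ID=AKIAEXAMPLENOTREAL
AWS_SECRET_ACCESS_KEY=examplesecretnotreal
MAIL_FROM_ADDRESS=null
"""
SOFT_404_SAMPLE = "<!doctype html><html><body><h1>Not Found</h1></body></html>"

if __name__ == "__main__":
    for path, body in (("/.git/config", GIT_CONFIG_SAMPLE),
                       ("/.env", ENV_SAMPLE), ("/.env", SOFT_404_SAMPLE)):
        print(path, "->", classify_exposure(path, body))
```

Point audit_site at a site you own (for example "https://www.example.com") to run the live check; the findings name only the remote or the key that leaks, never the credential, so the output is safe to paste into a ticket. A site that returns an HTML page for these paths is treated as not exposed, which is why the body is classified rather than just checking for a 200 status.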
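The Midnight Blizzard item above describes malicious RDP configuration files sent as email attachments that connect the victim's PC to a server the attacker controls. As an added example (not Microsoft's detection logic or anything from the newsletter), here is a Python inspector a mail gateway or an analyst could run over an .rdp attachment: it parses the file's name:type:value lines, extracts the target host, and flags files that point outside an assumed allowlist while enabling redirection of local drives, devices, clipboard or smart cards to the remote side. The setting names are the standard Remote Desktop client ones; the allowlist, the two sample files and the verdict rule are assumptions made for the example.

```python
"""
Inspector for .rdp files arriving as email attachments, the lure type described
in the Midnight Blizzard item. Added example, not Microsoft's guidance or
detection logic. Parses the key:type:value format and flags files that target
a host outside an allowlist while redirecting local resources to that host.
TRUSTED_SUFFIXES, the samples and the verdict rule are assumptions.
"""
import re

# Redirection settings that give the remote host access to local resources.
REDIRECT_FLAGS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectposdevices": "POS devices",
}
# Domain suffixes a legitimate internal .rdp file may point at (assumed allowlist).
TRUSTED_SUFFIXES = (".corp.example.com",)

LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: value}; i-typed values become int."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, kind, value = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings


def target_host(settings: dict) -> str:
    """Hostname from 'full address' (port stripped, IPv6 brackets handled)."""
    address = str(settings.get("full address", ""))
    if address.startswith("["):
        return address.split("]")[0].lstrip("[")
    return address.split(":")[0].lower()


def redirection_enabled(settings: dict) -> list:
    """Human-readable list of local resources the file would expose to the server."""
    exposed = []
    for key, label in REDIRECT_FLAGS.items():
        value = settings.get(key)
        if value in (1, "*") or (isinstance(value, str) and value not in ("", "0")):
            exposed.append(label)
    return exposed


def assess_rdp(text: str) -> dict:
    """Return the target host, a suspicious verdict and the reasons for one .rdp body."""
    settings = parse_rdp(text)
    host = target_host(settings)
    reasons = []
    if not host:
        reasons.append("no 'full address' target")
    elif not host.endswith(TRUSTED_SUFFIXES):
        reasons.append(f"target host {host!r} is outside the trusted allowlist")
    exposed = redirection_enabled(settings)
    if exposed:
        reasons.append("redirects local resources to the server: " + ", ".join(exposed))
    if settings.get("remoteapplicationmode") == 1:
        reasons.append("RemoteApp mode launches a program chosen by the server")
    if settings.get("authentication level") == 0:
        reasons.append("server identity is not verified (authentication level 0)")
    # Verdict rule (assumed): untrusted target plus resource redirection.
    suspicious = bool(exposed) and (not host or not host.endswith(TRUSTED_SUFFIXES))
    return {"host": host, "suspicious": suspicious, "reasons": reasons}


# Constructed sample files; the hosts are placeholders, not real infrastructure.
SUSPICIOUS_RDP = """screen mode id:i:2
full address:s:remote.untrusted-host.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
remoteapplicationmode:i:1
authentication level:i:0
prompt for credentials:i:0
"""
BENIGN_RDP = """screen mode id:i:2
full address:s:ts01.corp.example.com
redirectclipboard:i:0
drivestoredirect:s:
authentication level:i:2
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(name, "->", assess_rdp(body))
```

The reasons list is kept even when the verdict is not suspicious, so a file that points at an allowed host but still redirects every drive shows up in the gateway log for review rather than being silently passed.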
Risky Business publishes cybersecurity newsletters and podcasts for security professionals.