Today is the 3rd of May and this podcast episode is brought to you by Socket Security. Socket makes a security platform for developers that protects their software from vulnerable and malicious open source dependencies. Find them at socket.dev. In today's top story, Black Lotus Labs has discovered a new malware strain that infects routers to intercept and extract credentials from internet traffic.
The new malware is named Cuttlefish and activates when it detects URLs that reference passwords, keys, tokens and other authentication-related items. It also steals access to cloud services such as AWS, DigitalOcean, Cloudflare and others. Cuttlefish infections have been seen as far back as July on both SOHO and enterprise routers. 99% of the infections were in Turkey and all victims operated in the telecommunications sector.
In other news, Dropbox says that hackers accessed its IT infrastructure and stole the data of some of its users. The incident impacted only Dropbox Sign, a Dropbox service for sharing and digitally signing documents. The threat actors stole usernames, email addresses and even hashed passwords.
API keys and OAuth tokens were also exposed for some users. Dropbox says it discovered the breach last week and found no evidence that hackers accessed customers' documents stored in the platform. The FBI has halved its searches in the FISA 702 surveillance program database.
In its annual transparency report, the Office of the Director of National Intelligence says the FBI conducted over 57,000 searches last year, compared to almost 120,000 the previous year. The FBI attributed the drop in the number of searches to new internal procedures. Congress previously delayed the Section 702 renewal for months, citing the FBI's broad searches of the FISA database.
The White House has overhauled the hiring process for government cyber roles. Officials have encouraged federal agencies to hire IT staff based on their skills and removed requirements for years of experience and degrees. National Cyber Director Harry Coker Jr. hopes that relaxing hiring requirements will help the government hire experts in crucial tech roles that are unfilled because of stringent hiring requirements.
The government currently has nearly 100,000 open tech jobs. The changes will also apply to contractor positions.
Ukrainian President Zelensky has formally dismissed Illia Vitiuk, the former head of the SBU's cyber division. The SBU suspended Vitiuk and reassigned him to a unit on the front line last month while they conducted an anti-corruption investigation. Vitiuk was suspended after a news outlet discovered that he and his wife bought expensive real estate despite not having the financial means to do so. Reporters also claimed they were harassed by SBU staff after publishing their article.
The US has sentenced a Ukrainian national to 13 years and 7 months in prison for his role in the Kaseya ransomware incident. Yaroslav Vasinskyi was a member of the REvil ransomware group, where he operated under the name of Rabotnik. In July 2021, Vasinskyi exploited a vulnerability in the Kaseya VSA software to breach more than 50 MSPs and deploy ransomware to their customer networks.
Officials say Vasinskyi was responsible for more than 2,500 ransomware attacks across the globe and tried to extort over $700 million from victims. Vasinskyi was arrested four months later while travelling to Poland. He received the biggest sentence for a ransomware attack to date. He was also ordered to pay over $16 million in restitution.
Australian police arrested a Sydney man over an alleged data breach of an IT provider, Outabox. Officials believe the man created a website that allowed anyone to search through Outabox data. The website claimed to contain data about more than a million users, including personal details, driver's licence scans, signatures and facial recognition data. Police have charged the 46-year-old suspect with blackmail.
The FBI has arrested a cybersecurity consultant for allegedly trying to extort an IT company for $1.5 million. Officials claim that Vincent Kennedy from El Dorado Springs, Missouri, threatened to publish sensitive and proprietary files unless the company paid him.
Kennedy allegedly took the files while contracting for the victim company a year before. Prosecutors say the suspect allegedly tried to disguise the extortion as discrimination and emotional distress claims.
Microsoft is rolling out passkey support for all the company's consumer accounts. Users will be able to generate a passkey and use it to log into their operating systems and Microsoft Online services. The company is expanding passkey support after first launching it for Windows 11 last year. Passkeys have been described as a replacement for passwords. Microsoft made the announcement on World Password Day.
The NSA, the FBI and the State Department have urged US organisations to secure email servers with correct DMARC policies to prevent abuse by North Korean hackers. The three agencies say North Korean APTs have exploited misconfigured DMARC policies to spoof official domains as part of their social engineering operations. The group that uses this tactic is Kimsuky, also known as APT43 and Velvet Chollima.
Russian state-sponsored hackers have continued to use the MooBot botnet even after US authorities took down part of it in February. Security firm Trend Micro says the takedown only affected the part of MooBot made up of Ubiquiti Edge routers.
The group has continued to use the remaining parts of the botnet, which comprises infected Raspberry Pi devices and data centre servers. The botnet is currently estimated to be around 350 devices. Trend Micro says some of these systems were used during spear-phishing operations in Ukraine.
A threat actor has stolen $1.9 million worth of crypto assets from DeFi platform Pike Finance. The attacker first stole $300,000 on April 26 and then another $1.6 million four days later. Pike said both attacks exploited the same vulnerability in one of the platform's smart contracts. The company is now offering a bounty of 20% for the return of the stolen funds.
And finally, roughly one third of the 10,000 data breaches last year involved ransomware or some other extortion, according to Verizon's yearly report. Almost 14% of all breaches were linked to the exploitation of vulnerabilities, a three-fold increase on the previous year. MOVEit-related breaches accounted for most of these incidents.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Socket Security. Find them at socket.dev. Thanks for your company.