The US government sanctions Russian disinformation peddlers in Latin America. The White House announces a water sector cyber security task force. Russian hackers are suspected of wiping four Ukrainian telcos. And Glassdoor starts doxing its users. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird.
Today is the 22nd of March, and this podcast episode is brought to you by Kroll. Find them at kroll.com slash cyber. In today's top story, the US government has sanctioned two Russian nationals and their companies for running disinformation campaigns across Latin America. The US Treasury levied sanctions on Ilya Andreevich Gambashidze and his company Social Design Agency, and on Nikolai Alexandrovich Tupikin and his company Structura.
US officials said the two companies ran more than 60 websites that impersonated legitimate news organisations. The sites published anti-US and pro-Russian propaganda and disinformation. The State Department says articles were written in Russian, translated to Spanish or Portuguese and then sent for promotion. The companies would publish the articles on their sites or plant stories with local news outlets and social media influencers.
The State Department describes Structura and Social Design Agency as influence-for-hire companies. In other news, the White House and the Environmental Protection Agency will set up a cybersecurity task force for the US water sector. Officials announced their plan in a letter sent to US governors this week. The letter warned state authorities about a rise in cyberattacks against water utilities across the US.
The White House and the EPA specifically mentioned Chinese group Volt Typhoon as a major threat to US water infrastructure. China's state security agency has urged local companies to improve their cyber security defences. The Ministry of State Security says foreign spy agencies have infiltrated hundreds of local businesses and government departments. The agency published the message a day after the US warned about Volt Typhoon.
Russia's planned GitHub clone has been postponed indefinitely due to lack of funding. The platform was announced at the end of 2022 and was scheduled to go live in April this year. The site was part of the Kremlin's effort to create national clones of popular US services. The government promised to invest over a billion rubles, around $14 million, in the project. According to a Vedomosti report, the two IT companies selected to build the platform never received any of the funds.
Security researchers believe Russian hackers have deployed a new version of the wiper used in the 2022 Viasat attack against multiple Ukrainian telcos. Ukraine has not confirmed the incidents, but at least four telco providers have been offline since March 13. SentinelOne says it discovered a new version of the AcidRain wiper around the same time as the outages. The company named this new version AcidPour and said it can target Linux x86 systems.
A hacking group named Solntsepek took credit for the attack, but SentinelOne linked the malware to Russia's Sandworm APT.
A Chinese hacker is exploiting a vulnerability in F5 BIG-IP devices to gain initial access to corporate and government networks. Google's Mandiant division has linked the attacks to UNC5174. Mandiant says UNC5174 is a former hacktivist known as Uteus, who now appears to work as a contractor for China's Ministry of State Security.
Besides attacks on F5 devices, UNC5174 has also been exploiting the recent vulnerability in ConnectWise ScreenConnect. Security firm KoreLogic has published details and proof-of-concept code for a major vulnerability in Artica Proxy appliances.
KoreLogic described the vulnerability as a pre-auth PHP deserialization attack. It allows threat actors to run malicious code via the appliance's admin web interface. The vendor has not replied to KoreLogic's bug report and the vulnerability is still unpatched. Artica claims on its website that it has sold more than 100,000 appliances, although it's unclear how many of these are its proxy product.
Japanese IT giant Fujitsu left an AWS storage bucket with a trove of sensitive data exposed on the internet for almost a year. The bucket contained full mailbox backups, customer data and a CSV file of passwords exported from the password manager LastPass. This embarrassment is separate from last week's announcement that the company had found malware on its internal network.
Ukraine's cyber police have detained three suspects accused of hacking and selling access to email and Instagram accounts. The group used brute-force attacks to gain access to more than 100 million accounts. The suspects were detained in Ukraine's Kharkiv region. They face up to 15 years in prison. Officials are also investigating whether the group's members cooperated with Russian agents, after some of the hacked accounts were used in Russian cyber attacks.
Dutch authorities have charged a Russian national with money laundering for his role in developing the Tornado Cash platform. Alexey Pertsev was arrested in August 2022, days after the US sanctioned the Tornado Cash platform. He's the third suspect to have been charged for their role in developing the platform. Two Tornado Cash co-founders were charged in the US in August 2023. Officials claim Pertsev and his co-conspirators helped launder more than $1.2 billion worth of cryptocurrency.
German authorities have seized servers hosting the Nemesis dark web marketplace. The market launched in 2021 and had more than 150,000 registered users. It was primarily known for the sale of illegal drugs.
Three ransomware groups are using recent law enforcement takedowns to aggressively recruit new members. Groups like Cloak, Medusa and RansomHub have posted ads on underground forums, according to GuidePoint Security. The ads are attempting to lure more experienced hackers from the defunct ALPHV and LockBit gangs. Two ransomware platforms named Beast and Rass Flocker also launched this month and are attempting to fill the void left by ALPHV and LockBit.
Microsoft has released an out-of-band security update for the Xbox platform. The update fixes a vulnerability that can allow threat actors to gain SYSTEM privileges. The Microsoft Store will automatically install the update for all affected customers. Microsoft initially declined to patch the bug. The company changed its mind after a proof of concept was published online last week.
Users at employee review site Glassdoor say the company is publishing their real names without their consent. Users say they had to delete accounts after their real names appeared on anonymous employment reviews they made in the past.
Many users don't know where the company obtained their real names. In some cases, the company took real names from support requests and added them to users' profiles. Glassdoor has also changed its sign-up process and is now requiring users to disclose their full names, job titles and employers before creating a new account. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Kroll. Find them at kroll.com slash cyber. Thanks for your company.