Home
cover of episode Risky Biz News: Spyware vendors behind 24 zero-days last year

Risky Biz News: Spyware vendors behind 24 zero-days last year

2024/3/28
logo of podcast Risky Business News

Risky Business News

Chapters

Google reported that 24 out of 97 zero-days exploited last year were linked to commercial spyware companies, with a focus on mobile platforms like Safari, iOS, Android, and Google products.

Shownotes Transcript

Spyware vendors were behind 24 zero days last year. A hacker steals and then returns $62 million to crypto platform Munchables.

The US charges KuCoin and its founders with money laundering. And the Brutus botnet targets VPN service across the world. This is Risky Business News, prepared by Katalin Kimpanu and read by me, Claire Aird. Today is the 29th of March, and this podcast episode is brought to you by Sublime Security, an email security platform that's not a black box.

In today's top story, Google says that 24 of the 97 zero-days exploited in the wild last year are linked to commercial spyware companies. 11 of the zero-days impacted Safari and iOS, while the rest targeted Android and Google products.

The data shows a clear focus by spyware vendors on mobile platforms. Google linked another 24 zero days to APT groups and four to ransomware gangs. Attribution was only possible for 58 of last year's zero days.

Czech intelligence services have disrupted a Russian propaganda network operating in Prague. The network operated a news website named The Voice of Europe. Officials said the website was registered to a local company but financed from Russia. It published demands by EU politicians that Europe stop financing Ukraine.

According to local news outlet Danik K, some of the politicians were paid using funds from Russia. The Czech government sanctioned the Voice of Europe and two of its administrators. One of them is former Ukrainian politician Viktor Medvedchuk. Czech officials claim Medvedchuk ran the entire operation from Moscow.

The U.S. Justice Department has charged cryptocurrency exchange KuCoin and two of its founders over alleged anti-money laundering breaches. U.S. officials claim the company intentionally didn't run an anti-money laundering program. Since 2017, KuCoin received over $5 billion and transferred out over $4 billion of suspicious and criminal proceeds, the DOJ says.

Funds were allegedly linked to proceeds from darknet markets, malware, ransomware and fraud schemes. The company's two founders are still at large.

A threat actor has stolen and then returned $62 million worth of tokens from crypto gaming platform Munchables. Blockchain security experts claim the hack took place after Munchables had inadvertently hired a North Korean IT developer. The individual is believed to have stolen the funds using a backdoor they planted in the code. It's currently unknown why the attacker returned the funds a day after the hack.

A ransomware gang has encrypted computers at Scotland's National Healthcare System. The incident has impacted the NHS board serving the Dumfries and Galloway region in South Scotland. The incident has not impacted patient care. A ransomware group named Inked Ransom has taken credit for the attack.

The head of France's cyber security agency expects threat actors to target the Paris Olympics this year. ANSI Director-General Vincent Strubel says hackers might try to disrupt the opening ceremony and the city's public transport network. The official stopped short of accusing Russia, whose athletes are largely excluded from the Games. Russia used malware to disrupt the 2018 Winter Olympics in South Korea.

A US judge has sentenced a Cameroonian national to 12 years in prison for his role in BEC scams. Officials say New Valentine Fombe stole more than $2 million through BEC scams between 2016 and 2018. Fombe fled to the UK in 2019 after he was indicted. In the UK, he allegedly engaged in pandemic-related unemployment scams.

A new botnet named Brutus is behind a wave of brute force attacks that have hit VPN appliances across the world. According to security researcher Aaron Martin, attacks began on March 15. The brute force activity is indiscriminate and targets VPNs from many vendors such as Cisco, Fortinet and SonicWall.

Martin says Brutus is launching tens of millions of brute force requests per day. Recent attacks are also targeting web apps that use Active Directory for authentication.

Threat actors are selling software that can transform Raspberry Pi devices into an anonymisation tool for cybercrime operations. The tool is named GeoBox and is being advertised on Telegram for $700. GeoBox turns Raspberry Pi devices into no-log proxies that can fake GPS and local Wi-Fi networks to spoof geolocation. Security firm ReSecurity says it's encountered GeoBox in an attack at a Fortune 100 financial institution.

Netcraft security researchers have linked more than 20,000 phishing sites to a new phishing-as-a-service platform named Darkala. The platform launched this year and is advertised to Chinese-speaking hackers. Darkala is also one of the first phishing platforms to incorporate support for RCS messaging. RCS is the new messaging standard that aims to replace SMS. This allows phishing spam to bypass SMS firewalls and security filters.

Progress Software has patched a critical vulnerability in Telerik Report Server, a centralised data reporting platform. The vulnerability allows remote code execution attacks through an insecure deserialisation vulnerability. According to Census, more than 100 Telerik Report Servers have their login pages exposed on the internet.

Security researcher Skylar Ferrante has discovered a vulnerability in Wall, a Linux utility to display a message on the terminals of all logged-in users.

The vulnerability allows unprivileged users to put malicious text on other users' terminals. The vulnerability can be used to prompt and collect user passwords or alter clipboard data. Ferrante says all wall versions released over the past 11 years are vulnerable. He named the vulnerability Wall Escape. Proof of concept is available on GitHub.

The Python Software Foundation temporarily suspended new project creation and new user registration on the PyPy platform. PyPy admins said they suspended the platform to mitigate a malware upload campaign. Access to the platform was restored after 10 hours.

Eclectic IQ has identified a new threat actor targeting Indian government entities and organisations in its energy sector. The attacker is using a modified version of the open-source Infostela hack browser data. Eclectic IQ has notified Indian authorities about multiple successful intrusions. Researchers named the campaign Operation Flight Night after one of the attacker's Slack channels.

And finally, EU cybersecurity agency ANISA has ranked supply chain attacks as the top emerging cybersecurity threat for the next half decade. The other area of concern is the cybersecurity workforce skills shortage, which moved from number 10 to number 2. New on the agency's top 10 list is the exploitation of unpatched systems, which entered at number 4.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Sublime Security. Find them at sublime.security. Thanks for your company.