Cybersecurity News: Volt Typhoon takedown, refusing ransoms, Binance’s big leak

FBI grounds Volt Typhoon

The Chinese state-affiliated hacking group Volt Typhoon created the KV botnet by infecting small office/home office routers and IoT devices from Netgear, Cisco, DrayTek and Lumen Technologies. The group used the botnet to hide reconnaissance and exploitation efforts. The FBI reports it began an operation in early December to take down the botnet with a court order to take down its C2 server. This saw the FBI compromise the server and use it to cut off access to infected devices by uninstalling its VPN component on routers. The FBI and CISA also issued guidance for SOHO router manufacturers to secure hardware against continued Volt Typhoon activity, even for end-of-life hardware.  

(Bleeping Computer)

More companies refuse to pay ransoms

The ransomware negotiation firm Coveware reports that in Q4 2023, a record low 29% of firms made payments to ransomware operators, down from 37% a year ago. The firm notes the rate of ransomware payments has decreased steadily over the last five years, from 85% of firms paying in Q1 2019. This drop occurred even in cases where threat actors exfiltrated data. Coveware said the continued decline comes from mounting legal pressure on paying ransoms, a lack of trust in cybercriminals, and overall better preparedness for ransomware attacks.

(Bleeping Computer)

Binance internal info exposed on GitHub

404 Media reported that data belonging to the cryptocurrency giant sat available on GitHub for months. This included internal production passwords, technical information, code, and infrastructure diagrams. There remains no public evidence of misuse so far. Binance filed a copyright takedown request with GitHub to have the information removed. It’s not clear if the account that uploaded the information acted maliciously or accidentally. Binance characterized it simply as a “leak” in the takedown notice. 

(404 Media)

AI poisoning tool sees download surge

Last week researchers at the University of Chicago released a tool called Nightshade. Similar to other AI poisoning tools like Glaze, Nightshade serves to “distort feature representations inside generative AI image models.” The idea is that anyone not wanting their data scraped for training could use this while still keeping their content indexed on the open web. The team reports that since release, Nightshade has seen over 250,000 downloads, indicating a high level of interest.

(Spiceworks, Nightshade Project Site)

Huge thanks to our sponsor, Vanta

From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging.

Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization.

Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk.

To learn more, go to vanta.com/ciso and watch their 3-minute product demo.

US lawmakers propose DEFIANCE Act to combat deepfake porn

A bipartisan group of US Senators introduced the Disrupt Explicit Forged Images and Non-Consensual Edits, aka DEFIANCE Act. This gives people a civil right of action against using “digital forgeries” to portray an identifiable individual in an intimate act without consent, opening the door for victims to collect damages. A provision in the Violence Against Women Act Reauthorization Act of 2022 gave a similar right for non-faked images. The Act would apply to any images created with “software, machine learning, artificial intelligence, or any other computer-generated or technological means.” 

(The Verge)

US law enforcement uncovers largest SIM-swapping ring

The US Department of Justice filed an indictment against Chicago resident Robert Powell in the Northern District of Illinois, alleging that he operated a large-scale SIM-swapping ring that stole an estimated $400 million. Powell and his team allegedly operated these attacks from March 2021 through April 2023. The indictment outlines over 50 victims, with Powell forging documents to get SIM cards at Apple, AT&T, Verizon, and T-Mobile stores. The largest transaction claims Powell drained $400 million from a single company account, as well as cryptocurrency thefts up to $1 million.

(Ars Technica)

EU launches cybersecurity certification on digital products

The European Union adopted the voluntary European Cybersecurity Scheme on Common Criteria, initially drafted by the European Union Agency for Cybersecurity. This will replace existing national certification frameworks, giving the bloc a more consistent process. The framework will apply to technological components, hardware, and software, setting out two levels of assurance based on risk of the product’s intended use. 

(Info Security Magazine)

Ivanti and the terrible, horrible, no good, very bad zero-days

Ivanti began slowly rolling out patches for its previously disclosed zero-days this week. These cover the command injection and authentication bypass flaws it disclosed January 11th. But now it disclosed two more zero-days impacting its Connect Secure, Policy Secure, and ZTA gateways. One flaw under active exploitation lets attackers bypass authentication and access system resources. A second flaw opens the door to a privilege escalation in its gateway web component. It released patches for some ZTA and Connect Secure devices, with mitigations for all unpatched devices available as well. 

(Bleeping Computer)

Ars Technica used in malware campaign

We frequently use the site Ars Technica as a reliable news source with quality coverage on this show. But a new report from Mandiant, covered on Ars, found that threat actors used a novel attack chain to make the site serve second-stage malware. The threat actor UNC4990 initially linked from an Ars user profile to an image of a pizza hosted on a third-party website. The URL to the image carried a Base64-encoded payload in its character string. A machine already infected with first-stage malware via an infected USB drive would retrieve the string and install the second stage. A seemingly benign video on Vimeo also used this same approach. Mandiant researchers found a third stage deployed in only one instance, which installed a crypto miner.

(Ars Technica)
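The detection angle on the Ars Technica story above is that the malicious part of the image URL was an ordinary-looking character string that happened to decode, as Base64, into something a first-stage implant could act on. The following is an added example, not code from Mandiant or from the original post, showing how a defender might sweep proxy or DNS logs for that pattern: it pulls Base64-looking runs out of each URL, tries standard and URL-safe decoding, and flags only those that decode to printable text resembling a download URL or a command launcher. The sample URLs, the `staging.example.invalid` host and the indicator list are all constructed for the demo.

```python
import base64
import binascii
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample URLs for the demo (not taken from the Mandiant report).
# The second carries a Base64 blob in its path that decodes to a hypothetical
# second-stage download URL; the third is a long token that decodes to binary.
STAGE2 = b"https://staging.example.invalid/stage2.bin"
SAMPLE_URLS = [
    "https://img.example.net/photos/pizza.jpg",
    "https://img.example.net/photos/" + base64.b64encode(STAGE2).decode("ascii") + ".jpg",
    "https://img.example.net/photos/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.png",
]

MIN_LEN = 24  # shorter runs are too often legitimate ids or hashes
# A run of Base64 (standard or URL-safe alphabet) characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{%d,}={0,2}" % MIN_LEN)
# What a decoded blob must look like to be flagged (constructed indicator list).
INDICATOR_RE = re.compile(r"https?://|powershell|cmd\.exe|/bin/sh|\bwget\b|\bcurl\b", re.IGNORECASE)


def _candidates(url: str) -> Iterator[str]:
    """Yield Base64-looking substrings of a URL.

    '/' is both a Base64 character and the URL path separator, so a run that
    spans several path segments is also tried one slash-bounded window at a
    time; otherwise a blob in one segment is swallowed by the segment before it.
    """
    for match in B64_RE.finditer(url):
        parts = match.group(0).split("/")
        for i in range(len(parts)):
            for j in range(i + 1, len(parts) + 1):
                cand = "/".join(parts[i:j])
                if len(cand) >= MIN_LEN:
                    yield cand


def _try_decode(segment: str) -> Optional[str]:
    """Decode a segment as standard, then URL-safe, Base64.

    Returns text only if the bytes are printable ASCII; binary output (a real
    image hash, an opaque session token) is discarded as uninteresting.
    """
    padded = segment + "=" * (-len(segment) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError):
            continue
        if text and text.isprintable():
            return text
    return None


def flag_url(url: str) -> Optional[str]:
    """Return the decoded payload hidden in `url`, or None if nothing matches."""
    for cand in _candidates(url):
        text = _try_decode(cand)
        if text is not None and INDICATOR_RE.search(text):
            return text
    return None


def scan(urls: List[str]) -> List[Tuple[str, str]]:
    """Run flag_url over a batch of URLs, returning (url, decoded payload) hits."""
    hits = []
    for url in urls:
        payload = flag_url(url)
        if payload is not None:
            hits.append((url, payload))
    return hits


if __name__ == "__main__":
    for url, payload in scan(SAMPLE_URLS):
        print(f"FLAG {url}\n  decodes to: {payload}")
```

The printable-ASCII and indicator checks are what keep the false-positive rate tolerable: long Base64 runs are everywhere in legitimate traffic (CDN cache keys, signed URLs), but very few of them decode to a readable URL or a shell command. Tune `MIN_LEN` and `INDICATOR_RE` to what your own environment's traffic looks like before running this over production logs.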

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.