Cybersecurity News: Operation PowerOFF, FCC telco rules, ZLoader returns

In today’s cybersecurity news…

Operation PowerOFF hits DDoS sites

Europol announced that a coordinated law enforcement effort across Finland, Australia, Brazil, Canada, the UK, and the US led to the shutdown of 27 popular DDoS attack platforms. Dubbed Operation PowerOFF, the effort identified over 300 users of these platforms and led to the arrest of three administrators. Europol said it timed the takedowns ahead of the December holiday season to prevent the typical spike in DDoS attacks that cause “severe financial loss, reputational damage, and operational chaos for their victims.”

(The Record)

FCC proposes new telco cybersecurity rules

FCC Chairwoman Jessica Rosenworcel shared these proposed rules as a Declaratory Ruling with the commission’s other members. They seek to create a “modern framework to help companies secure their networks.” The rules would require telcos to submit an annual certification to the FCC confirming that they have implemented, and regularly update, a cybersecurity risk management plan. This comes after the ongoing Salt Typhoon campaign that compromised communications at several telcos and ISPs. CISA has already issued best practices and guidance for telcos in light of the campaign. We covered yesterday that Senator Ron Wyden introduced legislation requiring the FCC to create digital security standards for these companies.

(Dark Reading)

ZLoader returns

Researchers at Zscaler ThreatLabz documented a new version of the ZLoader malware, notably adding “a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands.” ZLoader originated as an offshoot of the Zeus banking trojan in 2015, and its infrastructure was eventually disrupted by law enforcement in April 2022. It resurfaced late last year, showing ties to Black Basta ransomware. The researchers also found that ZLoader’s developers updated its environment checks and API import resolution algorithms to evade typical analysis tools.

(The Hacker News)
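The ZLoader item above describes a custom DNS tunnel used for C2. From a defender’s side, the useful question is what such a channel looks like in resolver logs. The script below is an added illustrative example, not Zscaler’s or ZLoader’s code: it runs a few classic DNS-tunnel heuristics (long, high-entropy, never-repeating leftmost labels; a high share of TXT/NULL/CNAME queries) over constructed sample log lines. The log format, the `tunnel-c2.test` domain and all thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic detection of DNS-tunnelled C2 traffic in resolver query logs.

Added illustrative example; not Zscaler's or ZLoader's code. The log format
("timestamp client qtype qname") is a constructed simplification and the
thresholds are assumptions a defender would tune to their own baseline.
"""
import math
from collections import defaultdict

# Constructed sample resolver log lines (not from any real capture).
SAMPLE_LOG = """\
2024-12-12T10:00:01Z 10.0.0.5 A www.example.com
2024-12-12T10:00:02Z 10.0.0.5 A cdn.example.com
2024-12-12T10:00:03Z 10.0.0.7 TXT 3q4mzv2hx9aq7ttp0k5n.tunnel-c2.test
2024-12-12T10:00:04Z 10.0.0.7 TXT k8pw1zr6yd0bq2vm7jx4.tunnel-c2.test
2024-12-12T10:00:05Z 10.0.0.7 TXT zq9ty2xc5hv8nw3lb6ks.tunnel-c2.test
2024-12-12T10:00:06Z 10.0.0.7 TXT 7mkd4fxw1tn9cgb2rpv0.tunnel-c2.test
2024-12-12T10:00:07Z 10.0.0.7 TXT x2gh5pn8vq0lw6yr3zcm.tunnel-c2.test
2024-12-12T10:00:08Z 10.0.0.9 A mail.example.com
2024-12-12T10:00:09Z 10.0.0.9 AAAA www.example.com
"""

# Assumed thresholds; tune against the organisation's own baseline.
MIN_QUERIES = 5          # too few queries to judge a domain
MAX_AVG_LABEL_LEN = 15   # average length of the leftmost label
MIN_AVG_ENTROPY = 3.5    # bits per character of the leftmost label
MIN_UNIQUE_RATIO = 0.9   # share of queries whose leftmost label never repeats
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}  # record types commonly abused for tunnels


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one constructed log line into (client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation of the registered domain.

    Assumption for the example; a real deployment would use the Public Suffix List.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(log_text: str) -> dict:
    """Aggregate queries per registered domain and compute the scoring features."""
    stats = defaultdict(lambda: {"n": 0, "labels": [], "tunnel_qtypes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qtype, qname = rec
        st = stats[registered_domain(qname)]
        st["n"] += 1
        st["labels"].append(qname.split(".")[0])
        if qtype in TUNNEL_QTYPES:
            st["tunnel_qtypes"] += 1
    features = {}
    for dom, st in stats.items():
        labels = st["labels"]
        features[dom] = {
            "queries": st["n"],
            "avg_label_len": sum(map(len, labels)) / len(labels),
            "avg_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
            "unique_ratio": len(set(labels)) / len(labels),
            "tunnel_qtype_ratio": st["tunnel_qtypes"] / st["n"],
        }
    return features


def flag_tunnels(log_text: str) -> list:
    """Return registered domains whose query pattern looks like a DNS tunnel."""
    flagged = []
    for dom, f in analyse(log_text).items():
        if f["queries"] < MIN_QUERIES:
            continue
        hits = sum([
            f["avg_label_len"] > MAX_AVG_LABEL_LEN,
            f["avg_entropy"] > MIN_AVG_ENTROPY,
            f["unique_ratio"] >= MIN_UNIQUE_RATIO,
            f["tunnel_qtype_ratio"] > 0.5,
        ])
        if hits >= 3:  # several independent indicators, to limit false positives
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

Requiring three of the four indicators together is what keeps ordinary CDN hostnames (short labels, repeated names, A/AAAA queries) out of the alert list; a single high-entropy label is not unusual on its own. In production the same aggregation would run per client as well as per domain, and the registered-domain step would use the Public Suffix List rather than the two-label shortcut.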

Lynx behind electricity supplier attack

Electrica Group supplies power to over 3.8 million customers in Romania. Earlier this week, the company said it was investigating an ongoing ransomware attack but did not name a threat actor. The Romanian National Cybersecurity Directorate named the Lynx ransomware organization as being behind the incident, although Lynx has not named the company on its breach site. Romania’s Energy Minister Sebastian Burduja said the attack did not impact Electrica’s SCADA and critical systems. Lynx has been active since July 2024, attacking over 20 entities in the energy, oil, and gas sectors using an encryptor whose source code is nearly identical to that of INC Ransom.

(Bleeping Computer)

Thanks to today’s episode sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more; you can harden your security with ThreatLocker.
ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.

AI voice generation likely used in influence operation 

Researchers at Recorded Future cited the use of generative AI voice technology in a recent Russia-linked campaign to weaken Europe’s support for Ukraine. The researchers found it “very likely” that the campaign used commercial AI voice generation products in its efforts, including tech from ElevenLabs. These voices were dubbed over supposed news clips to present Ukrainian politicians as corrupt. The tech allowed the campaign to produce videos quickly in various languages across the EU using native speech patterns and dialects. Recorded Future concluded the actual impact of the campaign on public opinion was minimal.

(TechCrunch)

A call for clarity with the National Cyber Director 

A new report from the nonprofit Center for Cybersecurity Policy and Law calls on the upcoming Trump administration to “clarify” the mission of the Office of the National Cyber Director, with clear differentiation in mandate from CISA and the Office of Management and Budget. The report calls on the ONCD to serve as the government’s top public-facing cyber official, be given a senior role on the National Security Council, and bring more subject matter experts into the office. The report also calls for the federal CIO to be made a direct report to the National Cyber Director. 

(The Record)

Snowflake to make MFA mandatory

Starting in November 2025, Snowflake will block sign-ins using single-factor passwords. Since October 2024, the company has made multi-factor authentication the default for new accounts. Both moves were part of its commitments to CISA’s Secure by Design pledge. As part of the rollout, in April 2025, Snowflake will require all human users to enroll in MFA on their next login attempt, excluding those with a custom authentication policy. In August, MFA will be required for all human password sign-ins.  

(Infosecurity Magazine)

Firefox removed “Do Not Track”

Starting with Firefox version 135, Mozilla will remove “Do Not Track” support from the browser. Firefox added the feature back in 2011; it sends an HTTP header to sites carrying the user’s request to opt out of tracking. Mozilla said many sites “do not respect this indication of a person’s privacy preferences” and suggested that users use the Global Privacy Control setting instead. Google’s Chrome and Microsoft’s Edge browsers offer Do Not Track settings.

(Windows Report)

Breaking AMD processors for $10

An academic team from KU Leuven, the University of Lübeck, and the University of Birmingham demonstrated how to use off-the-shelf equipment to get around AMD SEV-SNP memory integrity protections with an attack method called BadRAM. The researchers could tamper with the SPD chip embedded on a memory module, misrepresenting the module’s size to the processor as double the actual DRAM, which let the team manipulate memory mappings. This effectively compromises the processor’s attestation feature entirely. AMD released a firmware update to resolve the issue on impacted EPYC processors. The researchers also noted that DRAM vendors that leave serial presence detect metadata unlocked could open the door to a software-only BadRAM attack.

(Security Week)

Krispy Kreme hit with cyberattack

In “affront to all that is sacred” news, the US donut chain Krispy Kreme confirmed it suffered a cyberattack in an SEC filing. The attack began on November 29th, with ongoing impacts on online ordering in the US as of this recording. The attack did not impact in-person ordering and retail deliveries. In its Q3 earnings, the company reported digital orders represented 15.5% of sales. Krispy Kreme immediately sought outside expertise after discovering the attack, but no other details have been released. So far, no threat actors have taken credit for the attack. 

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.