In today’s cybersecurity news…
U.S. Treasury lifts sanctions on Tornado Cash
The U.S. Treasury Department has lifted sanctions against Tornado Cash, a cryptocurrency mixer previously accused of facilitating money laundering for North Korean hackers and other cybercriminals. Initially sanctioned in 2022 for allegedly aiding in laundering over $7 billion, including $455 million stolen by the Lazarus Group, Tornado Cash has been removed from the Specially Designated Nationals list following a November 2024 appellate court ruling. The court determined that the Treasury had overstepped its authority, as Tornado Cash’s immutable smart contracts did not qualify as property under federal law. Despite lifting the sanctions, the Treasury says it “remains concerned about North Korea’s cyber activities and emphasizes the importance of securing the digital asset industry from illicit use.”
Web service outage in Russia due to reported Cloudflare block
The outages were observed Thursday across numerous Russian regions, affecting platforms including “TikTok, Steam, Twitch, Epic Games, Duolingo and major Russian mobile operators.” Banking and government services and messaging apps such as Telegram and WhatsApp were also impacted. Industry experts suggest the outage was caused by the Russian government blocking U.S.-based Cloudflare. Russian internet regulator Roskomnadzor recommended that local organizations switch to Russian hosting providers.
Microsoft Trust Signing service abused to code-sign malware
Researchers at BleepingComputer and elsewhere are observing more instances of threat actors using the Microsoft Trusted Signing service to “sign their malware with short-lived, three-day code-signing certificates.” Code-signing certificates make malware appear legitimate, potentially bypassing security filters that block unsigned executables. Extended Validation (EV) certificates are particularly sought after by threat actors because of the increased trust security products grant them and their ability to suppress SmartScreen alerts. A cybersecurity researcher and developer with the wonderful name of Squiblydoo told BleepingComputer that they believe threat actors are switching to Microsoft’s service out of convenience, especially given that recent changes to EV certificates are causing confusion for users – something threat actors are taking advantage of.
Oracle denies breach
Oracle is denying that it has suffered a breach “after a threat actor claimed to be selling 6 million data records allegedly stolen from the company’s Oracle Cloud federated SSO login servers.” The company says, “the published credentials are not for the Oracle Cloud [and that] no Oracle Cloud customers experienced a breach or lost any data.” The threat actor released text files containing “a sample database, LDAP information, and a list of the companies that they claimed were stolen from Oracle Clouds’ SSO platform,” and claimed to have gained access to Oracle Cloud servers around 40 days ago and exfiltrated data from the US2 and EM2 cloud regions.
Huge thanks to our sponsor, ThreatLocker

DOGE aide broke Treasury policy by emailing unencrypted database, says court filing
This filing pertains to a lawsuit brought by New York Attorney General Letitia James and 18 other state AGs in February. The filing contains sworn testimony from David Ambrose, the chief security and privacy officer at the Treasury Department’s Bureau of Fiscal Services (BFS), who told the court that “DOGE operative Marko Elez violated Treasury rules by sending the unencrypted database including personally identifiable information and by not obtaining prior approval for the transmission.” The action was declared “low risk, because the database did not include social security numbers or more specific identifiers,” but the Treasury’s testimony says it was nonetheless contrary to BFS policies.
FCC alleges Chinese telecom companies are making ‘end run’ around bans
The Federal Communications Commission’s newly created Council on National Security will conduct a “sweeping investigation of Chinese-made equipment in America’s telecommunications infrastructure,” according to an announcement made on Friday. The focus will be on Chinese companies such as Huawei and ZTE, which have been banned from doing business with U.S. companies but allegedly continue to exploit loopholes or simply massively underbid competitors when dealing with smaller U.S. telecommunications providers.
U.S. pilot safety messaging system resumes operations after outage
The Federal Aviation Administration (FAA) system that provides safety messages to pilots “experienced an outage for several hours on Saturday before resuming operations,” according to the FAA and airlines. The system, named NOTAM (an acronym for “Notice to Airmen”), went down for more than three hours on Saturday because of a hardware issue. “All active NOTAM messages were available until the time of the outage,” the FAA said. Officials cite an aging air traffic control system paired with underfunding as causes.
(Reuters)
Infostealers grabbed 2.1B credentials last year
A new report from Flashpoint says, “cybercriminals stole 33% more credentials in 2024 compared to the previous year, and that more than 200 million credentials were already stolen in the first two months of this year.” Ian Gray, vice president of intelligence at Flashpoint, said, “Infostealers have increasingly become the initial access vector for ransomware campaigns by stealing credentials, system information and browser data.” Among the report’s findings: the majority of infostealer infections ran on the Microsoft Windows operating system, and nearly 7 in 10 infostealer infections on Windows devices targeted corporate systems.