Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 
These vulnerabilities have not been patched at time of this posting. 
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule

Monday, December 9, 2024 14:30

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 

These vulnerabilities have not been patched at time of this posting. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

****MC Technologies OS command injection vulnerabilities** **

_Discovered by Matt Wiseman of Cisco Talos._ 

The MC-LR Router from MC Technologies supports IPsec and OpenVPN implementations, firewall capabilities, remote management via HTTP and SNMP, and configurable alerting via SMS and email, with two-port and four-port variants, includes models that support transparent serial-to-TCP translations and 1-in/1-out digital I/O. 

Talos recently published two advisories detailing OS command injection vulnerabilities discovered in the MC-LR Router from MC Technologies. TALOS-2024-1953 covers three vulnerabilities (CVE-2024-28025 through CVE-2024-28027), which are reachable through the I/O configuration functionality of the web interface. TALOS-2024-1954 covers one vulnerability (CVE-2024-21786) in the importation of uploaded configuration files. All vulnerabilities may be triggered with an authenticated HTTP request. 

****GoCast authentication and OS command injection vulnerabilities** **

_Discovered by Edwin Molenaar and Matt Street of Cisco Meraki._ 

The GoCast tool provides BGP routing for advertisements from a host; it is commonly used for anycast-based load balancing for infrastructure service instances available in geographically diverse regions.  

The GoCast HTTP API allows the registration and deregistration of apps without requiring authentication, shown in TALOS-2024-1962 (CVE-2024-21855). The lack of authentication can be used to exploit TALOS-2024-1960 (CVE-2024-28892) and TALOS-2024-1961 (CVE-2024-29224), leading to OS command injection and arbitrary command execution.

MC LR Router and GoCast unpatched vulnerabilities

Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding…

Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding phishing, 2FA, and protecting your holdings against theft.

As digital assets like cryptocurrencies, tokens, and NFTs grow in popularity, so does the importance of securing them. These assets are valuable, decentralized, and often stored in digital wallets that require specific security measures.

However, this decentralization, due to the lack of central oversight, makes them particularly vulnerable to hacking, phishing, malware, and human error. The good news is that with the right precautions and knowledge, you can significantly reduce the risks of theft or fraud.

This guide will explore the basics of digital asset cybersecurity, including common risks and best practices to help protect your crypto holdings.

****Understanding Digital Asset Security Risks****

Before diving into crypto, it’s crucial to understand the unique security risks that come with managing digital assets. Digital assets are typically stored in wallets, which are secured by private keys and seed phrases. These are the most critical components that control access to your assets, and if compromised, you could lose everything.

Hackers often target exchanges, wallets, and platforms where cryptocurrencies are stored. Phishing scams trick users into revealing their private keys or login details. Malware can infect devices, enabling cybercriminals to steal your credentials. Additionally, human error, such as sending funds to the wrong address or losing your private keys, can result in permanent asset loss.

****Wallets: Private Keys, Seed Phrases, and Passwords****

Your crypto wallet is the most important part of your security setup. Each wallet has a public key (which is shared with others to receive funds) and a private key (which grants access and control over your assets). Most wallets also use a seed phrase to recover access in case the wallet is lost or damaged. This seed phrase consists of 12-24 random words that serve as a backup to your private key.

Backing up your seed phrase securely is essential. Store it offline in a secure location—never on your computer or in the cloud, where it could be hacked. Losing your seed phrase means losing access to your funds permanently. Similarly, ensure your wallet has a strong, unique password for day-to-day access and use a password manager to keep track of it safely.

****Using Non-Custodial Wallets for Better Security****

When choosing a wallet, consider whether it’s custodial or non-custodial. In a custodial wallet, a third party, like an exchange, controls your private keys. This can leave your funds vulnerable if the platform is hacked. A non-custodial wallet gives you full control of your private keys, making it a more secure option. Because non-custodial wallets are so secure, many digital currency enthusiasts consider them the best Bitcoin wallet option for keeping high-value assets safe and secure. 

****Two-factor authentication (2FA)****

Another critical security measure is enabling two-factor authentication (2FA) on your crypto accounts. 2FA requires an additional authentication step (such as a code sent to your phone) when logging into accounts. This makes it much harder for hackers to gain access, even if they have your password. 

Use a 2FA app like Google Authenticator or Authy for better protection. Avoid using SMS-based 2FA, as it’s vulnerable to SIM-swapping attacks, where hackers can hijack your phone number. Additionally, ensure that any backup codes or recovery methods for your 2FA are stored securely, as losing access to your 2FA can lock you out of your accounts permanently.

****Always Double-Check Wallet Addresses****

Cryptocurrency transactions are irreversible, which means once funds are sent, they cannot be recovered. Always double-check wallet addresses before sending or receiving funds. This simple step can save you from accidentally sending assets to the wrong address.

If you receive a request to send crypto, verify the wallet address and ensure it matches the intended recipient. You can also use QR codes to minimize the chance of errors when entering an address manually.

****Beware of Phishing and Social Engineering****

Phishing attacks are one of the most common methods cybercriminals use to steal digital assets. These scams often involve fake websites, emails, or messages that mimic trusted platforms like exchanges, wallet providers, or crypto services. If you’re tricked into entering your credentials on a fraudulent site, hackers can access your wallet and steal your assets.

Always check the URL of the website you’re visiting and look for signs of legitimacy. Never share your private keys, seed phrases, or sensitive information over email, phone, or social media. Be cautious of unsolicited messages, and always verify requests before acting on them.

****Understand the Risks of Crypto Exchanges****

Cryptocurrency exchanges are often targets for cyberattacks, as they store large amounts of digital assets. While exchanges are convenient for trading and holding crypto, they come with risks. For example, if the exchange is hacked or experiences a security breach, your funds could be stolen. Some exchanges also have poorly managed security protocols, putting your assets at risk.

Consider using non-custodial wallets for long-term storage and only keeping small amounts of crypto on exchanges for trading purposes. Research exchanges before using them and check their security track record.

****Stay Informed and Educated About Security****

The crypto space is constantly evolving, and new threats are emerging all the time. Stay informed by following reputable sources on security best practices, crypto news, and updates on potential vulnerabilities. Joining online communities or forums can help you stay up-to-date on the latest trends, security threats, and emerging technologies, ensuring you understand the evolving landscape. 

It’s also important to educate yourself on the specific risks associated with decentralized finance (DeFi) protocols, smart contracts, and other decentralized services. While these platforms offer new opportunities, they can also expose you to unique risks like smart contract bugs, liquidity issues, or governance vulnerabilities that could lead to significant losses. Understanding these risks helps you make informed decisions and protect your assets.

****Crypto Security Best Practices: Do’s and Dont’s********Do’s:****

*   Back up your seed phrase and store it securely in multiple offline locations.
*   Use strong, unique passwords for your crypto accounts and avoid reusing passwords from other sites.
*   Enable two-factor authentication (2FA) for added protection on all platforms.
*   Double-check wallet addresses before sending or receiving funds to avoid errors.
*   Research wallet providers and choose reputable ones that prioritize security features.
*   Stay informed about new security threats and best practices to protect your assets.

****Don’ts:****

*   Never share your private keys or seed phrases with anyone, as this would give them access to your funds.
*   Avoid suspicious links and be cautious of phishing emails or messages that impersonate trusted services.
*   Be wary of centralized exchanges, as they are more vulnerable to hacks. Consider using non-custodial wallets for long-term storage.
*   Exercise caution with DeFi protocols, as they can have vulnerabilities in smart contracts.
*   Don’t trust unverified sources—always verify the legitimacy of platforms and communications before sharing any personal information.

****Conclusion****

Digital assets offer incredible opportunities, but they also come with unique risks. By following these essential cybersecurity practices, you can significantly reduce the chances of falling victim to theft or fraud. Secure your assets by backing up your seed phrase, using strong passwords and 2FA, avoiding phishing scams, and staying informed about the latest threats in the crypto space.

Ultimately, safeguarding your crypto holdings requires a combination of vigilance, knowledge, and secure practices. By adopting these principles, you can enjoy the benefits of digital assets while minimizing the risks.

1.  **Benefits of Using an Anonymous Bitcoin Wallet**
2.  **Outdated Wallets Threatening Billions in Crypto Assets**
3.  **Step-by-Step Guide to Creating Your First Crypto Wallet**
4.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
5.  **Internet Computer Protocol Launches Walletless Verified Credentials**

Digital Assets Cybersecurity Essentials

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.

 issue affects Apache Superset: from 2.0.0 before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-35fc-9hrj-3585: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled

Generation of Error Message Containing analytics metadata Information in Apache Superset.

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

GHSA-2cx9-54hp-r698: Apache Superset: Error verbosity exposes metadata in analytics databases

Another day, another supply chain attack!

****KEY POINTS****

*   **Cybersecurity researchers at ReversingLabs found that hackers used malicious code to combine the Ultralytics AI library to mine cryptocurrency.**

*   **Hackers exploited the library’s build system and injected XMRig mining software into updates 8.3.41 and 8.3.42.**

*   **The attack used GitHub Actions Script Injection and fake pull requests to gain access to the system.**

*   **With over 60 million downloads, the compromised library posed a risk, though the damage was limited to mining.**

*   **Developers and users must verify software updates and sources to avoid similar incidents.**

The latest research from ReversingLabs (RL) shared with Hackread.com, reveals that a popular AI library called _“_Ultralytics_“_ has been secretly mining cryptocurrency for someone else. This follows the recent discovery of the malicious aiocpa Python package, which was spreading an infostealer.  

On December 4th, an update (version 8.3.41) for Ultralytics hit the Python Package Index (PyPI), a repository for Python software. However, something else also hit the repository: Hackers had infiltrated the project’s build environment, which prepares the software for release. 

The content in the GitHub repository did not match the content of the matching PyPI package, as malicious actors compromised the build environment and injected malicious code after the code review process was completed.

The tampered code downloaded a program called XMRig, a cryptocurrency miner. The worst part, according to RL’s report, is that even a supposed “fix” (version 8.3.42) released the next day was also infected.

That’s because the project’s maintainers failed to locate the compromise, resulting in version 8.3.42, intended to address the incident and serve as a safe upgrade, containing the same malicious code. A clean version, 8.3.43, was released on the same day, resolving this supply chain attack.

In case you are wondering how the hackers got in, it all started with exploiting a GitHub Actions Script Injection to enter the build environment of a trusted npm package, @solana/web3.js. This injection allowed a malicious actor to create a fork of any repository using ultralytics/actions and craft a pull request from a branch with injection payload code in its title.

Next, two maliciously crafted pull requests, #18018 and #18020, were designed to enable backdoor access to the compromised environment. The user account behind this pull request, openimbot, and the remote connection established after the execution of the malicious payload were initiated from Hong Kong, based on information provided by ultralytics maintainers. By creating fake pull requests with cleverly crafted titles, actors tricked the system into running their malicious code.

A GitHub comment explaining what happened and limited details about the user involved in the hack (Screenshots via RL)

****Impact: 60 million downloads and 30,000 GitHub stars****

This attack had the potential to impact millions considering that Ultralytics boasts over 60 million downloads and 30,000 GitHub stars, indicating its widespread use. Thankfully, the damage seems limited to cryptocurrency mining.

However, this incident shows how vulnerable software supply chains can be. Malicious actors could have easily injected more dangerous code, like backdoors or remote access tools. This means, developers must be cautious at all stages to protect AI projects. 

It also shows the importance of software security, emphasizing the need for developers to double-check code changes from untrusted sources, and users to download software from trusted sources and keep it updated.

1.  **ChatGPT Sandbox Flaws Enabling Python Execution**
2.  **PyPI Exploited to Infiltrate Systems Through Python Packages**
3.  **PythonAnywhere** **Cloud Platform Abused to Host Ransomware**
4.  **Qubitstrike Malware Hits Jupyter Notebooks for Cryptojacking**
5.  **VMCONNECT: Malicious PyPI Package Mimicking Python Tools**

Ultralytics AI Library with 60M Downloads Compromised for Cryptomining

Cryptocurrencies, from Bitcoin to altcoins and meme coins, revolutionize payments by offering privacy, reduced fees, faster transactions, enhanced…

Cryptocurrencies, from Bitcoin to altcoins and meme coins, revolutionize payments by offering privacy, reduced fees, faster transactions, enhanced security, and global accessibility.

Cryptocurrencies are no longer just a fading trend; they have been implemented in plenty of industries because of their various advantages. For example, cryptocurrencies have started to be used as a payment option for web hosting providers to improve the satisfaction of individuals worldwide and offer what they want.

Bitcoin is the first cryptocurrency ever created that will forever have the first-mover advantage. However, over the years, plenty of other digital coins have appeared that wanted to offer something else from the crypto pioneer. For example, altcoins are one of the most popular digital coins after Bitcoin, having introduced plenty of other use cases into the game so that they will manage to have a better appeal over the crypto king. 

Another example of other cryptocurrencies is meme coins, which represent cryptocurrencies created after something funny, trying to add a humorous appeal and attract the attention of a fun community. Usually, they have an animal meme image or an animated character created by using blockchain to attract users worldwide.

Dogecoin is considered the first meme coin. It is the result of a happy accident. The software engineer created this digital coin as a joke and wanted to make fun of all the crypto speculations that were present at the time.

But Dogecoin had great success, establishing itself as an important digital currency. Even though Dogecoin is more satirical, this digital coin still managed to be considered a legitimate investment prospect by some who want to add this cryptocurrency to their crypto portfolio after checking the Dogecoin price. 

As you can see, cryptocurrencies are very popular assets that can change the financial sector forever and introduce something that wasn’t even imaginable up to that moment. Here are some reasons that made web hosting providers turn their attention to cryptocurrencies. 

****Cryptocurrencies are anonymous and private****

Web service providers have started to accept crypto payments because digital coins are private and anonymous, and some customers want to benefit from these features. In traditional financial services, customers need to provide personal information to the hosting company, such as contact details, credit cards, and other personal information, but that is not the case with cryptocurrencies.

Unfortunately, if an individual offers their data to a company, and that company doesn’t take the necessary steps to protect this information, then people risk becoming victims of a data breach. However, as cryptocurrencies are both private and anonymous, they remove this chance from the equation, which is something that individuals worldwide are looking to have. In this way, people can protect their sensitive information while still managing to buy the services they need. 

****Cryptocurrencies have lower transaction fees****

Cryptocurrencies also have another advantage, represented by the fact that they come with reduced fees, which is always something better, as the expenses for customers can be considerable if taken into account from the long-term perspective.

However, cryptocurrencies have lower transaction fees, so customers can save some money. This is why individuals might prefer a web hosting provider who accepts cryptocurrencies over someone who doesn’t for all the advantages they bring. This is especially essential for businesses and individuals who want to cut their expenses and increase their bottom line. 

****Offer global accessibility for the payments****

Cryptocurrencies offer better accessibility, which is superior to traditional payment methods, and because of this, web hosting providers can attract a larger base if they choose to accept crypto payments. Digital currencies are not associated with international transaction fees or exchange rates, and because of that, they have the great advantage that anyone in the world can use, removing geographical barriers out the way.

In this way, individuals worldwide can pay with crypto, as they only need an internet connection and can transact anywhere, no matter their geographical location. 

This is even more important for large-scale web hosting services, as they can better navigate the complexities associated with traditional payment methods. This way, individuals worldwide can pay for web hosting services without dealing with delayed transactions, currency conversion fees, and other limitations. 

****Faster transactions****

Another advantage of accepting crypto payments is that web hosting providers can receive payments much faster, an important criterion for a business. In traditional financial services, companies need to wait a lot more to receive transactions, but this doesn’t need to happen when transacting with cryptocurrencies.

For example, in a conventional payment method, businesses can wait several days for a transaction to be completed. Still, crypto transactions are usually received in a few minutes because they are decentralized assets that are not controlled by local authorities. Because of that, they remove the need for middlemen. 

Instead, by accepting crypto payments, businesses worldwide can benefit from efficient and prompt payment processing, which is especially vital for companies that need quick turnaround times. 

****Enchanted security****

Cryptocurrencies have a higher level of security than traditional alternatives, which can bring advantages to web hosting payments, as customers will be more likely to make a payment. Conventional payment services can come with associated online risks, such as chargebacks, fraud, and data breaches, but that doesn’t occur with cryptocurrencies that are not subjected to the same hacking attempts.

Because cryptocurrencies function with the help of blockchain, they are more secure, as a cybercriminal will need to hack the majority of the nodes, which is highly improbable. This can offer web hosting providers a safer environment and peace of mind while ensuring they offer their clients the best services. 

****Conclusion****

Cryptocurrencies have started to increase in popularity in recent times, and because of that, they have become preferred options for numerous individuals worldwide, including web service providers. Digital coins have plenty of benefits, such as enhanced security, reduced fees, better privacy, global accessibility, and faster transactions, which web hosting providers can take advantage of.

Web hosting providers have started to accept crypto payments: Here’s why

Operation Destabilise was a major international operation led by the UK's National Crime Agency (NCA) to dismantle two Russian-speaking criminal networks: Smart and TGR. These networks were backbone in laundering billions of dollars for various criminal activities.

****KEY POINTS of THIS STORY****

*   **Operation Destabilise Success**: The UK’s NCA led an international effort that dismantled two major Russian-speaking criminal networks laundering millions of dollars.

*   **Criminal Activities**: The networks funded ransomware attacks, drug trafficking, and Russian espionage, laundering over $2.3 million in ransomware payments.

*   Global Reach: These networks operated in 30 countries, using cryptocurrency and cash-for-crypto methods to fund illicit activities.

*   **Arrests and Seizures**: Authorities arrested 84 individuals, seized £20 million in cash and crypto, and imposed US sanctions on key figures.

*   **Blockchain Analysis**: The operation highlighted the critical role of blockchain tracing in combating cyber and traditional organized crime.

A joint international effort led by the UK’s National Crime Agency (NCA) has successfully disrupted two large-scale Russian-speaking criminal networks involved in laundering millions of dollars in illegal funds.

Dubbed Operation Destabilise, the investigation exposed a network of financial transactions that supported various criminal activities, including ransomware attacks, drug trafficking, and Russian espionage.

Two networks, identified as “Smart” (led by Ekaterina Zhdanova) and “TGR” (led by Rossi, Chirkinyan, and Bradens), were instrumental in facilitating the movement of illegal funds across borders, often using cryptocurrency as a primary tool.

Authorities found that between 2022 and 2023, these networks laundered over $2.3 million (£20 million) in ransomware payments made to the **Ryuk ransomware group,** provided financial support to notorious criminal organizations like the Kinahan crime syndicate known for drug and arms trafficking, and facilitated funding of Russian espionage operations, helping to bypass financial sanctions imposed on Russia.

According to the NCA’s **press release**, the network had a global reach, with operations spanning across 30 countries, including the UK, Russia, the Middle East, and South America. 

Further probing revealed the techniques employed to hide the origin of ill-gotten funds, often involving cash-for-crypto transactions. Criminal gangs used cryptocurrency to reinvest in their illegal business, buying more drugs and firearms without transferring physical money across borders. This financial service allowed these groups to continue their violent activity. 

The operation resulted in the arrest of 84 individuals and the seizure of over £20 million in cash and cryptocurrency. Additionally, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has **imposed sanctions** on four entities and five individuals associated with the TGR network. These sanctions target key figures involved in laundering money for Russian elites and cyber criminals.

The operation was a collaborative effort involving multiple international law enforcement agencies, including the UK Metropolitan Police Service, French police, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Drug Enforcement Agency (DEA), and the Federal Bureau of Investigation (FBI).

“While these organisations have sought to exploit emerging technologies such as cryptocurrency to obscure their activities, the inherent traceability of blockchain has proven invaluable in unravelling their activities that operated on a truly global scale, moving billions of dollars for a range of different threat actors,” the NCA’s head of cyber intelligence, Will Lyne, stated.

This operation has significantly disrupted the activities of various criminal organizations, including ransomware groups, drug traffickers, and Russian intelligence services. It has also exposed the complex ways in which cybercrime and traditional organized crime intersect.

1.  **Russian Court Jails Four REvil Ransomware Gang Members**
2.  **Leading French IT firm Sopra Steria hit by Ryuk ransomware**
3.  **Russian Man Extradited to US over Phobos Ransomware Attacks**
4.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
5.  **Hacker Wanted by FBI in Ransomware Attacks Arrested in Russia**

84 Arrested as Russian Ransomware Laundering Networks Disrupted

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Cybercriminals know that privileged accounts are the keys to your kingdom. One compromised account can lead to stolen data, disrupted operations, and massive business losses. Even top organizations struggle to secure privileged accounts. Why?
Traditional Privileged Access Management (PAM) solutions often fall short, leaving:

Blind spots that limit full visibility.
Complex deployment processes.

Learn How Experts Secure Privileged Accounts—Proven PAS Strategies Webinar

Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company

Tag

#web