Apple appeals UK order to build encryption backdoor in cloud systems

Trump pauses intel sharing with Ukraine, BianLian is sending snail mail ransom notes, More proof of Black Basta and Cactus links emerges, Eleven11bot malware reaches 86k IoT devices, Dark Caracal refreshes its malware, Taylor Swift ticket cybercrime crew members arrested, much more

Photo by Laurenz Heymann / Unsplash

I was honored to be interviewed by the McCrary Institute's Frank Cilluffo on his Cyber Focus podcast about several cybersecurity features I've written. Please give it a listen.




The Financial Times (FT), citing sources, reports that Apple appealed to the UK's Investigatory Powers Tribunal a British government order to create a "back door" in its most secure cloud storage systems.

Last month, press leaks revealed the existence of the January order asking Apple to build a backdoor in iCloud’s encrypted backups. UK officials are exercising their powers via national security surveillance legislation to try to force the iPhone maker to provide data in the clear to law enforcement.

Apple responded by announcing it would end UK users' access to the strongly encrypted version of the iCloud storage feature. The challenge via the IPT was filed at the same time, per the FT, indicating that the company is going on the offensive to try to overturn the order against its Advanced Data Protection (ADP) feature rather than simply pulling the security offering out of the UK market.

A key element is that Apple continues to offer strongly encrypted iCloud backups in other markets even though the order reportedly sought access to users' data outside the UK market, too. According to the FT, the British Government believes Apple has failed to comply despite shuttering the feature locally. (Natasha Lomas / TechCrunch)

Related: BBC News, Financial Times, The Verge, Times of India, Reuters, Ars Technica, 9to5Mac, AppleInsider, MacDailyNews, MacRumors, Gigazine, Heise Online, Daily Mail, mobilenewscwp.co.uk, iPhone in Canada Blog, The Straits Times, Telegraph, r/apple, Slashdot

Speaking on Fox Business, CIA director John Ratcliffe confirmed a Financial Times press report that the Trump administration paused its intelligence-sharing operation with Ukraine following a disastrous Oval Office meeting between the leaders of the two countries last Friday.

However, an official in Kyiv told Bloomberg News that Ukraine was continuing to receive intelligence from the United States.

The CIA director added that he thinks that the pause “will go away,” but did not specify when.

It’s not immediately clear how the pause of US intelligence sharing will affect Ukraine’s ability to defend against attacks from Russia. (Zack Whittaker / TechCrunch and Daryna Krasnolutska / Bloomberg)

Related: Financial Times, Reuters, CNN, The Independent, Kyiv Independent, Ukrainska Pravda, The Telegraph

Researchers at GuidePoint Security report that scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service.

The envelopes for these ransom notes claim to be from the "BIANLIAN Group" and have a return address located in an office building in Boston, Massachusetts.

One envelope shows it was mailed on February 25th, 2025. This mailing date is the same as the one seen by Arctic Wolf, who also reported on the scam.

The letters are being mailed to the CEOs of the companies at their corporate mailing addresses and show that they were processed through a postal facility in Boston. The envelope is marked, "Time Sensitive Read Immediately."

The envelopes contain a ransom note addressed to the company's CEO or another executive, claiming to be from the BianLian ransomware operation. They are tailored to the company's industry, with different types of allegedly stolen data corresponding to its activities.

The mailed ransom notes are very different from BianLian's, but the scammers attempt to make them look convincing by including the real Tor data leak sites for the ransomware operation in the notes.

The fake notes state that BianLian is no longer negotiating with victims. Instead, the victim has 10 days to make a Bitcoin payment to prevent data from being leaked.

Each ransom note includes a ransom demand ranging between $250,000 and $500,000, a freshly generated Bitcoin address to send payment, and a QR code for the Bitcoin address.

Arctic Wolf said that all healthcare organizations had their ransom demand set to $350,000. (Lawrence Abrams / Bleeping Computer)

Related: The Register, GuidePoint, Arctic Wolf, HackRead, Infosecurity Magazine, Forbes

Envelope for fake BianLian ransom note Source: BleepingComputer
Fake BianLian ransom note sent via snail mail Source: GuidePoint Security

Researchers at Trend Micro uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups using the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.

BackConnect is malware that acts as a proxy tool for remote access to compromised servers. BackConnect allows cybercriminals to tunnel traffic, obfuscate their activities, and escalate attacks within a victim's environment without detection.

Black Basta has historically used Qakbot (Qbot) to gain initial access to corporate networks. However, after a 2023 law enforcement operation disrupted Qbot's infrastructure, the Black Basta operation has looked for alternative malware to breach networks.

The group's pivot to BackConnect suggests they are still working with the developers connected to the Qbot operation.

Trend Micro also found that the Cactus ransomware group uses BackConnect in attacks, indicating a potential overlap between members. (Lawrence Abrams / Bleeping Computer)

Related: Trend Micro, Dark Reading, Infosecurity Magazine

Cactus attack chain. Source: Trend Micro.

GreyNoise reports on a new botnet malware named 'Eleven11bot' that has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks.

The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers.

Eleven11bot was discovered by Nokia researchers who shared the details with the threat monitoring platform GreyNoise.

Nokia's security researcher, Jérôme Meyer, commented that Eleven11bot is one of the largest DDoS botnets they have observed in recent years.

Threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia. (Bill Toulas / Bleeping Computer)

Related: Security Week, Jérôme Meyer, GreyNoise, Cybernews

Countries impacted by Eleven11bot Source: The Shadowserver Foundation

Researchers at Positive Technologies report that the hacker group Dark Caracal appears to be shifting to newer malware in an espionage campaign targeting individuals in Latin America.

The researchers detected 483 samples of Poco RAT in networks, mainly in Venezuela, the Dominican Republic, and Chile, from June 2024 until February. The researchers said Poco RAT shares distinct similarities with Bandook, Dark Caracal's signature malware.

The Poco RAT detections marked a sharp increase over the 355 cases of Bandook that Positive Technologies found between February 2023 and September 2024. The findings suggest Dark Caracal, believed to operate as a mercenary group conducting espionage and financially motivated hacks for hire, might be replacing the older malware in its operations.

The US and the European Union have sanctioned Positive Technologies over alleged ties to Russian intelligence and involvement in related cyber activities, but it retains a wide range of customers outside those areas.

In the latest Poco RAT campaign, the hackers used phishing emails to impersonate financial institutions and business service providers. Victims received messages notifying them of overdue invoices, with attachments designed to resemble official documents. When opened, the files redirected users to links that triggered an automatic malware download from legitimate cloud storage services. (Daryna Antoniuk / The Record)

Related: Positive Technologies

Source: Positive Technologies.

Queens District Attorney Melinda Katz announced that two members of a cybercrime crew, Tyrone Rose and Shamara Simmons, were arrested and charged with grand larceny, computer tampering, and conspiracy charges for stealing and selling over 900 digital tickets to Taylor Swift concerts and other pricey events on StubHub.

The international scam involved people working in Jamaica for a firm contracted by the online ticket marketplace.

The contractors stole the URLs of tickets purchased on StubHub and emailed them to others in New York, who then downloaded and resold them on StubHub at exorbitant prices.

According to prosecutors, the crew earned more than $600,000 in profits over roughly a year between June 2022 and July 2023.

Most of the stolen tickets were for Swift’s Eras Tour, but the thieves also boosted ones for Adele and Ed Sheeran concerts, NBA games, and the US Open Tennis Championship. (Associated Press)

Related: Queens District Attorney, QNS, KOMO, USA Today

The National Basketball Association commissioner's X account was hacked to promote a crypto scam, which triggered a cascade of breaches that compromised several international NBA accounts, including those for the league's Spain and UK fanbases.

The hacked message announced the launch of a crypto asset titled "$NBA Coin."

The post's caption read: "The NBA is taking the game to the next level. Introducing $NBA Coin! our official digital asset on Solana, designed to enhance fan engagement and the future of sports transactions."

The NBA's phony post was deleted promptly after posting to the account's 48.1 million followers. (Alejandro Avila / OutKick)

Related: Front Office Sports, ON3, Newsbreak, The Score, The Mirror

Cisco warned customers of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.

While the company has yet to assign a CVE ID to track this security issue, Cisco says it has already pushed a configuration change to address the flaw and advised customers to restart their Cisco Webex app to get the fix.

The vulnerability is caused by sensitive information exposed in the SIP headers and only affects Cisco BroadWorks (on-premises) and Cisco Webex for BroadWorks (hybrid cloud/on-premises) instances running in Windows environments.

The company advises admins to configure secure transport for SIP communication to encrypt data in transit as a temporary workaround until the configuration change reaches their environment. (Sergiu Gatlan / Bleeping Computer)
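The workaround above amounts to "make sure SIP signalling is not travelling in the clear." The following script is an added illustration, not Cisco's code and not tied to the undisclosed header in this advisory: it walks raw SIP messages, reads the transport from the top Via header per RFC 3261, and flags any message that carries a credential-bearing header (Authorization or Proxy-Authorization, whose Digest values include the username and response hash) over UDP, TCP or plain WebSocket rather than TLS. The sample messages are constructed for the example and use documentation IP ranges; the list of sensitive headers is an assumption chosen to be broad, since the page does not name the affected header.

```python
"""Flag SIP messages that carry credential-bearing headers over a cleartext transport.

Added example (not Cisco's or BroadWorks' code). It only checks the property
Cisco's workaround restores: SIP signalling protected by TLS. The messages in
SAMPLE_MESSAGES are constructed, not captured from a real deployment.
"""
import re
from dataclasses import dataclass

# Assumption: headers that routinely carry secrets in SIP signalling. The page
# does not say which header Cisco's advisory concerns, so this list is broad.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization")
CLEARTEXT_TRANSPORTS = ("UDP", "TCP", "WS")


@dataclass
class Finding:
    request_line: str
    transport: str
    header: str


def parse_headers(message: str):
    """Split a raw SIP message into (start line, {lowercase name: [values]}).

    Header names are case-insensitive; a line starting with whitespace is a
    folded continuation of the previous header (RFC 3261 section 7.3.1).
    """
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start_line = lines[0]
    headers: dict[str, list[str]] = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return start_line, headers


def top_via_transport(headers) -> str:
    """Transport of the top-most Via header, e.g. 'SIP/2.0/TLS host' -> 'TLS'."""
    vias = headers.get("via") or headers.get("v") or []  # 'v' is the compact form
    if not vias:
        return "UNKNOWN"
    m = re.match(r"SIP/2\.0/([A-Za-z]+)", vias[0])
    return m.group(1).upper() if m else "UNKNOWN"


def audit_messages(messages):
    """Return a Finding for every sensitive header sent over a cleartext transport."""
    findings = []
    for msg in messages:
        start, headers = parse_headers(msg)
        transport = top_via_transport(headers)
        if transport not in CLEARTEXT_TRANSPORTS:
            continue
        for name in SENSITIVE_HEADERS:
            if name in headers:
                findings.append(Finding(start, transport, name))
    return findings


# Constructed sample traffic (192.0.2.0/24 is a documentation range).
SAMPLE_MESSAGES = [
    # 1: REGISTER with Digest credentials over UDP -> flagged
    "REGISTER sip:example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.net>;tag=1928\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Authorization: Digest username=\"alice\", realm=\"example.net\",\r\n"
    " nonce=\"abc\", response=\"d41d8cd98f00b204e9800998ecf8427e\"\r\n"
    "Content-Length: 0\r\n\r\n",
    # 2: the same REGISTER over TLS -> not flagged
    "REGISTER sip:example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK777\r\n"
    "From: <sip:alice@example.net>;tag=1929\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Authorization: Digest username=\"alice\", realm=\"example.net\", nonce=\"abc\"\r\n"
    "Content-Length: 0\r\n\r\n",
    # 3: INVITE with Proxy-Authorization over TCP (compact Via) -> flagged
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "v: SIP/2.0/TCP 192.0.2.11:5060;branch=z9hG4bK778\r\n"
    "Proxy-Authorization: Digest username=\"alice\", realm=\"example.net\"\r\n"
    "Content-Length: 0\r\n\r\n",
    # 4: INVITE over UDP with no credentials -> not flagged
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.12:5060;branch=z9hG4bK779\r\n"
    "Content-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for f in audit_messages(SAMPLE_MESSAGES):
        print(f"{f.transport:3} {f.header:20} {f.request_line}")
```

Run against messages captured with tcpdump or exported from the BroadWorks application server, the script gives a quick answer to whether the interim advice has actually taken effect: any finding means credential material is still crossing the wire without TLS, regardless of what the vendor-side configuration change eventually fixes.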

Related: Cisco

Broadcom issued patches for three VMware hypervisor-hijacking bugs, including one rated critical, that criminals have already found and exploited.

The vulnerabilities tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 affect VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Updating to a fixed version will plug the holes. (Jessica Lyons / The Register)

Related: Broadcom, GitHub, Dark Reading, The Record, CSO Online, Ars Technica

Cybereason CEO Eric Gan has stepped down following a months-long feud with investors SoftBank Group Corp. and former US Treasury Secretary Steven Mnuchin, which has stalled decision-making at the cash-strapped startup.

Gan resigned after a boardroom battle erupted at the La Jolla, California-based cybersecurity company, which has been struggling to raise money and stem losses. According to someone familiar with the matter, a planned merger with Chicago-based peer Trustwave Holdings Inc. has also been terminated.

Gan, a former SoftBank executive who helped the tech investor build telecom infrastructure in Japan, sued Mnuchin and the Vision Fund last month, alleging the investors had prioritized their own interests and stymied his efforts to raise the money needed to stave off bankruptcy. Both Mnuchin and the Vision Fund deny the allegations. (Min Jeong Lee and Donal Griffin / Bloomberg)

Related: CTech

British startup Quantexa, an enterprise platform that employs AI and data analytics to fight money laundering and fraud, has raised $175 million in a Series F venture funding round.

Teachers’ Venture Growth (TVG), a division of the Ontario Teachers’ Pension Plan in Canada, led the deal, which also saw participation from previous backer British Patient Capital. (Ingrid Lunden / TechCrunch)

Related: ITPro, EU-Startups, Tech Times, Sifted.eu, Fintech Finance, FinSMEs, The Times, Tech Funding News, UKTN, Digit, City AM

According to sources, venture firm Andreessen Horowitz is set to lead a funding round for the startup Flock Safety, a prominent maker of license plate-reading cameras, valuing the company at about $7.5 billion.

The startup plans to raise about $250 million in the round, said one of the people, all of whom asked not to be identified discussing private information. The person cautioned that the details of the deal could still change. (Katie Roof / Bloomberg)

Best Thing of the Day: Maybe There's Life Left in the US Congress After All

The Federal Contractor Cybersecurity Vulnerability Reduction Act, a bill requiring federal contractors to abide by vulnerability disclosure policies, moved one step closer to becoming a law after sailing through the US House of Representatives.

Worst Thing of the Day: What's a Little Insider Threat to People Who Want to Watch the US Burn?

Some US government workers with top security clearances who were fired in mass layoffs overseen by Elon Musk in recent weeks were not given standard exit briefings or advice on what to do if approached by foreign adversaries.
