Authorities sanction bulletproof hosting provider Zservers for LockBit support
Cops took down 8base gang's website, Authorities bust four Sky ECC distributors, NY State bans DeepSeek on gov't devices, SEC X hacker pleads guilty, NSA missions are hampered by DEI banned words, CISA election security workers placed on leave, Libyan activist targeted with spyware, much more
![Authorities sanction bulletproof hosting provider Zservers for LockBit support](/content/images/size/w1200/2025/02/Locktbit-ransomware.jpg)
The Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth and Development Office are jointly designating Zservers, a Russia-based bulletproof hosting (BPH) services provider, for its role in supporting LockBit ransomware attacks.
LockBit is one of the most deployed ransomware variants. It was responsible for the November 2023 attack against the Industrial Commercial Bank of China, a US broker-dealer.
The Treasury Department said that during a 2022 search of a known LockBit affiliate, Canadian law enforcement uncovered a laptop operating a virtual machine that was connected to a Zservers subleased IP address and running a programming interface used to operate LockBit malware. In 2022, a Russian cybercriminal purchased IP addresses from Zservers, almost certainly for use as LockBit chat servers to discuss ransomware operations. In 2023, Zservers leased infrastructure, including a Russian IP address, to a LockBit affiliate.
OFAC is also designating two Russian nationals who are key administrators of Zservers and have enabled ransomware attacks and other criminal activity.
The first is Alexander Igorevich Mishin (Mishin), a Russian national and administrator of Zservers. Mishin has marketed Zservers’ BPH services to cybercriminals, including LockBit affiliates and other ransomware groups, with the understanding that they would use those services in their cybercriminal activities. He has also directed virtual currency transactions to be made in support of those activities.
The other sanctioned Russian national is Aleksandr Sergeyevich Bolshakov (Bolshakov), also an administrator of Zservers. In 2023, Bolshakov and Mishin shut down an IP address in response to a complaint from a Lebanese company alleging that a Zservers-associated IP address had been used to deploy LockBit in a ransomware attack. Zservers likely enabled the ransomware attacks to continue by assigning a new IP address to the malicious LockBit user: Mishin instructed Bolshakov to change the user's IP address and then told the Lebanese company that the original IP address had been cut off. (US Department of the Treasury)
A group of international law enforcement agencies seized the dark web leak site of the 8base ransomware gang as part of a takedown operation.
“This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg,” reads a message on the gang’s dark web leak site.
According to the seizure message, law enforcement agencies from Europe, Japan, the US, and the UK were involved in the takedown operation.
The ransomware gang is a financially motivated hacking group first observed in 2022. Security experts have linked it to the RansomHouse extortion group. The group is known for employing double-extortion tactics: criminals encrypt sensitive information and then threaten to expose it if the victim does not pay a ransom demand.
In a message on its dark web leak site before this week’s takedown, 8base described itself as “honest and simple pentesters.” Much like the prolific Clop ransomware gang, 8base claimed to only target organizations that have “neglected the privacy and importance of the data of their employees and customers.” (Carly Page / TechCrunch)
Related: Security Affairs, Bleeping Computer, Cybernews, The Register, HackRead, SC Media, Databreaches.net, The Record, Infosecurity Magazine
![](https://www.metacurity.com/content/images/2025/02/image-19.png)
Spanish police announced the arrest in Spain and the Netherlands of four distributors of the encrypted communications service Sky ECC, used extensively by criminals.
The two suspects arrested in the country were the leading global distributors of the service, generating over €13.5 million ($14M) in profits.
The search and arrest operation took place in late January 2025 in Jávea (Alicante) and Ibiza.
During simultaneous police raids at seven locations, the authorities seized telephone terminals and electronic devices, €10,000 and $26,000 in cash, €1,400,000 worth of cryptocurrencies, two cars, and luxury items valued at over €50,000.
According to what is known, the clients bought access to the service through a three-month subscription-based scheme that cost €600.
In March 2021, Europol announced that it had cracked Sky ECC's encryption, allowing investigators to monitor the communications of 70,000 users, revealing extensive criminal activity.
Although the service initially denied these reports and claimed cybercriminals didn't use its platform, there was a mountain of evidence proving otherwise on both counts. (Bill Toulas / Bleeping Computer)
Related: Policia.es, Techzine, ComputerWeekly
New York State banned the use of the AI service DeepSeek on government devices, citing concerns over data privacy and censorship in the popular generative artificial intelligence app from China.
DeepSeek has caused significant security concerns among Western governments. Analysis from security experts suggests that it has hidden code that could enable information to be sent to sanctioned companies in China.
State agencies began removing the app over the weekend at Gov. Kathy Hochul’s direction, said Colin Ahern, the state’s chief cyber officer.
“We do have high confidence that the reporting that we’re seeing is true and should be taken very seriously. That’s why the governor is taking new steps today,” he said.
Under the New York ban, state employees will be prohibited from downloading the app on all devices and networks managed by the state’s Office of Information Technology Services, which manages tech for executive branch agencies in New York.
Ahern said the ban doesn’t affect state workers’ personal devices. He declined to comment on whether the state government had been in direct communication with DeepSeek over the ban. (James Rundle / Wall Street Journal)
Related: ABC News, Spectrum News, WGRZ, State of Politics
Eric Council, Jr., pleaded guilty Monday in federal court in Washington, DC, in connection with last year’s hack of the US Securities and Exchange Commission’s X account, which was used to falsely claim the agency had officially approved exchange-traded funds for bitcoin.
Council was arrested in October, more than 10 months after the Jan. 9, 2024, hack.
He pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. He faces a maximum possible sentence of five years in prison when he is sentenced on May 16.
Council agreed to forfeit to the government the $50,000 he received for his role in the hacking scheme.
Council, who used the online handles “Ronin,” “Easymunny” and “AGiantSchnauzer,” allegedly was paid in bitcoin by his unidentified co-conspirators. (Dan Mangan / CNBC)
Related: Justice Department, Finextra, Associated Press, Dark Reading, CoinDesk, The Record, CoinPedia, Cybernews, Bleeping Computer, Coinspeaker, The Crypto Times, Bloomberg, Cyber Security News, Coinpedia Fintech News, Benzinga, UPI, Wall Street Journal, The Verge, WUSA, CoinGape, The Block
The US National Security Agency (NSA) implemented a "Big Delete" of websites and internal network content that contained any of 27 banned words, including "privilege," "bias," and "inclusion," which created unintended negative consequences, including the deletion of mission-related work.
A memo from NSA leadership acknowledges that the list includes many terms that the NSA uses in contexts unrelated to DEI. For example, the NSA uses the term "privilege" in the context of "privilege escalation." In the intelligence world, privilege escalation refers to "techniques that adversaries use to gain higher-level permissions on a system or network."
The purge extends beyond public-facing websites to pages on the NSA's internal network, including project management software like Jira and Confluence. (Judd Legum and Rebecca Crosby / Popular Information)
Related: r/technology
![](https://www.metacurity.com/content/images/2025/02/image-22.png)
Sources say staffers at the Cybersecurity and Infrastructure Security Agency (CISA), whose job is to ensure the security of US elections, have been placed on administrative leave, jeopardizing critical support provided to state and local election offices across the country.
Recently, 17 CISA employees who have worked with election officials to provide assessments and training dealing with various threats, from cyber and ransomware attacks to the physical security of election workers, have been placed on leave pending a review.
Ten of those employees are regional election security specialists hired to expand field staff and election security expertise ahead of the 2024 election. The regional staffers were told the internal review would examine efforts to combat attempts by foreign governments to influence U.S. elections, duties that were assigned to other agency staff, according to one of the sources.
All were former state or local election officials brought in to build relationships across all 50 states and the nation’s more than 8,000 local election jurisdictions. They spent the past year meeting with election officials, attending conferences and trainings, and ensuring officials were aware of the agency’s various cybersecurity and physical security services. (Christina A. Cassidy / Associated Press)
Related: Cyberscoop, r/hacking
David Yambio, the president and co-founder of Refugees in Libya and an Italy-based human rights activist, said that Apple informed him his phone was targeted in a spyware attack.
Yambio has been a critic of the Italian government’s migrant pact with the North African country and its recent controversial decision to release Osama Najim, a Libyan police chief wanted by the international criminal court (ICC) for suspected war crimes, including torture, murder, enslavement, and rape. Yambio, 27, was an alleged victim of Najim’s abuses during his detention at the notorious Mitiga prison near Tripoli.
Yambio received an email from Apple informing him that he was being targeted by “a mercenary spyware attack” that was attempting to “remotely compromise the iPhone associated with your Apple account.” The message said the attack “is likely targeting you specifically because of who you are or what you do.”
It did not specify what kind of spyware was being used against him, and Yambio was not one of the 90 people who received a WhatsApp notification.
Yambio said he contacted a digital security expert at CyberHub-AM in Armenia, who in turn connected him with the Citizen Lab at the University of Toronto, which tracks digital threats against civil society and assisted WhatsApp in tracking hacking attempts made against the 90 people, allegedly using the spyware produced by Paragon. Seven of the alleged targets live in Italy.
Yambio is attending a press conference in the European Parliament on Tuesday afternoon about the case involving Najim, also called Almasri, which has roiled Italian politics recently. The ICC said that it had officially asked Italy to explain why the country released Najim after his arrest in Turin instead of extraditing him to the Netherlands, where the court is based. (Angela Giuffrida and Stephanie Kirchgaessner / The Guardian)
Related: Reuters, Devdiscourse
According to the threat monitoring platform The Shadowserver Foundation, a large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
The foundation says a brute force attack has been ongoing since last month, employing almost 2.8 million source IP addresses daily to perform these attacks.
Most of these (1.1 million) are from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico, but the activity originates from a very large number of countries overall. (Bill Toulas / Bleeping Computer)
Related: GBhackers, BankInfoSecurity, Forbes, Cybernews
Apple released updates for its mobile operating systems for iOS and iPadOS, which fixed a flaw that the company said “may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
In the release notes for iOS 18.3.1 and iPadOS 18.3.1, the company said the vulnerability allowed the disabling of USB Restricted Mode “on a locked device.” Introduced in 2018, USB Restricted Mode is a security feature that blocks an iPhone or iPad from sending data over a USB connection if the device isn’t unlocked for seven days.
Apple hints that the attacks were most likely carried out with physical control of a person’s device, meaning whoever was abusing this flaw had to connect to the person’s Apple devices with a forensics device like Cellebrite or Graykey, two systems that allow law enforcement to unlock and access data stored on iPhones and other devices.
Bill Marczak, a senior researcher at the Citizen Lab, a University of Toronto group that investigates cyberattacks against civil society, discovered the vulnerability. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Apple, The Verge, Daily Mail, 9to5Mac, Forbes, CNET, BGR, MacRumors, Wccftech, Tom's Guide, Apple Insider, Security Week
Security researcher Egidio Romano (EgiX) discovered that over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability, CVE-2024-52875.
KerioControl is a network security suite that small and medium-sized businesses use for VPNs, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.
GFI Software released a security update on December 19, 2024, to fix the problem with version 9.4.5 Patch 1, yet three weeks later, according to Censys, over 23,800 instances remained vulnerable.
Most of these instances are located in Iran, the United States, Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India.
Admins are strongly advised to install KerioControl version 9.4.5 Patch 2, released on January 31, 2025, which contains additional security enhancements. (Bill Toulas / Bleeping Computer)
Related: CSO Online
![](https://www.metacurity.com/content/images/2025/02/image-21.png)
The US Cybersecurity and Infrastructure Security Agency (CISA) warned federal civilian agencies to patch an actively exploited vulnerability, CVE-2025-0994, that affects Trimble Cityworks, a popular tool many governments use to manage public infrastructure.
Trimble Cityworks is an asset management system many local and federal government agencies use to manage infrastructure assets for airports, utilities, municipalities, and counties.
CISA said the vulnerability allows malicious actors to “potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server.”
In a letter to customers, the company said the notice followed “investigations of reports of unauthorized attempts to gain access to specific customers' Cityworks deployments." (Jonathan Greig / The Record)
Related: CISA, Trimble, TechRadar, DMNews, BankInfoSecurity, Security Week
Government and services were shut down in the small Alabama town of Tarrant after cybercriminals attacked its computer system and demanded ransom.
Tarrant Police Chief Wendell Major said city IT contractors were able to take down the server, make repairs, and restore service.
“Our IT protocols were enacted. You’ve got to be prepared for this,” he told AL.com. “We just operate like we normally do.”
Major said the only noticeable difference today is that the department is using paper to file police reports. He said other essential computer services, such as record searches, remain operational. (Joseph D. Bryant / AL.com)
Goldman Sachs Group's growth equity unit led a $125 million funding round for software startup Tines Security Services Ltd., valuing the startup at $1.13 billion and underscoring investors’ appetite for artificial intelligence-powered business tools.
The deal boosted Tines’ valuation by more than 80% from its previous value of $600 million last year. Other investors included SoftBank Group Corp.’s Vision Fund 2, investment firm Activant Capital, and Accel.
Tines, which makes AI software to automate cybersecurity and other business operations tasks, will use the money “to double down on R&D,” said Chief Executive Officer Eoin Hinchy. “That’s the main thing.” (Lizette Chapman / Bloomberg)
Related: Investing.com
Cybersecurity startup ThreatMate announced it had raised $3.2 million in a seed venture funding round.
Top Down Ventures’ Founders Fund led the round with additional support from Blu Ventures and Runtime Ventures. (Ionut Arghire / Security Week)
Related: SC Media, FinTech Global, FinSMEs
Eric Gan, the CEO of Cybereason, sued two investors, former Treasury Secretary Steven Mnuchin and the SoftBank Vision Fund, accusing them of putting the company at risk of bankruptcy by rejecting multiple plans for a much-needed capital infusion of as much as $150 million.
Using their voting rights as board members, the two investors “systematically rejected financing proposals, solely to preserve their control and financial advantages,” Gan said in a complaint filed Monday in Delaware Chancery Court. Gan said the cybersecurity software maker will be forced into Chapter 11 bankruptcy if immediate financing isn’t secured.
Gan and his family office own about 6.8% of the company’s shares, while Mnuchin’s investment firm, Liberty Strategic Capital, has about 6.6%, and SVF owns about 20%, according to the suit. Mnuchin and SVF director Daniela Llobet, also named as a defendant, sit on the Cybereason board. (Sabrina Willmer and Max Abelson / Bloomberg)
Best Thing of the Day: Proving the Inaccuracy of Chatbots
The BBC gave OpenAI's ChatGPT, Microsoft's Copilot, Google's Gemini, and Perplexity AI content from the BBC website, then asked them questions about the news, only to discover they were inaccurately summarizing the news.
Worst Thing of the Day Number One: Would a Backdoor by Any Other Name Still Not Suck?
The UK Home Office is trying to put a positive spin on its demand for a backdoor into Apple's encrypted iCloud saying “…it’s not a backdoor, we just want existing exploitable weaknesses to NOT be removed.”
Worst Thing of the Day Number Two: His Next Role is Top Adviser to the Senior Prom
Nineteen-year-old "Big Balls" Edward Coristine, who was part of the DOGE team raiding US government systems, is now technically a senior adviser at the State Department and at the Department of Homeland Security.
Worst Thing of the Day Number Three: Next Thing is Mandatory Doom Scrolling When in Traffic Jams
Stellantis, the parent company of Jeep, Dodge, Chrysler, and Ram, will be introducing pop-up ads that appear every time a vehicle stops.
Closing Thought
![](https://www.metacurity.com/content/images/2025/02/image-20.png)