Indian cops busted Garantex co-founder at the US government's request
Chinese spy group is targeting Juniper Networks' routers, First presence of Volt Typhoon in US power grid confirmed, Medusa ransomware gang impacted 300 US critical infrastructure orgs, FCC to create security council to counter Chinese cyber threats, EU warns of Iran-Russia hybrid attacks, much more


Check out my latest CSO news item on Trump's nomination of Sean Plankey as CISA chief and whether that might slow down DOGE-delivered funding cuts and layoffs after seven brutal weeks at the agency.
Metacurity is a mostly reader-supported publication that relies on the generous support of our paid readers. Please consider supporting Metacurity with an upgraded subscription. Thank you.
If you can't commit to a subscription today, please consider donating whatever you can. Thank you!
Indian police arrested the co-founder of Garantex, a Russian cryptocurrency exchange sanctioned by the European Union and the US government, under India’s extradition law at the request of the US government.
US Justice Department spokesperson Nicole Oxman confirmed that the co-founder, Besciokov, was “arrested in India at the request of the United States."
Shortly after the arrest, Besciokov was produced before the local court in the district and will be taken to the Patiala Court on Monday to face the charges.
Besciokov was indicted along with Russian national Aleksandr Mira Serda, who co-founded Garantex and lives in the United Arab Emirates.
The two administrators, according to US prosecutors, “redesigned Garantex’s operations to evade and violate US sanctions and induce US businesses to unwittingly transact with Garantex in violation of the sanctions.” (Jagmeet Singh and Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Decrypt, The Block, CoinDesk, Krebs on Security, Times of India, Times of India, BleepingComputer, India TV News, Protos, crypto.news, Cointelegraph, Economic Times, Protos, Bleeping Computer
Researchers at Google-owned Mandiant report that a state-backed espionage group operating out of China, dubbed UNC3886, is targeting Juniper Networks' routers.
The researchers say the group was behind a campaign last year to deploy custom backdoors on the company’s Junos OS routers. The group appears “focused mainly on defense, technology, and telecommunication organizations located in the US and Asia."
Mandiant worked with Juniper Networks to investigate the activity and found that the affected routers were running end-of-life hardware and software. The malware deployed on the Juniper routers “demonstrates that UNC3886 has in-depth knowledge of advanced system internals,” they said.
The company previously tracked UNC3886’s efforts in 2023 to exploit vulnerabilities in Fortinet and VMware network security systems and firewalls.
The incident responders found that the goal in both campaigns was the same — to “gather and use legitimate credentials to move laterally within a network, undetected.” They assess the threat actor is preeminently focused on maintaining long-term access to victim networks. (Jonathan Greig / The Record)
Related: Google Cloud, Cybernews, The Register, HackRead, CSO Online, Dark Reading
OT cybersecurity company Dragos spotted unusual network traffic and communications with China that shouldn't have been occurring inside the Littleton Electric Light and Water Departments (LELWD) in Massachusetts, only to discover the intruders were the Chinese nation-state threat group Volt Typhoon.
The discovery was the first-ever confirmed presence of Volt Typhoon in a US electric grid.
The Chinese spies gained initial access via a buggy FortiGate 300D firewall. Fortinet patched this flaw in December 2022, but as of August 2023, LELWD's managed services provider still hadn't updated the firmware. The water and electric utility has since fired that MSP.
By December, the federal government had also installed its own sensors on LELWD's networks and requested that the utility leave the security hole open so they could monitor the spies' activity.
A week before Christmas, the feds and the Chinese spies were off LELWD's networks, and the firewall vulnerability was patched. The utility completely rebuilt its networks to ensure it didn't just copy over a Volt Typhoon backdoor, and last August, the government agencies performed a three-week penetration test to ensure the utility's network defenses were working properly (they were). (Jessica Lyons / The Register)
Related: Dragos, PC Mag, Industrial Cyber, The Record, Security Week, HackRead
In a joint advisory with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the US Cybersecurity and Infrastructure Security Agency (CISA) said the Medusa ransomware operation had impacted over 300 organizations in critical infrastructure sectors in the United States as of last month.
"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," the agencies said.
Medusa ransomware surfaced almost four years ago, in January 2021, but the gang's activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms using stolen data as leverage.
Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.
The advisory offers a series of measures to defend against Medusa. (Sergiu Gatlan / Bleeping Computer)
Related: CISA, Cyber Daily, Industrial Cyber, The Record, HackRead, Security Affairs
Brendan Carr, the new chair of the US Federal Communications Commission, said he is creating a national security council to bolster US defenses against Chinese cyber attacks and help it stay ahead of China in critical technologies, such as artificial intelligence.
The council will be led by Adam Chan, a lawyer who previously worked for the House of Representatives China committee, which Congress created in 2023 to focus on security threats from Beijing.
Carr said he was establishing the council to step up the agency’s focus on the “persistent and constant threat from foreign adversaries, particularly the Chinese Communist party." (Demetri Sevastopulo / Financial Times)
The EU High Representative for Foreign Affairs and Security Policy Kaja Kallas told Belgian broadcaster VRT that Russian and Iranian agents are behind “state-sponsored terrorism" against Europe, responding to revelations that Russia was recruiting people in Europe to spread disinformation and conduct sabotage and cyberattacks.
Public broadcasters revealed that pro-Russia hacktivist groups were actively approaching people on social media site Telegram to conduct sabotage and vandalism and support disruptive operations across Europe.
Journalists saw and directly received requests to carry out various acts of sabotage, including plastering the EU quarter with anti-NATO stickers and collecting the email addresses of 30 Belgian journalists seen as sympathetic toward the Ukrainians.
Participants were promised payments in cryptocurrencies in exchange for the support.
NATO's Deputy Assistant Secretary-General for Innovation, Hybrid, and Cyber James Appathurai told VRT that he was “absolutely convinced” that cyberattacks would continue to take place even if Moscow and Kyiv can come to an agreement about putting down their arms. (Antoaneta Roussi and Laurens Cerulus / Politico EU)
Related: VRT, VRT, Eurovision News, Latvian Public Media
Niantic is selling Pokémon Go, Pikmin Bloom, and Monster Hunter Now to Scopely, which is a wholly-owned subsidiary of a Saudi Arabian company called Savvy Games, which itself is owned by the Saudi Arabian government’s Public Investment Fund, with no word about what happens to all of the users' location data.
Two other apps, called Campfire and Wayfarer, are also part of the deal. Campfire is a tool that lets people meet up in the real world to play Pokémon Go (or other Niantic games) together, and Wayfarer is an app that specifically leverages the players of Niantic games to map real-world locations for Pokémon Go. Niantic will keep Ingress, its first augmented reality game, and another game called Peridot.
Niantic said that a knock-on effect of this massive deal is that it will spin off its nascent AI mapping business, which was using Pokémon Go data to create a “large geospatial model,” into a separate company called Niantic Spatial.
Scopely said, "Protecting player privacy and data is of the utmost importance to both Scopely and Niantic. Player data always has and will continue to be handled in accordance with strict data privacy laws and regulations, as well as stored exclusively on US-based servers. We never have and never will sell data to third parties. Player data will continue to be held in the US following the acquisition. Scopely maintains a fully autonomous and independent operational model distinct from Savvy and the PIF, including retaining full sovereignty over its technology ecosystem." (Jason Koebler / 404 Media)
Related: Kotaku, BBC News, Reuters, Wall Street Journal, Bloomberg, Morning Brew, New York Times, AL-Monitor, Financial Times, Scopely, Niantic Labs, Pokémon GO, GamesIndustry.biz, Gameranx, 80 Level, MIXED Reality News, VentureBeat, TechCrunch, Hindustan Times, Polygon, Android Headlines, PocketGamer.biz, How-To Geek, Los Angeles Times, The Information, Neowin, IGN, The Verge, The Hollywood Reporter, Eurogamer.net, Bloomberg, Variety, Deadline, Financial Times
Security researcher Jeremiah Fowler discovered that more than 86,000 records containing nurses' medical records, facial images, ID documents, and other sensitive information linked to health tech company ESHYFT were left sitting in a wide-open, misconfigured AWS S3 bucket for months, or possibly even longer, before it was closed last week.
The non-password-protected, unencrypted database was discovered on January 4 and two days later reported to ESHYFT, a New Jersey-based company that operates in 29 US states and bills itself as "like an Uber for nurses."
He said both the database's name and the documents inside it "indicated that the records belonged to ESHYFT," and he immediately notified the outfit, which he said responded to thank him and say that it was taking action.
However, even after Fowler notified the company about the data disaster that was waiting to happen, the S3 cloud bucket containing ESHYFT info was not closed from public access until over a month later.
The bucket held 108.8 GB and contained 86,341 records. As of March 5, it is no longer open to the public. (Jessica Lyons / The Register)
Related: Teiss, Website Planet
Facebook warns that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
FreeType is a popular open-source font rendering library that displays text and programmatically adds text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th, 2023.
Facebook disclosed the flaw yesterday, warning that the vulnerability is exploitable in all versions of FreeType up to version 2.13 and that there are reports of it actively being exploited in attacks. (Bill Toulas / Bleeping Computer)
Related: Facebook
Google alleges that Meta's push for new laws requiring app stores to give parents control over kids’ app downloads is a misguided effort to “offload” Meta’s own responsibility to keep kids safe.
Google's allegation follows the passage of Utah’s App Store Accountability Act, the first of its kind to advance to the governor’s desk. The act requires app store operators to keep kids from accessing inappropriate content.
Similar bills in more than a dozen states across the country are part of a growing trend of child safety legislation following the failure of the Kids Online Safety Act to become law last year.
Google proposes putting more discretion on app developers, rather than app stores, to determine the appropriate protections to put in place for a given age group. (Lauren Feiner / The Verge)
Related: The Keyword, Engadget, MediaPost, Bloomberg Law
Automated security validation company Pentera announced it had raised $60M in a Series D venture funding round.
Evolution Equity Partners led the round with participation from Farallon Capital Management. (Ingrid Lunden / TechCrunch)
Related: FinTech Global, Startup News, CTech, BankInfoSecurity, TechInAsia, Verdict, FinSMEs, CityBiz
Digital executive protection platform 360 Privacy announced a $36 million growth equity investment from FTV Capital.
The company said it would invest the funds in growing engineering, customer service, and revenue teams. (Steve Brooks / Enterprise Times)
Related: CityBiz, The Business Journals, Intelligent CIO
Best Thing of the Day: Rest in Power to a Civil Liberties Hero
Mark Klein, a telecommunications technician for AT&T who risked civil liability and criminal prosecution to help expose a massive spying program that violated the rights of millions of Americans, passed away.
Worst Thing of the Day: DOGE is Giving US Digital Adversaries a Nice Little Breather
The onslaught of budget cuts and staff layoffs at CISA have forced workers to look over their shoulders instead of watching US digital adversaries.
Closing Thought
