Russian Prosecutor Accuses Recorded Future of Cooperation in Cyberattacks Against Moscow

US eyes ban on TP-Link routers, CISA issues cloud security directive, DHS worries about SS7 security holes in telecom networks, Dutch fine Netflix $5m, EU authority fines Meta $263m over 2018 hack, Interpol wants folks to stop saying pig butchering, Ledger phishing campaign underway, and much more

Russian Prosecutor Accuses Recorded Future of Cooperation in Cyberattacks Against Moscow
Decree of the President of Russia, Public domain, via Wikimedia Commons

Russia's Prosecutor General's office designated US cybersecurity firm Recorded Future as an "undesirable" organization and accused it of being involved in cyberattacks against Moscow.

Russia's Prosecutor General said the company's employees "actively cooperate with the CIA and intelligence services of other countries and provide informational and technical support for the anti-Russian propaganda campaign undertaken by the West."

Moscow began compiling a list of "undesirable" organizations in 2015, which has ballooned to 194 entities, including The Moscow Times. Being listed as "undesirable" means organizations are forced to shut down inside Russia.

Russian citizens who work for "undesirable" organizations, finance them, or collaborate with them may also be subject to criminal prosecution. Leaders of an "undesirable" organization can face up to six years in prison, while participating in the organization's activities can bring a four-year jail term. (AFP)

Related: Russian Federation Prosecutor General's Office, Oreanda News

According to sources, investigators at the Commerce, Defense, and Justice departments have opened investigations into Chinese router maker TP-Link, and authorities could ban the sale of its routers in the US next year. An office of the Commerce Department has subpoenaed the company.

Action against the company would likely fall to the incoming Trump administration, which has signaled an aggressive approach to China.

An October analysis from Microsoft found that a Chinese hacking entity maintains an extensive network of compromised network devices, primarily thousands of TP-Link routers.

Numerous Chinese actors have used the network to launch cyberattacks against Western targets, including think tanks, government organizations, nongovernmental organizations, and Defense Department suppliers.

However, security experts say there is no evidence that TP-Link routers are more likely to be exploited by threat actors, including the Chinese government, than routers made by any other manufacturer. (Heather Somerville, Dustin Volz and Aruna Viswanatha / Wall Street Journal, and Cynthia Brumfield / CSO Online - from September)

Related: Reuters, 9to5Mac, The Verge

The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive giving federal agencies a series of deadlines to identify cloud systems, implement assessment tools, and abide by the agency’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

Since April 2022, CISA has used the SCuBA project to provide guidance and capabilities to secure federal agencies’ cloud business application environments and protect federal information created, accessed, shared, and stored in those environments. 

The push to make it mandatory is new. CISA warned of recent incidents that show attackers can use misconfigurations and weak security controls to steal data and disrupt services. 

While the agency did not provide details, in 2023 and 2024, hackers from Russia and China conducted at least two major federal government breaches through Microsoft cloud products. 

When asked why the directive was being issued now or if it was related to a specific incident, Matt Hartman, deputy executive assistant director for cybersecurity at CISA, said there have been “a number of recent cybersecurity incidents” where “the improper configuration of security controls in cloud environment introduced substantial risk and has resulted in actual compromises.”

Hartman would not detail the recent incidents or intrusions, only mentioning the 2020 SolarWinds compromise as an example. (Jonathan Greig / The Record)

Related: CISA, Cyberscoop, Dark Reading, Bleeping Computer, Homeland Security Today, Payment Security

According to information released by Senator Ron Wyden, the US Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the “primary” countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts.

The news provides more context around the use of SS7, the exploited network and protocol, against phones in the country. SS7 is the signaling protocol suite carriers use to set up calls and route texts between networks, including when a phone roams outside its home network. However, governments, surveillance contractors, and financially motivated criminals also leverage it to target phones.

The information is in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017, DHS personnel gave a presentation on SS7 security threats at an event open to US government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers,” it continues.

“Those countries, according to the DHS presentation, are Russia, China, Israel, and Iran,” it adds. The presentation also listed other countries where telecom assets are used to attack US subscribers, including “a number of countries in Africa, Central/South America, and Europe, the Middle East.”

In the newly released document, Senator Wyden’s office says the DoD confirmed it believes that all US carriers are vulnerable to SS7 and Diameter surveillance and that the DoD has not reviewed third-party audits carried out by US carriers of their own networks. “The DoD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the DoD writes. Diameter is the signaling protocol that replaced SS7 in 4G/LTE core networks; it is more modern, but it is open to the same kinds of location-tracking and interception attacks. (Joseph Cox / Motherboard)

Related: Senator Ron Wyden, Firstpost, Slashdot, Odessa Journal, AskWoody

The US Justice Department announced the sentencing of 32-year-old Vitalii Antonenko, a man accused of hacking, credit card theft, and money laundering.

Antonenko, a resident of New York City, was arrested in March 2019 after returning from Ukraine. An indictment accusing him of participating in a cybercrime scheme was announced one year later.

He pleaded guilty to conspiracy to engage in computer hacking, money laundering, and trafficking in stolen payment card information in September 2024.

Antonenko was sentenced to 69 months and 18 days in prison last week. However, since he has been in custody since 2019, he is expected to be released 10 days after sentencing.

When he was arrested in 2019 after landing at JFK Airport following a trip to Ukraine, law enforcement discovered that computers and other storage devices he had been carrying contained hundreds of thousands of stolen payment card numbers.

Investigators determined that Antonenko was part of a cybercrime group that searched the internet for vulnerable networks from which they could steal personal and payment card information. (Eduard Kovacs / Security Week)

Related: Justice.gov

The Dutch Data Protection Authority said it had fined Netflix €4.75 million ($5 million) because the company "did not inform customers clearly enough in its privacy statement" about what it does with their personal data.

“Furthermore, customers did not receive sufficient information when they asked Netflix which data the company collects about them,” the regulator said.

The agency said Netflix has since updated its privacy statement and improved its information provision. (Sarah Jacob and Cagan Koc / Bloomberg)

Related: Noyb, Dutch News, TechCrunch, NL Times, Times of India, Telecomlead, TechCentral.ie

Ireland’s Data Protection Commission (DPC) fined Meta €251 million (around $263 million) in the European Union for a Facebook security breach that affected millions of users, which the company disclosed in September 2018.

The penalty enforces the bloc’s General Data Protection Regulation (GDPR).

The breach dates back to July 2017, when Facebook rolled out a video upload function that included a “View as” feature, which let the user see their own Facebook page as another user would see it.

A bug in the design allowed malicious actors to invoke the uploader in conjunction with Facebook’s “Happy Birthday Composer” feature to generate a user token that gave them full access to the Facebook profile of that user. They could then use the token to exploit the same combination of features on other accounts, gaining unauthorized access to multiple users’ profiles and data, per the DPC.

Between September 14 and September 28, 2018, the watchdog said unauthorized people used scripts to exploit this vulnerability to log in to approximately 29 million Facebook accounts globally, around 3 million of which were based in the EU/European Economic Area. (Natasha Lomas / TechCrunch)
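The DPC's description above is a credential-confusion pattern: a page rendered "as" another user embedded a component that needed an access token, and that component was handed a token for the rendered identity rather than the authenticated one, so every stolen token let the attacker repeat the trick from the victim's account. The toy model below is an added example, not Facebook's code; the service, token format, scope names and friend graph are invented stand-ins, and the "fixed" class shows the design rule that closes the class of bug (tokens are only minted for the authenticated principal, and a preview context gets a scope that can only render, never act).

```python
"""Toy model of the "View As" credential-confusion bug class.

Added example, not Facebook's code: the service, token format, scopes and
user graph are invented stand-ins used only to show the shape of the flaw.
"""
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # server-side key, generated for the example
FULL_ACCESS = {"profile:read", "profile:write"}


def mint_token(subject: str, scopes: set) -> str:
    """HMAC-signed bearer token: '<json payload>.<hex signature>'."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str) -> dict:
    payload, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return json.loads(payload)


class ViewAsVulnerable:
    """The profile page is rendered as `view_as`. An embedded composer widget asks
    for an API token for 'the current user', and the current user of the rendered
    page is the impersonated one; the token is then returned to whoever is viewing."""

    def render_profile(self, session_token: str, view_as: str) -> dict:
        verify_token(session_token)  # caller only has to be logged in as *someone*
        widget_token = mint_token(view_as, FULL_ACCESS)  # BUG: minted for the rendered identity
        return {"rendered_as": view_as, "widget_token": widget_token}


class ViewAsFixed:
    """Tokens are bound to the authenticated principal, and the preview context is
    given a scope that can only render, never act as anyone."""

    def render_profile(self, session_token: str, view_as: str) -> dict:
        session_user = verify_token(session_token)["sub"]
        widget_token = mint_token(session_user, {"preview:render"})
        return {"rendered_as": view_as, "widget_token": widget_token}


def attack_chain(service, attacker: str, first_victim: str, friends_of: dict) -> dict:
    """Replay the chain the DPC describes: open View As on a victim, keep any
    full-access token that comes back for the victim, then use that token as the
    session to open View As on each of the victim's friends, and so on.
    Returns {victim_id: stolen_token}."""
    harvested = {}
    frontier = [(mint_token(attacker, FULL_ACCESS), first_victim)]
    while frontier:
        session_token, target = frontier.pop()
        if target in harvested:
            continue
        tok = service.render_profile(session_token, target)["widget_token"]
        claims = verify_token(tok)
        # Only a token that actually names the victim with write access is useful.
        if claims["sub"] == target and "profile:write" in claims["scopes"]:
            harvested[target] = tok
            frontier.extend((tok, friend) for friend in friends_of.get(target, []))
    return harvested


if __name__ == "__main__":
    friends = {"alice": ["bob", "carol"], "bob": ["alice", "dave"]}  # constructed graph
    print("vulnerable:", sorted(attack_chain(ViewAsVulnerable(), "mallory", "alice", friends)))
    print("fixed:     ", sorted(attack_chain(ViewAsFixed(), "mallory", "alice", friends)))
```

Against the vulnerable service, one View As call on a single victim fans out to every account reachable through the friend graph; against the fixed service the attacker only ever gets tokens naming themselves, so the chain never starts. The signature check in `verify_token` is not what stops the attack, the binding of `sub` to the authenticated session is.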

Related: Bleeping Computer, Security Affairs, Silicon Angle, South China Morning Post, Social Media Today, Bloomberg, Mobile World Live, Euractiv, Security Affairs, The Record, Phone Arena, CSO Online, Reuters, Fudzilla, TechNadu

Interpol is calling for a shift in language to combat online relationship and investment frauds, advocating for the term 'romance baiting' to replace the widely used but stigmatizing 'pig butchering.'

The term comes from fraudsters referring to their victims as 'pigs' – those they gradually 'fatten up' by luring them into a fake romance or friendship before 'butchering' them by convincing them to invest, often in fake cryptocurrency schemes.

Once victims invest significant sums of money, they are manipulated further or abruptly cut off, often leaving them with devastating financial losses as well as psychological harm.

Interpol argues that the term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities. (Interpol)

Related: Wired, The Register, Gizmodo, PCMag

Researchers from Kaspersky Lab report that an advanced persistent threat (APT) group called Careto or The Mask, which has been absent for over a decade, has suddenly resurfaced in a cyber-espionage campaign targeting organizations in Latin America and Central Africa.

The group began operations in 2007 and seemingly vanished in 2013. Over that period, the Spanish-speaking threat actor claimed some 380 unique victims across 31 countries, including the US, UK, France, Germany, China, and Brazil.

The security vendor also observed the attackers targeting cookies from messenger apps such as WhatsApp, WeChat, and Threema.

As part of the attack chain, Careto exploited a previously unknown vulnerability in a security product used by both of the victims described in the report to distribute four multi-modular implants on machines across each victim's network. Kaspersky's report did not identify the security product or the vulnerability that Careto has been exploiting in its new campaign. (Jai Vijayan / Dark Reading)

Related: Securelist, Security Affairs

A new Ledger phishing campaign is underway that pretends to be a data breach notification asking you to verify your recovery phrase, which is then stolen and used to steal your cryptocurrency.

Ledger makes hardware cryptocurrency wallets that allow you to store, manage, and sell cryptocurrency. The funds in these wallets are secured by a 24-word recovery phrase (or a 12- or 18-word phrase generated by another wallet and imported into the Ledger device).

Anyone who knows your Ledger recovery phrase can use it to access the funds within the wallet. Therefore, recovery phrases must always be kept offline and never shared with anyone to prevent cryptocurrency funds from being stolen.

Over the past few days, multiple people have reported receiving a Ledger phishing email that pretends to be a new data breach notification.

The phishing emails have the subject of "Security Alert: Data Breach May Expose Your Recovery Phrase" and appear to be from "Ledger <support@ledger.com>." However, they are sent through the SendGrid email marketing platform.

The phishing emails claim that Ledger suffered a data breach and that some recovery phrases have been exposed. The email then says that the user must verify their recovery phrase on Ledger's official verification page.

Clicking a link in the email takes the target to a site impersonating Ledger that asks them to perform a security check to see if their recovery phrase is compromised. Clicking "Verify your Ledger now" brings up another page asking you to enter your 12-, 18-, or 24-word Ledger recovery phrase.

Armed with the recovery phrase, the attackers can gain full access to the victim's cryptocurrency funds and steal them. (Lawrence Abrams / Bleeping Computer)
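The two tells in the campaign as described above are a From: header that claims ledger.com while the mail is actually relayed by a bulk-mail service, and a "verification" link that does not go to ledger.com. The script below is an added example, not code from the article or from Ledger, showing how a gateway or an analyst checks both with the Python standard library. The raw message is constructed for illustration: the From: line mimics the campaign, but sendgrid.example, ledger-verify.example and mx.example are placeholders, not the campaign's real infrastructure.

```python
"""Triage checks for a brand-impersonation phishing email (added example).

Constructed sample; only the From: header and subject mirror the campaign.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EMAIL = b"""\
Return-Path: <bounces+12345@sendgrid.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=sendgrid.example;
 dkim=pass header.d=sendgrid.example
From: Ledger <support@ledger.com>
To: victim@example.org
Subject: Security Alert: Data Breach May Expose Your Recovery Phrase
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Some recovery phrases may have been exposed. Please verify yours on our
official verification page.</p>
<a href="https://ledger-verify.example/check">Verify your Ledger now</a>
</body></html>
"""


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic (last two labels). Fine for the .com and
    .example names used here; use a public-suffix list for real traffic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_alignment(raw: bytes) -> dict:
    """Compare the header From domain with the envelope sender and with the
    domains that actually passed SPF/DKIM. An SPF/DKIM 'pass' for the bulk
    mailer's domain says nothing about the brand shown in From:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = registrable(parseaddr(str(msg.get("From", "")))[1].split("@")[-1])
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    authenticated = [registrable(m.group(1)) for m in (spf, dkim) if m]
    return {
        "header_from": header_from,
        "envelope_from": registrable(return_path.split("@")[-1]) if return_path else "",
        "authenticated_domains": authenticated,
        # relaxed DMARC alignment: some passing identifier shares the From org domain
        "aligned": header_from in authenticated,
    }


def off_brand_links(raw: bytes, brand_domain: str = "ledger.com") -> list:
    """Return every href in the body whose registrable domain is not the brand's."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hrefs = re.findall(r'href="([^"]+)"', text)
    return [u for u in hrefs if registrable(urlparse(u).hostname or "") != brand_domain]


def triage(raw: bytes) -> dict:
    """Combine both checks into a verdict for a mail gateway rule or a SOC ticket."""
    align = sender_alignment(raw)
    links = off_brand_links(raw)
    verdict = "suspicious" if (not align["aligned"] or links) else "no_finding"
    return {"verdict": verdict, **align, "off_brand_links": links}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

On the constructed message the From domain is ledger.com while the only identifiers that pass authentication belong to the relay, so DMARC alignment fails, and the call-to-action link is off-brand; either finding alone is enough to quarantine. None of this substitutes for the user-side rule the article states: a recovery phrase is never entered on any website, whatever the email says.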

Related: Cointelegraph, BeInCrypto

Threat actor IntelBroker has published a small portion of the data it stole from Cisco last October.

“Today, I have shared the Cisco partial Breach for you to download. Thanks for reading and enjoy!” IntelBroker said.

IntelBroker said that it and its team at CyberN---s accessed a DevHub instance that Cisco accidentally left open, adding that they exfiltrated 4.5 terabytes of data.

The partial upload allegedly contains 2.9 gigabytes of data comprising Cisco C9800-SW-iosxe-wlc.16.11.01, Cisco IOS XE & XR, Cisco ISE, Cisco SASE, Cisco Umbrella, and Cisco Webex.

“Hopefully this proves the legitimacy of the breach to others wanting to buy the full version,” added IntelBroker. (Daniel Croft / Cyber Daily)

Related: Security Week, HackRead

The Texas Tech University Health Sciences Center and its El Paso counterpart announced they suffered a cyberattack in September that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients.

In a filing with the US Department of Health and Human Services Office for Civil Rights, the Texas Tech University Health Sciences Center reports that the breach exposed the combined data of 1,465,000 people.

Those who are confirmed to have been impacted will be notified by the organization and will be offered free credit monitoring services. (Bill Toulas / Bleeping Computer)

Related: Texas Tech, Cyber Daily, Dark Reading, The HIPAA Journal, Silicon Angle, Tom's Guide, SC Media

Best Thing of the Day: Another Reason to Keep Your Hobbies Hidden Online

Last year, French police arrested a man believed to be one of the “bankers” of the Hive ransomware gang after tracking down his Parisian jogging route via social media posts or sports tracking applications such as Strava.

Worst Thing of the Day: When a Simulacra Swarm Urges You to Pay Your Extortionist

Bloomberg columnist Conor Sen was the target of an extortion attempt on Bluesky by someone who squatted a domain in his name and then tried to pressure Sen into buying it, egged on by a cast of sock-puppet "journalists" built through the same domain-squatting trick.

Closing Thought