UK Cybersecurity Chief Warns of Rise in Hostile Cyber Activity

Russia sentences Hydra Market leader to life in prison, Former Polish security chief forced into Pegasus spyware hearing, CFPB publishes proposed data brokers rule, SEC settles ICBC ransomware records case, FDD argues for Chinese-made lidar sensor ban, Hack forces DMM Bitcoin shutdown, much more

UK Cybersecurity Chief Warns of Rise in Hostile Cyber Activity
NCSC CEO Dr Richard Horne announces the launch of the eighth Annual Review. Source: NCSC

Sponsor Message

Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.


The UK's cybersecurity chief and head of the National Cyber Security Centre (NCSC), Richard Horne, warned of a rise in hostile activity in the country's cyberspace, saying the number of incidents handled by officials rose by 16% in 2024 compared to a year ago.

The NCSC, an arm of the spy agency GCHQ, said it handled 430 incidents in 2024, compared to 371 the previous year. Of those, 347 involved some data exfiltration, while 20 involved ransomware.

In its latest annual review, the NCSC issued 542 bespoke notifications informing organizations of a cyber incident impacting them and providing advice on mitigation, more than double the 258 notifications issued last year.

The NCSC said ransomware attacks posed "the most immediate and disruptive" threat to critical infrastructure, such as energy, water, transportation, health, and telecommunications.

The agency also warned of the potential of hackers to exploit AI to create more advanced cyber attacks. (Muvija M / Reuters)

Related: Financial Times, National Cyber Security Centre, The Sun, ComputerWeekly.com, The Record, TechRadar, Infosecurity Magazine, The Independent, The Register, Daily Mail, The Guardian, IT Pro, The Mirror

Source: NCSC.

Russian authorities sentenced Stanislav Moiseyev, the leader of the criminal group behind the now-closed dark web platform Hydra Market, to life in prison while convicting more than a dozen accomplices for their involvement in the production and sale of nearly a ton of drugs.

Moiseyev's co-conspirators (Alexander Chirkov, Andrey Trunov, Evgeny Andreyev, Ivan Koryakin, Vadim Krasninsky, Georgy Georgobiani, Artur Kolesnikov, Nikolay Bilyk, Alexander Khramov, Kirill Gusev, Anton Gaykin, Alexey Gukalin, Mikhail Dombrovsky, Alexander Aminov and Sergey Chekh) received imprisonment for terms ranging from 8 to 23 years, with fines totaling 16 million rubles.

The court said they would serve their imprisonment terms within special and strict regime penal colonies.

"The court established that from 2015 to October 2018, the criminal group operated in various regions of the Russian Federation and the Republic of Belarus," the Moscow prosecutor's office said.

"In total, law enforcement officers seized almost a ton of narcotic drugs and psychotropic substances in various constituent entities of the Russian Federation during searches of the defendants' residences, houses adapted for laboratories for the production of prohibited substances, garages used for storage, and cars equipped with special hiding places during the liquidation of the criminal community."

Before German police seized Hydra Market's servers in a joint action with the United States in April 2022, effectively taking down the entire operation, Hydra Market was the world's largest darknet market for selling drugs and money laundering. (Sergiu Gatlan / Bleeping Computer)

Related: Infosecurity Magazine, The Moscow Times

A spokesperson for the interior ministry reported that Piotr Pogonowski, the former head of the Polish Internal Security Agency (ABW), has been detained and forcibly brought to a hearing before an investigative commission into the Pegasus spyware wiretapping scandal.

Interior Minister Tomasz Siemoniak also addressed Pogonowski's detainment, writing on X: "Everyone is equal in the face of the law. Everyone."

The case revolves around the alleged illegal use of the highly invasive Pegasus spyware by the previous government of the nationalist-leaning Law and Justice (PiS) against the then opposition politicians, lawyers, and other figures criticising PiS.

Pogonowski had already failed to appear at three previous hearings, justifying his absence by referring to the ruling of the Constitutional Tribunal, the country’s top court, which deemed the commission’s work unconstitutional. However, after obtaining the opinion of legal experts, the commission decided that Pogonowski’s absence from his scheduled hearings justified the use of compulsory measures in the form of forced witness attendance. (Polish Press Agency)

Related: Financial Times, The Record, Notes from Poland

The US Consumer Financial Protection Bureau (CFPB) published a long-anticipated proposed rule change regarding how data brokers handle people’s sensitive information, including their names and addresses. The change would introduce increased limits on when brokers can distribute such data.

The proposed rule aims to tackle the distribution of credit header data, which is the personal information at the top of a credit report that doesn’t discuss the person’s actual lines of credit. However, credit header data is currently distributed so widely to so many companies that it ends up in the hands of people who use it maliciously.

The rule would reclassify companies that sell certain sensitive personal information as “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA). This decades-old law states that consumer reporting agencies can only transfer credit data for legitimate purposes.

These include issuing credit, insurance, and employer background checks. Meanwhile, some data brokers access and sell such data for various other purposes, such as marketing. Under the new rule, those limits would apply to more data brokers, potentially limiting the flow of such data to malicious parties.

The impact of the proposed rule change if it were to go into force wouldn’t be clear until it actually happens, potentially not until at least next year. And that might be up in the air: Elon Musk, who is playing a key role in the transition to the forthcoming Trump administration, and venture capitalist Marc Andreessen have both criticized the agency. However, the proposed rule change still shows a significant effort by a US government agency to wrangle the data broker industry. (Joseph Cox / 404 Media)

Related: CFPB, Bloomberg Law, Cyberscoop, The Verge, The Hill, Nextgov/FCW, SC Media, TechCrunch, Washington Post

The US Securities and Exchange Commission settled record-keeping charges against an Industrial and Commercial Bank of China unit regarding a November 2023 ransomware attack but decided not to impose a civil fine.

The accord resolves accusations that for nearly four months after the attack, New York-based ICBC Financial Services failed to keep its books and records current or send written notifications to customers regarding securities-related transactions.

The SEC decided against a fine based on the ICBC unit's "meaningful cooperation and extensive remedial measures." It also said the attack's causes included inadequate preparation for a potentially severe cybersecurity incident.

The ICBC unit did not admit or deny wrongdoing in agreeing to settle. (Jonathan Stempel / Reuters)

Related: SEC, Bloomberg Law, The Economic Times

According to a report by the Foundation for Defense of Democracies, Chinese-made lidar sensors could expose the US military to hacking and sabotage during a conflict and should be banned in American defense equipment.

Lidar sensors use lasers to generate a digital three-dimensional map of the world around them. While most commonly found in driver-assistance systems in the automotive industry, they are also used in critical infrastructure such as ports, where they help automate cranes.

The foundation said that lidar sensors, typically connected to the internet, use advanced processors that could conceal malicious code or firmware backdoors that are difficult to detect.

Such "hardware trojans" could be exploited by China's government, which, under Chinese law, can force companies to comply with state security directives. The foundation said satellite-based laser systems could also trip or disable such sensors in fractions of a second over broad swaths of US territory.

The foundation recommended that US lawmakers ban the procurement of Chinese lidar in defense gear and that US state governments ban its use in critical infrastructure. The think tank also recommended that U.S. policymakers work with allied countries such as Germany, Canada, South Korea, Israel, and Japan to create an alternative to the Chinese lidar supply chain. (Stephen Nellis / Reuters)

Related: The Foundation for the Defense of Democracies, The Record

The platform said it planned to transfer all customer accounts and company assets to another crypto firm, SBI VC Trade, a subsidiary of Japanese financial services giant SBI Group.

The platform attributed the move to the May 31 incident in which hackers broke into the platform and stole 4,502.9 bitcoins, worth $308 million at the time and now worth more than $429 million.

DMM Bitcoin explained that it is still investigating the incident and noted that the platform has continued to restrict crypto withdrawals and purchase orders. 

“But we have determined that allowing this situation to continue for a long time would significantly impair customer convenience,” the company said. (Jonathan Greig / The Record)

Related: DMM Bitcoin, Blockonomi, Blockhead, Cointelegraph, The Japan Times, The Defiant, Digital Watch Observatory, CryptoPotato, Decrypt, Bitcoin Insider, Kyodo News+, CoinDesk, CryptoSlate, The Crypto Times, crypto.news, Cryptonews, Benzinga

Cryptocurrency exchange Crypto.com has launched a landmark bug bounty program with HackerOne, offering a top bounty of $2 million, the largest sum available through the bug bounty company's platform.

Jason Lau, CISO at Crypto.com, said, “Deepening our relationship with HackerOne through this milestone and setting this landmark bounty underscores our commitment to enhancing safeguards and consumer protection. We look forward to continuing to engage with this community productively." (Beth Maundrill / Infosecurity Magazine)

Related: HackRead, Forbes, Security Week

In an SEC filing, ENGlobal Corporation, a major contractor for the energy industry, confirmed that it is dealing with a ransomware attack that has hindered operations. 

The company said the ransomware attack was discovered on November 25. “The preliminary investigation has revealed that a threat actor illegally accessed the Company’s information technology system and encrypted some of its data files,” the Oklahoma-based firm said. 

ENGlobal Corporation has restricted employee access to its IT system to only essential business operations. The company explained that it has taken several steps to address the issue, including starting an internal investigation and hiring external cybersecurity experts. 

“The timing of restoration of full access to the Company’s IT system remains unclear as of the date of this filing,” ENGlobal Corporation said, adding that it hasn’t been able to determine yet if it would have a material impact on its financial performance.

No ransomware gang has taken credit for the incident. (Jonathan Greig / The Record)

Related: SEC, TechCrunch, Investing, Help Net Security, Security Week

The Marin Housing Authority in California said online criminals have stolen $950,000 that was earmarked for the rehabilitation of public housing in Marin City.

The money was part of the $3 million the county loaned to the housing agency in March for the work at Golden Gate Village.

"We are actively working to identify funding sources to replace what was lost," said Kimberly Carroll, director of the Marin Housing Authority.

Carroll vowed that the theft would not prevent the Marin City project from proceeding.

Carroll said investigators suspect the criminals used a "phishing" attack to gain access to several email accounts belonging to the agency's employees, including hers.

Some of the housing agency's email accounts were particularly vulnerable because they lacked "two-factor authentication," a security procedure that combines two forms of identification to guard against unauthorized access. In addition to the typical username and password, it adds a second factor, sometimes a code sent via text message.

Carroll said the scammers accessed six email accounts belonging to housing authority employees. Then, using the emails to pose as employees, they hijacked two large payments meant for Burbank Housing, the agency's development partner for the Marin City project. (Richard Halstead / The Marin Independent Journal)

Related: ABC7

Two National Health Service (NHS) hospitals in the UK disclosed cyberattacks last week, and at least one of the attacks was conducted by a ransomware group.

Alder Hey Children’s Hospital is investigating claims that its systems may have been breached and that patient records and other information were stolen.

“We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact,” the hospital said.

The ransomware group Inc Ransom added Alder Hey to its Tor-based leak site, claiming the theft of patient records, donor reports, and other information. The data, the gang claims, is dated 2018 – 2024.

In its statement, the hospital said it was working on securing its systems but noted that the incident had no impact on the availability of its services.

“This incident is not linked to the ongoing incident at Wirral University Teaching Hospitals,” Alder Hey said.

Wirral University Teaching Hospital announced last week that it was scrambling to respond to a cyberattack that forced it to shut down its systems and revert to pen and paper. (Ionut Arghire / Security Week)

Related: Computing, Wirral Globe, Liverpool Echo, The Register, The Guardian, Infosecurity Magazine, TechRadar, Dark Reading

Refinadora Costarricense de Petróleo, known by most as RECOPE, the state-owned energy provider for Costa Rica, was hit with a ransomware attack last week requiring the company to shift to manual operations and call in help from abroad.

RECOPE said it discovered a ransomware incident on Wednesday morning and began investigating. Officials said they were forced to conduct fuel sales manually because the attack took down all of the digital systems used to facilitate payments.

“Fuel unloading at our dock continues as usual. This morning, ships were received with premium gasoline, diesel and aviation fuel. In parallel, Recope and Micitt continue to work together to deal with the incident,” RECOPE said. 

“We reiterate that Recope has sufficient inventories to meet the demand for fuel and continue to guarantee the service, as we have done for the past 61 years.”

On Friday, Karla Montero, president of RECOPE, said cybersecurity experts from the U.S. arrived on Thanksgiving and were able to help “gradually restore some systems” but said the organization “will continue to operate systems manually until it is fully guaranteed that processes are safe.” (Jonathan Greig / The Record)

Related: RECOPE, E&N, The Republic Newspaper, El Guardian

Amar Bhakta, who has worked in advertising technology for Apple since 2020, filed a lawsuit against the Cupertino giant that accuses the company of spying on its workers via their personal iCloud accounts and non-work devices.

The suit, filed in California state court, alleges Apple employees are required to give up the right to personal privacy and that the company says it can “engage in physical, video and electronic surveillance of them” even when they are at home and after they stop working for Apple.

Those requirements are part of a long list of Apple employment policies that the suit contends violate California law.

Bhakta said Apple used its privacy policies to harm his employment prospects. For instance, it forbade Bhakta from participating in public speaking about digital advertising and forced him to remove information about his job at Apple from his LinkedIn page.

Apple said it strongly disagrees with the claims in the lawsuit. “Every employee has the right to discuss their wages, hours and working conditions and this is part of our business conduct policy, which all employees are trained on annually,” it said. (Reed Albergotti / Semafor)

Related: TechCrunch, The Daily Beast, The Verge, Mashable India, The Wrap, Business Standard, 9to5Mac

Google released its December 2024 Android Security Bulletin, detailing a range of security vulnerabilities affecting various components across Android devices, with some potentially allowing remote code execution and local escalation of privileges.

The bulletin’s most critical concern centers on vulnerabilities within the system components, which allow developers to build applications with specific functionalities within the Android ecosystem.

One particular vulnerability, CVE-2024-43767, allows for remote code execution. The company states that a malicious actor does not require additional execution privileges to exploit it. Google rated the bug as “high” severity, but it has yet to receive an entry in NIST’s National Vulnerability Database (NVD).

Google has ensured that its Android partners were alerted to these issues well in advance, providing a window for necessary adjustments ahead of the patches’ public release. Source code patches for these vulnerabilities have been integrated into the Android Open Source Project (AOSP) repository, with further details and patches to be made accessible from Android partners like MediaTek and Qualcomm. (Greg Otto / Cyberscoop)

Related: Android, Android Authority

The Council of the European Union gave the final green light to the Cyber Solidarity Act, which aims to strengthen coordination and capacity to detect, prepare for, and respond to increasingly frequent cyber threats.

The new law, proposed by the European Commission on April 18, 2023, focuses on establishing mechanisms for cooperation between national authorities and cross-border security hubs.

The first mechanism is a “cybersecurity alert system,” a pan-European infrastructure composed of national and cross-border cyber hubs across the EU. It is a sort of European cyber shield that will use leading-edge technologies, such as artificial intelligence and advanced data analytics, to detect and share early warnings about cross-border cyber threats and incidents.

The new regulation also creates a cybersecurity contingency mechanism to increase preparedness and improve incident response capabilities in the community. The mechanism will support preparedness actions, including testing potential vulnerabilities of entities in highly critical sectors (such as health, transportation, and energy) based on common risk scenarios and methodologies.

The mechanism will also establish an EU cybersecurity reserve, which member states, EU institutions, bodies and agencies, and associated third countries can call to the rescue in the event of a significant or large-scale cybersecurity incident.
 
The Cyber Solidarity Act establishes an incident review mechanism to evaluate the effectiveness of the cyber emergency mechanism and the use of the security reserve. This mechanism will also oversee the contribution of this legislation to strengthening the competitive position of industry and service sectors.

Member countries also approved a targeted amendment to the Cybersecurity Act, which will allow the future adoption of European certification schemes for so-called “managed security services.” These services may include incident management, penetration testing, security audits, and consulting related to technical support. (Simone De La Feld / EU News)

Related: European Council, Digital Policy Alert, CSO Online

Researchers at Fortinet discovered a series of new malware attacks targeting companies in Taiwan linked to the SmokeLoader malware that have impacted industries ranging from manufacturing and healthcare to IT and beyond.

SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data.

The attacks began with phishing emails containing malicious attachments designed to exploit Microsoft Office vulnerabilities. These included CVE-2017-0199, which enabled malicious documents to automatically download and execute harmful payloads, and CVE-2017-11882, which exploited a vulnerability in Microsoft Office’s equation editor for remote code execution.

The emails, written in native Taiwanese, were convincing but contained inconsistencies, such as different font and color schemes, that suggested the text had been copied from elsewhere.

Once the malicious attachment was opened, the SmokeLoader malware was downloaded and executed, allowing it to communicate with its command and control (C2) server. From there, the malware downloaded various plugins, each designed to target specific applications and extract sensitive information.

The SmokeLoader malware was also found to use advanced techniques to evade detection, including code obfuscation, anti-debugging, and sandbox evasion. Its modular design allows it to adapt to different attack scenarios, making it a formidable threat to organizations. (Waqas / HackRead)

Related: Fortiguard, BankInfoSecurity, CSO Online

SmokeLoader attack flow. Source: Fortiguard

Open-source network security platform NetBird announced it had raised €4 million (around $4.2 million) in a seed venture funding round.

InReach Ventures and existing investor Nauta led the round with participation from Antler and a grant from the German Federal Ministry of Education and Research. (Vigneshwar Ravichandran / Silicon Canals)

Related: Tech Funding News, EU-Startups

Best Thing of the Day: I Can't Help a Single One of You

curl developer Daniel Stenberg took to his blog to redirect misguided Cisco AnyConnect users who were contacting him for support on the product, simply because his name appears in the VPN client application, which ships the curl license.

Worst Thing of the Day: Stop With the Data Cable Cutting

Two data cables owned by digital infrastructure company Global Connect and running across the land border between Sweden and Finland were cut, affecting 6,000 private customers and 100 businesses, a month after two data cables on the Baltic Sea bed were ruptured. (Unlike the Baltic Sea incident, however, Finnish authorities don't suspect criminal activity.)

Closing Thought
