Spain's Prime Minister and Defense Minister Were Compromised by NSO Group's Pegasus Spyware
Russian Killnet hacking group targeted Romanian government websites, FBI conducted 3.4 million searches of U.S. data under FISA, Cloudflare detected huge HTTPS DDoS attack, much more
Don’t miss our special report on the recent spate of crypto-related hacks and phishing incidents.
During an emergency press conference on a public holiday in Spain, the Spanish government said Prime Minister Pedro Sánchez and Defense Minister Margarita Robles were targeted by Israeli spyware firm NSO Group’s Pegasus spyware.
The minister of the presidency, Félix Bolaños, said an "external" actor carried out a complete intrusion of the two leaders' mobile communications in May and June 2021, with Sánchez's phone infected twice and large amounts of data extracted from both devices. (Camille Gus / Politico)
Related: Haaretz, Reuters, The Guardian, The Olive Press, DAILYSABAH, Reuters: World News, Bloomberg, The Times of Israel, The Register - Security, The Independent, Jerusalem Post, The Huffington Post, Associated Press Technology, ABC.net.au
Romanian government websites and other institutions were the targets of a cyberattack that the nation’s intelligence agency attributed to a pro-Russian hacking unit called Killnet, which claimed credit for the attack.
The attack knocked the websites of the country’s defense ministry, border police, railway company CFR Calatori and a financial institution offline for several hours. Marcel Ciolacu, leader of Romania’s ruling Social Democratic party and speaker of parliament, had said the country, which borders Ukraine, is considering options for potential military aid to Kyiv. (Andra Timu / Bloomberg)
An annual report published by the Office of the Director of National Intelligence disclosed that the FBI conducted as many as 3.4 million searches of U.S. data that the National Security Agency had previously collected.
Senior Biden administration officials said the true number of searches is likely far lower, citing the difficulty of counting queries and of separating foreign data from U.S. data. The disclosure marks the first time a U.S. intelligence agency has published an accounting, however imprecise, of the FBI’s queries of Americans’ data under Section 702 of the Foreign Intelligence Surveillance Act, the 1978 law that governs some foreign intelligence gathering. (Dustin Volz / Wall Street Journal)
The Cybersecurity and Infrastructure Security Agency (CISA) advised companies to take a hard look at its list of the top 15 routinely exploited vulnerabilities of 2021, which includes Log4Shell, the Microsoft Exchange Server bugs ProxyLogon and ProxyShell, and a vulnerability affecting Atlassian products.
The National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) worked alongside CISA to compile the list. (Jonathan Greig / The Record)
India’s government issued new directions requiring organizations to report cybersecurity incidents to CERT-In within six hours, even when those incidents are only port or vulnerability scans of computer systems.
India's Computer Emergency Response Team (CERT-In) said it had identified specific gaps that hamper security incident analysis and response, and that closing them requires more aggressive measures. The directions were issued under section 70B of the Information Technology (IT) Act, 2000, which gives them the force of law; they enter into force in 60 days. (Bill Toulas / Bleeping Computer)
Cloudflare said that its systems automatically detected and mitigated a 15.3 million requests-per-second (rps) DDoS attack, one of the largest HTTPS DDoS attacks on record, targeting a customer on its Professional (Pro) plan that operates a crypto launchpad.
The attack came from a botnet Cloudflare had already been tracking, which had previously produced episodes as high as 10M rps matching the same attack fingerprint. The traffic originated mainly from data centers rather than residential networks, from approximately 6,000 unique bots in 112 countries. (Dan Goodin / Ars Technica)
Deutsche Windtechnik AG, which specializes in the maintenance of wind turbines, was hacked in April, and remote-control systems for about 2,000 wind turbines in Germany were down for about a day after the attack, the company said.
The incident followed a security incident at turbine maker Nordex SE, which the company discovered on March 31, and a February attack affecting turbine maker Enercon GmbH. That attack knocked out remote control of 5,800 of Enercon’s wind turbines, though the turbines continued to operate in automatic mode. (Catherine Stupp / Wall Street Journal)
Related: The Record
A sample of a new ransomware operation's encryptor discovered by Avast researcher Jakub Kroustek shows that the notorious REvil ransomware operation has returned amid rising tensions between Russia and the USA, with new infrastructure and a modified encryptor that allows for more targeted attacks.
The gang purportedly shut down in October after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement. Security researcher R3MRUM tweeted that the REvil sample has had its version number changed to 1.0 but is a continuation of the last version, 2.08, released by REvil before they shut down. (Lawrence Abrams / Bleeping Computer)
Researchers at Proofpoint say that a newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.
Proofpoint’s research confirms the work of Eli Salem, lead threat hunter and malware reverse engineer at Cybereason, who says that the deployment techniques for Bumblebee are the same as for BazarLoader and IcedID, both seen in the past deploying Conti ransomware. (Ionut Ilascu / Bleeping Computer)
Google rolled out a new policy to expand the types of data people can ask to have removed from search results, including personal contact information such as a user’s phone number, email address, or physical address.
The company said in a blog post that its expanded policy now allows for the removal of additional information that may pose a risk for identity theft, such as confidential log-in credentials, email addresses, and phone numbers when it appears in search results. (Brian Krebs / Krebs on Security)
Russia’s invasion of Ukraine has coincided with a boom in the number and sophistication of commercial surveillance satellites. Hundreds are now in orbit, and their imagery is helping Ukrainian forces hunt Russian tanks and track troop movements, giving Kyiv access to intelligence that was once the domain of only a few governments.
The satellites also collect electronic signals that can be used to locate Russian units, and their imagery has been used to track refugee flows and spot mass graves in Ukraine. (Warren P. Strobel and Robert Wall / Wall Street Journal)
A Microsoft support page reveals that the company is adding a free built-in virtual private network (VPN) service to its Edge browser to improve security and privacy.
Microsoft is testing the Cloudflare-powered VPN service, called Edge Secure Network, and says it will roll it out to the public as part of a security upgrade. Edge Secure Network encrypts users’ web traffic so that internet service providers can’t collect browsing information users would rather keep private, such as health-related searches or unusual queries. It will also let users hide their location by browsing the web from a virtual IP address. As with any VPN, this moves visibility of the browsing traffic from the ISP to the VPN operator rather than eliminating it. (Sheena Vasani / The Verge)
The FBI's Cyber Division revealed in a TLP:WHITE flash alert in coordination with the Cybersecurity and Infrastructure Security Agency (DHS/CISA) that the Black Cat ransomware gang, also known as ALPHV, has breached the networks of at least 60 organizations worldwide between November 2021 and March 2022.
BlackCat/ALPHV "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing," the FBI said. (Sergiu Gatlan / Bleeping Computer)
Despite a long-standing belief in Russian cyber superiority, Russia is struggling in the third month of the war in Ukraine under an unprecedented hacking wave that entwines government activity, political volunteerism, and criminal action.
Digital assailants have plundered the country’s financial data, defaced websites, and handed decades of government emails to anti-secrecy activists abroad. One recent survey showed more passwords and other sensitive data from Russia were dumped onto the open Web in March than information from any other country. A cache of twenty years’ worth of emails from VGTRK, or All-Russia State Television and Radio Broadcasting Co, was obtained by a hacktivist group called Network Battalion 65, which says it gets no direction or assistance from government officials in Ukraine or elsewhere. (Joseph Menn / Washington Post)
A special report released by Microsoft on cyber activity in Ukraine highlights many examples of the “hybrid” war against Ukraine, noting that hackers in six groups aligned with the Kremlin have launched no fewer than 237 operations in concert with the physical attacks on the battlefield.
“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Tom Burt, Microsoft corporate vice president for customer security, wrote. (Dan Goodin / Ars Technica)