Suspected Foreign Hackers Breached Nine Organizations in Ongoing Espionage Campaign

NSO spyware found on Palestinian human rights activists' phones, Details on Clop gang arrests revealed, Ransomware gangs target tribal-owned casinos, Incident reporting requirements proposed, more

Check out my latest column in CSO, which looks at what’s next in Congress for cybersecurity now that the infrastructure bill, which boosts cybersecurity spending by $1.9 billion, has passed.

With the help of the National Security Agency, researchers at Palo Alto Networks discovered that suspected foreign hackers breached nine organizations in the defense, energy, health care, technology, and education sectors as part of an ongoing espionage campaign.

Calling the nine confirmed victims the tip of the spear, the researchers say the hackers stole passwords from some targeted organizations to maintain long-term access to those networks. Palo Alto Networks said some of the attackers' tactics and tools overlap with those used by a suspected Chinese hacking group. (Sean Lyngaas / CNN)

Related: Slashdot, The Hill: Cybersecurity, Bleeping Computer, Palo Alto Networks, Axios, Security Affairs, TechRadar

Security researchers at the nonprofit organization Frontline Defenders report they detected for the first time Pegasus spyware from the notorious Israeli spyware company NSO Group on the cellphones of six Palestinian human rights activists. Three of the activists are affiliated with groups that Israel’s defense minister controversially claimed were involved in terrorism. However, Israel has provided little evidence publicly to support the terrorism designation.

Security researchers from Amnesty International and the University of Toronto’s Citizen Lab confirmed Frontline’s findings in a joint technical report. The news comes days after the U.S. put NSO Group on a sanctions list, which prohibits the company from purchasing American technology. The government of Israel is now distancing itself from NSO. (Frank Bajak and Joseph Krauss / Associated Press)

Related: Citizen Lab, The Hindu - News, Algemeiner, Cybersecurity, The Guardian, DAILYSABAH, The Independent, Business Standard, The Independent, AP Top News, Hamodia, Security Affairs, Al Jazeera English, ynet - News

profdeibert @RonDeibert: NEW REPORT: Our partners at @FrontLineHRD discovered that the devices of six Palestinians were hacked with NSO Group's Pegasus.… We @citizenlab and @AmnestyTech both independently verified the findings in a technical report here:

Citizen Lab @citizenlab: BREAKING NOW: @FrontLineHRD discovers hacking of Palestinians with NSO Group's Pegasus. @citizenlab and @AmnestyTech verify findings:

New information came to light regarding how an operation codenamed 'Operation Cyclone,' which targeted the Clop ransomware gang and led to the reported arrests of six members in Ukraine, was conducted. Clop used a vulnerability in the Accellion secure file transfer gateway to steal confidential and private files of corporations and universities.

The operation was coordinated from INTERPOL's Cyber Fusion Centre in Singapore, with assistance from Ukrainian and U.S. law enforcement authorities. The U.S. educational institutions targeted in the Accellion attacks included the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California. A group of cybersecurity firms, including Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB, assisted the operation. (Lawrence Abrams / Bleeping Computer)

Related: Infosecurity Magazine, ZDNet Security

A proposed amendment to the National Defense Authorization Act would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report payments made to hackers due to a ransomware attack.

The reports on the incidents and payments would go to the Cybersecurity and Infrastructure Security Agency (CISA). Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI), ranking member Rob Portman (R-OH), Senate Intelligence Committee Chairman Mark Warner (D-VA), and Sen. Susan Collins (R-ME) sponsored the amendment. (Maggie Miller / The Hill)

Related: POLITICO, ZDNet Security

Trend Micro's ZDI was awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021.

The Synacktiv team won the contest, earning $197,000 in cash for their zero-days and 20 Master of Pwn points, with a six-point lead over the DEVCORE team, which finished with 14 points and earned a total of $140,000. Over four days of competition, the contestants compromised printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR. (Sergiu Gatlan / Bleeping Computer)

Related: Security Week, TechDator, Security Affairs

The Conti ransomware gang, which released thousands of files stolen from the UK jewelry store Graff, including information belonging to the UAE, Qatar, and Saudi royal families, has now apologized to the families apparently out of fear of violent retaliation.

“Our Team apologizes to His Royal Highness Prince Mohammed bin Salman and any other members of the Royal Families whose names were mentioned in the publication for any inconvenience,” the hackers said in an announcement, vowing to delete any of the families’ information and protect it from public exposure. Allan Liska of Recorded Future said, “Bluntly, UAE sends assassination teams to deal with people they don’t like.” (Lorenzo Franceschi-Bicchierai / Motherboard)

The Cybersecurity and Infrastructure Security Agency (CISA) warned that proof-of-concept (PoC) code for the BrakTooth Bluetooth vulnerabilities is now publicly available.

The vulnerabilities affect commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices, including smartphones, PCs, toys, internet-of-things (IoT) devices, and industrial equipment that rely on Bluetooth Classic (BT) for communication. CISA urges manufacturers, vendors, and developers to patch or employ workarounds. (Lisa Vaas / Threatpost)

Related: Security Week, Hot Hardware, CISA, Github

After nine years of living openly in Russia and publishing a book about his exploits, Belarusian Sergey Pavlovich, an admitted former scammer charged in the U.S., told Cyberscoop he was surprised to be arrested on November 1 in St. Petersburg under a warrant issued by Interpol.

U.S. prosecutors indicted Pavlovich in 2008, accusing him of involvement with, a now-defunct website that facilitated the sale of more than 40 million stolen credit and debit card numbers. Anne Neuberger, the White House’s top adviser for cyber and emerging technologies, reportedly provided the Kremlin recently with the names of several hackers who are “actively launching attacks” on the U.S. (Jeff Stone / Cyberscoop)

Related: Bloomberg

According to IAB Europe, the Belgian data protection authority said that its Litigation Chamber is close to finalizing a draft ruling that will find that IAB’s Transparency and Consent Framework (TCF) fails to comply with the GDPR principles of transparency, fairness, and accountability, and with the lawfulness of processing.

Google and scores of other advertisers use the IAB’s framework for gathering consent from web users in the form of cookie consent pop-ups. (Natasha Lomas / TechCrunch)

Related: Slashdot, Hacker News, IAB Europe

In a private industry notification, the FBI's Cyber Division said that ransomware gangs had hit several tribal-owned casinos in recent months, taking down their systems and the systems connected to them, with damages estimated in the millions of dollars.

Ransomware gangs that coordinated attacks against tribal communities include REvil (Sodinokibi), Bitpaymer, Ryuk, Conti, Snatch, and Cuba. (Sergiu Gatlan / Bleeping Computer)

Related: Threatpost

The FBI warned of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to facilitate payment. The Bureau has seen an increase in scammers directing victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions.

The FBI says that scammers use a variety of schemes to direct victims to ATMs and QR codes for payment. Among the ways scammers approach victims are online impersonation, romance schemes, and lottery schemes. (Sergiu Gatlan / Bleeping Computer)

Related: SlashGear, TheDigitalHacker, FBI, Security Affairs

A hacker stole an estimated $55 million worth of cryptocurrency assets from bZx, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price variations.

bZx said it disabled its website’s UI to prevent users from depositing new funds and is working with various cryptocurrency exchanges to track the attacker and freeze and potentially recover the stolen funds. bZx also offered a bounty to the hacker for returning the stolen funds. (Catalin Cimpanu / The Record)

Related: Crypto News, Business Insider, bZx

SolarWinds investors sued the software company's directors, alleging they knew about and failed to monitor cybersecurity risks to the company ahead of the significant breach revealed late last year that created a vulnerability in thousands of its customers' systems.

The investors allege that the board failed to implement procedures to monitor cybersecurity risks, such as requiring the company's management to report on those risks regularly. (Jody Godoy / Reuters)

Related: IT News

Security-software giant McAfee is reportedly near a deal to sell itself to a group including private-equity firms Advent International Corp. and Permira for more than $10 billion.

The deal, which would value the cybersecurity company at around $25 a share, could be announced today. (Cara Lombardo, Miriam Gottfried and Dana Cimilluca / Wall Street Journal)

Related: Marketwatch, Financial Times, Reuters, Gadgets NDTV

Despite the massive venture capital investments in cybersecurity startups and a booming market for cybersecurity services, of 26 cybersecurity firms reviewed by the Wall Street Journal, 17 have seen net losses for their most recent fiscal year. Twelve have seen net losses for all of the past three fiscal years.

According to the Journal's report, part of the problem is that many cybersecurity ventures spend their time bolstering their valuations and their money on sales, marketing, and research. (David Uberti and James Rundle / Wall Street Journal Pro)
Adversarial emulation company Scythe has raised $10 million in a Series A venture funding round.

Gula Tech Ventures and Paladin Capital Group led the round with participation from Energy Impact Partners (EIP). (Business Wire)
