Drawing upon the latest news from Talion’s Threat Set Radio Episode 166, we’re diving into the details from 3 key cybersecurity events.
Pegasus spyware has returned to the news – this time making its way into the phones of UK government officials. Findings from the Citizen Lab at the University of Toronto confirm that several No.10 Downing Street phones were among the devices compromised in 2020 and 2021 by the UAE-linked trojan spyware, which turns mobile phones into remote listening devices. It has not been confirmed whose devices were compromised this time, only that the individuals work alongside Prime Minister Boris Johnson.
Last year, NSO Group – the company behind the tool – was sued by Apple for using the technology against iPhone users. NSO Group claims that Pegasus only targets terrorists and criminals and that the spyware is developed and marketed for, and licensed to, governments around the world. But politicians, journalists and activists have found the software installed unlawfully on their devices. As a result, the Biden administration placed NSO on a US blacklist, stating it had evidence the company had sold surveillance spyware to foreign governments who used it for transnational repression.
Other reported uses of Pegasus include its purchase by the Israeli police to spy on protesters and government employees without court supervision, and by the Hungarian government to spy on journalists, businesspeople and an opposition politician. Even the FBI has admitted to purchasing the spyware, but claims not to have used it as part of any investigation.
The US is calling urgently for any information on North Korean cyber criminals who have stolen cryptocurrency, or on any operative working on behalf of North Korean leader Kim Jong Un – and is offering $5 million as a reward. This comes just days after the public attribution to Lazarus, a threat group associated with the Democratic People’s Republic of Korea (DPRK). The Lazarus operation against the finance platform Ronin Network, deemed the largest cryptocurrency heist to date, stole around $540 million in cryptocurrency, which is used to support North Korea’s regime and fund its weapons program.
Ronin Network was initially hacked in March 2022 and Lazarus has slowly siphoned off more than $9 million since, sending the funds to Tornado Cash – a cryptocurrency mixer that allows users to hide the origin of funds. CISA and the FBI have issued a joint advisory warning blockchain companies – from decentralised finance (DeFi) protocols to cryptocurrency trading companies and even play-to-earn cryptocurrency video games – that they are at high risk of falling victim to one of these financial heists.
The notorious Zloader botnet has been intercepted by a global operation headed by Microsoft’s Digital Crimes Unit. 65 domains that the Zloader gang has used to build and control its empire have been taken over by Microsoft and now direct to a sinkhole where they can no longer be used by the botnet’s criminal operators.
Embedded within the Zloader malware is a domain generation algorithm (DGA) – a technique that generates 32 different domains per day, acting as a fallback or backup communication channel for the botnet. In addition to the takedown of the domains, the court order also allows Microsoft to take control of an additional 319 currently registered DGA domains and to block the future registration of any DGA domains.
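As an added illustration (not code from the original post, and not Zloader’s actual algorithm), the Python below sketches a hypothetical date-seeded DGA that yields 32 domains a day and shows why a defender who has reversed the algorithm can precompute every domain it will produce, pre-register or sinkhole them, and match DNS logs against that list. The seed, hash construction and log format are constructed for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Set

# Hypothetical date-seeded DGA for illustration only; NOT Zloader's real
# algorithm. Real DGAs differ in seed material, hashing and TLD choice.
DOMAINS_PER_DAY = 32
TLDS = ("com", "net", "org")

def dga_domains(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Deterministically derive the day's candidate rendezvous domains."""
    seed = "constructed-seed-" + day.isoformat()  # constructed value
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        out.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return out

def blocklist_for_window(start: date, days: int) -> Set[str]:
    """Defender side: precompute every domain the DGA can produce over a
    window. Knowing the list ahead of time is what makes pre-registering,
    sinkholing or blocking future registrations possible."""
    names: Set[str] = set()
    for d in range(days):
        names.update(dga_domains(start + timedelta(days=d)))
    return names

def flag_dga_queries(dns_log_lines, blocklist):
    """Return (client, qname) pairs for queries that hit a precomputed
    DGA domain. Log format (constructed): '<timestamp> <client> <qname>.'"""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits

# Constructed sample: one host queries two of the day's DGA domains,
# another host queries a benign name.
SAMPLE_DAY = date(2022, 4, 14)
_today = dga_domains(SAMPLE_DAY)
SAMPLE_LOG = [
    f"2022-04-14T10:00:01 10.0.0.5 {_today[0]}.",
    "2022-04-14T10:00:02 10.0.0.7 www.example.com.",
    f"2022-04-14T10:00:03 10.0.0.5 {_today[17]}.",
]
```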
When Zloader first appeared in 2019, its primary goal was financial theft: stealing account login IDs and passwords to access money. More recently, Zloader has aided a number of ransomware groups including Ryuk – a strain that has taken down countless healthcare institutions, recklessly putting patients’ lives at risk in its operators’ attempts to extort ransoms.
During Microsoft’s investigation, they identified one of the perpetrators helping ransomware gangs distribute the strain via the botnet – Denis Malikov, operating out of the city of Simferopol on the Crimean Peninsula. Microsoft chose to name him in their blog post, to break the anonymity many of these operatives have been hiding behind.
Microsoft have also stated:
“We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the conduct of these cybercriminals. We will work with internet service providers (ISPs) to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address Zloader and other botnets.”
To stay up to date on the latest cybersecurity news from our threat intelligence service, keep an eye out for a new Threat Set Radio podcast episode every Friday, hosted by Talion’s Threat Intelligence Analyst Natalie Page.