Robin’s Newsletter #356

13 April 2025. Volume 8, Issue 15
Black Basta ransomware group chat logs leaked. Attackers accessed 150,000 emails at US Treasury bureau. Yes, Oracle was breached.

This week

Need to Know, 13th April 2025

  • Black Basta ransomware group chat logs leaked
  • Sweeping layoffs expected at CISA
  • Attackers accessed 150,000 emails at US Treasury bureau
  • Apple vs Home Office ‘backdoor’ case details will be public 
  • Krebs, SentinelOne clearances revoked in Presidential order
  • Yes, Oracle was breached.

Interesting stats

1% of UK organisations suffered ransomware incidents last year, up from 0.5% the year before, according to the latest UK government statistics. Worryingly, 27% of boards include a cyber specialist today, down from 38% in 2021. LINK

46% in ransomware claims at $25M-$100M revenue businesses, with 80% of direct attacks starting with remote access tools, according to insurer At-Bay. LINK

~3/4 of 1,393 C-suite tech execs and senior IT decision-makers intend to increase cyber security spending in 2025, according to Experts. LINK

Five things

  1. Oracle has confirmed that its cloud services were compromised, something that appeared to be obvious to everyone for the last few weeks. In a notification sent to customers and seen by Bleeping Computer, Oracle says, “Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” before going on to explain that it relates to “two obsolete servers” related to Oracle Cloud Classic (note the subtle difference). The Register has a more honest appraisal of the breach notice. Oracle’s product pedantry aside, there are still plenty of questions here: why were the obsolete servers still online if they were no longer needed? What other ‘obsolete’ servers are also hanging around the Oracle estate? What customer information is stored on them? The breach included over 6 million credentials; hardly what you want just sat gathering dust in the corner! LINK, NOTICE, HONEST

  2. Around 190,000 chat messages between members of the Black Basta ransomware group have been leaked, giving researchers insight into the ‘highly structured and efficient organisation’. The messages cover a year from September 2023 to September 2024 and show some of the group’s tactics, techniques and procedures. “One girl is really good at calling,” a message reads, “every fifth call converts into remove access :).” This refers to the group’s social engineering approach of posing as IT administrators. In another chat message, the group agreed that “[$]200k is a fair price for a 0day” vulnerability they can use to gain access to victims’ infrastructure. I suspect a lot more insight will come from these logs in the coming weeks, and there will be many opportunities to understand the identities of individuals behind the group. LINK

  3. The Office of the Comptroller of the Currency (OCC), an independent part of the US Treasury, has reported a “major information security incident” to Congress. The incident, uncovered on 11th February 2025, involves access to about 100 senior officials’ inboxes and more than 150,000 emails containing “highly sensitive information” dating back to June 2023. In December, Chinese-linked attackers were discovered in another Treasury agency, the Office of Foreign Assets Control (OFAC). It’s unknown if the incidents are related. LINK

  4. Signalgate: A White House investigation believes Atlantic editor Jeffrey Goldberg was added to a sensitive chat group because Michael Waltz had been prompted to add Goldberg’s phone number to his address book, updating an existing contact. I can see how this might easily happen, though using consumer applications to conduct government business is a foreseeable risk. LINK

  5. Apple vs the Home Office: The UK’s Investigatory Powers Tribunal has ruled that details about Apple’s case against the Home Office’s so-called ‘backdoor’ technical capability notice can be made public. “We do not accept that the relation of the bare details of the case would be damaging to the public interest or prejudicial to national security,” the judgement reads. LINK

In brief

  • 🤓 Interesting reads: Arguments against CALEA, the US’ wiretapping legislation (Communications Assistance for Law Enforcement Act), that it is no longer fit for purpose given the increase in attack surface of telecommunications infrastructure. An interesting piece on cyber market failures and the need to understand them when (de)regulating industry. CALEA, MARKET

  • ⚠️ Incidents: The Czech prime minister’s Twitter/X account was compromised and used to post false messages this week, “despite… two-factor authentication” being enabled. The posts included reports of Russian attacks on Czech troops and retaliatory tariffs on the US. Seattle-based health services company Laboratory Services Cooperative (LSC) says it’s suffered a data breach affecting the sensitive information of 1.6 million people. Morocco’s social security agency is investigating a breach and theft of millions of citizens’ personal data at the hands of the politically motivated Algerian group JabaROOT. CZECH, LSC, MOROCCO

  • 🏴‍☠️ Ransomware: The Everest ransomware gang’s dark web leak site was compromised and defaced: “Don’t do crime CRIME IS BAD xoxo from Prague”. Cell C, one of South Africa’s largest mobile network operators, has confirmed a breach claimed by the RansomHouse threat group. Cell C has 7.7 million subscribers, and RansomHouse claims to have exfiltrated 2TB of data, but the exact scope of the incident is currently unknown. Sensata, an industrial technology company, has reported a ransomware incident involving data exfiltration to the SEC. Fourlis Group, operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has reported a ransomware attack before Black Friday last year that cost €20 million ($22.8M). EVEREST, CELL C, SENSATA, IKEA

  • 🕵️ Threat Intel: Outpost24 says they have ‘high confidence’ that SkorikARI, a security researcher who reported two zero-day vulnerabilities to Microsoft, is also the EncryptHub threat actor that’s compromised 618 organisations. NCSC has released technical details of MOONSHINE and BADBAZAAR spyware used to monitor Uyghur, Tibetan, and Taiwanese people. SentinelOne says that spammers used OpenAI to generate unique messages and bypass spam filters on more than 80,000 websites. Security researchers at F5 have discovered a campaign using Server-Side Request Forgery (SSRF) vulnerabilities to extract AWS IAM metadata from EC2-hosted websites. Russia-linked Gamaredon threat actors have used a removable media drive with GammaSteel malware to target a Ukrainian military mission in a Western country, according to Symantec. ENCRYPTHUB, MOONSHINE, OPENAI, AWS IAM, GAMAREDON

  • 🪲 Vulnerabilities: The Shadowserver Foundation says around 5,100 Ivanti VPN instances vulnerable to a recent actively exploited buffer overflow vulnerability are exposed to the internet and yet to be patched. A flaw in WhatsApp for Windows can be used to spoof the file type of an attachment and to trick recipients into opening executables they believe are other file types. Gladinet has patched an issue relating to a hardcoded key in its CentreStack file-sharing solution (CVE-2025-30406, 9.8/10). Fortinet has patched a critical FortiSwitch vulnerability (CVE-2024-48887, 9.8/10) that allows attackers to remotely change the device’s administrator password. IVANTI, WHATSAPP, CENTRESTACK (ADVISORY), FORTISWITCH (ADVISORY)

  • 🛠️ Security engineering: AI coding assistants keep writing code that includes hallucinated software dependencies which attackers may use to compromise systems. Last year, researchers found commercial models had a 5% error rate, while open-source equivalents included packages that didn’t exist 22% of the time. CODE ASSISTANTS

  • 🧿 Privacy: The European Commission plans to simplify GDPR for smaller businesses to “ease the burden” and promote European tech competitiveness. Sarah Wynn-Williams, Facebook’s former global policy director, has told a Senate committee that there was “no bridge too far” in Meta’s China expansion plans, including ‘dangling’ US citizens’ data. Meta says Wynn-Williams’ testimony is “divorced from reality”. GDPR, META

  • 📜 Policy & Regulation: The US intends to sign the Pall Mall pact, which sets out good practices for the use of ‘commercial cyber intrusion capabilities’, or spyware. PALL MALL

  • 👮 Law Enforcement: Noah Michael Urban, 20, a member of the Scattered Spider cybercrime group, has pleaded guilty and faces up to 60 years in prison for theft of cryptocurrency and sensitive documents. SPIDER

  • 💰 Investments, mergers and acquisitions: UK venture capital firm Osney Capital has launched an oversubscribed, £50 million cyber security seed fund. OSNEY

  • 🗞️ Industry news: The ‘CISA section’ this week… Senator Ron Wyden is blocking the nomination of Sean Plankey to head up CISA over a “multi-year cover up” described in an unclassified, but unpublished report into telecommunications security. The Trump administration is planning major staffing and budget cuts at CISA, with 1,300 (~1/2) full-time staff and 40% of contractors facing layoffs. Donald Trump has instructed the Department of Homeland Security to investigate former CISA director Chris Krebs, now a senior executive at SentinelOne. Trump’s executive order revoked Krebs’s and his colleagues’ security clearances. SentinelOne has said it will cooperate with the review of security clearances, which number fewer than ten. Trump says Krebs’ denial of election interference was not permitted. Trump’s election claims have been dismissed in more than 50 lawsuits. PLANKEY, CISA JOBS, KREBS 
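The F5 finding in the Threat Intel bullet above (SSRF used to reach the EC2 instance metadata service and pull IAM credentials) comes down to a server-side fetch that follows a user-supplied URL to a link-local address. The guard below is an added example for this newsletter, not code from F5 or from any product mentioned here; it assumes a web application that fetches user-supplied URLs and injects a resolver so it can be exercised offline. The hostnames and addresses in the demo are constructed.

```python
"""Outbound-URL guard against SSRF reaching cloud metadata endpoints.

Added example (not from the newsletter or from F5's research). It assumes a
web app that fetches user-supplied URLs server-side and shows one defensive
check: resolve the destination first and refuse anything that lands on a
loopback, private, link-local or otherwise non-global address, which is
where the EC2 instance metadata service (169.254.169.254) lives.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Explicitly named blocks in addition to the generic "not globally routable"
# test below, so that the metadata ranges are visible in the policy.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # IPv4 link-local (IMDS 169.254.169.254)
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS IPv6 address
]


def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr):
    """True if the address must never be contacted on a user's behalf."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on scoped/odd strings
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata host
    if not ip.is_global:  # loopback, private, link-local, reserved, ULA ...
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason). Evaluated before any request is sent."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolver(host)
        bad = [a for a in addresses if is_blocked_address(a)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"could not evaluate {host}: {exc}"
    if bad:
        return False, f"{host} resolves to non-routable address {bad[0]}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver table so the demo runs without DNS or network.
    table = {
        "169.254.169.254": ["169.254.169.254"],
        "metadata.internal": ["10.0.0.5", "169.254.169.254"],  # hypothetical name
        "example.com": ["93.184.216.34"],
        "localhost": ["::1"],
    }
    for url in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://metadata.internal/",
        "https://example.com/feed.xml",
        "http://localhost:8080/admin",
        "file:///etc/passwd",
    ):
        print(url, "->", check_outbound_url(url, table.__getitem__))
```

Two caveats a practitioner would add. First, resolve once and connect to the address you checked (or re-check inside the HTTP client's connection hook and on every redirect), otherwise a DNS answer that changes between check and use defeats the guard. Second, this is a client-side control; the complementary instance-side control on AWS is requiring IMDSv2 session tokens (`aws ec2 modify-instance-metadata-options --http-tokens required`), since a plain GET forwarded through an SSRF cannot perform the PUT-then-GET token exchange.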

And finally 

  • The obscure radio broadcasts on BBC Radio 4’s long wave that control cheap power tariffs in the UK will soon end. Less cyber-focussed, but tech geekery, especially given the issues with more modern, ‘smart’ meter rollouts. LINK
Robin