This week
- Sinaloa cartel used compromised mobile devices and CCTV to identify and kill FBI informants
- Qantas call centre system breached, exposing 6M records
- Iran targeting defence, water, CNI say US authorities
- Canada bans Chinese CCTV firm Hikvision
- Ubuntu to remove Spectre protections from Intel GPU
- The Earth is speeding up: we may be heading for a negative leap second
Interesting stats
Ransomware still pays: 49% of organisations are paying ransomware operators, despite a 34% drop in the median ransom demand to $1,324,439, and a 50% drop in the median value paid, to $1 million. There’s good news, though: 97% were able to recover encrypted data (though this is at 50%, its lowest level in six years); the $1.53M average cost to recover is down 44% from 2024’s $2.73M; and 53% are fully recovered after one week, up from 35% in 2024, according to a Sophos survey of 3,400 IT professionals. SOPHOS (PDF)
1/3 of the time, ChatGPT returns the wrong URL for websites, opening the door to phishing, according to Netcraft. LINK
Five things
- Cartel cyber surveillance: In 2018, a drug cartel insider warned the FBI that it was using a “hacker” to identify, and in some cases kill, FBI informants that posed a threat to their drug operations. The cybercriminal provided services including “exploiting mobile phones and other devices” and compromised Mexico City’s CCTV system to identify and follow “people of interest” to the cartel and El Chapo. Organised crime gangs like this have access to substantial resources, and that they would deploy them in this way should not come as a surprise. It’s why the DOJ audited the FBI to determine the effectiveness of steps to protect itself against the “Ubiquitous Technical Surveillance (UTS) threat”. This is the sort of compromise and misuse of surveillance systems that rights groups are concerned about in the Apple vs UK Home Office ‘encryption backdoor’ case. Once you’ve built something, it’s difficult to control who has access to it and how they will use it. CARTEL, MORE, REPORT (PDF)
- Scattered Spider: Qantas has confirmed a cyber security incident affecting the records of up to 6 million customers. The Australian flag carrier has now secured the system in question, which was a third-party platform used by their call centre. The exposed data includes names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Financial information, passport details, and credentials weren’t compromised. The tactics used by the attackers match those employed by the Scattered Spider group, which has been linked to similar incidents at WestJet and Hawaiian Airlines, as well as UK retailers earlier this year. If you’re looking to boost your defences against these techniques, then focus on more rigorous identity verification checks before conducting password resets, MFA enrolments and adding or changing recovery phone numbers. QANTAS, MORE
- Iran: US authorities are warning defence, water treatment, and other critical infrastructure providers that Iran is likely to target them in retaliation for US military strikes against Iran’s nuclear programme. Those who have partnerships with Israeli firms may be at the top of the list of targets. Unitronics Vision Series control systems, used to automate operations in water facilities, have previously been compromised by the Iranian Islamic Revolutionary Guard Corps (IRGC), the advisory from CISA, FBI, NSA, and others warns. DEFENCE, CNI, ADVISORY
- Splinternet: Canada is ordering Chinese CCTV vendor Hikvision to cease operations in the country, citing national security concerns. It’s the latest in a series of bans imposed by Western countries on Chinese technology companies. Meanwhile, German data protection official Meike Kamp has requested Google and Apple to remove DeepSeek from their app stores for GDPR breaches. There are two sides to these stories: the big picture (cyber/supply chain) security concerns over privacy, backdoors, and espionage, and the digital balkanisation created, with Chinese, Russian, and other states now largely operating on different tech stacks supported by local companies. HIKVISION, DEEPSEEK
- Ubuntu is removing speculative execution protections for Intel-based graphics chips. The OS’s development team say that the mitigations to the so-called Spectre vulnerabilities result in a 20% performance hit for Intel GPUs, and that mitigations present in the kernel are adequate. This is a good security/performance trade-off: there are many easier ways to attack systems, meaning these protections are likely not necessary, and Ubuntu users can look forward to a substantial performance increase. UBUNTU
In brief
- ⚠️ Incidents: The International Criminal Court (ICC) says that it’s been targeted in a “sophisticated and targeted” incident. ICC teams are conducting an impact analysis. Recent ICC arrest warrants include ones for Russian president Vladimir Putin and Israeli prime minister Benjamin Netanyahu. Healthcare service provider Episource has reported a breach affecting 5.4 million people. The information exposed includes contact, health insurance, and medical data, including test results and treatments. ICC, EPISOURCE
- 🏴☠️ Ransomware: Zurich-based Radix, a health non-profit, suffered a ransomware attack at the hands of the Sarcoma group that has exposed sensitive data, including some from federal offices. The Rhysida gang has attacked Deutsche Welthungerhilfe (WHH), a German charity providing food aid to Gaza, Ukraine, and Sudan. Rhysida has priors, targeting hospitals and cultural institutions, including a Chicago children’s hospital and the British Library. Screw those guys. Hunters International ransomware has announced that it is shutting down and providing a free decryption utility for victims. The group is essentially rebranding as an extortion-only outfit called World Leaks. RADIX, WHH, HUNTERS
- 🪲 Vulnerabilities: Cisco has patched a critical vulnerability in the ‘Engineering Special’ builds of its Unified Communications Manager and Session Management Edition products. CVE-2025-20309 (10/10) stems from hardcoded credentials for a developer account that cannot be removed or changed. It’s 2025, Cisco, c’mon! CISCO (ADVISORY)
- 📱 SIM swapping: AT&T has introduced a feature to help prevent SIM swapping, also known as port-out fraud. Customers can toggle a lock on their account from within the myAT&T app on their device, preventing social engineering or pretexting attacks, or rogue call centre insiders, from redirecting calls and messages to a new SIM. AT&T
- 🕵 Insider threat: A British IT worker who took revenge on his employer after being suspended from work has been jailed for seven months. The US Department of Justice is investigating a ransomware negotiator over allegations that they took kickbacks from criminal gangs while negotiating on behalf of victims. BRITISH, NEGOTIATOR
- 🗞️ National Cyber Director: Sean Cairncross is one step closer to being appointed to one of the US’s top cyber jobs after passing a Senate Homeland Security committee vote. NCD
And finally
- ⏰ Negative leap: For thousands of years, the Earth’s rotation has been gradually slowing, but recently it has sped up. Scientists are unsure why, but now we’re on course for an unprecedented “negative leap second” in 2029. That could present problems for systems where time can’t go backwards. ‘Slewing’ time may be an option for financial systems (very slightly contracting the length of a second over a day), but for others, that may not be a technical option. One to keep an eye on. LEAP
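The step-versus-slew trade-off in that item, as an added example (my code, not from the newsletter or any source it links): a clock that applies the negative leap second as a step never displays 23:59:59, while a clock that smears it over the preceding day shortens each second by 1/86,400 and never jumps. The 2029-06-30 leap date is a constructed placeholder; no negative leap second has actually been scheduled.

```python
from datetime import datetime, timedelta, timezone

DAY = 86_400.0
# Constructed placeholder: the instant UTC would have read 23:59:59 at the end
# of 2029-06-30. No negative leap second has actually been scheduled.
LEAP_UTC = datetime(2029, 6, 30, 23, 59, 59, tzinfo=timezone.utc)
# Monotonic seconds are counted from one day before that instant, so the
# leap falls at mono == DAY.
EPOCH_UTC = LEAP_UTC - timedelta(seconds=DAY)


def step_clock(mono: float) -> datetime:
    """UTC on a clock that applies the negative leap second as a step.
    From the leap instant on, UTC is one second ahead of the monotonic count,
    so 23:59:59 is never displayed: 23:59:58.9 is followed by 00:00:00."""
    offset = 1.0 if mono >= DAY else 0.0
    return EPOCH_UTC + timedelta(seconds=mono + offset)


def smeared_clock(mono: float) -> datetime:
    """UTC on a clock that slews the skipped second over the preceding day.
    Each of those 86,400 seconds is shortened by 1/86,400, so the displayed
    time never jumps and is exactly one second ahead at the leap instant."""
    offset = min(max(mono / DAY, 0.0), 1.0)
    return EPOCH_UTC + timedelta(seconds=mono + offset)


def shows_second(clock, samples, hh=23, mm=59, ss=59) -> bool:
    """True if any sampled monotonic time makes the clock display hh:mm:ss."""
    for m in samples:
        t = clock(m)
        if (t.hour, t.minute, t.second) == (hh, mm, ss):
            return True
    return False


def max_jump(clock, samples) -> float:
    """Largest change in displayed UTC between consecutive samples, in seconds."""
    shown = [clock(m) for m in samples]
    return max((b - a).total_seconds() for a, b in zip(shown, shown[1:]))


# Constructed monotonic samples: every half second from 3 s before the leap.
SAMPLES = [DAY + 0.5 * k for k in range(-6, 3)]

if __name__ == "__main__":
    for name, clock in (("step", step_clock), ("smeared", smeared_clock)):
        print(f"{name}: shows 23:59:59? {shows_second(clock, SAMPLES)}, "
              f"largest jump {max_jump(clock, SAMPLES):.6f}s")
```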