Cyber Security Headlines: Inside RaaS, cyber education initiatives, attacking TP-Link routers

An inside look at RaaS

A new report from Group-IB details the inner workings of the ransomware-as-a-service operator Qilin. The firm infiltrated the group in March 2023. It found that the group customizes attacks for each victim for maximum impact. This includes things like changing file extensions and targeting specific processes and services to terminate during an attack. Qilin pays affiliates 80-85% of ransom payments. It also provides affiliates with an admin panel to oversee ongoing operations. The group generally equips affiliates to use phishing emails with malicious links to obtain initial access, then carries out a classic double-extortion attack. The report warns that Qilin actively recruits affiliates and provides upgraded tools and techniques to quickly weaponize them.

(The Hacker News)

White House cyber strategy goes big on education

In a speech to the National Security Telecommunications Advisory Committee, acting national cyber director Kemba Walden said providing “foundational cyber skills” was a central part of the Biden administration's cyber strategy. Walden marked this as one of four pillars of its upcoming implementation plan. This would include efforts to educate citizens on digital literacy, computational math and digital resilience. Other aspects include transforming cyber education, growing the available cyber workforce in the US, and specifically increasing federal staff.


Chinese attackers hit TP-Link routers

Researchers at Check Point report that the Chinese state-sponsored group dubbed “Camaro Dragon” used custom malware called “Horse Shell” to infect residential TP-Link routers. This installed malicious firmware designed to give the attackers a persistent backdoor, letting them launch attacks that appeared to come from the device’s home network. The attackers seem to use the routers to attack European foreign affairs organizations. It’s not clear how the attackers infected the routers with the firmware, but it may simply come from a brute-force attack. The researchers say the firmware implant isn’t specific to anything implemented by TP-Link, so it could work on other routers’ firmware images.

(Bleeping Computer)

Popular parental control app vulnerable

The Android app Kids Place offers a parental control suite downloaded over 5 million times on the Play Store. However, researchers at SEC Consult discovered multiple flaws in the app that could allow uploading arbitrary files to devices, allow kids to bypass restrictions, or allow stealing user credentials. Vulnerabilities include returning an unsalted MD5 password hash on login, triggering a cross-site scripting payload on the management dashboard by changing the device name, and allowing anyone to upload files to an AWS S3 bucket that would automatically download to a connected device. The researchers contacted the app’s developer, and the most recent update fixes the issues, but all older versions remain at risk.

(Bleeping Computer)
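The first Kids Place finding above, an unsalted MD5 password hash handed back on login, is a textbook credential-storage weakness. The following Python snippet is an added example, not code from the app, SEC Consult or the article; it uses constructed demo accounts and a constructed short list of common passwords to show, side by side, why an unsalted fast hash is a poor verifier (identical passwords collide, and one precomputed table serves every account) and what the hardened form looks like (per-user random salt, PBKDF2-HMAC-SHA256 with a work factor, constant-time comparison, and a stored string that never leaves the server). The `pbkdf2_sha256$…` storage layout is an assumed convention for the demo, not the app's format.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed demo accounts (not data from the app or the advisory).
DEMO_USERS = {
    "alice": "Summer2023!",
    "bob": "Summer2023!",  # deliberately the same password as alice
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a precomputed "common passwords" table.
COMMON_PASSWORDS = ["password", "123456", "Summer2023!", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast MD5 over the raw password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recover_from_unsalted(hash_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Audit-side check showing why unsalted hashes are weak: a table built once serves
    every account, and identical passwords yield identical hashes, so one match exposes
    all accounts that share the password."""
    table = {md5_unsalted(p): p for p in candidates}
    return table.get(hash_hex)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: per-user random salt plus PBKDF2-HMAC-SHA256 with a work factor.
    Stored form (assumed layout for this demo): pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time.
    Only the boolean result is ever sent to the client; the stored string stays server-side."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def compare_schemes() -> dict:
    """Run both schemes over the demo accounts and summarise what a reviewer observes."""
    weak = {u: md5_unsalted(p) for u, p in DEMO_USERS.items()}
    # Low iteration count only to keep the demo fast; use the default in real code.
    strong = {u: pbkdf2_hash(p, iterations=10_000) for u, p in DEMO_USERS.items()}
    return {
        "md5_alice_equals_bob": weak["alice"] == weak["bob"],
        "pbkdf2_alice_equals_bob": strong["alice"] == strong["bob"],
        "md5_recovered_alice": recover_from_unsalted(weak["alice"], COMMON_PASSWORDS),
        "md5_recovered_carol": recover_from_unsalted(weak["carol"], COMMON_PASSWORDS),
        "pbkdf2_verify_alice": pbkdf2_verify("Summer2023!", strong["alice"]),
        "pbkdf2_verify_wrong": pbkdf2_verify("wrong", strong["alice"]),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Running it shows alice and bob sharing one MD5 value and alice's password falling to the tiny table, while the two PBKDF2 strings differ and only the correct password verifies. The second half of the fix is behavioural rather than cryptographic: a login endpoint should return a session token or a yes/no, never the stored verifier.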

And now a word from our sponsor, Hunters

If your SIEM is causing an endless cycle of noisy alerts, manually writing generic detection rules, and limited data ingestion & retention, your SOC might need an upgrade. Hunters is a SaaS platform, purpose-built for your Security Operations team. Solaris Group, a leading German FinTech, implemented Hunters SOC Platform to eliminate the burden of redundant detection engineering and manual event correlation, allowing SOC analysts to focus on higher-value tasks. Visit to learn how your SOC can Move Beyond SIEM and let them know you heard about Hunters on the CISO Series.

Microsoft scanning password-protected ZIP files

Security researcher Andrew Brandt posted on Mastodon that Microsoft began scanning password-protected ZIP files on SharePoint for malware. Brandt used these for backing up and sharing malware with other researchers. As researcher Kevin Beaumont noted, Microsoft does this on other cloud services like OneDrive. However, Brandt notes this seems to be new behavior on SharePoint.

Both researchers note this behavior would be desirable for almost all other users as an effective malware prevention approach. However, they found it increasingly difficult to save and share malware samples due to these types of measures. To access ZIP file content, Beaumont says Microsoft looks for passwords in emails containing ZIP files to use for scanning, or will use a list of common passwords.

(Ars Technica)

The shocking consequences of bad firmware

At the Black Hat Asia conference, two researchers from the University of Birmingham in England showed their latest attack vector using modified voltage on a target system. Dubbed PMFault, the attack uses malicious Board Management Controller firmware to undervolt the PMBus. The researchers say this breaks the integrity guarantees of Intel’s Software Guard Extensions and bypasses previous Intel countermeasures. The researchers also showed that subsequently overvolting the bus could brick the system’s CPU. The attackers would need root access to a machine and an attached Ethernet cable to use PMFault. However, the researchers say this proves “less messy” than the previous VoltPillager attack they showed off.

(The Register)

Cloudflare tries to secure generative AI

We’ve recently seen large organizations taking measures to protect against potential data leaks through generative AI systems. Samsung recently banned the use of the tech over these concerns. Meanwhile, Microsoft announced plans for private ChatGPT servers. As a potential middle ground, Cloudflare announced Cloudflare One for AI. This provides a set of zero-trust security controls for organizations using generative models. It includes visibility and usage measurement tools, tools to manage budgeting and licenses, logs of API requests, and control over which services can access training data. Admins can also set the types of sensitive data or intellectual property to scan for when employees upload data to these services over their network.


US charges and sanctions central figure in Babuk 

The US Department of the Treasury announced economic sanctions against Mikhail Matveev, barring financial dealings with him. He is accused of acting as a central figure in the Babuk ransomware organization. The State Department also offered a $10 million reward for information leading to his arrest. This comes after the Justice Department unsealed an indictment against Matveev, accusing him of working with Babuk operators to deploy ransomware against the Washington DC police department in 2001. Matveev also goes by the online alias Wazawaka, an actor whom security researcher Brian Krebs identified last year as a major DDoS and ransomware access broker.


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.