The Register

US Cyber Command reportedly pauses cyberattacks on Russia

Infosec In Brief US Defense Secretary Pete Hegseth has reportedly ordered US Cyber Command to pause offensive operations against Russia, as the USA’s Cybersecurity and Infrastructure Security Agency (CISA) has denied any change in its posture.

The order was first reported by The Record and has since been confirmed by The New York Times, The Washington Post and other outlets.

Cyber Command is one of eleven unified combatant commands, orgs that combine personnel from multiple departments of the US military. The Command describes its dual mission as “to defend the nation and, if necessary, engage our enemies in the cyber domain.”

As reports of the order to pause ops directed against Russia proliferated, CISA’s X account posted the following:

The timing of that post could be taken as a riposte to reporting on the stand-down order reportedly given to Cyber Command.

Or it could be a response to other reports that claim CISA has set new priorities that include defending against China, but which omit mentions of Russia.

The Register fancies the latter scenario is more likely as CISA doesn’t conduct offensive operations (although it does run training on how to do so) and is part of the Department of Homeland Security. The org describes itself as the “National Coordinator for Critical Infrastructure Security and Resilience” that “works with partners at every level to identify and manage risk to the cyber and physical infrastructure that Americans rely on every hour of every day.”

It makes little sense for CISA to describe its unchanged stance in the context of an order directed at Cyber Command.

Reporting on the ‘Don’t hack Moscow’ story quotes Trump administration appointees as saying the cyber-ops pause is a tactic to get Russia to the negotiating table to discuss Vladimir Putin’s illegal invasion of Ukraine.

If it’s a tactic, it’s a generous one because none of the stories we’ve seen on this apparent order mention the US seeking reciprocity from Moscow. President Putin therefore remains free to keep using the sophisticated cyber-armory he has many times directed against American targets in operations such as the Sandworm credential-stealing campaign, ransomware sprees, and phishing.

Those last three links are some of our most recent reporting on Russia-linked actors. Our archives are full of many more stories about Kremlin-linked operations and operatives like NotPetya, Cozy Bear, Fancy Bear, Midnight Blizzard, and troll armies. And who could forget the SolarWinds supply chain attack?

Plenty of those efforts had big impacts in the USA, but the most recently revealed large-scale attack on America came from the China-backed Salt Typhoon infiltration of most US phone networks. Foreign policy analysts suggest the Trump Administration hopes to settle its relationship with Russia so it can focus more of its attention on China.

– With Simon Sharwood

Phishing suspects used fishing gear as alibi during Police sting

Police in the Netherlands have cuffed alleged phishers who were carrying fishing equipment in an attempt to disguise the fact they were on the way to collect loot from their victims.

The Police pretended to fall for a phishing scam and, to convince the alleged perps they’d been fooled, arranged to meet and hand over cash and jewelry.

The meetups were actually sting operations, and the police cuffed suspects once they showed up.

Some of the phisherfolk claimed they were not doing anything untoward but were instead heading out for a spot of actual fishing. To prove their alibi, some even carried fishing equipment in their cars.

“They immediately stated that they had no idea why they were being stopped. Creative, but of course, we won’t fall for this,” the Police told local media.

Medusa can’t read maps?

An online extortion crew was apparently left red faced last week after trying to extort the wrong target.

According to a Cybernews report, the notorious Medusa ransomware gang claimed it had stolen data from the city of Aurora, Colorado, and would delete it if paid $230,000.

Aurora, Colorado, is home to almost 400,000 residents.

However, the data appears to have been stolen from the city of Aurora, Nebraska, home to fewer than 5,000 people.

The Register fancies that the tax base of the Colorado city means it has a spare $230,000 to make this go away. The Nebraskan town probably doesn’t and has to figure out how to handle a data breach.

Apple Find My turned into a snooping tool

A team at George Mason University has found a way to have Apple’s “Find My” device-tracking tool report on the location of many Bluetooth-enabled devices – not just the Apple kit it’s intended to track.

The technique, dubbed nRootTag, uses Apple’s network of Bluetooth sensors to track Linux, Windows, and Android systems.

The technique requires trojan code to be present on the target device, and involves brute-force discovery of private keys used to encrypt location info stored by Find My.

The researchers used GPUs for that effort, and found “The attack achieves a success rate of over 90% within minutes at a cost of only a few US dollars.”

The technique will be presented at August’s USENIX 2025 conference in Seattle.

Nasty vulns of the week

CVSS 9.2 – Ping Identity has warned about a flaw in its PingAM Java Agent identity management software that would allow code injection.

CVSS 8.8 – Citrix has fixed a serious privilege escalation flaw in its NetScaler Console and Agent that could potentially lead to remote code execution. The company has warned no workaround is available.

CVSS 7.4 – Cisco’s Nexus 3000 and 9000 series switches need a fix to block a potential denial of service attack in devices left in standalone NX-OS mode.

CVSS 6.6 – Chat widget TawkTo Widget is open to cross-site scripting attacks and needs patching to avoid malicious JavaScript injection.

Cellebrite exploits unpatched flaws to surveil Serbians

Amnesty International has reported that commercial surveillanceware outfit Cellebrite has been caught using linked flaws to spy on Android phones, one belonging to a Serbian student.

Cellebrite claims it only works with governments in search of legitimate criminal targets. However, the case uncovered by Amnesty shows student activists being targeted using three flaws in Android’s Linux kernel USB drivers.

The first, CVE-2024-53104, was patched in Android this month. The other two – CVE-2024-53197 and CVE-2024-50302 – have been patched in the Linux kernel but not yet in Android. We’ll keep an eye on March’s updates, due next week.

Cellebrite has since said it will stop selling to the Serbians “at this time.”

Belgian cops need a Poirot after Chinese hack

A spying operation by China has reportedly scooped a huge volume of emails from the Belgian State Security Service.

The two-year campaign has reportedly hoovered up the personal information of about half the agency’s members. The attackers apparently subverted a Barracuda Networks email gateway to capture emails from the Security Service and those of the Belgian Pipeline Organisation, which manages undersea pipes in the North Sea.

No classified material was lost in the attack, and Belgian prosecutors are investigating. ®
