Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news. They cover: * SEC Twitter account hack moves bitcoin price * Kaspersky admires Triangulation hackers’ fine work * Telcos hacked all over * Israel hacks Iranian gasoline pumps again * Iran up in Albania, Sudan, Egypt and Tanzania * and much, much more…

This week’s show is brought to you by Nucleus Security. Co-founder Scott Kuffer joins us to talk about why patch management is more nuanced than just “patch fast!”

Show notes

• U.S. Securities and Exchange Commission on X: "The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products." / X
• Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked | Ars Technica
• 4-year campaign backdoored iPhones using possibly the most advanced exploit ever | Ars Technica
• Spyware attack chain used previously unknown iPhone hardware feature, report says
• "Dutch engineer carried out Iranian nuclear sabotage": VK - DutchNews.nl
• Russian hackers infiltrated Ukrainian telecom giant months before cyberattack
• Ukraine telecom cyberattack one of ‘highest-impact’ hacks of the war
• Pro-Ukraine hackers claim breach of Russian internet provider
• Ukraine says Russia hacked web cameras to spy on targets in Kyiv
• Optus outage: Banks, telcos to be quizzed at Senate hearing
• A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier | Ars Technica
• Albanian parliament, telecom company hit by cyberattacks
• Paraguay military warns of ‘significant impact’ of ransomware after attack on internet provider
• Iran confirms nationwide cyberattack on gas stations
• Hackers disrupt Beirut airport with anti-Hezbollah message
• Telecom organizations in Africa targeted by Iran-linked hackers
• Myanmar rebels take control of ‘pig butchering’ scam city amid Chinese pressure on junta
• AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. | Ars Technica
• BreachForums administrator detained after violating parole
• Autistic teen behind spate of Lapsus$ hacks sentenced to indefinite hospital stay
• Global law enforcement seizes $300 million, arrests 3,500 involved in transnational cybercrime operation
• Toronto Zoo says it remains open after ransomware attack
• Central Bank of Lesotho facing outages after cyberattack
• Kansas City-area hospital transfers patients, reschedules appointments after cyberattack
• Cyberattack on Massachusetts hospital disrupted records system, emergency services
• LockBit claims November attack on New Jersey hospital that disrupted patient care
• First American becomes latest real estate industry giant hit with cyberattack
• Ivanti warns of critical vulnerability in its popular line of endpoint protection software | Ars Technica
• US officials say Russian targeting JetBrains servers for potential SolarWinds-style operations | Reuters
• SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica
• LastPass enforces 12-character master password lengths | Cybersecurity Dive
• FTC soliciting contest submissions to help tackle voice cloning technology
• Biden signs short-term FISA extension before year-end deadline
• Foone: "The 37C3 talk on TEA1 encrypti…" - Infosec Exchange
• Crypto hedge fund CEO may not exist; probe finds no record of identity | Ars Technica