CTRL + ALT + SEC

Tag: Scattered Spider

What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 7/21/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Woman gets 8 years for aiding North Koreans infiltrate 300 US firms

This article details the sentencing of Christina Marie Chapman to 102 months in prison for her pivotal role in a sophisticated scheme that allowed North Korean IT workers to infiltrate over 300 U.S. companies. Chapman facilitated this by operating a “laptop farm” in her Arizona home, creating the illusion that the workers were based in the United States. Her co-conspirator, Ukrainian citizen Oleksandr Didenko, ran an online platform, UpWorkSell, which provided false identities for the North Koreans seeking remote IT positions. This elaborate operation enabled the North Korean workers to illicitly collect over $17 million, a portion of which was funneled through Chapman’s financial accounts.

The scope of this infiltration was extensive, with North Korean individuals securing remote software and application development roles in a wide array of high-profile U.S. entities, including Fortune 500 companies, an aerospace and defense firm, a major television network, and a Silicon Valley technology company. This access not only generated significant illicit revenue for the North Korean regime but also posed substantial national security risks by potentially exposing sensitive information and intellectual property within critical U.S. industries. The scheme highlights the persistent and evolving methods used by foreign adversaries to exploit vulnerabilities in remote work environments.

In response to this and similar incidents, U.S. authorities have intensified their efforts to counter North Korean IT worker schemes. The Department of Justice has been actively disrupting extensive networks involved in these operations, leading to charges against individuals like Chapman and Didenko, as well as other foreign nationals. Concurrently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued sanctions against North Korean front companies and associated individuals. These actions, coupled with updated FBI guidance for U.S. businesses and joint advisories with international partners, underscore a concerted strategy to mitigate the threat posed by North Korea’s illicit revenue generation and espionage activities.

Projects
- TryHackMe – Web Application Basics – In Progress
Articles
- Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks – Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.
- CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks – The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- Ukraine arrests suspected admin of XSS Russian hacking forum – The suspected administrator of the Russian-speaking hacking forum XSS.is was arrested by the Ukrainian authorities yesterday at the request of the Paris public prosecutor’s office.
- ExpressVPN bug leaked user IPs in Remote Desktop sessions – ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users’ real IP addresses.
- Nuclear Weapons Agency Breached in Microsoft SharePoint Hack – The US agency responsible for maintaining and designing the nation’s cache of nuclear weapons was among those breached by a hack of Microsoft Corp.’s SharePoint document management software, according to a person with knowledge of the matter.
- Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure – The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America.
- UK Student Sentenced to Prison for Selling Phishing Kits – Ollie Holman was sentenced to prison for selling over 1,000 phishing kits that caused estimated losses of over $134 million.
- Woman gets 8 years for aiding North Koreans infiltrate 300 US firms – Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison after pleading guilty to her involvement in a scheme that enabled North Korean IT workers to infiltrate 309 U.S. companies.
Podcasts
July 28, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 7/7/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Elmo’s X account was hacked and shared antisemitic and racist posts

The recent hacking of Elmo’s X (formerly Twitter) account represents a concerning incident that transcends a simple social media breach, highlighting broader vulnerabilities and the potential for weaponized online platforms. The unauthorized posts, which included antisemitic, racist, and politically charged content, not only severely damaged the innocent and wholesome brand associated with Elmo and Sesame Street but also demonstrated how easily prominent accounts can be leveraged to disseminate harmful narratives. The fact that such hateful messages were visible to nearly 650,000 followers, even for a brief period, underscores the immediate and widespread impact that compromised accounts can have on public discourse and perception. This event serves as a stark reminder of the constant threat of cyberattacks and the imperative for robust security measures across all major online platforms.

This incident also brings into focus the ongoing challenges faced by X, particularly in light of previous controversies surrounding its AI chatbot Grok and the proliferation of extremist views on the platform. The “disgusting” nature of the hacked posts, as described by Sesame Workshop, echoes similar issues where X has struggled to contain inflammatory content, including antisemitic remarks. The repeated instances of problematic content, whether through compromised accounts or algorithmic failures, raise serious questions about X’s content moderation strategies and its ability to safeguard users from harmful material. While XAI has acknowledged and attempted to address issues with Grok, the Elmo hack suggests that the platform’s vulnerabilities extend beyond AI-generated content to fundamental account security.

Ultimately, the Elmo account hack is more than just an isolated security breach; it’s a symptom of a larger, more complex problem concerning online safety, platform responsibility, and the weaponization of social media. For a character universally associated with childhood innocence and positive values to be used as a conduit for hate speech is deeply disturbing and illustrates the insidious nature of online extremism. This event should prompt renewed scrutiny of social media companies’ commitment to preventing abuse, ensuring account integrity, and protecting their users from the dissemination of harmful ideologies. The incident reinforces the critical need for continuous vigilance, technological advancements in security, and a proactive approach to combating the misuse of online platforms.

Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Projects
- TryHackMe – Web Application Basics – In Progress
Articles
- FBI warns travelers of ‘Scattered Spider’ group targeting airlines – SFGATE contributor Jim Glab rounds up air travel and airport news for our weekly column Routes
- Qantas is being extorted in recent data-theft cyberattack – Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers.
- Columbia data stolen in cyberattack that caused dayslong IT outage, University says – Bloomberg News reported that the alleged hacker stole the personal information of Columbia applicants.
- AT&T Reaches $177M Deal Over 2019 and 2024 Data Breaches – AT&T’s $177M data breach settlement. Check eligibility for payouts from 2019 and 2024 incidents.
- Alleged Chinese State Hacker Wanted by US Arrested in Italy – Xu Zewei has been arrested on charges that he is a member of the Chinese state-sponsored hacking group Hafnium (Silk Typhoon).
- Canadian Electric Utility Says Power Meters Disrupted by Cyberattack – Nova Scotia Power is notifying individuals affected by the recent data breach, including in the United States.
- U.S. Sanctions North Korean Andariel Hacker Behind Fraudulent IT Worker Scheme – The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme.
- Russian pro basketball player arrested for alleged role in ransomware attacks – Russian professional basketball player Daniil Kasatkin was arrested in France at the request of the United States for allegedly acting as a negotiator for a ransomware gang.
- Elmo’s X account hacked to publish racist and antisemetic posts – In case it wasn’t obvious, no, that’s not the real Elmo that posted racist and antisemetic posts on Elon Musk’s X. Someone had hacked into the Sesame Street character’s X account.
Podcasts
July 14, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 6/30/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: US shuts down a string of North Korean IT worker scams

The US Department of Justice has successfully disrupted several sophisticated IT worker scams orchestrated by North Korea, leading to two indictments, one arrest, and the seizure of 137 laptops. These operations involved North Korean IT staff using stolen or fictitious identities to secure remote positions at over 100 US companies. Beyond drawing salaries, these individuals allegedly exfiltrated sensitive data for Pyongyang and engaged in virtual currency theft, with one instance involving a $740,000 cryptocurrency heist. This tactic of deploying remote IT workers, facilitated by the shift to remote work during the COVID-19 pandemic, is a significant evolution from North Korea’s traditional cybercrime activities, which are primarily aimed at circumventing international sanctions and funding their illicit weapons programs.

One key aspect of these scams involved the establishment of “laptop farms” in the US. These farms allowed North Korean coders to remotely control company-issued laptops, making it appear as though the workers were operating within the US, thereby evading detection by employers monitoring IP ranges. Zhenxing “Danny” Wang, one of the indicted individuals, is accused of setting up a fake software development business that funneled approximately $5 million back to North Korea and left US companies with an estimated $3 million in cleanup costs. This complex network highlights the critical role of US-based collaborators in enabling these schemes and the substantial financial gains reaped by both the North Korean regime and its stateside operatives.

The investigations also revealed a more direct form of cryptocurrency theft, as seen in the case of four North Koreans who traveled to the UAE to secure remote programming jobs. These individuals, using stolen identities, were able to gain access to company virtual wallets and subsequently steal significant amounts of cryptocurrency, which was then laundered using sanctioned tools like Tornado Cash. The ongoing nature of these threats underscores the challenges faced by companies hiring remote IT workers and the persistent efforts by North Korea to exploit vulnerabilities for financial gain. The US Department of Justice is actively pursuing these cases, offering substantial bounties for information that helps dismantle North Korea’s illicit financial mechanisms.

Projects
- TryHackMe – Web Application Basics – In Progress
Articles
- US shuts down a string of North Korean IT worker scams – The US Department of Justice has announced a major disruption of multiple North Korean fake IT worker scams.
- Stablecoin protocol Resupply loses $9.6M to price manipulation exploit – A flaw in ResupplyFi’s contract allowed an attacker to manipulate token prices and drain $9.6 million from its wstUSR market.
- Hacker Conversations: Rachel Tobac and the Art of Social Engineering – Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do.
- Hackers stole data on 2.2 million people in cyberattack affecting American grocery chains – The Dutch conglomerate behind dozens of major American supermarket brands said more than 2.2 million people had information stolen from its systems during a cyberattack in November that left customers unable to place delivery orders online.
- Aloha, you’ve been pwned: Hawaiian Airlines discloses ‘cybersecurity event’ – ‘No impact on safety,’ FAA tells The Reg
- The FBI warns that Scattered Spider is now targeting the airline sector – The FBI warns that Scattered Spider is now targeting the airline sector. Feds are working with aviation partners to combat the threat and assist affected victims.
- Ex-student charged over hacking university for cheap parking, data breaches – New South Wales police in Australia have arrested a 27-year-old former Western Sydney University (WSU) student for allegedly hacking into the University’s systems on multiple occasions, starting with a scheme to obtain cheaper parking.
- Qantas Confirms Major Data Breach Linked to Third-Party Vendor – Qantas has confirmed a data breach after attackers gained access through a third-party call centre platform, affecting millions of frequent flyers just as the airline industry heads into its busiest season.
July 7, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 6/2/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: Largest ever data leak exposes over 4 billion user records

The recent exposure of over 4 billion user records in China represents an unprecedented cybersecurity catastrophe, highlighting the extreme vulnerability of personal data in the digital age. This colossal leak, comprising 631 gigabytes of unsecure data, contained a vast array of sensitive information, including financial details, WeChat and Alipay records, residential addresses, and potentially even communication logs. The sheer scale and diversity of the exposed data — ranging from over 800 million WeChat IDs to 630 million bank records and 610 million “three-factor checks” with IDs and phone numbers — strongly suggest a centralized aggregation point, possibly for surveillance, profiling, or data enrichment purposes. This incident underscores a critical failure in data security, leaving hundreds of millions of individuals susceptible to a wide range of malicious activities.

With access to correlated data points on residential information, spending habits, financial details, and personal identifiers, threat actors could orchestrate large-scale phishing scams, blackmail schemes, and sophisticated fraud. The inclusion of Alipay card and token information further raises the risk of unauthorized payments and account takeovers, potentially leading to significant financial losses for users. Beyond individual exploitation, the possibility of state-sponsored intelligence gathering and disinformation campaigns cannot be overlooked, given the perceived nature of the data collection as a comprehensive profile of Chinese citizens. The swift removal of the database after discovery, coupled with the anonymity of its owners, further complicates efforts to understand the breach’s origins and implement protective measures for impacted individuals.

The inability to identify the database’s owners or provide direct recourse for affected users exemplifies the precarious position individuals find themselves in when their data is compromised on such a grand scale. While China has experienced significant data breaches in the past, this incident stands as the largest ever recorded, dwarfing previous exposures.

Projects
- TryHackMe – Hashing Basics – In Progress
Papers
- Research on insider threat detection based on personalized federated learning and behavior log analysis
Articles
- ‘Russian Market’ emerges as a go-to shop for stolen credentials – The “Russian Market” cybercrime marketplace has emerged as one of the most popular platforms for buying and selling credentials stolen by information stealer malware.
- Cartier discloses data breach amid fashion brand cyberattacks – Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers’ personal information after its systems were compromised.
- Meta stopped covert operations from Iran, China, and Romania spreading propaganda – Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread propaganda on social media platforms.
- Victoria’s Secret hit by outages as it battles security incident – Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.
- Crooks fleece The North Face accounts with recycled logins – Outdoorsy brand blames credential stuffing
- Coinbase breach tied to bribed TaskUs support agents in India – A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange.
- Scattered Spider: Three things the news doesn’t tell you – With the recent attacks on UK retailers Marks & Spencer and Co-op, so-called Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption — currently looking like hundreds of millions in lost profits for M&S alone.
- Exclusive: Hackers Leak 86 Million AT&T Records with Decrypted SSNs – Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.
- FBI: Play ransomware breached 900 victims, including critical orgs – In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.
- Largest ever data leak exposes over 4 billion user records – In what’s likely the biggest data leak to ever hit China, billions of documents with financial data, WeChat and Alipay details, as well as other sensitive personal data, were exposed to the public. Worryingly, there’s little that impacted users can do to protect themselves.
Podcasts
- Smashing Security 419: Star Wars, the CIA, and a WhatsApp malware mirage
June 9, 2025