Chinese hackers breached diplomats' email servers in a years-long campaign

China sentences 11 people to death for gambling and Myanmar scam operations, DOJ settles with Georgia Tech over fake cyber assessment score, Google launches new ransomware protection, Microsoft launches a security store, BNB Chain X account hacked, Imgur blocked in UK, much more

The maturation process of Phantom Taurus. Source: Unit42.

Don't miss my CSO piece on the government shutdown and how it deepens US cyber risk, exposing our networks even more to threat actors.

And check out my other CSO piece from today that reviews the loss of liability protection when it comes to threat sharing as a vital info-sharing law lapses.




Researchers at Palo Alto Networks Unit 42 report that a Chinese hacking group, which they track as Phantom Taurus, breached the email servers of foreign ministries as part of a years-long effort targeting the communications of diplomats around the world.

Attackers accessed Microsoft Exchange email servers, gaining the ability to search for information at some foreign ministries.

They specifically searched in the email servers for key terms related to a China-Arab summit in Riyadh, Saudi Arabia, in 2022, said Lior Rochberger, senior researcher at the company. They also searched for names, including Chinese President Xi Jinping and his wife, Peng Liyuan, in the context of that summit, the researchers said.

The researchers declined to specifically identify which countries had their systems breached in the hacking campaign, but wrote in the report that the group’s targeting patterns “align consistently with the People’s Republic of China (PRC) economic and geopolitical interests.”

Palo Alto Networks said the cyber-espionage unit’s operations frequently coincide with major world events, but stopped short of saying definitively that the Chinese government sponsors the hackers. (Emily Forgash / Bloomberg)

Related: Unit 42, HealthcareInfoSecurity.com, Hackread, Slashdot, Insurance Journal, CryptoRank, Infosecurity Magazine, IT Pro, CyberScoop, Security Week

A court in China sentenced 11 people to death for their alleged roles in a family-run crime syndicate accused of running illegal gambling and scam operations worth more than $1.4bn, and for the deaths of workers who disobeyed them.

The Wenzhou intermediate people’s court on Monday sentenced 11 members of the powerful Ming family in Kokang, Myanmar, to death, while another five were handed death sentences suspended for two years.

A further 12 defendants received jail sentences of between five and 24 years. Two-year suspended death sentences are often converted to life in prison.

China issued arrest warrants for four members of the Ming family in November 2023 on suspicion of fraud, murder, and illegal detention as part of a crackdown on illegal scam operations near the border with Myanmar.

The syndicate had “relied on armed force” to establish multiple compounds in Kokang, the court said in a statement posted on social media.

The court alleged the group had killed 14 people, including 10 involved in fraud who had tried to escape from the group or disobeyed its management. It cited one incident in October 2023, when the accused allegedly “opened fire” on people at a scam compound to prevent them from being transferred back to China. (The Guardian)

Related: Metro, CNN, BBC News, OCCRP, The Times, South China Morning Post, Associated Press

An $875,000 payment to the US government will settle a suit against Georgia Tech and Georgia Tech Research Corporation over allegations that they failed to install antivirus tools at Georgia Tech’s Astrolavos Lab while it conducted sensitive cyber-defense research for the Pentagon.

The Justice Department said that Georgia Tech and the affiliate company submitted a false cybersecurity assessment score to the Defense Department.

“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Brett Shumate, assistant attorney general of the Justice Department’s Civil Division.

Under the settlement agreement, neither side concedes to the other over the allegations. (Tim Starks / CyberScoop)

Related: Justice Department, Bloomberg Law, WSB

Google launched a new defense for its Google Drive for desktop apps that aims to quickly detect ransomware activity and halt cloud syncing before an infection can spread.

While antivirus scanners monitor for signs of malware across a system, the new ransomware protections in Drive for desktop are meant to act as an additional line of defense. The detection capability is built on an AI model that Google trained using millions of real victims’ files that had been encrypted with various strains of ransomware.

The feature is designed to detect and contain suspected ransomware in the desktop Drive client very quickly. For enterprise Google Workspace customers, it protects files of any format stored in Drive for desktop and lets users easily restore any data that is encrypted or corrupted by malware. But like other ransomware detection and data-backup features, the tool is a treatment, not a cure.

Designed to work in tandem with the malware monitoring tools that Google already builds into Drive, Chrome, and Gmail, the protection was built using the expertise of Google's core antivirus software development team. (Lily Hay Newman / Wired)

Related: PCMag, The Register, Google Workspace Blog, Google Help Center, Android Police, TechWire Asia, Techzine Global, iTnews, CRN, 9to5Google, ComputerWeekly.com, Chrome Unboxed, The Verge

Users see this notification in Drive for desktop when ransomware has been detected on their device, automatically pausing file syncing to the cloud. Source: Google.

Microsoft is launching a Security Store that will be full of security software-as-a-service (SaaS) solutions and AI agents.

It’s part of a broader effort to sell Microsoft’s Sentinel security platform to businesses, complete with Microsoft Security Copilot AI agents that can be built by security teams to help tackle the latest threats.

The Microsoft Security Store is a storefront designed for security professionals to buy and deploy SaaS solutions and AI agents from Microsoft’s ecosystem partners. Darktrace, Illumio, Netskope, Perfomanta, and Tanium are all part of the new store, with solutions covering threat protection, identity and device management, and more.

A lot of the solutions will integrate with Microsoft Defender, Sentinel, Entra, Purview, or Security Copilot, making them quick to onboard for businesses that are fully reliant on Microsoft for their security needs. This should cut down on procurement and onboarding times, too.

Alongside the Security Store, Microsoft is also allowing Security Copilot users to build their own AI agents. (Tom Warren / The Verge)

Related: Microsoft, ZDNET, Petri IT Knowledgebase, SiliconANGLE

Microsoft’s new Security Store is accessible from the web. Source: Microsoft

Binance founder Changpeng “CZ” Zhao confirmed the incident, warning his followers not to interact with the malicious posts containing phishing links. “The hacker posted a bunch of links to phishing websites that ask for Wallet Connect. Do NOT connect your wallet,” CZ wrote.

He added that BNB Chain’s security teams have notified X and are working to suspend the account and restore access. Zhao said takedown requests for the phishing sites have already been submitted.

SlowMist’s chief information security officer, who goes by the handle 23pds on X, said attackers used a classic trick, swapping letters in the phishing domain to make it appear legitimate.

“BNB Chain’s English official X account has been hacked! The phishing website changed the letter i into l,” 23pds posted, warning users not to be deceived. The security professional also suggested that the malicious domain belongs to the infamous Inferno phishing group.

The Inferno Drainer is a crypto wallet-draining software and phishing-as-a-service platform that emerged around 2022 and gained notoriety in 2023. It operates by allowing its affiliates to deploy ready-made phishing sites that mimic legitimate crypto project interfaces. (Ezra Reguerra / CoinTelegraph)

Related: Decrypt, TipRanks, Cryptopolitan, FXStreet

Image hosting platform Imgur has blocked people in the UK from accessing its content.

UK users trying to access Imgur on Tuesday were met with an error message saying "content not available in your region," with Imgur content shared on other websites also no longer showing.

The UK's data watchdog, the Information Commissioner's Office (ICO), said it recently notified the platform's parent company, MediaLab AI, of plans to fine Imgur after probing its approach to age checks and use of children's personal data.

A help article on Imgur's US website, seen by the BBC, states that "from September 30, 2025, access to Imgur from the United Kingdom is no longer available".

"UK users will not be able to log in, view content, or upload images. Imgur content embedded on third-party sites will not display for UK users."

The ICO launched its investigation into Imgur in March, saying it would probe whether the companies were complying with both the UK's data protection laws and the children's code. (Liv McMahon / BBC News)

Related: Imgur, r/rimworld, Bleeping Computer, The Verge, Mashable, Resetera

The documents explicitly show that ICE is choosing this product over others offered by the contractor’s competitors because it gives ICE essentially an “all-in-one” tool for searching both masses of location data and information taken from social media.

The documents also show that ICE is planning to use location data once again, remotely harvested from people’s smartphones, after previously saying it had stopped the practice.

Surveillance contractors around the world create massive datasets of phones’ and, by extension, people’s movements, and then sell access to the data to government agencies. In turn, US agencies have used these tools without a warrant or court order.

“The Biden Administration shut down DHS’s location data purchases after an inspector general found that DHS had broken the law. Every American should be concerned that Trump's hand-picked security force is once again buying and using location data without a warrant,” Senator Ron Wyden said. (Joseph Cox / 404 Media)

Best Thing of the Day: Always Good to Not Pay Ransom

Maryland officials say they paid no ransom to the Rhysida gang, and services have been fully restored in the wake of a ransomware attack that exposed personal data and disrupted bus services at the state’s transportation agency.

Worst Thing of the Day: The Zodiac Killer Doesn't Want Data Protection for Officials

Sen. Ted Cruz (R-TX) has blocked an effort to pass legislation that would have extended data privacy protections for federal lawmakers and public officials to everyone in the United States.

Bonus Worst Thing of the Day: Add This to the Panoply of Adolescent Woes

Schools and colleges hit by cyberattacks are taking longer to restore their networks, and the consequences are severe, with students' coursework being permanently lost in some cases.

Closing Thought
