Russian group Turla impersonated Kaspersky to spy on embassies

China accuses US of exploiting Exchange flaw to steal data and launch attacks, China grills Nvidia on AI chip security risks, Google was indexing ChatGPT conversations, UK age verification law is blocking non-porn content, Illumina to pay $9.8m to resolve US cybersecurity complaint, much more

Russian group Turla impersonated Kaspersky to spy on embassies
Secret Blizzard AiTM infection chain. Source: Microsoft.

A Special Appeal

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

Researchers at Microsoft report that the notorious Russian hacking group known as Turla or Secret Blizzard is impersonating a prominent cybersecurity firm and using the country’s internet providers to spy on foreign embassies.

The attackers engaged in a “large scale” cyber-espionage campaign in which they used Russian internet service providers, or ISPs, to conduct their hacks, according to Microsoft. Turla hackers also disguised their malware to impersonate cybersecurity software from the Russian cybersecurity company Kaspersky.

With access to those Russian ISPs, the hackers then targeted foreign embassies in Moscow, redirecting victims’ internet traffic and delivering malware as part of the apparent intelligence-gathering operation, the report said. Microsoft declined to name specific targets.

Microsoft said Secret Blizzard uses an adversary-in-the-middle (AiTM) position to deploy their custom malware called ApolloShadow, which can install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling the group to maintain persistence on diplomatic devices, likely for intelligence collection.

This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities that rely on local internet providers. (Patrick Howell O'Neill / Bloomberg and Microsoft)
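Because the mechanism described above hinges on a malicious root certificate being added to the device's trusted store, the defender-side check is to compare the root store against an approved baseline. The following is an added example (not Microsoft's code or anything from its report) that parses a constructed CSV inventory of a machine's trusted roots (thumbprint, subject, NotBefore, the fields a root-store export or endpoint agent could supply) and flags roots that are not in the baseline, noting whether the root was created only recently, which is typical of a root dropped by malware rather than shipped in a platform update. All thumbprints, subjects and dates are placeholder values constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed baseline: thumbprints the organisation has approved for the
# machine root store (placeholder values, not real CA thumbprints).
APPROVED_ROOTS = {
    "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334": "Example Public CA G1",
    "0FEDCBA9876543210FEDCBA9876543210FEDCBA9": "Example Enterprise Root CA",
}

# Constructed inventory in the shape of a root-store export:
# Thumbprint,Subject,NotBefore (ISO date). Two rows match the baseline; the
# third is an unapproved root whose NotBefore is days before the snapshot.
INVENTORY_CSV = """Thumbprint,Subject,NotBefore
A1B2C3D4E5F60718293A4B5C6D7E8F9001122334,CN=Example Public CA G1,2015-03-01
0FEDCBA9876543210FEDCBA9876543210FEDCBA9,CN=Example Enterprise Root CA,2019-06-12
1111222233334444555566667777888899990000,CN=Security Vendor Root Certificate,2025-07-20
"""

# Constructed date on which the inventory snapshot was taken.
SNAPSHOT = datetime(2025, 8, 1)


def audit_root_store(csv_text, approved, snapshot_date, recent_days=90):
    """Return one finding per root that is absent from the approved baseline.

    Each finding carries the thumbprint, the subject, and a 'recent' flag that
    is True when the root's NotBefore lies within recent_days of the snapshot.
    A freshly minted root that nobody approved is the pattern to escalate.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        thumb = row["Thumbprint"].strip().upper()
        if thumb in approved:
            continue
        not_before = datetime.strptime(row["NotBefore"].strip(), "%Y-%m-%d")
        age = snapshot_date - not_before
        findings.append({
            "thumbprint": thumb,
            "subject": row["Subject"].strip(),
            "not_before": not_before.date().isoformat(),
            "recent": age <= timedelta(days=recent_days),
        })
    return findings


if __name__ == "__main__":
    for f in audit_root_store(INVENTORY_CSV, APPROVED_ROOTS, SNAPSHOT):
        tag = "RECENT " if f["recent"] else ""
        print(f"unapproved root {tag}{f['thumbprint']} {f['subject']} "
              f"(NotBefore {f['not_before']})")
```

In practice the baseline is the set of thumbprints your platform vendor and PKI team have signed off on, and the inventory is collected from each endpoint on a schedule; a new, unapproved, recently created root on a handful of machines that share an ISP is exactly the signal this campaign would leave.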

Related: The Record, The Register, Wired, Nextgov/FCW, 112.ua, Mezha, Ukrainska Pravda, UNN, Ukrinform, WinBuzzer, Security Affairs, Al Jazeera

ApolloShadow execution flow. Source: Microsoft.

The Cyber Security Association of China accused the US of exploiting a flaw in Microsoft Corp.’s email servers to steal military data and launch cyberattacks on its defense sector.

The association said that US actors had been linked to two major cyberattacks on Chinese military companies, without naming them. They exploited flaws in Microsoft Exchange to control the servers of a key company in the defense sector for nearly a year, it added. The association is a little-known entity backed by the powerful Cyberspace Administration of China.

“Every nation state in the world carries out offensive cybersecurity campaigns against others,” said Jon Clay, vice president of threat intelligence at Trend Micro. “I’m assuming at this point, because of the recent SharePoint vulnerability that Microsoft attributed to China, they are coming out and saying, hey, the US has been targeting us with exploits.” (Jane Lanhee Lee and Mark Anderson / Bloomberg)

Related: China Cyberspace Security Association, Digwatch, Economic Times

The Cyberspace Administration of China, China’s cybersecurity regulator, has summoned hot chip giant Nvidia's representatives to discuss the security risks of artificial-intelligence chips it sells in China.

The regulator wants Nvidia to explain the “backdoor security risks” associated with its H20 chips sold in China and submit relevant documents.

The move is aimed at “safeguarding the network and data security of Chinese users,” given that American industry experts had said Nvidia’s chips had tracking and remote-shutdown capabilities.

“Cybersecurity is critically important to us. Nvidia does not have ‘backdoors’ in our chips that would give anyone a remote way to access or control them,” a Nvidia spokesperson said. (Sherry Qin / Wall Street Journal)

Related: Reuters, Fast Company, The Washington Post, AFP

Google is indexing conversations with ChatGPT that users have sent to friends, families, or colleagues, turning private exchanges intended for small groups into search results visible to millions.

A basic Google site search using part of the link created when someone proactively clicks “Share” on ChatGPT can uncover conversations where people reveal deeply personal details, including struggles with addiction, experiences of physical abuse, or serious mental health issues—sometimes even fears that AI models are spying on them. While ChatGPT doesn’t show the users’ identities, some users potentially identify themselves by sharing highly specific personal information during the chats.

A user might click “Share” to send their conversation to a close friend over WhatsApp or to save the URL for future reference. It’s unclear whether those affected realize their conversations with the bot are now publicly accessible after they click the Share button, presumably thinking they’re doing so to a small audience.

Nearly 4,500 conversations come up in results for the Google site search, though many don’t include personal details or identifying information. This is likely not the full count, as Google may not index all conversations.

Hours after news broke of this practice, OpenAI said it removed the feature from ChatGPT that allowed users to make their public conversations discoverable by search engines. The company says this was a short-lived experiment that ultimately “introduced too many opportunities for folks to accidentally share things they didn’t intend to.” (Chris Stokel-Walker / Fast Company and Amanda Silberling / TechCrunch)

Related: Livemint, Search Engine Land, Shelly Palmer, VentureBeat, Business Insider, Tom's Guide, PCMag, Windows Central, PYMNTS.com, Ars Technica

Social media companies ​​are blocking wide-ranging content, including posts about the wars in Ukraine and Gaza, in an attempt to comply with the UK's new Online Safety Act, BBC Verify has found.

The new legislation, which came into effect last Friday, imposes fines on social media companies and other websites that fail to protect under-18s from pornography, posts promoting self-harm, and other harmful content. In severe cases, services could be blocked in the UK.

But BBC Verify found a range of public interest content, including parliamentary debates on grooming gangs, has been restricted on X and Reddit for those who have not completed age verification checks.

Experts warn companies are risking stifling legitimate public debate by overapplying the law. (Ned Davies, Shayan Sardarizadeh & Matt Murphy / BBC News)

The US Justice Department announced that biotech contractor Illumina agreed to a $9.8 million settlement with the US government to resolve allegations that it sold the federal government genomic sequencing systems riddled with cybersecurity flaws.

The case against the biotech company specializing in genetic analysis was brought under the False Claims Act, which allows the Department of Justice to pursue damages from vendors who violate contracts.

The DOJ alleged that between 2016 and 2023, the San Diego-based firm sold government agencies products that included software vulnerabilities. Illumina had an inadequate security program, the government said, and did not sufficiently monitor for or fix cybersecurity issues in its products.

Illumina “knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring,” the DOJ said.

It also starved staff and systems charged with product security of resources and deceptively claimed that its software met national benchmarks for cybersecurity standards, the government said. (Suzanne Smalley / The Record)

Related: Justice Department, The Register, Hoodline

Researchers at GreyNoise found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.

GreyNoise bases this on data from its 'Global Observation Grid' (GOG) collected since September 2024, applying objective statistical thresholds to avoid results-skewing cherry-picking.

After removing noisy, ambiguous, and low-quality data, the firm ended up with 216 events that qualified as spike events, tied to eight enterprise edge vendors.

"Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks," the researchers said.

The correlation was notably stronger for Ivanti, SonicWall, Palo Alto Networks, and Fortinet products, and weaker for MikroTik, Citrix, and Cisco. State-sponsored actors have repeatedly targeted such systems for initial access and persistence.
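The GreyNoise finding is a two-step analysis: detect spike events in scanning activity against a vendor's edge products, then measure how often a CVE is published within three and six weeks of each spike. The following is an added example, not GreyNoise's code or its actual thresholds: it runs a simple trailing-window threshold (a day counts as a spike when it exceeds the mean of the previous seven days by three standard deviations) over a constructed 40-day series of daily scanning-source counts for one vendor, merges consecutive spike days into one event, and computes the share of events followed by a constructed CVE publication date within 21 and 42 days. The series, the dates and the threshold rule are all assumptions made for the example.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed daily counts of unique scanning sources seen against one vendor's
# edge products, 40 days starting 2025-01-01: a flat baseline with two bursts
# (days 14-15 and day 38).
DAILY_COUNTS = [12, 11, 13, 12, 14, 12, 11, 13, 12, 12,
                13, 11, 12, 60, 75, 14, 12, 13, 12, 11,
                12, 13, 12, 12, 11, 13, 12, 12, 13, 12,
                11, 12, 13, 12, 12, 11, 12, 90, 13, 12]
START = date(2025, 1, 1)

# Constructed CVE publication dates for the same vendor.
CVE_DATES = [date(2025, 1, 30), date(2025, 3, 15)]


def find_spikes(counts, start, window=7, k=3.0):
    """Return the start date of each spike event.

    A day is a spike when its count exceeds mean + k * stdev of the preceding
    `window` days (stdev floored at 1 so a flat baseline does not flag a +1
    blip). Consecutive spike days are merged into a single event dated at its
    first day. This threshold rule is an illustration, not GreyNoise's method.
    """
    events, last_spike = [], None
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        threshold = mean(base) + k * max(pstdev(base), 1.0)
        if counts[i] <= threshold:
            continue
        day = start + timedelta(days=i)
        if last_spike is None or (day - last_spike).days > 1:
            events.append(day)  # a new event begins
        last_spike = day
    return events


def time_to_next_cve(events, cve_dates):
    """Days from each spike event to the first CVE published on or after it
    (None when no later CVE exists in the data)."""
    lags = []
    for ev in events:
        later = [(c - ev).days for c in cve_dates if c >= ev]
        lags.append(min(later) if later else None)
    return lags


def fraction_within(lags, days):
    """Share of spike events followed by a CVE within `days` days."""
    if not lags:
        return 0.0
    hits = sum(1 for lag in lags if lag is not None and lag <= days)
    return hits / len(lags)


if __name__ == "__main__":
    events = find_spikes(DAILY_COUNTS, START)
    lags = time_to_next_cve(events, CVE_DATES)
    for ev, lag in zip(events, lags):
        print(f"spike {ev.isoformat()} -> next CVE in {lag} days")
    print(f"within 3 weeks: {fraction_within(lags, 21):.0%}, "
          f"within 6 weeks: {fraction_within(lags, 42):.0%}")
```

On the constructed data the two events (14 January and 7 February) are followed by a CVE after 16 and 36 days, so half fall inside three weeks and all inside six. The cleaning step GreyNoise describes (dropping noisy and ambiguous events before counting) is what keeps a measurement like this from being dominated by background scanning, so the threshold and window are the parameters to tune against your own telemetry.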

In a related development, Google's Project Zero announced that it will begin informing the public that a vulnerability has been discovered within a week, helping system admins bolster their defenses while vendors work on developing a patch. (Bill Toulas / Bleeping Computer)

Related: GreyNoise, SC Media, Infosecurity Magazine

Spike activity and time of disclosure of new CVEs. Source: GreyNoise

As of today, the password-saving feature of Microsoft Authenticator is gone, along with any passwords users have saved in the app.

While the code features and passkeys will still be there, users' stored passwords will be deleted. (Kim Key / PC Mag)

Related: ZDNet, The Independent, Tom's Guide, Mashable, Associated Press

Trend Micro’s Zero Day Initiative (ZDI) announced the targets and prizes for the upcoming Pwn2Own hacking event, set to take place in Cork, Ireland, on October 21-24.

Meta is a sponsor of Pwn2Own Ireland 2025, and up to $1 million is being offered for a WhatsApp exploit that enables remote code execution with no user interaction.

In addition, a one-click WhatsApp remote code execution exploit can earn participants up to $500,000, while a zero-click account takeover exploit can be worth up to $150,000. 

Remote zero-click exploits that enable access to the microphone or video feed, or access to sensitive user data, are worth up to $130,000. An exploit that allows access to user data is worth the same amount even if it requires one click. (Eduard Kovacs / Security Week)

Related: Zero Day Initiative

Researchers at Cloudflare found several phishing campaigns over the past two months that abused compromised email accounts protected by services from Proofpoint and Intermedia.net.

“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” Cloudflare researchers wrote in their report on the attacks. “While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”

Recipients of these rogue emails are more likely to click on wrapped links, assuming security services have already vetted them. At the same time, reputation-based spam filters may fail to block such links, as they appear to point to trusted domains. (Lucian Constantin / CSO Online)

Related: Cloudflare, Soatok

Coinbase's highly-publicized data theft cost the firm $307 million, the company said in its second-quarter earnings report.

While Coinbase estimated the data breach might cost as much as $400 million, the report provided a specific value to losses incurred from cyber criminals bribing some of the firm's offshore customer service representatives to obtain user data and account management records.

Coinbase reported the incident in May. (RT Watson / The Block)

Related: SEC, Dataconomy

Researchers at Semperis report that over the past 12 months, executives at firms hit by ransomware attackers were physically threatened in 40% of the incidents.

This tactic increased to 46% of cases impacting US-based firms.

On top of this, victims reported that threat actors threatened to file regulatory complaints against them if they refused to pay in around half (47%) of attacks.

This threat was common against US companies, occurring in 58% of cases. This is likely due to growing regulatory requirements around cyber incident reporting in the region, including the Securities and Exchange Commission (SEC) four-day disclosure rule for publicly listed firms. (James Coker / Infosecurity Magazine)

Related: Semperis, The Register

Prophet Security, a startup developing autonomous artificial intelligence systems for cybersecurity defense, announced it had raised $30 million in a Series A venture funding round.

Accel led the round with participation from Bain Capital Ventures and other strategic investors. (Michael Nuñez / Venture Beat)

Related: Prophet Security, Tech Republic, Business Wire, FinSMEs

Best Thing of the Day: How a Class Act Responds

Former CISA Director and top-flight warfighter Jen Easterly addressed how she had been canceled by an uninformed conspiracy theorist, concluding that she'll keep showing up and fighting for what is right.

Worst Thing of the Day: How a Class Act Doesn't Respond

Atlassian CEO and co-founder Mike Cannon-Brookes sent a pre-recorded video titled “Restructuring the CSS Team: A Difficult Decision for Our Future” to inform 150 staff members that they were fired.
