Yanluowang initial access broker faces up to 53 years in prison following guilty plea
CBO breach is considered 'ongoing,' Asahi's shipments are at 10% following attack and ahead of holiday season, Payments by British insurers for cyber incidents have tripled, Chinese national faces UK sentencing this week for money laundering, Firefox gets anti-fingerprinting fix, much more

A special salute today to all US veterans who served and are continuing to serve. Thank you.
Get your message, announcement, or white paper in front of thousands of cyber leaders, policy makers, and decision-makers for little more than the cost of an annual Metacurity subscription. Click the button below to find out more about our sponsorship options.
A 25-year-old Russian national, Aleksei Olegovich Volkov, pleaded guilty to multiple charges stemming from his participation in ransomware attacks and faces a maximum penalty of 53 years in prison.
Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven US businesses.
Cisco wasn’t named in the court filings for Volkov’s case, but the enterprise networking and security vendor said it was impacted by an attack attributed to Yanluowang ransomware in May 2022. Cisco linked the attack to an initial access broker who had ties to UNC2447, Lapsus$, and Yanluowang ransomware operators.
Volkov identified targets, exploited vulnerabilities in their systems, and shared access with co-conspirators for a flat fee or percentage of the ransom paid by the victim, according to prosecutors.
Some of Volkov’s alleged victims were unable to function normally without access to their data and had to shut down operations temporarily in the wake of the attacks. Prosecutors said the total amount demanded in ransoms from all seven victims was $24 million.
Volkov pleaded guilty to six charges on Oct. 29, including unlawful transfer of a means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, and conspiracy to commit money laundering. Court Watch was the first to report on Volkov’s guilty plea.
The plea agreement, which was filed Monday, did not include an agreed-upon sentence, but Volkov is required to pay a combined restitution of nearly $9.2 million to the seven victims. (Matt Kapko / CyberScoop)
Related: Court Listener, The Record, The Register, Bleeping Computer
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’s nonpartisan scorekeeper.
Employees at the Library of Congress were warned in a Monday email that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.
Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.
“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.
“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.
Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.
A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident. (Katherine Tully-McManus / Politico)

The ransomware attack on Japanese beer maker Asahi Group last month has severely slowed operations, with shipments currently at just 10% of normal levels, according to an Asahi spokesperson.
The timing couldn’t be worse: December is typically its strongest month, with Super Dry alone accounting for 12% of its annual sales volume.
The attack knocked out the internal system that handled all orders and shipments online. As an emergency measure, the company reverted to processing them manually — in person, over the phone, and even by fax, a technology largely considered obsolete in modern business. (Kanoko Matsuyama and Yui Hasebe / Bloomberg)
Related: The Cyber Express
A survey by the Association of British Insurers (ABI) shows that insurers paid out at least £197mn (around $259 million) in cyber claims in 2024, more than triple the £60mn (around $79 million) paid the previous year, as a rise in attacks by cyber gangs hit British businesses.
The share of claims stemming from malware and ransomware attacks rose to 51 percent of the total, up from 32 percent of claims in the prior year.
The rise in claims came before a string of high-profile attacks earlier this year on large retailers such as Harrods and Marks and Spencer, and on manufacturer Jaguar Land Rover, which was not covered by cyber insurance.
While the sample does not represent all of the UK market, it includes most of the biggest UK insurers, the ABI said. (Lee Harris / Financial Times)
Related: ABI, Fudzilla, The Register, Intelligent Insurer, Insurance Times
Qian Zhimin, who police say bought cryptocurrency now worth billions of pounds using funds stolen from thousands of Chinese pensioners, is due to be sentenced this week for money laundering.
After fleeing China, she moved to a mansion in Hampstead, north London. The Metropolitan Police raided it a year later and made one of the world's single largest crypto seizures.
More than 100,000 Chinese people invested their money in her company, which claimed to be developing high-tech health products and mining cryptocurrency. In reality, she embezzled the funds, police say. As she awaits sentencing, investors say they hope to get at least some of their cash back from the UK authorities.
Anything left unclaimed would typically default to the UK government - leading some to speculate that the Treasury could stand to gain from the haul. (Tony Han / BBC News)
Related: Evrim Ağacı, Finance Monthly, The Independent, Bitget, NDTV, Benzinga, AFP
Mozilla announced a major privacy upgrade in Firefox 145 that further reduces the number of users vulnerable to digital fingerprinting, a tracking technique that identifies users and follows their browsing activity across websites and browser sessions, even when cookies are blocked or private browsing is active.
Firefox’s existing anti-fingerprinting system, part of the browser’s ‘Enhanced Tracking Protection’ mechanism, blocks many known tracking and fingerprinting scripts, most of which are pervasive and serve no purpose in improving the user’s experience.
“Since 2021, Firefox has been incrementally advancing fingerprinting protections, covering the most pervasive fingerprinting techniques,” explains Mozilla.
“These include things like how your graphics card draws images, which fonts your computer has, and even tiny differences in how it performs math.”
These anti-fingerprinting blocks, which Mozilla labels ‘Phase 1 Protections’, reduced trackability to roughly 35%, compared with a baseline of 65% with no protections at all.
Now, ‘Phase 2’ protections are being rolled out, which block requests to discover installed fonts, hardware details, the number of processor cores, multi-touch support, and dock/taskbar dimensions. (Bill Toulas / Bleeping Computer)
Related: The Mozilla Blog, Dataconomy, ghacks, How-to-geek
According to Koi Security, the GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times.
GlassWorm is a campaign and malware that leverages Solana transactions to fetch a payload targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data from 49 extensions.
The malware uses invisible Unicode characters that render as blanks, but execute as JavaScript to facilitate malicious actions. It first appeared via 12 extensions on Microsoft's VS Code and OpenVSX marketplaces, which were downloaded 35,800 times. However, it is believed that the number of downloads was inflated by the threat actor, making the full impact of the campaign unknown.
In response to this compromise, Open VSX rotated access tokens for an undisclosed number of accounts breached by GlassWorm, implemented security enhancements, and marked the incident as closed.
Koi Security says all three extensions use the same invisible Unicode character obfuscation trick as the original files. Evidently, this remains effective at bypassing OpenVSX's newly introduced defenses.
Through an anonymous tip, Koi Security was able to access the attackers' server and obtain key data on the victims impacted by this campaign.
The retrieved data indicates global reach, with GlassWorm found on systems across the United States, South America, Europe, Asia, and a government entity in the Middle East. (Bill Toulas / Bleeping Computer)
Related: Koi, Security Week, CSO Online, SC Media, Security Affairs, Dark Reading
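As an added example (not code from the article or from Koi Security), a small Node.js scanner a defender could run over extension sources to flag runs of invisible Unicode code points of the kind described above; the code point ranges it flags are my own assumption about what is worth reviewing, not GlassWorm's exact encoding.

```javascript
// Code point ranges that render as nothing (or as layout control) but survive
// in source text. Assumed defender's watch list, not GlassWorm's exact scheme.
// Note: U+200D (ZWJ) appears in legitimate emoji sequences, so review hits
// rather than treating every one as malicious.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, "zero-width / bidi marks"],
  [0x202a, 0x202e, "bidi embedding overrides"],
  [0x2060, 0x2064, "word joiner / invisible operators"],
  [0x2066, 0x2069, "bidi isolates"],
  [0xfe00, 0xfe0f, "variation selectors"],
  [0xfeff, 0xfeff, "zero-width no-break space (BOM)"],
  [0xe0000, 0xe007f, "Unicode tag characters"],
  [0xe0100, 0xe01ef, "variation selector supplement"],
];

function classify(cp) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (cp >= lo && cp <= hi) return label;
  }
  return null;
}

// Returns one finding per run of consecutive invisible code points, with
// line, column, run length and category. `for..of` walks code points rather
// than UTF-16 units, so astral characters (U+E0100 etc.) count once each.
function scanSource(source) {
  const findings = [];
  let line = 1, col = 1, run = null;
  for (const ch of source) {
    const label = classify(ch.codePointAt(0));
    if (label) {
      if (run && run.label === label) run.length += 1;
      else { run = { line, col, length: 1, label }; findings.push(run); }
    } else {
      run = null;
    }
    if (ch === "\n") { line += 1; col = 1; } else { col += 1; }
  }
  return findings;
}

// Constructed sample: a benign-looking string literal on line 2 carries three
// variation selectors, which an editor renders as an empty string.
const SAMPLE = 'const greeting = "hello";\n' +
  'const x = "' + String.fromCodePoint(0xe0101, 0xe0102, 0xe0103) + '";\n' +
  'console.log(greeting);\n';

// Runs shorter than minRun are usually legitimate (emoji, BOM); longer runs
// are the shape a hidden payload takes and deserve a manual look.
function suspicious(source, minRun = 2) {
  return scanSource(source).filter(f => f.length >= minRun);
}
```

Run it over each `.js` file inside an unpacked `.vsix` and inspect any finding whose run length is more than a handful of code points.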

CISA ordered US federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp.
Tracked as CVE-2025-21042, this out-of-bounds write security flaw was discovered in Samsung's libimagecodec.quram.so library, allowing remote attackers to gain code execution on devices running Android 13 and later.
While Samsung patched it in April following a report from Meta and WhatsApp Security Teams, Palo Alto Networks' Unit 42 revealed last week that attackers had been exploiting it since at least July 2024 to deploy previously unknown LandFall spyware via malicious DNG images sent over WhatsApp.
CISA has now added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, which lists security bugs flagged as actively exploited in attacks, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Samsung devices against ongoing attacks within three weeks, by December 1, as mandated by Binding Operational Directive (BOD) 22-01. (Sergiu Gatlan / Bleeping Computer)
Related: CISA, Infosecurity Magazine, Security Affairs
California privacy authorities are pushing legislation that would give corporate whistleblowers better protections for reporting data privacy violations, broaden residents’ personal data deletion rights, and make it easier for individuals to submit privacy requests.
The California Privacy Protection Agency (CPPA), which has a track record of successfully advocating for proposals in the state legislature, approved the three draft bills on Friday. The agency recently scored a victory when Gov. Gavin Newsom signed a bill requiring web browsers to make it easier for consumers to opt out of data sharing.
The whistleblower protection proposal is especially significant. It includes anti-retaliation safeguards and financial rewards for insiders who make regulators aware of company practices that violate state privacy law. It would also allow officials in the CPPA enforcement division to collaborate with whistleblowers’ attorneys.
“A financial awards program would incentivize whistleblowers to come forward with original, valuable information for investigation,” a CPPA memo about the proposal says. “A financial incentive would help to even the scales for whistleblowers who worry about the repercussions of speaking out.”
The memo also says CPPA enforcers would benefit from whistleblowers’ expertise on “highly technical” aspects of data processing and emerging technologies, leading to a “higher volume of meritorious cases that the agency could pursue to hold businesses accountable for violations.”
The proposal for legislation expanding consumers’ data deletion rights centers on the fact that state law currently only gives consumers the right to tell businesses to delete data the business has collected from them. CPPA is seeking to broaden those protections to allow consumers to request that companies delete personal information collected from third parties as well. (Suzanne Smalley / The Record)
Related: CPPA, The National Law Review, Lexology
A spending package tucked into a measure to fund the legislative branch, expected to be approved as part of a deal to reopen the government, would create a broad legal avenue for senators to sue for as much as half a million dollars each when federal investigators search their phone records without notifying them.
The provision appears to immediately allow for eight MAGA senators to sue the government over their phone records being seized in the course of the investigation by Jack Smith, the former special counsel, into the riot at the Capitol on Jan. 6, 2021.
The provision would make it a violation of the law not to notify a senator if their phone records or other metadata were taken from a service provider like a phone company. There are some exceptions, such as 60-day delays in notification if the senator is considered the target of an investigation.
The language of the bill states that “any senator whose Senate data, or the Senate data of whose Senate office, has been acquired, subpoenaed, searched, accessed, or disclosed in violation of this section may bring a civil action against the United States if the violation was committed by an officer, employee, or agent of the United States or of any federal department or agency.”
Because the provision is retroactive to 2022, it would appear to make eligible the eight lawmakers whose phone records were subpoenaed by investigators for Mr. Smith as he examined efforts by Donald J. Trump to obstruct the results of the 2020 presidential election.
Each violation would be worth at least $500,000 in any legal claim, according to the bill language. The bill would also sharply limit the way the government could resist such a claim, taking away any government claims of qualified or sovereign immunity to fight a lawsuit over the issue.
The Republican senators whose phone records were subpoenaed as part of the investigation were: Lindsey Graham of South Carolina, Marsha Blackburn and Bill Hagerty of Tennessee, Josh Hawley of Missouri, Dan Sullivan of Alaska, Tommy Tuberville of Alabama, Ron Johnson of Wisconsin, and Cynthia Lummis of Wyoming. Representative Mike Kelly of Pennsylvania also had his phone records subpoenaed, but he would not be eligible because he is a member of the House. (Devlin Barrett / New York Times)
Related: Politico, Bloomberg Law News, Reporting from Alaska, Daily Beast
Cybersecurity researchers from Mandiant Threat Defense uncovered a critical zero-day vulnerability in Gladinet’s Triofox file-sharing platform that allowed attackers to bypass authentication and execute malicious code with system-level privileges.
The vulnerability, tracked as CVE-2025-12480, was actively exploited by the threat actor group UNC6485 as early as August 24, 2025.
The flaw affected Triofox version 16.4.10317.56372 and has since been patched in release 16.7.10368.56560. (Divya / GBHackers)
Related: Google Cloud, TechNadu, Security Affairs

In a joint operation with Kolkata Police, the Uttar Pradesh police apprehended Sukanta Bandyopadhyay, the prime suspect in a Rs 200 crore (around $22 million) fraud case.
Bandyopadhyay allegedly established a fake company to dupe multiple victims. Bandyopadhyay was previously arrested in connection with another case but was released on bail. (Dwaipayan Ghosh / The Times of India)
Related: The420
The new Cybersecurity Maturity Model Certification standards for defense contractors and their subcontractors took effect Monday after years of industry debate over compliance costs, audit oversight, and supply chain accountability.
The new rule, which amends federal defense acquisition regulations to include CMMC requirements across all new contracts, option years, and extensions, also tasks prime contractors with ensuring their subcontractors meet the appropriate certification level.
The phased rollout begins with Level 1 enforcement and will expand through 2028, while allowing program offices to include higher levels earlier when warranted. (Chris Riotta / DataBreachToday)
Related: JD Supra
Best Thing of the Day: Freak-Out Over F5 Flaws Isn't a Thing
Researchers aren’t very concerned about the dozens of undisclosed F5 vulnerabilities a nation-state attacker stole during a prolonged attack on F5’s internal systems.
Worst Thing of the Day: What Do You Do About a Problem Like Identity?
According to RSA, 69% of organizations experienced an identity-related breach in the last three years, with German organizations suffering more than most.
Closing Thought
