Apple this year sent at least four rounds of notifications to French users potentially targeted by commercial spyware.

The post Apple Sends Fresh Wave of Spyware Notifications to French Users appeared first on SecurityWeek.

Compiling an “ingredients list” for software can help organizations reduce cyber risks, avoid fines and save time, among other benefits, a Cybersecurity and Infrastructure Security Agency-led guide published Wednesday advises.

The CISA document, produced with the National Security Agency and cyber agencies from 14 other countries, aims to produce a shared vision on advancing the concept known as software bill of materials, or SBOM. It’s a nearly universally praised idea whose implementation has been playing catch-up with the embrace of its theoretical value.

In the guide, the agencies tout SBOMs as a way to adopt secure-by-design principles, where software makers implement security as part of the design process rather than as something to be tacked on afterward.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing software supply chain and its components,” Madhu Gottumukkala, acting director of CISA, said in a news release accompanying the guide’s publication. “Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost.

“This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust,” he said. “Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

Publication of the guide follows closely on CISA’s updated federal agency guidelines for SBOMs, a set of rules that got mixed reviews when it came out last month.

Wednesday’s guide aims toward a unified approach to implementing SBOMs.

“Divergent implementations could hinder widespread adoption and sustainable implementation of SBOM. An aligned and coordinated approach to SBOM will improve effectiveness while reducing costs and complexities,” the guide reads. “When used widely across sectors, regions, and countries, supply chain illumination drives better ‘ingredients’ for everyone to use and helps ensure that known risks are addressed early. SBOM adoption is an integral condition for software to be secure by design.”

According to the guide, SBOMs help with vulnerability management by allowing organizations to be able to better track vulnerabilities when they arise, making it faster and more efficient to fix flaws. It helps organizations comply with industry-specific policies or government regulations and make decisions about their software purchases as such, thereby pushing vendors to give greater attention to cyber risk. It can help organizations manage software licenses, with violations of open-source licenses something that can trigger fines or reputational damage.

The guide advertises SBOMs as something for software makers, buyers and operators to adopt, as well as government cybersecurity agencies.

Australia, Canada, the Czech Republic, France, Germany, India, Italy, Japan, the Netherlands, New Zealand, Poland, Singapore and South Korea were the other countries involved in producing the guide.

The post CISA guide seeks a unified approach to software ‘ingredients lists’ appeared first on CyberScoop.

BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.

The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 

U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 

A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation. 

German officials said the takedown prevented the spread of malware and disrupted BlackSuit’s servers and communication. BlackSuit’s data leak site contained more than 150 entries before the takedown, Bitdefender said in a blog post. 

The majority of BlackSuit’s victims were based in the U.S. and the industries most impacted by the ransomware group’s attacks included manufacturing, education, health care and construction, according to Bitdefender. The company did not respond to a request for comment.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

BlackSuit associates were already dispersed prior to the global law enforcement action on the group’s operations. 

The impact from the takedown will be limited because members already abandoned the BlackSuit brand early this year, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

BlackSuit’s reputation plummeted as victims learned of the group’s Russian cybercrime lineage and declined to pay extortion demands out of fear that any financial support would evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control, he said.

As part of that pivot, former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year. 

“It’s not that they were concisely preparing for the takedown. Instead, they just felt brand fatigue,” Boguslavskiy said. “They are very prone to rebranding often. It was two years without a rebrand, so the one was coming, and in the meantime, they were using INC as a newer name without baggage.”

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The empowerment of INC is the “most important development in the Russian-speaking ransomware landscape, and the fact that now BlackSuit will double down on using their infrastructure is very concerning,” Boguslavskiy said. 

The ransomware syndicate is composed of about 40 people, led by “Stern,” who has established a massive system of alliances, forming a decentralized collective with links to other ransomware groups, including Akira, ALPHV, REvil, Hive and LockBit, according to Boguslaviskiy. 

INC is currently the second largest Russian-speaking ransomware collective behind DragonForce, he said. 

BlackSuit was prolific, claiming more than 180 victims on its dedicated leak site dating back to May 2023, according to researchers at Sophos Counter Threat Unit. 

The ransomware group’s main members have demonstrated their ability to rebrand and relaunch operations with ease. “It is likely that this latest takedown will have minimal impact on the ability of the individuals behind it to reorganize under a new banner,” Sophos CTU said in a research note.

Former members of BlackSuit emerged under a new ransomware group, Chaos, as early as February, Cisco Talos Incident Response researchers said in a blog post released the same day BlackSuit’s technical infrastructure was seized. Chaos targets appear to be opportunistic and victims are primarily based in the U.S., according to Talos.

The FBI seized cryptocurrency allegedly controlled by a member of the Chaos ransomware group in April, the Justice Department said in a civil complaint seeking the forfeiture of the cryptocurrency last month. Officials said the seized cryptocurrency was valued at more than $1.7 million when it was seized in mid-April.

The post Details emerge on BlackSuit ransomware takedown appeared first on CyberScoop.

Ukrainian authorities Tuesday arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 

Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.

The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.

Officials accuse the forum’s administrator of running technical operations and playing a central role in enabling cybercrime. Messages intercepted by authorities during the investigation revealed the suspect made more than $8.2 million in advertising and facilitation fees.

“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol said in the new release about the arrest and takedown operation. Authorities also accuse the suspect of running thesecure.biz, a Jabber-powered private messaging service for cybercrime that remains online as of press time.

The cybercrime unit of the Paris public prosecutor’s office opened an investigation into XSS.is in July 2021 and deployed French police investigators on the ground in Ukraine, with Europol’s support, in September 2024. 

The arrest in Kyiv, Ukraine, followed a series of coordinated law enforcement actions, including evidence gathering and the dismantling of the cybercrime forum’s infrastructure. Authorities said data seized during the investigation will be analyzed to support ongoing investigations across Europe and elsewhere.

The Paris public prosecutor’s office said the alleged administrator of XSS.is was identified as part of a wiretap.

The post Authorities in Ukraine nab alleged admin of Russian-language cybercrime forum appeared first on CyberScoop.