Cozy Bear, Fancy Bear's quieter cousin, is back, or, as ESET puts it in a report released this morning, Cozy never really left. "Operation Ghost" was discreetly successful in penetrating and collecting against a number of European diplomatic targets, including at least one country's embassy in Washington. Cozy Bear, which ESET calls "the Dukes" and others call "APT29," is probably a unit of Russia's SVR foreign intelligence service, although the FSB is also sometimes associated with the group. Operation Ghost was characterized by patient determination and careful use of steganography. Cozy Bear came to widespread attention when its tracks were found in the US Democratic National Committee's network in 2016. (Fancy Bear noisily blew the gaff for both groups.)
Nothing new on that US cyberattack against Iranian propaganda capabilities, beyond a response from Iran's Minister of Communications and Information Technology, Mohammad Javad Azari-Jahromi, which Ars Technica dutifully records: it never happened; "[the Americans] must have dreamed it."
Palo Alto Networks yesterday described the Graboid worm, a cryptojacker that spreads through unsecured Docker hosts, about two thousand of which the researchers came across in the course of their work. Palo Alto sniffs that Graboid (whose name is a well-chosen homage to the horror classic Tremors) may be capable of short bursts of speed but is overall "relatively inept." Unsurprisingly, Graboid exploits improperly configured hosts, that is, Docker daemons whose API is exposed to the network without authentication.
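As an added illustration, not code from Palo Alto's write-up, here is the check a practitioner would run for the misconfiguration Graboid feeds on: a Docker daemon API reachable over TCP with no client certificate verification. The daemon.json keys (hosts, tlsverify) and dockerd flags (-H, --tls, --tlsverify) are the real ones; the sample configurations fed to it are constructed, and the severity labels are this example's own choice.

```python
import json
from urllib.parse import urlsplit

UNENCRYPTED_API_PORT = 2375   # dockerd's conventional plaintext port; 2376 is the TLS one


def parse_dockerd_args(argv):
    """Pull -H/--host and --tls/--tlsverify out of a dockerd command line."""
    hosts, flags = [], {}
    args = iter(argv)
    for a in args:
        if a in ("-H", "--host"):
            hosts.append(next(args))
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H"):                      # -Htcp://... form
            hosts.append(a[2:])
        elif a in ("--tls", "--tlsverify"):
            flags[a[2:]] = True
        elif a.startswith("--tls=") or a.startswith("--tlsverify="):
            key, val = a[2:].split("=", 1)
            flags[key] = val.lower() == "true"
    return hosts, flags


def audit_docker_daemon(daemon_json_text="", argv=()):
    """Return (severity, message) findings for network-exposed, unauthenticated API listeners.

    Merges listeners from daemon.json and the command line (a real dockerd refuses to
    start when both define hosts; for an audit we simply look at everything declared).
    Only --tlsverify authenticates clients; --tls alone encrypts but lets anyone connect.
    """
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    cli_hosts, cli_flags = parse_dockerd_args(list(argv))
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tlsverify = bool(cfg.get("tlsverify", False)) or cli_flags.get("tlsverify", False)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue                                   # unix:// and fd:// are not network-reachable
        u = urlsplit(h)
        bind = u.hostname or "0.0.0.0"                 # 'tcp://:2375' means every interface
        port = u.port or UNENCRYPTED_API_PORT
        if not tlsverify:
            sev = "CRITICAL" if bind in ("0.0.0.0", "::") else "HIGH"
            findings.append((sev, f"{h}: Docker API on {bind}:{port} accepts any client (no --tlsverify)"))
        elif port == UNENCRYPTED_API_PORT:
            findings.append(("LOW", f"{h}: client TLS is enforced but the plaintext port number is used"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the shape of host Graboid can walk straight into.
    for sev, msg in audit_docker_daemon('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'):
        print(sev, msg)
```

A loopback-only listener is flagged lower because it still lets any local process with network access drive the daemon (root-equivalent on the host), which is why even that deserves --tlsverify or a unix socket with proper group membership.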
BlackBerry Cylance has found malware that evades detection by hiding its payload inside WAV audio files. The payload is often an XMRig Monero miner.
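An added example to make the technique concrete; it is not Cylance's code or any of its samples. Least-significant-bit substitution in PCM samples is one common way to hide a payload in audio that still plays; whether this malware used exactly this scheme is an assumption here, as is the 4-byte length prefix. The carrier tone and the payload bytes are constructed. The useful triage function is lsb_plane: carve the LSB stream out of a suspect WAV and look for file headers or strings that have no business in audio.

```python
import io
import math
import struct
import wave


def make_carrier(n_samples=4000, rate=8000):
    """Constructed carrier (not a real sample): 16-bit mono PCM, a 440 Hz tone."""
    frames = bytearray()
    for i in range(n_samples):
        frames += struct.pack("<h", int(8000 * math.sin(2 * math.pi * 440 * i / rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def _read(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.getparams(), w.readframes(w.getnframes())


def _write(params, frames):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(frames)
    return buf.getvalue()


def _bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def lsb_plane(wav_bytes):
    """The LSB of every sample, packed MSB-first: the channel a stego loader would read."""
    params, frames = _read(wav_bytes)
    # PCM samples are little-endian, so byte 0 of each sample carries bit 0.
    bits = [frames[i] & 1 for i in range(0, len(frames), params.sampwidth)]
    return _bits_to_bytes(bits)


def embed_lsb(wav_bytes, payload):
    """Write a length-prefixed payload into sample LSBs; audio is perturbed by at most 1 LSB."""
    params, frames = _read(wav_bytes)
    data = struct.pack(">I", len(payload)) + payload        # assumed framing: 4-byte length
    bits = [(b >> (7 - k)) & 1 for b in data for k in range(8)]
    if len(bits) > len(frames) // params.sampwidth:
        raise ValueError("payload too large for carrier")
    out = bytearray(frames)
    for i, bit in enumerate(bits):
        pos = i * params.sampwidth
        out[pos] = (out[pos] & 0xFE) | bit
    return _write(params, bytes(out))


def extract_lsb(wav_bytes):
    """Inverse of embed_lsb; raises if the length prefix cannot fit the file."""
    stream = lsb_plane(wav_bytes)
    (length,) = struct.unpack(">I", stream[:4])
    if length > len(stream) - 4:
        raise ValueError("no plausible length prefix; nothing embedded with this framing")
    return stream[4:4 + length]


if __name__ == "__main__":
    # Constructed payload: a few bytes that merely start like a PE header.
    stego = embed_lsb(make_carrier(), b"MZ\x90\x00 constructed stand-in, not a real PE")
    print(extract_lsb(stego))
```

The stego file is byte-for-byte the same size as the carrier and plays as the same tone, which is exactly why signature scanning of the audio container sees nothing; detection has to either carve the bit plane, as lsb_plane does, or catch the loader that reads it and the miner it drops.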
An international dragnet took down hundreds of online pornographers.