Scattered Spider extradition, Telecom hack warnings, Impersonation scammer takedown
In today's cyber security news...
Alleged ‘Scattered Spider’ member extradited to U.S.
A 23-year-old Scottish man, thought to be part of the prolific ransomware gang, was extradited last week from Spain to the U.S., where he faces charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the U.S. and abroad, and that he personally controlled more than $26 million stolen from victims. Buchanan was arrested in connection with a series of SMS-based phishing attacks back in 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and other tech firms. While Scattered Spider has been tied to the 2023 ransomware attacks against MGM and Caesars casinos in Las Vegas, it remains unclear whether Buchanan was implicated in those incidents.
Experts see little progress after major Chinese telecom hack
On Wednesday, a panel of national security and telecommunications experts warned the House Energy and Commerce Committee of the implications of the nation’s cyber defense failures during the Salt Typhoon telecom hacks last year. Jamil Jaffer, founder and executive director of the National Security Institute, said, “The stark reality is we are not currently positioned to provide for a comprehensive defense of our nation, nor the global telecommunications systems or networks that American companies help operate and we do not appear prepared to undertake the actions needed to do so.” Panelists warned that adversaries have ramped up intelligence operations and artificial intelligence has supercharged data processing – all while the telecom sector has failed to detect real-time threats. Veteran cybersecurity intelligence analyst Laura Galante said, “Despite the telecoms’ significant internal cybersecurity programs, detecting the Salt Typhoon compromise has required an extensive joint government-industry response. We must build a better, more dynamic operational security model than what we have today.” The panelists noted the Cybersecurity and Infrastructure Security Agency (CISA) initially detected signs of Chinese hackers targeting U.S. telecoms through telemetry on government networks. Jaffer referred to that fact as “a stunning revelation” and even implied that CISA may have failed to provide timely warning to telecoms of those threats against them.
Polish police take down impersonation scammers
On Tuesday, Polish authorities announced they have detained nine people in connection with a dismantled international cybercrime group accused of defrauding dozens of victims out of nearly $665,000. The suspects range in age from 19 to 51 years old and consist mostly of Ukrainian nationals, while others come from Georgia, Moldova and Azerbaijan. Beginning in 2023, the suspects allegedly used spoofed phone numbers to pose as bank employees and law enforcement, tricking at least 55 victims into transferring funds to fraudulent accounts. The stolen funds were later converted into cryptocurrencies. Polish authorities previously charged 46 other individuals in connection with the operation, and more arrests may be coming.
RansomHub operation goes dark
A report issued this week by Group-IB offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies. The researchers say the ransomware-as-a-service (RaaS) operation has been inactive since April 1 but speculated that the operation may have migrated to the Russian-speaking Qilin operation. Earlier this month, GuidePoint Security noted that a “series of internal disagreements” between RansomHub administrators and some affiliates had caused disruptions within the RaaS operation. The disagreements apparently stirred unease among other RansomHub affiliates, who began diverting their communications with victims to rival platforms. (Dark Reading)
Thanks to today’s episode sponsor, ThreatLocker
Apple notifies victims of spyware attacks across the world
As of Wednesday, two people have confirmed they have received warnings from Apple that they were targeted with government spyware. One is Italian journalist Ciro Pellegrino, who confirmed he received an email and text message from Apple on Tuesday notifying him that he was targeted with spyware. The message also indicated that the notification “is being sent to affected users in 100 countries.” The second recipient is Dutch right-wing activist Eva Vlaardingerbroek, who posted on X on Wednesday. “Apple detected a targeted mercenary spyware attack against your iPhone,” the alert stated. “This attack is likely targeting you specifically because of who you are or what you do. Apple has high confidence in this warning — please take it seriously.” Vlaardingerbroek appeared to dismiss the alert as an attempt to intimidate and silence her. Apple has sent similar notifications to targets and victims of spyware in the past, and so have other tech companies, like Google and WhatsApp.
Meta launches LlamaFirewall to secure AI
On Tuesday, Meta unveiled LlamaFirewall, an open-source framework designed to secure artificial intelligence (AI) systems by leveraging three guardrails. The first is PromptGuard 2, which detects direct jailbreak and prompt injection attempts in real time. The second is Agent Alignment Checks, which inspect agent reasoning for goal hijacking and indirect prompt injection. The third is CodeShield, an online static analysis engine that helps prevent the generation of insecure code by AI agents. The company said, “LlamaFirewall is built to serve as a flexible, real-time guardrail framework for securing LLM-powered applications.”
Malicious WordPress plugin poses as a security tool
According to Wordfence researchers, a new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into trusting it. The malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection. Wordfence discovered the malware, which programmatically activates a malicious plugin, in late January 2025. If the plugin is deleted, a PHP file automatically re-creates and reactivates it on the next site visit. Wordfence hypothesizes the infection occurs via a compromised hosting account or FTP credentials.
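The persistence mechanism above (a plugin that comes back after deletion because a separate PHP file re-creates and reactivates it) is the kind of thing a file-integrity baseline catches even when the plugin hides itself from the dashboard. The following script is an added example written for this summary, not code from Wordfence or the WordPress project: it snapshots every PHP file under wp-content, diffs snapshots taken before and after a cleanup attempt, and separately flags any PHP file that both writes files and calls activate_plugin(), which is the minimum a self-reinstalling loader needs. The site layout, the plugin names (example-seo, example-guard) and the loader filename (example-loader.php) are all constructed placeholders built in a temporary directory; the PHP inside them is inert text used only to exercise the detector.

```python
"""Baseline-and-diff check for self-reinstalling WordPress plugins (added example)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_php(root: Path) -> dict:
    """Map relative path -> sha256 for every .php file under wp-content."""
    base = root / "wp-content"
    return {p.relative_to(root).as_posix(): hash_file(p) for p in base.rglob("*.php")}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, vanished or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def find_reinstall_loaders(root: Path) -> list:
    """PHP files that both write files and call activate_plugin(): the combination
    a loader needs to re-create and reactivate a deleted plugin on the next request."""
    hits = []
    for p in (root / "wp-content").rglob("*.php"):
        text = p.read_text(encoding="utf-8", errors="ignore")
        if "file_put_contents" in text and "activate_plugin" in text:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")


def run_demo() -> dict:
    """Constructed scenario: clean site, planted plugin plus loader, cleanup, reappearance."""
    guard_src = "<?php /* Plugin Name: Example Guard */ add_action('init', 'example_guard_init');"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed benign plugin (placeholder name, not a real plugin).
        _write(root / "wp-content/plugins/example-seo/example-seo.php",
               "<?php /* Plugin Name: Example SEO */ add_action('init', 'example_seo_init');")
        baseline = snapshot_php(root)

        # Constructed malicious plugin and its loader (placeholder names, inert PHP text).
        _write(root / "wp-content/plugins/example-guard/example-guard.php", guard_src)
        _write(root / "wp-content/example-loader.php",
               "<?php if (!file_exists($p)) { file_put_contents($p, $src); activate_plugin($p); }")
        infected = snapshot_php(root)

        # Operator deletes the visible plugin directory ...
        plugin_dir = root / "wp-content/plugins/example-guard"
        for f in plugin_dir.iterdir():
            f.unlink()
        plugin_dir.rmdir()
        after_cleanup = snapshot_php(root)

        # ... and the loader writes it back on the next site visit (simulated here).
        _write(plugin_dir / "example-guard.php", guard_src)
        after_revisit = snapshot_php(root)

        return {
            "infection": diff_snapshots(baseline, infected),
            "reappeared": diff_snapshots(after_cleanup, after_revisit),
            "loaders": find_reinstall_loaders(root),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real site the baseline snapshot would be stored off-host and compared on a schedule; the "reappeared" diff is the signal that deleting the plugin was not enough, and the loader scan points at what to remove next. The substring check is deliberately crude (obfuscated loaders will not match), so treat it as a triage aid alongside the integrity diff rather than a complete scanner.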
Maryland man pleads guilty to outsourcing U.S. govt work to foreign national
A Vietnamese-born naturalized U.S. citizen, Minh Phuong Ngoc Vong, has pleaded guilty to fraud after landing a job with a U.S. government software contractor, and then outsourcing the work to a North Korean developer located in China. According to prosecutors, in January 2023, a Virginia-based technology company seeking a full-stack web developer received a resume falsely claiming Vong held a bachelor’s degree and had 16 years of experience. In reality, he worked at a nail salon in Bowie, Maryland. Vong participated in multiple job interviews to land the position, then worked on a software development contract for the Federal Aviation Administration. Vong installed remote access software on a company-issued laptop, allowing the developer access from China between March and July 2023, while masking the user’s location. Vong has admitted to similar frauds targeting at least 13 U.S. companies between 2021 and 2024. He’s due to be sentenced in August, and faces up to 20 years in prison.