Please find our eighth edition of the Cyber Capsule. In this edition, we discuss a brazen botnet, steps to shield the online availability of federal judges' personal information, the price of cybersecurity, and a warning about virtual assistants. As with every edition, we chronicle some amusing happenings in the threat actor world, and close with a reminder about New York's upcoming mandatory CLE requirement.

CONSIDER THIS

1. No Thanks, Mr. Roboto. In December 2021, a prominent search engine company filed suit against two Russian men for allegedly operating the botnet Glupteba — a rootkit that steals passwords, disables security software, and attempts to compromise other network devices to relay spam or other malicious traffic. To resolve the suit, the defendants offered to cease "business" operations if compensated by the search engine company. Unamused, the judge found for the search engine and ordered the defendants and their attorney to pay the search engine company’s legal fees. Did any of this work? Maybe not. According to BleepingComputer.com, "The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted … almost a year ago." It is believed the botnet started back up in June 2022.

2. Order in the Court! Federal Judge Information Kept Under Seal. On December 15, 2022, the Senate passed the Daniel Anderl Judicial Security and Privacy Act, a measure to protect federal judges by shielding their personal information online. According to a press release, the bill is headed to President Biden's desk for signature.

3. $3 Billion Can Buy a Lot of Security. On December 29, 2022, President Biden approved a $2.9 billion allocation to the Cybersecurity and Infrastructure Security Agency for fiscal year 2023 as part of HR2617, the Consolidated Appropriations Act, 2023. Of that sum, $46 million is earmarked for threat-hunting and response capabilities, and another $17 million for emergency communications preparedness.

4. Virtual Assistant or Uninvited Guest? On December 30, 2022, a security researcher identified wiretapping bugs in certain smart speakers that can be exploited to install backdoors, which in turn allow threat actors to eavesdrop on users.

AS THE WORLD TURNS

1. We Love to See It. Research from Sophos revealed that during the past 12 months, scammers have lost more than $2.5 million to other scammers.

2. Not on Our Watch. On December 14, 2022, the Department of Justice seized 48 internet domains and charged six individuals suspected of running platforms that enable attackers to launch DDoS attacks.

3. This Ought to Make You Sick. On December 6, 2022, the Secret Service confirmed that the APT41 group stole over $20 million from U.S. COVID-19-relief funds by targeting SBA loans and unemployment insurance funds in over 12 states.

4. For Sale: Twitter Accounts, Kinda Used. On December 25, 2022, SecurityAffairs.co reported that a threat actor launched the sale of a database, containing data of four billion Twitter users. It includes information, such as emails and phone numbers of celebrities, politicians, companies, and other users.

FORGET ME NOT

1. The Countdown Has Started. New York’s new mandatory cybersecurity CLE requirement takes effect on July 1, 2023. New York will become the first U.S. state to require attorneys to complete at least one credit of cybersecurity, privacy, and data protection training as part of their CLE requirements.