The Breach Report

China confesses to Volt Typhoon role in U.S. infrastructure cyberattacks

Rob Waters — Mon, 14 Apr 2025 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Cyberattacks against U.S. due to “American support for Taiwan”

According to a new report from The Wall Street Journal, Chinese officials indirectly admitted in a meeting amongst the outgoing Biden administration in December 2024 to its role in supporting damaging cyberattacks against the United States' critical infrastructure. The hacks against U.S. ports, energy utilities, airports, and other infrastructure have been attributed to a Beijing state-sponsored group, Volt Typhoon.

The stark admission by Beijing officials stunned American counterparts.

In past talks, China has blamed the cyberattacks attributed to Volt Typhoon on “criminal outfits” or accused the U.S. of having an “overactive imagination.”

The Wall Street Journal reported that the Chinese official’s remarks at the December meeting “were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan.”

“China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it,” Dakota Cary of cybersecurity firm SentinelOne said.

“We’re not used to China showing their hand,” stated Sean Tufts, managing partner for critical infrastructure at the cybersecurity firm Optiv, to CyberNews.

“Their modus operandi is always to deny, cover, and distract. It makes me think they are distracting us with Volt/Salt Typhoon to cover other activities,” said Tufts.

The cyberattacks against U.S. infrastructure have long been justified by American support for Taiwan. According to China’s One China Principle (or 一個中國政策), there is only one sovereign state under the name of China. Taiwan is an unalienable part of China, unable to declare its sovereignty as a nation.

In March 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned all critical infrastructure leaders about the urgent risk of a Volt Typhoon.

Going on the offensive against “The Typhoons”

Just before being fired as the head of U.S. CYBERCOM and 19th Director of the National Security Agency (NSA), General Timothy Haugh remarked that the U.S. needs government and private-sector collaboration to defend against critical infrastructure cyberattacks.

This includes going on the offensive against “the Typhoons”: Salt Typhoon, Silk Typhoon, and Volt Typhoon–all linked to the CCP.

“99% of the critical infrastructure in the United States is controlled by private companies, so that really drives us to talk about how we partner with industry and with the commercial sector,” Gen. Haugh said.

Asked by Senator Ted Budd (R-NC) about if the U.S. has an offensive cyber strategy, Gen. Haugh stated that he has “clear guidance in what the Secretary of Defense expects in terms of our aggressive approach to be able to restore deterrence.”

Gen. Haugh continued that he’d happily elaborate about the offensive cyber strategy in a closed hearing.

Attribution? Possibly you!

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

P.S. - Do you want to start a newsletter yourself?
You can with beehiiv. Create one today with a free trial.
Disclaimer: The Breach Report may contain affiliate links. Read our Advertising policy page.

DOD Air Force Contractor Pleads Guilty to Stealing Top Secret Classified Documents

Rob Waters — Mon, 31 Mar 2025 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Your job called—it wants better business news

Welcome to Morning Brew—the world’s most engaging business newsletter. Seriously, we mean it.

Morning Brew’s daily email keeps professionals informed on the business news that matters, but with a twist—think jokes, pop culture, quick writeups, and anything that makes traditionally dull news actually enjoyable.

It’s 100% free—so why not give it a shot? And if you decide you’d rather stick with dry, long-winded business news, you can always unsubscribe.

Check it out

Meet Gokhan Gun: A Turk charged with stealing Top Secret files and trying to flee to Mexico

The United States Department of Justice announced that Gokhan Gun, 51, an electrical engineer for the Department of Defense, pleaded guilty in federal court on March 20, 2025, to unauthorized removal and retention of classified material.

Gun, a native of Falls Church, Virginia, is a dual citizen of the United States and Turkey. Gun was born in Turkey and became a U.S. citizen in 2021.

Gokhan Gun, 50, was charged with unauthorized removal and retention of classified material. (image credit: Alexandria Sheriff's Office)

His life unraveled on August 9, 2024, when he was arrested as he attempted to board a flight to Puerto Vallarta, Mexico.

Fox News reported at the time of his arrest that Gun was leaving for the airport when FBI agents executed a search warrant on him and two of his homes. Agents discovered documents marked as "TOP SECRET" inside a backpack and across his Falls Church, VA home.

Agents discovered that the documents were printed and transported home as recently as two days before his arrest. Printing and transporting classified documents to an unauthorized location is prohibited.

Until his arrest, Gun was a DOD contractor supporting the U.S. Air Force Joint Warfare Analysis Center, holding a Top-Secret security clearance with access to Sensitive Compartmented Information.

Gun faces 5 years in jail for stealing classified documents

Gun is scheduled to be sentenced on June 17, 2025, and faces up to five years in prison.

A rideshare driver arrived at the scene as FBI investigators were apprehending Gun and approached Gun. It’s safe to say the only ride he got that day was in the back of a federal vehicle.

No word on if he tipped his FBI driver or gave him a five-star rating.

Oracle still denies any breach, but it’s clear they were hacked. Now, Oracle customers are paying the price for it.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Alleged Oracle Cloud Hack: 6 Million Records at Risk? What We Know So Far

Rob Waters — Mon, 24 Mar 2025 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Oracle denies breach after hacker claims to steal 6 million records

Is Oracle Cloud $ORCL ( ▲ 0.17% ) the latest victim of a major cyberattack? A hacker known as “rose87168” has claimed to have breached Oracle Cloud's login servers and stolen a massive six million customer data records. However, Oracle has responded to multiple media inquiries, denying any hack or stolen data from its cloud infrastructure. Let's dive into the details of this developing story.

The Hacker claims and demands

A previously unknown hacker using the handle “rose87168” surfaced on the cyber-crime forum BreachForums earlier this month. The hacker boasted of creating a text file on an Oracle Cloud login server and claimed that information was exfiltrated from the EM2 and US2 login servers. Samples of the stolen data were shared on BreachForums, where the hacker has been trying to sell the pilfered dataset.

According to a statement provided to BleepingComputer, they first breached Oracle's cloud infrastructure “40 days ago” after stealing data from the US2 and EM2 cloud regions.

A hacker known as rose87168 on BreachForums claims to have breached Oracle Cloud and stolen 6 million data records. (image credit: BleepingComputer)

Other stolen data includes Oracle Cloud customer security keys, encrypted Oracle Cloud SSO passwords, encrypted LDAP passwords, Enterprise Manager JPS keys, and Java KeyStore (JKS) files containing security certificates and keys. The potentially affected customers are said to number in the thousands.

BleepingComputer reports that the hacker has demanded 100,000 XMR from Oracle for information on how they breached the servers. Oracle refused to pay the ransom, asking instead for all information required to fix and patch the vulnerabilities used.

The hacker states they will “list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.”

What vulnerabilities the Oracle Cloud hack may have exploited

While Oracle denies any breach, cybersecurity firm CloudSEK conducted its own investigation and offered a contrasting perspective. CloudSEK believes the threat actor may have exploited a known critical vulnerability (CVE-2021-35587) in Oracle Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent.

This vulnerability, added to the CISA KEV catalog in December 2022, is considered critical and can be exploited over HTTP without authentication. Successful exploitation could potentially grant an intruder access to the sensitive information that is now being offered for sale. CloudSEK notes that a public exploit code exists for this vulnerability.

CloudSEK's analysis of the compromised subdomain, login.us2.oraclecloud.com, revealed that it was running Oracle Fusion Middleware 11G. Further investigation suggested that this server might not have been patched to close the CVE-2021-35587 vulnerability. The server was reportedly last updated around September 27, 2014, indicating potentially outdated software.

CloudSEK researchers stated, "Due to lack of patch management practices and/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager".

They suggest exploiting this flaw could have provided the initial access needed to move laterally within the Oracle Cloud environment and access other systems and data.

The fact that the threat actor managed to upload a text file to an Oracle Cloud login server further fuels the speculation that some form of unauthorized access was achieved. Oracle has been contacted for clarification on this point.

Potential impact of an Oracle Cloud hack of 6 million records

If the alleged breach is indeed factual, the impact could be substantial. The exposure of six million records significantly increases the risk of unauthorized access and corporate espionage.

The compromise of JKS files containing cryptographic keys is particularly concerning as it could be used to decrypt sensitive data or gain access to other systems within affected organizations. Similarly, compromised encrypted SSO and LDAP passwords could lead to further breaches across Oracle Cloud environments.

Recommendations to mitigate risk if you are an Oracle Cloud customer

While Oracle denies the breach, CloudSEK recommends several immediate actions for potentially affected parties, including:

Immediate credential rotation
Thorough incident response and forensics
Continuous threat intelligence monitoring
Engagement with Oracle Security for verification and mitigation
Strengthen access controls and audit any existing identity permissions and policies

The situation surrounding the alleged Oracle Cloud hack is still unfolding. While a threat actor claims to possess millions of stolen records and evidence of server access, Oracle vehemently denies any breach. The focus now shifts to further investigation and potential confirmation of the claims.

The alleged exploitation of a known vulnerability in Oracle Fusion Middleware highlights the critical importance of timely patching and robust security practices in cloud environments.

We will continue to monitor this story for further updates.

23andMe has filed for bankruptcy. Good riddance.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Justice Department Charges Two Silk Typhoon Chinese Hackers with U.S. Treasury Breach

Rob Waters — Wed, 19 Mar 2025 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

There’s a reason 400,000 professionals read this daily.

Join The AI Report, trusted by 400,000+ professionals at Google, Microsoft, and OpenAI. Get daily insights, tools, and strategies to master practical AI skills that drive results.

Yin Kecheng and Zhou Shuai among 12 Chinese hackers charged with U.S. Treasury breach

The United States Department of Justice confirmed that 12 Chinese hackers have been charged with hacking the U.S. Treasury and over 100 American organizations over the past decade. Two hackers, Yin Kecheng (尹可成), aka “YKC” (“YIN”), and Zhou Shuai (周帅), aka “Coldface” (“ZHOU”), are confirmed members of APT 27, also known as Silk Typhoon.

Silk Typhoon is a Chinese state-sponsored hacking group known for conducting cyber espionage.

The Federal Bureau of Investigation includes Kecheng and Shuai on their Most Wanted list. Both are charged with the following crimes:

Kecheng and Shuai are described as playing “key roles” in hacking over 100 American organizations and the U.S. Treasury. According to the Justice Department, they frequently hack targets “suppressing free speech and religious freedoms” and have carried out hacker-for-hire cyberattacks for over a decade.

Yin Kecheng and Zhou Shuai are on the FBI Most Wanted List for hacking the U.S. Treasury and over 100 other American organizations. The FBI is offering up to $2 million for information leading to the arrest of either individual. (Source: FBI)

Silk Typhoon used Microsoft Exchange, Palo Alto Networks Firewall, Citrix NetScaler, and Ivanti Pulse Connect Secure vulnerabilities

Microsoft published new research this week on how Silk Typhoon leveraged multiple vulnerabilities from Microsoft Exchange, Palo Alto Networks Firewalls, Citrix NetScaler, and Ivanti Pulse Connect Secure to hack into targets.

Microsoft has been tracking cyberattack activity from Silk Typhoon since 2020. The group is also tracked as APT 27 by Mandiant (now part of Google), using malware such as PANDORA, SOGU, and GHOST on its victims.

Prosecutors said the group's targets include U.S. defense contractors, tech companies, law firms, state and local governments, and universities.

Silk Typhoon typically utilizes spear phishing to gain initial access to a target network. It then moves laterally across cloud-hosted networks, manipulating service account permissions and exfiltrating data.

FBI offers $2 million reward for information leading to the arrest of Kecheng or Shuai

Kecheng was formally charged with hacking the U.S. Treasury in December 2024. Kecheng was sanctioned by the Treasury Department’s Office of Foreign Assets Control in February after linking Kecheng to China’s Ministry of State Security (MSS), the intelligence agency responsible for the country’s foreign intelligence collection.

The FBI offers a $2 million reward for information leading to Kecheng and Shuai's arrest and conviction.

For more information on Silk Typhoon, their tactics, and targets, check out the research report by Microsoft Threat Intelligence:

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Lockbit Ransomware Developer Extradited to the United States

Rob Waters — Sat, 15 Mar 2025 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

Sign up for The Rundown AI newsletter
They send you 5-minute email updates on the latest AI news and how to use it
You learn how to become 2x more productive by leveraging AI

Alleged LockBit Ransomware Developer Rostislav Panev Extradited to the U.S. in Major Cybersecurity Crackdown

In a significant victory for international law enforcement, Rotislav Panev, the alleged developer of the notorious LockBit ransomware group, has been extradited from Israel to the United States to face trial. The U.S. Department of Justice (DOJ) announced the extradition of Panev, a 51-year-old dual Russian and Israeli national, signaling a continued commitment to dismantle ransomware operations that have caused billions of dollars in losses worldwide.

Panev was initially arrested in Israel in August 2024 following a U.S. provisional arrest request. After his extradition, he made an initial court appearance before U.S. Magistrate Judge André M. Espinosa in Newark, New Jersey, and has been detained pending trial.

U.S. Attorney John Giordano emphasized the significance of this extradition, stating, “Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice.”

He further highlighted the unwavering commitment of his office, the FBI, and international partners to prosecuting cybercriminals despite the increasing sophistication of their methods.

Rotislav Panev in an undated picture shared on X. He is charged as a developer of the notorious LockBit ransomware group, helping extort over $500 million from victims.

Panev aided LockBit ransomware group growth, extorting over $500 million from victims

According to court documents and statements, Panev allegedly served as a developer for the LockBit ransomware group from its inception around 2019 through at least February 2024. During this period, LockBit became one of the most active and destructive ransomware groups globally.

Even after a period of reduced activity following law enforcement disruption in February 2024, the group is linked to over 2,700 victims, triple the number of the next most active group.

The DOJ stated that the LockBit group claimed responsibility for attacks on over 2,500 victims across at least 120 countries, including approximately 1,800 in the U.S. Victims ranged from individuals and small businesses to multinational corporations, including critical infrastructure like hospitals, schools, and government agencies.

Notable victims of the LockBit ransomware group include Chinese Bank ICBC, ION Group investments, and the Housing Authority of the City of Los Angeles.

LockBit is estimated to have extracted at least $500 million in ransom payments and caused billions of dollars in other losses.

Panev profited from LockBit infrastructure and affiliate business model

The LockBit operation involved two roles: developers like Panev, who designed the malware code and maintained the operational infrastructure, and affiliates, who carried out the attacks and extorted victims. Ransom payments were then split between these two groups.

Evidence cited in the superseding complaint against Panev reveals that law enforcement discovered administrator credentials on his computer for a dark web-hosted online repository at the time of his arrest.

This repository contained source code for multiple LockBit builder versions, allowing affiliates to create custom versions of the ransomware for specific victims. Investigators also found the source code for LockBit’s StealBit tool, which is used for data exfiltration, and access credentials for the LockBit control panel maintained by the developers for the affiliates.

The complaint further alleges that Panev engaged in direct messages on a cybercriminal forum with LockBit’s primary administrator, identified by the U.S. as Dimitry Yuryevich Khoroshev, also known as LockBitSupp. These messages reportedly discussed tasks related to the LockBit builder and control panel.

Between June 2022 and February 2024, the primary LockBit administrator allegedly transferred approximately $10,000 per month in cryptocurrency to a wallet owned by Panev, totaling over $230,000 during that period. These funds were allegedly laundered through illicit cryptocurrency mixing or “washing” services designed to obfuscate cryptocurrency transactions and wallet tracing.

Panev’s downfall: confessing to Israeli authorities

Following his arrest, Panev reportedly admitted to Israeli authorities that he performed coding, development, and consulting work for the LockBit group and received regular cryptocurrency payments, consistent with the transfers identified by U.S. authorities.

His alleged work included developing code to disable antivirus software, deploy malware across victim networks, and print the LockBit ransom note on all connected printers. He also admitted to writing and maintaining LockBit malware code and providing technical guidance.

The extradition of Panev follows significant disruption efforts against the LockBit ransomware group in February 2024, led by the U.K. National Crime Agency (NCA) in cooperation with the DOJ, FBI, and international partners. This operation involved seizing LockBit’s public-facing websites and disrupting their infrastructure.

To date, seven LockBit members have been charged in the District of New Jersey. Besides Panev and Khoroshev, who remains at large, others charged include affiliates Mikhail Vasiliev and Ruslan Astamirov, who have pleaded guilty and are awaiting sentencing, and Artur Sungatov and Ivan Kondratyev, who also remain at large. Mikhail Matveev, another alleged affiliate, remains at large as well.

The U.S. Department of State is offering rewards of up to $10 million for information leading to the arrest and/or conviction of Khoroshev and Matveev and for information leading to the identification and location of individuals in key leadership positions within LockBit. A reward of up to $5 million is offered for information leading to the arrest and/or conviction of any individual participating in LockBit.

Are you a victim of LockBit ransomware?

Law enforcement encourages all past victims of LockBit to contact the FBI and submit information at www.ic3.gov. Due to the disruption efforts, decryption capabilities have been developed that may help hundreds of victims restore their encrypted systems.

Victims are also encouraged to visit www.justice.gov/usao-nj/lockbit for case updates and information regarding their rights.

It's not a good day when you’re the top news the FBI shares.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Army soldier tried to sell Snowflake stolen data and defect to Russia

Rob Waters — Wed, 05 Mar 2025 05:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Cameron Wagenius, aka Kiberphant0m and cyb3rph4nt0m charged with data theft and extortion

United States authorities have charged Cameron John Wagenius, a 21-year-old U.S. Army soldier, for his involvement in a cybercrime spree targeting Snowflake and exfiltrating data from over 165 major companies. Known online as "Kiberphant0m" and "cyb3rph4nt0m," Wagenius has a history of malicious cyber activity while maintaining a security clearance. He is formally charged in U.S. district courts with unlawfully posting and transferring confidential phone records information, including those allegedly of high-ranking public officials.

Wagenius allegedly attempted to sell stolen data to a foreign intelligence service and extort victims, including AT&T.

In November 2024, while on active duty, Wagenius attempted to extort $500,000 from AT&T, threatening to leak phone records of high-ranking officials. AT&T confirmed in July that cybercriminals accessed their Snowflake environment in April, stealing six months of customer phone and text records.

Court filings state Wagenius is accused of attempting to sell stolen data to a foreign intelligence service—although the service is not named.

However, forensic investigations of personal devices and accounts show repeated use of VPNs and search engine history. Court documents redact the country names, but Wagenius’s search engine queries give the public a strong indication of which foreign intelligence service.

Search engine history revealed that Wagenius was researching information on defecting to Russia. He also searched for “Can hacking be treason?” and “How to defect to countries that do not extradite to the United States.”

Wagenius' alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Binns has also been charged with the 2021 T-Mobile breach that exposed the personal information of at least 76.6 million customers.

Wagenius pleads guilty, considered a flight risk

Wagenius, known online as "Kiberphant0m" and "cyb3rph4nt0m," has a history of malicious cyber activity.

His boldness as a cyber criminal despite being an active Army soldier was apparent throughout his activities. Court documents state Wagenius violated his commanding officer’s orders by purchasing a new laptop after a federal search warrant was executed at his barracks room and his electronic devices were seized. He further leveraged VPNs and other technologies to try and conceal his geographic location or identity.

Wagenius pleaded guilty to unlawfully transferring confidential phone records. The court deemed him a flight risk, citing his online searches for non-extradition countries and the Russian embassy.

The incident also raises concerns about the security of cloud data storage services and the importance of multi-factor authentication [9].

National Security implications of Wagenius

This case has several potential implications for national security and international relations.

Insider threats are some of the most challenging to detect and prevent. Financially motivated cybercrime can directly intersect with and undermine national security interests when individuals with access to highly sensitive data or in positions of trust can become compromised.

Wagenius' alleged attempt to sell data to a foreign intelligence service suggests a willingness to engage with state-level actors, blurring the lines with espionage.

His online research of defecting to countries without the ability to extradite to the U.S. would have enormous national security concerns if he were successful. Attempting to flee the country and potentially seek refuge with a foreign government is deja vu for those intimately familiar with Edward Snowden’s actions.

If Wagenius did attempt to sell stolen data to a foreign intelligence service, this could strain relations between the U.S. and the country involved. Despite current President Donald Trump's complicated relationship with Russian President Vladimir Putin, this would be the last thing Trump wants to deal with in his early second term.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our favorite blogs and journalists:

Buying a $250 Residency Card From a Tropical Island Let Me Bypass U.S. Crypto Laws (404 Media)
AT&T Hacker Tried to Sell Stolen Data to Foreign Government (404 Media)
Flock Threatens Open Source Developer Mapping Its Surveillance Cameras (404 Media)
DHS says CISA won’t stop looking at Russian cyber threats (CyberScoop)’
Microsoft IDs developers behind alleged generative AI hacking-for-hire scheme (CyberScoop)
Lee Enterprises ransomware attack hits freelance and contractor payments (TechCrunch)
US said to halt offensive cyber operations against Russia (TechCrunch)
The biggest data breaches of 2025 — so far (TechCrunch)

Today’s Cyber Wall of Shame

Busted….

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Evgenii Ptitsyn Extradited to U.S. for Phobos Ransomware

Rob Waters — Wed, 20 Nov 2024 06:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Russian National Extradited for Phobos Ransomware Attacks

Evgenii Ptitsyn, a 42-year-old Russian national, has been extradited from South Korea to the United States to face charges for his alleged role as an administrator of the Phobos ransomware. Ptitsyn appeared in the U.S. District Court in Maryland on November 4th, 2024, facing charges for his cyber criminal activities that included extorting over $16 million from over 1,000 victims in the U.S. alone. The arrest is a significant victory for international law enforcement agencies working to combat the growing threat of ransomware attacks.

Ptitsyn was also known as “derxan” and “zimmermanx” in his cybercriminals activities. If convicted, Ptitsyn could face significant prison time: up to 20 years for each wire fraud count, 10 years for computer hacking, and five years for conspiracy.

The Phobos ransomware is a type of malware that encrypts a victim's files, making them inaccessible until a ransom is paid. The Justice Department alleges that Ptitsyn and his co-conspirators developed the Phobos ransomware and offered access to other criminals, or “affiliates,” in exchange for fees from successful ransomware attacks.

Once the victim’s data was successfully infected with the Phobos ransomware and paid a ransom, criminal affiliates paid fees to Phobos administrators like Ptitsyn for a decryption key to regain access to the encrypted files.

These attacks, which began as far back as 2020, targeted a wide range of victims, including schools, hospitals, government agencies, and enterprises globally.

Charges Against Ptitsyn

Ptitsyn is facing a 13-count indictment that includes:

Wire fraud conspiracy
Wire fraud
Conspiracy to commit computer fraud and abuse
Four counts of causing intentional damage to protected computers
Four counts of extortion in relation to hacking

If convicted on all counts, Ptitsyn faces a maximum penalty of 20 years in prison for each wire fraud count, 10 years for each computer hacking count, and 5 years for conspiracy to commit computer fraud and abuse.

International Collaboration Leads to Arrest

Ptitsyn's extradition results from a collaborative effort between law enforcement agencies in multiple countries, including South Korea, the United States, the United Kingdom, Japan, Spain, Belgium, Poland, the Czech Republic, France, and Romania. This case highlights the importance of international cooperation in combating cybercrime, which often transcends national borders.

It also staggeringly illustrates the extent to which international law enforcement agencies and the United States will hold hackers accountable.

No matter where they are in the world, this case is a major step forward in the fight against ransomware and a reminder of the importance of international cooperation in combating this growing threat.

Phobos Ransomware: Finally on the decline

Phobos ransomware is a particularly insidious form of malware because it often targets organizations that provide essential services, such as healthcare and education. The disruption caused by these attacks can significantly impact ordinary people's lives. In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that Phobos was targeting state and local government services.

Cybersecurity researchers have noted a recent decline in Phobos activity, possibly related to Ptitsyn's arrest. Alexander Leslie, a threat intelligence analyst for Recorded Future, observed a significant drop in Phobos activity and a complete stall in the operations of 8Base ransomware, which used a variant of Phobos.

Today’s Cyber Wall of Shame

Veterans’ data is a valuable target to our adversaries. The United States Department of Veterans Affairs must do better.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Snowflake hackers charged with stealing 50 billion AT&T records

Rob Waters — Mon, 18 Nov 2024 05:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Writer RAG tool: build production-ready RAG apps in minutes

Writer RAG Tool: build production-ready RAG apps in minutes with simple API calls.
Knowledge Graph integration for intelligent data retrieval and AI-powered interactions.
Streamlined full-stack platform eliminates complex setups for scalable, accurate AI workflows.

Learn more about our production ready RAG tooling here.

U.S. Department of Justice indicts Connor Moucka and John Binns of hacking

In June 2024, I reported along with major tech outlets that the Snowflake data breach had escalated to be regarded as one of the worst breaches ever. Now, the hacker duo responsible are both formally identified and charged.

The United States Department of Justice has publicly released its indictments against Connor Moucka and John Binns, two suspected cybercriminals allegedly responsible for hacking into Snowflake. Once the pair breached the vulnerable Snowflake instances, they exfiltrated data from at least ten organizations and received at least $2.5M in Bitcoin cryptocurrency payments.

Moucka was arrested in Canada last week, where he was living, and Binns was previously arrested and jailed in Turkey in July 2024. Binns is a U.S. citizen but was living in Turkey for unknown reasons.

Prosecutors confirmed that Moucka was known online as “judische,” “catist,” “waif,” and “cllyels.” Binns went by “irdev”and “j_irdev1337.”

Although the victims weren’t named in the indictment, it mentions a telecom provider, which aligns with AT&T as a victim.

In a separate breach unrelated to Snowflake, the same pair hacked T-Mobile in 2021, calling its security “awful,” stealing over 50 million customer records.

The Snowflake breach was massively damaging for both Snowflake and its victims. According to reports by 404 Media, over 165 Snowflake instances and organizations were said to be affected by the hacker duo. While not all Snowflake victims are made public, known organizations affected include Santander, Ticketmaster, LendingTree, and Advance Auto Parts.

AT&T Snowflake breach includes 50 billion customer text and call records

Wired reported in July 2024 that AT&T reportedly paid the hackers $370,000 not to release the stolen data but did so anyway.

With the recent news of Salt Typhoon, a PRC-linked cyber espionage group hacking major U.S. telecom providers like AT&T, T-Mobile, and Verizon, it’s easy to forget that AT&T has suffered other unrelated but highly damaging breaches in recent years.

It also speaks to the complexity and difficulty of securing infrastructure against various threats and vulnerabilities.

The Snowflake breach included over 50 million customer text and call records, comprising virtually all of AT&T’s customers, or 110 million people. According to forensic experts, Moucka and Binns were in the Snowflake instances for over six months, possibly longer.

The pair of hackers are believed to be associated with “The Com,” an online ecosystem that includes groups participating in cybercriminal activities, violence, extortion, kidnappings, shootings, and robberies, according to CyberScoop.

The full indictment is available for download below in Adobe PDF format.

DOJ_ConnorMoucka_JohnBinns_Snowflake.pdf

2.17 MB • PDF File

Download

Today’s Cyber Wall of Shame

Fix your security, Snowflake. Please.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

T-Mobile hacked in Chinese cyber-espionage operation

Rob Waters — Sat, 16 Nov 2024 05:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Start learning AI in 2025

Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.

It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Salt Typhoon hack part of major U.S. telecom infrastructure spying operation

The Wall Street Journal and Reuters have confirmed that T-Mobile’s network was part of a major intrusion and hacking operation by Salt Typhoon, an advanced persistent threat group with ties to a Chinese intelligence agency. Previous reports in October confirmed that Salt Typhoon had breached AT&T, Verizon, and Lumen Technologies. Investigators believe hackers aimed at a host of well-connected Americans, including the presidential candidates—reflecting the scope and potential severity of the hack.

As a quick refresher, Microsoft has dubbed the APT group “Salt Typhoon,” but it is also known as UNC2286 (Mandiant), GhostEmperor (Kaspersky Labs), and FamousSparrow (ESET).

Experts claim hack is “catastrophic in scope and severity”

Although it is unclear what information Salt Typhoon extracted, if any, the breach of every major U.S. telecom provider is massively damaging. Salt Typhoon managed to breach and access systems maintained by the carriers to comply with U.S. surveillance requests.

At this time, T-Mobile has stated that no customer data has been impacted.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” the spokesperson said.

However, federal investigators, cybersecurity experts, and T-Mobile personnel are conducting an investigation to confirm the extent of the breach. As with any cybersecurity incident, the breadth of the hack will take time to verify with forensic analysis.

Counterintelligence concerns over Salt Typhoon hacks

Using the U.S.’s surveillance infrastructure against its citizens raises serious counterintelligence concerns.

According to the Wall Street Journal, other unnamed international carriers with close ties to the U.S. were also breached as part of the operation.

The hacks are so damaging that the U.S. Consumer Financial Protection Bureau (CFPB) has urged its employees to minimize or eliminate conducting business matters over a cellular phone. The directive states, “Do NOT conduct CFPB work using mobile voice calls or text messages.”

Instead, it recommends conducting business matters on platforms like Microsoft Teams or Cisco WebEx to minimize risk.

The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency also stressed the severity of the attack.

“Chinese government-linked hackers compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”

How Salt Typhoon Hacked T-Mobile, AT&T, Verizon, and Lumen Technologies

Details are still emerging, but according to the Journal report, it is believed Salt Typhoon leveraged vulnerabilities from Cisco routers and used artificial intelligence and machine learning to penetrate the U.S. telecom providers further.

Salt Typhoon is believed to have been active for at least eight months within AT&T, Verizon, T-Mobile, and Lumen Technologies.

Senior national security and policy officials across the U.S. were targeted, and the access allowed them to extract call logs, unencrypted texts, and some audio from targets.

This is in addition to other extensive spear phishing and cyberattacks against the Biden, Harris, and Trump Presidential Campaigns by Iran since 2020, as we previously reported.

T-Mobile doesn’t seem to learn from their mistakes. Here’s evidence of no rate-limiting on its internal systems from a separate, unrelated hack back in 2021:

And if you don’t think that is bad… another unrelated T-Mobile breach in 2023 allowed hackers to steal the personal data of 37 million customers.

But wait, there’s more!

Hackers breached T-Mobile’s network again in 2023, having access to hundreds of its customers for over a month.

If you’re on T-Mobile, it may be time to switch to another carrier. They’re all compromised at this point, but wow.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Why Hacking the United States Presidential Election is Nearly Impossible

Rob Waters — Sun, 10 Nov 2024 17:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Tackle Your Credit Card Debt With 0% Interest Until Nearly 2027 AND Earn 5% Cash Back

Some credit cards can help you get out of debt faster with a 0% intro APR on balance transfers. Transfer your balance, pay it down interest-free, and save money. FinanceBuzz reviewed top cards and found the best options—one even offers 0% APR into 2027 + 5% cash back!

Learn How To Apply Now

Hacking may be too difficult, so disinformation is the weapon of choice

In the digital information age, the specter of election hacking looms large in the public consciousness. However, the reality is far more complex. Despite sensationalized news reports and conspiracy theories, successfully hacking the US presidential election is an incredibly difficult, if not impossible, task. Multi-layered technical and procedural safeguards are in place to protect the integrity of US elections, as I’ll outline below, drawing on expert opinions from the White House, NIST, CISA, and the FBI.

For clarity, the term “hack” in this writing is defined as using a computer or internet-connected device to gain unauthorized access to a system.

Last week, I covered how CISA, the FBI, and the ODNI released a joint statement on election security to assure American voters. The statement included debunking viral videos of Haitians voting illegally in Georgia, with a faux FBI terrorism warning of ongoing ballot fraud.

Misusing U.S. agency logos, names, and terminology can be highly effective when weaponized. When malicious actors take the logo of an entity or agency that we trust to communicate false narratives that seem plausible (given recent media sensationalism and voter anxiety), it attempts to appeal to our emotions and ideology in the hope that we act upon it.

The malicious actor bets that a portion will succumb to the disinformation campaign, stir confusion and distrust in the election process, or impact your vote.

The disinformation campaign fails if the videos are unconvincing or quickly debunked (as is the case with the faux ballot voting).

FBI: Financial and data fraud more likely ahead of elections

The 2024 U.S. Presidential Election has passed, and CISA reports no proof of election fraud or cheating.

Sadly, you have a higher likelihood of becoming a victim of financial fraud and scams by your fellow American citizens than the Presidential Election being hacked.

In the months ahead of the election, the FBI warned Americans of scams and fraudulent activities that would try to extort money, data, or other personally identifiable information (PII).

The FBI stated that malicious actors purporting to be part of a political campaign or political action committee (PAC) or offering to sell merchandise of a candidate (but never shipping the item) are targeting voters.

Palo Alto Networks’ Unit 42, which offers expert cybersecurity threat intelligence, research analysis, and guidance, corroborated the report:

Five reasons hacking the United States Presidential Election is unlikely

Now, let’s explore why, despite the sensationalism that (inevitably) occurs each election cycle, hacking the United States Presidential Election is highly unlikely, if not impossible.

The security of US elections is a multi-layered defense system involving a combination of technical, procedural, and human safeguards. Here are five key factors that make large-scale election hacking nearly impossible:

Decentralized Voting Infrastructure
- Diverse Systems: The US election infrastructure is decentralized, with each state and county using a variety of voting machines and systems. This diversity makes it significantly harder for a single attack to compromise the entire system.
- Paper Trails: Most jurisdictions use paper ballots, which serve as a verifiable record of votes. These paper trails can be used to audit election results and detect any discrepancies.
Robust Cybersecurity Measures
- CISA Guidance: As I covered extensively above, the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and support to state and local election officials to enhance their cybersecurity practices.
- NIST Standards: The National Institute of Standards and Technology (NIST) develops standards and guidelines for secure information systems, including those used in elections.
- Continuous Monitoring: Election officials and cybersecurity experts continuously monitor the election infrastructure for signs of malicious activity.
Rigorous Post-Election Audits
- Risk-Limiting Audits: Many states conduct risk-limiting audits to verify the accuracy of election results. These audits involve randomly selecting a sample of ballots and comparing them to the machine-counted results.
- Manual Recounts: In some cases, manual recounts are conducted to further verify election results, especially in close races.
Intelligence Community Oversight
- FBI and CISA Collaboration: The Federal Bureau of Investigation (FBI) and CISA work closely to identify and mitigate threats to election security.
- Foreign Interference Monitoring: Intelligence agencies monitor for foreign interference in elections and take steps to counter such threats.
Public Awareness and Transparency
- Transparent Processes: Election officials strive to be transparent about their processes and procedures, building public trust.
- Public Education: CISA and other organizations conduct public education campaigns such as #Protect2024 to raise awareness about election security and encourage citizens to report suspicious activity.

So this Thanksgiving, when your crazy Uncle believes the election was “rigged,” “hacked,” or “compromised” by Iran, Russia, or some other foreign nation–you have the facts.

You’re welcome. 🇺🇸

Today’s Cyber Wall of Shame

Nothing to see here. Nothing at all.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

CISA, FBI: U.S. Elections are secure despite Russian interference attempts

Rob Waters — Tue, 05 Nov 2024 05:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

CISA: U.S. elections have never been more secure

Today is November 5, 2024, and millions of voters across the United States are headed to the polls to vote on the next President. Since the 2016 U.S. election, Americans have been on guard about social media manipulation, foreign interference, and election integrity. Most of the concern revolves around foreign interference, with nations such as Iran and China trying to hack political campaigns (including Biden, Harris, and Trump members) or somehow hack and disrupt statewide voting machines.

The good news?

Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), told reporters in a media briefing yesterday that “our election infrastructure has never been more secure.”

Cybersecurity hacks against organizations, government agencies, and consumers have become normalized. However, the Federal Bureau of Investigation (FBI), CISA, and Office of the Director of National Intelligence (ODNI) want Americans to trust that their vote will count and not be erased in a cyberattack.

Russian disinformation spreads on U.S. Election ballot fraud

Despite the measures the U.S. government is taking to secure the election, it doesn’t mean that foreign interference attempts will stop.

The FBI, CISA, and ODNI released a joint statement on November 1, 2024, to assure voters that viral videos pretending to be from the FBI about ballot fraud were fake:

“The IC [sic: Intelligence Community] assesses that Russian influence actors manufactured a recent video that falsely depicted individuals claiming to be from Haiti and voting illegally in multiple counties in Georgia. This judgment is based on information available to the IC and prior activities of other Russian influence actors, including videos and other disinformation activities. The Georgia Secretary of State has already refuted the video’s claims as false.”

The statement continues, “Russian influence actors also manufactured a video falsely accusing an individual associated with the Democratic presidential ticket of taking a bribe from a U.S. entertainer.”

The group released an update on November 4 elaborating on Russia’s disinformation and foreign interference activities:

“Russia is the most active threat. Influence actors linked to Russia in particular are manufacturing videos and creating fake articles to undermine the legitimacy of the election, instill fear in voters regarding the election process, and suggest Americans are using violence against each other due to political preferences, judging from information available to the IC. These efforts risk inciting violence, including against election officials. We anticipate Russian actors will release additional manufactured content with these themes through election day and in the days and weeks after polls close.”

Where to get accurate election and polling information

According to CISA Director Jen Easterly, state and local election officials and websites are the best sources for accurate information about the voting process and election operations.

Nation-states and foreign adversaries heavily utilize social media platforms to spread disinformation, so any news on the platforms should be preceded with caution. Each social media platform has its own rules and policies for verifying or removing inaccurate information, and it may spread virally before it is flagged for inaccuracies or taken down.

You should also be aware that foreign nations and entities have made many other attempts to sow discord and distrust in the U.S. Election process. To learn more about these tactics and how to spot them, read about pre- and post-election tactics on Cyberscoop.

Today’s Cyber Wall of Shame

Be sure to vote, America.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

China-linked Salt Typhoon hacks Verizon, AT&T in intelligence gathering operation

Rob Waters — Wed, 16 Oct 2024 04:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

United States wiretap systems breached by China-linked hacking group “Salt Typhoon”

Another day, another ominous hack by a Chinese hacking group against critical infrastructure and United States businesses. You’d be forgiven for having Chinese hacking news fatigue, but they remain a force to be reckoned with and seemingly grab headlines every month.

An exclusive report by The Wall Street Journal revealed that a cyberattack tied to the People’s Republic of China's government breached the networks of multiple U.S. broadband providers. The targets included Verizon, AT&T, and Lumen Technologies.

The hacking group, known as “Salt Typhoon” - a name given to it by Microsoft—is also known as UNC2286 (Mandiant), GhostEmperor (Kaspersky Labs), and FamousSparrow (ESET).

The breach by Salt Typhoon is problematic because the group exploited backdoors within each U.S. broadband provider intended for use by U.S. intelligence agencies for foreign intelligence surveillance. According to The Wall Street Journal, the U.S. wiretap systems hack could be one of the most damaging China-backed cyber espionage hacks ever.

According to reports, the hackers were within the foreign intelligence surveillance systems for “months, maybe longer” and obtained highly sensitive intelligence and law enforcement data.

According to the report, the hackers accessed the same network infrastructure that U.S. broadband providers use to comply with legal requests for domestic information related to criminal and national security investigations.

U.S. agencies such as the FBI are still investigating the incident to confirm the extent of the hack and how much data may have been accessed or exfiltrated.

More generic internet traffic of U.S. citizens was likely monitored, but according to reports, it would be too challenging to abstract value from it.

This incident validates the concerns of many privacy and security advocates, including Apple, who famously denied providing a “secure backdoor” to its iOS mobile operating system for use by the U.S. government.

Who is Salt Typhoon?

Microsoft has tracked Salt Typhoon since 2020, while ESET has tracked the group under the name FamousSparrow since 2019. The disparity is that different cybersecurity researchers and vendors see different cyber activity. While they can reach a consensus over a distinctive group signature for tactics, techniques, and procedures (TTPs), it doesn’t require perfect alignment in activity and history.

Microsoft has primarily linked the group to cyber espionage campaigns. According to Microsoft's report from August 2024, the group specializes in espionage, data theft, and packet capture.

Salt Typhoon targets organizations and entities primarily in North America and Southeast Asia. Cybersecurity firm ESET has attributed the group to global hacks targeting hotel and government agencies.

China has denied allegations that they are responsible for Salt Typhoon or other China-linked sophisticated hacking groups.

Liu Pengyu, a spokesman at the Chinese Embassy in Washington D.C., said, “China firmly opposes and combats cyberattacks and cyber theft in all forms,” according to The Wall Street Journal.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

New from our favorite blogs and journalists:

National Public Data, the hacked data broker that lost millions of Social Security numbers and more, files for bankruptcy (TechCrunch)
European cyber insurance startup Stoïk secures $27M (TechCrunch)
Meet the Chinese ‘Typhoon’ hackers preparing for war (TechCrunch)
Invisible text that AI chatbots understand and humans can’t? Yep, it’s a thing (ArsTechnica)
Apple study exposes deep cracks in LLMs’ “reasoning” capabilities (ArsTechnica)
5th Circuit rules ISP should have terminated Internet users accused of piracy (ArsTechnica)
How Meta Brings in Millions Off of Political Violence (Gizmodo)
Hacked Robot Vacuums Across the U.S. Started Yelling Slurs (Gizmodo)
Hacktivists Claim Responsibility for Taking Down the Internet Archive (Gizmodo)
DOJ Reveals Its Plan for Breaking Up Google’s Search Monopoly (Gizmodo)
This AI Pioneer Thinks AI Is Dumber Than a Cat (The Wall Street Journal)
California’s AI Safety Bill Is Dead, but the Regulation Debate Lives On (The Wall Street Journal)
23andMe Board Resigns in New Blow to DNA-Testing Company (The Wall Street Journal)
The Future of the US Internet is Enforced Interoperability (Quinn Chasan)

Cybersecurity Job Openings

Are you looking for a new job or trying to get started in cybersecurity? We’ll post notable new openings across the industry here.

Today’s Cyber Wall of Shame

I agree; please, somebody, anyone, empty my student loan balances, please.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Trump, Biden, Harris targeted in Iran phishing cyberattacks

Rob Waters — Mon, 19 Aug 2024 13:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Google has released a new report confirming that hackers from Iran have been using phishing attacks against former President Trump, President Biden, and Vice President Harris.

Iran using spear-phishing attacks against President Trump, President Biden, and Vice President Harris

Iran is quickly becoming a dangerous cyber threat to the United States Presidential Election Campaigns across party isles, according to new reports from Google, Microsoft, and multiple news outlets. If that wasn’t enough, they were just banned by OpenAI for using ChatGPT for creating AI-assisted influence operations, generating disinformation on volatile political and ideological topics.

According to The Wall Street Journal, the Federal Bureau of Investigation (FBI) has been investigating sophisticated spear-phishing cyberattacks by Iranian hackers against United States Presidential Election Campaigns since June.

Former President Trump is blaming Iran for “hacking his campaign” and even praises the FBI for their efforts in responding to the incident.

Yet, until a new report from Google’s Threat Analysis Group (TAG) released last week, no independent third party had confirmed the scope or hack attempts. The new Google report confirms the same Iranian hacking group known as “APT42” is targeting former President Trump, President Biden, and Vice President Harris.

The attacks date back to the 2020 United States Presidential Election cycle, targeting then-President Trump and the Biden-Harris presidential campaigns.

Who is APT42?

According to cybersecurity research and response firm Mandiant, Advanced Persistent Threat 42 (APT42) is an Iranian state-sponsored cyber-espionage group. Mandiant also believes that APT42 operates for the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO).

Prior cybersecurity incidents attributed to APT42 confirm the group’s intent to deploy invasive malware on targets’ devices to track, perform espionage, record audio conversations, and exfiltrate data. Targets include government officials and journalists who pose a threat to the Iranian government regime.

APT42 TTPs for luring targets in phishing campaigns

Iranian hackers associated with APT42 are effective by luring targets to establish trust using multiple platforms to exchange files before finally delivering a malicious payload.

APT42 hackers frequently build trust with their targets over chat platforms such as WhatsApp, Telegram, or Signal before attempting to grab their target's valid credentials.

Google’s TAG reports that APT42 would include PDF attachments in emails or utilize legitimate virtual meeting links from providers like Google, Skype, and others. Upon joining the virtual meeting platform, a linked landing page on attacker-controlled platforms like a Google Site, OneDrive, or Dropbox had a malicious payload.

Other times, credential harvesting toolkits such as GCollection, LCollection, YCollection, or DWP were utilized to gather credentials from a target that uses a Google, Hotmail, or Yahoo account.

Google’s TAG observes that APT42 hackers would perform extensive research on their targets, using “open-source marketing and social media research tools to identify personal email addresses that might not have default multi-factor authentication or other protection measures” that corporate accounts typically enforce.

Once APT42 gains access to the targeted account, they would add recovery email accounts (that APT42 controls) and use features that allow applications that do not support multi-factor authentication, like application-specific passwords.

Google’s Advanced Protection Program revokes and disables these application-specific passwords in Gmail, protecting users from these attacks. The Advanced Protection Program also supports using a passkey for stronger user authentication.

APT42 targeting the United States Presidential Election Campaigns

Google has assessed that APT42 deployed spear-phishing attacks on approximately a dozen individuals tied to former President Trump's and President Biden's 2024 election campaigns. APT42 also targeted both campaigns in the 2020 Presidential Election cycle.

Targets also include current and former officials in the U.S. government.

APT42 attempted to attack the Biden-Harris campaign before President Biden stepped down from his reelection campaign and endorsed current Vice President Harris as the Democratic nominee.

The Trump campaign first blamed Iran for hacking his 2024 election campaign when an internal campaign vetting document on J.D. Vance, his running mate, was leaked to members of the press.

Trump claims that the hacks occurred against his campaigns because “Iran is no friend of mine, a lot of bad signals get sent.”

APT42 is banned from OpenAI for using ChatGPT to influence elections

Example fake news outlets and blogs that APT42 used to spread disinformation and for influence operations. Iranian hackers used OpenAI’s ChatGPT to create divisive content against both the U.S. Republican and Democratic parties. (source: OpenAI)

Separately from Google and Microsoft’s reports, OpenAI has banned APT42 from its platforms for using ChatGPT to create disinformation and influence operations against the U.S. Presidential campaigns.

OpenAI found that APT42 used ChatGPT to generate content on numerous topics to spread disinformation or sway public opinion on political issues. The content was then spread across fake news outlets and social media platforms.

Divisive content was created to influence both Democratic and Republican campaign issues.

However, the majority of social media posts that OpenAI detected were not effective, generating minimal likes, shares, or comments.

Iran has denied any involvement in the hacks, according to state media.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

New from our favorite blogs and journalists:

Trump, Biden, Harris targeted in Iran phishing campaign, Google finds (Axios)
FBI Is Investigating Suspected Iranian Hack Attempts Against Trump and Biden Campaigns (The Wall Street Journal)
What We Learned From the Cyberattack on Change Healthcare (The Wall Street Journal)
Those Online Accounts You No Longer Use? For Your Own Safety, Get Rid of Them (The Wall Street Journal)
Sam Altman’s Worldcoin Is Battling With Governments Over Your Eyes (The Wall Street Journal)
Iranian group used ChatGPT to try to influence US election, OpenAI says (The Guardian)

Today’s Cyber Wall of Shame

Palo Alto Networks didn’t use common sense when they used real women to model and pose as “lamp women” at this year’s Black Hat event in Las Vegas. The company has since apologized and backtracked on the display. More on this PR disaster…

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

THANK YOU FOR READING!

Thank you for reading The Breach Report. If you haven’t already, please subscribe to our free cybersecurity newsletter.

Microsoft Azure confirms outage due to DDoS cyberattack

Rob Waters — Thu, 01 Aug 2024 13:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Microsoft suffered from a distributed denial of service (DDoS) cyberattack that resulted in outages across its Azure, Microsoft 365, and Microsoft Purview services.

Microsoft Azure, 365 and Purview service outage caused by DDoS cyberattack

If you tried to access Microsoft Azure, 365, or Purview services on Tuesday, you may have experienced the latest outage to hit these platforms. Microsoft confirmed that a distributed denial of service (DDoS) cyberattack led to an eight-hour outage on Tuesday, July 30, 2024. Abnormal traffic spikes and timeouts affected Azure global services such as Azure Front Door and Azure Content Delivery Network.

Microsoft is investigating the outage. It will conduct a preliminary review of the incident within 72 hours and a detailed review within two weeks to understand what went wrong and how to better mitigate future attacks.

The outage comes only days after a global IT outage affected Microsoft Windows endpoints with Crowdstrike Falcon, an endpoint detection and response (EDR) tool. The defective Falcon update caused a “blue screen of death” (BSOD) on all affected systems, rendering the devices useless until remediation could be applied.

Microsoft’s response to DDoS may have made outage worse

Microsoft said once the Azure DDoS protection mechanisms were triggered, “initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it.”

Customer impact was first recorded at 11:45 UTC on July 30, and by 19:43 UTC, failure rates returned to pre-incident levels. Additional escalated incident response monitoring continued, and Microsoft declared the incident mitigated at 20:48 UTC.

Microsoft offers Azure Service Health alerts that trigger emails, SMS, push notifications, and webhooks.

Microsoft has not confirmed the origin of the attack or who is responsible at this time.

On the same day of the incident, Microsoft CEO Satya Nadella stated in an earnings call that “cybersecurity is a top priority for the company.”

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

Wiz Turns Down $23 Billion Acquisition Offer from Google: Pursuing IPO Instead

New from our favorite blogs and journalists:

CrowdStrike CEO says 97% of Windows sensors restored in IT outage recovery effort (Cybersecurity Dive)
Some companies pay ransomware attackers multiple times, survey finds (Cybersecurity Dive)
Business interruption claims will drive insurance losses linked to CrowdStrike IT disruption (Cybersecurity Dive)
CrowdStrike Explains What Went Wrong Days After Global Tech Outage (The Wall Street Journal)
CrowdStrike Outage Puts Its Financial Reporting Under Scrutiny, Too (The Wall Street Journal)
Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware (The Hacker News)
City of Columbus Says Data Compromised in Ransomware Attack (Security Week)
Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances (Security Week)
Ransomware attack forces hundreds of small Indian banks offline, sources say (Reuters)

Today’s Cyber Wall of Shame

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

AT&T confirms hackers stole nearly all customer records

Rob Waters — Wed, 17 Jul 2024 13:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Your Brilliant Business Idea Just Got a New Best Friend

Got a business idea? Any idea? We're not picky. Big, small, "I thought of this in the shower" type stuff–we want it all. Whether you're dreaming of building an empire or just figuring out how to stop shuffling spreadsheets, we're here for it.

Our AI Ideas Generator asks you 3 questions and emails you a custom-built report of AI-powered solutions unique to your business.

Imagine having a hyper-intelligent, never-sleeps, doesn't-need-coffee AI solutions machine at your beck and call. That's our AI Ideas Generator. It takes your business conundrum, shakes it up with some LLM magic and–voila!--emails you a bespoke report of AI-powered solutions.

Outsmart, Outpace, Outdo: Whether you're aiming to leapfrog the competition or just be best-in-class in your industry, our custom AI solutions have you covered.

Ready to turn your business into the talk of the town (or at least the water cooler)? Let's get cracking! (And yes, it’s free!)

The FBI is investigating the massive hack that affected 73 million AT&T customers. Between May 1 and October 31, 2022, and January 2, 2023, approximately six months' worth of phone calls and text records were stolen.

AT&T confirms records data for 73 million customers stolen and available on hacker forums

AT&T has confirmed that approximately six months’ worth of phone call and text message records for nearly all of its 73 million customers have been stolen. While AT&T has stated that the data doesn’t include actual phone or text content (i.e., transcriptions), it can potentially reveal sensitive information about millions of its customers in the United States.

The data stolen was part of the ever-increasing list of affected customers using the Snowflake data platform breached in April 2024.

AT&T paid a hacker $370,000 to delete the data

One of the hackers responsible for the breach confirmed to Wired that AT&T had paid him $370,000 to delete data related to the breach and provide video proof of deletion.

The hacker was paid 5.7 bitcoin on May 17, 2024, worth $373,646 at the time of the transaction. Wired and TRM Labs, a global cryptocurrency investigation firm, independently verified the exchange.

An investigation by BleepingComputer found that the data includes “names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information.”

However, the hackers have decrypted the birth dates and social security numbers and added them to another file in the leak, making those also accessible.

After initially denying the data was stolen from its systems, AT&T stated in an SEC filing that it learned from an internal investigation in April 2024 that “hackers unlawfully accessed and copied AT&T call logs” saved on a third-party cloud platform.

The U.S. Department of Justice and the Federal Bureau of Investigation are aiding AT&T in investigating the hack. U.S. Senators are also calling for an investigation after pressing the heads of AT&T and Snowflake in a new letter addressed to AT&T Chief Executive Officer John Stankey.

Why the stolen AT&T customer data matters

Analyzing numbers within the breach could be valuable for malicious actors trying to understand patterns or “networks” of communication between people.

This metadata—or data used to describe other forms of data—is what intelligence agencies or law enforcement globally analyze when conducting research or investigations on suspects, for example.

Using publicly available tools could also aid malicious actors in associating phone numbers with customer names.

What AT&T customers should do after the hack

A large dataset of 73 million Americans could prove very valuable for understanding patterns of behavior, personal networks, and perhaps even what businesses or organizations they support.

If you were or currently still are an AT&T customer throughout the affected timeline, we highly recommend you take the following precautionary measures:

Enroll in a credit and identity monitoring service. Most major credit card providers now provide free identity or at least credit monitoring. Check here first to see if your credit card provider does, and enroll today. If you were affected by a different breach, you may also be entitled to free monitoring.

If none of this applies to you, start a new enrollment with a service such as TransUnion, Equifax, or Experian. Many offer free monitoring levels with advanced notifications and protections under a paid membership.
Change your phone number–or obtain a secondary one. Yes, we realize it’s inconvenient to change your phone number. Phone numbers are tied to so much of our everyday lives, whether it’s utilities, banks, or social networks. But that’s precisely why it’s so valuable in the hands of the wrong person. Your number is already compromised, and you’d be better off obtaining a new number. Just make sure you do some Googling on any new proposed number your mobile provider offers to see what the new number is associated with–or who.

You can also obtain a secondary number (e.g., Google Voice) and associate this new number with whatever you want, whether it’s your social circle or utilities, subscriptions, etc.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

New from our favorite blogs and journalists:

The World’s Four Internets (Quinn Chasan - Social Dawn)
Anti-Anti-Big Tech (Quinn Chasan - Social Dawn)
Mandiant Highlights Russian and Chinese Cyber Threats to NATO on Eve of 75th Anniversary Summit (SecurityWeek)
Global Coalition Blames China’s APT40 for Hacking Government Networks (SecurityWeek)
Hacker Stole Secrets From OpenAI (SecurityWeek)
Microsoft Banning Android Phones for Staff in China (SecurityWeek)
U.S. Allies Issue Rare Warning on Chinese Hacking Group (Wall Street Journal)
Microsoft Quits OpenAI’s Board Amid Antitrust Scrutiny (Wall Street Journal)
U.S. disrupts Russian bot farm suspected of spreading disinformation in several countries (U.S. Department of Justice)
Hackers leak 39,000 print-at-home Ticketmaster tickets for 154 events (BleepingComputer)
Google Advanced Protection Program gets passkeys for high-risk users (BleepingComputer)
Iraq-based cybercriminals deploy malicious Python packages to steal data(The Record)
Senators press AT&T, Snowflake for answers on wide-ranging data breach(The Record)

Today’s Cyber Wall of Shame

It's not a good time to be an executive at AT&T.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Hacker Amin Stigal Wanted For Russian GRU Malware Operations

Rob Waters — Tue, 02 Jul 2024 20:30:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Rewards for Justice is offering up to $10 million for information or the location of Amin Stigal. Stigal is linked to the Russian GRU for WhisperGate malware operations. (source: Rewards for Justice)

$10 Million Reward for Information on GRU Hacker Amin Stigal Targeting US Critical Infrastructure

Rewards for Justice is offering a $10 million reward for information leading to the location of Amin Timovich Stigal (Амин Тимович Стигал), a hacker linked to Russian Military Intelligence (also known as GRU) and its WhisperGate malware operations. Stigal, 22 years old, is a Russian citizen and is still at large.

Stigal was indicted last week by a federal judge of the Department of Justice in Maryland with conspiracy to hack into and destroy computer systems and data. In advance of the full-scale Russian invasion of Ukraine in February 2022, targets included Ukrainian Government systems and data with no military or defense-related roles.

Later targets included computer systems in countries that were providing support to Ukraine, including NATO members and the United States. The indictment alleges that Stigal and members of the GRU conspired to use a U.S.-based company's services to distribute WhisperGate malware to dozens of Ukrainian government entities, aiming to destroy their computer systems and data.

How WhisperGate malware renders targets unrecoverable

WhisperGate malware infected targets, appearing as ransomware, while actually deleting the data, rendering the systems useless.

These attacks using the WhisperGate malware also defaced websites, leaked stolen data, and rendered compromised systems unrecoverable.

According to Mandiant, in recent years, the use of "fake" ransomware to carry out destructive attacks has been a recurring tactic, technique, and procedure (TTP) for Russian threat groups.

Mandiant associates WhisperGate's attacks closely with threat actor group UNC2589. UNC2589 was active as early as 2020, supporting Russian government goals.

Targeting U.S. Critical Infrastructure

Stigal and the GRU are known to have targeted critical infrastructure in the U.S., particularly in the energy, government, and aerospace sectors. They have scanned for vulnerabilities, mapped networks, and identified potential website weaknesses.

Report Information to Rewards for Justice

If you have information on Amin Stigal, the GRU's malicious cyber activity, or associated individuals and entities, contact Rewards for Justice via their Tor-based tips-reporting channel address:

he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required)

More information is available on the Rewards for Justice site.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

Review: Samsung Odyssey G50D Series 32″ Monitor

New from our favorite blogs and journalists:

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (Mandiant)
Fiverr Freelancers Offer to Dox Anyone With Powerful U.S. Data Tool (404 Media)
eBay Removes Listing for StingRay Cellphone Spying Tech (404 Media)
AI trains on kids’ photos even when parents use strict privacy settings (Ars Technica)
“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux (Ars Technica)
Mac users served info-stealer malware through Google ads (Ars Technica)
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk (Ars Technica)
New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data (The Hacker News)
Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware (The Hacker News)
Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights (The Hacker News)
Google to Block Entrust Certificates in Chrome Starting November 2024 (The Hacker News)

Today’s Cyber Wall of Shame

Amin Stigal, ladies and gentlemen:

A Federal Bureau of Investigation Most Wanted alert for Amin Timovich Stigal, the Russian GRU-linked hacker. (source: FBI)

Join the live session: automate compliance & streamline security reviews

Whether you’re starting or scaling your company’s security program, demonstrating top-notch security practices and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money — while helping you build customer trust.

And, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Join Vanta’s 45-minute live session on July 9th at 12 pm PST to see the platform in action and ask your questions.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Kaspersky Antivirus banned in U.S. due to National Security risks

Rob Waters — Sat, 22 Jun 2024 16:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Scale your GRC program with Automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring
Centralize risk and report on program impact to internal teams
Create your own Trust Center to proactively manage buyer needs
Leverage AI to answer security questionnaires faster

Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to build trust and prove security in real time. Connect with a team member to learn more.

U.S. bans Kaspersky antivirus software due to National Security risks

Eugene Kaspersky, CEO of Kaspersky Labs, maintains that the company has operated independently of any Russian government influence for over 26 years.

The Biden-Harris Administration and the United States Department of Commerce have announced that they are banning Kaspersky antivirus software across the entire U.S., forcing the company to dismantle and shut down all U.S. operations by September 29, 2024. All sales of its cybersecurity and antivirus products and services to U.S. persons must cease by July 20, 2024.

Kaspersky antivirus software has "an ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government pose an undue or unacceptable national security risk,” the Department stated.

The September 29, 2024, deadline will force Kaspersky to shut down its U.S.-based Kaspersky Security Network (KSN), antivirus signatures, and codebase updates. Kaspersky is also prohibited from integrating any component of the company’s offerings into third-party software or offerings.

The only exceptions the Department of Commerce made are Kaspersky Threat Intelligence products and services and Kaspersky Security and Consulting services. The department considers those services “educational” or “informational” and thus avoids the ban.

Commerce: Kaspersky antivirus software is a surveillance tool of the Kremlin

Secretary of Commerce Gina Raimondo articulated the Russian government's exploitation of Kaspersky for cyber intelligence objectives:

“Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people. Today’s action, our first use of the Commerce Department’s ICTS authorities, demonstrates Commerce’s role in support of our national defense and shows our adversaries we will not hesitate to act when they use their technology poses a risk to United States and its citizens.”

Banning Kaspersky antivirus and cybersecurity products in the U.S. was not unexpected. In 2017, the Department of Homeland Security ordered federal agencies to remove all Kaspersky products from federal information systems.

In 2022, the U.S. Federal Communications Commission placed Kaspersky’s products and services on a list that posed a significant threat to national security.

Today, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced economic sanctions against 12 executives and senior leaders at AO Kaspersky Lab. Notably, Eugene Kaspersky is not one of them.

Kaspersky to “pursue all legal options” following ban

In a prepared statement to Ars Technica, Kaspersky has stated that it is willing to “pursue all legal options” following the ban on its antivirus software. Predictably, it also claims that the ban by the Department of Commerce is “purely political.”

The company has also maintained that it has operated independently of the Russian government for over 26 years.

Despite the U.S. government ban, It also vows to continue selling its antivirus software.

A full press release was posted by Kaspersky on their X account:

After Kaspersky, is TikTok next?

No matter how Kaspersky challenges the ban, it will likely end any significant market capture within the United States. Sinking revenue since the 2017 Homeland Security ban and increasingly negative public sentiment toward Russia–now more than ever due to the ongoing war in Ukraine–has made this brand too toxic.

It also doesn’t give any confidence in the possibility of a U.S.-based TikTok remaining in operation. The Biden-Harris Administration announced in April it is forcing the Beijing-tied social media platform to sell within one year or face a permanent ban.

Increasing weaponization of data and using software and social media for surveillance purposes originating from China and Russia is a quick way to a ban in today’s political climate.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our favorite blogs and journalists:

Citing national security, US will ban Kaspersky anti-virus software in July (Ars Technica)
Cisco to establish cybersecurity centre in Taiwan (Reuters)
Cybersecurity Burnout Costing Firms $700m+ Annually (Infosecurity Magazine)
Cybersecurity Concerns Test Paris Olympics Preparations (PYMNTS)
Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021 (The Hacker News)
U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban (The Hacker News)
Signal Foundation Warns Against EU's Plan to Scan Private Messages for CSAM (The Hacker News)
UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying (The Hacker News)
Kaspersky: Biden administration bans Americans from using Russian-made cybersecurity software over national security concerns (CNN)
TikTok ramps up attacks on Biden administration in challenging prospective ban (CNN)

Cybersecurity Industry Press Releases:

Today’s Cyber Wall of Shame

You know you’re going to miss this…

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

CDK Global Software Cyberattack Disrupts 15,000 US Car Dealerships

Rob Waters — Fri, 21 Jun 2024 20:41:01 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

CDK Global Software Cyberattack Disrupts 15,000 US Car Dealerships

CDK Global, a company providing dealer management software (DMS) to car dealerships across the United States, has suffered multiple cyberattacks affecting over 15,000 dealerships. CDK has been forced to shut down its systems, leaving clients unable to perform any business operation the software provides.

The initial cyberattacks were first reported on Tuesday, June 18.

The CDK platform includes CRM, repair requests, orders, inventory, payroll, and financing, among other administrative functions.

According to Bleeping Computer, the attacks forced CDK to shut down its IT systems, phones, and applications to prevent the further spread of the attack.

Customers using CDK’s platform utilize a VPN connection that must remain online to CDK’s datacenters where the software-as-a-service (SaaS) resides. A locally installed application at each dealer accesses the enterprise SaaS through the VPN.

A CDK client from an affected dealership told Bleeping Computer that CDK advised them to disconnect the VPN out of caution.

The ongoing cyberattacks on CDK Global have forced countless US car dealerships to resort to pen-and-paper manual processes to continue some level of business. (source: Reddit)

CDK confirms multiple cyberattacks with no time frame for resolution

"We are actively investigating a cyber incident," a CDK spokesperson told CBS News. "Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible."

Some systems were restored on Wednesday, but another round of cyberattacks on the same day further damaged recovery efforts.

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third-party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible,” CDK shared on Thursday.

Calls to CDK Global’s hotlines are met with a busy signal or a prerecorded message.

The automated recording on CDK Global’s hotline states, " At this time, we do not have an estimated time frame for resolution, and therefore, our dealers’ systems will not likely be available for several days.”

Manual spreadsheets, pen and paper as outage persists

Employees have reported on Reddit that many car dealerships can only function at a reduced level using manual, static spreadsheets, and pen and paper.

“Excel spreadsheets and post it notes for any parts we’re handing out. Any big jobs are not happening,” an affected car dealership employee posted on Reddit.

Some dealerships are even sending employees home, as they will not be able to reasonably perform their jobs until CDK is back online.

"We are almost to that point…no parts, no ROs, no times…just dead vehicles with nothing to show for them or parts to fix them," another affected car dealership employee posted to Reddit.

Your Brilliant Business Idea Just Got a New Best Friend

Our AI Ideas Generator asks you 3 questions and emails you a custom-built report of AI-powered solutions unique to your business.

Outsmart, Outpace, Outdo: Whether you're aiming to leapfrog the competition or just be best-in-class in your industry, our custom AI solutions have you covered.

Ready to turn your business into the talk of the town (or at least the water cooler)? Let's get cracking! (And yes, it’s free!)

Today’s Cyber Wall of Shame

Malicious actors never let a crisis go to waste…

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Owners of "Empire Market" Dark Web Store Worth $430 Million Charged

Rob Waters — Thu, 20 Jun 2024 14:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

The Fall of Empire Market, a Dark Web Marketplace

The United States Department of Justice has announced that two suspects have been charged with owning and operating Empire Market, a dark web marketplace. Empire Market provided access to buying, selling, and exchanging illegal goods and services like drugs, counterfeit items, malware, stolen enterprise data, and other services.

The DOJ has charged Thomas Pavey, aka “Dopenugget,” and Raheim Hamilton, aka “Sydney” and “Zero Angel,” with owning and operating Empire Market from 2018 to 2020. Pavey, 38, resided in Ormond Beach, Florida, and Hamilton, 28, in Suffolk, Virginia.

Two suspects could now face life in prison for the illegal drugs, goods, and services marketplace.

Pavey and Hamilton also previously sold counterfeit U.S. currency on AlphaBay, a dark web marketplace that preceded Empire Market. AlphaBay was shut down in 2017.

In just two years, the pair conducted over four million transactions worth $430 million, according to an indictment in the U.S. District Court in Chicago.

The indictment charges include drug trafficking, computer fraud, access device fraud, counterfeiting, and money laundering.

Empire Market was accessible only on the dark web with a .onion address. Multiple vendors sold various drugs and stolen credit card information. At its peak, over 500 new listings were posted per day, and over 52,000 products were for sale across 4,500 vendors.

For only $750, vendors could register to sell anything customers would be willing to pay for.

An example drug listing of Adderall and Vyvanse on Empire Market while the dark web store was still in operation. (source: webz.io)

Payments accepted on Empire Market included Bitcoin, Litecoin, and Monero cryptocurrencies.

The platform became a hub for learning how to conduct money laundering and attempting to conceal cryptocurrency transactions by “tumbling” it through services like Tornado Cash.

Tornado Cash is used by crypto scammers and dark web users to shuffle cryptocurrency funds across a broad range of cryptocurrencies on the Ethereum blockchain.

Lifetime sentences await Empire Market owners

Empire Market was taken down in January 2020 after a coordinated effort by law enforcement agencies in the United States and abroad. Authorities seized and took the marketplace's servers offline, as well as over $75 million in cryptocurrency, cash, and precious metals.

If Pavey and Hamilton are found guilty and convicted on all counts, they will earn a lifetime sentence each.

If history tells us anything, AlphaBay, Genesis Market, and Empire Market may be gone, but clones inevitably rise. Notorious hacker forum BreachForums remains in operation after repeated international efforts to take down the platform.

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.

New from our blog:

NVIDIA Nemotron-4 340B: Large Language Model Training with Synthetic Data (Cybersecurity Careers Blog)

New from our favorite blogs and journalists:

Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs (404 Media)
Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw (The Hacker News)
Empire Market owners charged for enabling $430M in dark web transactions (Bleeping Computer)
CDK Global cyberattack impacts thousands of US car dealerships (Bleeping Computer)
Fake Google Chrome errors trick you into running malicious PowerShell scripts (Bleeping Computer)
Government and military officials fair targets of Pegasus spyware in all cases, NSO Group argues (The Record)
UN Security Council to debate cybersecurity threats, despite Russian veto (The Record)
US intelligence 'not seen much' of Russia attempting to interfere in UK elections (The Record)
Russia may interfere in UK election, warns senior Democratic senator (The Telegraph)
Men plead guilty to aggravated ID theft after pilfering police database (Ars Technica)
High-severity vulnerabilities affect a wide range of Asus router models (Ars Technica)
“Simulation of keyboard activity” leads to firing of Wells Fargo employees (Ars Technica)

Today’s Cyber Wall of Shame

When someone thinks “cybersecurity” is considered a buzzword… in 2024.

h/t vx-underground on X

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

Snowflake customer data and credentials for sale on dark web

Rob Waters — Sun, 16 Jun 2024 16:00:00 +0000

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

This is a special report on the ongoing Snowflake data breach, which now includes over 165 customers, according to a joint investigation by Mandiant and Snowflake.

Its origins and root cause are still disputed, and hundreds of customers may still be affected. Customer data is now for sale on the dark web with an asking price of millions of dollars.

165 customers and counting: Snowflake data breach turning into one of the largest ever

If you haven’t followed the news, data cloud provider Snowflake suffered a highly damaging breach originating in April. Now, hundreds of customer credentials and terabytes of data are for sale on the dark web.

The origin of the breach is in dispute; initial reports stated that info-stealing malware infected numerous employees’ computers. Hackers then leveraged the infected employee devices to breach the enterprise platform and gain access to customer account data.

Snowflake denied the breach and blamed customers affected, such as Santander and Ticketmaster, for poor security of their credentials. They have since changed the definition of “breach” according to their

Snowflake has vehemently denied that its enterprise network was breached and that customers were directly targeted with info-stealing malware to extract valid credentials without sophisticated identity hardening or multifactor authentication (MFA).

“We are aware of recent reports related to a potential compromise of the Snowflake production environment. We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” the company shared in a blog post.

The attack path diagram of UNC5537 leverages an info-stealer malware to infect targeted users. Hackers then login with the stolen Snowflake credentials, without MFA enforced, and exfiltrate the customer data. (source: Mandiant)

Cybersecurity firm Mandiant, now part of Google Cloud, continues investigating the incident with Snowflake. Mandiant has given the hacker group the name UNC5537. “UNC” represents an uncategorized group, which indicates that it is not an advanced persistent threat (APT) group.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” Mandiant declared on its blog posting of the ongoing investigation.

The company’s blog and news section do not mention any cybersecurity incident. Snowflake social media only has two June posts denying internal breaches of Snowflake systems.

These are the only statements by Snowflake on X denying any breach of its systems:

Snowflake customer data for sale on BreachForums

Despite the FBI seizing the BreachForums domain and assets in May, the hackers responsible for operating the popular breach site cloned and started a new iteration on a new domain.

Hacker group ShinyHunters, which helps administer the site, quickly posted Snowflake customer's data and credentials, such as Santander, Ticketmaster, and Cylance, for sale.

Advance Auto Parts is among the customers listed, and hackers claim to have data on over 380 million of its customers. The asking price is $1.5 million for 3TB of data.

BreachForums user Sp1d3r is selling up to 2TB of data from LendingTree and QuoteWizard for $2 million. The authenticity of the listings and the legitimacy of the hackers posting the sale offers are unclear.

Snowflake customers urged to enforce MFA, still not required by default

CISA has posted an alert urging Snowflake customers to be aware and take preventative actions.

Snowflake urges all customers to enable and enforce MFA and harden their security access. Other Snowflake platform best practices are also recommended.

The company recommends that its customers review the IoCs, investigative queries, and preventive actions published in the Snowflake Community Security Bulletin.

At the time of this publication, Snowflake still does not require its customers to enable and use MFA–nearly two months after the originating customer data breaches.

TechCrunch reports a company spokesperson said they are “developing a plan” to require customers to do so in the future.

Snowflake stock ($SNOW) is down 22% in the last 30 days, losing over 37 million in market cap on the New York Stock Exchange.

The Breach Report

China confesses to Volt Typhoon role in U.S. infrastructure cyberattacks

Cyberattacks against U.S. due to “American support for Taiwan”

Going on the offensive against “The Typhoons”

Today’s Cyber Social Funny

DOD Air Force Contractor Pleads Guilty to Stealing Top Secret Classified Documents

A word from our Sponsor

Your job called—it wants better business news

Meet Gokhan Gun: A Turk charged with stealing Top Secret files and trying to flee to Mexico

Gun faces 5 years in jail for stealing classified documents

Today’s Cyber Social Wall of Shame

Alleged Oracle Cloud Hack: 6 Million Records at Risk? What We Know So Far

Oracle denies breach after hacker claims to steal 6 million records

The Hacker claims and demands

What vulnerabilities the Oracle Cloud hack may have exploited

Potential impact of an Oracle Cloud hack of 6 million records

Recommendations to mitigate risk if you are an Oracle Cloud customer

Today’s Cyber Social Wall of Shame

Justice Department Charges Two Silk Typhoon Chinese Hackers with U.S. Treasury Breach

There’s a reason 400,000 professionals read this daily.

Yin Kecheng and Zhou Shuai among 12 Chinese hackers charged with U.S. Treasury breach

Silk Typhoon used Microsoft Exchange, Palo Alto Networks Firewall, Citrix NetScaler, and Ivanti Pulse Connect Secure vulnerabilities

FBI offers $2 million reward for information leading to the arrest of Kecheng or Shuai

Today’s Cyber Social Wall of Shame

Lockbit Ransomware Developer Extradited to the United States

Learn AI in 5 minutes a day

Alleged LockBit Ransomware Developer Rostislav Panev Extradited to the U.S. in Major Cybersecurity Crackdown

Panev aided LockBit ransomware group growth, extorting over $500 million from victims

Panev profited from LockBit infrastructure and affiliate business model

Panev’s downfall: confessing to Israeli authorities

Are you a victim of LockBit ransomware?

Today’s Cyber Social Wall of Shame

Army soldier tried to sell Snowflake stolen data and defect to Russia

Cameron Wagenius, aka Kiberphant0m and cyb3rph4nt0m charged with data theft and extortion

Wagenius pleads guilty, considered a flight risk

National Security implications of Wagenius

Latest Cybersecurity News

Today’s Cyber Wall of Shame

Evgenii Ptitsyn Extradited to U.S. for Phobos Ransomware

Russian National Extradited for Phobos Ransomware Attacks

Charges Against Ptitsyn

International Collaboration Leads to Arrest

Phobos Ransomware: Finally on the decline

Today’s Cyber Wall of Shame

Snowflake hackers charged with stealing 50 billion AT&T records

Writer RAG tool: build production-ready RAG apps in minutes

U.S. Department of Justice indicts Connor Moucka and John Binns of hacking

AT&T Snowflake breach includes 50 billion customer text and call records

DOJ_ConnorMoucka_JohnBinns_Snowflake.pdf

Today’s Cyber Wall of Shame

T-Mobile hacked in Chinese cyber-espionage operation

Start learning AI in 2025

Salt Typhoon hack part of major U.S. telecom infrastructure spying operation

Experts claim hack is “catastrophic in scope and severity”

Counterintelligence concerns over Salt Typhoon hacks

How Salt Typhoon Hacked T-Mobile, AT&T, Verizon, and Lumen Technologies

Today’s Cyber Social Wall of Shame

Why Hacking the United States Presidential Election is Nearly Impossible

Tackle Your Credit Card Debt With 0% Interest Until Nearly 2027 AND Earn 5% Cash Back

Hacking may be too difficult, so disinformation is the weapon of choice

FBI: Financial and data fraud more likely ahead of elections

Five reasons hacking the United States Presidential Election is unlikely

Today’s Cyber Wall of Shame

CISA, FBI: U.S. Elections are secure despite Russian interference attempts

CISA: U.S. elections have never been more secure

Russian disinformation spreads on U.S. Election ballot fraud

Where to get accurate election and polling information

Today’s Cyber Wall of Shame

China-linked Salt Typhoon hacks Verizon, AT&T in intelligence gathering operation

United States wiretap systems breached by China-linked hacking group “Salt Typhoon”

Who is Salt Typhoon?

Latest Cybersecurity News

Cybersecurity Job Openings

Today’s Cyber Wall of Shame

Trump, Biden, Harris targeted in Iran phishing cyberattacks

Iran using spear-phishing attacks against President Trump, President Biden, and Vice President Harris

Who is APT42?

APT42 TTPs for luring targets in phishing campaigns

APT42 targeting the United States Presidential Election Campaigns

APT42 is banned from OpenAI for using ChatGPT to influence elections