Breach Roundup: Brazilian Police Arrest USDoD
Also: Internet Archive Limps Back Online, Beware Kerberoasting and Passkey Takeup
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Brazilian police arrested USDoD, the Internet Archive slowly recovered, Microsoft warned of Kerberoasting and of mounting phishing attacks using file-sharing services, Google touted memory safety efforts, Volkswagen said no harm was done after a ransomware attack, and Amazon reported over 175 million customers using passkeys.
Brazilian Police Arrest USDoD Hacker
The Federal Police of Brazil said Wednesday they arrested the hacker who boasted in 2022 of posing as an American CEO to gain access to the FBI-run cybersecurity forum InfraGard.
A hacker going by the moniker "USDoD" on the BreachForums criminal forum offered to sell for $50,000 what he said were details of all of InfraGard's more than 80,000 members, including 47,000 email addresses (see: Hacker Reportedly Breaches US FBI Cybersecurity Forum).
USDoD is also the hacker behind the December 2023 theft of personal information pertaining to 1.3 million U.S. residents from data broker National Public Data, whose owner and sole employee earlier this month sought bankruptcy protection in U.S. federal court (see: Background Check Firm National Public Data Confirms Breach).
Brazilian police in a statement first reported by Bleeping Computer said they executed a search and seizure warrant and an arrest warrant in the hacker's hometown of Belo Horizonte, located in the South American country's southeastern state of Minas Gerais. The hacker allegedly put up federal police data for sale in May 2020 and again in February 2022, police said.
USDoD has taken responsibility for hacking European airplane manufacturer Airbus in September 2023, obtaining 3,200 vendor names, emails, and mailing addresses. The hacker said he obtained access through logon credentials stolen from a Turkish airline. In July, he posted a spreadsheet on BreachForums containing an "entire threat actor list" from cybersecurity firm CrowdStrike, which was going through its own difficulties at the time (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).
The identity of USDoD has been an open secret for months now. After USDoD published the CrowdStrike spreadsheet, Brazilian publication Tecmundo published what it said was a leaked CrowdStrike report identifying USDoD as a Brazilian named "Luan BG," a resident of Minas Gerais.
Cybernews days later reported that a researcher using open source intelligence tools identified him as Luan Goncalves, 33. Goncalves then outed himself in a statement to HackRead, writing "Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born."
Internet Archive Slowly Comes Back Online
The Internet Archive returned online in skeleton form after a run of attacks earlier this month, including a paralyzing distributed denial-of-service attack followed by a data breach affecting 31 million users (see: Internet Archive Data Breach Exposes 31 Million Accounts).
The archives are safe, and "we hope to turn more web crawling on within a day to make sure our web collections remain whole," the Internet Archive said on social media platform Bluesky.
Network monitoring firm Netscout reported Friday the DDoS attack lasted around three hours, with five gigabits per second of traffic flooding the site. The attack targeted three IP addresses and used TCP RST floods and HTTPS application-layer attacks, with signs pointing to a Mirai variant botnet. Most of the attack traffic originated from compromised IoT devices in Korea, China and Brazil.
Microsoft Warns of Kerberoasting Attacks
Microsoft raised alarms over the increasing potency of Kerberoasting, a cyberattack targeting the Kerberos authentication protocol to steal Active Directory credentials. Hackers now use GPUs to accelerate password cracking, making attacks more effective.
Microsoft VP of Enterprise and OS Security David Weston in a Friday blog post described the method as a post-exploitation technique. After gaining access to a network, attackers request service tickets tied to Active Directory accounts. Hackers crack the tickets, encrypted with an NTLM hash, offline to reveal passwords.
Weston called Kerberoasting "a low-tech, high-impact attack" that can be executed using open-source tools to query target accounts, retrieve service tickets and crack passwords. Once attackers obtain valid credentials they can swiftly move through compromised networks.
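The pattern Weston describes, one principal requesting service tickets for many accounts and cracking them offline, leaves a footprint in domain controller logs. As an added example that is not from the article or from Microsoft, the detection logic below runs over constructed Windows Security Event ID 4769 (service ticket request) records and flags a source that asks for RC4-HMAC tickets (TicketEncryptionType 0x17, the etype that is cheap to crack) for several distinct service accounts within a short window. The field names follow the real event; the flattened line format, sample values and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security Event ID 4769 (Kerberos service ticket request)
# records, one per line. Field names mirror the real event; values are invented.
SAMPLE_4769 = """\
2024-10-18T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.5.23
2024-10-18T09:15:10 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-10-18T09:15:11 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-10-18T09:15:11 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-10-18T09:15:12 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-10-18T09:15:13 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17 IpAddress=10.0.9.77
2024-10-18T10:30:00 EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.2.5
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4769 (?P<kv>.*)$")
RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC, the crackable legacy etype

def parse_4769(text):
    """Parse the flattened 4769 lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(part.split("=", 1) for part in m.group("kv").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "user": kv["TargetUserName"], "service": kv["ServiceName"],
                       "etype": int(kv["TicketEncryptionType"], 16), "ip": kv["IpAddress"]})
    return events

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Return {(user, ip): [services]} for sources that requested RC4 tickets
    for at least min_services distinct non-computer SPNs inside one window."""
    by_src = defaultdict(list)
    for e in events:
        # Computer accounts ($) and the TGS itself are not Kerberoasting targets.
        if e["etype"] == RC4_HMAC and e["service"] != "krbtgt" and not e["service"].endswith("$"):
            by_src[(e["user"], e["ip"])].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide the window from each request
            names = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(names) >= min_services:
                alerts[src] = sorted(names)
                break
    return alerts
```

AES-only requests (etype 0x12) and a single legacy RC4 request are left alone, so the rule fires on the burst, not on ordinary Kerberos traffic; tune the window and service count to the environment's baseline.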
Microsoft Threat Intelligence reported on Oct. 8 a surge in phishing campaigns exploiting legitimate file-sharing services like OneDrive, SharePoint and Dropbox. Victims receive email notifications prompting authentication, leading to an adversary-in-the-middle phishing page. The campaigns often lead to business email compromise, causing financial fraud, data theft and lateral network movement.
Microsoft identified attackers using compromised accounts from trusted vendors to host malicious files. Recipients, trusting the source, authenticate and view documents with disguised phishing links. Users are then prompted to verify their identity with a password and MFA, giving attackers access to other accounts.
Google Boosts Memory Safety Languages
Google vowed Tuesday to increase its adoption of memory-safe languages even in environments where previously C++ was the optimal, high-performance choice.
Google estimates that three quarters of known vulnerabilities used in zero day exploits are memory safety vulnerabilities. Urging industry to adopt memory safety languages has been a notable part of the Biden administration's cybersecurity policy agenda (see: Breach Roundup: White House Calls for Memory-Safe Languages).
The Silicon Valley giant said it'll start using Rust more in programming Android and will work to retrofit "at scale" C++ code bases. "While we won't make C and C++ memory safe, we are eliminating sub-classes of vulnerabilities in the code we own, as well as reducing the risks of the remaining vulnerabilities through exploit mitigations," Google said. It also pledged to expand use of techniques such as sandboxing and privilege detection, and subject its code base to bug testing through fuzzing and other techniques.
Google also said it is investigating Capability Hardware Enhanced RISC Instructions - CHERI for short - architecture at the chip level. Designed by researchers at the University of Cambridge with backing from the U.K. and U.S. governments, CHERI "can provide finer grained memory protections and safety controls, particularly appealing in security-critical environments like embedded systems," Google said (see: CHERI Backers Form Alliance to Promote Memory Safety Chip).
Volkswagen Says No Harm Done After Ransomware Attack
The Volkswagen Group said the company’s IT infrastructure was unaffected after a ransomware group called 8Base claimed to have stolen sensitive information from the company, French news site LeMagIT reported.
8Base listed Volkswagen on its leak site, claiming it had obtained invoices, receipts, accounting documents, personal data, employment contracts and other confidential information.
Since its emergence in early 2023, 8Base has targeted over 400 victims, using data theft as leverage to pressure organizations into paying ransom before deploying file-encrypting malware. The German company was previously compromised by Chinese state-sponsored hackers, who accessed its systems from 2011 to 2014.
Amazon Reports Over 175 Million Customers Using Passkeys
Amazon announced more than 175 million customers have taken up the passwordless security feature since its rollout to customers last year. Passkeys allow users to sign in six times faster than traditional methods, the e-commerce giant said.
Passkeys are digital credentials linked to biometric authentication or PINs, stored securely on devices like smartphones, computers and USB security keys. When a passkey is created, a private key is securely stored on the device's trusted platform module, while the online service receives only the public key. This system enhances security since passkeys are less vulnerable to data breaches, phishing attacks, or malware.
Other Stories From Last Week
- Fortinet Edge Devices Under Attack - Again
- UK Reports 50% Spike in 'Nationally Significant' Incidents
- Schools Face Spike in Cyberattacks From Nation-State Hackers
- Sri Lankan Police Arrest Over 200 Chinese Scammers
- TrickMo Trojan Variants Target Device Unlock Codes
With reporting from Information Security Media Group's David Perera in Washington, D.C.