By the CyberWire staff
Alleged Twitter hackers arrested.
US Federal prosecutors have charged three individuals in connection with the July 15th Twitter hack. Graham Ivan Clark, 17, of Tampa, Florida, Mason Sheppard, 19, of Bognor Regis, England, and Nima Fazeli, 22, of Orlando, Florida, are the three under indictment. The US Attorney for the Northern District of California declined to name Mr. Clark because of his age, but his arrest has been so widely reported by the press in Florida and elsewhere that there seems little point in finessing the identification at this point.
The Hillsborough State Attorney's Office in Florida asserts that Graham Clark was the "mastermind" of the scheme, and he's being charged as an adult. Mr. Clark faces thirty felony charges: one count of organized fraud (over $50,000), seventeen counts of communications fraud (over $300), one count of fraudulent use of personal information (over $100,000 or thirty or more victims), ten counts of fraudulent use of personal information, and one count of accessing a computer or electronic devices without authority. Mason Sheppard and Nima Fazeli have been charged in the Northern District of California: Sheppard with "conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer," and Fazeli with "aiding and abetting the intentional access of a protected computer."
ZDNet has a timeline of the incident and the investigation. According to the indictment, Mr. Clark infiltrated some part of Twitter's network on May 3rd. The New York Times says he first gained access to Twitter's internal Slack channel, where he found credentials for an administrative tool that allowed Twitter employees to access and manipulate user accounts. This tool was protected by two-factor authentication, which Clark was able to bypass on July 15th by using social engineering against Twitter employees over the phone. He then contacted Mr. Sheppard and Mr. Fazeli over Discord and sold them access to several Twitter accounts with swanky handles (e.g., "@dark," "@vague," "@drug," and "@vampire").
Later the same day, Sheppard and Fazeli allegedly began brokering deals for Graham on the OGUsers forum, advertising access to any Twitter account for between $2000 and $3000 per account. WIRED says Clark made approximately $33,000 selling access to accounts, while Sheppard received $7,000 for brokering the deals. ZDNet notes that authorities are still investigating the users who purchased these accounts.
Finally, Clark is accused of perpetrating the high-profile Bitcoin scam on the afternoon of July 15th after hijacking the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather, Kim Kardashian, Apple, Uber, Coinbase, Kucoin, Gemini, Binance, and the "@Bitcoin" account. Hillsborough State Attorney Andrew Warren alleges that Clark "stole the identities of prominent people, posted messages in their names directing victims to send Bitcoin to accounts associated with Clark, and reaped more than $100,000 in Bitcoin in just one day." His bail has been set at $725,000.
It appears that the FBI tracked online activity in Discord and OGUsers until they came to points where the three defendants used either their real identities or their home IP addresses or both. The Bureau also made use of a leaked database of OGUsers member information, which was posted online when the forum was hacked in April. That database contained private messages, IP addresses, and email addresses. Fazeli and Sheppard also used their real driver's licenses to verify accounts on Coinbase, which were linked to various email and IP addresses involved in the hacks.
Intel sustains intellectual property breach.
Intel has suffered a breach involving twenty gigabytes of internal documents, many of which include sensitive corporate intellectual property, CyberScoop reports. According to Engadget, the documents were published by Swiss software engineer Till Kottmann, who says he received them from a source who claims to have hacked the company earlier this year. Intel disputes that it was hacked, saying it believes an insider leaked the data.
The company said in a statement to the media, "We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data."
ZDNet explains that "[t]he Intel Resource and Design Center is a web portal where Intel provides non-public technical documents to business partners integrating Intel chipsets into their respective products." ZDNet says the leaked documents match this description.
Operation Skeleton Key targets Taiwan's semiconductor sector.
At Black Hat on Thursday, researchers from CyCraft Technology described a suspected Chinese government threat group, "Chimera," that's successfully targeted Taiwan's semiconductor industry. According to WIRED, the hackers were after source code, chip designs, software development kits, and similar intellectual property. The group targeted at least seven chip manufacturers in 2018 and 2019. CyCraft doesn't name the victims, but says they were based in the Hsinchu Science Industrial Park.
CyCraft calls the campaign "Operation Skeleton Key" after its use of SkeletonKeyInjector, which "implanted a skeleton key into domain controller (DC) servers to continuously conduct lateral movement." The operators' principal remote access Trojan was Cobalt Strike, and they used an old version of RAR to exfiltrate data.
Microsoft exploring TikTok acquisition.
Microsoft confirmed on Sunday that it's in discussions with ByteDance to buy TikTok's US operations, with President Trump's blessing. The purchase might extend to TikTok's operations in Canada, Australia, and New Zealand as well. Microsoft stated, "Following a conversation between Microsoft CEO Satya Nadella and President Donald J. Trump, Microsoft is prepared to continue discussions to explore a purchase of TikTok in the United States.... It is committed to acquiring TikTok subject to a complete security review and providing proper economic benefits to the United States, including the United States Treasury. Microsoft will move quickly to pursue discussions with TikTok's parent company, ByteDance, in a matter of weeks, and in any event completing these discussions no later than September 15, 2020."
The announcement came after President Trump's statement last Friday, reported in the Washington Post, that he intended, on security grounds, to ban TikTok from operating in the US. The President then signed an Executive Order this past Thursday that will ban transactions between US citizens and ByteDance, effective on September 20th. A separate Executive Order, also signed Thursday, similarly restricted transactions between US citizens and Tencent Holdings, the owner of WeChat. Both Orders state that "the spread in the United States of mobile applications developed and owned by companies in the People’s Republic of China continues to threaten the national security, foreign policy, and economy of the United States."
TikTok objected to the Executive Order in a statement issued Friday morning, asserting that the Order's claims are unfounded and that "[t]here has been, and continues to be, no due process or adherence to the law." The company also stated, "We have made clear that TikTok has never shared user data with the Chinese government, nor censored content at its request."
Reuters reports that ByteDance has agreed to divest TikTok's US operations completely, although Microsoft stressed that "[t]hese discussions are preliminary and there can be no assurance that a transaction which involves Microsoft will proceed." Forbes quotes various state-run Chinese media outlets as calling the potential deal "theft," "open robbery," and "tantamount to inviting potential U.S. purchasers to participate in an officially sanctioned 'steal' of Chinese technology."
Documents used during the last UK general election may have come from an email hack.
Reuters reports that papers related to UK-US trade negotiations that were leaked to the Labour Party and others during the last British general election were taken from the email account of former Conservative trade minister Liam Fox. Reuters cites "sources with direct knowledge of the matter" to the effect that "the hackers accessed the account multiple times between July 12 and Oct. 21 last year."
The documents were represented as evidence of plans the Tory government had to “privatise” the National Health Service and turn it over to American for-profit control. This story was far-fetched and implausible even by the standards of electoral politics, and, while the leaked documents were waved by Labour leader Jeremy Corbyn on camera in a campaign photo op, the narrative gained little traction.
The theft has been widely attributed to Russian intelligence services. British foreign minister Dominic Raab last month said "Russian actors" had sought to interfere in the election “through the online amplification of illicitly acquired and leaked Government documents.” An investigation into how the documents were taken is still in progress.
Ramifications of Blackbaud's data breach.
The effects of the Blackbaud ransomware and data theft incident continue to ripple through the educational, political, and not-for-profit sectors. In the US, a new set of universities are now known to have been affected. The Universities of Texas and Oklahoma have both warned donors and alumni that their information may have been accessed by the attackers. And EdScoop reports that the California State University system is now investigating the possibility that the Blackbaud attackers successfully compromised all twenty-three institutions in the system.
There have been other victims in the United Kingdom, too. Third Sector reports that more than thirty British charities have been affected. The UK's Labour Party has disclosed that personal information about thousands of its donors was exposed in the incident; Labour had been using "Raiser’s Edge," a fundraising and donor management solution from Blackbaud.
Doki backdoor exploits misconfigured Docker servers.
Intezer warns that a "completely undetected Linux malware" is using automated, continuous scanning to detect and infect any Internet-exposed Docker servers. The malware, which the researchers have dubbed "Doki," is part of the Ngrok Botnet cryptomining campaign, but the malware in this case isn't a cryptominer.
Doki is a backdoor whose purpose is to gain access to misconfigured Docker API ports and then create its own containers. Intezer says these containers "are configured to bind /tmpXXXXXX directory to the root directory of the hosting server. This means every file on the server’s filesystem can be accessed and even modified, with the correct user permissions, from within the container." The malware has been active for more than six months, but was completely undetected until late July.
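The two misconfigurations this report turns on, a Docker API reachable over plain TCP and containers that bind the host's root directory, can both be audited from the daemon's own output. The following is an added illustration, not Intezer's tooling: it reads records in the shape `docker inspect` emits (the sample records are constructed) and a `daemon.json` fragment, and flags the patterns described above.

```python
"""Audit Docker for the Doki-style exposure described above: containers
that bind-mount the host root (or other sensitive host paths), and a daemon
that listens on tcp:// without TLS. Sample inputs are constructed."""
import json
import os

# Constructed records in the shape of `docker inspect <id>` output.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Binds": ["/var/www:/usr/share/nginx/html:ro"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/www", "Destination": "/usr/share/nginx/html"}]},
    {"Id": "bbb222", "Name": "/tender_doki",        # host / mapped to /tmpXXXXXX, as in the report
     "HostConfig": {"Binds": ["/:/tmpAbC123"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/tmpAbC123"}]},
    {"Id": "ccc333", "Name": "/agent",
     "HostConfig": {"Binds": [], "Privileged": True},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data", "Destination": "/data"}]},
])

# Host paths that give a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def _host_paths(container):
    """Collect host-side paths from both HostConfig.Binds and Mounts entries."""
    paths = set()
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        paths.add(os.path.normpath(bind.split(":")[0]))   # "host:container[:mode]"
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind":
            paths.add(os.path.normpath(mount.get("Source", "")))
    return paths


def find_host_exposing_containers(inspect_json):
    """Return (id, name, reasons) for containers that can reach the host filesystem."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = [f"bind-mounts host {p}" for p in sorted(_host_paths(c))
                   if p in SENSITIVE_HOST_PATHS]
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("runs privileged")
        if reasons:
            findings.append((c["Id"], c["Name"], reasons))
    return findings


def api_exposure_warnings(daemon_json):
    """Return tcp:// listeners from daemon.json 'hosts' that are not TLS-protected."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    for cid, name, why in find_host_exposing_containers(SAMPLE_INSPECT):
        print(f"{name} ({cid}): {', '.join(why)}")
    print(api_exposure_warnings('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'))
```

On a live host the same functions can be fed `docker inspect $(docker ps -q)` and `/etc/docker/daemon.json`; a `tcp://` listener without `tlsverify` is the exposure the scanning campaign looks for.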
Patch news.
ZDNet says patches for the BootHole flaw in the GRUB2 bootloader are causing problems for users of Red Hat, Ubuntu, Debian, CentOS, and Fedora, but users are still advised to apply the patches.
Crime and punishment.
The court hearing of alleged Twitter hacker Graham Ivan Clark was held virtually and publicly over Zoom, and the proceedings were repeatedly disrupted by trolls, Ars Technica reports. Meeting attendees played loud music, shouted curse words and racial slurs, and at one point hijacked the screen with pornography. Brian Krebs noted that the hearing's organizers failed to implement Zoom's security settings. According to the Verge, Judge Christopher Nash has said future hearings will be password-protected.
The operators and proprietors of the NetWalker ransomware-as-a-service offering have raked in at least $25 million since March 2020, according to a report by McAfee.
Courts and torts.
Capital One has been fined $80 million by the US Office of the Comptroller of the Currency (OCC) over the bank's 2019 data breach, The Hill reports. The OCC stated that it "took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank's customer notification and remediation efforts.... The OCC found the noted deficiencies to constitute unsafe or unsound practices and resulted in noncompliance with 12 C.F.R. Part 30, Appendix B, 'Interagency Guidelines Establishing Information Security Standards.'"
Morgan Stanley is facing two US Federal lawsuits filed by seven current and former customers who allege that the company compromised their "Social Security, passport and account numbers" when it decommissioned two data centers in 2016, Financial Planning reports. The company hired a third-party to wipe data from the centers' systems, but learned in 2019 that a software flaw had left copies of unencrypted, "previously deleted data" on the hard drives. Morgan Stanley has since disclosed that it's been "unable to locate a small number of those devices."
Policies, procurements, and agency equities.
The US State Department is offering bounties of up to $10 million under its Rewards for Justice program "for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities." The bounties seem to apply to hackers as opposed to influencers, as the announcement states, "Persons engaged in certain malicious cyber operations targeting election or campaign infrastructure may be subject to prosecution under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which criminalizes unauthorized computer intrusions and other forms of fraud related to computers."
Interestingly, Reuters reports that text messages communicating the offer and a link to Rewards for Justice have been turning up on Iranian and Russian devices. Who sent the texts isn’t clear, but there’s speculation that the messaging was done on behalf of the US Government. US Cyber Command referred Reuters to the State Department, and State had nothing to say, so the origin of the texts remains unclear.
The US Office of the Director of National Intelligence on Friday released a statement on election interference. NCSC Director William Evanina says that China, Russia, and Iran are all interested in various forms of interference. Roughly speaking, China dislikes President Trump and wants him out, Iran also dislikes the incumbent (and American political institutions even more), and Russia, while generally disruptive, has tended to denigrate former Vice President Biden (which animus goes back to his connections with Ukraine).
US Secretary of State Pompeo on Wednesday announced five new "lines of effort" under the US Clean Network program. These include "Clean Carrier" (aimed at disconnecting untrustworthy carriers from US telecommunications networks), "Clean Store" (which would remove untrusted applications from US mobile app stores), "Clean Apps" (intended to prevent untrusted smartphone manufacturers from pre-installing trusted apps in their own app stores), "Clean Cloud" (which would keep US personal data and intellectual property out of adversaries' cloud services), and "Clean Cable" (which would ensure that undersea cables aren't compromised by hostile intelligence services). All of these measures are directed at China, and the Secretary’s published announcement is quite explicit in this respect. The Secretary of State has invited friendly nations to participate in these lines of effort.
In a Malware Analysis Report published Monday, the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the FBI officially attributed the remote access Trojan "Taidoor" to Chinese government actors.