By the CyberWire staff
At a glance.
- Alleged Anonymous Sudan hacker faces life in prison for hospital DDoS attack.
- Brazilian police arrest alleged hacker behind National Public Data and InfraGard breaches.
- Iranian threat actors sell access to critical infrastructure networks to cybercriminals.
- FBI arrests man accused of hacking the SEC's X account.
- North Korean threat actors incorporate new tactics into fraudulent IT worker schemes.
- Sri Lankan police arrest more than 200 Chinese nationals over financial scams.
- Adload malware may be exploiting macOS vulnerability.
- Finnish Customs office shuts down Sipulitie criminal marketplace.
Alleged Anonymous Sudan hacker faces life in prison for hospital DDoS attack.
The US Justice Department has indicted two Sudanese nationals for allegedly running the Anonymous Sudan cybercriminal group. Anonymous Sudan launched thousands of DDoS attacks against government and critical infrastructure targets in the US and other countries. One of the defendants, Ahmed Salah, is charged with "knowingly and recklessly causing serious bodily injury or death" by disrupting services at Cedars-Sinai Medical Center in Los Angeles. WIRED notes that this charge carries a potential life sentence. Martin Estrada, the US attorney for the Central District of California, told reporters that the two defendants are in custody, though he did not disclose where they are being held.
The Justice Department stated, "According to the indictment and a criminal complaint also unsealed today, since early 2023, the Anonymous Sudan actors and their customers have used the group’s Distributed Cloud Attack Tool (DCAT) to conduct destructive DDoS attacks and publicly claim credit for them. In approximately one year of operation, Anonymous Sudan’s DDoS tool was used to launch over 35,000 DDoS attacks, including at least 70 targeting computers in the greater Los Angeles area. Victims of the attacks include sensitive government and critical infrastructure targets within the United States and around the world, including the Department of Justice, the Department of Defense, the FBI, the State Department, Cedars-Sinai Medical Center in Los Angeles, and government websites for the state of Alabama."
Brazilian police arrest alleged hacker behind National Public Data and InfraGard breaches.
Brazil’s Department of Federal Police (DFP) has arrested an individual allegedly responsible for breaching National Public Data, Airbus, and the FBI's InfraGard information-sharing organization, the Record reports. The DFP alleges that the individual is a criminal threat actor who goes by the alias "USDoD."
BleepingComputer notes that USDoD was doxed by CrowdStrike after he breached the cybersecurity firm. CrowdStrike said the hacker was a 33-year-old Brazilian named Luan BG, and USDoD confirmed this information in an interview with HackRead.
The DFP said in a press release (translated from Portuguese), "A search and seizure warrant and a preventive arrest warrant were served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications selling Federal Police data, on May 22, 2020 and on February 22, 2022. The prisoner boasted of being responsible for several cyber invasions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard."
Iranian threat actors sell access to critical infrastructure networks to cybercriminals.
Intelligence agencies from the US, Canada, and Australia have issued a joint advisory warning that Iranian threat actors are using brute force and credential stuffing attacks "to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors." The goal of the attacks is "to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals."
The advisory states, "Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access."
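The three behaviors the advisory names (password spraying, MFA push bombing, and MFA registration changes after a compromise) each have a detectable shape in sign-in telemetry. The following is an added example, not code from the advisory or the CyberWire article, that flags all three over a constructed batch of events. The event format, field names and thresholds are assumptions for illustration; a real deployment would read from the identity provider's sign-in and audit logs and tune the thresholds to its own baseline.

```python
"""Added example: detect password spraying, MFA push bombing, and MFA method
registration following a fatigue-driven approval. All events below are
constructed for illustration; the event schema and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Event: (timestamp, kind, user, src_ip, outcome)
# kind is one of "login" (password check), "mfa_push" (prompt sent),
# "mfa_register" (new MFA method added to the account).
Event = Tuple[datetime, str, str, str, str]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry (not real logs). 203.0.113.7 tries one password
# against many accounts, lands on "jdoe", floods jdoe with push prompts until
# one is approved, then registers a new MFA method for persistence.
SAMPLE_EVENTS: List[Event] = [
    (ts("2024-10-14T08:00:01"), "login", "asmith", "203.0.113.7", "failure"),
    (ts("2024-10-14T08:00:03"), "login", "bjones", "203.0.113.7", "failure"),
    (ts("2024-10-14T08:00:05"), "login", "cwu", "203.0.113.7", "failure"),
    (ts("2024-10-14T08:00:07"), "login", "dlee", "203.0.113.7", "failure"),
    (ts("2024-10-14T08:00:09"), "login", "jdoe", "203.0.113.7", "success"),
    (ts("2024-10-14T08:01:00"), "mfa_push", "jdoe", "203.0.113.7", "denied"),
    (ts("2024-10-14T08:01:20"), "mfa_push", "jdoe", "203.0.113.7", "denied"),
    (ts("2024-10-14T08:01:40"), "mfa_push", "jdoe", "203.0.113.7", "denied"),
    (ts("2024-10-14T08:02:00"), "mfa_push", "jdoe", "203.0.113.7", "timeout"),
    (ts("2024-10-14T08:02:20"), "mfa_push", "jdoe", "203.0.113.7", "approved"),
    (ts("2024-10-14T08:05:00"), "mfa_register", "jdoe", "203.0.113.7", "success"),
    # Benign noise: one user mistypes a password twice from the office.
    (ts("2024-10-14T08:03:00"), "login", "efox", "198.51.100.20", "failure"),
    (ts("2024-10-14T08:03:30"), "login", "efox", "198.51.100.20", "failure"),
    (ts("2024-10-14T08:03:45"), "login", "efox", "198.51.100.20", "success"),
    (ts("2024-10-14T08:04:00"), "mfa_push", "efox", "198.51.100.20", "approved"),
]


def detect_password_spraying(events: List[Event], window=timedelta(minutes=10),
                             min_accounts: int = 4) -> Dict[str, Set[str]]:
    """Return {src_ip: accounts} for sources with failed logins against at
    least `min_accounts` distinct accounts inside one sliding window.
    Spraying stays under per-account lockout counters, so pivot on the
    source, not the account."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, kind, user, ip, outcome in sorted(events):
        if kind == "login" and outcome == "failure":
            fails[ip].append((t, user))
    flagged: Dict[str, Set[str]] = {}
    for ip, items in fails.items():
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def detect_push_bombing(events: List[Event], window=timedelta(minutes=5),
                        min_pushes: int = 4) -> Dict[str, int]:
    """Return {user: push_count} for users who received at least `min_pushes`
    MFA prompts within one window. Repeated denied or ignored prompts
    followed by an approval is the fatigue pattern."""
    pushes: Dict[str, List[datetime]] = defaultdict(list)
    for t, kind, user, _ip, _outcome in sorted(events):
        if kind == "mfa_push":
            pushes[user].append(t)
    flagged: Dict[str, int] = {}
    for user, times in pushes.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_pushes:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def detect_mfa_registration_after_bombing(events: List[Event], bombed_users: Set[str],
                                          window=timedelta(hours=1)) -> List[Tuple[str, datetime]]:
    """For users already flagged for push bombing, report any new MFA method
    registered within `window` after an approved push: the persistence step
    (modified MFA registrations) the advisory describes."""
    ordered = sorted(events)
    approvals: Dict[str, List[datetime]] = defaultdict(list)
    for t, kind, user, _ip, outcome in ordered:
        if kind == "mfa_push" and outcome == "approved" and user in bombed_users:
            approvals[user].append(t)
    hits = []
    for t, kind, user, _ip, _outcome in ordered:
        if kind == "mfa_register" and user in bombed_users:
            if any(timedelta(0) <= t - a <= window for a in approvals[user]):
                hits.append((user, t))
    return hits


def triage(events: List[Event]) -> dict:
    spray = detect_password_spraying(events)
    bombing = detect_push_bombing(events)
    regs = detect_mfa_registration_after_bombing(events, set(bombing))
    return {"spraying_sources": spray, "push_bombed_users": bombing,
            "mfa_registration_after_approval": regs}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(name, result)
```

The registration check is deliberately scoped to users already flagged for push bombing: on its own, a new MFA method is routine, but one added within an hour of an approval that followed a burst of denied prompts is the sequence the advisory describes, and it is worth an automatic review or a forced re-enrollment of that account.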
FBI arrests man accused of hacking the SEC's X account.
The FBI has arrested a 25-year-old man in Alabama for allegedly hacking the SEC's X (formerly Twitter) account in January 2024, BleepingComputer reports. The suspect, Eric Council Jr., allegedly granted access to other individuals who used the account to falsely announce that the SEC had approved bitcoin Exchange Traded Funds, which caused the price of bitcoin to spike and then drop sharply following news of the hack. Council is accused of taking over the account via a SIM-swapping attack.
The Justice Department stated, "As part of the scheme, Council and the co-conspirators allegedly created a fraudulent identification document in the victim’s name, which Council used to impersonate the victim; took over the victim’s cellular telephone account; and accessed the online social media account linked to the victim’s cellular phone number for the purpose of accessing the SEC’s X account and generating the fraudulent post in the name of SEC Chairman Gensler."
North Korean threat actors incorporate new tactics into fraudulent IT worker schemes.
Secureworks warns that a North Korean threat actor tracked as NICKEL TAPESTRY has incorporated new tactics into its fraudulent IT worker schemes. The threat actor uses stolen identities to obtain employment at companies in Western countries in order to generate revenue for the North Korean government. Secureworks has observed these incidents in the US, the UK, and Australia. The researchers state that in some cases, "fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes."
Secureworks notes, "The emergence of ransom demands marks a notable departure from prior NICKEL TAPESTRY schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers....In many fraudulent worker schemes, the threat actors demonstrate a financial motivation by maintaining employment and collecting a paycheck. However, the extortion incident reveals that NICKEL TAPESTRY has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion. This shift significantly changes the risk profile for organizations that inadvertently hire a North Korean IT worker."
Sri Lankan police arrest more than 200 Chinese nationals over financial scams.
Police in Sri Lanka have arrested more than 200 Chinese nationals for allegedly running pig-butchering scams out of Sri Lankan hotels, BankInfoSecurity reports. Pig-butchering is a long-con investment scam in which victims are lured into putting money into fraudulent cryptocurrency investment platforms, with the scammers building trust over weeks or months before taking the funds. The schemes often target users of dating sites and borrow tactics from romance scams.
Police Spokesman Deputy Inspector General Nihal Thalduwa told the Sunday Times, "The scammers tend to look for smaller hotels or similar places with a small number of staff. They would rent the entire place for an extended period and are willing to pay more than the asking price to persuade the owners to agree." He added, "If you are the owner of a small hotel and foreigners or locals come and ask you to lease out the entire place to them for an extended period and they are willing to pay more than the asking price, it should immediately arouse suspicion. We recommend the owner or owners to at least include a clause in the lease agreement enabling them to inspect the premises at any given time to check what’s going on."
The Chinese embassy in Sri Lanka said it fully supported the law enforcement crackdown.
Adload malware may be exploiting macOS vulnerability.
Microsoft has disclosed a medium-severity vulnerability (CVE-2024-44133) affecting macOS that could allow an attacker to bypass the operating system's Transparency, Consent, and Control (TCC) technology and gain unauthorized access to user data. Apple issued a patch for the flaw last month. Microsoft warns that the Adload malware may be exploiting the vulnerability.
Microsoft explains that exploitation "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent."
Finnish Customs office shuts down Sipulitie criminal marketplace.
The Finnish Customs office has seized the domain and servers used by the Sipulitie dark web drugs marketplace, BleepingComputer reports. The investigation was supported by Europol, law enforcement in Sweden and Poland, and researchers at Bitdefender.
Finnish Customs stated, "During the investigation, the identities of the administrators of Sipulitie, Sipulimarket, and Tsätti have been discovered. The identities of moderators and customer service agents supporting the administration have also been uncovered. Using the seized material, drug sellers and buyers operating on Sipulitie have also been identified." The office plans on announcing arrests shortly.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet flaw (CVE-2024-23113) to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal civilian agencies to patch the flaw by October 30th. Fortinet fixed the flaw in February, but many devices remain unpatched. CyberScoop notes that, as of Sunday, more than 86,000 IP addresses were still exposed to the vulnerability. The flaw is a format string vulnerability affecting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb, which can allow "a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests." The vulnerability was assigned a CVSS score of 9.8.
CISA has also added a critical Veeam vulnerability (CVE-2024-40711) to the KEV catalog, the Record reports. The flaw affects Veeam's Backup & Replication product and can lead to unauthorized remote code execution. CISA warns that ransomware actors are known to be exploiting the flaw. Veeam issued a patch for the vulnerability in September, and CISA has ordered federal civilian agencies to apply the fix by November 4th.
Splunk has issued patches for eleven vulnerabilities affecting Splunk Enterprise, including two high-severity flaws that could lead to remote code execution (RCE), SecurityWeek reports. The most serious flaw (CVE-2024-45733) affects Splunk Enterprise for Windows, and can allow a low-privileged user to perform RCE due to an insecure session storage configuration. A second RCE flaw could allow a low-privileged user to execute code by writing a malicious DLL.