The CyberWire Daily Podcast 10.17.24
Ep 2171 | 10.17.24

Authorities bring down another hacker.

Transcript

Brazilian authorities arrest the alleged “USDoD” hacker. The DoJ indicts the alleged operators of Anonymous Sudan. CISA and its partners warn of Iranian brute force password attempts. A new report questions online platforms’ ability to detect election disinformation. Recent security patches address critical vulnerabilities in widely-used platforms. North Korean threat actors escalate their fake IT worker schemes. CISA seeks comment on Product Security Bad Practices. Dealing effectively with post-breach stress. Tim Starks, Senior Reporter at CyberScoop, joins us to discuss “What’s new from this year’s Counter Ransomware Initiative summit.” Redbox DVD rental machines get a reboot.

Today is Thursday October 17th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Brazilian authorities arrest the alleged “USDoD” hacker. 

Brazilian authorities recently arrested a hacker, allegedly linked to the alias “USDoD,” who is accused of multiple high-profile cyberattacks. The individual was behind breaches of the FBI’s InfraGard platform, which connects law enforcement with private critical infrastructure organizations, as well as attacks on Airbus, the U.S. Environmental Protection Agency, and others. The hacker also claimed to have leaked a vast database with nearly 900 million Social Security numbers from U.S. background check firm National Public Data.

The arrest followed “Operation Data Breach,” a Brazilian Federal Police initiative investigating breaches of their own systems and international targets. The suspect, whose identity was linked to Luan G., a 33-year-old man from Minas Gerais, Brazil, admitted responsibility for the attacks in a public statement. He had long been under investigation by cybersecurity firms like CrowdStrike, which shared their findings with Brazilian authorities. In a public confession, Luan acknowledged his defeat and expressed readiness to face the consequences of his actions.

The suspect’s activities included selling sensitive data from breached organizations and boasting of his involvement in cyber intrusions. The operation to arrest him is part of broader efforts by Brazilian authorities to crack down on cybercrime.

The DoJ indicts the alleged operators of Anonymous Sudan. 

The U.S. Department of Justice has indicted two Sudanese nationals for operating the cybercriminal group Anonymous Sudan, responsible for launching over 35,000 DDoS attacks against U.S. and global targets. These attacks impacted critical infrastructure, corporate networks, and government agencies, including the FBI, Department of Justice, Microsoft, and Cedars-Sinai Medical Center. Some attacks caused significant disruptions, including shutting down Cedars-Sinai’s emergency department for eight hours. In March 2024, U.S. authorities seized and disabled the group’s DDoS tool as part of a coordinated international law enforcement effort.

The indictment alleges that the group not only performed these attacks but also sold access to their DDoS tool, enabling other criminal actors to launch further assaults. Anonymous Sudan’s attacks, conducted through a tool known as “Godzilla,” resulted in over $10 million in damages to U.S. victims. The group’s platform targeted critical sectors such as healthcare, government, and private companies, causing prolonged outages and operational damage. 

The FBI, with assistance from international law enforcement agencies and private sector partners, took down the group’s infrastructure as part of “Operation PowerOFF.” The operation focused on dismantling global DDoS-for-hire networks.

CISA and its partners warn of Iranian brute force password attempts. 

A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and other international authorities warns that Iranian cyber actors are increasingly using brute force methods like password spraying and “push bombing” to target global critical infrastructure sectors. These attackers focus on healthcare, government, IT, and energy sectors to steal credentials and gain deeper access to systems. The advisory highlights that Iranian actors have exploited MFA vulnerabilities and sold stolen credentials, urging organizations to enhance security by implementing phishing-resistant MFA and monitoring for suspicious logins and behaviors.
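As an added illustration (not part of the episode or of the advisory itself), the following Python snippet shows what "monitoring for suspicious logins" can look like for the two behaviours the advisory names: password spraying (one source trying many accounts, one or two guesses each) and push bombing (many MFA push prompts to one user until one is approved). The log format, the thresholds and the sample log lines are all assumptions constructed for this example; the code simply slides a time window over the events per source IP and per user.

```python
"""Toy detectors for password spraying and MFA push bombing.

Added example, not code from the advisory or the podcast. The log
format below is an assumption: "<ISO-8601 UTC ts> <user> <src_ip> <result>"
where result is FAIL, OK or MFA_PUSH. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): a spray from 203.0.113.7 that ends
# in a success for frank, a single-account brute force from 198.51.100.20,
# push bombing of frank from 192.0.2.55, and a benign retry by grace.
SAMPLE_LOG = """\
2024-10-17T08:00:01Z alice 203.0.113.7 FAIL
2024-10-17T08:00:04Z bob 203.0.113.7 FAIL
2024-10-17T08:00:09Z carol 203.0.113.7 FAIL
2024-10-17T08:00:13Z dave 203.0.113.7 FAIL
2024-10-17T08:00:18Z erin 203.0.113.7 FAIL
2024-10-17T08:00:22Z frank 203.0.113.7 OK
2024-10-17T08:01:00Z alice 198.51.100.20 FAIL
2024-10-17T08:01:05Z alice 198.51.100.20 FAIL
2024-10-17T08:01:10Z alice 198.51.100.20 FAIL
2024-10-17T08:01:15Z alice 198.51.100.20 FAIL
2024-10-17T08:01:20Z alice 198.51.100.20 FAIL
2024-10-17T08:01:25Z alice 198.51.100.20 FAIL
2024-10-17T08:02:00Z frank 192.0.2.55 MFA_PUSH
2024-10-17T08:02:10Z frank 192.0.2.55 MFA_PUSH
2024-10-17T08:02:20Z frank 192.0.2.55 MFA_PUSH
2024-10-17T08:02:30Z frank 192.0.2.55 MFA_PUSH
2024-10-17T08:02:40Z frank 192.0.2.55 MFA_PUSH
2024-10-17T08:02:50Z frank 192.0.2.55 OK
2024-10-17T09:30:00Z grace 10.0.0.5 FAIL
2024-10-17T09:30:30Z grace 10.0.0.5 OK
"""


def parse_log(text):
    """Parse the assumed log format into sorted (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, ip, result))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that, within `window`, hit >= min_accounts distinct
    accounts with <= max_per_account guesses each (wide and shallow), and
    record any accounts that succeeded inside that window."""
    by_ip = defaultdict(list)
    for when, user, ip, result in events:
        if result in ("FAIL", "OK"):          # password-stage outcomes only
            by_ip[ip].append((when, user, result))
    hits = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                    # slide the window forward
            win = attempts[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in win:
                per_user[user] += 1
            shallow = [u for u, c in per_user.items() if c <= max_per_account]
            if len(shallow) >= min_accounts:
                hits[ip] = {
                    "accounts": sorted(per_user),
                    "successes": sorted(u for _, u, r in win if r == "OK"),
                }
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=4):
    """Flag users who receive >= min_pushes MFA prompts within `window`,
    noting whether a login was approved after the last prompt in that window."""
    by_user = defaultdict(list)
    for when, user, ip, result in events:
        if result in ("MFA_PUSH", "OK"):
            by_user[user].append((when, ip, result))
    hits = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            push_times = [t for t, _, r in win if r == "MFA_PUSH"]
            if len(push_times) >= min_pushes:
                last_push = max(push_times)
                approved = any(r == "OK" and t >= last_push for t, _, r in win)
                hits[user] = {"pushes": len(push_times), "approved": approved}
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("push bombing:", detect_push_bombing(evs))
```

Note what the two detectors do not flag: the six rapid failures against alice from 198.51.100.20 are a classic single-account brute force, which a lockout policy handles, not a spray, so the spray rule ignores it; and a spray rule keyed only on failures would miss the most important record, the success for frank at the end of the 203.0.113.7 run. In production the same logic runs in a SIEM query rather than a script, and the thresholds are tuned to the tenant's normal traffic.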

A new report questions online platforms’ ability to detect election disinformation. 

An investigation from the nonprofit NGO Global Witness tested YouTube, Facebook, and TikTok’s ability to detect election disinformation. Results showed mixed performance. TikTok performed the worst, approving 50% of disinformation ads, despite a ban on political content. Facebook improved significantly, rejecting seven out of eight ads, though one containing false election information was accepted. YouTube flagged half of the ads but required additional identification before publishing, leaving room for improvement. The report says that social media platforms, especially TikTok, must enhance their content moderation systems to prevent election disinformation, especially with the 2024 U.S. presidential election looming.

Recent security patches address critical vulnerabilities in widely-used platforms. 

We’ve got a roundup of recent security patches addressing critical vulnerabilities in widely-used platforms. 

1. GitHub Enterprise: A vulnerability in GitHub Enterprise Server’s SSO and SAML authentication could allow an attacker to bypass protections and impersonate users. The flaw affects versions up to 3.10.4 and is patched in newer releases.

2. Cisco: Cisco issued fixes for high-severity flaws in its Analog Telephone Adapters (ATA), potentially allowing remote attackers to launch code execution or denial-of-service attacks.

3. F5 BIG-IP: F5 patched a high-severity privilege escalation vulnerability in its BIG-IP product that could allow attackers with restricted access to elevate privileges and gain control of systems.

As always, patch ’em if ya got ’em. 

North Korean threat actors escalate their fake IT worker schemes. 

North Korean threat actors, notably the Nickel Tapestry group, have escalated tactics in their fake IT worker schemes, according to Secureworks. These actors, previously focused on collecting paychecks, now engage in data theft and extortion. In one case, a contractor quickly stole proprietary data and demanded a ransom from their former employer, threatening to publish the data online. This shift raises the risk for companies employing North Korean IT workers, who now seek larger sums through rapid data theft. Tactics include using personal laptops, rerouting corporate devices, masking IP addresses, and employing virtual desktop setups. To mitigate risks, companies are advised to thoroughly vet candidates, monitor suspicious behavior, and restrict unauthorized access tools. This evolution reflects North Korea’s ongoing efforts to fund its regime through cybercrime.

CISA seeks comment on Product Security Bad Practices. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a draft of its Product Security Bad Practices guidance for public comment. Part of CISA’s Secure by Design initiative, this guidance highlights risky security practices, especially for organizations supporting critical infrastructure. It targets software manufacturers, offering non-binding recommendations to improve product security across on-premises software, cloud services, and SaaS. The guidance covers product properties, security features, and organizational policies. CISA seeks feedback from stakeholders by December 2, 2024, to refine the recommendations further.

Dealing effectively with post-breach stress. 

An article from Bank Info Security highlights the intense stress often faced by cybersecurity professionals, particularly in the aftermath of a breach. The pressure to contain damage, restore operations, and protect sensitive data can be overwhelming. Every decision feels critical, as it impacts both the company’s future and the individual’s job security. Additionally, leaders like CISOs are increasingly held accountable, sometimes facing legal consequences, further raising the stakes.

Post-incident stress is worsened by scrutiny from management, clients, and regulators, all demanding answers. The fear of making mistakes under pressure adds to the psychological burden, often leading to burnout and, in severe cases, symptoms similar to PTSD.

Burnout has become a growing concern in the field, driven by long hours and high expectations, especially during post-breach recovery. This can lead to mistakes, increasing the risk of future incidents and creating a vicious cycle of stress and burnout.

The article emphasizes the importance of organizational support. Clear post-incident protocols, mental health resources, and stress management workshops can help professionals cope with these challenges. Building emotional resilience, encouraging mindfulness, and fostering team collaboration are also key strategies to manage the demands of the job.

By taking these steps, organizations can help their cybersecurity teams manage post-incident stress more effectively, ensuring both personal well-being and professional performance remain strong.


Next up, CyberScoop’s Tim Starks returns to discuss “What’s new from this year’s Counter Ransomware Initiative summit, and what’s next.” We’ll be right back.

Welcome back. You can find a link to the article Tim and I discussed in the show notes. 

Redbox DVD rental machines get a reboot. 

And finally, our retail kiosk security desk reports that the code for Redbox DVD rental machines has hit the internet, and a community of tech tinkerers has dived right in to see what makes these big red boxes tick. Naturally, someone decided the best use for this newfound knowledge was to run Doom on one of the machines—because, of course, that’s always the first step in any reverse engineering project.

According to 404 Media, in the wake of Redbox’s parent company going bankrupt, these kiosks are being abandoned at pharmacies, grocery stores, and other retailers. Some folks have figured out that not only can they liberate DVDs from these machines, but in some cases, they can walk away with the entire Redbox! Walgreens alone is stuck with 5,400 of these clunky kiosks, costing them $184,000 a month to keep powered. As a result, tinkerers have begun asking if they can just haul these things away, and, surprisingly, some store managers are more than happy to oblige.

Reddit and Discord are now buzzing with stories of people acquiring and tinkering with these machines. Some are stripping them down, reverse-engineering the software, and even discovering old rental data, including email addresses and partial credit card numbers (yikes). Others are transforming the kiosks into personalized DVD storage systems—or installing Minecraft, because why not?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.