Newsletters

Written content from the Risky Business Media team

Risky Biz News: LofyGang runs amok in the npm ecosystem with minimal gains

Presented by

Catalin Cimpanu

News Editor

But despite their oversized presence on npm, their end goals were not up to par with their determination to infect targets. Checkmarx said that the group used the stolen credentials merely to boost their Discord server. Stolen gaming and streaming account credentials were leaked on the Cracked.io hacking forum as a way to draw attention and promote their hacking tools (many of which were widely available via a public GitHub page) and an underground service for selling fake Instagram followers.

Imagine spending all this time flooding the npm portal with fake libraries, compromising developer boxes, and all of it just for some hacker rep.

We often hear about reports of malicious libraries being found on PyPI, npm, or RubyGems, but in recent years, all of these have been linked to teenage hackerism like this or to some lame cryptomining op. For all the hype surrounding supply chain attacks, it appears that threat actors like LofyGang exhibit a serious lack of imagination when they manage to keep a malicious package on any of these repos for more than a week or two. One reason why these attacks are often spotted early is that the DevSecOps field has matured quickly, and tools that continuously scan public package repos have caught up with attackers' speed.

Risky Biz News: Good news for the Capital One hacker, bad news for the former Uber CSO

Presented by

Catalin Cimpanu

News Editor

Prosecutors did add wire fraud charges to Sullivan's case in December 2021, related to the actual bug bounty payout to the hackers, but the charges were eventually dropped, leaving the core of the case to hinge on the Uber exec's obstruction of justice.

Sullivan, who was once a prosecutor in the same office that has now charged him, faces up to eight years in prison and $500,000 in fines. His sentencing hearing has not been scheduled yet.

But regardless of the fine minutiae of the case, the infosec industry has been seriously rocked by Sullivan's prosecution. Several opinion pieces published online argue that the case will either drive legitimate professionals away from CISO/CSO roles into lesser or completely different positions or industries, or will drive up salaries for those positions through the stratosphere, if security execs are now literally expected to fall on the legal sword following a security breach and all the legal shenanigans that often take place backstage at many organizations. Because we know they do.

The CIA is Too Stupid To Know It's Stupid

Presented by

Tom Uren

Policy & Intelligence

Google has released a new six-part documentary series profiling various Google security teams, including the Threat Analysis Group and Project Zero.

We've seen Episode 000 so far and it's great fun. It covers the 2010 "Operation Aurora" hack from Google's perspective (although dozens of other US companies were also affected). This was a watershed moment in cyber security history and it resulted in both a significant change in Google's security posture and its relationship with China. Google's remarkably frank and norm-shattering press release on the hack from back then will get you primed for viewing.

Hacktivist group Guacamaya which we mentioned in late September is having some impact in South America, particularly in Mexico. Despite that, the group told The Record that it was not particularly happy that journalists had focused on Mexican President López Obrador's health rather than on the environmental impacts of Tren Maya, an intercity railway megaproject.

Risky Biz News: China blocks several protocols used to bypass the Great Firewall

Presented by

Catalin Cimpanu

News Editor

The move to block these popular GFW circumvention tools comes two days after the Chinese government also blocked access to 1,147 Google domains. This includes both DNS- and SNI-based blocks, in China's greatest crackdown on Google services to date.

Telstra breach: Two weeks after Australian telco Optus disclosed a data breach, its main rival Telstra also disclosed a similar incident. However, as the company explained in a breach notification posted on its website, the incident is far smaller than the Optus breach and only involved the personal data of employees the company had in 2017.

Suspected ADATA breach: The operators of the RansomHouse data extortion group claimed early on Wednesday to have breached Taiwanese hardware vendor ADATA. If confirmed, this would mark the second time the company has been hacked, after it suffered a ransomware attack by the RagnarLocker gang last year.

Risky Biz News: Interpol arrests scammers linked to Nigerian "Air Lords" crime syndicate

Presented by

Catalin Cimpanu

News Editor

The arrests last week mark the first time Air Lords members were arrested on cybercrime-related charges.

Previously, past Interpol and FBI operations had gone after suspects linked to Black Axe, another Nigerian confraternity that devolved into a global crime syndicate.

While Black Axe members have been arrested for cybercrime activities as far back as 2015, international law enforcement started heavily concentrating on the group's cybercrime "division" last year, with several crackdowns in September 2021, October 2021, April 2022, and May 2022.

Risky Biz News: Twitch limits browser logins as it deals with massive bot attack

Presented by

Catalin Cimpanu

News Editor

Since such operations are usually carried out with automated tools like headless browsers, Twitch's security team initially responded to the attack by blocking all user logins from all browsers except the most recent versions of Chrome, Firefox, and Edge, which most of its "legitimate" userbase is likely using.

"There are organized groups trying to create botnets—bots that end up getting used for hate raids. There was one such mob very active recently," Twitch chief product officer Tom Verrilli said in a Twitter thread yesterday, trying to explain to users what was happening and why some of them couldn't log in.

"When that happens, we (1) close whatever hole they found, (2) clean up the bot accounts made. Because (1) takes time, we're temporarily restricting log-in to certain browsers," he added.

Australia's Equifax Moment

Presented by

Tom Uren

Policy & Intelligence

Hopefully, the stolen data has been destroyed, but Optusdata's statement isn't evidence that it actually has been. Optus confirmed that it had not paid a ransom.

So. Where to from here?

It is common in Australia to prove your identity when creating new accounts by providing "100 points" of identification, where various identity documents are assigned particular point values. A driver's licence might be worth 50-70 points and a credit card 30, for example. This was originally an anti-financial crime measure, but the practice has since spread broadly in Australia across all sorts of sectors.

Risky Biz News: Facebook exposes large network of (low quality) fake news sites pushing Russian propaganda

Presented by

Catalin Cimpanu

News Editor

In the meantime, the Australian government said that since driver's license numbers were stolen in the breach, anyone whose data was leaked in the Optus incident can apply for a free replacement.

Rust coming to Linux 6.1: The first components written in the Rust programming language are coming to the official Linux kernel with its upcoming v6.1 release, Linus Torvalds announced last week, speaking at the Kernel Maintainers Summit.

Chrome 106: A new version of the Google Chrome browser is out, including 20 security fixes.

Risky Biz News: XakNet "hacktivists" linked to APT28 and Russia's GRU intelligence service

Presented by

Catalin Cimpanu

News Editor

In addition, Mandiant also believes that XakNet has coordinated with another faux hacktivist group named KillNet, but has not formally linked the latter to the GRU just yet. The company has also not ruled out that either the GRU or other Russian intelligence services might be behind other newly formed pro-Russian hacktivist groups, such as FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling: JokerDPR), and RedHackersAlliance.

But Mandiant's findings are not surprising in the slightest for anyone familiar with APT28's history and its propensity for using "hacktivist" personas. The GRU's cyber division has previously posed as Anonymous Poland in a campaign to influence the country's politics through leaks, hacked WADA under the guise of a hacktivist group cheekily named FancyBear (a codename used for Russia's FSB hackers), invented the Guccifer 2.0 persona to leak data from the DNC hack, and used the CyberBerkut persona to leak data on Ukrainian politicians in the late 2010s.

As for a response from the hacktivist groups after Mandiant's report, only XakNet has addressed the topic, promising a reply in the coming days. Knowing XakNet as we do, it will probably be something lame and stupid.

Risky Biz News: EU data supervisor sues the EU and Europol for skirting data protection rules

Presented by

Catalin Cimpanu

News Editor

This EDPS investigation (and the current lawsuit) is a highly controversial topic among law enforcement officials. In an official response in January, Europol said that deleting this data will impact its "ability to analyze complex and large datasets at the request of EU law enforcement," which will hinder the EU's ability to detect and respond to many threats, such as terrorism, cybercrime, international drug trafficking, child abuse, and others, many of which involve transnational investigations at a very large scale.

In all honesty, this is one of those situations where both parties are right at the same time. You can't fight crime in the 21st century without some serious ML and data analysis, but you also can't leave a giant database of PII without any safeguards against institutional abuse. Sure, it's Europol. We're not talking about China or Russia, so the possibility of abuse is low. But it's also not zero, as there's always that rogue insider in every government agency.

Ask.fm 2020 breach: Earlier this week, an individual named "Data" began advertising the data of 350 million Ask.fm users on an underground cybercrime forum. Data told DataBreaches.net that he reached out to Ask.fm in 2020 about the breach but was ignored. The company appears to have never publicly disclosed the incident.