
briankrebs

@briankrebs@infosec.exchange

Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 Twitter: @briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/


briankrebs, to random

Wired has a good story from @kimzetter about how the ShinyHunters group got access to Ticketmaster's Snowflake cloud account.

"Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts."

https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/

briankrebs, to random

Alleged Boss of "Scattered Spider" Hacking Group Arrested in Spain

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/

briankrebs, to random

So, I guess we just need a constitutional amendment that says convicted felons can't hold the highest office in the land? Soonish? How hard would that be?

briankrebs, to random

Today's story: 'Operation Endgame' Hits Malware Delivery Platforms

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot.

https://krebsonsecurity.com/2024/05/operation-endgame-hits-malware-delivery-platforms/

briankrebs, to random

What a story: A former sheriff from Florida has received political asylum in Moscow, and is now a key player in Russia's disinformation operations against the West, the NYT reports.

"Working from an apartment crowded with servers and other computer equipment, Mr. Dougan has built an ever-growing network of more than 160 fake websites that mimic news outlets in the United States, Britain and France."

https://www.nytimes.com/2024/05/29/business/mark-dougan-russia-disinformation.html

briankrebs, to random

Haha, wow. Treasury just sanctioned 3 Chinese nationals for allegedly running 911S5, a giant botnet that was sold for about a decade as one of the most reliable and cheapest proxy services for routing your traffic through someone else's (infected) machine.

One of the guys sanctioned by Treasury today I named as the apparent head of 911S5 in China, in a 2022 deep dive on this venerated proxy service. 911S5 imploded less than a week later, saying it had been massively hacked and that all user data was wiped.

https://home.treasury.gov/news/press-releases/jy2375

https://krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/

https://krebsonsecurity.com/2022/07/911-proxy-service-implodes-after-disclosing-breach/

briankrebs, to random

Finally got around to reading an important piece from @anneapplebaum in The Atlantic this month. I'm glad I did, b/c it puts a tremendous amount of sheer madness into perspective.

THE NEW PROPAGANDA WAR
Autocrats in China, Russia, and elsewhere are now making common cause with MAGA Republicans to discredit liberalism and freedom around the world.

https://infosec.exchange/@anneapplebaum@journa.host/112394033190929944

https://www.theatlantic.com/magazine/archive/2024/06/china-russia-republican-party-relations/678271/?gift=hVZeG3M9DnxL4CekrWGK3xgKh4wbI9WqxWEqzvYfefo&utm_source=copy-link&utm_medium=social&utm_campaign=share

briankrebs, to random

Someone on Linkedin just praised a recent story and requested to connect, and in the same breath warned me that I'd somehow left clues in my writing that showed AI was used in the composition of the story. It's been a while since I wanted to reach through the interwebs and honk someone's nose.

briankrebs, to random

So the human $#!+weasel *ucker Carlson just aired an hour long video with Pavel Durov, the CEO of Telegram.

Mu*k's recent cozying up to Durov/Telegram while making gonzo claims about Telegram security and bashing Signal as somehow less secure starts to make more sense now.

briankrebs, to random

Just published the second-longest blog post in my 14 year career as an independent reporter.

This story is the result of a ridiculous amount of research. I hope you like it, because I learned tons reporting this, and there needs to be a broader conversation about some of the issues raised by this research. The lede:

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

briankrebs OP,

BTW if it teases the story more, the first longest story I wrote was the one about the unveiling of the authors of the Mirai DDoS malware

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

briankrebs OP,

Just added a very interesting wrinkle from the DNS guru Doug Madory over at Kentik, regarding the top sources and destinations for Stark Industries' traffic:

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark's network.

"Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477)," Madory said. "Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran."

briankrebs OP,

Malwarebytes has published a writeup on an extensive campaign that targets corporate users with malicious ads. Among the sites used as lures are fake Wall Street Journal and CNN websites that tell visitors they're required to install a WSJ or CNN-branded browser extension.

tl;dr: A key domain used in this campaign is hosted at Stark Industries Solutions.

https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/

briankrebs OP,

It has been brought to my attention that I left two important details about Stark out of my story.

1. Stark's contact details with RIPE, which manages Internet address space for Europe, the Middle East and Central Asia, include a choice "leet" designation and possibly a dig at RIPE: "SICK1337-RIPE"

Also, I can't believe I forgot to include the bit of movie trivia (I thought it was obvious): In the Marvel storyline, the head of Stark Industries, Tony, was an international arms dealer. Funny enough, Ivan Neculiti, or his brother Yuri who also runs Stark/PQ Hosting, consistently used the email address tony@stark.industries.

briankrebs OP,

BTW this was just posted by the pro-Russian DDoS group NoName, wherein they rub it in that people in Europe are just now figuring out that they've been launching DDoS from hosting providers in Europe, not in Russia.

briankrebs OP,

@bontchev I paid attention to them because the networks supporting them are also doing a lot more bad stuff than ddos vs UA.

briankrebs, to random

Ah, restaurants. One of the few businesses that actually answer the phone these days. Today, I was presented with what sounded like an automated (AI?) reservation assistant. No shaming. Just asking for someone who hasn't made a dinner reservation in a while: Is this common?

briankrebs OP,

Just realized this entire thread makes me sound old af. GET OFF MY LAWN!

briankrebs, to random

Today's story: Why Your Wi-Fi Router Doubles as an Apple AirTag

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/

briankrebs, to random

Best thing I heard all week, from @riskybusiness podcast, in re Telegram: "It's like having the Dark Web in your pocket." LOL https://risky.biz/RB748/

briankrebs, to random

Ruh roh

briankrebs OP,

The worst part about this is the least horrible thing is the disrespect for everything the flag stands for.

briankrebs OP,

I think we are owed a litmus test from all of the Supremes. i.e.: Do you believe the 2020 election was fairly decided? Fsck the presidential "debates." Let's have the Supremes all answer this question on the record.

briankrebs OP,

Here is the response NYT got from Justice Alito:

"I had no involvement whatsoever in the flying of the flag," Justice Alito said in an emailed statement to The Times. "It was briefly placed by Mrs. Alito in response to a neighbor's use of objectionable and personally insulting language on yard signs."

briankrebs, to random

I would like to be part of a modest democratic experiment wherein we only elect people who really don't want to hold the office, but are nonetheless very qualified and capable.

briankrebs OP,

Seems like there should be a set of decision trees that could accomplish this, or at least dramatically whittle down the possible candidate pool. Someone mentioned the term selective service and that sounds like a fairly apt description of what I mean.

briankrebs OP,

Also, probably some latter part of this process would involve a battery of psychological tests, mainly just to minimize the chances that our country is run by psychopaths, narcissists, etc.

briankrebs, to random

TIL you can quickly find your own posts by including "from:me" in the search box and then a key word or phrase you're searching for. Yes, it took me this long to figure that out.

briankrebs, to random

Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit's leader "LockBitSupp" claims the feds named the wrong guy, saying the charges don't explain how they connected him to Khoroshev. This post examines the activities of Khoroshev's many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.

https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/

briankrebs, to random

Reason #2,391 why revisiting security assumptions is always a good idea.

[Bimi] No cryptographic connection between VMC and DKIM key

https://mailarchive.ietf.org/arch/msg/bimi/Ba3jFfJ8K6ic7qg4DzPsIsGW5UY/

My favorite part:

"I guess some may consider what I just said as an unimportant or a merely theoretical issue, so I would like to illustrate it with an example. Let's take the domain entrust.com. It has a DKIM key configured at "dkim._domainkey.entrust.com". The TXT record is the following:

"v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"

This is a 1024 bit RSA key, which is not up to modern standards. But breaking 1024 bit RSA is still only feasible for very powerful attackers. However, this key has another problem: it is vulnerable to the Debian OpenSSL bug (CVE-2008-0166). It is trivially possible to find the private key (you can use my tool badkeys - https://badkeys.info/ - to do that):

https://github.com/badkeys/debianopenssl/blob/main/rsa1024/ssl/le32/25731-rnd.key"
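An added example, not code from the post or from the IETF message it quotes: it parses the DKIM record quoted above with only the standard library, walks the DER of the public key by hand to read the RSA modulus size, and flags anything under 2048 bits. It assumes the record text is all you have; the Debian weak-key check itself needs the badkeys data set and is not reproduced here.

```python
"""Audit a DKIM TXT record for RSA key size.

Added example: not code from the post or the IETF thread it quotes. Only
the standard library is used; the DER walk below is a minimal hand-written
SubjectPublicKeyInfo parser, not a library call.
"""
import base64

# Sample input: the entrust.com DKIM record quoted in the post, joined
# onto one line (the p= value is the key exactly as shown there).
SAMPLE_RECORD = (
    "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvo"
    "LU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQ"
    "fQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB+"
    "+7QORwIDAQAB"
)


def parse_dkim_tags(record: str) -> dict:
    """Split an RFC 6376 tag-list ('v=DKIM1; k=rsa; p=...') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        # DNS may hand back the record as several strings; drop any whitespace
        tags[name.strip()] = "".join(value.split())
    return tags


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag and length; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus."""
    tag, pos, _ = _read_tlv(spki_der, 0)                  # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, alg_end = _read_tlv(spki_der, pos)              # AlgorithmIdentifier
    tag, bs_start, bs_end = _read_tlv(spki_der, alg_end)  # BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    inner = spki_der[bs_start + 1:bs_end]                 # skip unused-bits byte
    _, pos, _ = _read_tlv(inner, 0)                       # RSAPublicKey SEQUENCE
    tag, m_start, m_end = _read_tlv(inner, pos)           # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(inner[m_start:m_end], "big").bit_length()


def audit_dkim_record(record: str, min_bits: int = 2048) -> dict:
    """Return key type, modulus size and whether it is below min_bits."""
    tags = parse_dkim_tags(record)
    key_type = tags.get("k", "rsa")          # RFC 6376: k defaults to rsa
    result = {"key_type": key_type, "bits": None, "weak": False}
    if key_type != "rsa" or not tags.get("p"):
        return result                        # revoked key (empty p) or non-RSA
    result["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"]))
    result["weak"] = result["bits"] < min_bits
    return result


if __name__ == "__main__":
    print(audit_dkim_record(SAMPLE_RECORD))
```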

briankrebs, to random

So, back in 2016 I wrote a story about Dell customers getting inundated with spam spoofing the company and referencing the recipient's real name and actual Dell service tag ID for the recipient's computer. Dell responded by asking customers who receive these messages to report them.

https://krebsonsecurity.com/2016/02/dell-to-customers-report-service-tag-scams/

Today, Dell disclosed a breach involving "a Dell portal" which contained "customer names, physical addresses, and Dell hardware and order information, including service tag, item description, date of order and related warranty info."

I've asked Dell when they discovered this and how long they believe the intruders had access.

briankrebs, to random

Wow, the US govt finally made good on its doxing threat against the Lockbit ransomware group administrator LockbitSupp. This just released by OFAC:

SPECIALLY DESIGNATED NATIONALS LIST UPDATE
The following individual has been added to OFAC's SDN List:
KHOROSHEV, Dmitry Yuryevich (a.k.a. KHOROSHEV, Dmitrii Yuryevich; a.k.a. KHOROSHEV, Dmitriy Yurevich; a.k.a. YURIEVICH, Dmitry; a.k.a. "LOCKBITSUPP"), Russia; DOB 17 Apr 1993; POB Russian Federation; nationality Russia; citizen Russia; Email Address khoroshev1@icloud.com; alt. Email Address sitedev5@yandex.ru; Gender Male; Digital Currency Address - XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z; Secondary sanctions risk: Ukraine-/Russia-Related Sanctions Regulations, 31 CFR 589.201; Passport 2018278055 (Russia); alt. Passport 2006801524 (Russia); Tax ID No. 366110340670 (Russia) (individual) [CYBER2].

briankrebs, to random

Basically all of the speaking requests I've received over the last six months, all any of them want to talk about is AI, b/c everyone is trying to position themselves as being the perfect partner to usher companies through the madness. I'm probably not going to be asked to do speaking much longer, b/c I find I am fairly hawkish on all the AI hype.

I guess I come from a pretty old-fashioned point of view on technology vs security, which is basically that the more you complexify something, the harder it is to secure. And most of the AI visions that companies are espousing would increase the complexity of security efforts by several orders of magnitude. The issue of data governance is just one small microcosm of that (one in which most fail at miserably already).

I think it's also safe to predict that first movers here (beyond the now entrenched big ones) are going to get clobbered by regulation soon.

briankrebs, to random

Random PSA: If you own a motor vehicle that has a spare tire, it's a good idea to check every once in a while that the spare actually has air in it enough to support the car. Had to get the spare out from under my truck (a hugely complicated maneuver that would be really unfun to do for the first time in an emergency), and found it had about 10 percent of the necessary air.

If you can't be bothered to check the pressure once a year or so, better keep an air pump in the trunk as well.

briankrebs, to random

Researchers at Leviathan Security have released some interesting findings that illustrate why your VPN service may not be as secure as it claims.

From the story:

"VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they've discovered it's possible to abuse an obscure feature built into the DHCP protocol so that other users on the local network are forced to connect to a rogue DHCP server.

"Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway," Leviathan researchers Lizzie Moratti and Dani Cronce wrote. "When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.""

More here: https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

briankrebs, to random

Nothing like spending $1700 to fix an obnoxious noise in your car, only to hear the sound again when you're halfway home from the dealership.

briankrebs, to random

What a surprise.

"The auditor for former president Donald Trump's media company was charged with "massive fraud" Friday by the Securities and Exchange Commission, which accused the firm of being a "sham audit mill" whose failures put investors at risk."

https://www.washingtonpost.com/technology/2024/05/03/trump-media-auditor-borgers-suspended-permanently/

briankrebs, to random

It's always amazed me that ID.me, which you have to use in order to interact w/ the IRS online these days, has a top level domain from the country of Montenegro. uBlock Origin says they're injecting tracking links from Italy's TLD when you log in at the irs.gov website.

What's next? Cookies from Colombia? AI from Anguilla?

briankrebs OP,

@alex @eb IDK anything about Montenegrin IT capabilities, so I'll take your word for it. But it's worth pointing out that poorly secured or maintained IT resources can be commandeered to do crazy stuff. So your statement fills me with more dread. Thank you.

briankrebs OP,

To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there.

briankrebs OP,

How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop.

Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.

briankrebs, to random

Dropbox has disclosed a cybersecurity incident, in filing with the SEC:

https://www.board-cybersecurity.com/incidents/tracker/20240501-dropbox-inc-cybersecurity-incident/#8-k-filed-on-2024-05-01

On April 24, 2024, Dropbox, Inc. ("Dropbox" or "we") became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users' accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.

briankrebs, to random

Scenario: The (non chaotic evil) sysadmins of the world band together to go on strike. What's on their list of demands?

*Correct answers optional.

briankrebs, to random

Say what you will about Tesla, but they were the only car company who said they both require a court-ordered warrant before sharing your vehicle's location data AND tell customers about demands for their data.

This finding comes from the office of Sen. Ron Wyden, which asked the association representing automakers how their members respond to law enforcement requests for location information collected from internet-connected cars and trucks.

briankrebs, to random

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/

Even though Julius "Zeekill" Kivimaki has a cybercrime rap sheet thicker than a dictionary, he will end up serving roughly half that time, because all that stuff he did before he turned 18 doesn't count toward first-time offender status.

BTW, the CEO of the now-bankrupt psychotherapy practice was prosecuted as well (database credentials "root/root") but received a suspended sentence.

briankrebs, to random

Well this has been a long time coming: The FCC today levied fines totaling nearly $200 million against the four major carriers -- including AT&T, Sprint, T-Mobile and Verizon -- for illegally sharing access to customers' location information without consent.

Some highlights: "The FCC's findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers."

..."The fine amounts vary because they were calculated based in part on each day that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days."

More here: https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/

briankrebs, to random

One of these days I'm going to sit down and catalog all the times I've been an IoC.

This is from a CircleID story about the origins of the Glupteba botnet, which as Internet threats go is about as ubiquitous and long-lived as they come.

https://circleid.com/posts/20240425-digging-deep-to-examine-the-roots-of-the-glupteba-uefi-bootkit

More on maybe why my name keeps showing up in Glupteba stuff:

https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/

https://krebsonsecurity.com/2022/12/judge-orders-u-s-lawyer-in-russian-botnet-case-to-pay-google/

briankrebs, to random

See, the problem is we need MORE guns in school.

"Tennessee passes bill to let teachers carry guns, a year after mass shooting"

https://www.washingtonpost.com/nation/2024/04/23/tennessee-bill-arming-teachers-guns-passes/
