Metacurity

Foreign Actors Attacked U.S. Courts' Document System in 2020 Causing Security Failure

German police identify alleged energy and water company hacker, US MSP suffers cyberattack, Questions surround Sky Mavis CEO's pre-hack transactions, 'Proxy service' exposes user database, more

Cynthia Brumfield
Jul 29

At a House Judiciary Committee hearing on oversight of the Justice Department's National Security Division (NSD), committee chair Jerrold Nadler (D-NY) told fellow lawmakers that "three hostile foreign actors" attacked the U.S. Courts' document filing system as part of a breach in early 2020, causing a "system security failure."

Nadler said the committee learned in March about the "startling breadth and scope" of the breach, which was separate from the SolarWinds compromise disclosed in late 2020. Assistant Attorney General for National Security Matthew Olsen testified that NSD is "working very closely with the judicial conference and judges around the country to address this issue" and committed to updating the committee as the investigation progresses. (Maggie Miller / Politico)

Related: Reuters, Courthouse News Service, iTnews - Security, WashingtonExaminer.com, The Record by Recorded Future, Bloomberg, Cyberscoop, ZDNet, NextGov, US Courts, IT Pro, CyberNews, The Register

Gregg Smith (@RanchHand0351), July 28th 2022:
"FUCKERY for $1000 Alex. - In 2020 they breached the US Federal Courts case management system. - Who is the UAE? - Yes"
Linked: "Justice Department investigating data breach of federal court system" (politico.com)

Hours before a Senate Banking Committee hearing on "scams and risks in crypto and securities markets," committee chairman Sherrod Brown (D-OH) sent nearly identical letters to Apple and Google asking how the two companies vet, and ultimately approve, trading apps that appear to enable cryptocurrency fraud.

One such app, MetaTrader 5, which remains available in both companies' app stores, has been linked to alleged cryptocurrency scams. One California-based victim, whose identity Forbes is withholding at his request, said that after losing $1.2 million late last year through a scam involving purported trades on MetaTrader, he had suicidal thoughts. Neither Apple nor Google immediately responded to a request for comment. (Cyrus Farivar / Forbes)

Related: The Block, Cointelegraph.com, Engadget, AppleInsider, 9to5Mac, iThinkDifferent, Slashdot, Banking.senate.gov

In the hours before Sky Mavis, the startup behind the video game Axie Infinity, announced it had suffered a devastating hack and froze user assets, a digital wallet belonging to its chief executive officer and co-founder, Trung Nguyen, made a large transaction that included about $3 million worth of Axie Infinity's primary token, AXS.

Kalie Moore, a company spokeswoman, said Nguyen had been working to shore up the company's finances during the crisis and had to do so in a way that was not obvious to the broader crypto market, for the good of the overall Axie Infinity economy. By moving AXS to the Binance cryptocurrency exchange, Moore said, the company could provide liquidity to its users as it restored their access to funds via Binance.

An analysis by a researcher known only by the screen name Asobs found that other Sky Mavis employees made large transactions during the same period in which Nguyen's wallet (address beginning 0x113c) moved out its tokens. Moore said the company would not confirm that those wallets belonged to Sky Mavis employees and described any suggestion that they did as speculation, noting that contractors and business partners may also receive tokens. (Joshua Brustein / Bloomberg)

Related: Slashdot, The Block, CoinDesk, Decrypt, Ethereum World News

Trung Nguyen (@trungfinity), July 28th 2022:
"As many of you know, I prefer to operate behind the scenes, but there is a story that dropped today that I want to address with the community, personally."

After years of investigation, the Baden-Württemberg State Criminal Police Office in Germany has identified one of the alleged perpetrators of a wide-ranging espionage operation that targeted more than 150 companies, particularly power and wastewater utilities.

The suspect, Pawel A., is said to belong to the hacker group known as Berserk Bear or Dragonfly, which U.S. authorities say has ties to Russia's FSB intelligence service. Pawel A. is accused of hacking the network of Netcom BW, a subsidiary of the EnBW power group, in the summer of 2017. In September 2021, more than four years later, the Federal Prosecutor General in Karlsruhe obtained an arrest warrant. (Hakan Tanriverdi and Florian Flade / Tagesschau)

Gabby Roncone (@gabby_roncone), July 28th 2022:
"awesome reporting by @hatr as always - and exciting to see an arrest warrant out for a member of temp.isotope 👀"

Quoting hakan (@hatr):
"🇩🇪 federal prosecutor issued arrest warrant against Pawel A., member of hacking group "Berserk Bear". They tried to infiltrate critical infrastructure with special focus on power/wastewater utilities. Short thread, including phishing doc w/ @FlorianFlade https://t.co/NHq3HqaOKZ https://t.co/suJ13GuNXj"

The Cybersecurity and Infrastructure Security Agency (CISA) signed a Memorandum of Cooperation (MoC) with Ukraine's State Service of Special Communications and Information Protection (SSSCIP), extending an existing relationship between the two agencies.

Under the agreement, the two organizations will exchange information and best practices on cyber incidents and share technical information about critical infrastructure security in real time, said Oleksandr Potii, deputy chairman of the SSSCIP. The MoC also authorizes the two agencies to conduct joint exercises and training sessions. (Danny Bradbury / Infosecurity Magazine)

Related: CISA, The Record

Microleaves, a proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in its website that exposed its entire user database.

The service, which is being rebranded as "Shifter.io," says it has leased 20-30 million IP addresses so that each customer's address changes every five minutes, leading some to speculate that Microleaves was simply a botnet resold as a commercial proxy service. The data exposed in the breach shows instead that the service has a long history of being supplied with new proxies by affiliates who are paid to distribute the software by any means available, including secretly bundling it with other titles.

Shifter.io's website also exposed information about its customer base and most active users, indicating that Shifter has taken in more than $11.7 million in direct payments, although it is unclear how far back those payment records go or how complete they are. Most Shifter customers who spent more than $100,000 on the proxy service appear to be digital advertising companies, including some in the United States. (Brian Krebs / Krebs on Security)

Kevin Kosh (@kidko92), July 28th 2022:
"Micro-aggression: @briankrebs exposes an enterprise proxy service when a breach of customer data reveals the extent to which the service used affiliates and bundling to resemble more of "a botnet which was being resold as a commercial proxy service.""
Linked: "Breach Exposes Users of Microleaves Proxy Service" (krebsonsecurity.com)

U.S. managed service provider NetStandard suffered a cyberattack that forced the company to shut down its MyAppsAnywhere cloud services, which consist of hosted Dynamics GP, Exchange, SharePoint, and CRM services.

The company detected signs of the attack on Tuesday morning and quickly shut down the cloud services to prevent it from spreading. In what may be a coincidence, Huntress Labs CEO Kyle Hanslovan tweeted a screenshot on July 26 of a threat actor on a criminal forum looking for partners to attack a managed service provider. (Lawrence Abrams / Bleeping Computer)

Related: The Record, Reddit

Kyle Hanslovan (@KyleHanslovan), July 26th 2022:
"Anyone want to guess what this exploit[.]in forum post is about? 💀 Hint: it involves a Managed Service Provider 🤬" [image]

In a write-up for MANRS (Mutually Agreed Norms for Routing Security), a global initiative to improve the security of internet routing, Internet Society senior internet technology manager Aftab Siddiqui said that Russia's Rostelecom began announcing routes for part of Apple's address space on Tuesday, a practice known as BGP (Border Gateway Protocol) hijacking.

Siddiqui noted that Rostelecom (AS12389) has been involved in previous BGP hijackings and stressed that network operators should implement effective route filtering based on reliable information, such as RPKI and IRR data, to stop such incidents. Apple did not respond to a request for comment. (Thomas Claburn / The Register)

Related: Apple Insider, Cybernews, MANRS
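The filtering Siddiqui calls for is, in its most reliable form, RPKI Route Origin Validation (RFC 6811): a router compares each announcement's prefix and origin AS against signed Route Origin Authorizations (ROAs) and drops announcements no ROA permits. The block below is an added example and is not code from the MANRS write-up or from any operator; it implements the RFC 6811 decision procedure in plain Python. The ROAs and announcements are constructed: the prefixes come from the documentation ranges (RFC 5737, RFC 3849) and the legitimate holder AS64496 and the unrelated AS64511 come from the documentation ASN range (RFC 5398); only AS12389 is taken from the page, and nothing here claims which prefixes Apple actually announces or whether it had ROAs for them.

```python
"""RPKI Route Origin Validation (RFC 6811) over constructed BGP announcements.

Added example, not from the MANRS write-up. All prefixes and ASNs except
AS12389 are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific prefix down to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'
    following RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA covers this prefix at all
    for roa in covering:
        # A matching ROA has the same origin AS and permits this prefix length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, but the origin AS or prefix length is not authorised:
    # the shape of a hijack or a too-specific leak.
    return "invalid"


def policy(state: str) -> str:
    """Common 'drop invalid' policy: reject 'invalid', accept 'valid' and
    'not-found' (not-found is still accepted because ROA coverage of the
    global table is incomplete)."""
    return "reject" if state == "invalid" else "accept"


def filter_announcements(announcements: Iterable[Tuple[str, int]],
                         roas: Iterable[ROA]) -> List[Tuple[str, int, str, str]]:
    """Return (prefix, origin_asn, validation_state, action) per announcement."""
    roas = list(roas)
    out = []
    for prefix, origin_asn in announcements:
        state = validate_origin(prefix, origin_asn, roas)
        out.append((prefix, origin_asn, state, policy(state)))
    return out


# Constructed ROA set: hypothetical holder AS64496 has signed these authorisations.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed announcements in the shape of the incident: the legitimate origin,
# then AS12389 announcing the same prefixes, plus a too-specific prefix from the
# legitimate origin and a prefix with no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 12389),
    ("198.51.100.0/25", 64496),
    ("203.0.113.0/24", 64511),
    ("2001:db8:1::/48", 64496),
    ("2001:db8::/32", 12389),
]

if __name__ == "__main__":
    for prefix, asn, state, action in filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<20} AS{asn:<6} {state:<10} {action}")
```

With ROAs in place, an announcement of a covered prefix from any other origin AS, including AS12389, is classified "invalid" and dropped by every neighbour that validates; the "not-found" case is the gap that still lets hijacks of unsigned space through, which is why MANRS asks operators both to filter and to sign ROAs for their own prefixes.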

Kansas City police and the U.S. Department of Justice are using a controversial "geofence" warrant to obtain access to Google's vast pool of location data, which they hope will help them prosecute two men for a series of crimes in 2015, including murder.

The two men, Shawn Burkhalter and Joshua Nesbitt, are suspected of involvement in the crimes. The FBI states in its warrant for the geofence location data that "Google maintains these records indefinitely for accounts created before June 2020, unless the user deletes it or opts to automatically delete their location history and web and app activity after three or eighteen months."

Google confirms that it no longer keeps a user's historical location by default, but that anyone who had Location History turned on before mid-2020 must actively enable auto-delete for Google to erase that data. (Thomas Brewster / Forbes)

Thomas Brewster (@iblametom), July 28th 2022:
"NEW - In Kansas City, cops are trying to pin two men for a 2015 murder and have them executed. They've turned to a controversial tool known as a Google geofence warrant. With that, Google's location data could mean the difference between life and death."
Linked: "Cops Turn To Google Location Data To Pursue A Death Penalty For 2015 Murder" (forbes.com)

After a six-month investigation of allegations that Israeli police used NSO Group's Pegasus spyware against the country's citizens, an inquiry panel that included two former members of the Shin Bet and one retired Mossad member concluded that all interceptions of communications between computers initiated by the police were within the police's legal authority.

The panel's findings, presented to Attorney General Gali Baharav-Miara, said that although the police overstepped the authority granted by the courts in a small number of cases, there was no mass infection of phones with Pegasus or its more limited version, Saifan. (Tova Tzimuki / Ynet News)

Related: Haaretz, Hamodia


Anne Neuberger, White House deputy national security advisor (DNSA) for cyber and emerging technologies, traveled to Seoul, Republic of Korea, to discuss ways to enhance the two countries' cooperation in countering cybercrime by actors such as North Korea.

An NSC spokesperson noted that President Biden and South Korean President Yoon Suk-yeol had agreed to expand their "bilateral cooperation on regional and international cyber issues and confront cyber threats, including from the Democratic People's Republic of Korea.” (Byun Duk-kun / Yonhap News)

Related: White House, KBS World

A Twitter user with the handle @pancak3stack was locked out of his account for posting a screenshot of a tweet, sent earlier that day, containing the name, nickname, date of birth, and passport details of the alleged developer of Predator the Thief, credential-stealing malware dating back to 2018.

Then, after he launched a Substack newsletter called Who's Behind The Keyboard?, dedicated to doxxing people allegedly associated with cybercrime, Substack removed the newsletter entirely. Pictures of the suspects in the newsletter appear to be taken from social media sites, showing them smiling into the camera or posing alongside expensive cars. The information is "all open-source," pancak3 said, noting that both the Conti leaks and the much larger TrickBot leaks helped "tremendously." (A.J. Vicens / Cyberscoop)

pancak3 (@pancak3stack), July 28th 2022:
"For those who were following the Substack newsletter, it's gone. They removed, not just a single post, but the whole account." [image]

Hong Kong's government rejected a security audit by Polish cybersecurity firm 7ASecurity of the city's COVID-19 app, LeaveHomeSafe, which found flaws that could expose sensitive user information.

7ASecurity said it found vulnerabilities in the software that could allow attackers to access ID numbers, visit records, or vaccination and testing information. The researchers said they shared their work, funded by the U.S. non-profit Open Technology Fund, in June with the app's developer, Hong Kong-based Cherrypicks, a subsidiary of Netdragon Websoft Holdings Ltd. The government, however, said there had never been a security or privacy incident involving LeaveHomeSafe, which has undergone third-party assessments. (Sarah Zheng / Bloomberg)

Related: South China Morning Post, Radio Free Asia, Hong Kong Free Press, Gizmodo

Innocuous-seeming "wrong number" texts are in fact scams that ultimately lead to pitches for fraudulent cryptocurrency investments and other schemes to bilk people out of money.

Erin West, the deputy district attorney in charge of the high technology crimes unit in Santa Clara County, California, said "accidental" text messages have become one of the most common new ways to lure people into the same crypto scams her office has tracked for several years. The Federal Communications Commission has warned about spam and scam texts, saying that ignoring them is the most effective way to avoid being scammed. (Kevin Collier / NBC News)

Related: FCC.gov

AJ Vicens (@AJVicens), July 29th 2022:
"Nice, @kevincollier. I had one yesterday where I tried to flip the script and just asked them for money. The convo ended pretty quick, but not before taking a weird turn:" [two images]

Quoting Tom Namako (@TomNamako):
".@kevincollier struck up a conversation with someone sending those weird random texts: https://t.co/9B839XFC8r via @nbcnews"

Image by Sang Hyun Cho from Pixabay

© 2022 DCT Associates