Category Archives: Hacker

AT&T Says Criminals Stole Phone Records Of “Nearly All” Customers



U.S. phone giant AT&T confirmed Friday that it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers, a company spokesperson told TechCrunch.

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages, such as who contacted whom by phone or text, during a six-month period between May 1, 2022 and October 31, 2022.

AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data includes call records of customers with phone service from other cell carriers that rely on AT&T’s network, the company said.

AT&T said the stolen data “does not contain the content of calls or texts,” but does include the calling and texting records that an AT&T phone number interacted with during the six-month period, as well as the total count of a customer’s calls and texts and the call durations. The data does not include the time or date of calls and texts, AT&T said.
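What records of this shape reveal even without content or timestamps, as an added illustration rather than anything from AT&T or the reporting above: the script below builds a contact graph from rows that carry only a pair of numbers, an interaction count and an aggregate duration (the fields AT&T said the stolen data contained) and then ranks a subscriber’s closest contacts, finds mutual contacts, and walks outward to infer a social circle. The records and numbers are constructed (555 exchange) and the “close contact” threshold is an assumption.

```python
"""Contact-graph reconstruction from call/text metadata.

Added example, not AT&T's data or tooling. SAMPLE_RECORDS is constructed:
(number_a, number_b, interaction_count, total_seconds). There is no content
and no timestamp, matching what AT&T said the stolen records contained.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, int, int]
Graph = Dict[str, Dict[str, Tuple[int, int]]]

# Constructed sample data; the 555 numbers are fictitious.
SAMPLE_RECORDS: List[Record] = [
    ("+15550100001", "+15550100002", 42, 7300),
    ("+15550100001", "+15550100003", 3, 120),
    ("+15550100002", "+15550100003", 18, 2400),
    ("+15550100004", "+15550100001", 1, 30),
    ("+15550100002", "+15550100005", 60, 9000),
    ("+15550100005", "+15550100006", 7, 900),
]

MIN_CLOSE_COUNT = 5  # assumption: fewer interactions than this is treated as incidental


def build_graph(records: List[Record]) -> Graph:
    """Undirected weighted graph: number -> {peer: (count, seconds)}.

    Direction is dropped on purpose: the records say who interacted with whom,
    not who initiated, and the relationship is what matters for analysis.
    """
    graph: Graph = defaultdict(dict)
    for a, b, count, seconds in records:
        for x, y in ((a, b), (b, a)):
            prev_count, prev_secs = graph[x].get(y, (0, 0))
            graph[x][y] = (prev_count + count, prev_secs + seconds)
    return graph


def top_contacts(graph: Graph, number: str, n: int = 3):
    """Strongest relationships for one number, ranked by interaction count."""
    peers = graph.get(number, {})
    return sorted(peers.items(), key=lambda kv: kv[1][0], reverse=True)[:n]


def mutual_contacts(graph: Graph, a: str, b: str) -> List[str]:
    """Numbers that both a and b interacted with: shared acquaintances."""
    return sorted(set(graph.get(a, {})) & set(graph.get(b, {})))


def infer_circle(graph: Graph, seed: str, min_count: int = MIN_CLOSE_COUNT) -> List[str]:
    """Breadth-first walk over 'close' edges (count >= min_count) from seed.

    Returns everyone reachable through a chain of frequent contacts, which is
    the kind of association an analyst can draw from metadata alone.
    """
    seen = {seed}
    frontier = [seed]
    while frontier:
        nxt = []
        for node in frontier:
            for peer, (count, _secs) in graph.get(node, {}).items():
                if count >= min_count and peer not in seen:
                    seen.add(peer)
                    nxt.append(peer)
        frontier = nxt
    seen.discard(seed)
    return sorted(seen)


if __name__ == "__main__":
    g = build_graph(SAMPLE_RECORDS)
    subject = "+15550100001"
    print("top contacts:", top_contacts(g, subject))
    print("mutual with +15550100002:", mutual_contacts(g, subject, "+15550100002"))
    print("inferred circle:", infer_circle(g, subject))
```

The point of the walk is that a handful of rows per subscriber is enough to place that subscriber inside a web of relationships; content would add detail, but the relationships themselves are already in the metadata.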

ABC News reported AT&T has announced that the company believes a hacker stole records of calls and texts from nearly all of AT&T’s wireless customers, according to a financial filing from the company.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T said in its statement released early Friday morning. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.”

AT&T says it has taken “additional cybersecurity measures” in response to this incident, including closing off the point of unlawful access.

CNN reported the call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecom company revealed Friday.

AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1 and October 31, 2022.

“We have an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners,” the FCC said on social media platform X. 

AT&T spokesperson Alex Byers told CNN that it was an entirely new incident that had “no connection in any way” to another incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.

In my opinion, it is good that AT&T scrambled to stop the hacker from gaining even more data. It is unfortunate that this happened, and I expect the hacker to face some kind of legal charges eventually.


New York Times Source Code Stolen From Exposed GitHub Token



Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company’s GitHub repositories in January 2024, The Times confirmed to BleepingComputer.

As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data.

“Basically all source code belonging to The New York Times Company, 270GB,” reads the 4chan forum post. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”

In a statement to BleepingComputer, The Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity” – The New York Times
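The failure mode here is a platform credential that ended up somewhere it could be read. A pre-commit or repository scan for GitHub token formats is the cheapest control against that, and the script below is an added example of one (it is not The Times’ tooling and not GitHub’s own secret scanning). It matches GitHub’s documented token prefixes, then applies a Shannon-entropy gate so that obvious placeholders such as ghp_xxxx… are not reported; the entropy threshold is an assumption. The sample file content is constructed and the token in it is fake.

```python
"""Scan text for leaked GitHub credentials.

Added example (not The New York Times' or GitHub's code). Patterns cover
GitHub's documented prefixes: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36
alphanumerics, and github_pat_ followed by 82 [A-Za-z0-9_] characters.
The entropy threshold is an assumption to drop placeholder values.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List

TOKEN_PATTERNS = {
    # group(1) is the random part; the prefix carries no entropy
    "github_classic_or_oauth": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_([A-Za-z0-9]{36})\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_([A-Za-z0-9_]{82})\b"),
}
MIN_ENTROPY_BITS = 3.0  # assumption: real tokens score well above this, placeholders near 0


@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep prefix and tail for triage; never log the full secret."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                if shannon_entropy(m.group(1)) < MIN_ENTROPY_BITS:
                    continue  # looks like a placeholder, not a live credential
                findings.append(Finding(kind, line_no, redact(m.group(0))))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: one fake but well-formed token, one placeholder, one URL.
SAMPLE_TEXT = (
    "# constructed .env-style file\n"
    "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop\n"
    "PLACEHOLDER=ghp_" + "x" * 36 + "\n"
    "API_URL=https://api.github.com\n"
)


if __name__ == "__main__":
    # usage: python scan.py file1 file2 ...  (no args: scan the constructed sample)
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_text(SAMPLE_TEXT)
    for f in results:
        print(f"{f.kind} at line {f.line_no}: {f.redacted}")
    sys.exit(1 if results else 0)
```

A non-zero exit when anything is found lets the script sit in a pre-commit hook or CI step; the redacted form is what should reach logs, since the scanner’s own output is otherwise another place the token leaks.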

Mashable reported that the controversial image board 4Chan is back in the news this week after two big data dumps were posted on the site.

Now, it appears that the New York Times Company is the largest establishment to have its data leaked on 4Chan over the past week. The data allegedly includes source code to its viral Wordle game.

Mashable reported that X user @vxunderground appears to be the first to notice that 270GB of internal data connected to the New York Times was posted online. The data contains the company’s internal source code and consists of more than 5,000 source code repositories. The leak is made up of a total of roughly 3,600,000 files.

According to a text file shared by the hacker, 6,223 folders were stolen from the New York Times’ GitHub repository. This includes internal company IT documents and source code, which includes the popular word game that the Times acquired in 2022, Wordle.

The Register reported a 4chan user claims to have leaked 270GB of internal New York Times data, including source code and other web assets, via the notorious image board.

According to the unnamed netizen, the information includes “basically all source code belonging to The New York Times Company,” amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files were shared by the poster on 4chan.

Of the files listed – whose names indicate everything from blueprints to Wordle to email marketing campaigns and ad reports – “less than 30” repositories are “encrypted,” the 4channer claimed. Again, take this with a healthy dose of salt considering the source: an unnamed 4chan user.

In my opinion, stealing files and data from a large company’s GitHub is not a good idea. It is entirely possible that the New York Times may have already hired someone to find the hacker who did this.


US Dismantles Botnet Used For Cyberattacks



The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator, in Singapore, Bleeping Computer reported.

“Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet – likely the world’s largest botnet ever,” said FBI Director Christopher Wray.

“We arrested its administrator, Yunhe Wang, seized infrastructure and assets, and levied sanctions against Wang and his co-conspirators.”

As early as 2011, Wang and his conspirators pushed malware onto victims’ devices using multiple malicious VPN applications bundling proxy backdoors. The VPN apps that added compromised devices to the 911 S5 residential proxy service include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN.

The U.S. Department of Justice posted a press release:

A court-authorized international law enforcement operation led by the U.S. Justice Department disrupted a botnet used to commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

As part of this operation, YunHe Wang, 35, a People’s Republic of China national and St. Kitts and Nevis citizen-by-investment, was arrested on May 24 on criminal charges arising from his deployment of malware and the creation and operation of a residential proxy service known as “911 S5.”

According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.

“The Justice Department-led operation brought together law enforcement partners from around the globe to disrupt 911-S5, a botnet that facilitated cyber-attacks,” said Attorney General Merrick B. Garland. “As a result of this operation, YunHe Wang was arrested on charges that he created and operated the botnet and deployed malware. This case makes clear that the long arm of the law stretches across borders and into the deepest shadows of the dark web, and the Justice Department will never stop fighting to hold cybercriminals to account.”…

Ars Technica reported that the U.S. Treasury Department has sanctioned three Chinese nationals for their involvement with a VPN-powered botnet with more than 19 million residential IP addresses that they rented out to cybercriminals to obfuscate their illegal activities, including COVID-19 scams and bomb threats.

The criminal enterprise, the Treasury Department said Tuesday, was a residential proxy known as 911 S5. Such services provide a bank of IP addresses belonging to everyday home users for customers to route Internet connections through. When accessing a website or other Internet service, the connection appears to originate with the home user.

In my opinion, it is good that the U.S. Department of Justice took action against YunHe Wang and others, and prevented them from engaging in these kinds of shenanigans. 


An 18-Year-Old Hacker Sentenced To An Indefinite Hospital Order



An 18-year-old hacker who leaked clips of a forthcoming Grand Theft Auto (GTA) game has been sentenced to an indefinite hospital order, BBC reported.

Arion Kurtaj from Oxford, who is autistic, was a key member of international gang Lapsus$. The gang’s attacks on tech giants including Uber, Nvidia, and Rockstar Games cost the firms nearly $10m. 

According to the BBC, the judge said Kurtaj’s skills and desire to commit cyber-crime meant he remained a high risk to the public. He will remain at a secure hospital for life unless doctors deem him no longer a danger. 

The court heard that Kurtaj had been violent while in custody with dozens of reports of injury or property damage. Doctors deemed Kurtaj unfit to stand trial due to his acute autism so the jury was asked to determine whether or not he committed the alleged acts – not if he did so with criminal intent.

A mental health assessment used as part of the sentencing hearing said he “continued to express the intent to return to cyber-crime as soon as possible. He is highly motivated.”

The jury was told that while he was on bail for hacking Nvidia and BT/EE and in police protection at a Travelodge hotel, he continued hacking and carried out his most infamous hack. Despite having his laptop confiscated, Kurtaj managed to breach Rockstar, the company behind GTA, using an Amazon Firestick, his hotel TV and a mobile phone.

The Verge reported that the 18-year-old Lapsus$ hacker who played a critical role in leaking Grand Theft Auto VI footage has been sentenced to life inside a hospital prison, according to the BBC. A British Judge ruled on Thursday that Arion Kurtaj is a high risk to the public because he still wants to commit cybercrimes.

According to The Verge, a mental health assessment found that Kurtaj “continued to express the intent to return to cybercrime as soon as possible.” He’s required to stay in the hospital prison for life unless doctors determine that he’s no longer a danger.

Another 17-year-old involved with Lapsus$ was handed an 18-month community sentence, called a Youth Rehabilitation Order, and a ban from using virtual private networks.

While Kurtaj’s defense asked the judge to take the GTA VI trailer’s success into account during the sentencing, the BBC says the judge argued that real companies and people were hurt by Lapsus$. Rockstar Games said it spent $5 million recovering from the attack.

Polygon reported that nearly an hour’s worth of footage was published on a Grand Theft Auto forum. The footage confirmed a Bloomberg report that said the game would be set in fictionalized Miami, better known as Vice City in the franchise, and feature a playable female character. GTA 6’s first trailer revealed that this character is called Lucia, and paired up with another lead named Jason.

In my opinion, it is never a good idea to hack information from big companies. Hackers who get caught tend to face big legal issues, and that could become a huge problem for those in the Lapsus$ gang.



23andMe Says It Is Aware Of User Data Leak



23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack, Bleeping Computer reported.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

The initial attack was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed that the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokesperson.

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”
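Credential stuffing has a recognisable shape in authentication logs: one source cycling through many different usernames with a high failure rate, and the occasional success where a recycled password happened to be right. The script below is an added example of a detector for that pattern (it is not 23andMe’s detection logic). The log format, the RFC 5737 addresses and the thresholds are all assumptions, and the log lines are constructed; the successful logins from a flagged source are the accounts an incident responder would force-reset first.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not 23andMe's code. The line format, thresholds and
sample log are assumptions/constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Thresholds are assumptions; tune against your own baseline.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 8          # attempts from one source inside WINDOW
MIN_DISTINCT_USERS = 5    # stuffing tries many accounts, not one account many times
MIN_FAIL_RATIO = 0.6      # most leaked passwords are stale, so most attempts fail


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Verdict:
    ip: str
    attempts: int
    distinct_users: int
    fail_ratio: float
    compromised_users: List[str]   # successes from the flagged source


def parse(lines: Iterable[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside the assumed format are ignored, not fatal
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event]) -> List[Verdict]:
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)   # events are already time-ordered
    verdicts = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:   # slide the window start
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            ratio = sum(not e.ok for e in span) / len(span)
            if (len(span) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and ratio >= MIN_FAIL_RATIO
                    and (best is None or len(span) > best.attempts)):
                best = Verdict(ip, len(span), len(users), round(ratio, 2),
                               sorted({e.user for e in span if e.ok}))
        if best is not None:
            verdicts.append(best)
    return verdicts


def accounts_to_reset(verdicts: List[Verdict]) -> List[str]:
    """Any account that authenticated from a flagged source is treated as compromised."""
    return sorted({u for v in verdicts for u in v.compromised_users})


# Constructed sample: a stuffing source (203.0.113.7), a normal login with one
# typo (198.51.100.3), and a user fumbling their own password (192.0.2.44).
SAMPLE_LOG = """\
2023-10-01T12:00:00Z ip=198.51.100.3 user=alice result=FAIL
2023-10-01T12:00:07Z ip=198.51.100.3 user=alice result=OK
2023-10-01T12:01:00Z ip=203.0.113.7 user=alice result=OK
2023-10-01T12:01:01Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T12:01:02Z ip=203.0.113.7 user=carol result=FAIL
2023-10-01T12:01:03Z ip=203.0.113.7 user=dave result=OK
2023-10-01T12:01:04Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T12:01:05Z ip=203.0.113.7 user=frank result=FAIL
2023-10-01T12:01:06Z ip=203.0.113.7 user=grace result=FAIL
2023-10-01T12:01:07Z ip=203.0.113.7 user=heidi result=FAIL
2023-10-01T12:01:08Z ip=203.0.113.7 user=ivan result=FAIL
2023-10-01T12:01:09Z ip=203.0.113.7 user=judy result=FAIL
2023-10-01T12:05:00Z ip=192.0.2.44 user=mallory result=FAIL
2023-10-01T12:05:30Z ip=192.0.2.44 user=mallory result=FAIL
2023-10-01T12:06:00Z ip=192.0.2.44 user=mallory result=OK
"""

if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG.splitlines()))
    for v in found:
        print(v)
    print("force password reset + MFA enrolment for:", accounts_to_reset(found))
```

The distinct-user requirement is what separates this from a brute-force detector: a user mistyping their own password three times never trips it, while a source that tries ten accounts once each does, even if the per-account failure count is too low for any lockout policy to notice.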

The Record reported a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

The company later said that it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relatives feature, which allows users to opt in for the company to show them potential matches for relatives.

According to The Record, a researcher downloaded two files from the BreachForums post and found one that had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage.

The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user had opted into 23andMe’s health data.

Personally, I don’t have any interest in submitting my DNA to any genetics company. That said, I find it extremely troubling that the hackers sought out data from Ashkenazi people and people of Chinese heritage who used 23andMe.


Info From Dozens Of Companies Compromised By CLOP



More victims have emerged of a Russian-speaking cybercrime group whose recent spree includes stealing information from several federal U.S. agencies, NBC News reported.

The BBC, Shell, Johns Hopkins Health System, British Airways, the state of Illinois, and the departments of motor vehicles of Oregon and Louisiana all appear to have had their files stolen, according to various news releases.

The group, CLOP, is an established ransomware group, a type of organized cybercrime in which hackers try to extort victims by either remotely encrypting their data or stealing files and threatening to publish them.

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that advises the nation on cyberattacks and helps protect federal networks, said that multiple agencies had been affected by CLOP’s recent spree. Only the Department of Energy has said so far that it is a victim.

According to NBC News, CLOP appears to have struck gold by identifying a flaw in MOVEit, a computer program designed to help companies transfer files. Organizations running an outdated version of MOVEit are susceptible to an attack in which CLOP can scoop up files.

The Guardian reported that personal details of every holder of a driver’s license from the U.S. state of Louisiana were exposed to hackers who have pulled off a colossal cyber-attack that also affected American federal agencies, British Airways and the BBC, according to officials.

A statement on Thursday from the governor of Louisiana, John Bel Edwards, said that his staff believes everyone with a driver’s license, identification card or car registration issued by the state (more than 4.6 million residents) probably had their names, addresses, and Social Security numbers exposed to the hackers.

Other personal information to which the cyber-attackers apparently had access includes Louisianans’ driver’s license numbers, vehicle registration data, handicap placard information, birthdates, heights and eye colors, Edwards’s statement said.

The number of records involved is thought to be about 6 million, Louisiana’s homeland security and emergency preparedness director Casey Tingle told reporters Friday.

According to The Guardian, British Airways last week confirmed that its staffers’ names, addresses, national insurance numbers and banking details were exposed because its payroll provider Zellis used MOVEit. The BBC said its staff had also been affected because Zellis was its payroll provider, though the broadcaster added that it did not believe banking details were compromised. The UK beauty and health company Boots said some of its team members’ information was also stolen.

CNN reported that hundreds of organizations across the globe have likely had their data exposed after the hackers used the flaw to break into networks in recent weeks. Multiple US federal agencies, including the Department of Energy, were breached. The US Office of Personnel Management was also impacted by the sweeping hack, multiple sources told CNN on Friday.

In my opinion, now would be a good time for companies and organizations who use MOVEit to stop using it. Find a more secure way to manage sensitive data by putting it in a place where it cannot be easily accessed by ne’er-do-wells.


Experts Warn of New Spyware Threat Targeting Journalists



Security experts have warned about the emergence of previously unknown spyware with hacking abilities comparable to NSO Group’s Pegasus that has already been used by clients to target journalists, political opposition figures, and an employee of an NGO, The Guardian reported. 

Researchers at the Citizen Lab at the University of Toronto’s Munk School said the spyware, which is made by an Israeli company called QuaDream, infected some victims’ phones by sending an iCloud calendar invite to mobile users from operators of the spyware, who are likely to be government clients. Victims were not notified of the calendar invitations because they were sent for events logged in the past, making them invisible to the targets of the hacking. Such attacks are known as “zero-click” because users of the mobile phone do not have to click on any malicious link or take any action in order to be infected.

According to the Citizen Lab report, the hacking tool is marketed by QuaDream under the name Reign. The hacking attacks that have been discovered occurred between 2019 and 2021.
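The detail worth holding onto from the Citizen Lab finding is the delivery trick: an invitation for an event already in the past is processed by the device but never surfaces to the user. That is a property a defender can check for. The script below is an added example of such a check (it is a heuristic I wrote for this page, not Citizen Lab’s methodology and not a description of the exploit itself): it parses iCalendar data, including RFC 5545 folded lines, and flags any VEVENT whose start time is earlier than the invitation’s own creation time (DTSTAMP) by more than a grace period. The .ics content is constructed and the grace period and the treatment of timezone-less times as UTC are assumptions.

```python
"""Flag calendar invitations for events that were already in the past.

Added example: a detection heuristic, not Citizen Lab's tooling and not
QuaDream's exploit. SAMPLE_ICS is constructed; GRACE and the UTC
assumption for floating times are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

GRACE = timedelta(hours=1)  # assumption: a legitimately late invite still arrives within an hour


@dataclass
class Invite:
    uid: str
    organizer: str
    dtstamp: datetime   # when the invitation object was created
    dtstart: datetime   # when the event is supposed to happen


def unfold(text: str) -> List[str]:
    """RFC 5545 line unfolding: a line starting with SPACE or TAB continues the previous one."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_dt(value: str) -> datetime:
    """UTC form 20230410T090000Z; a floating time without Z is treated as UTC (assumption)."""
    value = value.strip()
    fmt = "%Y%m%dT%H%M%SZ" if value.endswith("Z") else "%Y%m%dT%H%M%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_invites(ics_text: str) -> List[Invite]:
    invites: List[Invite] = []
    cur: Dict[str, str] = {}
    in_event = False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            cur, in_event = {}, True
        elif line == "END:VEVENT" and in_event:
            invites.append(Invite(cur.get("UID", ""), cur.get("ORGANIZER", ""),
                                  parse_dt(cur["DTSTAMP"]), parse_dt(cur["DTSTART"])))
            in_event = False
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()   # drop property parameters such as ;CN=...
            cur[name] = value
    return invites


def is_backdated(inv: Invite, grace: timedelta = GRACE) -> bool:
    """True when the event started well before the invitation was even created."""
    return inv.dtstamp - inv.dtstart > grace


def suspicious_invites(ics_text: str) -> List[str]:
    return [inv.uid for inv in parse_invites(ics_text) if is_backdated(inv)]


# Constructed sample: one ordinary invite and one backdated invite with a folded ORGANIZER line.
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:normal-evt@example.invalid
DTSTAMP:20230410T090000Z
DTSTART:20230411T100000Z
DTEND:20230411T110000Z
ORGANIZER:mailto:colleague@example.invalid
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:backdated-evt@example.invalid
DTSTAMP:20230410T090100Z
DTSTART:20210105T000000Z
DTEND:20210105T003000Z
ORGANIZER;CN=Unknown
  Sender:mailto:unknown@example.invalid
SUMMARY:(no title)
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for inv in parse_invites(SAMPLE_ICS):
        print(inv.uid, "from", inv.organizer, "BACKDATED" if is_backdated(inv) else "ok")
```

The heuristic says nothing about what the invitation carries; it only surfaces the class of object that the user interface would otherwise hide, so that an invite from an unknown sender for a two-year-old event can be looked at rather than silently processed.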

The research underscores that, even as NSO Group, the maker of one of the world’s most sophisticated cyber weapons, has faced intense scrutiny and been blacklisted by the Biden administration, probably curtailing its access to new customers, the threat posed by similar and highly sophisticated hacking tools continues to proliferate.

Microsoft posted information titled: “Standing up for democratic values and protecting stability of cyberspace: Principles to limit the threats posed by cyber mercenaries”. From the information:

The explosive growth of private “cyber mercenary” companies poses a threat to democracy and human rights around the world. Cyber mercenaries – private companies dedicated to developing, selling, and supporting offensive cyber capabilities that enable their clients to spy on the networks, computers, phones, or internet-connected devices of their targets – are a real cause for concern. These tools have been used to target elections, journalists, and human rights defenders and are increasingly accessible on the open market, enabling malicious actors to undermine our key democratic institutions.

At Microsoft, we believe that digital technology has incredible potential to improve lives across the world, support democracy, and protect and promote human rights. That is why, at the second Summit for Democracy, we were proud to join the international coalition of over 150 companies that make up the Cybersecurity Tech Accord individually and collectively pushing back on the cyber mercenary market by committing to a set of industry principles. 

Our collective commitment to limiting the threats posed by cyber mercenaries:

  • Take steps to counter cyber mercenaries’ use of products and services to harm people;
  • Identify ways to actively counter the cyber mercenary market;
  • Invest in cybersecurity awareness of customers, users, and the general public;
  • Protect customers and users by maintaining the integrity and security of products and services;
  • Develop processes for handling valid legal requests for information.

Personally, I don’t see why cyber mercenaries need to exist at all. These groups do not have the right to hack into other people’s phones. If you haven’t updated your iOS devices in a while – now is a great time to do it.