Newsletters

Since such operations are usually carried out with automated tools like headless browsers, Twitch's security team initially responded to the attack by blocking all user logins from all browsers except the very most recent versions of Chrome, Firefox, and Edge, on which most of its "legitimate" userbase would likely be using.

"There are organized groups trying to create botnets—bots that end up getting used for hate raids. There was one such mob very active recently," said Twitch chief product officer Tom Verrilli said in a Twitter thread yesterday, trying to explain to users what was happening and why some of them couldn't log in.

"When that happens, we (1) close whatever hole they found, (2) clean up the bot accounts made. Because (1) takes time, we're temporarily restricting log-in to certain browsers," he added.

Hopefully, the stolen data has been destroyed, but Optusdata's statement isn't evidence that it actually has been. Optus confirmed that it had not paid a ransom.

So. Where to from here?

It is common in Australia to prove your identity when creating new accounts by providing "100 points" of identification, where various identity documents are assigned particular point values. A driver's licence might be worth 50-70 points and a credit card 30, for example. This was originally an anti-financial crime measure, but the practice has since spread broadly in Australia across all sorts of sectors.

In the meantime, the Australian government said that since driver's license numbers were stolen in the breach, anyone whose data was leaked in the Optus incident can apply for a free replacement.

Rust coming to Linux 6.1: The first components written in the Rust programming language are coming to the official Linux kernel with its upcoming v6.1 release, Linus Torvalds announced last week, speaking at the Kernel Maintainers Summit.

Chrome 106: A new version of the Google Chrome browser is out, including 20 security fixes.

In addition, Mandiant also believes that XakNet has coordinated with another faux hacktivist group named KillNet, but has not formally linked the latter to the GRU just yet. The company has also not ruled out that either GRU or other Russian intelligence services might be behind other pro-Russian newly formed hacktivist groups, such as FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling: JokerDPR), and RedHackersAlliance.

But Mandiant's findings are not surprising in the slightest for anyone familiar with APT28's history and its propensity toward using "hacktivist" personas. GRU's cyber division has also previously posed as Anonymous Poland in a campaign to influence the country's politics through leaks, hacked WADA under the guise of a hacktivist group cheekily named FancyBear (a codename used for Russia's FSB hackers), invented the Guccifer 2.0 persona [PDF] to leak data from the DNC hack, and the CyberBerkut persona to leak data on Ukrainian politicians in the late 2010s.

As for a response from the hacktivist groups after Mandiant's report, only XakNet has addressed the topic, promising a reply in the coming days. Knowing how we know XakNet, it will probably be something lame and stupid.

This EDPS investigation (and the current lawsuit) is a highly controversial topic among law enforcement officials. In an official response in January, Europol said that deleting this data will impact its "ability to analyze complex and large datasets at the request of EU law enforcement," which will hinder the EU's ability to detect and respond to many threats, such as terrorism, cybercrime, international drugs trafficking, child abuse, and others, many of which involve trans-national investigations at a very large scale.

In honesty, this is one of those situations where both parties are right at the same time. You can't fight crime in the XXI century without some serious ML and data analysis, but you also can't leave a giant database of PII data without any safeguards from institutional abuse. Sure, it's Europol. We're not talking about China or Russia, so the possibility of abuse is low. But it's also not zero, as there's always that rogue insider in every government agency.

Ask.fm 2020 breach: Earlier this week, an individual named "Data" began advertising the data of 350 million Ask.fm users on an underground cybercrime forum. Data told DataBreaches.net that he reached out to Ask.fm in 2020 about the breach but was ignored. The company appears to have never publicly disclosed the incident.

This week's release is Guacamaya's fourth since March and it has also compromised mining and oil companies and government offices in a number of different countries. In each case it releases data via Enlace Hacktivista, a website that documents hacker history, and/or via Distributed Denial of Secrets. Each release is accompanied by a statement, sometimes a video, that documents the hacking process and, once, even a poem.

The Ukraine IT Army also claimed some success this week and claims to have hacked the personal data of mercenaries from the Russian Wagner Group.

This week The Record published a comprehensive overview of the Belarusian Cyber Partisans, covering the group's founding, some of its successful operations and also interviews with its spokesperson Yuliana Shemetovets. This newsletter has covered the activities of the Belarusian Cyber Partisans several times, and an early episode of our Between Two Nerds podcast discussed how the Cyber Partisans evolved to become a very effective group.

American Airlines breach: American Airlines disclosed a security breach last week in a breach notification letter [PDF] filed with the Montana OAG. The airline said the breach occurred in July this year after a threat actor gained access to several employee email accounts. These accounts contained documents with the personal data of some of the airline's past customers, such as names, email addresses, home addresses, phone numbers, and travel documents information.

Gag order in Albania: The Albanian government has put a gag order on local press to prevent them from reporting any stories sourced from documents that were stolen and recently leaked by Iranian hackers.

Ransomware attack on Bosnia's government: Officials from Bosnia and Herzegovina are investigating a cyberattack that has crippled the operations of the country's parliament for more than two weeks, in what experts say bears all the hallmarks of a classic ransomware attack.

"The attacker had access to my admin account, probably through session hijacking (bypassing password and 2fa)," the admin also added.

KiwiFarms said that while information from the site's log suggests that a user database export operation performed by the intruder might have failed, registered users should still assume that their data might have been compromised through another means.

The incident sparked quite a wave of panic among the site's users, most of whom now fear that their real identities could be revealed through the stolen data, which is a very plausible scenario for those who did not practice good OpSec when registering on the site.

Azure Code Signing: Microsoft gave software developers a preview this week of an upcoming tool named Azure Code Signing, an Azure service that makes it easier to cryptographically sign code and apps.

Disable IE policy: Microsoft also released a new policy this week that will allow organizations to permanently disable the Internet Explorer browser right now and not have to wait for a future Microsoft update to do so.

Avast acquires "I don't care about cookies": Antivirus maker Avast has acquired "I don't care about cookies," a popular browser extension that hides cookie popups on internet websites.

To be clear, Iran has been subject to destructive cyber attacks, but the context surrounding these attacks is very different.

Jason Brodsky, policy director at United Against Nuclear Iran told Seriously Risky Business that the Stuxnet attack was justified because the Iranian nuclear program had "advanced to such a state… beyond any plausible civilian justification". Brodsky agreed that there had been attacks on Iranian rail and fuel infrastructure in the case of the (likely) Israeli-led Predatory Sparrow campaign, "but viewing these operations in the context of the chain of attacks which triggered them is important". In other words, you reap what you sow.

"Iran has also been actively seeking to harm civilians in its cyberattacks — with the attempted operation against Boston Children's Hospital, which the FBI director called one of the most despicable he had ever seen in June 2021. That is not to mention attacks on Israel's water infrastructure which could have poisoned innocent Israelis. The cyberattacks targeting Iran do not even come close to those operations."