
IntelBroker Claims Theft of Five Eyes Data From State Department Contractor

Google sues two pig-butchering crypto app scammers, Ukraine to report Kyivstar hackers to The Hague, Ukraine sends awards to vigilante hackers, Omni Hotels hit by likely ransomware attack, NYC payroll system offline due to smishing attacks, Russia indicts credit card skimmers, Google fixes exploited Pixel zero days, Canonical delays Ubuntu release due to XZ-utils backdoor, much more


The US Department of State is investigating claims of a cyber incident after a threat actor, IntelBroker, leaked documents allegedly stolen from a government technology contractor, Acuity.

IntelBroker describes the files as containing classified information from the Five Eyes intelligence alliance. According to the claims, the leaked data includes the full names, email addresses, office numbers, and personal cell numbers of government, military, and Pentagon employees.

IntelBroker has also shared screenshots of some allegedly stolen documents (first spotted by Dark Web Informer) but has yet to disclose the method used to obtain them. "Today, I am releasing the documents belonging to the Five Eyes Intelligence Group," the threat actor says in a post on a hacking forum.

"This data was obtained by breaching into Acuity Inc, a company that works directly with the US Government and its allies."

Since December, IntelBroker has been leaking data allegedly stolen from or belonging to various government agencies, including ICE & USCIS, the Department of Defense, and the US Army. It is unknown whether these incidents are related to the Five Eyes data leak. However, some of the data leaked in the ICE/USCIS forum post is also contained in the Five Eyes post, indicating an overlap.

The State Department said it “takes seriously its responsibility to safeguard its information and continuously takes steps to improve the Department's cybersecurity posture. For security reasons, we will not provide details on the nature and scope of the claim." (Sergiu Gatlan / Bleeping Computer)


Google is suing two alleged crypto scammers, accusing them of using its Play Store to offer fraudulent pig-butchering cryptocurrency trading apps and investment platforms that instead took users’ money.

The accused scammers, two app developers based in China and Hong Kong named Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim and Stanford Fischer), allegedly uploaded 87 different fraudulent apps to enable their schemes, luring in more than 100,000 people who downloaded them. Based on user complaints, Google alleges that users lost anywhere from $100 to tens of thousands of dollars each. Apps uploaded by the pair and their unnamed associates have been used in versions of the scam since at least 2019, according to Google.

Google says it’s the first company of its peers to take this kind of action. It had already shut down the apps on the Play Store once it had determined they were fraudulent. “This litigation is a critical step in holding these bad actors accountable and sending a clear message that we will aggressively pursue those who seek to take advantage of our users,” Google’s general counsel, Halimah DeLaine Prado, said.

Google says the scheme also harmed it because it threatened the “integrity” of its app store and diverted resources to detect and disrupt the operation. The company says it suffered economic damages of more than $75,000 investigating the fraud. (Lauren Feiner / The Verge)

Cyber specialists and investigators of the Security Service of Ukraine (SBU) have identified the Russian military intelligence hackers who attacked Kyivstar, one of Ukraine's national mobile operators. The SBU is gathering evidence against them and plans to transfer the materials of this investigation to the International Criminal Court in The Hague.

The Ukrainian Security Service has established that Kyivstar was attacked by the hacker group Sandworm, a regular unit of the Russian Military Intelligence. The Ukrainian Security Service is now conducting a series of examinations and has requested additional information from international partners.

"Not only the specific hacker but at least the commander of the military unit and the leadership of the intelligence service performing destructive activities should be held accountable," said Illia Vityuk, head of the cybersecurity department of the Security Service of Ukraine.

He emphasized that there are only three cases in the world where charges have been served against hackers for cyberattacks on infrastructure. (Interfax-Ukraine)

In an interview with Ukrinform, Illia Vitiuk, head of the Cybersecurity Department of the Security Service of Ukraine (SBU), discussed details of the structure of Russian hacking groups.

"Hacker groups, also known as APT [advanced persistent threat] groups, operate directly in the staff of the special services. We know their structure. In Russia, the GRU and the FSB are leading in this respect. The GRU has military units that are special units.”

Vitiuk said, “For example, unit 74455 is SandWorm, and unit 26155 is APT-28. And there are many of them. Each of them specializes in specific directions. SandWorm is engaged in attacks on energy, telecommunications, Internet providers, and communications operators. There are individuals out there who write malware, surf the web, send phishing emails, and more. FSB has 'Armageddon,' 'Turla,' 'Dragonfly.' Each special service has two or three APT groups," he said.

According to Vitiuk, Yevgeny Serebryakov heads the SandWorm group. The SBU charged him with carrying out a hacker attack on the Kyivstar mobile communications operator in December 2023.

He noted that the SBU plans to issue suspicion notices against members of the SandWorm group, as well as the heads of the Main Directorate of the General Staff of the Russian Federation. (Ukrinform)

One Fist, a team of vigilante hackers carrying out cyberattacks against Russia, has been sent awards of gratitude by Ukraine's military.

One Fist has stolen data from Russian military firms and hacked cameras to spy on troops. It is made up of hackers from eight different countries, including the UK, the US, and Poland. They have collectively launched dozens of cyber-attacks, celebrating each one on social media.

The certificates were sent to them all for "a significant contribution to the development and maintenance of vital activities of the military." They were signed by the commander of the Airborne Assault Forces of Ukraine.

One of the hackers, Voltage, is an IT worker from Michigan whose real name is Kristopher Kortright. He has been coordinating hacks from his home in the US. He said he is delighted his efforts for Ukraine have been officially recognized with a certificate of gratitude.

The certificates are a controversial sign of how modern warfare is shifting. Although many nations, including the UK and the US, have official award systems for ethical hacking, this is thought to be the first time a country has awarded hackers for malicious and possibly criminal hacks. (Joe Tidy / BBC News)

Related: WION

A cyberattack, which sources say is ransomware, has forced Omni Hotels & Resorts' computer systems offline.

"Since Friday, March 29, Omni Hotels & Resorts has been responding to a cyberattack on its systems. Upon learning of this issue, Omni immediately took steps to shut down its systems to protect and contain its data," the hotel chain said. "As a result, certain systems were brought offline, most of which have been restored. Omni quickly launched an investigation with a leading cybersecurity response team, which is ongoing."

At this time, no ransomware gang has claimed responsibility for the attack. If Omni Hotels does not pay a ransom demand, the gang will likely claim the attack and begin leaking stolen data to apply further pressure on the company.

According to Omni employees, the IT team is now manually restoring affected systems from scratch, and hotel staff have been informed that systems will be available again on Thursday.

While all Omni locations have remained open and accepting new guests after the cyberattack, front desk employees have been experiencing issues with credit card payments, new reservations, and modifying already-made reservations.

"Dear valued guests, our technology teams are continuing to work on restoring our systems that are currently down," Omni Hotels said. (Sergiu Gatlan / Bleeping Computer)

The administration of Mayor Eric Adams took its payroll website, the New York City Automated Personnel System, Employee Self Service (known as NYCAPS/ESS), partially offline for the last nine days in response to a recent phishing scheme targeting city employees, leaving the city’s roughly 300,000 full-time workers with limited access to essential forms as Tax Day nears.

Last month, the city’s cybersecurity team was made aware of a text message phishing campaign in which hackers tried to steal NYCAPS users’ personal information, a spokesperson for the Office of Technology & Innovation said.

Since then, the team has been conferring with the city’s payroll office and the Department of Citywide Administrative Services, which manages municipal buildings, “to implement enhancements to security measures,” which shut down access to the site, the technology office further said.

“City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity,” the statement added. The city sent an email to all employees Tuesday afternoon warning them about the phishing scheme but did not mention that access to NYCAPS had been limited.

That action comes after the city’s largest agency, the Department of Education, sent an email to its employees on March 23 warning about a new “smishing” or SMS phishing campaign “targeting users of NYCAPS/ESS.”

Department of Education’s newly appointed Chief Information Officer Intekhab Shakil wrote in the email that employees received text messages asking them to activate multi-factor authentication for the NYCAPS system. However, the texts were a scam, trying to get city employees to hand over their usernames, passwords, and even a picture of their driver’s license.

The fake site used to trick people “is a phishing scam domain out of Lithuania,” Naveed Hasan, a technology consultant and member of the city’s Panel for Education Policy, posted on X, formerly Twitter, last week. (Jeff Coltin / Politico)

Related: StateScoop

Russia's Prosecutor General's Office has announced the indictment of six suspected "hacking group" members for using malware to steal credit card and payment information from foreign online stores in attacks known as card skimming.

In a rare case of tackling cybercrime, the Russian authorities announced the indictment of six men, named Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev, for the card skimming crimes.

According to investigations, the six suspects started the malicious activity nearly seven years ago and managed to steal over 160,000 payment cards.

"Since the end of 2017, these individuals, using computer programs, bypassed the protection of foreign online store websites and gained access to their databases," the prosecutor said.

The Russian authorities say that the card skimming group did not use the stolen cards themselves but instead sold them on dark web platforms.

The six men are accused of committing crimes relating to Part 2 of Article 187 (illegal turnover of payment means) and Part 3 of Article 273 (creation, use, and distribution of malicious computer programs) of the Criminal Code of the Russian Federation.

The suspects are being sent to the Soviet District Court of Ryazan, which will decide on their penalty. (Bill Toulas / Bleeping Computer)

IT security software company Ivanti released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.

Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.

The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.

While Ivanti said the remote code execution risks are limited to "certain conditions," the company didn't provide details on the vulnerable configurations. "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti added.

The company also patched three other security flaws, impacting the same products and exploitable by unauthenticated threat actors for DoS attacks. These flaws are CVE-2024-22052, a null pointer dereference vulnerability in the IPSec component; CVE-2024-22053, a heap overflow vulnerability in the IPSec component; and CVE-2024-22023, an XML entity expansion or XEE vulnerability in the SAML component. (Sergiu Gatlan / Bleeping Computer)

Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them.

CVE-2024-29745 is marked as a high-severity information disclosure flaw in the Pixel's bootloader, while CVE-2024-29748 is described as a high-severity elevation of privilege bug in the Pixel firmware.

Security researchers for GrapheneOS, a privacy-enhanced and security-focused Android distribution, disclosed on X that they discovered forensic companies actively exploited the flaws.

Although Pixels run Android, they receive separate updates from the standard monthly patches distributed to all Android device OEMs. This is due to their unique hardware platform, over which Google has direct control, and the exclusive features and capabilities.

While the April 2024 Android security bulletin contained nothing severe, the corresponding April 2024 bulletin for Pixel devices disclosed active exploitation of CVE-2024-29745 and CVE-2024-29748.

"There are indications that the following may be under limited, targeted exploitation," warned Google. (Bill Toulas / Bleeping Computer)

In an interview, Andres Freund, the Microsoft engineer who discovered the XZ-utils backdoor, said that becoming an internet hero has been disorienting because he is “a fairly private person who just sits in front of the computer and hacks on code.”

“It felt surreal,” he said. “There were moments where I was like, I must have just had a bad night of sleep and had some fever dreams.”

Since his findings became public, Mr. Freund said, he had been helping the teams who are trying to reverse-engineer the attack and identify the culprit. But he’s been too busy to rest on his laurels. The next version of PostgreSQL, the database software he works on, is coming out later this year, and he’s trying to get some last-minute changes in before the deadline.

“I don’t really have time to go and have a celebratory drink,” he said. (Kevin Roose / New York Times)

Canonical, the maker of the Ubuntu Linux distribution, is delaying the beta release of Ubuntu 24.04 LTS by a week because of the backdoor discovered in the widely used compression tool XZ-Utils.

The release was supposed to be today but has been pushed back to April 11.

Canonical says it chose to do this to ensure users’ security. Lukasz Zemczak, the company’s Senior Software Engineer and Interim Manager, announced that all beta binary packages built after the backdoor was committed to xz-utils (February 26) would be removed and rebuilt.

As a result, Canonical can guarantee that the threat will not affect any binary in the builds of Ubuntu 24.04 LTS (codenamed Noble Numbat). (Martijn van Best / Techzine)

Related: Ubuntu
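Canonical's rebuild addresses its own packages; the check an administrator wants for an existing host is whether the installed xz and liblzma are one of the backdoored upstream releases. The following is an added example, not Canonical's tooling or anything from the page: it parses the two lines `xz --version` prints and flags the versions known to carry the backdoor (5.6.0 and 5.6.1, the releases tied to CVE-2024-3094, a fact supplied by the editor rather than the page). The sample outputs are constructed in the format xz uses, not captured from a real host.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Upstream releases known to carry the backdoor (CVE-2024-3094). This is the
# editor's knowledge, not something stated on the page.
BACKDOORED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints two lines, e.g. "xz (XZ Utils) 5.4.5" and "liblzma 5.4.5".
_VERSION_LINE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+)\.(\d+)\.(\d+)")


def parse_xz_version(output: str) -> Dict[str, Tuple[int, int, int]]:
    """Parse `xz --version` output into {'xz': (maj, min, patch), 'liblzma': (...)}.

    The library line matters more than the tool line: the malicious code
    lived in liblzma, which other programs load, not in the xz binary.
    """
    found: Dict[str, Tuple[int, int, int]] = {}
    for line in output.splitlines():
        m = _VERSION_LINE.match(line.strip())
        if m:
            name = "xz" if m.group(1).startswith("xz") else "liblzma"
            major, minor, patch = (int(x) for x in m.group(2, 3, 4))
            found[name] = (major, minor, patch)
    return found


def affected_components(output: str) -> List[str]:
    """Names of components whose reported version is a backdoored release."""
    versions = parse_xz_version(output)
    return sorted(name for name, v in versions.items() if v in BACKDOORED_VERSIONS)


def check_local_system() -> Optional[List[str]]:
    """Run the real `xz --version` on this host; None if xz is not installed."""
    try:
        proc = subprocess.run(
            ["xz", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return affected_components(proc.stdout)


# Constructed sample outputs in the format xz prints (not from a real host).
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_BACKDOORED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

if __name__ == "__main__":
    print("constructed clean sample:", affected_components(SAMPLE_CLEAN))
    print("constructed backdoored sample:", affected_components(SAMPLE_BACKDOORED))
    print("this host:", check_local_system())
```

A version match is a trigger for investigation, not proof of compromise: distributions have shipped builds that report 5.6.x with the malicious code removed, and a build from upstream git rather than the tampered release tarball does not carry it. Conversely, a clean version string from a host that was previously updated to 5.6.x says nothing about what ran there before the downgrade.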

In the latest State of AI and Security Survey Report conducted by the Cloud Security Alliance and Google Cloud, 55% of all organizations say they are planning to embrace the potential of generative artificial intelligence technology to enhance their security within the next year.

The global survey of 2,486 information technology and security professionals from organizations of various sizes revealed that the growing adoption of generative AI is being pushed through by C-suite executives, according to 82% of respondents. The reason is that high-level executives recognize the competitive advantage the technology can provide in modern business environments.

The survey also found that AI is no longer just a concept but a practical reality at many companies, with 67% of the surveyed organizations saying they have already tested how AI can be used specifically to enhance security. (Mike Wheatley / Silicon Angle)

In a nightmarish tale, Iowa system administrator Matthew David Keirans pleaded guilty to charges related to stealing and assuming a former coworker's identity over a 33-year period, during which he supplied authorities with forged documents that ultimately saw his victim jailed and committed to a mental hospital for nearly a year and a half.

Keirans first met his victim, William Donald Woods, who ran away from home at 16, in "about 1988" while working at a hot dog stand in Albuquerque, New Mexico.

Roughly two years later, in 1990, Keirans is said to have assumed Woods' identity "in every aspect of his life," purchasing all manner of forged documents, including a Kentucky birth certificate, US social security number, and I-9 form, all of which he later used to secure employment at an Iowa hospital in 2013 as a remote sysadmin.

After passing the hospital's background checks, he became a core member of the University of Iowa Hospitals & Clinics' IT team and assumed a key role in maintaining the hospital's systems and infrastructure.

After Keirans racked up over $100,000 in debt in Woods’ name, Woods was arrested by the LAPD when Keirans faxed a series of forged documents to local police, "proving" he was ”the real Woods.” Woods spent 428 days in jail and was sentenced to a mental hospital for not using his “real name.”

Woods was released from both hospital and jail in 2021, was again homeless, and spent more than two years filing various reports to convince any authority that would listen that he was, in fact, the victim of identity fraud.

His luck turned on January 13, 2023, when, after discovering where Keirans worked, he informed the Iowa hospital about the situation, which then engaged a senior detective in the local police force. (Connor Jones / The Register)

Security researcher AmrAwad discovered that LayerSlider, a premium WordPress plugin used on over one million sites, is vulnerable to unauthenticated SQL injection, so admins should prioritize applying the plugin's security update.

LayerSlider is a tool for creating responsive sliders, image galleries, and animations on WordPress sites, allowing users to build visually appealing elements with dynamic content on online platforms.

The critical (CVSS score: 9.8) flaw is tracked as CVE-2024-2879.

On March 25, AmrAwad reported the flaw to WordPress security firm Wordfence via its bug bounty program. For his responsible reporting, AmrAwad received a $5,500 bounty. (Bill Toulas / Bleeping Computer)
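What an unauthenticated SQL injection of this class looks like, and the fix, as an added example that is not LayerSlider's code: the page does not describe the plugin's actual vulnerable query, so the schema, the slider lookup keyed by an attacker-controlled id parameter, and the payload below are all constructed for illustration, using SQLite in place of MySQL. The "before" concatenates the request parameter into the statement; the "after" binds it as a parameter, which is the property WordPress's `$wpdb->prepare()` gives a plugin.

```python
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the demonstration; not LayerSlider's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO sliders VALUES (?, ?, ?)",
        [(1, "homepage-hero", 1), (2, "draft-internal", 0)],
    )
    # Stand-in for wp_users: the table an attacker actually wants to read.
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '$P$B-constructed-hash')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, slider_id: str) -> List[str]:
    """Hypothetical 'before': the request parameter is concatenated into SQL.

    Whatever the caller sends becomes part of the statement, so a crafted id
    rewrites the query instead of selecting a row.
    """
    sql = f"SELECT name FROM sliders WHERE id = {slider_id} AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, slider_id: str) -> List[str]:
    """Hardened form: the value is bound as a parameter.

    The statement's structure is fixed before the attacker's input is seen;
    the input can only ever be compared against the id column.
    """
    sql = "SELECT name FROM sliders WHERE id = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (slider_id,))]


# Constructed attacker input: closes the intended comparison, unions in
# credentials from another table, and comments out the trailing filter.
PAYLOAD = "1 UNION SELECT user_login || ':' || user_pass FROM users --"


def demo() -> Dict[str, List[str]]:
    """Run both lookups against the same payload and a normal id."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "1"),
        "safe_unpublished": lookup_safe(conn, "2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns the admin credential hash alongside the slider name; the parameterised one returns nothing for the payload, because the whole string is compared against an integer column rather than parsed as SQL, and still returns the right row for a genuine id. Casting the parameter to an integer before the query is a sensible second layer, but binding is the control that removes the vulnerability class.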

Nearly one million individuals' personal details, financial account information, and medical records may well have been stolen from City of Hope systems in the United States.

City of Hope is a healthcare organization that operates cancer hospitals and outpatient centers in Duarte, California, as well as the Atlanta, Chicago, and Phoenix areas.

In a data breach notification, City of Hope said 827,149 people were affected by the breach. The organization said a malicious actor infiltrated "a subset of our systems," had access to the records described above, and stole at least some files between September 19 and October 12, 2023. It says it became aware of "suspicious activity" a day later and immediately took action to minimize any disruption to its operations.

Affected individuals will receive two years of free identity monitoring services from Kroll. (Jessica Lyons / The Register)

Microsoft is ending support for Windows 10 on October 14th, 2025, and will require users to pay for Extended Security Updates (ESU), with pricing starting at $61 for the first year.

This is the first time Microsoft has offered consumers paid extended security updates for a Windows release. Businesses and consumers will need to purchase an ESU license for each Windows 10 device they plan to keep using after the end-of-support date next year.

For businesses, the first year is $61. It then doubles to $122 for the second year and doubles again in year three to $244. (Tom Warren / The Verge)

Best Thing of the Day: Something’s Going Right in Singapore

The Cyber Security Agency of Singapore reports that over 70% of organizations in Singapore have implemented the requirements necessary to obtain a "Cyber Essentials" certification, in contrast to a mere 3% of global organizations that have achieved a “mature” level of cybersecurity readiness, according to Cisco.

Worst Thing of the Day: It’s OK To Be Lax on Cybersecurity

A bill making its way through the Tennessee statehouse would make it harder for breach victims to sue after a data breach, protecting companies that do not take reasonable care to protect their customers’ data.
