Prosecutors Charge Two Brothers With Operating the Anonymous Sudan Attack-for-Hire Service

Notorious hacker USDoD busted in Brazil, Iranian hackers use brute force attacks to crack passwords, China wants security reviews of Intel products, Hong Kong busts pig butchering scam ring members, SecureWorks says faux DPRK worker hacked his hiring company, Volkswagen probes attack, much more

Anonymous Sudan image from Telegram channel.

An important message from our sponsor, Anchore

Learn the building blocks for adopting a secure software factory model in a highly informative webinar. The Department of Defense (DoD) software factory model has emerged as a cornerstone of innovation and security for national defense and cybersecurity. Software factories represent an integration of principles and practices found within the DevSecOps movement, with technical guidelines to support continuous cyber-readiness with real-time visibility.

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."


US prosecutors charged two Sudanese brothers, Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, with running one of the most prolific and expansive cyberattack-for-hire gangs of all time, a small group they blamed for a stunning 35,000 denial-of-service attacks in a single year.

A grand jury indictment charged the pair with conspiracy and impairing computers, including in at least one hospital in the United States. Convictions could lead to potential life sentences.

The pair allegedly operated Anonymous Sudan, a prodigious outfit with 80,000 subscribers on Telegram that managed to knock offline key pages at Microsoft, OpenAI, and PayPal since January 2023. The indictment says they did all that with just three unindicted accomplices from their war-torn home country.

The group charged $600 or less for major denial-of-service attacks, and a Sudanese nationalist ideology drove the majority of their actions, said Martin Estrada, US attorney for the Los Angeles region.

Estrada said the brothers were arrested abroad in March and have been in custody since then. He declined to name the country holding them or to comment on whether the United States would seek their extradition. The programs and computers they used have been seized, and there have been no more attacks from that network.

Younger brother Ahmed was the primary administrator of Anonymous Sudan and is either 21 or 22, according to an FBI agent’s affidavit filed with a criminal complaint against him. The prosecutor said both brothers are highly educated and were interviewed in custody.

Related: Justice Department, Grand Jury Indictment, Criminal Complaint, Bloomberg, Crowdstrike, BleepingComputer, About Amazon, Wired, Ars Technica, NextGov/FCW, Sudan Tribune, Cybernews, CBS News, USA Today, Cyberscoop, HackRead, Engadget, GBHackers, CyberDaily

An image of Ahmed Salah Yousif Omer’s passport. Source: Criminal Complaint
Kenya hospital websites shown as unavailable by Anonymous Sudan. Source: Criminal complaint.

A notorious hacker named USDoD, linked to the National Public Data and InfraGard breaches, was arrested by Brazil's Polícia Federal in "Operation Data Breach."

USDoD, aka EquationCorp, has a long history of high-profile data breaches where he stole data and commonly leaked it on hacking forums while taunting the victims.

These breaches include those on the FBI's InfraGard, a threat information sharing portal, and National Public Data, where the personal data and social security numbers of hundreds of millions of US citizens were leaked online.

It wasn't until the threat actor targeted cybersecurity firm CrowdStrike and leaked the company's internal threat actor list that his situation worsened.

Soon after leaking the IOC list, Brazilian publisher Techmundo received an anonymous report created by CrowdStrike that allegedly identified, or doxed, the threat actor, revealing he was a 33-year-old Brazilian named Luan BG. 

Strangely, USDoD confirmed that CrowdStrike's information was accurate in an interview with HackRead and said he was currently living in Brazil.

"So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack," USDoD told HackRead.

Brazil's Polícia Federal (PF) announced his arrest today in Belo Horizonte/MG, likely aided by this information.

The PF said it launched Operation Data Breach on Wednesday (16/10) to investigate intrusions into the systems of the Federal Police and other international institutions.

"A search and seizure warrant and a preventive arrest warrant were served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications selling Federal Police data, on May 22, 2020 and on February 22, 2022."

"The prisoner boasted of being responsible for several cyber invasions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard, a partnership between the Federal Bureau Investigation - FBI and private critical infrastructure entities in the United States of America." (Lawrence Abrams / Bleeping Computer)

Related: Gov.br, Globo, DataBreaches.Net, Cyber Daily, Security Affairs, Hackread, The Record, Baptiste Robert on LinkedIn

Source: HackManac on X via Bleeping Computer.

A joint advisory from US, Canadian, and Australian cyber agencies warns that Iranian hackers are using brute force attacks to crack passwords in the health care, government, information technology, energy and engineering sectors.

“The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the agencies wrote.

The tactics include lobbing a variety of common passwords at the targets, trial-and-error password attempts, and multifactor authentication (MFA) “push bombing,” which involves “bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications,” according to the advisory.

The hackers conduct reconnaissance to determine potential victim identities. After gaining access, they often register compromised devices with MFA to retain that access. The agencies warned that they also use their access to penetrate target systems more deeply.

Despite the hackers’ use of MFA push bombing, the agencies recommend that critical infrastructure organizations enable MFA and use strong passwords to defend against the Iranian hackers. (Tim Starks / Cyberscoop)

Related: CISA, NSA, The Cyber Express, Cybernews, BankInfoSecurity, Bleeping Computer
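The advisory describes three observable steps: a spray of common passwords across many accounts, repeated MFA push prompts until one is approved, and enrollment of a new MFA device to keep the access. Below is an added example, not from the newsletter or from the CISA/NSA advisory, showing how each step can be picked out of authentication logs. The log format, field names, thresholds and the sample events are all constructed for illustration; a real identity provider emits its own schema and would need a small adapter in parse_events.

```python
"""Detection heuristics for the password-spray and MFA push-bombing
tradecraft summarised above. Added example; the log format and all
sample events are constructed, not taken from any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<iso-timestamp> <event> user=<u> src=<ip> result=<r>"
SAMPLE_LOG = """\
2024-10-16T08:00:01 password_auth user=alice src=203.0.113.7 result=fail
2024-10-16T08:00:02 password_auth user=bob src=203.0.113.7 result=fail
2024-10-16T08:00:03 password_auth user=carol src=203.0.113.7 result=fail
2024-10-16T08:00:04 password_auth user=dave src=203.0.113.7 result=fail
2024-10-16T08:00:05 password_auth user=erin src=203.0.113.7 result=fail
2024-10-16T08:00:06 password_auth user=frank src=203.0.113.7 result=fail
2024-10-16T08:00:30 password_auth user=erin src=203.0.113.7 result=success
2024-10-16T08:05:00 mfa_push user=erin src=203.0.113.7 result=denied
2024-10-16T08:05:20 mfa_push user=erin src=203.0.113.7 result=timeout
2024-10-16T08:05:40 mfa_push user=erin src=203.0.113.7 result=timeout
2024-10-16T08:06:00 mfa_push user=erin src=203.0.113.7 result=denied
2024-10-16T08:06:30 mfa_push user=erin src=203.0.113.7 result=approved
2024-10-16T08:20:00 mfa_enroll user=erin src=203.0.113.7 result=success
2024-10-16T09:00:00 password_auth user=bob src=198.51.100.5 result=success
2024-10-16T09:00:05 mfa_push user=bob src=198.51.100.5 result=approved
this line is malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate junk lines; a SIEM would count them separately
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed password logins touch >= min_users
    distinct accounts inside `window`: few passwords, many users."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "password_auth" and e["result"] == "fail":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1  # slide the window forward
            users = {u for _, u in attempts[lo:hi + 1]}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag users who got >= min_prompts push prompts inside `window` and
    then approved one. Returns {user: time_of_the_approval}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append((e["ts"], e["result"]))
    flagged = {}
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (ts, result) in enumerate(prompts):
            if result != "approved":
                continue
            recent = [p for p in prompts[:i + 1] if ts - p[0] <= window]
            if len(recent) >= min_prompts:
                flagged[user] = ts
    return flagged


def detect_post_compromise_enrollment(events, push_hits, window=timedelta(hours=1)):
    """A new MFA device enrolled shortly after a push-bombing approval is the
    persistence step the advisory warns about. Returns {user: enrollment_ts}."""
    hits = {}
    for e in events:
        if e["event"] == "mfa_enroll" and e["result"] == "success" and e["user"] in push_hits:
            delta = e["ts"] - push_hits[e["user"]]
            if timedelta(0) <= delta <= window:
                hits[e["user"]] = e["ts"]
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    pushed = detect_push_bombing(evs)
    print("push-bombed users:", pushed)
    print("suspicious enrollments:", detect_post_compromise_enrollment(evs, pushed))
```

The thresholds are deliberately conservative defaults rather than tuned values; the useful signal is the chain (spray, then a burst of prompts ending in an approval, then a new device), so an alert that fires only when the later stages follow the earlier ones has far fewer false positives than any single rule.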

The Cybersecurity Association of China (CSAC) said that Intel products sold in China should be subject to a security review, alleging the US chipmaker has "constantly harmed" the country's national security and interests.

While CSAC is an industry group rather than a government body, it has close ties to the Chinese state. The raft of accusations against Intel, published in a long post on its official WeChat account, could trigger a security review from China's powerful cyberspace regulator, the Cyberspace Administration of China (CAC).

Last year, CAC barred domestic operators of key infrastructure from buying products made by US memory chipmaker Micron Technology after deeming the company's products had failed its network security review. (Eduardo Baptista / Reuters)

Related: South China Morning Post, IT News, PCMag.com, Tom's Hardware, Nikkei Asian Review, The Register, CHINAdaily, Investopedia, Taipei Times, Bloomberg, PCMag, Asia Financial, WinBuzzer, Wall Street Journal, SHINE

China is employing what Taiwan says is an expanding army of hackers, diplomats, prosecutors, and celebrities in its effort to persuade Taiwan to submit to Beijing.

As Beijing began to launch a series of military drills, cyberattacks multiplied: Taiwan was hit Monday with at least twice the average number of daily attempted breaches, the military’s cyber command reported.

According to Taiwan's Digital Affairs Ministry, more than 90,000 cyberattack attempts on Taiwan were detected in August, with targets including government infrastructure. This was the highest number since a surge two years earlier during then-US House Speaker Nancy Pelosi's controversial visit to the island. (Joyu Wang and Austin Ramzy / Wall Street Journal)

Related: NDTV

Source: Wall Street Journal.

Police in Hong Kong announced the arrests of more than two dozen members of a pig butchering romance scam ring that used deepfake artificial intelligence to lure its victims into parting with more than $46 million, with victims from Taiwan to Singapore and as far away as India.

Police said the 21 men and six women were held on charges including conspiracy to defraud following a raid on the gang’s alleged operating center at a 4,000-square-foot industrial unit in the city’s Hung Hom district.

Aged 21 to 34, the suspects were mainly well-educated, with many of them digital media and technology graduates allegedly recruited by the gang after attending local universities, police said. The suspects reportedly worked with IT specialists overseas to build a fake cryptocurrency platform, where the victims were coerced to make investments, police added.

According to Hong Kong police, the romance gang’s deepfake scam typically began with a text message in which the sender – posing as an attractive woman – said they had mistakenly added the wrong number.

The alleged scammers then started online romances with their victims, fostering a sense of intimacy until they began planning a future together.

Police said the group was highly organized and divided into departments responsible for different stages of the scam. They even used a training manual to teach members how to carry out the con by taking advantage of “the victim’s sincerity and emotion,” said police, who posted parts of the manual on Facebook.

Among the steps: learning about the victim’s worldview to create a “tailor-made” persona; inventing difficulties such as failed relationships or businesses to “deepen the other person’s trust”; and finally, painting a “beautiful vision” including travel plans together to push the victim into investing.

The scam ran for about a year before police received intelligence about it around August, police said. More than 100 cell phones, the equivalent of nearly $26,000 in cash, and several luxury watches were recovered during the raid, police said. (Jessie Yeung / CNN)

Related: Cryptopolitan, South China Morning Post, The Record, Coinpedia Fintech News, Decrypt, Cryptonews, CoinDesk, Ars Technica, Protos, The Crypto Times

Researchers at SecureWorks report that a company has been hacked after accidentally hiring a North Korean cyber criminal as a remote IT worker.

The unidentified firm hired the technician after he faked his employment history and personal details. Once given access to the company’s computer network, the hacker downloaded sensitive company data and sent a ransom demand.

Secureworks said the IT worker, thought to be a man, was hired in the summer as a contractor. He used the firm’s remote working tools to log into the corporate network.

He then secretly downloaded as much company data as possible after gaining access to internal systems.

He worked for the firm for four months, collecting a salary. Researchers say this was likely redirected to North Korea in a complex laundering process to evade Western sanctions.

After the company sacked him for poor performance, it received ransom emails containing some of the stolen data and a demand to be paid a six-figure sum in cryptocurrency.

The hacker said they would publish or sell the stolen information online if the company did not pay. The firm did not disclose whether the ransom was paid. (Joe Tidy / BBC News)

Related: SecureWorks, Cyberscoop, The Record, it-daily, Cybernews, r/technology, r/cybersecurity

A joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC) reports that the North Korean hacking group ScarCruft launched a large-scale attack in May that leveraged an Internet Explorer zero-day flaw to infect targets with the RokRAT malware and exfiltrate data.

ScarCruft (aka "APT37" or "RedEyes") is a state-sponsored cyber-espionage threat actor known for targeting systems in South Korea and Europe, as well as North Korean human rights activists and defectors, using phishing, watering hole, and Internet Explorer zero-days.

The report outlines a recent ScarCruft campaign dubbed "Code on Toast," which leveraged toast pop-up ads to perform zero-click malware infections.

The flaw used in the zero-day attacks is tracked as CVE-2024-38178, a high-severity type confusion flaw in Internet Explorer.

ASEC and NCSC, responding to the campaign, informed Microsoft immediately, and the tech giant released a security update to address CVE-2024-38178 in August 2024. (Bill Toulas / Bleeping Computer)

Related: ASEC, Korea News Plus, PCMag

APT 37's attack chain. Source: ASEC via Bleeping Computer.

According to the Texas Office of the Attorney General, the Texas Department of Public Safety reported that more than 115,000 customers' information was leaked in a data breach.

The AG’s website said 115,071 Texans have been affected.

Leaked information includes names, addresses, Social Security numbers, driver's license numbers, and government-issued ID numbers.

DPS has not notified customers about the incident. (Penelope Rivera / KERA)

Related: The Dallas Express, Denton Record-Chronicle

A critical vulnerability in Kubernetes could allow unauthorized SSH access to a virtual machine running an image created with the Kubernetes Image Builder project.

With Kubernetes Image Builder, users can create virtual machine (VM) images for various Cluster API (CAPI) providers, like Proxmox or Nutanix, that run the Kubernetes environment. These VMs are then used to set up nodes (servers) that become part of a Kubernetes cluster.

According to a security advisory on the Kubernetes community forums, the critical vulnerability affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

The issue is currently tracked as CVE-2024-9486 and involves the use of default credentials that are enabled during the image-building process and not disabled afterward.

A threat actor who knows this could connect over SSH and use these credentials to gain root access to vulnerable VMs.

The solution is to rebuild affected VM images using Kubernetes Image Builder version v0.1.38 or later, which sets a randomly generated password during the build process and disables the default “builder” account after the process. (Bill Toulas / Bleeping Computer)

Related: Kubernetes Community Forum, The Register, Security Affairs
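The fix described above comes down to two properties of the finished image: the build-time account no longer accepts a known password, and SSH does not let anyone try one. The following added example (not code from the Kubernetes Image Builder project or from the newsletter) audits an image's account database and sshd configuration for exactly that. The /etc/shadow and sshd_config contents are constructed, the hash strings are placeholders rather than real builder credentials, and the account name "builder" is the one the article names.

```python
"""Audit a Linux VM image for a leftover, still-enabled build-time account
of the kind behind CVE-2024-9486. Added example; all inputs are constructed."""
import re

# Password-field prefixes that passwd -l / usermod -L use to lock an account.
LOCKED_PREFIXES = ("!", "*")

# Constructed /etc/shadow contents. The builder hash is a placeholder.
VULNERABLE_SHADOW = """\
root:*:19650:0:99999:7:::
builder:$6$constructedsalt$constructedhashplaceholder:19650:0:99999:7:::
ubuntu:!:19650:0:99999:7:::
"""
FIXED_SHADOW = """\
root:*:19650:0:99999:7:::
builder:!:19650:0:99999:7:::
ubuntu:!:19650:0:99999:7:::
"""


def parse_shadow(text):
    """Return {username: password_field} from /etc/shadow-style text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow record
        accounts[fields[0]] = fields[1]
    return accounts


def account_state(pw_field):
    """Classify a shadow password field: 'empty', 'locked' or 'enabled'."""
    if pw_field == "":
        return "empty"  # no password at all: worse than a default one
    if pw_field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "enabled"


def audit_shadow(text, build_accounts=("builder",)):
    """Findings for build accounts that still accept a password, plus any
    account with an empty password field."""
    findings = []
    for user, pw in parse_shadow(text).items():
        state = account_state(pw)
        if user in build_accounts and state != "locked":
            findings.append(f"{user}: build account is {state}; lock or remove it")
        elif state == "empty":
            findings.append(f"{user}: account has an empty password")
    return findings


def ssh_password_auth_enabled(sshd_config):
    """True unless sshd_config sets PasswordAuthentication no. sshd honours
    the first occurrence of a keyword, and its built-in default is yes, so
    absence counts as enabled. Match blocks are not modelled here."""
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() != "no"
    return True


def image_exposed(shadow_text, sshd_config):
    """The CVE-2024-9486 condition: a usable build account reachable by
    password over SSH. Either fix alone removes the remote exposure."""
    return bool(audit_shadow(shadow_text)) and ssh_password_auth_enabled(sshd_config)


if __name__ == "__main__":
    sshd_default = "# constructed sshd_config with no PasswordAuthentication line\n"
    sshd_hardened = "PasswordAuthentication no\n"
    print("vulnerable image:", audit_shadow(VULNERABLE_SHADOW))
    print("fixed image:", audit_shadow(FIXED_SHADOW))
    print("exposed?", image_exposed(VULNERABLE_SHADOW, sshd_default))
    print("exposed after rebuild?", image_exposed(FIXED_SHADOW, sshd_hardened))
```

Run it against a mounted image's /etc/shadow and /etc/ssh/sshd_config rather than the constructed strings to check a fleet; the shadow check is the one that matters for this advisory, since the rebuilt images also disable the builder account rather than relying on SSH settings alone.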

The Volkswagen Group stated that after the 8Base ransomware group claimed to have stolen valuable information from the carmaker’s systems, it is continuing to monitor the situation closely.

On its leak site, 8Base claims to have stolen invoices, receipts, accounting documents, personal data, certificates, employment contracts, personnel files, and “a huge amount of confidential information.” 

The deadline 8Base set for Volkswagen on its leak site has expired, but the hackers do not appear to have made any of the stolen information public. (Eduard Kovacs / Security Week)

Related: The Register, Teiss, SC Media

The Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog on Oct. 15.

The WHD flaw, CVE-2024-28987 (CVSS 9.1), could let a remote unauthenticated user access internal network functionality without detection and then modify data. This is an especially serious issue because so much of what’s done at a help desk involves resetting sensitive password information.

SolarWinds first disclosed details of the flaw in late August, and cybersecurity firm Horizon3.ai released additional technical specifics a month later.

Citing its finding of open exploitation, CISA has required federal agencies to fix the flaw by Nov. 5. (Steve Zurier / SC Media)

Related: CISA, Tech Radar, Security Affairs

Google has revealed that its approach to making programming code more memory safe involves adopting memory safe languages and making unsafe languages more secure, to the extent possible.

Google has been an avid booster of memory safety for the past few years, celebrating the security benefits that accrue when code is written or rewritten in a language that offers guarantees of memory safety, like Rust.

However, it also acknowledges that legacy C and C++ code can't all be revised or discarded. So it's trying to balance its memory safety evangelism with the reality that C and C++ codebases will exist for decades and must be hardened.

This two-pronged approach has been discussed for some time, but the part about learning to live with unsafe code often gets drowned out by the appreciative odes to Rust and other memory safe languages (MSLs) like Java, Kotlin, Go, and Python. (Thomas Claburn / The Register)

Related: Google Security Blog, Hacker News (ycombinator), r/cpp

Source: Google.

Cyera, the Israel-founded, US-based cybersecurity unicorn that uses artificial intelligence to build what’s known as data security posture management, announced it had acquired Trail Security, a startup that was still in stealth mode building solutions for data loss prevention, for $162 million.

Moreover, sources say Cyera is in the process of raising at least $200 million at a pre-money valuation of around $3 billion. (Ingrid Lunden / TechCrunch)

Related: Silicon Angle, Business Wire, GovInfoSecurity, CTech

Best Thing of the Day: How Not To Develop Secure Software

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) produced a guide to security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).

Bonus Best Thing of the Day: New Uses for Cool Machines

In the wake of the company's bankruptcy, the code that runs Redbox DVD rental machines has been dumped online, and tinkerers are finding new uses for the nifty machines, including running Doom.

Worst Thing of the Day: You Thought Maybe Cyber Incidents Are Going Down?

The new chief executive of the UK's National Cyber Security Centre (NCSC), Richard Horne, said the NCSC has already responded to 50% more nationally significant cyber incidents than last year.

Bonus Worst Thing of the Day: Who Needs Users Anyway

If you're using Cloudflare's bot-blocking tools on your website, you're likely blocking your RSS users from reaching your website.
