On Thursday, a former CIA programmer who spilled the agency’s top-secret hacking toolbox online received a sentence of 40 years in prison. Joshua Schulte’s sentencing encompasses a 2022 guilty verdict handed down for causing the largest data breach in CIA history in 2017, as well as a separate trial last year for possession of child sexual abuse materials that also resulted in a jury verdict of guilty. A 2020 trial on the leaking charges that ended with a hung jury also produced convictions of contempt of court and making material false statements.
Schulte, 35, developed penetration tools for the espionage service and sent WikiLeaks a trove of techniques used for snooping on iPhones, Cisco networking devices, Skype and smart TVs (see: 7 Facts: ‘Vault 7’ CIA Hacking Tool Dump by WikiLeaks).
“Joshua Schulte betrayed his country by committing some of the most brazen, heinous crimes of espionage in American history,” said U.S. Attorney Damian Williams of the Southern District of New York. “And all the while, Schulte collected thousands upon thousands of videos and images of children being subjected to sickening abuse for his own personal gratification.”
Hacker Used Stolen Okta Tokens in Cloudflare Attack
A probable nation-state hacker used an access token and three service account credentials stolen from Okta in September to access a self-hosted Atlassian server used by internet infrastructure provider Cloudflare, Cloudflare disclosed Thursday.
The company said it “failed to rotate” the credentials after Okta disclosed the attack in October.
Cloudflare said no customer data or systems were affected by the penetration, a fact it attributed to its embrace of zero trust architecture. Zero trust is “like bulkheads in a ship where a compromise in one system is limited from compromising the whole organization,” company executives wrote in a blog post.
Cloudflare called the attacker – whom it didn’t name – “sophisticated” and said they had a “thoughtful and methodical manner” and likely hailed from a nation-state operation.
According to the company’s timeline, from Nov. 14 to Nov. 17 the hacker conducted reconnaissance and accessed the internal wiki, which is based on Atlassian Confluence, and the bug database, which is based on Atlassian Jira. “On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity,” Cloudflare said.
On Nov. 22, the hacker used a Jira automation and customization tool called ScriptRunner to establish persistent access. The attacker “tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
Cyber defenders terminated the attacker’s access on Nov. 24, the company said.
Cybersecurity Attack on Georgia’s Fulton County Causes Outages
Georgia’s Fulton County is grappling with a cybersecurity attack that disrupted phone lines, the court system and the tax system over the weekend. Among the affected county employees is District Attorney Fani Willis, who leads an election interference criminal case against former President Donald Trump and alleged co-conspirators.
“At this time, we are not aware of any transfer of sensitive information about citizens or employees, but we will continue to look carefully at this issue,” county Board of Commissioners Chairman Robb Pitts said during a Monday press conference.
The Atlanta Journal-Constitution reported Thursday that cyber experts believe the attack was a ransomware attack and was likely not politically motivated. The county is recovering from the attack although many public services and internal county operations are still inoperative, the newspaper said.
Ukraine Detains Alleged Russian ‘Cyber Army’ Hacker
The Ukrainian domestic security service agency said on Telegram that it has arrested a suspected member of Russian intelligence-backed hacker group Cyber Army of Russia. Authorities said the individual, identified as a tech specialist from Kharkiv, had conducted DDoS attacks on government websites. The suspect allegedly joined the group through a hacker channel on Telegram.
Authorities said the man fed target information for missile attacks, including one that struck a hospital. If convicted, he could face a maximum sentence of 12 years in prison.
USB-Based Malware Campaign Targeted Italian Organizations
A financially motivated threat group tracked by Mandiant as UNC4990 is using USB devices to infect Italian organizations – and using third-party websites such as GitHub, Vimeo and the forum section of news site Ars Technica to host malicious payloads.
The threat intelligence company said the threat actors have been active since at least 2020 and favor targets in the health, transportation, construction and logistics sectors. The legitimate services the hackers used to host payloads weren’t hacked. “Nor did any of these organizations have anything misconfigured to allow for this abuse,” Mandiant said. In the case of Vimeo, the hackers inserted an encoded payload into the description of a video about spacy progressive rock band Pink Floyd. The video is no longer available.
An infection starts with a victim clicking a malicious LNK shortcut file on a USB device, which leads to the execution of an encoded PowerShell script that loads a downloader Mandiant dubbed Emptyspace, also known as BrokerLoader and Vetta Loader. The downloader retrieves the executable payload hidden on a third-party website.
The threat actors use a backdoor Mandiant calls Quietboard that is capable of arbitrary command execution, clipboard content manipulation for cryptocurrency theft, removable drive infection, screenshotting, system information gathering and communication with the C2 server.
Planet Home Lending Notifies Customers of Ransomware Attack
Planet Home Lending said it had been hacked by Russian-speaking extortion gang LockBit and notified nearly 200,000 customers of a November data breach incident. The non-bank lender attributed the breach to a vulnerability in NetScaler devices known as Citrix Bleed (see: Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions).
Compromised personally identifiable information includes names, addresses, Social Security numbers, loan numbers and financial account details. The company said it had not paid a ransom demand and does not plan to pay any ransom to the threat actor.
Ukrainian Critical Infrastructure Targeted
Several state-owned Ukrainian critical infrastructure operators reported service disruption last week stemming from a cyberattack on their cloud-based information systems maintained by the Parkovy data center facility in Kyiv.
At least five Ukrainian organizations confirmed the service disruption, including state-owned energy company Naftogaz; national postal service provider Ukrposhta; state railway Ukrzaliznytsia; DSBT, the agency responsible for transport safety; and the state television channel established for residents of the occupied areas of Ukraine.
Parkovy restored data access last Friday but anticipated 48 hours for complete recovery from available backups.
With reporting from Information Security Media Group’s Mihir Bagwe in Mumbai, India and David Perera in Washington, D.C.