
Cybersecurity Today: From DDoS Attacks to Developer Sabotage In today's episode, host Jim Love discusses several major cybersecurity incidents: the pro-Palestinian group Dark Storm's claimed DDoS attack on X Twitter and its implications; the impact of...
Jim Love
A pro-Palestinian group claims credit for the Twitter outage. A US cybersecurity group is devastated by DOGE cuts, US authorities recovered $23 million from a cryptocurrency hack, and a developer is sentenced for his kill switch. This is Cybersecurity Today. I'm your host, Jim Love. A pro-Palestinian hacktivist group, the Dark Storm team, has claimed responsibility for the Distributed Denial of Service, or DDoS, attack on X (Twitter) on Monday of this week. Elon Musk initially indicated that the massive attack came from IP addresses from around Ukraine, but cybersecurity experts cautioned against drawing conclusions based solely on IP data. Attackers often use compromised devices and proxy networks to mask their true locations, but Dark Storm emerged as the only group taking credit for the incident, posting their claim on their new Telegram channel. If this is true, it marks the resurgence of this dangerous group after a period of some inactivity. Established in 2023, the Dark Storm team is recognized for conducting cyber attacks against entities perceived to support Israel. Their operations have predominantly involved DDoS attacks, aiming to overwhelm targeted systems with excessive traffic, rendering them inaccessible to legitimate users. Prior to the attacks on X, the group had been inactive following the shutdown of their Telegram channel. Since reactivating, the Dark Storm team has targeted various organizations across multiple countries, including, in the United States, the Los Angeles International Airport; in Israel, the Port of Haifa; and in the United Arab Emirates, the Ministry of Defense. These attacks have successfully disrupted critical infrastructure, highlighting the group's capability to impact essential services. So despite Musk's attempt to suggest that Ukraine was somehow responsible for the attack, there is no evidence of that at this point.
But what Musk failed to talk about, and what some analysts have reported, is that some of X's origin servers were not adequately secured behind the company's DDoS protection services, rendering them susceptible to direct attacks, and the oversight allowed the botnet to target these servers most effectively. X has since addressed these vulnerabilities to bolster its defenses against future incidents. Which leaves us with the potential resurgence of Dark Storm, with their focus on high-profile platforms and critical infrastructure, necessitating robust security protocols and safeguards for digital communication channels and essential infrastructure services. And in a related story, the US Cybersecurity and Infrastructure Security Agency, CISA, has experienced significant personnel reductions following a budget cut implemented by the Department of Government Efficiency, or DOGE, run by Elon Musk and established under President Trump's administration. These cuts have notably impacted top recruits responsible for safeguarding the nation's critical infrastructure against cyber threats. One of those terminated, cybersecurity specialist Paula Davis, noted, "We're being targeted daily, hourly and every single minute," citing suspected cybercriminals' attempts to infiltrate water systems and even the power grid. The reduction in the workforce raises concerns about the agency's capacity to effectively coordinate cybersecurity efforts across federal agencies and the private sector. Rob Joyce, former NSA director of cybersecurity, expressed that such layoffs could have a devastating impact on national security, particularly in countering threats from adversarial nations. The layoffs exacerbate existing challenges in attracting and retaining cybersecurity professionals within the federal government in the first place. The cybersecurity industry already faces a workforce shortage, with only enough professionals to fill at most 83% of available jobs.
The recent cuts may deter potential candidates from considering federal positions, further widening the talent gap. And on a more positive note, US authorities have seized over $23 million in stolen cryptocurrency linked to the $150 million hack of a Ripple wallet, a case that cybersecurity experts believe is connected to the 2022 LastPass data breach. The Department of Justice alleges that attackers gained unauthorized access by cracking passwords stored in an online password manager widely believed to be LastPass, and it's quite amazing that the police were able to track and freeze the funds stolen. Hackers usually rapidly move stolen assets across multiple drop accounts and quickly cash out. But reportedly Chris Larson, Ripple co-founder and the victim of the attack, notified authorities quickly. A team of security researchers and federal agents were able to trace and freeze the funds, following them through multiple exchanges, including OkX, Kraken, Whitebit and Fixed Float. Authorities moved swiftly to freeze $24 million in crypto before it could be withdrawn. According to a recently unsealed DOJ complaint, attackers likely extracted private keys from the victim's password vault, since they seem to have bypassed traditional attack techniques like device compromise or even SIM swapping. The conclusion was that Larson, like other high-profile crypto theft victims, had stored his seed phrases, the keys to his crypto accounts, in LastPass's secure notes section before the 2022 breach. While LastPass appears to deny conclusive evidence linking its breach to the crypto heists, the evidence certainly suggests that it was a result of this 2022 hack. Which raises the question that some security researchers have asked: why didn't LastPass notify people about this vulnerability?
The case highlights the lingering risks of password manager breaches and the vulnerabilities of storing sensitive financial data online. And New York State has filed a lawsuit against Allstate Insurance and its subsidiary National General, alleging inadequate data security measures led to two significant data breaches in 2020 and 2021. These breaches exposed the driver's license numbers of nearly 200,000 individuals, including over 165,000 New Yorkers. Between August and November 2020, attackers exploited vulnerabilities in National General's online quoting websites. A function that pre-populated the web forms would give anyone access to key information like the driver's license number of any resident at a given address; that affected 12,000 individuals. The company made the situation worse by not just failing to detect the breach for over two months, but also not notifying consumers or state agencies as is required by law. A second breach occurred in early 2021, this one more extensive and compromising the personal information of an additional 187,000 individuals, including about 155,000 New Yorkers. This type of information is hugely valuable to cyber crooks who are looking to exploit it for identity theft and other nefarious purposes. This incident was discovered in February 2021, shortly after Allstate acquired National General in January of 2021. The lawsuit, filed by the New York Attorney General Letitia James, accuses National General and Allstate of failing to implement reasonable data security measures, misrepresenting their data security practices to consumers, and neglecting to notify affected individuals promptly. The state seeks civil fines of $5,000 per violation and other remedies. Allstate has stated that it addressed the issue years ago by securing its systems.
After identifying vulnerabilities in the online quoting pool, the company claims it promptly notified regulators, contacted potentially affected consumers, and offered free credit monitoring as a precaution. But this legal action underscores the critical importance of robust cybersecurity measures in protecting consumer data. Companies know that they're legally obligated to safeguard personal information and promptly inform affected individuals and authorities in the event of a breach. But it appears that New York is demonstrating that failure to do this can result in some severe legal consequences, financial penalties in addition to damage to the company's reputation. After this breach, nobody's going to say you're in good hands with Allstate. And finally, a 55-year-old software developer from Houston, Texas, has been convicted of intentionally damaging his employer's computer systems by deploying malicious code designed to disrupt operations upon his departure. The developer, identified as Davis Liu, worked for an Ohio-based company, reportedly Eaton Corporation, from November 2007 until his termination in September of 2019 following a corporate restructuring. In 2018, Liu experienced a reduction in his responsibilities, which led to some dissatisfaction with his role. So in August 2019, Liu reportedly deployed custom malware that caused production servers to crash by exhausting system resources through putting them through infinite loops. He is also said to have deleted colleagues' user profiles. But finally, he also implemented a kill switch named IsDLEnabledinAD, an abbreviation of "Is Davis Liu enabled in Active Directory." The code was designed to lock out all users if his account in the company's Windows Active Directory was disabled. Upon his termination on September 9, 2019, the kill switch was activated, resulting in thousands of employees losing access to critical systems.
The sabotage was discovered following the system disruptions that coincided with Liu's termination. Investigations revealed the presence of the malicious code linked to Liu. Some reports stated that the code was linked to his computer or his ID, but frankly, the name of the kill switch alone made it clear who had implemented the malicious code. Liu was subsequently arrested and charged with causing intentional damage to protected computers. A jury recently convicted Liu, and he now faces a maximum penalty of 10 years in prison. A sentencing date has not yet been set. While events like this are certainly extreme, other forms of sabotage, such as leaking company information, could be equally damaging. So companies of all sizes need to take a serious look at their security and termination processes with what we're calling a zero trust lens. It's almost like you really want to do terminations carefully, not with a chainsaw. Just a thought. Thanks to all of you who went to buymeacoffee.com/techpodcast to support the podcast. We're about halfway to where we need to be to stay solvent. So if you haven't already done it, if you can chip in as little as five bucks a month Canadian, we can keep these programs on the air. That's buymeacoffee.com/techpodcast. Thanks again, and as always, thanks for listening.
Podcast Summary: Cybersecurity Today – "The X Attack - More Information Surfaces"
Episode Details:
Timestamp: [00:00-07:30]
In the latest cybersecurity incident, a pro-Palestinian hacktivist group known as the Dark Storm team has claimed responsibility for a Distributed Denial of Service (DDoS) attack on X (formerly Twitter) that occurred on a recent Monday. Initially, CEO Elon Musk attributed the attack to IP addresses originating from Ukraine. However, cybersecurity experts cautioned against this assumption, pointing out that attackers often utilize compromised devices and proxy networks to obscure their true locations.
Jim Love reports, “Despite Musk's attempt to suggest that Ukraine was somehow responsible for the attack, there is no evidence of that at this point,” emphasizing the importance of accurate attribution in cyberattack investigations.
Established in 2023, Dark Storm has focused on targeting entities perceived to support Israel, primarily through overwhelming DDoS attacks that render systems inaccessible to legitimate users. This attack signals the group's resurgence after a period of inactivity following the shutdown of their Telegram channel. Their recent targets include high-profile organizations such as the Los Angeles International Airport, the Port of Haifa, and the UAE Ministry of Defense, demonstrating their capability to disrupt critical infrastructure.
Cyber experts highlighted that some of X's origin servers were inadequately protected behind the platform's DDoS protection services, which allowed the botnet to reach them directly and execute the attack effectively. In response, X has fortified these vulnerabilities to better defend against future threats.
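The origin-server finding above comes down to one control: an origin that sits behind a DDoS-protection or CDN edge should accept web traffic only from that provider's published edge addresses, so a botnet that learns the origin's real IP gains nothing. The following script is an added example from this editor, not code from the podcast, from X, or from any provider. The edge ranges and the origin connection records are constructed for the example, and the provider itself is hypothetical. It audits a set of observed connections for sources that reached the origin's web ports without passing through the edge, and renders the nftables-style allowlist that would have closed the gap.

```python
"""Audit an origin server for traffic that bypassed the DDoS-protection edge.

Added example for illustration; not the podcast's, X's, or any vendor's code.
EDGE_RANGES and SAMPLE_CONNECTIONS are constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Constructed: published edge ranges of a hypothetical DDoS-protection provider.
# In practice these come from the provider's documented IP list and must be
# refreshed whenever the provider updates it.
EDGE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:cafe::/48")
]

# Constructed: (source address, destination port) pairs seen at the origin.
SAMPLE_CONNECTIONS: List[Tuple[str, int]] = [
    ("203.0.113.17", 443),       # via edge: fine
    ("198.51.100.200", 443),     # outside the /25: reached origin directly
    ("192.0.2.44", 80),          # not an edge address: reached origin directly
    ("192.0.2.44", 22),          # admin port, not a web port: out of scope here
    ("2001:db8:cafe::1", 443),   # via edge (IPv6): fine
    ("2001:db8:dead::1", 443),   # IPv6 source outside the edge range
    ("203.0.113.250", 80),       # via edge: fine
]

WEB_PORTS = (80, 443)


def is_from_edge(src: str, ranges: Sequence[ipaddress._BaseNetwork] = EDGE_RANGES) -> bool:
    """True if the source address falls inside one of the edge ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ranges)


def find_bypass_sources(
    connections: Iterable[Tuple[str, int]],
    ranges: Sequence[ipaddress._BaseNetwork] = EDGE_RANGES,
    web_ports: Sequence[int] = WEB_PORTS,
) -> List[str]:
    """Return the distinct sources that hit a web port without coming through the edge.

    A non-empty result means the origin is directly reachable and the edge's
    DDoS protection can be sidestepped, which is the misconfiguration described
    in the report.
    """
    bypass = {src for src, port in connections if port in web_ports and not is_from_edge(src, ranges)}
    # IPv4 and IPv6 addresses do not compare with each other, so sort by (version, value).
    return sorted(bypass, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))


def allowlist_rules(
    ranges: Sequence[ipaddress._BaseNetwork] = EDGE_RANGES,
    web_ports: Sequence[int] = WEB_PORTS,
) -> List[str]:
    """Render nftables-style rules: accept web traffic from edge ranges, drop the rest.

    The rule text is illustrative; adapt the table/chain names to the host's ruleset.
    """
    ports = "{ " + ", ".join(str(p) for p in web_ports) + " }"
    rules = []
    for net in ranges:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"nft add rule inet filter input {family} saddr {net} tcp dport {ports} accept")
    # Final rule: anything else aimed at the web ports is dropped.
    rules.append(f"nft add rule inet filter input tcp dport {ports} drop")
    return rules


if __name__ == "__main__":
    for src in find_bypass_sources(SAMPLE_CONNECTIONS):
        print(f"origin reached directly from {src}")
    print("\n".join(allowlist_rules()))
```

Running the audit over the constructed sample reports three sources that reached the origin without touching the edge. The firewall allowlist is only half of the fix: the origin's address also has to stay out of DNS history and certificate transparency records, and the edge-to-origin path should carry a secret header or mutual TLS so that an allowlisted range cannot be spoofed.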
Key Insights:
Timestamp: [07:31-15:00]
The Cybersecurity and Infrastructure Security Agency (CISA) is undergoing significant personnel reductions due to budget cuts implemented by the Department of Government Efficiency (DOGE), an entity established under President Trump's administration and now overseen by Elon Musk. These cuts have severely impacted CISA's ability to safeguard the nation's critical infrastructure against escalating cyber threats.
Cybersecurity specialist Paula Davis stated, “We’re being targeted daily, hourly, and every single minute,” highlighting the constant pressure from cybercriminals attempting to infiltrate vital systems like water supplies and the power grid.
Former NSA Director Rob Joyce expressed grave concerns, stating, “Such layoffs could have a devastating impact on national security, particularly in countering threats from adversarial nations,” pointing out that the reduction exacerbates the existing workforce shortage in the federal cybersecurity sector, which currently fills only about 83% of available positions.
Key Implications:
Timestamp: [15:01-24:30]
A significant victory in the fight against cybercrime has been achieved as US authorities seized over $23 million in stolen cryptocurrency connected to a $150 million hack of a Ripple Wallet. This breach is believed to be linked to the 2022 LastPass data breach, where attackers allegedly cracked passwords stored in the password manager to gain unauthorized access to Ripple’s wallet.
Jim Love notes, “It’s quite amazing that the police were able to track and freeze the funds,” attributing the success to the prompt action taken by Ripple co-founder Chris Larson, who reported the theft swiftly. A collaboration between security researchers and federal agents traced the stolen funds through multiple exchanges, including OkX, Kraken, Whitebit, and Fixed Float, allowing authorities to freeze approximately $24 million before it could be withdrawn.
The Department of Justice (DOJ) alleges that the attackers bypassed traditional security measures by extracting private keys from the victim's password vault, likely exploiting vulnerabilities from the LastPass breach. Although LastPass denies conclusive evidence linking its breach to these crypto heists, the incident underscores the persistent risks associated with password manager vulnerabilities and the storage of sensitive financial data online.
Key Takeaways:
Timestamp: [24:31-35:00]
New York State has initiated legal action against Allstate Insurance and its subsidiary, National General, alleging inadequate data security measures that led to significant data breaches in 2020 and 2021. These breaches exposed the driver's license numbers of nearly 200,000 individuals, including over 165,000 New Yorkers.
Between August and November 2020, attackers exploited vulnerabilities in National General’s online quoting websites, where a function pre-populating web forms inadvertently exposed sensitive information. The situation deteriorated further in early 2021 when a second, more extensive breach compromised the personal information of an additional 187,000 individuals.
The New York Attorney General Letitia James accuses the companies of failing to implement reasonable security measures, misrepresenting their data security practices, and neglecting timely notifications to affected individuals and state agencies. The state is seeking civil fines of $5,000 per violation along with other remedies.
Allstate has responded by claiming they addressed the vulnerabilities years prior, promptly notified regulators, reached out to potentially affected consumers, and offered free credit monitoring as a precautionary measure.
Jim Love emphasizes, “This legal action underscores the critical importance of robust cybersecurity measures in protecting consumer data,” highlighting the severe legal and reputational consequences companies face when failing to safeguard personal information adequately.
Key Points:
Timestamp: [35:01-45:30]
In a noteworthy case of insider threat, a 55-year-old software developer from Houston, Texas, Davis Liu, has been convicted for intentionally damaging his former employer's computer systems. Liu worked for Eaton Corporation from 2007 until his termination in September 2019, following corporate restructuring.
Jim Love outlines the events, “Liu deployed custom malware that caused production servers to crash by exhausting system resources through infinite loops,” further detailing how Liu deleted colleagues’ user profiles and implemented a kill switch named IsDLEnabledinAD (Is Davis Liu enabled in Active Directory). This malicious code was designed to lock out all users if Liu’s account was disabled, leading to a significant disruption upon his termination.
The sabotage resulted in thousands of employees losing access to critical systems, prompting investigations that linked the malware to Liu. Facing charges of causing intentional damage to protected computers, Liu was convicted and now faces up to 10 years in prison. A sentencing date is yet to be determined.
Jim Love cautions, “Companies of all sizes need to take a serious look at their security and termination processes with what we're calling a zero trust lens,” advocating for meticulous security measures during employee terminations to prevent similar incidents.
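The kill switch described in this segment has a recognisable footprint from the defender's side: one account is disabled, and within minutes a large number of unrelated accounts start failing to log on or get locked out. A security team can watch for exactly that correlation in domain controller audit logs. The script below is an added example from this editor, not code from the podcast or from the company involved. It uses the real Windows Security event IDs 4725 (user account was disabled), 4740 (user account was locked out) and 4625 (account failed to log on), but the one-line log format and the event lines themselves are constructed for the example; a real deployment would read these fields from the Windows event log or a SIEM export instead.

```python
"""Flag a mass lockout that follows one account being disabled.

Added example for illustration; not code from the podcast or the employer in the story.
The log line format and SAMPLE_EVENTS are constructed. Event IDs are the
standard Windows Security audit IDs: 4725 disabled, 4740 locked out, 4625 failed logon.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Target=(?P<target>\S+)")

# Constructed sample: a disabled service account followed by a burst of lockouts,
# then a routine contractor offboarding later in the day with no such burst.
SAMPLE_EVENTS = """\
2025-01-06T09:00:00 EventID=4725 Target=svc_legacy Actor=hr-admin
2025-01-06T09:00:21 EventID=4740 Target=alice Actor=DC01
2025-01-06T09:00:23 EventID=4625 Target=bob Actor=WS-104
2025-01-06T09:00:25 EventID=4740 Target=carol Actor=DC01
2025-01-06T09:00:26 EventID=4625 Target=alice Actor=WS-022
2025-01-06T09:00:40 EventID=4740 Target=dave Actor=DC01
2025-01-06T09:01:02 EventID=4625 Target=erin Actor=WS-300
2025-01-06T09:02:15 EventID=4740 Target=frank Actor=DC01
2025-01-06T09:30:00 EventID=4740 Target=grace Actor=DC01
2025-01-06T14:00:00 EventID=4725 Target=contractor7 Actor=hr-admin
2025-01-06T14:03:00 EventID=4625 Target=contractor7 Actor=WS-104
2025-01-06T14:05:00 EventID=4740 Target=henry Actor=DC01
""".splitlines()

DISABLED = 4725
LOCKOUT_OR_FAILURE = (4740, 4625)


def parse_events(lines: Iterable[str]) -> List[Tuple[datetime, int, str]]:
    """Parse log lines into (timestamp, event id, target account), skipping malformed lines."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), m["target"]))
    return sorted(events)


def find_mass_lockouts_after_disable(
    lines: Iterable[str], window_minutes: int = 10, min_victims: int = 5
) -> List[Dict[str, object]]:
    """For each account-disabled event, count distinct other accounts that were
    locked out or failed to log on inside the following window. Return an alert
    for every disable event whose victim count reaches the threshold.

    The disabled account itself is excluded: its own failed logons after the
    disable are expected and not evidence of a kill switch.
    """
    events = parse_events(lines)
    alerts = []
    for ts, eid, target in events:
        if eid != DISABLED:
            continue
        deadline = ts + timedelta(minutes=window_minutes)
        victims = {
            t for ts2, e2, t in events
            if e2 in LOCKOUT_OR_FAILURE and ts < ts2 <= deadline and t != target
        }
        if len(victims) >= min_victims:
            alerts.append({
                "disabled_account": target,
                "disabled_at": ts.isoformat(),
                "victims": len(victims),
                "window_minutes": window_minutes,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_lockouts_after_disable(SAMPLE_EVENTS):
        print(f"ALERT: {alert['victims']} accounts locked out or failing within "
              f"{alert['window_minutes']} min of disabling {alert['disabled_account']} "
              f"at {alert['disabled_at']}")
```

On the constructed sample the detector fires once, for the disable event at 09:00 that is followed by six distinct victims, and stays quiet for the afternoon offboarding, where the only failures belong to the disabled account itself. The threshold and window are tuning knobs: a large domain will see a few lockouts in any ten-minute span, so the threshold should sit well above the normal background rate observed from the same logs.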
Key Lessons:
This episode of Cybersecurity Today delves into a spectrum of pressing cybersecurity issues, from sophisticated cyberattacks by hacktivist groups and internal threats from disgruntled employees to significant legal actions against corporations failing to protect consumer data. The discussions underscore the ever-evolving landscape of cyber threats and the imperative for robust, proactive security measures across all sectors. Host Jim Love effectively highlights the interconnectedness of these issues, providing listeners with a comprehensive overview of the current state of cybersecurity and the ongoing challenges faced by organizations and authorities alike.
Stay Informed: For more insights and updates on the latest in cybersecurity, subscribe to Cybersecurity Today and join host Jim Love in navigating the complexities of the digital threat landscape.