Cyber Security Headlines: ‘Snake’ malware network takedown, ‘PlugwalkJoe’ behind massive 2020 Twitter hack, DoJ takes down 13 DDoS-for-Hire sites

Operation Medusa takes down ‘Snake’ malware network

The US Department of Justice (DoJ) announced that a joint operation dubbed Medusa has decimated a 20-year-old malware operation run by Russia’s Federal Security Service of the Russian Federation (FSB). A threat group named Turla used malware called Snake to steal secrets from North Atlantic Treaty Organization (NATO)-member governments. Turla exfiltrated sensitive data through a global network of compromised machines to evade detection. The FBI developed a tool named Perseus, which they used to neutralize the Snake malware by commanding it to overwrite itself on compromised systems.

(Dark Reading and The Register)

‘PlugwalkJoe’ pleads guilty to massive 2020 Twitter hack 

On Tuesday, the DoJ announced that Joseph James O’Connor, a UK citizen known as “PlugwalkJoe,” has pleaded guilty to charges connected to the 2020 Twitter hack affecting numerous high-profile accounts. PlugwalkJoe and unnamed co-conspirators gained access to Twitter’s administrative tools and sent tweets from accounts including that of Elon Musk, Joe Biden, Barack Obama, and Apple. The tweets promoted a Bitcoin scam that raked in almost $120,000. O’Connor also took over an unnamed TikTok user’s account thought to be that of influencer Addison Rae. He pled guilty to multiple charges, including intentionally accessing a computer without authorization, making threatening communications, and cyberstalking.

(The Verge)

Justice Department takes down 13 DDoS-for-Hire sites

The Justice Department continued a busy week, announcing Monday that it has seized 13 Internet domains linked to stressor or booter platforms, more formally known as DDoS-for-hire services. Threat actors have paid for these services to launch millions of attacks against organizations, including schools, universities, governments, and financial institutions. Ten of the 13 illicit domains seized are “reincarnations” of DDoS services that were previously shuttered towards the end of last year.

(Dark Reading and The Hacker News)

EU draft rules make data handling tougher for US cloud providers

A draft proposal from the European Union (EU) would make it more difficult for non-EU cloud service providers, including Amazon, Google, and Microsoft, to secure an EU cybersecurity label to handle sensitive data. These cloud service providers would only gain such a clearance via a joint venture with an EU-based company. Further, the providers could only have a minority stake in the venture. The proposal would place tougher rules on access to sensitive data where a breach could harm public order, public safety, human life or health, or intellectual property. The proposal is likely to spark criticism from affected firms worried about being shut out of the European market.


And now a word from our sponsor, TrendMicro

Cybersecurity is not just about protection, it’s about foresight, agility, and resilience. 

Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. 

Trend Micro, the global leader in cybersecurity is bringing the cyber risk conversation to more than 120 cities around the world in their latest “Risk to Resilience World Tour” — The largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to

GitHub now auto-blocks secret leaks for all repos

On Tuesday, GitHub announced that it has begun automatically blocking the leak of sensitive info including credentials, API and private keys, access tokens, and management certificates for all public code repositories. The feature proactively prevents leaks by scanning for secrets before ‘git push’ operations are accepted. The company introduced push protection in beta a little over one year ago (April 2022). 

(Bleeping Computer)

You should probably patch that (Patch Tuesday edition)

Microsoft’s May 2023 Patch Tuesday security update is the lightest in volume since August 2021, and includes fixes for 49 new vulnerabilities. However two of the vulnerabilities addressed are being actively exploited by attackers. The first is a Win32k privilege escalation bug (CVE-2023-29336) that affects systems running Windows 10 and Windows Server 2008, 2012, and 2016. The other zero-day (CVE-2023-24932) is a security feature bypass issue in the Windows Secure Boot feature. Other notable bugs addressed are a 9.8 severity, low-complexity remote code execution (RCE) bug in Microsoft Network File Systems (NFS) (CVE-2023-24941) and another RCE flaw in SharePoint Server (CVE-2023-24955) disclosed by the Star Labs team at the Pwn2Own Vancouver 2023.

Additionally, Adobe has issued 14 security fixes for bugs in versions 8.3.0 and earlier of its 3D painting software. The majority of the issues are high-severity (‘critical’ based on Adobe’s severity ratings) memory-related vulnerabilities that can be exploited for arbitrary code execution.

Siemens also joined the patching party, publishing six new advisories for 26 vulnerabilities including two critical RCE flaws in its Siveillance Video products.

French industrial giant, Schneider Electric, issued advisories for six flaws affecting Powerlogic power meters, OPC Factory Server, Aveva products, and KNX automation systems. 

And finally, an advisory was issued for a new unpatched Linux NetFilter kernel flaw (CVE-2023-32233) impacting multiple Linux kernel distros including the current stable version 6.3.1. The bug allows unprivileged local users to escalate to root privilege, allowing complete control over a system. A severity level has not yet been assigned. The researchers shared their exploit privately to the Linux kernel team and plan to publicly release their exploit within seven days as required by Linux distros policy.

(Dark Reading and SecurityWeek [1][2][3] and Bleeping Computer [1])

CISOs face growing pressures amidst economic downturn

The 2023 Voice of the CISO report from Proofpoint provides insights from CISOs across more than dozen industries in 16 countries and indicates that over two-thirds (68%) of CISOs 

feel at risk of a material cyber attack in the next 12 months. 82% said they experienced a data loss event due to employees leaving the company. Respondents identified top threats as email fraud, insider threats, cloud account compromise, and distributed denial of service (DDoS) attacks. CISOs indicate seeing stronger and more frequent board-level engagement related to security threats. However, 58% of CISOs indicated the current economic downturn has negatively impacted their organization’s cybersecurity budget. Further, more than half of those polled reported struggling with personal liability risks and nearly two-thirds (61%) said they face excessive expectations.


Microsoft disarms MFA bombers with number matching 

Starting this week, Microsoft is taking stronger measures to defend against multi-factor authentication (MFA) push spamming and push bombing attacks. Authenticator users will be required to type in a one-time code to complete the MFA process and will not be able to opt out of the feature. Microsoft clarified that Windows users who don’t use Authenticator will not be affected by the new requirement.

(The Register)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.