Cyber Security Headlines: Twitter enlists George Hotz, $575 million crypto scheme, DraftKings $300K theft

Twitter enlists hacker George Hotz for 12 week “internship”

Despite Twitter’s rapidly diminishing workforce, Elon Musk has signed on hacker and frenemy George Hotz for a 12-week “internship.” Hotz is known for his security hacks, including iOS jailbreaks and reverse engineering the PlayStation 3. Interestingly, Hotz and Musk have history: the two got into a spat after Musk allegedly tried to hire Hotz at Tesla but “kept changing the terms.” Subsequently, Hotz founded Comma.ai, whose driver assistance system aimed to bring Tesla Autopilot–like functionality to other cars. The two appear to have made amends after reconnecting on Twitter. Hotz described his new role at Twitter as being in charge of search for the platform.

(TechCrunch)

Estonian duo arrested for masterminding $575 million Ponzi scheme

Two 37-year-old Estonian men, Sergei Potapenko and Ivan Turõgin, face up to 20 years behind bars for their role in a massive crypto-related Ponzi scheme. Between 2015 and 2019, the pair allegedly persuaded thousands of investors to put over $550 million into HashFlare. HashFlare supposedly enabled investors to rent a portion of the firm’s cryptocurrency mining operations in exchange for the crypto it produced. While HashFlare’s website showed big profits, in reality the firm was mining Bitcoin at less than 1% of the rate it claimed. When investors tried to withdraw funds, the scammers either refused or paid them with virtual currency purchased on the open market. In a separate scam, the fraudsters raised an additional $25 million by convincing victims to invest in Polybius, a bank specializing in virtual currency that never actually existed. The duo laundered funds using “shell companies and phony contracts and invoices” to buy at least 75 properties, six luxury vehicles, cryptocurrency wallets and thousands of cryptocurrency mining machines.

(Infosecurity Magazine)

Hackers steal $300K from DraftKings customers

Sports betting site DraftKings says an undisclosed number of customers lost $300,000 through a suspected credential stuffing campaign. DraftKings says it believes customer accounts were accessed using credentials compromised on other websites. It appears that, once cyber-criminals hijacked the DraftKings accounts, they changed the passwords and enabled two-factor authentication (2FA) for a phone number in their possession, locking out the legitimate customers. DraftKings said it would “make whole” any customer who was impacted, although the firm presumably has no liability in this case. DraftKings indicated that it has seen no evidence of a breach on its own site.

(Infosecurity Magazine)
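The DraftKings story describes two signals a defender can look for in authentication logs: one source IP trying leaked credentials against many accounts with mostly failures, and, after a successful login from an address never seen for that account, an immediate password change plus a 2FA phone change that locks the real owner out. The script below, an added example and not code from DraftKings or Infosecurity Magazine, runs both checks over a constructed set of auth events; the event schema, usernames, IP addresses, the per-account list of known IPs and the thresholds are all assumptions made for illustration.

```python
"""Credential-stuffing and lock-out-takeover detection over constructed auth logs.

Two detections:
  1. find_stuffing_sources  - IPs spraying logins across many accounts, mostly failing
  2. find_lockout_takeovers - a login from an IP never seen for that account, followed
                              within a short window by a password change AND a 2FA
                              phone change from the same IP
Everything below (events, users, IPs, thresholds) is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event tuples: (ISO timestamp, source IP, account, event type).
# 203.0.113.9 replays leaked credentials against eight accounts; only "alice" works,
# and it is then locked out by changing the password and the 2FA phone number.
SAMPLE_EVENTS = [
    (f"2022-11-22T11:59:{i:02d}", "203.0.113.9", f"user{i}", "login_fail") for i in range(7)
] + [
    ("2022-11-22T12:00:30", "203.0.113.9", "alice", "login_ok"),
    ("2022-11-22T12:01:10", "203.0.113.9", "alice", "password_change"),
    ("2022-11-22T12:01:40", "203.0.113.9", "alice", "mfa_phone_change"),
    # bob changes his own password from his usual address: benign
    ("2022-11-22T12:05:00", "10.0.0.7", "bob", "login_ok"),
    ("2022-11-22T12:06:00", "10.0.0.7", "bob", "password_change"),
    # carol mistypes her password twice from a new address, then logs in: benign
    ("2022-11-22T12:10:00", "198.51.100.4", "carol", "login_fail"),
    ("2022-11-22T12:10:20", "198.51.100.4", "carol", "login_fail"),
    ("2022-11-22T12:10:40", "198.51.100.4", "carol", "login_ok"),
]

# Constructed "IPs previously seen for this account" baseline (assumption: built
# from historical successful logins).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}, "carol": {"10.0.0.9"}}


def parse(events):
    """Turn the string timestamps into datetimes so windows can be compared."""
    return [(datetime.fromisoformat(ts), ip, user, ev) for ts, ip, user, ev in events]


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.2):
    """Return {ip: (distinct_accounts, attempts, successes)} for source IPs whose
    login attempts are spread over many accounts and mostly fail: the signature of
    replaying credentials leaked from another site."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, ev in parse(events):
        if ev not in ("login_fail", "login_ok"):
            continue
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ev == "login_ok":
            stats["ok"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = (len(stats["users"]), stats["attempts"], stats["ok"])
    return flagged


def find_lockout_takeovers(events, known_ips, window=timedelta(minutes=30)):
    """Return [(user, ip)] where a successful login from an IP not in the account's
    baseline is followed, within `window`, by both a password change and a 2FA
    phone change from that same IP: the lock-the-owner-out pattern."""
    evs = sorted(parse(events))
    hits = []
    for i, (t0, ip, user, ev) in enumerate(evs):
        if ev != "login_ok" or ip in known_ips.get(user, set()):
            continue
        seen = set()
        for t1, ip1, user1, ev1 in evs[i + 1:]:
            if t1 - t0 > window:
                break
            if user1 == user and ip1 == ip and ev1 in ("password_change", "mfa_phone_change"):
                seen.add(ev1)
        if len(seen) == 2:
            hits.append((user, ip))
    return hits


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_EVENTS))
    print("lock-out takeovers:", find_lockout_takeovers(SAMPLE_EVENTS, KNOWN_IPS))
```

The two checks are deliberately independent: the first catches the spray even when no login succeeds, and the second catches the post-login lock-out even when the credential replay came from many rotating addresses. A per-account baseline of known IPs is the assumption that makes the second check cheap; without one, the same logic can key on a new device fingerprint or geolocation instead.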

US senators ask Fidelity to reconsider Bitcoin 401(k)

Back in April, investment firm Fidelity said that it wanted to allow investors to put Bitcoin into their 401(k) accounts. On Monday, three Democratic senators urged Fidelity to reconsider exposing retail clients to Bitcoin in light of the collapse of FTX. Similar concerns were raised by the Department of Labor back in April. In a written letter, the senators stated, “The ill-advised, deceptive and potentially illegal actions of a few have a direct impact on the valuation of bitcoin and other digital assets.”

(CoinDesk)

Thanks to today’s episode sponsor, Compyl

Preparing a Thanksgiving meal can be stressful, but managing your security and compliance program doesn’t have to be. Compyl quickly integrates with the tools you use, and automates 85% of the day-to-day tasks, all while providing complete visibility and comprehensive reporting along the way. Learn about Compyl today at www.compyl.com.

Hackers breach energy orgs via bugs in discontinued web server

Back in April, Recorded Future reported that state-backed Chinese hacking groups targeted multiple Indian electrical grid operators, including Tata Power. The report noted that the attackers hacked Internet-exposed cameras, but didn’t specify how. On Tuesday, Microsoft clarified that the attackers exploited a vulnerable component in the Boa web server, a software solution discontinued since 2015. Boa servers are pervasive across IoT devices because of the web server’s inclusion in popular software development kits (SDKs). Microsoft says it expects more attacks because, in a single week, it has detected more than 1 million internet-exposed Boa server components.

(Bleeping Computer)

Experts warn threat actors may abuse popular red team tool

Researchers from Proofpoint are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. In 2021, MDSec created the tool, which is an advanced C2 framework and a commercially distributed remote access trojan (RAT) designed for legitimate use. Proofpoint’s analysis also revealed an “extensive list of configurable evasion techniques” within the product’s code. Proofpoint has seen a rise in threat actors leveraging red teaming tools because it helps with complicating attribution, evading endpoint detection, and streamlining the hacking process. Proofpoint concluded that security vendors should take note of Nighthawk’s capabilities in order to deliver effective protection to their customers.

(Infosecurity Magazine)

Ducktail hackers target Facebook business accounts

On Tuesday, researchers at WithSecure warned that a Vietnamese hacking operation dubbed “Ducktail” is targeting individuals and companies operating on Facebook’s Ads and Business platform. The researchers spotted the campaign early this year but say the group recently evolved its tactics. For example, Ducktail added new spear-phishing avenues (like WhatsApp), enhanced its malware to better evade detection by changing file formats to look more legitimate, and added more robust methods for obtaining attacker-controlled email addresses. WithSecure has published tips to protect businesses, including urging employees to use separate accounts for personal and business purposes.

(Infosecurity Magazine)

Ohio universities receive $5 million in school safety funding

Thirty-three colleges and universities in Ohio will receive a total of $5 million in funding for security projects as part of the 2022 Campus Safety Grant Program. The program was funded with support from the Ohio legislature, and the funds will be used for physical security enhancements such as security cameras, door locks, alarms, public address systems and metal detectors. In order to receive grant funding, institutions first had to conduct a security vulnerability assessment to identify areas needing safety enhancements. Ohio State, Kent State, and Bowling Green are among the grant recipients.

(Security Magazine)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.