The Register

US spy satellite agency breached, but insists no classified secrets spilled

Infosec in brief A computer intrusion hit the US spy satellite agency, but officials insist no classified secrets were lost – just some unclassified ones, apparently.

The National Reconnaissance Office (NRO) confirmed to The Register that attackers gained limited access to its networks, but no classified data was exposed. It would not answer whether the attack was linked to the SharePoint vulnerability that was used to break into other government agencies, such as the US National Nuclear Security Administration.

“We can confirm that an incident involving our unclassified Acquisition Research Center (ARC) website is currently being investigated in collaboration with federal law enforcement,” the agency said. “We do not comment on ongoing investigations.”

News of the breach was reported earlier by the Washington Times.

The ARC is the NRO’s unclassified portal for vendors to pitch their tech and bid on contracts, but it’s not connected to classified networks — which, according to the agency, means any awarded contract details should be safe. It also works as a market research tool for staff as they can see what technologies are available.

According to the Washington Times, however, attackers may have obtained sensitive information related to CIA technology acquisition efforts, including data tied to the agency’s Digital Hammer program. That initiative, announced three years ago by the CIA’s Open Source Enterprise director Randy Nixon, was designed to fast-track innovative tools for surveillance and intelligence gathering.

The CIA, characteristically, has nothing to say on the matter and the NRO has reportedly notified any companies affected by the breach.

Tea app secrets spilled by server snafu

Tea, an application ostensibly created to make women safer by allowing them to swap notes on potential paramours, has suffered a major data breach, exposing 72,000 images (13,000 selfies and photo IDs, and 59,000 pictures from app posts and direct messages).

The app, which was the top-downloaded free app on the Apple App Store this week and reportedly has more than 1.6 million users, lets them share notes on specific men and comment on their dating experiences. It includes a so-called Catfish Finder AI tool that uses reverse image searches and public records to help flag suspicious identities, including known aliases and criminal histories, if found.

“It’s basically Yelp for exes,” said one reviewer. “You get to see what people say about the person you’re thinking about matching with. And listen, that’s a game-changer for the girls who are done wasting time on smooth-talking liabilities.”

Users on 4chan surfaced the exposed database, which was apparently hosted in an unsecured Firebase storage bucket tied to Tea’s mobile app. On Friday, the app’s makers told 404 Media that it had “identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact.”

The app maker said that the exposed data was collected over two years ago, possibly before or around its 2023 launch, and claimed that the “data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention.”

Its female customers might feel slightly less than reassured by that, given that the whole point of the app, developed by former Salesforce director of product Sean Cook, was to help users stay safer by sharing experiences. We’ve asked Tea for more details and will update if additional information comes in.
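The exposed images were reported to have sat in an unsecured Firebase storage bucket. As an added illustration that is not from the article or from Tea (the report does not say what Tea's actual rules looked like), the first rule set below is the kind of Firebase Storage security rule that leaves every object readable and writable by anyone who knows the bucket name, and the second restricts each user's files to that signed-in user. The `/users/{uid}/` path layout is an assumed example.

```firebase
rules_version = '2';

// WEAK (illustrative): every object in the bucket is world-readable and
// world-writable; nothing stops an unauthenticated client from listing and
// downloading the lot.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// HARDENED (illustrative): objects live under /users/<uid>/..., and only a
// signed-in client whose Firebase Auth uid matches the path segment may read
// or write them. Everything outside that tree is denied by default.
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{uid}/{fileName=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == uid;
    }
  }
}
```

Only one `service` block belongs in a deployed rules file; the two are shown side by side for comparison. A rule set with no `allow` statement denies access, so the hardened version also closes off any path not explicitly matched, which is the posture a defender wants for a bucket holding identity documents and private messages.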

Blacksuit ransomware taken to the cleaners by cops, with little effect

Visitors to the dark web site of the Blacksuit ransomware gang have likely had their hopes dashed – a global law‑enforcement action has seized the site, insiders tell us.

The site [Onion link] now says that it has been taken down by Homeland Security as part of Operation Checkmate. The page includes the logos of the DHS, the US Secret Service, the National Crime Agency, and various other European and international law enforcement agencies, as you can see in the screenshot below.

Screenshot: Blacksuit blocked

However, around the time of the takedown, Cisco reports seeing a relatively new ransomware-as-a-service group springing up, calling itself Chaos, that it believes was spun out of the Blacksuit gang. This is a tad confusing, since there’s already a ransomware group going by that name, but Cisco suspects that this is an intentional bit of misdirection by the new group to cover its tracks.

“Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks,” Cisco’s security team said.

This wouldn’t be the first time a group has faked a shutdown. As we’ve seen most recently with Hunters International, many criminal groups will simply announce they are shutting down when they become notorious. Then they restart with a new brand and much the same methods. And even if they are legitimately shut down by the cops, they often come back within weeks or months, as with REvil.

British student jailed for selling phishing kits

A court in London has given Ollie Holman, 21, a seven-year prison sentence for selling over a thousand phishing kits online and tutoring customers on how to use them.

Which is somewhat ironic, considering Holman was – at the time of his arrest – a student at the University of Kent studying electronic and computer engineering. Police estimate that over his two-year career as a criminal, Holman netted around £300,000, which he then laundered through cryptocurrency exchanges.

Security biz WMC Global spotted the kits and tipped off the police, and after a European law enforcement investigation, he was arrested in October 2023 and later released on bail. But he continued offering support for the phishing kits via Telegram, leading to a second arrest in May 2024.

“Holman acted with greed and profited handsomely from this illegal enterprise, funding his own lavish lifestyle at the expense of countless individuals and businesses who suffered devastating financial losses and emotional harm,” said Sarah Jennings, specialist prosecutor for the Crown Prosecution Service.

And he’s not out of the woods yet. The CPS said that it would be taking Holman back to court to try and seize his assets – those it can find at least.

EncroChat is the gift that keeps giving – to the police

Police in the UK have jailed a drug dealer who was using the encrypted EncroChat service, after identifying him from messages referencing his semi-famous father.

In 2020, after a three-year operation, Eurocops managed to infiltrate and then take down the EncroChat service, which was charging around £1,500 every six months to provide criminals with a supposedly secure method of communication. In the process, they harvested a lot of data from the site and, while some criminals were stupid enough to put names, addresses, and other real information in messages, others weren’t.

Police identified Thomas Hooton, 30, after an associate sent him a picture of his father, who unfortunately was rather famous – Peter Hooton, lead singer with the British band The Farm. That, along with messages in which the EncroChat user Ownraptor mentioned driving a black Audi A3 insured by his “arl fella,” helped investigators link the handle to him. Police checks confirmed the elder Hooton had indeed insured the car.

Thomas Hooton pleaded guilty at Liverpool Crown Court to conspiring to supply heroin, cocaine, cannabis and ketamine with a reported wholesale value of around £1.3 million and was sentenced to 10 years and 8 months in prison.

Meanwhile, police are back to combing through the EncroChat data to catch more crims. While the low-hanging fruit who identified themselves on the service have now mostly been caught, this is an interesting case of how the smallest details can lead to personal identification.

And here’s a bit of flashback for those of you, like our editor, who vaguely remembered The Farm’s name but didn’t remember what their hit song was:

[YouTube video embed]

Groovy. ®
