Tag Archive for: twitter

A Zero-Day Flaw in Hacked MOVEit Software Was Exposed on Twitter


(Bloomberg) — John Hammond, a senior researcher at the cybersecurity firm Huntress, had already lost a few nights of sleep when someone he’d been messaging with privately over Twitter delivered a bombshell.

The person, who declined to provide his name but describes himself as an exploit writer, told Hammond on June 15 that he had inadvertently stumbled upon a new zero-day vulnerability in MOVEit file-transfer software — the type of flaw that doesn’t have a fix, or patch, leaving users vulnerable to hackers. What’s more, the anonymous researcher publicly shared details about the flaw on Twitter — a potentially disruptive move that could’ve enabled attackers to exploit the vulnerability before the software owner could respond. 

This was not the standard practice of cybersecurity researchers. They generally give organizations notice about such flaws before going public in an effort to avoid aiding bad actors. (The US Department of Homeland Security says that it gives organizations 45 days to respond to vulnerability reports before a public disclosure.) 

It stood to exacerbate what was already a crisis over MOVEit, the software at the center of an ongoing hacking campaign by a Russian-speaking criminal group called Clop that exploited a different zero-day flaw to access files from at least dozens of companies and organizations. The researcher’s discovery ended up adding to the woes of Progress Software Corp., the company behind MOVEit software.

Progress had already issued a patch soon after it discovered the initial zero-day flaw exploited by Clop. And, based on a tip from Huntress, it issued another fix for a second zero-day earlier this month, Hammond said.


Now there was a third. In a private message on Twitter, the anonymous researcher told John he had realized what he had discovered was a zero-day event, according to screenshots of the thread shared with Bloomberg News. The researcher, a self-described exploit writer and “white-hat” hacker — someone who finds and reports flaws rather than exploiting them — capped the note off with an emoji of an astonished face.

Hammond, who had spent recent…


Eurovision, acts of war, and Twitter circles • Graham Cluley


Smashing Security podcast #321: Eurovision, acts of war, and Twitter circles

Twitter shares explicit photos without users’ permission, one US company can look forward to a $1.4 billion payout seven years after an infamous cyberattack, and how might hackers target Eurovision?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by cybersecurity reporter John Leyden.

Plus don’t miss our featured interview with Outpost24’s John Stock.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

John Leyden – @jleyden

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Outpost24 – Understand your shadow IT risk with a free attack surface analysis.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
Follow him on Twitter at @gcluley, on Mastodon, or drop him an email.


Man known as ‘PlugwalkJoe’ admits to Twitter hack that hijacked celebrity accounts


By Margi Murphy | Bloomberg

A British man has admitted to his involvement in one of the most high-profile social media hacks, a plot that included the hijacking of top US political and business leaders’ Twitter accounts.

Joseph James O’Connor pleaded guilty in New York on Tuesday to hacking into the social network, a move that led to the impersonation of Barack Obama, Joe Biden, Jeff Bezos, Warren Buffett and others to advertise a Bitcoin scheme.

The 23-year-old, also known as “PlugwalkJoe,” was extradited from Spain on April 26, according to the Department of Justice. The crimes involved SIM swaps — a process in which a phone number is transferred to a new device in order to bypass security measures — but went far beyond that, prosecutors said.

“O’Connor used his sophisticated technological abilities for malicious purposes — conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor,” said US Attorney Damian Williams for the Southern District of New York.

“O’Connor’s guilty plea today is a testament to the importance of law enforcement cooperation, and I thank our law enforcement partners for helping to bring to justice to those who victimize others through cyberattacks,” he said.

The Department of Justice alleges that O’Connor plotted with others to hijack Twitter accounts to promote a scheme to defraud the public, with O’Connor paying $10,000 for just one of the accounts he requested. The co-conspirators used social engineering techniques to convince a Twitter employee into giving them access to administrative tools to the platform. Those tools were used to take control of the high-profile accounts.

According to the charge sheet, O’Connor pleaded guilty to a variety of cybercrimes, including the exploitation of social media accounts, online extortion and cyberstalking.


Briton pleads guilty in US to 2020 Twitter hack


[Image: Joseph James O’Connor being led by Spanish police officers as he leaves a court after his arrest in 2021.] Joseph James O’Connor was arrested in Spain in 2021.

A British national extradited to the US last month has pleaded guilty in New York to a role in one of the biggest hacks in social media history.

The July 2020 Twitter hack affected over 130 accounts including those of Barack Obama and Joe Biden.

Joseph James O’Connor, 23, known as PlugwalkJoe, pleaded guilty to hacking charges carrying a total maximum sentence of over 70 years in prison.

The hacking was part of a large-scale Bitcoin scam.

O’Connor, who was extradited from Spain, hijacked numerous Twitter accounts and sent out tweets asking followers to send Bitcoin to an account, promising to double their money.

O’Connor was charged alongside three other men over the scam. US teenager Graham Ivan Clark pleaded guilty in 2021. Nima Fazeli of Orlando, Florida, and Mason Sheppard, of Bognor Regis in the UK, were charged with federal crimes.

US Assistant Attorney-General Kenneth Polite Jr described O’Connor’s actions in a statement as “flagrant and malicious”, saying he had “harassed, threatened and extorted his victims, causing substantial emotional harm”.

“Like many criminal actors, O’Connor tried to stay anonymous by using a computer to hide behind stealth accounts and aliases from outside the United States.

“But this plea shows that our investigators and prosecutors will identify, locate, and bring to justice such criminals to ensure they face the consequences for their crimes.”

In 2020, an estimated 350 million Twitter users saw suspicious tweets from official accounts of the platform’s biggest users. Thousands fell for a scam, trusting that a crypto giveaway was real.

Cyber experts agreed that the consequences of the Twitter hack could have been far worse if O’Connor and other hackers had more sophisticated plans than a get-rich-quick scheme.

Disinformation could have been spread to affect political discourse and markets could have been moved by well-worded fake business announcements, for example.

The hack showed how fragile Twitter’s security was at the time. The attackers telephoned a small number of Twitter employees with a believable tale to convince them to hand over their internal login details – which eventually…
