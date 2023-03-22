

Welcome to The Cybersecurity 202!

A cybercrime forum’s shuttering could leave the community unsteady — for a while, anyway

Days after news broke about the arrest of its alleged operator, the notorious cybercriminal forum BreachForums says it’s shutting down.

Cyber experts say its demise will be a blow to the cybercrime underworld, but it’s not clear how long the reprieve will last.

The past few days were a rapid series of developments for the popular marketplace where criminals could buy and sell hacked personal data.

The FBI arrested 19-year-old Conor Brian Fitzpatrick and said he admitted to being BreachForums’s administrator, who is known as Pompompurin.

In response to the arrest, new administrator Baphomet said they would be taking over for Pompompurin.

By Tuesday, Baphomet said BreachForums would be shuttered.

The situation

On Friday, after Bloomberg News first reported on Fitzpatrick’s arrest, Baphomet said they were taking steps to shore up security on BreachForums and remove Pompompurin’s access.

“I have most, if not all the access necessary to protect BF infrastructure and its users,” they said. After the arrest, Baphomet explained, “I decided to remove his access to all important infrastructure and restricted his forum account to still login but not to carry out any administrative actions.

“I also since that point have been constantly monitoring everything and going through every log to see any access or modifications to Breached infra,” they continued, using another name for the site. “So far nothing like that has been seen.”

By Tuesday, Baphomet had reconsidered. “I will be taking down the forum, as I believe we can assume that nothing is safe anymore,” they wrote. “I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping Breached up as it is.”

The administrator probably had no choice in the matter, said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft.

“I don’t see how the forum could have continued anyway, if it was compromised,” Callow told me. “People would have lost faith in the integrity of the operation.”

The ramifications

The shuttering of BreachForums comes after the site had been around for roughly a year. It replaced RaidForums, a similar site that the FBI seized in 2022.

“In the short term, people will now find it harder to buy and sell stolen data,” Callow said. “In the long term, Breached will invariably be replaced by something else. What that something else will be remains to be seen.”

Alexander Leslie, an associate threat intelligence analyst at the cyber company Recorded Future, predicted lasting harm to the cybercrime scene.

“This is a major disruption of the cybercriminal threat landscape that will likely reverberate for months, as threat actors react and adapt,” Leslie wrote on Twitter. Baphomet doesn’t have the trust that Pompompurin did, and the arrest will “deplete that community’s morale for a long, long time,” he wrote.

“It will likely be a few months before we see the BreachForums community rally around a successor,” he continued. “As was the case with Raid, it took several weeks — and many, many failed successors — before BreachForums established itself. This time, it will be even more volatile.”

Callow said cybercriminals who used BreachForums are likely wondering whether the FBI has information on them, too, and reassessing whether their operational security, or OPSEC, was good enough to protect them.

“Quite a few of them now will be sweating … as to whether their OPSEC was good enough, or whether the FBI will be kicking in their doors next,” he said. “It’s a valid concern. We don’t know how deeply the operation was compromised before the arrest of the admin. We don’t know what information the FBI may have gathered off that arrest or disruptions that may lead to.”

Baphomet, for their part, indicated they would set up another forum — this time using the messaging app Telegram.

“Baphomet’s latest message indicated that the forum will likely relaunch in another format, though it remains to be seen whether this will continue in the spirit of Raid or Breach, or be something new entirely,” cybersecurity firm Flashpoint wrote in a blog post on Tuesday. “Threat actors will likely continue to have an appetite for breached databases, and it remains to be seen if this can be through an alternative venue, or requires a new forum entirely.”

State government sites use TikTok-linked web-tracking code, study finds

Web-tracking code designed by TikTok parent company ByteDance has been utilized on over two dozen U.S. state governments’ websites, the Wall Street Journal’s Byron Tau and Dustin Volz report, citing data from Toronto-based Feroot Security.

“A review of the websites of more than 3,500 companies, organizations and government entities … found that so-called tracking pixels from the TikTok parent company were present in 30 U.S. state-government websites across 27 states, including some where the app has been banned from state networks and devices,” Tau and Volz write.

TikTok says the tracking code is designed to increase the effectiveness of ad campaigns, but the findings show that ByteDance technology is embedded in government websites at a time when federal officials and Capitol Hill are cracking down on the app and its Chinese owners.

Feroot CEO Ivan Tsarynny said the tracking technology “can be watching and recording you when you’re renewing your driver’s license, paying your taxes or filling out doctors’ forms,” and advised removing it, they write. A TikTok spokeswoman told the Wall Street Journal that “the data we receive from advertisers is used to improve the effectiveness of our advertising services,” and that company policies instruct advertisers not to share certain data with the company.

State officials removed the code from some government websites, including a Maryland Department of Health site and a Utah website, after the Journal reached out for comment.
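The finding above is the kind of thing a site owner can check for themselves: tracking pixels are third-party scripts, images or iframes in the page, or inline loader snippets that inject one at runtime. The following is an added example (not code from the article, Feroot or the Journal) that parses a page's HTML with the standard library and flags every resource fetched from a host outside the site's own domain, naming the ones that match a small list of known tracker hosts. The sample HTML is constructed for this example; `analytics.tiktok.com` is the host the standard TikTok Pixel loader snippet fetches from, and the other list entries are illustrative assumptions, not a vetted blocklist.

```python
"""Audit a page's HTML for third-party resources and known tracking pixels.

Added example; the sample page and the tracker list are constructed here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative starting list (assumption, not an authoritative blocklist).
# analytics.tiktok.com is the host loaded by the standard TikTok Pixel snippet.
KNOWN_TRACKER_HOSTS = {
    "analytics.tiktok.com": "TikTok Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Tag -> attributes that make the browser fetch a remote resource.
SRC_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",)}

# Absolute or protocol-relative URL inside inline JavaScript (e.g. a pixel loader).
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for fetched resources plus the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []        # [(tag, url), ...] in document order
        self.inline_scripts = []   # bodies of <script> elements without src
        self._buf = None           # accumulates the current inline script body

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in SRC_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self.resources.append((tag, attrs[attr].strip()))
        if tag == "script" and not attrs.get("src"):
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def host_of(url):
    """Lowercase hostname of url, or None for a relative (same-origin) URL."""
    netloc = urlparse(url).netloc
    if not netloc:
        return None
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def is_first_party(host, first_party_domain):
    """Treat the site's domain and all of its subdomains as first-party."""
    return host == first_party_domain or host.endswith("." + first_party_domain)


def audit_page(html, first_party_domain):
    """Return findings for every third-party fetch; 'tracker' is None if unknown."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.resources:
        host = host_of(url)
        if host is None or is_first_party(host, first_party_domain):
            continue
        findings.append({"where": f"<{tag}>", "host": host,
                         "tracker": KNOWN_TRACKER_HOSTS.get(host)})
    # Pixel snippets usually create the <script> at runtime, so the static tag
    # scan above misses them; look for known hosts inside inline script text.
    for n, body in enumerate(parser.inline_scripts):
        for m in HOST_RE.finditer(body):
            host = m.group(1).lower()
            if host in KNOWN_TRACKER_HOSTS:
                findings.append({"where": f"inline script #{n}", "host": host,
                                 "tracker": KNOWN_TRACKER_HOSTS[host]})
    return findings


# Constructed sample page for a hypothetical state site (not a real page).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.unknown-vendor.net/lib.js"></script>
<script>
!function (w, d, t) { var s = d.createElement('script');
  s.src = 'https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=XXXX';
  d.head.appendChild(s); }(window, document, 'ttq');
</script>
<link rel="stylesheet" href="https://static.example.gov/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" width="1" height="1">
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "example.gov"):
        print(f"{f['where']:<18} {f['host']:<28} {f['tracker'] or 'unknown third party'}")
```

Run against a saved copy of the served HTML, this reports the unknown vendor script, the Meta and Tag Manager embeds, and the TikTok loader hidden in the inline snippet, while ignoring the site's own `static.example.gov` assets. The caveat is that static HTML is only half the picture: a tag manager can inject further pixels at runtime, so a complete audit also records the requests a real browser makes when the page loads.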

Hack exposed info of at least 17 current or former members of Congress

The personal information of at least 17 current or former members of Congress was exposed after the breach of the D.C. health insurance marketplace DC Health Link, Scott Macfarlane from CBS News reports. Additionally, the hacker who claimed responsibility for the breach said it was “an idea born out of Russian patriotism,” AJ Vicens writes in CyberScoop.

The hacker, who goes by the name Denfur, was asked to provide proof of his Russian nationality, but told CyberScoop, “You just have to take my word.”

Data including Social Security numbers, home addresses and email addresses was also reportedly exposed.

DC Health Link has said the data of around 56,000 people was exposed.

Beyond the members of Congress, the data of hundreds of other staff in Congress may have also been exposed, Rep. Joseph Morelle (D-N.Y.) told CBS in an interview.

“I think the number can and may grow,” Morelle told CBS News. “I don’t know what the probability is. But we’ve only been able to look through some of the data that’s gotten out.”

Morelle, who is the top Democrat on the Committee on House Administration, said the panel launched an investigation into the data breach. The FBI and Capitol Police are also investigating.

Ransomware attackers upping use of extortion tactics

Ransomware hackers are increasing the use of coercion and extortion tactics to instill fear into victims, Matt Kapko from Cybersecurity Dive reports, citing data released yesterday from Palo Alto Networks.

A layering of encryption and extortion tactics is making organizations’ recovery and response harder, the report says, citing Michael Sikorski, CTO and vice president of threat intelligence at Palo Alto’s Unit 42 incident response division.

“Ransomware attacks involving data theft jumped from 40% in mid 2021 to 70% by late 2022, Unit 42 found. Harassment spiked 20 times in ransomware cases during the same period, with threat actors resorting to the tactic in 1 in 5 cases,” Kapko writes.

Sikorski cited various examples, such as a ransomware attack on a hospital in which the hacker threatened to leak individual patients’ health data if the ransom was not paid.

