Prisoner hacks his prison IT system, goes wild
In other news: Hackers leak ICE employee data; John Bolton hacked and extorted; giant SIM farm seized in Latvia.

This newsletter is brought to you by Dropzone. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

A convict at a Romanian prison has hacked the country's prisoner management platform, in a security breach that has rocked Romania's penitentiary agency.

The incident took place in August and continued through October.

From various reports in Romanian media and a statement released by the national penitentiary police union, the incident appears to have originated in the city of Dej, in Romania's Transylvania region, at a prison hospital complex where prisoners are sent to treat illnesses before returning to finish their sentences at their normal jails.

A prisoner found a way to hack the tablets and kiosks installed in the Dej hospital prison and at other Romanian penitentiaries. These systems allow convicts to access an online platform managed by the National Penitentiary Administration (ANP) using a username and password. Prisoners can file requests, redeem days off their sentence by performing various jobs, or add money to an account that they can later use to shop for certain goods and services.

The prisoner found that, shortly after logging into his account, he could perform specific gestures on the tablet, or abuse the Start menu and notification area on the kiosk, to send the ANP app into the background and access other apps running on the device.

One of these apps was a browser page listing other items shared on the same network, including the hospital prison secretary's office printer system.

This part is unclear in the reporting, but it appears the prisoner accessed a printer's web login page, where he claims he could see other people logging into the device and also see the usernames and passwords they were using. This looks like some F12 developer-tools hacking. The other theory is that he found access logs and just took a past admin user's credentials, which turned out to also work on the ANP app itself. The account he chose belonged to a former director of the Dej prison hospital and had full admin access to the ANP app.

Whichever way he got them, the chain is the same: a kiosk app that could be pushed into the background to reach a browser, an admin credential exposed by a device on the same network, and that credential reused on a nationwide platform where nobody was watching what the admin account did.

Since this was an in-and-out, temporary-stay hospital for prisoners, it looks like this one prisoner, whose name was never shared in the reports, might have told others how to hack the ANP kiosks and tablets.

One of the people he appears to have told is Aurel Z., a prisoner who was later transferred to the Târgu Jiu prison in July. A month later, Aurel tried the hacking method at his new prison and found out that the credentials from Dej also worked there, since it was a nationwide platform.

The first thing Aurel did was grant some of his inmate friends the right to access adult content.

Once the big, important stuff was out of the way, he started modifying the financial records of selected accounts. He modified money entries by adding a zero to sums, or he deleted past expenses, effectively re-adding already-spent money back into a prisoner's account.

He also modified entries in the "zile câștig" (won days), the days that prisoners gain on their sentences towards an early release.

According to official statements, Aurel modified accounts for 15 prisoners, but he was caught after getting too greedy.

He added too much money to some accounts, with one account holding 5 million lei (~$1.15 million) and his own account spending as much as 10,000 lei (~$2,300) a month, an outrageous sum for someone locked up in jail, and almost three times the country's minimum wage.

The hacking spree unraveled when accounting staff and a representative from CEC Bank started seeing irregularities between the money that entered the system, the current total, and the spent amounts.

An investigation began shortly after, and authorities discovered the hacks at the start of October, when they removed keyboards from the kiosks and temporarily took the tablets out of use.

The penitentiary police union claims to have observed hacks at two other prison complexes besides Dej and Târgu Jiu: in Timișoara and in Pelendava, near Craiova.

The union claims the Târgu Jiu hacker alone spent more than 300 hours logged into the system with admin access without being detected.

They have also accused the ANP director of gross negligence for failing to detect the breach after two supervisors and a shift manager reported rumors they had heard from inmates about access to porn sites and modified balances. Furthermore, an informant allegedly reported the hack to the ANP a week before it was discovered, only to be ignored.

Because prison life is about reputation, the original prisoner who found the ANP app loophole has come forward to take credit and tell union members about other ways the app could be hacked. According to media reports, this individual was allegedly jailed for IT-related infractions and presented himself as a member of Anonymous.

Aurel Z. is likely regretting his actions right about now. He was serving a nine-year and ten-month prison sentence for laundering money for the Italian mob and was set to be freed five months from now, in January next year.

The main Risky Business podcast is now on YouTube, with video versions of our recent episodes. Below is our latest weekly show, with Pat and Adam at the helm.

Hackers leak ICE employee data: Hackers have leaked the personal details of hundreds of DHS, ICE, FBI, and DOJ officials. The leaked data includes names, phone numbers, and even home addresses. The leakers go by "Scattered LAPSUS$ Hunters" and are the group that tried to extort Salesforce and its customers earlier this month. It's unclear where the group got its data. Additional coverage in 404 Media.

KT breach got larger: A security incident at South Korea's second-largest mobile operator is far larger than initially reported. Around 22,200 Korea Telecom customers have had their personal data harvested after connecting to 20 fake mobile towers across the country. The number is far larger than the two fake towers and 5,500 users initially disclosed by KT in August. Users who connected to the fake towers reported unauthorized micropayments from their accounts. South Korea's government launched an investigation into KT last week for obstructing its probe into the matter. Additional coverage in the Korea JoongAng Daily.
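Coming back to the Romanian prison story: the manipulations described there (a deposit with a zero appended, a past expense deleted so the balance refills, a spend rate nobody in jail should have) are exactly what a ledger invariant catches, and the bank noticed precisely because deposits, spend and balance no longer agreed. The following is an added example, not code from the ANP platform or from the reporting. It models a prisoner's spending account as a hash-chained, append-only ledger, recomputes the balance from the entries, and flags accounts whose stored balance, history or thresholds do not add up. The record layout, the threshold values, the actor names and the sample entries are all constructed for illustration.

```python
"""Ledger integrity checks for an inmate spending account.

Added example, not code from the ANP platform or from the reporting: the
record layout, the thresholds and the sample entries are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class Entry:
    day: date
    kind: str      # "deposit" or "spend"
    amount: int    # lei, always positive; kind gives the sign
    actor: str     # account that recorded the entry (cashier, kiosk, admin)
    prev: str      # hash of the previous entry, "genesis" for the first
    h: str         # hash of this entry, which chains it to prev


def _digest(day, kind, amount, actor, prev):
    raw = f"{day.isoformat()}|{kind}|{amount}|{actor}|{prev}".encode()
    return hashlib.sha256(raw).hexdigest()


def append(entries, day, kind, amount, actor):
    """Return a new list with one more entry chained onto the last one."""
    prev = entries[-1].h if entries else "genesis"
    h = _digest(day, kind, amount, actor, prev)
    return entries + [Entry(day, kind, amount, actor, prev, h)]


def computed_balance(entries):
    return sum(e.amount if e.kind == "deposit" else -e.amount for e in entries)


def audit(entries, stored_balance, max_deposit=2000, max_monthly_spend=3000):
    """Return a list of findings; an empty list means the account reconciles.

    Three independent checks: the hash chain (catches edited or deleted
    history), the balance (catches a stored total the entries do not explain)
    and plain thresholds (catches the greedy case even if history was
    rewritten consistently).
    """
    findings = []
    prev = "genesis"
    for i, e in enumerate(entries):
        if e.prev != prev or e.h != _digest(e.day, e.kind, e.amount, e.actor, e.prev):
            findings.append(f"chain broken at entry {i}: edited or deleted history")
            break            # later links are meaningless once the chain is broken
        prev = e.h
    total = computed_balance(entries)
    if total != stored_balance:
        findings.append(f"stored balance {stored_balance} != ledger sum {total}")
    for e in entries:
        if e.kind == "deposit" and e.amount > max_deposit:
            findings.append(f"{e.day}: deposit {e.amount} by {e.actor} exceeds {max_deposit}")
    monthly = defaultdict(int)
    for e in entries:
        if e.kind == "spend":
            monthly[(e.day.year, e.day.month)] += e.amount
    for (y, m), spent in sorted(monthly.items()):
        if spent > max_monthly_spend:
            findings.append(f"{y}-{m:02d}: spend {spent} exceeds {max_monthly_spend}")
    return findings


# Constructed sample data: one honest account and the manipulations the
# reporting describes.
def honest_account():
    L = append([], date(2025, 8, 1), "deposit", 500, "cashier.dej")
    L = append(L, date(2025, 8, 10), "spend", 120, "kiosk.tgjiu")
    L = append(L, date(2025, 8, 20), "spend", 80, "kiosk.tgjiu")
    return L                        # balance 300


def tampered_deposit(entries):
    """Deposit edited in place with a zero appended (500 -> 5000), hash left as is."""
    e = entries[0]
    return [Entry(e.day, e.kind, e.amount * 10, e.actor, e.prev, e.h)] + entries[1:]


def deleted_expense(entries):
    """A past spend removed so the money reappears in the balance."""
    return [entries[0]] + entries[2:]


def greedy_spender():
    """Inflated deposit followed by 10,000 lei spent in a single month."""
    L = append([], date(2025, 9, 1), "deposit", 20000, "admin.former_director")
    for d in (3, 9, 15, 21, 27):
        L = append(L, date(2025, 9, d), "spend", 2000, "kiosk.tgjiu")
    return L                        # balance 10000, chain intact


if __name__ == "__main__":
    for name, entries, stored in [
        ("honest", honest_account(), 300),
        ("tampered deposit", tampered_deposit(honest_account()), 4800),
        ("deleted expense", deleted_expense(honest_account()), 420),
        ("greedy", greedy_spender(), 10000),
    ]:
        print(name, audit(entries, stored) or "OK")
```

The chain check is what an admin-level edit cannot get around without also rewriting every later entry, and the threshold check is the one that does not care how consistent the rewrite was: 300 hours of admin access would have been 300 hours of findings if anyone had been running it.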
South Korea confirms Onnara hack: Hackers have breached an internal platform used by the South Korean government to exchange documents, as well as the government's public key infrastructure (GPKI). The country's intelligence agency confirmed the breach two months after an exposé in the Phrack hacking magazine alluded to a suspected breach. The article pointed the finger at North Korea, but new evidence suggests it might have been Chinese hackers. Officials fear stolen digital certificates might have been used to hack other agencies. Additional coverage in the Digital Daily; English coverage in the Korea JoongAng Daily.

China accuses NSA of hacking time center: The Chinese government has accused the NSA of hacking its National Time Service Center. Officials claim the NSA infiltrated its network and spied on staff since at least 2022. The NSA allegedly exploited vulnerabilities in a messaging service running on staff phones. It then used 42 "cyber weapons" to move laterally, including attempts to gain access to China's high-precision ground timing systems. Officials claim the US was pre-positioning to disable or sabotage the system. Additional coverage in ABC News.

Verisure Alert Alarm breach: Hackers have stolen the personal data of more than 35,000 current and former customers of the Verisure Alert Alarm system. The data was taken from a third-party billing provider and only covers the company's Swedish customers. Verisure says the Alert Alarm intrusion and emergency alert system only has 6,000 customers and is separate from the main Verisure alert systems. (h/t AS)

Russian SMS aggregators hacked: Two Russian SMS aggregation services were allegedly hacked and their data put up for sale on hacking forums.

Envoy Air joins Oracle bloodbath: Envoy Air has come out as a victim of the recent Oracle EBS zero-day attacks carried out by the Clop data extortion gang. Additional coverage in BleepingComputer.

Court orders NSO to stop targeting WhatsApp: A US judge has issued a permanent injunction banning the NSO Group from targeting the WhatsApp platform. The judge also reduced the punitive damages the spyware maker owes Meta from $167 million to just $4 million. Meta won the damages in a jury trial that concluded in May. NSO representatives said the order could put the company out of business. Additional coverage in Reuters.

It's been quite a number of years since we've seen how the Pegasus client panel looks. (Document from the WhatsApp lawsuit, p. 15, hosted on storage.courtlistener.com.)

Flock teams up with Ring: Flock has partnered with Amazon Ring and will allow its law enforcement customers to access Ring camera footage and streams. Additional coverage in CNBC.

EFF sues Trump admin over social media surveillance: The Electronic Frontier Foundation has sued the Trump administration over a social media surveillance program. The lawsuit alleges the US government is using social media activity to intimidate union workers, permanent residents, and other valid visa holders based on their political beliefs. The plaintiffs say they were forced to cut down on or abstain from their social media posting because of the government's surveillance. They argue the government's actions infringe on their First Amendment rights.

Experian fined for GDPR violations: The Dutch data protection agency fined Experian's local division €2.7 million for breaking GDPR by illegally collecting and selling personal information to assess creditworthiness.

Mozilla to support Firefox on Windows 10: Mozilla says it will continue to support Firefox on Windows 10 installations despite the OS reaching EoL. Per Mozilla data, the OS is still used by almost 37% of all Firefox users.

WhatsApp bans chatbots: Meta has updated the WhatsApp Business API to ban general-purpose AI chatbots. The new terms will go into effect on January 15 next year. After that, Meta will delist any AI chatbot that uses external models. Additional coverage in TechCrunch.

Ruby team takes control of package repos: The main team behind the Ruby programming language has taken ownership of the Bundler and RubyGems package installers after Shopify attempted a forced, corporate-sponsored takeover.

www.ruby-lang.org/en/news/2025
"As someone who spent a bunch of time talking before and after this all went down with current and past RubyGems maintainers, Ruby Central employees, gem.coop maintainers, and Ruby Core folks, this seems like the best outcome that was actually attainable."

Russia cracks down on Apple: The Russian government has sent Apple a letter demanding that Russian search engines be installable and usable on the company's devices. Additional coverage in Interfax.

France activates extended data retention rules: The French government has ordered ISPs and mobile operators to store connection and location data for at least a year. The government cited a threat to national security to expand the normal internet logging requirements. The government activated a state of emergency after multiple days of street protests.

South Korea mulls scam compound sanctions: The South Korean government is considering joining the US and UK in sanctioning businesses associated with the cyber scam compound ecosystem. Additional coverage in the Korea Times.

Hackers extorted Bolton: Hackers breached the personal AOL email account of former national security advisor John Bolton. The breach took place in July 2021, two years after he was fired from the job. The hackers tried to extort Bolton by threatening to release sections removed from a book because they contained classified material. Bolton's camp believes the hackers are Iranian. Additional coverage in Kim Zetter's Zero Day.

"The John Bolton indictment released on Thursday contains a lot of interesting info about the AOL email account prosecutors say he used to send classified info to his wife and daughter while national security advisor, an email account that Iran allegedly hacked. I wrote about the indictment here."

In this Risky Business sponsored interview, Tom Uren talks to Edward Wu, CEO and founder of Dropzone AI, about a study that measured how AI practically helps SOC analysts triage real-world problems. Analysts were faster, more accurate, and got less tired with AI assistance. Edward thinks the technology won't replace human analysts but will speed up their skill development.

Operation SIMCARTEL: Latvian police have arrested seven individuals who ran a SIM farm that was used in online fraud. Officials seized more than 1,200 SIM boxes and hundreds of thousands of SIM cards. The group used two public websites, gogetsms.com and apisim.com, to rent access to phone numbers from 80 countries. Numbers rented through the service were linked to multiple forms of fraud and scams. Europol says the SIM farm numbers were linked to 49 million online accounts and that the group caused almost €5 million in damages in Austria and Latvia alone. Additional coverage by VXDB.

ShinyHunters case in France: There's a weird story coming out of France where a man arrested in June claims he's not the ShinyHunters admin, as the group kept hacking after he was detained. It's weird because I went back and read the press releases, and French authorities never claimed they arrested the ShinyHunters admin, only four major BreachForums users. Additional coverage in DataBreaches.net.

CryLock couple profile: The Financial Times published a profile on a Russian couple that ran the CryLock (Cryakl) ransomware. The couple was arrested in Spain and extradited to Belgium. Vadim Sirotin received seven years in prison, while Elena Timofeeva received five years. The two allegedly made a whopping 64 million from 400,000 victims and were early pioneers of the RaaS model.

"This is a well-written article about the story of two Russians, a couple, who wound up running a ransomware gang from Spain. They may have been undone by targeting Russians; there's some dangling threads about how they were caught."

New npm malware: Eighty malicious npm packages were discovered and taken down last week. Check out the GitHub security advisory portal for more details. Some of these packages were caught deploying AdaptixC2, a new C2 framework that launched this year, according to Kaspersky.

Capita hack IR report: Will Thomas has published a summary with the main lessons from the Capita 2023 hack, based on a 136-page ICO report (PDF) released last week, when the ICO also fined Capita £14 million.

Operation MotorBeacon: Seqrite looks at a phishing campaign targeting Russia's automotive sector with the CAPI backdoor.

Zendesk email bomb attacks: Hackers are abusing Zendesk installations to send email bombs. Zendesk says the attackers are exploiting a normal Zendesk feature that allows anyone to create support tickets. According to KrebsOnSecurity, the company is also failing to validate sender emails and to impose rate limits on outgoing emails, so every forged ticket naming a victim's address turns into one more acknowledgement in the victim's inbox.

20 ASNs responsible for all the badness: Just 20 networks (ASNs) are responsible for 80% of all malicious password spraying activity. According to Microsoft's yearly Digital Defense Report, only 15% of password spraying attacks are blocked because the user has MFA enabled. This also highlights the still-low adoption of MFA.

Lumma dwindles after doxing campaign: Usage of the Lumma infostealer has declined after hackers took over the malware's Telegram account and started doxing its members. Details of five Lumma Stealer devs were posted on a website called Lumma Rats. Leaked data included real names, photos, passport numbers, bank accounts, email addresses, and links to online profiles. Trend Micro says it recorded a drop in Lumma payloads since the doxing began in late August, as known Lumma customers migrated to rival infostealers.

New infostealer feature: SANS ISC researchers have spotted an infostealer with a novel feature that, besides text, also retrieves image-based content from an infected user's clipboard.

In this sponsored product demo, Dropzone founder and CEO Edward Wu walks Risky Business podcast host Patrick Gray through the company's AI SOC analyst.

Brickstorm update: Cloud data management company Rubrik has found traces of the Brickstorm backdoor inside its customers' backups. Brickstorm is the backdoor planted inside networks hacked by a Chinese cyber-espionage group.
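On the Zendesk email bombs a few items up: the abuse needs three things at once, an intake that anyone can submit to, a requester address that is taken on trust, and an outgoing acknowledgement for every ticket with no rate limit. The following is an added example, not Zendesk's code or configuration. It puts a gate in front of the auto-reply so that an unverified address receives exactly one challenge per window, and a verified address is rate-limited, which turns a flood of forged tickets into a single message to the victim. The class, the HMAC token scheme, the window sizes and the sample submissions are constructed for illustration.

```python
"""Auto-reply gate for a public ticket intake.

Added example, not Zendesk code: the gate, its token scheme and the sample
submissions are constructed for illustration.
"""
from collections import Counter, deque
import hashlib
import hmac


class AutoReplyGate:
    """Decide whether a ticket may trigger an outgoing email.

    Unverified addresses get at most one challenge per window; verified
    addresses get at most max_per_window acknowledgements per window.
    """

    def __init__(self, secret: bytes, window: int = 3600, max_per_window: int = 3):
        self.secret = secret
        self.window = window
        self.max_per_window = max_per_window
        self.verified = set()
        self.challenged = {}   # address -> time of the last challenge
        self.sent = {}         # address -> deque of acknowledgement times

    def challenge_token(self, address: str) -> str:
        # Stateless token: HMAC over the address, so nothing is stored
        # server-side until the requester proves they can read that mailbox.
        return hmac.new(self.secret, address.lower().encode(), hashlib.sha256).hexdigest()[:16]

    def confirm(self, address: str, token: str) -> bool:
        if hmac.compare_digest(token, self.challenge_token(address)):
            self.verified.add(address.lower())
            return True
        return False

    def decide(self, address: str, now: int) -> str:
        """Return "verify", "reply" or "drop" for a ticket from address at time now."""
        address = address.lower()
        if address not in self.verified:
            last = self.challenged.get(address)
            if last is not None and now - last < self.window:
                return "drop"           # already challenged: send nothing more
            self.challenged[address] = now
            return "verify"
        q = self.sent.setdefault(address, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                 # slide the window
        if len(q) >= self.max_per_window:
            return "drop"
        q.append(now)
        return "reply"


def emails_sent(submissions, gate=None):
    """Count outgoing emails per address for a list of (timestamp, address).

    With gate=None every ticket is acknowledged, which is the behaviour the
    Zendesk abuse relies on.
    """
    out = Counter()
    for now, address in submissions:
        if gate is None or gate.decide(address, now) in ("verify", "reply"):
            out[address.lower()] += 1
    return out


# Constructed sample: 500 forged tickets naming the victim within ten minutes,
# plus one real customer who opens tickets now and then.
FLOOD = [(i, "victim@example.com") for i in range(500)]
CUSTOMER = [(0, "alice@example.org"), (10, "alice@example.org"),
            (20, "alice@example.org"), (30, "alice@example.org"),
            (4000, "alice@example.org")]


def demo():
    naive = emails_sent(FLOOD + CUSTOMER)
    gate = AutoReplyGate(secret=b"constructed-demo-secret")
    gate.confirm("alice@example.org", gate.challenge_token("alice@example.org"))
    gated = emails_sent(FLOOD + CUSTOMER, gate)
    return naive, gated


if __name__ == "__main__":
    naive, gated = demo()
    print("naive:", dict(naive))   # victim: 500, alice: 5
    print("gated:", dict(gated))   # victim: 1,   alice: 4
```

The verification step is the part that matters: rate limiting alone still lets an attacker send the victim a steady trickle from every abused help desk on the internet, whereas an address that never confirms the challenge gets nothing further at all.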
WaterPlum's OtterCandy: NTT's security team looks at OtterCandy (OtterCookie), a backdoor used by the WaterPlum APT (aka Famous Chollima). There's a similar report on this from Cisco Talos as well.

KittenBusters leak: Nariman Gharib has published an analysis of Episodes 2 and 3 of new leaks from the Charming Kitten (APT35) Iranian cyber-espionage group.

AMD RDSEED vulnerability: The Linux kernel has patched a bug in the RDSEED entropy generator that caused AMD Zen 5 chips to fail to produce random numbers (the instruction can return zero while still signalling success, so callers that only check the success flag get no entropy). Only a few Zen 5 chips were thought to be impacted initially, but now all Zen 5 models have been confirmed to be affected. The patch disables RDSEED and forces all AMD Zen 5 processors to use RDRAND for generating random numbers. Additional coverage in Phoronix.

Dolby zero-click vulnerability: Google's Project Zero team has discovered a zero-click exploit in the Dolby Unified Decoder. The exploit allows attackers to run malicious code by sending users malformed audio files. No user interaction is required on Android. The issue has been patched in Chrome and Windows, while the Android team is still working on a fix.

7-Zip write-up: A security researcher going by Dominik has reverse-engineered a July 7-Zip security update to look for details about two bugs that can be exploited for remote attacks.

SimpleHelp vulnerabilities: Tenable researchers have discovered two vulnerabilities in SimpleHelp's remote support tool that can be chained for remote code execution on customer devices.

ConnectWise security update: ConnectWise has released a security update to patch two vulnerabilities, including one that could have reverted the app to using cleartext HTTP traffic.

Threat/trend reports: Check Point, Elastic, Elliptic, Ernst & Young, IANS, NCC Group (PDF), and Zscaler have recently published reports and summaries covering various threats and infosec industry trends.

More companies are getting deputy CISOs: Almost 40% of Fortune 500 companies have named a deputy CISO or a similar role. The role is designed to step in when the CISO is unavailable and act as an eventual successor. According to IANS Research and Artico Search, almost 95% of CISOs now regularly work with C-suite executives and the board on regulatory and other matters. Additional coverage in Cybersecurity Dive.

New tool, Project CodeGuard: Cisco has announced Project CodeGuard, a new framework for securing AI code generators and coding agents.

New tool, Sketchy: Security firm Adversis has released Sketchy, a tool that scans for and warns about malicious dependencies when users try to clone a repo.

New tool, ReflectSonar: Security researcher Ata Seren has open-sourced ReflectSonar, a tool to create detailed PDF reports of SonarQube scans.

Usenix WOOT videos: Talks from the Usenix Workshop on Offensive Technologies (WOOT) 2025 security conference, which took place in August, are available on YouTube.

Usenix VehicleSec videos: Talks from the Usenix VehicleSec 2025 security conference, which took place in August, are available on YouTube.

In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about First Wap, a Jakarta-based company that is selling surveillance-as-a-service. The good news is that it appears that government and media attention have had an impact on high-profile spyware vendors like NSO Group. The bad news is that these smaller players are flying under the radar and aren't afraid of selling to sketchy customers.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how different cybercriminal groups are looking for insiders to provide network access.