Notices by BrianKrebs (briankrebs@infosec.exchange)

  1. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 03-Jun-2026 22:05:21 JST

    My follower count here seems to have dropped by ~750-1,000 overnight. I'm guessing there was some kind of cleanup done on botted accounts or something? Or maybe I just pissed a lot of people off at once (totally possible).

    In conversation about a day ago from infosec.exchange
  2. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 03-Jun-2026 20:54:09 JST, in reply to Rich Felker

    @dalias They got access to 20 encrypted vaults. They'd still have to work out the master password for those targeted accounts. Theoretically, that could be done offline, as happened w/ the breach at LastPass, but it took many months for a lot of those stolen vaults to be cracked.

    In conversation about a day ago from infosec.exchange
  3. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 03-Jun-2026 20:49:56 JST

    RE: https://infosec.exchange/@briankrebs/116670688015956223

    Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." Dashlane said there was no evidence of a hack of its own systems, but it hasn't shared yet why or how that 2FA was compromised. The company said “the goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” and that it has already notified affected users.

    https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts?7194ef805fa2d04b0f7e8c9521f97343

    In conversation about a day ago from infosec.exchange

    Attachments

    1. Quoted status from BrianKrebs (@briankrebs@infosec.exchange), with 1 image:

      This looks ominous. The password manager service Dashlane apparently is investigating some strange "Account suspended -- please contact us" emails going out, as well as related login difficulties. I noticed this after a reader and Dashlane user wrote in to say he's on a family plan and he received a notification that they'd locked his account because there was an attempt to add a device and too many MFA failures.

      Here's what their techs are telling customers: "Thank you for reaching out to us! It's Gustavo from Dashlane Customer Support. I am very sorry for any inconvenience this issue has caused. We are currently investigating an issue regarding unexpected emails with the subject "Account suspended - please contact us", as well as some related login difficulties. Our engineering team is actively working on a resolution. While we investigate, please follow these important recommendations to ensure you retain access to your data: - Do not attempt to change or reset your Master Password at this time. - Do not log out of Dashlane on any device where you are currently logged in. We are treating this with the highest priority and will update you as soon as we have more information or a definitive fix. Thank you for your patience and understanding while we sort this out."

      Their account status page now says:

      May 31, 2026 17:50 UTC INVESTIGATING We are continuing to investigate the "Account suspended" notifications. Our engineering teams are actively working on a resolution and investigating the root cause of these messages. We are treating this with the highest priority and will provide further updates here as soon as more information becomes available. Thank you for your continued patience and understanding.

      May 31, 2026 15:19 UTC INVESTIGATING We have received reports from several users having received an email that their account has been suspended. We have also received reports that some users are experiencing difficulties in logging in to Dashlane after resetting their master password. We are investigating this situation, and we will provide further updates as soon as we have more information. Thank you for your understanding. #dashlane
  4. BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 02-Jun-2026 03:17:51 JST

    New, by me: A number of high-profile and/or valuable Instagram accounts, including those of the Obama White House and the Chief Master Sergeant for the U.S. Space Force, got hacked and defaced with pro-Iran messaging in the past 24h after people figured out that Meta's AI support assistant could be tricked into resetting account passwords.

    From the story:

    "A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit that appears to have involved using a VPN connection with an IP address that is in or near the target's usual hometown, requesting a password reset for the account, and then choosing to chat with Meta's AI support assistant. From there, the video shows the attacker told the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset."

    https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/

    #meta #instagram #hack #ai #security

    In conversation about 3 days ago from infosec.exchange

    Attachments

    1. Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts (krebsonsecurity.com)
      The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta's…
  5. BrianKrebs (briankrebs@infosec.exchange)'s status on Monday, 01-Jun-2026 05:44:43 JST

    Get this man a wambulance. The POTUS is having such a hissy fit over multiple musical artists bowing out of invitations to celebrate our nation's 250th anniversary on July 4 that he's now saying all the performances should be canceled and we should have a big MAGA rally on the mall featuring him blathering on w/ his usual lies and hate.

    Rather than respond to the artists' complaint that he'd politicized and personalized what should be a cause for national unity, he doubled down.

    "So I am thinking about bringing the Number One Attraction anywhere in the World, the man who gets much larger audiences than Elvis in his prime...and the man who some say is the Greatest President in History (THE GOAT!), DONALD J. TRUMP, to take the place of these highly paid, Third Rate 'Artists.'"

    "Trump said he was ordering aides to assess "the feasibility of doing an AMERICA IS BACK Rally" on the mall, where he would deliver a speech "rallying the Country forward like I have done ever since being President!"

    Oh well, just another venerated tradition, destination and celebration in my hometown garishly marred by the president's unquenchable thirst for attention and power.

    https://www.yahoo.com/news/politics/articles/trump-calls-replacing-us-250th-002946144.html

    In conversation about 4 days ago from infosec.exchange
  6. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 31-May-2026 21:44:36 JST

    NPR laid off about 4 percent of its content division, including 10 journalists and some veteran reporters.

    ""People love science," NPR Science Correspondent Nell Greenfieldboyce, who was laid off Wednesday, said in an interview for this story. "It's such a break from the political and economic and often grim news to have something more inspiring and curiosity driven. I thought it was a great blessing to have the opportunity to give that to people."

    https://www.npr.org/2026/05/27/nx-s1-5836624/npr-layoffs-job-cuts

    #media #layoffs #journalism

    In conversation about 4 days ago from infosec.exchange

    Attachments

    1. NPR's newsroom shrinks through buyouts and layoffs (npr.org)
      At least 18 NPR journalists have accepted buyouts and another 10 have been laid off as the public media network attempts to save money and reorganize the newsroom.
  7. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 31-May-2026 11:01:49 JST

    One more thing: I'm looking forward to a hearing in Congress about this. The "Private-CISA" repo included AWS keys for at least two different Nightwing contractors, including terraform scripts from another employee with embedded clear text credentials, suggesting there was a practice of sharing credentials.

    In conversation about 4 days ago from infosec.exchange
  8. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 31-May-2026 11:01:49 JST

    Somehow I missed this story in my research concerning Nightwing, the Virginia government contractor where the CISA contractor worked.

    May 2, 2025: Raytheon, Nightwing to Pay $8.4 Million in Settlement Over Cybersecurity Failures

    "The US government on Thursday announced that it has reached a settlement with Raytheon, RTX Corporation, and Nightwing Group in a lawsuit over the companies’ alleged failures to meet cybersecurity requirements for defense contractors.

    Raytheon, a subsidiary of RTX Corporation (previously Raytheon Technologies Corporation), and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), allegedly failed to comply with cybersecurity requirements in 29 contracts and subcontracts with the Department of Defense (DoD). Nightwing is a cybersecurity and intelligence company that spun out of RTX.

    According to the settlement, between 2015 and 2021, Raytheon did not implement necessary cybersecurity controls on a system used to perform work on DoD contracts. In 2015, the company landed a DHS cybersecurity contract worth $1 billion.

    Raytheon and RCSI allegedly not only failed to implement a security plan for the internal development system, but also failed to ensure that it complied with other Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) requirements.

    Per DFARS and FAR, contractors are required to apply basic safeguarding to systems that process or store federal contract data, and to provide adequate security for those systems, respectively."

    https://www.securityweek.com/raytheon-to-pay-8-4-million-in-settlement-over-cybersecurity-failures/amp/

    In conversation about 4 days ago from infosec.exchange

    Attachments

    1. Raytheon, Nightwing to Pay $8.4 Million in Settlement Over Cybersecurity Failures (www.securityweek.com)
      from https://twitter.com/IonutArghire
      The US government says defense contractor Raytheon and Nightwing agreed to pay $8.4 million to settle False Claims Act allegations.
  9. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 31-May-2026 01:59:51 JST

    Big companies have an expensive new addiction to AI, and their smack is getting more expensive. Who could have seen this coming? From the WSJ:

    "Use of artificial intelligence by big companies is exploding—and the soaring cost has some of them pumping the brakes in a way that could complicate AI’s triumphal march across the economy.
    Executives across industries this year have urged employees to integrate AI tools into their work, spending freely to encourage experimentation and seeking to send a message to Wall Street that their companies won’t be left behind in a coming wave of disruption."

    "All that enthusiasm has resulted in skyrocketing costs for so-called tokens, the basic unit of measurement for AI computing, as AI model providers seek to balance supply and demand and manage their own costs. Some enterprises have hit their annual budget in just three months or reported seeing their AI spending bills double or triple."
     
    "Now corporate leaders are scrambling to bring down expenses by finding ways to ration AI use in their organizations, steer workers toward cheaper, homegrown tools and help them hone their skills to improve returns." 

    https://www.wsj.com/tech/ai/corporate-america-is-starting-to-ration-ai-as-cost-skyrockets-1eb99d7a (paywall)

    https://archive.ph/v2dwg

    In conversation about 5 days ago from infosec.exchange

  10. BrianKrebs (briankrebs@infosec.exchange)'s status on Monday, 25-May-2026 22:48:00 JST, in reply to Kevin Beaumont

    @GossiTheDog Right. Meanwhile, the guy running it just continues to tell the media with a straight face that they never really got any abuse complaints. My response to that is yea that's what happens when your abuse mailbox goes straight to /dev/null/.

    In conversation about 10 days ago from infosec.exchange
  11. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:59:57 JST

    TIL there is a deleted verse at the end of the song The Day the Music Died, just after the bit about how the man there said the music wouldn't play.

    "And there I stood alone and afraid
    I dropped to my knees, and there I prayed
    And I promised Him everything I could give. If only He would make the music live
    And He promised it would live once more
    But this time one would equal four
    And in five years, four had come to mourn
    And the music was reborn"

    [edited title of song doh]

    In conversation about 12 days ago from infosec.exchange
  12. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:21:28 JST

    Say hello to Fred. I named him b/c I keep seeing him in the same place on trail walks. At least I think it's the same guy. Okay I don't even know if it's a he. But I still call him Fred. Anyway, he looks big, here, but he's actually just a little bigger than a golf ball.

    #fredtheturtle

    In conversation about 12 days ago from infosec.exchange

  13. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:08:55 JST

    I'm sort of wimpy around spiders, but I was marveling at this mama wolf spider outside our door. That is, until I realized she was carrying hundreds of copies of herself on her back that will soon invade our home (several days of heavy rain have forced a ton of creepy crawly things indoors). BUT, they will also eat lots of bugs, so..

    In conversation about 12 days ago from infosec.exchange

  14. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 02:42:53 JST, in reply to Evan Prodromou

    @evan Obligatory reference: https://www.youtube.com/watch?v=n0wWHTMMuSc

    In conversation about 13 days ago from infosec.exchange

    Attachments

    1. That there's some good in this world, Mr Frodo and it's worth fighting for - The Two Towers (YouTube, from Shah)
      Frodo: What are we holding onto, Sam?
      Sam: That there's some good in this world, Mr. Frodo... and it's worth fighting for.
      J. R. R. Tolkien - The Lord of the...
  15. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 02:40:25 JST

    There's a tendency for organizations to react to inadvertently exposing secrets in public code repositories by disabling the repo in question on GitHub, but then taking their time to rotate the exposed credentials. I guess the thinking is that well, maybe nobody noticed. And that's pure folly. From today's story:

    "Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits."

    "In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2025, Ayrey said.

    “We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”"

    In conversation about 13 days ago from infosec.exchange
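An added example, not from these notices and not Truffle Security's or GitHub's tooling, of the defender-side gate the notices above argue for (notice 7's terraform scripts with embedded clear-text AWS credentials, notice 15's point that attackers watch the public commit feed): a Python scanner that reads a git diff before it is pushed and flags added lines carrying an AWS access key ID, an AWS secret key assigned in config, or a PEM private key block. The regexes are heuristics of my own, and the diff is a constructed sample using AWS's documented example key pair; any hit means the credential is to be treated as exposed and rotated, because once the commit is published, disabling the repository does not recall it.

```python
import re
from dataclasses import dataclass
from typing import List

# Secret types named in the notices above: AWS access key IDs, an AWS secret
# key assigned in terraform/config, and a PEM-encoded private key block.
# These patterns are heuristics (assumptions), not any vendor's rule set.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r'(?i)(?:aws_)?secret(?:_access)?_key\s*[=:]\s*"?([A-Za-z0-9/+=]{40})"?'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    kind: str
    preview: str   # redacted, so the scanner's own output never leaks the secret


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def scan_diff(diff: str) -> List[Finding]:
    """Scan only lines a unified diff adds; removed lines never reach the repo."""
    findings: List[Finding] = []
    path, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # "--- a/file", removed lines, "\ No newline at end of file"
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in RULES.items():
                for hit in pattern.finditer(content):
                    secret = hit.group(1) if hit.groups() else hit.group(0)
                    preview = secret if kind == "private_key_block" else redact(secret)
                    findings.append(Finding(path, new_line, kind, preview))
        new_line += 1  # context (" ") and added ("+") lines both occupy a new-file line
    return findings


# Constructed sample diff: a terraform provider block with an embedded key pair
# (AWS's documented example credentials) and a committed private key file.
SAMPLE_DIFF = """\
diff --git a/infra/main.tf b/infra/main.tf
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -1,3 +1,6 @@
 provider "aws" {
   region     = "us-gov-west-1"
+  # TODO remove before pushing
+  access_key = "AKIAIOSFODNN7EXAMPLE"
+  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 }
diff --git a/keys/deploy.pem b/keys/deploy.pem
--- /dev/null
+++ b/keys/deploy.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA(body omitted in this constructed sample)
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    # Any finding means: rotate the credential now; deleting the repo is not enough.
```

Wired into a pre-push hook over `git diff origin/main...HEAD`, a non-empty result should block the push; a hit found after the fact is a rotation ticket, not a cleanup commit.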
  16. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 01:41:40 JST

    New, by me: Lawmakers Demand Answers as CISA Tries to Contain Data Leak

    "Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials."

    From the story:

    "KrebsOnSecurity has learned that more than a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets."

    "On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories."

    https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/

    In conversation about 13 days ago from infosec.exchange

    Attachments

    1. Lawmakers Demand Answers as CISA Tries to Contain Data Leak (krebsonsecurity.com)
      Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets…
  17. BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 22-May-2026 06:56:30 JST

    New, from me: Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in U.S. and Canada

    Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.

    https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/

    #botnet #ddos #kimwolf #cybercrime

    In conversation about 14 days ago from infosec.exchange

  18. BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 21-May-2026 04:25:04 JST

    Check it: Sen. Maggie Hassan (D-NH) is demanding answers from CISA and DHS over my reporting this week that a CISA contractor had published on GitHub a number of CISA AWS GovCloud keys and a ton of plaintext passwords, SSH keys, etc. for internal CISA resources.

    ICYMI:

    https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

    https://www.hassan.senate.gov/news/press-releases/senator-hassan-presses-for-answers-on-major-reported-data-leak-at-leading-cybersecurity-agency

    #cisa #cybersecurity #databreach

    In conversation about 15 days ago from infosec.exchange


  19. BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 19-May-2026 10:00:37 JST

    New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub

    Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

    https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

    In conversation about 16 days ago from infosec.exchange

  20. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 13-May-2026 07:35:08 JST

    We've come to an icky time in security when the concern about using outdated, unpatched software starts to become overshadowed by the fear of downloading some backdoored update.

    In conversation about 23 days ago from infosec.exchange
    BrianKrebs: Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09.
    Signal: briankrebs.07
    krebsonsecurity @ gmail .com
    Linkedin: https://www.linkedin.com/in/bkrebs
