Notices by BrianKrebs (briankrebs@infosec.exchange)

The Google Threat Intelligence Group (GTIG) says it has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

"The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise."

"In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website."

"In more tailored remote phishing operations, malicious device-linking QR codes have been embedded in phishing pages crafted to appear as specialized applications used by the Ukrainian military."

"Beyond remote phishing and malware delivery operations, we have also seen malicious QR codes being used in close-access operations. APT44 (aka Sandworm or Seashell Blizzard, a threat actor attributed by multiple governments to the Main Centre for Special Technologies (GTsST) within Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), known commonly as the GRU) has worked to enable forward-deployed Russian military forces to link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation."

Google says Signal, in collaboration with GTIG, has released updates for Android and iOS to mitigate these attacks. Users should update their apps immediately.

https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger

Day 5 of posting about the coup on Linkedin. I can't begin to count the number of people in infosec LI who messaged privately to say keep going, nobody's talking about this here, this is important, etc. That's been nice.

But then also a lot of times when I check these peoples' timelines on LI it's like <crickets>. So that makes me a little sad. But then I think, self, you're in a much better position to piss off infosec LI than most, and that's to be expected. And that's a good thing.

Also, there are SO many people in or on the fringe of the infosec industry that have such horrible takes on why it is okay to break the law, flout the courts, the Constitution and Congress in the name of fighting "government fraud." As if that's not just a replacement for "election fraud," which likewise hasn't materialized. Anyway, I guess they're all on record as cheering the nazi parade, so there's that.

I'm generally not engaging in conversations with these cult followers, because never argue with an idiot, right? But I also don't want the same drones cluttering up my timeline with inanities and whataboutism. So my strong inclination is to block useful idiots, but then I think well why am I even here if I'm doing that? I did block some people though and it felt good.

As you can see, I am somewhat conflicted about this project.

My efforts to keep the coup on the minds of people who follow on LinkedIn have produced mixed results. But those posts are undeniably being read by a lot of people, so that makes me happy.

Ken is a good example of the kinds of direct messages I get a lot on LinkedIn these days. Ken's profile says he's a Microsoft specialist.

Or is he...?

Ken's profile says it was created in 2007, so it's not an account that just materialized. Something in me wants to give Ken the benefit of the doubt.

This opening message from Ken is typical in that it

a) seems to be worded oddly for a native English speaker
b) suggests I'm taking money to speak out (in this case from USAID no less)
c) asserts that I am slandering the administration and
d) menacingly or vaguely promising retribution. Ken's message is somewhat confusingly worded ("I'm text to a bot"), and that caught my eye again. So I decided to take the bait.

Ken Payne
9:55 PM

How much $ do u get from USAID - indirectly ? George Mason. International studies. We know. 😂 im text to a bot. But your slanderous days are over.

Brian Krebs
10:07 PM
Hi Ken. You're a bot? Really? Tell me more. That would explain a lot.

Ken Payne
10:16 PM
No, I’m not a bot. But i thought you are. I welcome a conversation.

Brian Krebs
10:16 PM
Do you always start conversations this way?

Ken:
Is Ronald Reagan the president of?

Brian Krebs
10:17 PM
Is English your language of?

Ken Payne
10:17 PM
Testing the AI

Brian Krebs
10:18 PM
oh. I'm talking with AI?

Ken Payne
10:18 PM
We can talk any time.

Brian Krebs
10:18 PM
Apparently one of us can

Brian Krebs
10:19 PM
Well, Ken, I gotta hand it to you: You drank the Microsoft Kool-Aid, and I guess after that the Trump Kool-aid went down real easy, right?

Prove to me you're not a bot, Ken.

Ken Payne
10:20 PM

I’m him free now. U disapprove of DOGE. I support it. U are more suspicious than I.

Brian Krebs
10:21 PM
I think you either are a bot that's part of an influence campaign, or you're just not that bright. You certainly don't speak like someone who has an education, or a very good grasp of the English language.

Ken Payne
10:22 PM
I work at MSFT. but I see their sins. Perhaps Chinese intelligence influence. Dunno

Brian Krebs
10:22 PM
So Ken, how can YOU prove you're a real person?

Can I call you?
Ken, I'm starting to have real doubts about your non-botness
Ken?

Unsurprisingly, Ken didn't want to chat on the phone, or give a phone number.

Is Ken a bot? Or is Ken just another useless idiot? Either way, there sure are a lot of Kens.

One frustrating aspect of trying to write about all the incredibly reckless and risky actions taken by this administration with govt data is that by the time you're done writing, half the stuff in your story is outdated already, because they've reversed themselves, or they've been reversed. Or, and this is usually the most frequent cause: Because they've gone and done something even more colossally stupid, cruel and/or unwise.

I have not missed this aspect of reporting on the Trump administration at all. But it is absolutely true that their flood-the-zone-with-stupid approach really can become something like a mental ddos on journalists. And ofc that's intentional.

It's been truly sickening to read the news today: Trump calls Zelensky a "dictator" who took US money to go to war, making it clear as day that the US president sides with Russia in this conflict. Zelensky says the president lives in a circle of disinformation. That is plain to see, even for Trump's supporters, who live in and help cultivate that same bubble.

Meanwhile, Russian officials are offering American companies the chance to make billions by coming back to Russia. And wouldn't you know it? The White House is open to this idea. Nevermind that just two years ago Russia appropriated a good portion of the brands for the Fortune 100, and then took over their stores and sold them to Friends of Putiny.

https://www.nytimes.com/2025/02/19/world/europe/trump-russia-ukraine-putin-trump.html

CNN reports the Social Security Administration's acting commissioner Michelle King’s departure from the agency over the weekend – after more than 30 years of service – was initiated after King refused to provide DOGE staffers at the SSA with access to sensitive information, the people said Monday.

White House has replaced her as acting commissioner with Leland Dudek, who currently works at the SSA.

Here's a now-deleted self-serving confession from Dudek, which speaks volumes about the pervasive cowardice that is essential for this administration to get what it wants.

NextGov reports that Katie Arrington, the former South Carolina state lawmaker who helped steer Pentagon cybersecurity contracting policy before being placed on leave amid accusations that she disclosed classified data from a military intelligence agency, announced that she is the Defense Department’s new chief information security officer.

https://www.nextgov.com/defense/2025/02/katie-arrington-announces-she-dods-new-ciso/403091/?oref=ng-homepage-river

If you want to learn how Chinese phishing or "smishing" groups are turning phished card data into mobile wallets, check out today's story. The innovation coming out of these groups is remarkable, and includes mobile apps that let thieves relay "ghost tap" NFC transactions to a payment terminal from halfway around the world.

What I find most remarkable is how millions of businesses have spent years and billions of dollars upgrading payment terminals to use more secure chip-based cards. And now these phishers come along and just bypass all of that, creating Apple and Google mobile wallets with the phished card data and a one-time code.

Here's the lede:

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

https://krebsonsecurity.com/2025/02/how-phished-data-turns-into-apple-google-wallets/

We're learning more about the crack team at DOGE from DOGEwhisperer over at Bsky:

https://bsky.app/profile/dogginglover.bsky.social/post/3lid446df4224

Specifically, about Christopher Stanley, former Senior Director for Security Engineering at X and Principal Security Engineer at SpaceX, now serves as a Musk aide at DOGE with a White House role.

"Also known as Unh0ly, enKrypt, or Reneg4d3—the former owner of Error33[.]net, a warez and hacking forum, and theC0re, a video game cheating community. His 2011 personal website r00tyou[.]com prominently featured the n-word on the front page."

"'Christopher’s (or enKrypt’s) biggest hacking claim to fame came in 2015 when he hacked LizardStresser, a DDoS tool affiliated with Lizard Squad. He provided the dumped database to Brian Krebs, which led to him and his family being targeted and doxxed by the group."

My reporting in 2015 didn't name Stanley as the source, but he outed himself by posting a video of the LizardStresser hack to his eNKrypt Youtube channel, and soon was targeted with swatting attacks.

https://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked/

Bruce Schneier Davi Ottenheimer have written a tremendous piece for Foreign Policy that everyone should read called "DOGE is Hacking America." It clearly explains why what DOGE is doing has to be stopped, and what's at stake here.

https://foreignpolicy.com/2025/02/11/doge-cyberattack-united-states-treasury/

I used to subscribe to FP but then found it came with my Apple News subscription. But I realize not everyone has that, so:
https://archive.ph/lSHkJ

Here's an excerpt:

"But the most alarming aspect isn’t just the access being granted. It’s the systematic dismantling of security measures that would detect and prevent misuse—including standard incident response protocols, auditing, and change-tracking mechanisms—by removing the career officials in charge of those security measures and replacing them with inexperienced operators.

The Treasury’s computer systems have such an impact on national security that they were designed with the same principle that guides nuclear launch protocols: No single person should have unlimited power. Just as launching a nuclear missile requires two separate officers turning their keys simultaneously, making changes to critical financial systems traditionally requires multiple authorized personnel working in concert.

This approach, known as “separation of duties,” isn’t just bureaucratic red tape; it’s a fundamental security principle as old as banking itself. When your local bank processes a large transfer, it requires two different employees to verify the transaction. When a company issues a major financial report, separate teams must review and approve it. These aren’t just formalities—they’re essential safeguards against corruption and error.

These measures have been bypassed or ignored. It’s as if someone found a way to rob Fort Knox by simply declaring that the new official policy is to fire all the guards and allow unescorted visits to the vault.

The implications for national security are staggering. Sen. Ron Wyden said his office had learned that the attackers gained privileges that allow them to modify core programs in Treasury Department computers that verify federal payments, access encrypted keys that secure financial transactions, and alter audit logs that record system changes. Over at OPM, reports indicate that individuals associated with DOGE connected an unauthorized server into the network. They are also reportedly training AI software on all of this sensitive data."

A group of 20-somethings with names like "Big Balls" gain unauthorized access to your servers, delete data, take your website down, and now you can't serve your customers and your organization goes belly up unless you pay money to a mafia boss.

Sounds a lot like ransomware, doesn't it? When your government starts imitating ransomware playbooks, it's a four-alarm fire. At least in theory one can negotiate with ransomware actors.

Guess I'll just keep adding to the list as more infosec people from the financial industry continue to cheer on the illegal and unconstitutional actions by this administration, while bashing anyone who calls it for what it is.

Here's one of but many examples.

Imagine being an infosec person in US govt trying to communicate about today's patches from Microsoft. You wouldn't even be able to properly classify or describe the most serious 0day today --a privilege escalation vulnerability -- because banned "DEI" words.

The NYT has published a useful graphic showing all the agencies with investigations into or regulatory battles with Musk's companies that have seen staffing cuts, including the firing of top officials.

https://www.nytimes.com/2025/02/11/us/politics/elon-musk-companies-conflicts.html

In case anyone needs a handy reference to all of the lawsuits filed against this administration's actions so far, Court Watch has a fairly comprehensive and updated list:

https://www.courtwatch.news/p/lawsuits-related-to-trump-admin-executive-orders

@GossiTheDog yeah their developers weren't too swift either:

https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/

The president of the American Bar Association (ABA) says he's concerned about the rapid pace at which this administration is breaking the law and flouting the Constitution.

"We see wide-scale affronts to the rule of law itself, such as attacks on constitutionally protected birthright citizenship, the dismantling of USAID and the attempts to criminalize those who support lawful programs to eliminate bias and enhance diversity."

"We have seen attempts at wholesale dismantling of departments and entities created by Congress without seeking the required congressional approval to change the law. There are efforts to dismiss employees with little regard for the law and protections they merit, and social media announcements that disparage and appear to be motivated by a desire to inflame without any stated factual basis. This is chaotic. It may appeal to a few. But it is wrong. And most Americans recognize it is wrong. It is also contrary to the rule of law."

https://www.americanbar.org/news/abanews/aba-news-archives/2025/02/aba-supports-the-rule-of-law/

I'm working on several stories about some important evolutions in cybercrime, but it's been really hard to dedicate time and attention to those with the current administration creating constitutional challenges almost on a daily basis, and doing all kinds of things that will surely weaken the cybersecurity and national security of this country.

But I can't even visit LinkedIn anymore, because I just want to vomit when I see the endless stream of people in the tech industry whistling dixie and pimping their businesses like nothing's going on. Like any of that matters if you don't have a democracy anymore.

Anyway, it's frustrating because this all out, constant assault on the checks and balances to executive power has the added benefit to our adversaries of turning our attention inward, and paying far less attention to external threats.