GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by BrianKrebs (briankrebs@infosec.exchange)

  1. BrianKrebs (briankrebs@infosec.exchange)'s status on Monday, 25-May-2026 22:48:00 JST
    in reply to
    • Kevin Beaumont

    @GossiTheDog Right. Meanwhile, the guy running it just continues to tell the media with a straight face that they never really got any abuse complaints. My response to that is yea that's what happens when your abuse mailbox goes straight to /dev/null/.

    In conversation about 3 days ago from infosec.exchange permalink
  2. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:59:57 JST

    TIL there is a deleted verse at the end of the song The Day the Music Died, just after the bit about how the man there said the music wouldn't play.

    "And there I stood alone and afraid
    I dropped to my knees, and there I prayed
    And I promised Him everything I could give. If only He would make the music live
    And He promised it would live once more
    But this time one would equal four
    And in five years, four had come to mourn
    And the music was reborn"

    [edited title of song doh]

    In conversation about 5 days ago from infosec.exchange permalink
  3. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:21:28 JST

    Say hello to Fred. I named him b/c I keep seeing him in the same place on trail walks. At least I think it's the same guy. Okay I don't even know if it's a he. But I still call him Fred. Anyway, he looks big, here, but he's actually just a little bigger than a golf ball.

    #fredtheturtle

    In conversation about 5 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/625/012/184/156/401/original/25ea4c1df5298798.png
  4. BrianKrebs (briankrebs@infosec.exchange)'s status on Sunday, 24-May-2026 02:08:55 JST

    I'm sort of wimpy around spiders, but I was marveling at this mama wolf spider outside our door. That is, until I realized she was carrying hundreds of copies of herself on her back that will soon invade our home (several days of heavy rain have forced a ton of creepy crawly things indoors). BUT, they will also eat lots of bugs, so..

    In conversation about 5 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/624/972/637/865/985/original/9fb94d15416bc9fd.png
  5. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 02:42:53 JST
    in reply to
    • Evan Prodromou

    @evan Obligatory reference: https://www.youtube.com/watch?v=n0wWHTMMuSc

    In conversation about 6 days ago from infosec.exchange permalink

    Attachments

    1. That there's some good in this world, Mr Frodo and it's worth fighting for - The Two Towers
      from Shah
      Frodo: What are we holding onto, Sam? Sam: That there's some good in this world, Mr. Frodo... and it's worth fighting for. J. R. R. Tolkien - The Lord of the...
  6. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 02:40:25 JST
    in reply to

    There's a tendency for organizations to react to inadvertently exposing secrets in public code repositories by disabling the repo in question on GitHub, but then taking their time to rotate the exposed credentials. I guess the thinking is that well, maybe nobody noticed. And that's pure folly. From today's story:

    "Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do so easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits."

    "In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2025, Ayrey said.

    “We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”"

    In conversation about 6 days ago from infosec.exchange permalink
  7. BrianKrebs (briankrebs@infosec.exchange)'s status on Saturday, 23-May-2026 01:41:40 JST

    New, by me: Lawmakers Demand Answers as CISA Tries to Contain Data Leak

    "Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials."

    From the story:

    "KrebsOnSecurity has learned that more than a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets."

    "On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories."

    https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/

    In conversation about 6 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/619/204/346/413/400/original/e1050233c912b78d.png
  8. BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 22-May-2026 06:56:30 JST

    New, from me: Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in U.S. and Canada

    Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.

    https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/

    #botnet #ddos #kimwolf #cybercrime

    In conversation about 7 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/614/785/287/827/638/original/7ca0139dd95d9650.png
  9. BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 21-May-2026 04:25:04 JST

    Check it: Sen. Maggie Hassan (D-NH) is demanding answers from CISA and DHS over my reporting this week that a CISA contractor had published on GitHub a number of CISA AWS GovCloud keys and a ton of plaintext passwords, SSH keys, etc. for internal CISA resources.

    ICYMI:

    https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

    https://www.hassan.senate.gov/news/press-releases/senator-hassan-presses-for-answers-on-major-reported-data-leak-at-leading-cybersecurity-agency

    #cisa #cybersecurity #databreach

    In conversation about 8 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/608/334/268/532/032/original/0f56c047ed3a6bd6.png

    2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/608/357/179/484/950/original/1acdf7241bf633c1.png

  10. BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 19-May-2026 10:00:37 JST

    New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub

    Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

    https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

    In conversation about 9 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/597/563/541/512/344/original/8f9a823d2ae9bc9c.png
  11. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 13-May-2026 07:35:08 JST

    We've come to an icky time in security when the concern about using outdated, unpatched software starts to become overshadowed by the fear of downloading some backdoored update.

    In conversation about 16 days ago from infosec.exchange permalink
  12. BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 08-May-2026 12:29:04 JST

    New, from me: Canvas Breach Disrupts Schools and Colleges Nationwide

    "An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions."

    "Canvas parent firm Instructure [NYSE:INST] responded to today's defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students."

    Lots more here:

    https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/

    #canvas #breach #shinyhunters #instructure

    In conversation about 20 days ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/536/721/932/019/959/original/a4d51ec80caca497.png
  13. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 15-Apr-2026 12:33:14 JST
    in reply to
    • Mike Sheward
    • Chet Faliszek
    • Kevin Karhan

    @kkarhan @SecureOwl I had to dig up this 2008 WaPo story from Archive since WaPo nuked all my blog posts from their site. It's about @chetfaliszek, the guy who registered donotreply.com.

    https://web.archive.org/web/20110810225035/http://voices.washingtonpost.com/securityfix/2008/03/they_told_you_not_to_reply.html

    In conversation about a month ago from gnusocial.jp permalink

    Attachments

    1. donotreply.com
    2. Security Fix - They Told You Not To Reply
  14. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 15-Apr-2026 07:33:51 JST
    • Will Dormann

    ZOMG! It's freakin Patch Tuesday again. And Microsoft has patched a staggering 167 security holes (think more people are using AI to find bugs, maybe?)

    tl;dr: There's something for everyone today, like an Adobe Reader 0day that's apparently been exploited since at least November 2025; a SharePoint zero-day; and a fix for BlueHammer -- a Windows Defender bug for which there is working exploit code that no longer works if you install today's Windows updates (as per @wdormann).

    https://krebsonsecurity.com/2026/04/patch-tuesday-april-2026-edition/

    In conversation about a month ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/405/281/966/806/831/original/f61414859dc60aae.png
    2. Patch Tuesday, April 2026 Edition
      Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed "BlueHammer." Separately, Google Chrome fixed its…
  15. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Apr-2026 06:15:24 JST

    New, from me: Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

    https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

    In conversation about 2 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/364/757/985/763/964/original/4111e74f07ee59bf.png
  16. BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 03-Apr-2026 06:05:27 JST
    in reply to
    • Heidi Li Feldman

    @heidilifeldman the most corrupt everything all the time. your own personal lawyer as the AG are you freaking high? sure, no conflict there at all. every single attorney associated with this administration should be facing disbarment proceedings like yesterday.

    In conversation about 2 months ago from infosec.exchange permalink
  17. BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 02-Apr-2026 09:38:44 JST

    The POTUS' war on Iran is already bringing rationing of fuel and major disruptions in many countries, and it's going to get a lot worse soon as the final shipments that made it thru the Strait start to arrive this week, the NYT reports. I admire (but do not share) this story's optimism of the potential for the Iran war to hasten more global adoption of renewables.

    "Sri Lanka and Myanmar are rationing fuel. The Philippines has instituted four-day workweeks to conserve gasoline and electricity. Bangladesh briefly closed its universities to reserve power for homes and businesses. Across India, families and restaurants are cooking over wood fires for want of gas. Airlines are canceling flights."

    "As painful as the first phase of the energy crisis set off by the war with Iran has been, what comes next will be worse. This week, the final deliveries of oil and liquefied natural gas to Asia that passed through the Strait of Hormuz before it was closed are expected to arrive. The last tanker shipments to Europe should land by mid-April. After that, many countries’ reserves of gasoline, diesel, liquid petroleum gas and natural gas will dwindle. The price of oil could soar as high as $200 a barrel if the war drags on."

    Meanwhile, China -- which leads the world in battery technology production -- stands to massively gain from all this oil shock.

    "As the Philippines declared a national energy emergency on March 24, car shoppers in Manila were crowding into showrooms of the Chinese carmaker BYD and purchasing E.V.s ."

    Of course, here in the US we've largely said that we're just gonna keep making gas guzzlers and forget about all those pledges we made to invest in electric vehicles. Consumers in the US would be flocking to those BYD cars too if import duties didn't make them prohibitively expensive. Most of the big car makers in the US are hopelessly focused on people who don't bat an eyelash spending $60,000 (base price) for a new car or truck.

    https://www.nytimes.com/2026/04/01/opinion/oil-crisis-iran-electric-solar.html

    In conversation about 2 months ago from infosec.exchange permalink

  18. BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 24-Mar-2026 06:52:24 JST

    Whoa, that escalated quickly. This just got sent out by the press folks at the Federal Communications Commission (FCC). The FCC says it has decided that all foreign-made consumer-grade Internet routers are henceforth prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the United States.

    "Update Follows Determination by Executive Branch Agencies that Consumer-Grade Routers Produced in Foreign Countries Threaten National Security

    WASHINGTON, March 23, 2026—Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones, and smart devices to the internet. This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers “pose unacceptable risks to the national security of the United States or the safety and security of United States persons.”

    "The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

    "This action does not affect any previously-purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired."

    "Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to conditional-approvals@fcc.gov."

    Not sure how many consumer-grade routers will be left for sale if it really is a ban on approvals for any foreign-made consumer routers like they said, and not just a bunch of already restricted Chinese makers like Huawei and ZTE.

    https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers

    FCC's "covered list" of "thou shalt not entities": https://www.fcc.gov/supplychain/coveredlist

    In conversation about 2 months ago from infosec.exchange permalink
  19. BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 12-Mar-2026 01:41:57 JST

    Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

    A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

    From the story:

    "Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

    "Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

    https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

    #stryker #handala #intune #wiper #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/211/464/307/859/938/original/3d348cfab9495ad4.png
  20. BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 11-Mar-2026 09:38:20 JST

    New, by me: How AI Assistants are Moving the Security Goalposts

    AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

    Read more (and boost please!):

    https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/

    #openclaw #AI #agentic #aiagents #lethaltrifecta

    In conversation about 3 months ago from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/116/200/212/293/707/219/original/44864d04eae0af69.png

    Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 krebsonsecurity @ gmail .com LinkedIn: https://www.linkedin.com/in/bkrebs

    Statistics

    User ID: 21764
    Member since: 9 Nov 2022
    Notices: 621
    Daily average: 0


    GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

    All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.