(In) Secure Digest Halloween Edition: What Spooked IS Specialists in October

In the October digest we have gathered incidents that certainly set the nerves of the affected companies' IS departments on edge. The Halloween agenda includes a multi-million-dollar scam, a hacker offended that his work went unrecognised, and frighteningly frequent attacks on representatives of the game industry.

Ghost Contracting

What happened: Kitchenware manufacturer Williams Sonoma lost more than $10 million due to employee fraud.

How it happened: Ben Thomas, 48, worked as a general manager at one of Williams Sonoma's distribution centers. Thomas was responsible for selecting the companies from which temporary staff were hired and for approving payments of up to $50,000 to them. At the same time, he was prohibited from choosing companies affiliated with him.

It was later discovered that Thomas had concealed from his employer the fact that he owned a temporary staffing company. Through this company, Thomas earned more than $10 million between 2017 and 2023: he selected his own company as a contractor, approved the payments himself, and did not actually provide any services.

Thomas spent the proceeds on a 1,200 sq. m house, a yacht, cars, tickets to sporting events and even animal cloning. If the court finds Thomas guilty, he could face a maximum penalty of about 30 years in prison and a fine of many thousands of dollars for each offence.

Spooky intern

What happened: ByteDance intern sabotaged neural network development.

How it happened: Keiyu Tian, a programmer, got an internship at ByteDance, a large Chinese company. However, instead of working, he deliberately introduced errors into the code. His colleagues hunted for bugs around the clock, but eventually suspected something was wrong and started an investigation.

The saboteur was identified thanks to the logs. They showed that the intern first created confusion with checkpoints (the files in which the state of AI training is saved): Tian changed the model's training parameters and input data, deleted checkpoints, or stopped the training process. He then uploaded Pickle files containing malicious code; when loaded, the files automatically introduced bugs, changed the version of PyTorch (the ML framework), and so on.
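A defensive check for the Pickle-file vector described above, added here as an example and not code from ByteDance or from the original post: it lists the opcodes in a checkpoint file that could import a module or call a function, without loading the file, and then loads it through an unpickler that refuses any global not on an allowlist. The RISKY_OPS set, the allowlist and the sample blobs are this example's own assumptions.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that import a name or call a callable while a pickle is loaded.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}
# Hypothetical allowlist: globals a legitimate checkpoint may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def scan_pickle(data: bytes) -> list:
    """Names of risky opcodes in `data`, found without loading it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPS]

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(data: bytes):
    """Load `data` with the restricted unpickler; raises on other globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def check_checkpoint(data: bytes) -> dict:
    """Verdict for one blob: static-scan findings and restricted-load result."""
    risky = scan_pickle(data)
    try:
        safe_load(data)
        loadable = True
    except pickle.UnpicklingError:
        loadable = False
    return {"risky_ops": risky, "loadable": loadable}

def sample_blobs() -> dict:
    """Constructed inputs: a plain-dict checkpoint, an OrderedDict one, and a
    pickle that merely references a builtin function (it never calls it)."""
    return {
        "plain": pickle.dumps({"epoch": 3, "lr": 0.01}, protocol=4),
        "ordered": pickle.dumps(OrderedDict(epoch=3), protocol=4),
        "import": pickle.dumps(len, protocol=4),
    }

if __name__ == "__main__":
    for label, blob in sample_blobs().items():
        print(label, check_checkpoint(blob))
```

The static scan alone flags the OrderedDict checkpoint too, so in practice the allowlisted loader is the decision point and the scan is the triage signal.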

Tian attended all the meetings related to bug fixing without arousing anyone's suspicion. In effect, he kept his finger on the pulse and learnt how his colleagues planned to act, so that he could disrupt the development process even more effectively. As a result, a team of 30 programmers worked for two months for nothing. Deadlines were missed and customers' money was wasted.

ByteDance representatives later commented on the situation with Tian. They claimed that the media had exaggerated the scale of the incident and that the programmer had been fired back in August. The former employer also reported the intern's behaviour to the university where he is studying and to professional programming associations, to warn other companies about the malicious actor.

However, it is still unknown why Keiyu Tian sabotaged the business processes. Who knows: maybe it was an ideological struggle against a terrible future, just like in the Terminator movies?

History Killer

What happened: The Internet Archive, the organization that owns the Wayback Machine service, was hacked twice in one month.

How it happened: On 9 October, Wayback Machine users started receiving a strange JavaScript alert. It said that users' data had been stolen and that they should look for it in the leak-tracking service HIBP (Have I Been Pwned).

HIBP founder Troy Hunt confirmed that he had received a 6.4 GB SQL file named ia_users.sql shortly before. He estimated that the file contained 31 million unique records, including email addresses, bcrypt-hashed passwords, timestamps of password changes, etc. The most recent record was dated 28 September 2024, and the data was confirmed as real. Notably, archive.org was also hit by a DDoS attack on the same day.

Details of the second hack came to light on 20 October. Users started receiving responses to old tech-support requests about removing sites from the Wayback Machine. In the messages, an unknown author, who was certainly not a support employee, claimed to have gained access to tokens for the Zendesk platform, which the Archive uses to process user requests. He also called it dispiriting that the company had not replaced the API keys exposed in its GitLab.

As it later turned out, the root cause was an unprotected GitLab configuration file on one of the Internet Archive's development servers, and that file was the starting point of both hacks. It contained an authentication token that allowed the attacker to download archive.org source code and retrieve, among other things, the credentials for the site's DBMS. Access to the DBMS, in turn, made it possible to steal user credentials, download additional source code and modify the site.

Notably, these details were revealed by the author of the first hack. The hacker contacted the media through an intermediary, offended that 'his leak' had been attributed to the group that carried out the DDoS attack.

But all this multi-part drama did not destroy the service. At the time of publishing this text, the Internet Archive and the Wayback Machine are operating normally.

Scary addiction

What happened: An employee stole almost £1m because of a gambling addiction.

How it happened: Alan Doig, 57, had worked as a senior assistant accountant at Gedling Town Council for almost 20 years and was known as a man of integrity.

However, police discovered that Alan regularly transferred council money to his own account to fund his gambling addiction. Over a 19-year period he made a total of 86 such transactions, transferring £934,343,000 to his account in all.

Alan knew very well how his colleagues and the council's financial systems worked, which allowed him to remain undetected. But in 2021, because of the pandemic, the usual processes changed and new legal requirements were introduced. Alan's colleagues became suspicious of unusual transactions.

As a result, an investigation was launched, which led to prosecution. Alan pleaded guilty and expressed remorse, but still received a sentence of five years in prison.

After the incident, a spokesperson for the municipality said that they could not have prevented the fraud despite ‘numerous checks and controls’ because ‘the perpetrator had insider information’.

Monsters are on the loose!

What happened: GameFreak, the game developer known for the Pokemon series, fell victim to a cyberattack. Red Barrels, the developer of Outlast, had to postpone the release of updates for the same reason.

How it happened: On 12 October, screenshots of test builds and source code of yet-to-be-released games from the Pokemon franchise began appearing online. The developer's representatives quickly acknowledged the leak and stated that unknown threat actors had stolen a large amount of information about current and former employees, as well as contractors. The leaked data included names, email addresses, phone numbers, etc.

The company officials apologized and reported that the vulnerability exploited by the attackers had already been fixed. However, the developer has not responded in any way to the many Pokemon game materials leaked on the Internet. The leaked information includes at least the following: details of future projects, game source code, development documents, and internal communications between executives.

On 2 October, an important message from the team appeared on the website of the Canadian company Red Barrels. The developers reported that corporate IT systems had been attacked in order to gain access to data.

The company's specialists immediately implemented security measures and engaged third-party experts to investigate the incident. However, according to the developer's representatives, production deadlines had to be pushed back because of the cyberattack. This mostly affects the current version of the Outlast Trials video game and its updates.

A nightmare for Cisco’s CISO

What happened: IT giant Cisco experienced a data leak incident.

How it happened: On 14 October, an unknown attacker claimed to have hacked Cisco. In a post on a hacker forum, he claimed that he and his associates had breached the company, stolen a large trove of data and put it up for sale.

According to the hacker's statement, the following information was leaked: GitHub, GitLab and SonarQube projects; source code; hard-coded credentials; certificates; customer SRCs; Cisco confidential documents; Jira tickets; API tokens; AWS private buckets; Cisco technology SRCs; Docker builds; Azure storage buckets; private and public keys; SSL certificates; "Cisco Premium Products & More!"

After the incident, journalists contacted the hacker. They learned that the incident was caused by an exposed API token, and also received samples of the stolen data and screenshots supporting the attacker's claims.

Initially, company representatives said they had found no evidence that their systems had been compromised, but contradictory statements followed. Cisco officials reported that their systems had not been compromised, but that a small number of files not authorized for public download might nevertheless have been made public. Because of this, the IT giant took the publicly accessible DevHub portal offline on 18 October.

IS tip of the month: IS incidents will remain merely a bogeyman if defence systems are used comprehensively. DLP will detect saboteurs, gamblers and side companies, DCAP will check that authorization data for internal services is stored securely, and SIEM will identify vulnerabilities in the corporate network. You can test the functionality of these IS tools free of charge for a month.


SearchInform is a 100% private company that develops risk management products being one of the industry leaders. More than 4,000 companies across 20+ countries are SearchInform clients. The development team has been creating search technologies for unstructured data since 1995 and started developing information security solutions in 2004. Today, the team has products and services for comprehensive protection against insider threats at all levels of corporate information systems.
