December 29, 2022

KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!

Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to effect positive change. Some of that work is highlighted in the 2022 Year in Review below.

Until recently, I was fairly active on Twitter, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.

Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.

JANUARY

You just knew 2022 was going to be The Year of Crypto Grift when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.

Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from Peter Norton himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer RadioShack wasted no time in announcing plans to launch a cryptocurrency exchange.

By the second week of January, Russia had amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.

Security and Russia experts dismiss the low-level arrests as a kind of “ransomware diplomacy,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.

The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the U.S. Internal Revenue Service website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — ID.me.

Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.

FEBRUARY

Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. Matt Damon sells his soul to Crypto.com, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.

Larry David, the comedian who brought us years of awkward hilarity with hits like Seinfeld and Curb Your Enthusiasm, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for FTX, a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” [Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies].

On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam is Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.

Ransomware group Conti chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration several years worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.

Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Chipmaker NVIDIA says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by LAPSUS$, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.

LAPSUS$ soon employs these skills to siphon source code and other data from some of the world’s biggest technology firms, including Microsoft, Okta, Samsung, T-Mobile and Uber, among many others.

MARCH

We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including Apple, Discord and Meta/Facebook — have complied with the fake requests, and draws the attention of Congress to the problem.

APRIL

It emerges that email marketing giant Mailchimp got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of Trezor hardware cryptocurrency wallets.

The FBI warns about a massive surge in victims from “pig butchering” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.

The now-defunct and always phony cryptocurrency trading platform xtb-market[.]com, which was fed by pig butchering scams.

MAY

KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a U.S. Drug Enforcement Administration (DEA) portal that taps into 16 different federal law enforcement databases.

The government of Costa Rica is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.

JUNE

KrebsOnSecurity identifies Russian national Denis Emelyantsev as the likely owner of the RSOCKS botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. Emelyantsev was arrested that same month at a resort in Bulgaria, where he requested and was granted extradition to the United States — reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

JULY

Big-three consumer credit bureau Experian comes under scrutiny after KrebsOnSecurity reveals identity thieves are reliably seizing control over consumer credit files by simply re-registering using the target’s personal information and an email address tied to the crooks. Two months later, Experian would be hit with a class-action lawsuit over these security and privacy failures.

Twitter acknowledges that it was relieved of phone numbers and email addresses for 5.4 million users. The security weakness that allowed the data to be collected was patched in January 2022.

AUGUST

Messaging behemoth Twilio confirms that data on 125 customers was accessed by intruders, who tricked employees into handing over their login credentials by posing as employees of the company’s IT department.

Among the Twilio customers targeted was encrypted messaging service Signal, which relied on Twilio to provide phone number verification services. Signal said that with their access to Twilio’s internal tools, the attackers were able to re-register those users’ phone numbers to another device.

Food delivery service DoorDash discloses that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. Thanks to data left exposed online by the intruders, it becomes clear that DoorDash was victimized by the same group that snookered employees at Twilio, Mailchimp, CloudFlare, and dozens of other major companies throughout 2022.

Mailchimp discloses another intrusion involving targeted phishing attacks against employees, wherein hackers stole data on more than 200 Mailchimp customers. Web hosting giant DigitalOcean discloses it was one of the victims, and that the intruders used their access to send password reset emails to a number of DigitalOcean customers involved in cryptocurrency and blockchain technologies. DigitalOcean severs ties with Mailchimp after that incident, which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.

Password manager service LastPass discloses that its software development environment was breached, and that intruders made off with source code and some proprietary LastPass data. LastPass emphasizes the intruders weren’t able to access any customer data or encrypted password vaults, and that “there is no evidence of any threat actor activity beyond the established timeline,” and “no evidence that this incident involved any access to customer data or encrypted password vaults.”

SEPTEMBER

Uber discloses another breach, forcing the company to take several of its internal communications and engineering systems offline as it investigates. The intrusion only comes to light when the hacker uses the company’s internal Slack channel to boast about their access, listing several internal databases they claimed had been compromised. The intruder told The New York Times they got in by sending a text message to an employee while posing as an employee from Uber’s IT department. Uber blames LAPSUS$ for the intrusion.

Australian telecommunications giant Optus suffers a data breach involving nearly 10 million customers, including passport or license numbers on almost three million people. The incident dominates headlines and politics in Australia for weeks, as the hacker demands a million dollars in cryptocurrency not to publish the information online. Optus’s CEO calls the intrusion a “sophisticated attack,” but interviews with the hacker reveal they simply enumerated and scraped the data from the Optus website without authentication. After briefly posting 10,000 records from the intrusion, the hacker announces they made a mistake, and deletes the auction.

OCTOBER

A report commissioned by Sen. Elizabeth Warren (D-Mass.) reveals that most big U.S. banks are stiffing account takeover victims. Even though U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner, the report cited figures showing that four of the nation’s largest banks collectively reimbursed only 47 percent of the dollar amount of claims they received.

Joe Sullivan, the former chief security officer for Uber, is found guilty of two felonies after a four-week trial. In 2016, while the U.S. Federal Trade Commission was already investigating a 2014 breach at Uber, another security breach affected 57 million Uber account holders and drivers. The intruders demand $100,000, but Sullivan and his team paid the ransom under the company’s bug bounty program, made the hackers sign a non-disclosure agreement, and concealed the incident from users and investors. The two hackers involved pleaded guilty in 2019; by this time, it has become a nearly everyday occurrence for victim companies to pay to keep a ransomware attack quiet.

NOVEMBER

A ransomware group with ties to REvil begins publishing names, birth dates, passport numbers and information on medical claims on nearly 10 million current and former customers of Australian health insurer Medibank. The data is published after Medibank reportedly declines to pay a US$10 million ransom demand.

DECEMBER

KrebsOnSecurity breaks the news that InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, saw its database of contact information on more than 80,000 members put up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible were communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

A cybercriminal starts selling account data scraped from 400 million Twitter users, including email addresses and in many cases phone numbers. The seller claims their data was scraped in late December 2021 using the same vulnerability that Twitter patched in January 2022, and that led Twitter to acknowledge the data scraping of 5.4 million user accounts earlier this year. Twitter no longer has a press office, and the company’s Chief Twit has remained silent about the 400 million claim so far, despite many indications that the data is legitimate.

Two days before Christmas, LastPass posted an update on its investigation into the August data breach, saying the intruder was able to use data stolen in the August breach to come back and copy a backup of customer vault data from the encrypted storage container. LastPass’s lackadaisical disclosure timeline and failure to answer follow-up questions has done little to assuage the fears of many users, leaving Wired.com to recommend users abandon the platform in favor of the password managers 1Password and Bitwarden.

Also two days before Christmas, KrebsOnSecurity notifies Experian that anyone can bypass security questions in their application for a free credit report, meaning identity thieves can access your full credit file with just your name, address, date of birth and Social Security number. Unfortunately, this static data on most Americans has been for sale in the cybercrime underground for years. Experian has yet to say whether it has fixed the problem, but expect to see a full report about this early in the New Year.

This entry was posted on Thursday 29th of December 2022 05:35 PM


68 thoughts on “Happy 13th Birthday, KrebsOnSecurity!”

  1. Dave

    Thank you for all the fantastic and informative information over the last twelve years.
    Brian, you rock

    Reply
  2. Andy

    There are three ways to be prepared for a problem: foresight, experiencing it firsthand, or learning about it before it becomes widespread. This is the ideal place for the latter.

    Reply
  3. Donna

    Happy 12th birthday, KOS! Thank you, Brian, for the hard work you do to bring us essential and interesting information.

    Reply
  4. Andy

    This is not the birthday you were looking for*.

    *https://krebsonsecurity.com/2022/13/happy-13th-birthday-krebsonsecurity/

    Reply
  5. nina

    Hi Brian, this appreciative blog reader / lurker has suggested you and your work be considered for a First Amendment Coalition award. I think you nail all the criteria but their judges may have different mileage. Regardless, best of luck in 2023 and know that your efforts are valued and essential.

    Reply
  6. Henry Winokur

    Well done on reaching this milestone, Brian.

    It scares me to think about what we’d have to do without reporters like you.

    Experian–among others–again demonstrates why it is a totally unreliable partner in anything having to do with one’s personal financial safety. They should be put out of our misery by being put out of business.

    Reply
  7. John

    Wow! What a guy! Very impressive. I appreciate your hard work. Regards Johnnyb.

    Reply
  8. John

    Thank you Brian for the great service you do for the cyber security community.

    Reply
  9. Steve M

    Congratulations BK and KOS on thirteen years, happy birthday. Wishing you another thirteen plus many, many more birthdays as well. Thanks for all the information you provide as well, it is appreciated.

    Reply
  10. Ken Sims

    Congratulations! But you know what this means … KrebsOnSecurity is now a teenager.
    Pretty soon it’s going to be all “Why do we always gotta post what you want? Why can’t we ever post what I want?”
    Brian: “Well, what do you want to post?”
    KOS: “I dunno.”

    Reply
  11. kate

    Thank you for all you do to keep track of all this, and try to make it safer!

    Reply
  12. Karen Morgan

    Happy 13th birthday to KOS, Brian Krebs! You have made KOS the go-to for all things cyber security-related. I have been a fan of yours since those long ago Washington Post reporting days and continue to be a fan. Thank you for the service you provide with your deep dives that shine a light onto the mal-actors and the mal-acts that make the Internet such a risky place to operate in. Here’s to many more years of you doing what you do best!

    Reply
  13. Ralph Hightower

    Norton Security:
    I have just one question. WTF?

    I’m glad that I ditched Norton Security ages ago.

    Reply
  14. Scott E

    Honestly, if KOS wasn’t around it would be like a big gaping hole in how I keep tabs on the infosec corner. It is a resource more than news. Many Thanks!

    Reply
  15. mark

    Congrats, and thank you very much for your work. During the last years I was working before I retired, I began reading this site, and still do… and not infrequently in that time warned my employer, as well as family and friends (those supermarket skimmers? gas pump skimmers?).

    I considered it part of my job to read you.

    Reply
  16. Nancy

    Happy Birthday! May there be many more.
    I make sure to read every posting and recommend to any who will listen.
    Thank you for all your work.

    Reply
  17. Jeff

    Thank you for all you do Brian!
    To recap your recap: While you should use ‘best practices’ with your data and ID, neither will ever be secure. Consumers and businesses will get hacked – it’s just a matter of time.
    Credit bureaus should be regulated by the government – it’s appalling they can store consumers’ information and control their lives and we can’t at the very least have standard ‘secure’ practices amongst them all. Of course this is the same government that can’t secure its own data so…

    Reply
  18. Greg in California

    Brian, excellent work. I don’t know how you keep up with all these issues.

    Reply
  19. Roger A. Grimes

    Congrats, Brian! You are THE BEST investigative cybersecurity reporter/investigator on the planet! You were from your early beginnings and you are still today. You have shared so much good information earlier than anyone else, at times at great personal risk to yourself. Thanks for your service to our community. I tried to quit Twitter and there’s just too much good information and people that mostly only post there. Mastodon’s a pain…so much so that probably 2/3rds of the people I know who wanted to go there just gave up. It’s not hard to sign up and use, but harder than the other more popular social media choices anyone can use. It’s hard to tell others to move to Mastodon when it’s harder to register, harder to use, and far fewer people are there.

    Reply
    1. John M

      Mastodon has actually become super easy.
      It’s not more difficult than Twitter or other alternatives, it’s just different. People have expectations of it being just like Twitter, so they call it hard.
      Most people who at least try it, succeed. 10 million in just 2 months, by far the most successful Twitter alternative.

      Reply
  20. Wayne

    Really weird that all of the “journalists” bailed on Twitter as soon as they stopped suppressing free speech. Even stranger they all flocked to a platform where you can create cliques of like-minded people to suppress alternative thoughts…

    Reply
    1. BrianKrebs Post author

      Plenty of people — including tons on Twitter — made it clear that if you don’t like the new Twitter, you should just leave. Which is what I did.

      I used to post a great deal of original content on Twitter, but when the CEO started acting like a spoiled, entitled brat and the platform became increasingly like shouting into a jet engine, I decided to post my content elsewhere. Someplace it will actually be appreciated.

      Twitter profits handsomely from content produced by journalists of all stripes. The thing is, many journalists have decided like I have, which is that they’ll stop feeding the beast.

      And yet, you’re still here, expressing your alternative thoughts.

      Reply
    2. Freeze Peach

      Musk talks about freedom of speech, until that speech is negative toward him.
      Before journalists left Twitter, it was Twitter that started purging dissenters. Mass account suspensions for the left, and mass account restoration for right wing (who were suspended previously using due process).

      Free speech absolutists are still just extremists. Most rational people still prefer moderation.

      Reply
      1. Joseph

        I agree Musk pretended to be for “free speech” then bans Ye West and still hasn’t unbanned tons of accounts.

        As for the “journalists” I don’t consider any of the hacks in MSM to be anything other than propagandists. Anyone actually being a “journalist” and speaking truth to power is banned, or given the Julian Assange treatment.

        As for “Free speech absolutists” being extremists… that is just delusional. Our country is in a sad state when people think the few freedoms they have left are “extreme”.

        Reply
        1. Freeze Peach

          It’s the propagandists who have convinced the gullible masses that mainstream media can’t be trusted.
          Think about how you’re being manipulated.
          Once you distrust everybody in mainstream media, you start getting your news from where? Fringe media. Any idiot with an opinion and a microphone.
          Before the internet, these people could barely get a spot at 3:00 a.m. on community Access TV. Now you subscribe to them because you don’t trust the mainstream.

          Good journalists like Brian can still be independent even if they are mainstream and have traditional journalist backgrounds.
          We need to bring back trust in mainstream media. And don’t let bad actors taint and destroy the institution of journalism.

          Yes, Free speech absolutists are extremists. And quite delusional too. They think Free speech means freedom from consequences and that private companies must abide by the first amendment of the US Constitution. It’s these extremists who believe social media companies are the gatekeepers of some global digital town square. Reality that shatters your delusion, is that they are more akin to privately owned property.

          Reply
          1. Joseph

            …The mainstream media cannot be trusted. This doesn’t mean I trust Alex Jones talking about lizard people, it just means I understand all media outlets roll up under a few conglomerates and they all have agendas from the people running things. If the mainstream media consisted of “journalists” speaking the “truth” we would know who was on Ghislaine Maxwell’s list. Truth is all the mainstream media outlets serve the same masters who push terrible things on the world like “WMDs” in Iraq leading to endless wars.

            Good journalists can be “independent” depending on the topic. As soon as they cover something that hits too close to an agenda, you will be censored/slandered/debanked.

            The “private companies must abide by the 1st amendment” argument doesn’t really work when you have giant monopolies in bed with the government. The idea that these are “distinct entities” not in bed with each other is naive. Bad Spaceship Man just released how Twitter was secretly censoring people at the behest of government.

            Decentralization is the key.

            Reply
            1. Freeze Peach

              By generalizing all mainstream journalism or calling them fake news, you still elevate and support fringe “journalists” by default. It doesn’t have to be the poster child, Alex Jones. But allowing yourself to trust Spaceship Man at his word, that Twitter’s previous management was “in bed” or “secretly censoring people at the behest”, proves my point.
              THAT was a perfect example of fringe news media twisting public opinion without actual journalistic process.

              So once you think that all mainstream media is untrusted because there is the inevitable bias, you must default to trusting social media. That is insane mental gymnastics.
              That is how conspiracy theorists and disinformation have taken over weak minds. They call out regular bias (yes, corporate news media is biased. duh), spin up outrage as if this is something new. So when legit journalists or fact checkers call out something real or rightfully label something as a tabloid nothingburger… the gullible masses dismiss it and just believe the sensational BS coming from celebrities.

              If you actually read the source emails… they are anywhere near as damning or sensational as the headline tweets. They are actually fitting and expected internal discussions during a time when the people demanded social media be responsive to foreign disinformation campaigns. Taken in proper context, the people asked government to get involved with Twitter and Facebook. Remember they dragged the CEOs in front of Congress.

              Reply
  21. Brian Fiori (AKA The Dean)

    Happy Anniversary. Let’s hope you have at least 13 more great years ahead!

    Reply
