Intern against Skynet, salaries for ghosts, monsters in the public domain
The October digest collects incidents that certainly got on the nerves of the information security departments of the companies involved. On the Halloween agenda: a multimillion-dollar scam involving dead souls, a hacker mortally offended at not being given credit for his work, and terrifyingly frequent attacks on game developers.
Phantom row
What's happened: Kitchenware maker Williams Sonoma lost more than $10 million due to employee fraud.
How it happened: Ben Thomas, 48, worked as a general manager at one of Williams Sonoma's distribution centers. His responsibilities included selecting the company that supplied temporary staff and approving payments of up to $50,000. At the same time, he was prohibited from awarding work to companies affiliated with him.
It later turned out that Thomas had concealed from his employer the fact that he owned a temporary staffing company. Through it, from 2017 to 2023, he took in more than $10 million: he selected his own company as the contractor and approved the payments himself, while in fact no services were provided.
Thomas spent the proceeds on a 1,200 m² house, a yacht, cars, tickets to sporting events, and even (sic!) animal cloning. If the court finds him guilty, he faces a maximum of about 30 years in prison and a fine of thousands of dollars for each violation.
The Humans Strike Back
What's happened: a ByteDance intern sabotaged neural network development.
How it happened: programmer Keyu Tian got an internship at the Chinese tech giant ByteDance. Instead of working, however, he deliberately introduced errors into the code. His colleagues hunted for bugs around the clock until they finally suspected that something was wrong and opened an investigation.
The saboteur was identified thanks to the logs. They showed that the intern, first, created chaos with checkpoints (the saved state of a model during training): he changed the models' training parameters, altered the input data, deleted checkpoints, or stopped the training process altogether. Second, he planted pickle files containing malicious code (pickle is Python's serialization format, and a pickle file can execute arbitrary code at the moment it is loaded). When loaded, the files automatically introduced bugs, changed the installed version of PyTorch (the framework used to train the models), and so on.
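Two of the techniques just described are worth seeing in code, because they are not specific to ByteDance: a pickle file is not data but a program for the unpickler, so loading one from an untrusted source is code execution, and a checkpoint that can be silently edited or deleted needs an integrity record. The block below is an added example written for this digest, not code from ByteDance or from the incident. The checkpoint contents are constructed, the payload uses eval on harmless arithmetic in place of a real malicious callable, and the allowlist in the restricted loader is an assumption that a real pipeline would extend to the classes its checkpoints actually reference.

```python
"""Added example for this digest (not ByteDance's code): a pickle file is a program
for the unpickler, so loading an untrusted checkpoint executes code. Below: the
attack, a static opcode scan, an allowlisting loader, and a checkpoint manifest.
All checkpoint contents are constructed sample data."""
import hashlib
import io
import pickle
import pickletools
from typing import Any

# What a checkpoint legitimately holds: plain containers and numbers (constructed).
BENIGN_CKPT = {"epoch": 3, "lr": 1e-4, "weights": [0.1, 0.2, 0.3]}


class Payload:
    """__reduce__ tells the unpickler 'call this callable with these args' on load.
    eval on harmless arithmetic is an assumption standing in for os.system,
    subprocess.Popen or a function that patches torch internals."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


def build_benign_checkpoint() -> bytes:
    return pickle.dumps(BENIGN_CKPT)


def build_malicious_checkpoint() -> bytes:
    # Looks like a normal checkpoint dict; the payload hides under one key.
    return pickle.dumps({"epoch": 3, "weights": Payload()})


def unsafe_load(data: bytes) -> Any:
    """What a pipeline typically does: plain pickle.load, payload and all."""
    return pickle.loads(data)


# Check 1: static opcode scan (nothing is executed). These opcodes import a global
# (GLOBAL, STACK_GLOBAL) or call/construct something (REDUCE, INST, OBJ, NEWOBJ,
# NEWOBJ_EX, BUILD); a checkpoint made of plain data needs none of them.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                 "NEWOBJ_EX", "REDUCE", "BUILD"}


def scan_pickle(data: bytes) -> list[str]:
    """Return the dangerous opcodes found, resolving each STACK_GLOBAL to the
    module.name it imports when the two preceding string literals supply them.
    An empty list means the stream only builds data."""
    findings: list[str] = []
    recent: list[str] = []  # string literals pushed since the last non-string opcode
    for op, arg, _pos in pickletools.genops(data):
        if "UNICODE" in op.name:
            recent.append(arg)
            continue
        if op.name == "MEMOIZE":  # follows each literal; does not disturb the stack
            continue
        if op.name == "STACK_GLOBAL":
            target = ".".join(recent[-2:]) if len(recent) >= 2 else "?"
            findings.append(f"STACK_GLOBAL:{target}")
        elif op.name == "GLOBAL":  # protocols <= 3 carry "module name" inline
            findings.append(f"GLOBAL:{arg.replace(' ', '.')}")
        elif op.name in DANGEROUS_OPS:
            findings.append(op.name)
        recent = []
    return findings


class RestrictedUnpickler(pickle.Unpickler):
    """Check 2: allowlist the globals a checkpoint may reference; builtins.eval,
    os.system and friends are refused before they are ever called. The allowlist
    is an assumption; extend it only with what your format really needs."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global not allowed: {module}.{name}")


def safe_load(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data: bytes) -> str:
    """'loaded' or 'refused: <reason>' for callers that want a status, not an exception."""
    try:
        safe_load(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"refused: {exc}"


# Check 3: integrity manifest, so a checkpoint that is swapped, edited or deleted
# (as in the case above) shows up at the next training step, not weeks later.
def make_manifest(files: dict[str, bytes]) -> dict[str, str]:
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in files.items()}


def verify_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    problems = [f"missing:{n}" for n in manifest if n not in files]
    problems += [f"modified:{n}" for n, d in manifest.items()
                 if n in files and hashlib.sha256(files[n]).hexdigest() != d]
    problems += [f"unexpected:{n}" for n in files if n not in manifest]
    return problems


if __name__ == "__main__":
    mal = build_malicious_checkpoint()
    print("scan:", scan_pickle(mal))                                  # ['STACK_GLOBAL:builtins.eval', 'REDUCE']
    print("plain load executed payload:", unsafe_load(mal)["weights"])  # 42
    print("restricted load:", load_outcome(mal))                      # refused: global not allowed: builtins.eval
```

Running it shows the scan naming the import, a plain load that has already executed the payload (the "weights" entry comes back as 42), and the restricted loader refusing the same file before anything runs. For PyTorch checkpoints the same allowlisting idea is what torch.load(..., weights_only=True) applies, and exporting weights as safetensors avoids pickle altogether.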
Tian attended all the work meetings on the bug fixes without arousing suspicion. In effect he kept his finger on the pulse, learning how his colleagues intended to act so that he could harm the development more effectively. As a result, a team of 30 programmers worked in vain for two months; deadlines were missed and the customers' money was wasted.
ByteDance later commented on the situation with Tian. The tech giant claims the media are exaggerating the scale of the incident and that the programmer was fired back in August. The former employer also reported the intern's behavior to the university where he is studying and to professional programming associations, to warn other companies about the saboteur.
Why Keyu Tian turned to sabotage remains unknown. Who knows: perhaps it was an ideological struggle against a terrible future, as in the Terminator films?
History Killer
What's happened: the Internet Archive, which runs the Wayback Machine, was hacked twice in one month.
How it happened: on October 9, Wayback Machine users began seeing a strange JavaScript alert. It said that their data had been stolen and that they should look for it in the breach-tracking service HIBP (Have I Been Pwned).
HIBP founder Troy Hunt confirmed that he had recently received a 6.4 GB SQL file named “ia_users.sql”. By his estimate, the file contains 31 million unique records, including email addresses, bcrypt-hashed passwords, timestamps of password changes, and so on. The most recent entry is dated September 28, 2024, and the data has been confirmed to be genuine. Notably, archive.org was also hit by a DDoS attack the same day.
The second hack became known on October 20. Users began receiving replies to old support tickets about removing sites from the Wayback Machine. In the messages, the unknown author, clearly not a support employee, claimed to have gained access to tokens for the Zendesk platform, which the Archive uses to process user requests. He also called it “disappointing” that the organization had not replaced the API keys exposed in its GitLab.
It later emerged that the cause of both break-ins was an unprotected GitLab configuration file on one of the Internet Archive's development servers. The file contained an authentication token that made it possible to download the archive.org source code and extract from it, among other things, the credentials for the site's DBMS. Access to the DBMS in turn made it possible to steal user data, download further source code, and modify the site. The practical lesson is the one the hacker himself pointed at: an exposed secret stays compromised until it is rotated, and every secret reachable through it has to be rotated with it.
Notably, these details were revealed by the “author” of the first hack himself. He contacted the media through an intermediary, offended that “his leak” had been attributed to the group that carried out the DDoS attack.
None of this serial drama took the service down for good: at the time of writing, the Internet Archive and the Wayback Machine are operating normally.
Terrible addiction
What's happened: an employee stole almost £1 million to fund a gambling addiction.
How it happened: Alan Doig, 57, worked as a senior accountant at Gedling Borough Council for almost 20 years and was known as a man of integrity.
However, as police found out, Alan regularly transferred the council's money to his own account to feed his gambling addiction. Over 19 years he made a total of 86 such transactions, amounting to £934,343.
Alan knew very well how his colleagues and the council's financial systems worked, which allowed him to stay undetected. But in 2021 the pandemic changed the usual processes and new legal requirements appeared, and his colleagues began to have suspicions about unusual transactions.
An investigation was launched and the case went to court. Alan admitted his guilt and expressed remorse, but still received a five-year prison sentence.
After the incident, a council spokesman said the fraud could not have been prevented despite “numerous checks and controls” because “the attacker had insider information.” Insider knowledge of the controls is, of course, precisely the case that segregation of duties and independent reconciliation are meant to cover.
Monsters are on the loose!
What's happened: game developer GameFreak, known for the Pokemon series, fell victim to a cyberattack. For the same reason, Red Barrels, developer of the Outlast games, had to postpone the release of updates.
How it happened: on October 12, screenshots of test builds and source code for unreleased games in the Pokemon franchise appeared online. The developer quickly acknowledged the leak and reported that unknown persons had stolen a large amount of information about current and former employees as well as contractors: their names, email addresses, phone numbers, etc. were made public.
The company apologized and said it had already fixed the vulnerability the attackers used to get in. However, the developer has not reacted in any way to the numerous Pokemon materials that have begun circulating online. At a minimum, the leaked data includes information about future projects, game source code, development documents, and internal communications of top management.
Meanwhile, on October 2, an “Important message from the team” appeared on the website of the Canadian company Red Barrels. In it, the developer reported that its IT systems had been attacked with the aim of gaining access to data.
The company immediately took security measures and brought in external experts to investigate the incident. Because of the attack, however, it has had to shift production deadlines, mainly for the current version of The Outlast Trials and its planned updates.
Nightmare for Cisco CISO
What's happened: IT giant Cisco suffered a data leak.
How it happened: on October 14, an unknown attacker announced the hacking of Cisco. In a post on a hacker forum, he said that together with accomplices he had broken into the company and stolen a large amount of data, which was put up for sale on the same underground forum.
According to the hacker, the haul includes GitHub, GitLab and SonarQube projects, application source code, encrypted credentials, technology SRCs of Cisco and its customers, Jira tickets, API tokens, private AWS buckets, Docker builds, private and public keys, SSL certificates, information about premium products, and more.
After the announcement, the media contacted the hacker. They learned that the breach occurred through an exposed API token, and also received samples of the stolen data and screenshots supporting the attacker's claims.
The company initially said it had found no evidence that its systems had been compromised, but conflicting statements followed. Cisco reported that its systems had not been hacked, but that a small number of files not intended for public download may nevertheless have been published. Because of this, on October 18 the IT giant took its public DevHub portal offline.
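Both the Internet Archive story (a token in a GitLab configuration file) and the Cisco story (an exposed API token) start with a secret sitting in a file where an outsider could read it. Scanning your own repositories and servers for such secrets is the check a practitioner wants here, and the block below is an added example written for this digest, not code from the Internet Archive, Cisco or any scanner product. The configuration file is constructed; the glpat- and AKIA prefixes are the real GitLab personal access token and AWS access key formats, AKIAIOSFODNN7EXAMPLE is the public example key from AWS documentation, and the entropy threshold is an assumed tuning value.

```python
"""Added example for this digest (not code from the Internet Archive, Cisco or any
scanner product): a minimal secret scanner that flags tokens and passwords in a
configuration file. SAMPLE_CONFIG is constructed and contains no real credentials."""
import math
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
# gitlab.rb left on a dev server (constructed sample, no real credentials)
external_url 'https://gitlab.example.internal'
gitlab_rails['db_host'] = 'db.example.internal'
gitlab_rails['db_password'] = 'Wq7!kd93Lm2xPz0vRt5b'
GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
log_level=debug
api_key=changeme
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


# Ordered specific-to-generic. Format rules match on their own; the generic rule
# captures the value in its last group and is subject to an entropy check so that
# placeholders such as 'changeme' are not reported.
RULES = [
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_secret",
     re.compile(r"(?i)(password|passwd|secret|token|api_key)\W*[=:]\W*([^'\"\s]+)")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score around 4, words and repeats far less."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, min_len: int = 12, min_entropy: float = 3.5) -> list[Finding]:
    """Scan one file's text; comment lines are skipped, each secret reported once per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        seen: set[str] = set()
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if rule == "generic_secret" and (len(value) < min_len
                                                 or shannon_entropy(value) < min_entropy):
                    continue
                if value not in seen:
                    seen.add(value)
                    findings.append(Finding(line_no, rule, value))
    return findings


def masked(value: str) -> str:
    """Report form: enough to tell which secret it is, never the whole thing."""
    return value[:6] + "..." if len(value) > 6 else "***"


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule} {masked(f.value)}")
```

On the sample it reports the database password, the GitLab token and the AWS key and stays silent on the placeholder value. Production scanners such as gitleaks and trufflehog carry hundreds of such rules, but the response is the same: a hit is a rotation task (revoke the token, change the password, reissue the key), not a deletion task, because anything copied from the file before the cleanup still works.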
Serial screw-up
What's happened: customer data leaked from the Burger King and Detsky Mir chains.
How it happened: on October 10, information appeared online about two leaks at once: at the fast-food chain Burger King and at the Detsky Mir store chain.
In Burger King's case, a database of more than 5 million rows of customer data leaked: phone numbers, email addresses, dates of birth, etc. Detsky Mir leaked just over 1 million rows: customer names, phone numbers, email addresses, and loyalty card numbers.
Burger King's press service reported that the leak occurred on a contractor's side, and that “the data of our customers may also be among those affected by the attack.” Detsky Mir has not yet commented on the situation, but the cause is probably the same: the retailer uses the services of the same contractor.
Doctor, what's wrong with him?
What's happened: hackers announced that they had hacked Doctor Web.
How it happened: in the previous NBD we wrote about the hacking of a domestic information security company. This month the story continues. As a reminder, on September 14 Doctor Web detected an attack on its resources and began to respond. The company even had to temporarily shut down its servers, but on September 17 the vendor announced that the threat had been neutralized.
Now, however, it has become known that the attack was not limited to the server shutdown. The company's official Telegram bot, for example, was also affected: it began sending users messages that were clearly not written by company employees, claiming that Doctor Web had been hacked, that customer data was compromised, and that “the antivirus now has a twist.”
Also on Telegram, the hackers presented their version of events. In their channel (we do not provide links for ethical reasons) they write: “we managed to hack and dump the corporate GitLab server, where internal developments and projects were stored, the corporate mail server, Confluence, Redmine, Jenkins, Mantis, RocketChat – systems where development was carried out and tasks were discussed, etc.” To back up their words, the hackers provided several databases from Doctor Web's internal resources: ldap.dev.drweb.com, vxcube.drweb.com, bugs.drweb.com, antitheft.drweb.com, rt.drweb.com, etc.
The company itself denies that these claims are true, at least “for the most part.” “Neither virus database updates nor software module updates pose any security threat to our users,” the vendor wrote on its website.
We sincerely sympathize with our colleagues and hope that they manage to fully eliminate the consequences of the attack.