Soldier Arrested, Crypto Malware, Wash. St. Sues T-Mobile, US Treasury Breach, LDAPNightmare PoC
Notable news for the week of December 30 through January 6. Your editor this week is Chris from the F5 Security Incident Response Team. For this edition we have a U.S. Army soldier being arrested on the AT&T and Verizon extortions; a summary of wallet-draining malware for 2024; the Washington State Attorney General suing T-Mobile; sanction intel targeted by Chinese spies, and the release of a PoC exploit for CVE-2024-49113.
U.S. Soldier Arrested for Cyber Crimes
On December 20th, Federal authorities arrested Cameron John Wagenius, a 20-year-old U.S. Army soldier, on suspicion of being 'Kiberphant0m'. Kiberphant0m is a cybercriminal who has been selling and leaking sensitive customer call records from AT&T and Verizon. Wagenius is a communications specialist and was recently stationed in South Korea. According to his mother, he has acknowledged being associated with 'Judische', another cybercriminal, from Canada, who was arrested in October for stealing data from and extorting companies that stored data with the cloud service Snowflake. In interviews, Judische claimed to outsource the selling to individuals like Kiberphant0m and others. Kiberphant0m has posted claims that he has hacked into at least 15 telecommunications firms, including AT&T and Verizon. When Judische was arrested, Kiberphant0m went online, posted claims of having call logs of President-elect Donald Trump as well as current Vice President Kamala Harris, and threatened to leak them. One of the biggest takeaways from this story is that law enforcement is getting faster and more efficient at going after cybercriminals.
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/#more-69925
Wallet Drainer Damage in 2024
Almost $500 million in cryptocurrency was stolen in 2024 using wallet drainer malware, through the scamming of more than 332,000 victims, according to anti-scam firm Scam Sniffer. Wallet drainers are malware designed to trick victims into signing malicious transactions, with the result that their assets end up being stolen. The approximately $494 million stolen represents a 67% year-over-year increase, with the largest single theft amounting to $55.48 million! Scam Sniffer stated that the attacks were more frequent at the beginning of 2024, but the two largest single losses occurred in August and September.
Washington State Attorney General Files Lawsuit Over Breach
In response to the 2021 data breach that affected 76.6 million people, Washington State Attorney General Bob Ferguson filed a lawsuit against wireless carrier T-Mobile. The breach was disclosed in August of 2021, and the following year T-Mobile agreed to pay $350 million to settle a class action lawsuit over the breach. Then last year, they also agreed to pay a $15.75 million civil penalty to settle an FCC investigation. Ferguson is suing over T-Mobile's lack of proper security controls regarding customers' personal data. It is also asserted that the carrier knew about certain vulnerabilities and failed to address them properly. The lawsuit further states that T-Mobile misled customers by claiming that the protection of collected personal data was a top priority. The breach resulted in the disclosure of data such as names, addresses, and driver's license information, and for 183,406 residents of Washington State it also resulted in the disclosure of their Social Security Numbers. Another key factor is that a lack of security monitoring prevented the wireless carrier from discovering the breach for almost half a year; they ended up being tipped off by an outside, anonymous source. This highlights the crucial need for robust security monitoring.
https://www.securityweek.com/washington-attorney-general-sues-t-mobile-over-2021-data-breach/
Chinese APT Targets U.S. Treasury
On December 30, the U.S. Treasury sent a letter to Congress revealing a cyberattack, stating that it was specifically targeted at the Office of Foreign Assets Control (OFAC). The letter attributed the breach to a "China state-sponsored Advanced Persistent Threat (APT) actor". This illustrates the measures the country is taking to gather intelligence on the U.S., especially in regard to groups that may be involved in placing sanctions on Chinese entities. The intrusion was blamed on an earlier BeyondTrust security incident in which malicious actors stole an API key for the software maker's Remote Support SaaS product. This allowed remote access to some of the Treasury's workstations and any unclassified documents maintained by those users. BeyondTrust has been helping law enforcement investigate the issue and has contacted the customers that were affected.
https://www.theregister.com/2025/01/02/chinese_spies_targeted_sanctions_intel/
PoC for CVE-2024-49113
A Proof-of-Concept (PoC) exploit has been released for a patched flaw in Windows LDAP that could result in a Denial of Service. The vulnerability is tracked as CVE-2024-49113 and has a CVSS score of 7.5. It was patched in December by Microsoft along with another LDAP vulnerability, CVE-2024-49112, which is rated critical with a score of 9.8. The PoC was devised by SafeBreach Labs and is codenamed LDAPNightmare. It is designed to crash any unpatched Windows Server as long as the victim's DNS server has internet connectivity. By sending a specific Remote Procedure Call to the victim server, a reboot can be forced, causing a DoS. The researchers also found that the same exploit chain can be leveraged to achieve remote code execution through CVE-2024-49112 by modifying one of the packets used. As has been said time and time again, it is crucial to update systems as soon as possible to reduce the risk posed by newly disclosed vulnerabilities.
https://thehackernews.com/2025/01/ldapnightmare-poc-exploit-crashes-lsass.html