(credit: cia.gov)

Federal authorities have arrested two men on charges they were part of a group that broke into the private e-mail accounts of high-ranking US government officials and a Justice Department computer system.

Andrew Otto Boggs, 22, of North Wilkesboro, North Carolina, and Justin Gray Liverman, 24, of Morehead City, North Carolina, were part of a group calling itself "Crackas with Attitude," federal prosecutors alleged. Although an FBI affidavit filed in the case didn't identify the targeted government officials by name, The Washington Post and other news organizations, citing unnamed people familiar with the matter, said they included CIA Director John Brennan, then-Deputy FBI Director Mark Giuliano, National Intelligence Director James R. Clapper, and other high-ranking officials. The group also used its unauthorized access to a Justice Department management system to obtain and later publish the names, phone numbers, and other personal details of more than 29,000 FBI and Department of Homeland Security officials.

According to the affidavit, the group didn't rely on computer hacking to break into restricted accounts. Instead, they used social engineering, in which they impersonated their targets and various IT support personnel purporting to help the victims. On October 11, 2015, one of the suspects allegedly accessed the account of one target, identified by the WaPo as Brennan, by posing as a technician from Verizon. The suspect then tricked another Verizon employee into resetting the password for Brennan's Internet service. Prosecutors said the suspects went on to take over a Brennan AOL account.

Read 4 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
PHP 'bcmath.c' Multiple Local Heap Overflow Vulnerabilities
 
PHP CVE-2015-8835 NULL Pointer Dereference Denial of Service Vulnerability
 
NTP CVE-2016-4953 Denial of Service Vulnerability
 

It could be nothing. It could be something.

The ISC HoneyPot">12:08:27.874575 IP x.x.x.x.12458 y.y.y.y.161:GetRequest(28).1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 a.a.a.a.161:GetRequest(28).1.3.6.1.2.1.1.1.0

12:09:52.802179 IP b.b.b.b.12458 c.c.c.c.161:GetRequest(28).1.3.6.1.2.1.1.1.0


So I did some poking around, read some articles [1] and found some simlarities, etc. No real testing per se yet. Thenafter yesterdays data was collected, the ISC port data showeda curious correlation. So I am turning to our readers. Can any of you offer any corroborating data or anecdotes. The pic [3] below shows a triple in sources on Aug 11 near the time when some of therecent Cisco vulnerabilities became well known. [2] Then a similar spike yesterday. The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding" />














[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
[3]https://isc.sans.edu/port.html?port=161

Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Picosmos Shows v1.6.0 - Stack Buffer Overflow Vulnerability
 
PHPHolidays CMS v3.00.50 - Cross Site Scripting Web Vulnerability
 
Google Nexus Qualcomm Sound Driver Multiple Privilege Escalation Vulnerabilities
 
Linux Kernel 'sk_dst_get()' Denial of Service Vulnerability
 
CVE-2016-4264 Adobe ColdFusion <= 11 XXE Vulnerability
 
Internet Storm Center Infocon Status