Cyber Intelligence Weekly

Cyber Intelligence Weekly (December 18, 2022): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Also, we are always looking for great people to join our team. If you know anyone who fits the profiles for any of our open positions, drop me a line and let us know!

Before we get started on this week’s CIW, I’d like to Highlight our Top 10 Cybersecurity Articles of 2022. We’ve had a lot of great thought leadership delivered by our professional staff this past year, and this is a summary of the most popular articles that we released! Happy reading!

Top 10 Cybersecurity Articles in 2022

PS: The CIW will take a break next week for the holiday season and we will see you again in 2023!

Away we go!

1. Stolen Information on More Than 80K InfraGard Members Is Allegedly Being Sold on the Dark Web

This past week, Brian Krebs dropped a story about how a database of contact information for more than 80,000 members of InfraGard, a project established by the U.S. Federal Bureau of Investigation (FBI) to create partnerships with the private sector for the exchange of information about cyber and physical threats, was put up for sale. The hackers have been contacting members directly through the InfraGard portal online, using a new account that assumes the persona of a financial industry CEO.

Stolen Information on More Than 80K InfraGard Members Is Allegedly Being Sold on the Dark Web

Per the Krebs report, the alleged threat actor got into the InfraGard system by applying for a legitimate account using private personal information of a CEO at a company that would likely be granted such access. That CEO responded to a Krebs inquiry and said they were never contacted by the FBI to authorize or check this access request. Once in the InfraGard system, the threat actor used a simple python script against an available API to enumerate all users and capture their data from the system.

This is certainly a black eye for the InfraGard community and highlights the need for investments for continually updating web infrastructure throughout public associations and partnerships. In addition, continual testing and best practices checks could have prevented such an event from occurring.

2. Former Twitter Employee Hit with Jail Sentence for Spying for Saudi Arabia

A former Media Partnerships Manager for Twitter's Middle East and North Africa (MENA) region was found guilty by a federal jury earlier this year of conspiring to act as a foreign agent without notifying the Attorney General, wire fraud, international money laundering, and falsifying records during a federal investigation. A two-week trial before Senior U.S. District Judge Edward M. Chen for the Northern District of California resulted in the verdict.

This past week, just a few months after his conviction, Ahmad Abouammo, was sentenced to 42 months in federal prison for acting as a foreign agent for the Saudi’s. Abouammo was given a luxury watch and several cash payments to a bank account that he opened in his father’s name in Lebanon in exchange for information on selected targets of the Saudi government.

Former Twitter Employee Hit with Jail Sentence for Spying for Saudi Arabia

Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division had the following statement prepared, “Mr. Abouammo violated the trust placed on him to protect the privacy of individuals by giving their personal information to a foreign power for profit. His conduct was made all the more egregious by the fact that the information was intended to target political dissidents speaking out against that foreign power. We are committed to holding accountable those who act unlawfully as unregistered foreign agents and advance hidden influence campaigns on behalf of foreign regimes.

This story highlights the very real insider threat issue that is so often overlooked in corporate America. According to a recent study by the Ponemon Institute, which polled almost 300 firms, the average annualized cost of insider threat occurrences is $15.4 million per organization. Beyond the monetary cost, insider threats can lead to terrorism, workplace violence, and other violent situations that can result in fatalities. An internal threat capacity is simple for firms to miss yet crucial to the protection of assets. It frequently falls through organizational cracks. If your organization needs help with its insider threat mitigation program, please be sure to reach out to Echelon for assistance.

3. Rackspace Hosted Exchange Email Capabilities Still Offline After Ransomware Attack

Rackspace recently had a major cybersecurity incident where threat actors successfully delivered ransomware, affecting their hosted Exchange email environment. The event happened back on December 2, and some customers are still waiting to get their data and email back online. Per Rackspace’s last update on December 17, “We continue to make significant progress in our email data recovery efforts and are planning to begin transferring email data to our Hosted Exchange customers in the next few days. At this time, Rackspace engineers are continuing to extract data off of impacted servers, and move the data to a clean environment, where it is continually tested for security and availability.

Rackspace Hosted Exchange Email Capabilities Still Offline After Ransomware Attack

In its blog posts, Rackspace said it had hired CrowdStrike to lead the incident response efforts. Rackspace noted in their blog posts that they have confirmed that the incident appears to have been limited to the Hosted Exchange environment only and that the investigation is taking the necessary steps to ensure that customer environments are brought back online smoothly and securely. Rackspace has partnered with Microsoft to move customers to Microsoft 365 in order to get these customers up and running as quickly as possible.

The blog post and updates from Rackspace don’t offer up much information regarding root cause of the attack or whether or not there was a backup of the environment that could be leveraged to bring customers back on-line. Security researcher Kevin Beaumont postulates on his blog that the Rackspace Hosted Exchange environment may not have been patched for the ProxyNotShell vulnerability, and this may be the initial attack vector. This one will be interesting to follow as this issue gets resolved.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.