Celebrating National Hispanic Heritage Month reminds us how the wide range of perspectives and experiences among our employees makes us stronger both as a company and as a steward of the internet. In honor of this month, we are proud to recognize the stories of three of our Hispanic employees, and the positive impact they make at Verisign.
As Verisign’s director of information security, Carlos Ruesta draws inspiration from his father’s community commitment as an agricultural engineer in Peru, working to bring safe food and water to isolated communities. His father’s experiences inform Carlos’ belief in Verisign’s mission of enabling the world to connect online with reliability and confidence, anytime, anywhere and motivates his work as part of a team that ensures trust.
As a leader in our security compliance division, Carlos ensures that his team maintains a robust governance, risk, and compliance framework, translating applicable laws and regulations into security control requirements. “Being part of a team that emphasizes trust, motivates me,” he said. “Management trusts me to make decisions affecting large-scale projects that protect our company. This allows me to use my problem-solving skills and leadership abilities.”
Carlos commends Verisign’s respectful and encouraging environment, which he considers vital in cultivating successful career paths for newcomers navigating the cybersecurity field. He says by recognizing individual contributions and supporting each other’s professional growth, Hispanic employees at Verisign feel a sense of belonging in the workplace and are able to excel in their career journeys.
Alejandro Gonzalez Roman, a senior UX designer at Verisign, combines his artistic talent with technical expertise in his role, collaborating among various departments across Verisign. “My dad is an artist, and still one of my biggest role models,” he said. “He taught me that to be good at anything means to dedicate a lot of time to perfecting your craft. I see art as a way to inspire people to make the world a better place. In my job as a UX designer, I use art to make life a little easier for people.”
As a UX designer, Alejandro strives to make technology accessible to everyone, regardless of background or abilities. He believes that life experiences and cultural knowledge provide individuals with a unique perspective, which he considers an invaluable source of inspiration when designing. And with the Hispanic population being one of the largest minorities in the United States, cultural knowledge is crucial. Understanding how different people interact with technology and integrating cultural insights into the work is essential to good UX design.
Overall, Alejandro is motivated by the strong sense of teamwork at Verisign. “Day-to-day work with our strong team has helped me improve my work” he said. “With collaboration and encouragement, we push each other to be better UX designers. I couldn’t succeed as I have without this amazing team around me.”
Rebecca Bustamante, senior manager of operations analysis, says Verisign’s “people-first” culture is part of her motivation, and she is grateful for the opportunities that allowed her to take on different roles within the company to learn and broaden her skills. “I’ve had opportunities because people believed in my potential and saw my work ethic,” she said. “These experiences have given me the understanding and skills to succeed at the job I have today.”
One of these experiences was joining the WIT@Verisign (Women in Technology) leadership team, which proved instrumental to her personal growth and led to valuable work friendships. In fact, one of her most cherished memories at Verisign includes leading a Verisign Cares team project in Virginia’s Great Falls Park, where she and her coworkers worked together to clear invasive plants and renovate walking paths.
Rebecca sees this type of camaraderie among employees as a crucial part of the people-first culture at Verisign. She particularly commends Verisign’s team leaders who value consistent communication and take the time to listen to people’s stories, which fosters an authentic understanding. This approach makes collaboration more natural and allows teamwork to develop organically. Rebecca emphasizes the significance of celebrating her culture, as it directly influences her job performance and effective communication. But she pointed out that the term “Hispanic” encompasses a wide diversity of peoples and nations. She advocates respect, practices active listening, and promotes a culture celebrating each other’s successes.
These three individuals – as well as their many team members – contribute to Verisign’s efforts to enable and enhance the security, stability, and resiliency of key internet infrastructure every single day.
At Verisign, we recognize the importance of talent and culture in driving an environment that fosters high performance, inclusion, and integrity in all aspects of our work. It’s why recruiting and retaining the very best talent is our continual focus. If you would like to be part of the Verisign Team, please visit Verisign Careers.
The post Verisign Celebrates Hispanic Heritage Month appeared first on Verisign Blog.
The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.
The 8Base ransomware group’s victim shaming website on the darknet.
8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.
The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).
However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:
The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.
That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.
But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.
For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).
This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”
“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”
The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”
The login page on the 8Base ransomware group’s darknet website.
Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.
It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.
The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.
Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.
“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”
Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:
A screenshot of Mr. Kolev’s current projects that he quickly deleted.
Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:
Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.
Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.
The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.
“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.
A recent blog post from VMware/Carbon Black called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.
“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”
According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.
“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”
Update, Sept. 21, 10:43 a.m. ET: The author of Databreaches.net was lurking in the 8Base Telegram channel when I popped in to ask the crime group a question, and reports that 8Base did eventually reply: ““hi at the moment we r not doing interviews. we have nothing to say. we r a little busy.”
In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had infiltrated the FBI‘s vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.
In a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.
USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”
Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called RedLine.
Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).
Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.
Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”
The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.
In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.
Microsoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.
In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.
In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.
Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.
Also, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.